CVE-2026-24957 – This CVE describes a missing authorization vuln... (How to Fix)

Q: How do I fix CVE-2026-24957?

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Strong Testimonials and click 'Update Now'. 4. Alternatively, download version 3.2.21+ from WordPress.org and manually update.

Q: What is the severity of CVE-2026-24957?

CVE-2026-24957 has a CVSS score of 6.5 (MEDIUM). This CVE describes a missing authorization vulnerability in the Strong Testimonials WordPress plugin that allows attackers to bypass access controls. It affects WordPress sites running Strong Testimonials version 3.2.20 or earlier, potentially allowing unauthorized users to perform actions reserved for authenticated users.

📋 TL;DR

This CVE describes a missing authorization vulnerability in the Strong Testimonials WordPress plugin that allows attackers to bypass access controls. It affects WordPress sites running Strong Testimonials version 3.2.20 or earlier, potentially allowing unauthorized users to perform actions reserved for authenticated users.

💻 Affected Systems

Products:

WordPress Strong Testimonials Plugin

Versions: n/a through <= 3.2.20

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with the vulnerable plugin version installed and activated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify or delete testimonials, inject malicious content, or potentially escalate privileges to gain administrative access to the WordPress site.

🟠

Likely Case

Unauthorized users could add, edit, or delete testimonials without proper authentication, potentially defacing the website or posting malicious content.

🟢

If Mitigated

With proper access controls and authentication mechanisms in place, only authorized users can manage testimonials as intended.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability involves broken access control which typically requires minimal technical skill to exploit once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.21 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Strong Testimonials and click 'Update Now'. 4. Alternatively, download version 3.2.21+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable Strong Testimonials Plugin

all

Temporarily deactivate the plugin until patched

wp plugin deactivate strong-testimonials

Restrict Plugin Access via .htaccess

linux

Add access restrictions to plugin directories

Order Deny,Allow
Deny from all

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block unauthorized access to testimonial management endpoints.
Enable WordPress security plugins that monitor and block suspicious access patterns to admin functions.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Strong Testimonials version number

Check Version:

wp plugin get strong-testimonials --field=version

Verify Fix Applied:

Verify plugin version is 3.2.21 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unauthorized POST requests to /wp-admin/admin-ajax.php with testimonial-related actions
Multiple failed authentication attempts followed by successful testimonial modifications

Network Indicators:

Unusual traffic patterns to testimonial management endpoints from unauthenticated IPs

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND action="wpmtst_*") AND NOT user_authenticated=true

📊 Metadata

CVE ID: CVE-2026-24957

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-862

Published: February 3, 2026

Last Updated: February 5, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24957, you might also want to check these: