Skip to main content

Fancy Testimonials CVE-2026-8039

| EUVDEUVD-2026-37867 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 Wordfence GHSA-mg2r-742w-hqjh
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from Vendor (Wordfence) · only source for this CVE.

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 09:46 vuln.today
CVE Published
Jun 18, 2026 - 07:48 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy