Skip to main content

Fancy Testimonials

1 CVEs product

Monthly

CVE-2026-8039 MEDIUM This Month

Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.

WordPress XSS Fancy Testimonials
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.

WordPress XSS Fancy Testimonials
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy