XSS 0Day Released Affecting Easy Testimonials Plugin for WordPress


Confirmed by researchers at 0Day Today, a hacker going by the name of “En_dust” has just disclosed a new Cross-Site Scripting (XSS) 0Day vulnerability affecting the Easy Testimonials version 3.2 Plugin for WordPress yesterday, November 25th 2018. According to the plugin's home site, Easy Testimonials is designed to allow users “to insert a list of all Testimonials, output a Random Testimonial, or display a slideshow of Testimonials anywhere on your website, sidebar or widgets.” To date, the plugin has over 40,000 active installs.

However, the XSS vulnerability described below allows for privilege escalation tied to the back end of your website through a manually entered URL address, ultimately allowing hackers to obtain administrator-level access. Until the exploit is patched by its developers and a new version of the plugin is released, it is advised that any WordPress owner utilizing this plugin deactivate it for the time being.

Full Exploit:
