CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-49410

CVSS 10.0v3.1pub. 2025-08-20upd. 2026-04-28

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC Testimonials allows Stored XSS. This issue affects TC Testimonials: from n/a through 1.1.1.

🤖 AI Analysis
How it works

The vulnerability results from improper neutralization of input data during web page generation (CWE-79). An attacker can inject malicious JavaScript code into fields supported by the plugin, which is then permanently stored in the database. Each time the infected page is displayed, the malicious script is executed in the victim's browser without their knowledge.

Impact

An attacker can hijack sessions of logged-in users (including administrators), perform actions on their behalf, steal authentication credentials, or introduce unauthorized modifications to the website. Due to the changed scope (S:C), the impact may extend beyond the application itself.

Mitigation & patch

The TC Testimonials plugin should be updated to a version higher than 1.1.1. Detailed information about available patches can be found in the vendor references and in the Patchstack database.

Who is affected

WordPress TC Testimonials plugin by Imran Emu, versions from the beginning up to and including 1.1.1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
XSS
CWE
References