CVE-2025-10686
WordPress · WordPress Creta Testimonial Showcase plugin
A high-severity vulnerability has been identified in the Creta Testimonial Showcase WordPress plugin, assigned CVE-2025-10686 with a CVSS score of 7.2.
Executive summary
This flaw allows unauthenticated attackers to inject malicious code into the website by submitting a crafted testimonial. Successful exploitation could lead to website defacement, theft of administrator credentials, and redirection of users to malicious sites, posing a significant risk to the organization's web presence and reputation.
Vulnerability
The Creta Testimonial Showcase plugin is vulnerable to a Stored Cross-Site Scripting (XSS) attack. The vulnerability exists because the plugin fails to properly sanitize user-supplied input when a new testimonial is submitted. An unauthenticated remote attacker can submit a testimonial containing malicious JavaScript code. This malicious code is then stored in the website's database and executed in the browser of anyone who views the page displaying the testimonials, including site administrators.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. If exploited, it could have a significant business impact, including reputational damage from website defacement or the hosting of malicious content. An attacker could leverage this flaw to steal administrator session cookies, leading to a full compromise of the WordPress site. This could result in data breaches, unauthorized content modification, and the use of the compromised website to launch further attacks, such as phishing campaigns against customers or employees.
Remediation
Immediate Action: Update the Creta Testimonial Showcase WordPress plugin to the latest patched version (1.0 or higher) on all affected websites without delay. If the plugin is not critical to business operations, the recommended course of action is to disable and completely remove it to eliminate the attack surface. Additionally, review WordPress security settings to ensure user roles and permissions are configured according to the principle of least privilege.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the testimonial submission endpoint, specifically looking for payloads containing HTML script tags or inline event-handler attributes (e.g., <script>, onerror=, onload=). Implement file integrity monitoring to detect unauthorized changes to plugin files or website content. Review administrative audit logs for any unusual or unauthorized activities.
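The log review described above can be scripted. The following is an added example written for this advisory, not code from the plugin or its vendor. It parses access-log lines in the common Apache/Nginx "combined" format, keeps only POST requests to a configurable submission endpoint, URL-decodes the request target (repeatedly, so double-encoded payloads are not missed) and flags script tags, known inline event handlers, javascript: URIs and other tag names commonly used to carry scripts. The endpoint path /wp-admin/admin-ajax.php and the action name submit_testimonial are placeholders, and the log lines are constructed for the example; substitute the path and parameters you see in your own logs.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample access-log lines ("combined" format). The endpoint and the
# action parameter are placeholders, not the plugin's real submission route.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=submit_testimonial HTTP/1.1" 200 512 "https://example.test/testimonials/" "Mozilla/5.0"
203.0.113.11 - - [12/Oct/2025:10:15:07 +0000] "POST /wp-admin/admin-ajax.php?action=submit_testimonial&author=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "https://example.test/testimonials/" "curl/8.0"
203.0.113.12 - - [12/Oct/2025:10:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=submit_testimonial&author=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.5 - - [12/Oct/2025:10:16:00 +0000] "GET /testimonials/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Oct/2025:10:16:30 +0000] "POST /wp-admin/admin-ajax.php?action=submit_testimonial&author=Alice%20%3C3%20this%20shop HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache/Nginx combined log format: client, ident, user, [timestamp],
# "METHOD target PROTO", status, size, then optional "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Indicators checked in order; the first match labels the finding. The event
# handler list is deliberately explicit to avoid matching ordinary parameter
# names such as "online=" or "option=".
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(
        r"\bon(?:error|load|click|mouseover|mouseenter|focus|blur|input|change|"
        r"submit|toggle|animationstart|pointerover|keydown)\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("dangerous_tag", re.compile(r"<\s*(?:iframe|svg|img|object|embed)\b", re.I)),
]


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str        # request target exactly as logged (still encoded)
    decoded: str       # target after URL-decoding
    pattern: str       # name of the indicator that matched
    user_agent: str


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %253C (double-encoded '<')
    is unwrapped as well as %3C. Bounded to avoid pathological inputs."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(log_text: str,
                    endpoint_prefixes: tuple = ("/wp-admin/admin-ajax.php",)) -> list:
    """Return a Finding for every POST to a submission endpoint whose decoded
    request target contains an XSS indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0]
        if not path.startswith(endpoint_prefixes):
            continue
        decoded = decode_fully(m["target"])
        for name, pattern in XSS_PATTERNS:
            if pattern.search(decoded):
                findings.append(Finding(m["ip"], m["ts"], m["target"], decoded,
                                        name, m["ua"] or "-"))
                break  # one finding per request line is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.pattern}: {f.decoded} ({f.user_agent})")
```

One caveat applies to this whole approach: a standard access log records only the request line, so a payload sent in a POST body (the normal case for a form submission) is not visible there. Treat a hit in the query string as a strong signal and an absence of hits as no evidence either way; the same decode-then-match logic can be run over a WAF or ModSecurity audit log, which does capture request bodies. The benign line containing "<3" shows why the patterns key on tag and attribute names rather than on the "<" character alone.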
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rulesets designed to detect and block common XSS attack patterns. Enforce a strict Content Security Policy (CSP) to limit the execution of inline scripts. If possible, disable the public testimonial submission feature until the plugin can be updated.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.2) and the ease of exploitation for this type of vulnerability, we strongly recommend that all instances of the Creta Testimonial Showcase plugin be updated immediately. Although this vulnerability is not currently listed on the CISA KEV catalog, its potential impact on website integrity and security warrants urgent attention. A comprehensive audit of all installed WordPress plugins should also be conducted to identify and remove any unused or non-essential components, thereby reducing the overall attack surface.