CVE-2022-50947
MEDIUM
WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS
Title source: cna
Description
WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability: the plugin fails to sanitize the post_title parameter, which allows authenticated editors to inject malicious scripts. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field; the payloads execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking.
Exploits (1)
exploitdb
WORKING POC
by Luqman Hakim Zahari · text · webapps · php
https://www.exploit-db.com/exploits/51007
References (4)
Core 4
Core References
Third Party Advisory
VulnCheck Advisory: WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS
https://www.vulncheck.com/advisories/wordpress-plugin-testimonial-slider-and-showcase-stored-xss
Scores
CVSS v3
6.4
EPSS
0.0003
EPSS Percentile
8.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
RadiusTheme/Testimonial Slider and Showcase
2.2.6
Published
May 10, 2026
Tracked Since
May 10, 2026