CVE-2022-50947

MEDIUM

WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50947. PoCs published by Luqman Hakim Zahari.

AI-analyzed exploit summary The exploit demonstrates a stored XSS vulnerability in the WordPress Testimonial Slider and Showcase plugin (v2.2.6) by injecting a malicious payload into the post_title parameter, which executes when previewed by an Editor or Admin.

Description

WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking.

Exploits (1)

exploitdb WORKING POC

by Luqman Hakim Zahari · textwebappsphp

https://www.exploit-db.com/exploits/51007

View Code ZIP pw:eip

The exploit demonstrates a stored XSS vulnerability in the WordPress Testimonial Slider and Showcase plugin (v2.2.6) by injecting a malicious payload into the post_title parameter, which executes when previewed by an Editor or Admin.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin Testimonial Slider and Showcase 2.2.6

Auth required

Prerequisites: Editor or higher privileges in WordPress · Access to the plugin's testimonial addition feature

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 10, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-51007

https://www.exploit-db.com/exploits/51007

Product product

Official Product Homepage

https://wordpress.org

Product product

Product Reference

https://wordpress.org/plugins/testimonial-slider-and-showcase/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS

https://www.vulncheck.com/advisories/wordpress-plugin-testimonial-slider-and-showcase-stored-xss

Scores

CVSS v3 6.4

EPSS 0.0020

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

RadiusTheme/Testimonial Slider and Showcase 2.2.6

Published May 10, 2026

Tracked Since May 10, 2026