Strong Testimonials <= 3.1.12 - Authenticated(Contributor+) Improper Authorization to Views Modification

Wordfence Intelligence   >   Vulnerability Database   >   Strong Testimonials <= 3.1.12 - Authenticated(Contributor+) Improper Authorization to Views Modification
4.3
Improper Access Control
CVE CVE-2023-6491
CVSS 4.3 (Medium)
Publicly Published June 6, 2024
Last Updated June 7, 2024
Researcher Rafshanzani Suhada

Description

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views.

References

Share

Vulnerability Details for Strong Testimonials

Strong Testimonials

Software Type Plugin
Software Slug strong-testimonials (view on wordpress.org)
Patched? Yes
Remediation Update to version 3.1.13, or a newer patched version
Affected Version
  • <= 3.1.12
Patched Version
  • 3.1.13

Recent vulnerabilities in Strong Testimonials

Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode
6.4
CVE-2026-3239
Apr 7, 2026
Researcher: Ronnachai Sretawat Na Ayutaya (Simonhaskelly)
Strong Testimonials <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update
4.3
CVE-2025-14426
Dec 29, 2025
Researcher: type5afe
Strong Testimonials <= 3.2.20 - Missing Authorization
4.3
CVE-2026-24957
Dec 28, 2025
Researcher: Doan Dinh Van (DinhVan52)
Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution
4.3
CVE-2025-11268
Nov 5, 2025
Researcher: Kishan Vyas
Strong Testimonials <= 3.2.11 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields
6.4
CVE-2025-7367
Jul 14, 2025
Researcher: ISMAILSHADOW
Strong Testimonials <= 3.2.3 - Missing Authorization
5.3
CVE-2025-26975
Feb 23, 2025
Researcher: Revan Arifio
Strong Testimonials <= 3.1.16 - Missing Authorization
4.3
CVE-2024-47362
Sep 30, 2024
Researcher: Joshua Chan
Strong Testimonials <= 3.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2024-3261
Apr 3, 2024
Researcher: Dmitrii Ignatyev
Strong Testimonials <= 3.1.10 - Cross-Site Request Forgery
4.3
CVE-2023-52123
Dec 28, 2023
Researcher: Brandon James Roldan (tomorrowisnew)
Strong Testimonials <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
6.4
CVE-2023-26013
Feb 21, 2023
Researcher: Rafshanzani Suhada
# Title CVE ID CVSS Researchers Date
1 Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode CVE-2026-3239 6.4 Ronnachai Sretawat Na Ayutaya (Simonhaskelly) April 7, 2026
2 Strong Testimonials <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update CVE-2025-14426 4.3 type5afe December 29, 2025
3 Strong Testimonials <= 3.2.20 - Missing Authorization CVE-2026-24957 4.3 Doan Dinh Van (DinhVan52) December 28, 2025
4 Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution CVE-2025-11268 4.3 Kishan Vyas November 5, 2025
5 Strong Testimonials <= 3.2.11 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields CVE-2025-7367 6.4 ISMAILSHADOW July 14, 2025
6 Strong Testimonials <= 3.2.3 - Missing Authorization CVE-2025-26975 5.3 Revan Arifio February 23, 2025
7 Strong Testimonials <= 3.1.16 - Missing Authorization CVE-2024-47362 4.3 Joshua Chan September 30, 2024
8 Strong Testimonials <= 3.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-3261 6.4 Dmitrii Ignatyev April 3, 2024
9 Strong Testimonials <= 3.1.10 - Cross-Site Request Forgery CVE-2023-52123 4.3 Brandon James Roldan (tomorrowisnew) December 28, 2023
10 Strong Testimonials <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes CVE-2023-26013 6.4 Rafshanzani Suhada February 21, 2023
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation