Platform: wordpress
Component: tc-testimonial
Fixed in: 1.1.2
CVE-2025-49410 describes a Stored Cross-Site Scripting (XSS) vulnerability within the TC Testimonials WordPress plugin. This vulnerability allows attackers to inject malicious scripts that are stored on the server and executed when other users view the affected pages. Versions of TC Testimonials prior to 1.1.2 are affected, and a patch is available in version 1.1.2.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into the TC Testimonials plugin, which would then be executed in the browsers of any user visiting a page displaying the malicious testimonial. This could lead to account takeover, data theft (including cookies and session tokens), redirection to phishing sites, or defacement of the website. The stored nature of the vulnerability means that a single successful injection can affect numerous users over time, amplifying the potential impact. The plugin's widespread use in WordPress sites further increases the potential blast radius.
CVE-2025-49410 was publicly disclosed on 2025-08-20. While no public exploits have been confirmed at the time of writing, the CRITICAL severity and ease of exploitation associated with XSS vulnerabilities suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-49410 is to immediately upgrade the TC Testimonials plugin to version 1.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent new malicious testimonials from being added. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting WordPress plugins may offer some protection, but this is not a substitute for patching. Regularly scan your WordPress installation for vulnerable plugins using a security scanner.
Update the TC Testimonials plugin to the latest available version to mitigate the XSS vulnerability. Check for updates in the WordPress repository or on the developer's website. Implement additional security measures, such as validating and sanitizing all user inputs, to prevent future XSS attacks.
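The validate-and-sanitize advice above, shown as a before/after pair in WordPress PHP. This is an added illustration, not code from the TC Testimonials plugin; the post type, the `_tc_author` meta key, the `tc_` function names and the shape of the submitted input are all assumed.

```php
<?php
// Added example: stored XSS in a testimonial display, and the hardened form.
// Assumes (not from the plugin) a 'testimonial' post whose quote is the post
// content and whose author name lives in the '_tc_author' post meta.

// Save handler: sanitize on the way in, and only for users allowed to edit.
function tc_example_save_testimonial( int $post_id, array $input ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // untrusted submitter: drop the write entirely
    }
    // Plain-text field: sanitize_text_field() strips tags and control chars.
    $author = sanitize_text_field( $input['author'] ?? '' );
    // Rich-text field: wp_kses_post() keeps the HTML allowed in post content
    // and removes <script>, on* event handlers and javascript: URLs.
    $quote = wp_kses_post( $input['quote'] ?? '' );

    update_post_meta( $post_id, '_tc_author', $author );
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $quote ) );
}

// Vulnerable render: stored values are echoed raw into the page, so a
// testimonial containing <script> runs in every visitor's browser.
function tc_example_render_unsafe( int $post_id ): string {
    $author = get_post_meta( $post_id, '_tc_author', true );
    $quote  = get_post_field( 'post_content', $post_id );
    return '<blockquote>' . $quote . '<cite>' . $author . '</cite></blockquote>';
}

// Hardened render: escape on the way out, matched to the output context.
// Escaping at output is the second layer; it still matters if a row was
// stored before the sanitizing save handler existed.
function tc_example_render_safe( int $post_id ): string {
    $author = get_post_meta( $post_id, '_tc_author', true );
    $quote  = get_post_field( 'post_content', $post_id );
    return '<blockquote>'
        . wp_kses_post( $quote )              // limited HTML, no scripts
        . '<cite>' . esc_html( $author ) . '</cite>' // text-only context
        . '</blockquote>';
}
```

The same pair applies to any attribute context: use esc_attr() for values placed inside HTML attributes and esc_url() for href/src, since esc_html() alone does not cover those.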
CVE-2025-49410 is a CRITICAL Stored XSS vulnerability in the TC Testimonials WordPress plugin, allowing attackers to inject malicious scripts.
Yes, if you are using TC Testimonials version 1.1.1 or earlier, you are affected by this vulnerability.
Upgrade the TC Testimonials plugin to version 1.1.2 or later to resolve this vulnerability.
While no confirmed exploits are public, the CRITICAL severity suggests a high probability of exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.