Platform
wordpress
Component
tc-testimonial
Fixed version
1.1.2
CVE-2025-49410 describes a Stored Cross-Site Scripting (XSS) vulnerability within the TC Testimonials WordPress plugin. This vulnerability allows attackers to inject malicious scripts that are stored on the server and executed when other users view the affected pages. Versions of TC Testimonials prior to 1.1.2 are affected, and a patch is available in version 1.1.2.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into the TC Testimonials plugin, which would then be executed in the browsers of any user visiting a page displaying the malicious testimonial. This could lead to account takeover, data theft (including cookies and session tokens), redirection to phishing sites, or defacement of the website. The stored nature of the vulnerability means that a single successful injection can affect numerous users over time, amplifying the potential impact. The plugin's widespread use in WordPress sites further increases the potential blast radius.
CVE-2025-49410 was publicly disclosed on 2025-08-20. While no public exploits have been confirmed at the time of writing, the CRITICAL severity and ease of exploitation associated with XSS vulnerabilities suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Websites using the TC Testimonials plugin, particularly those with user-generated content or testimonial features, are at risk. Sites with limited security monitoring or outdated WordPress installations are especially vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if the plugin is not promptly updated.
• wordpress / composer / npm:
grep -r "<script" /var/www/html/wp-content/plugins/tc-testimonials/
• wordpress / composer / npm:
wp plugin list --status=all | grep "tc-testimonials"
• wordpress / composer / npm:
wp plugin update tc-testimonials --version=1.1.2
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49410 is to immediately upgrade the TC Testimonials plugin to version 1.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent new malicious testimonials from being added. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting WordPress plugins may offer some protection, but this is not a substitute for patching. Regularly scan your WordPress installation for vulnerable plugins using a security scanner.
To mitigate the XSS vulnerability, update the TC Testimonials plugin to the latest version. Check for updates in the WordPress plugin repository or on the developer's website. To prevent future XSS attacks, implement additional security measures such as validating and sanitizing all user-supplied input.
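The mitigation advice ends with validating and sanitizing user input. The PHP below is an added example, not code from the TC Testimonials plugin or its developer: it places the coding pattern behind a stored-XSS bug of this kind (visitor-supplied fields concatenated straight into the page) next to its hardened form, which escapes at output with a context-appropriate escaper and normalizes the submission again on save. The demo_ functions, the sample submission and the polyfills are assumptions made for this example; inside WordPress the real esc_html(), esc_attr(), wp_kses_post() and sanitize_text_field() are already defined and are used instead of the stand-ins.

```php
<?php
declare(strict_types=1);

// Added example, not the TC Testimonials plugin's code. Function names
// prefixed demo_ are hypothetical. The polyfills below exist only so the file
// runs outside WordPress; in WordPress the real functions take precedence.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));
    }
}
if (!function_exists('wp_kses_post')) {
    // Simplified stand-in for WordPress's allow-list filter: keep a few
    // formatting tags, drop every other tag and every attribute.
    function wp_kses_post(string $s): string {
        $kept = strip_tags($s, '<p><br><em><strong>');
        return preg_replace('/<(\/?)(p|br|em|strong)\b[^>]*>/i', '<$1$2>', $kept) ?? '';
    }
}

// VULNERABLE pattern (illustrative): the stored fields are echoed unchanged,
// so markup saved by one visitor executes in every later viewer's browser.
function demo_render_unsafe(array $t): string {
    return '<blockquote class="testimonial" data-rating="' . $t['rating'] . '">'
         . $t['text']
         . '<cite>' . $t['author'] . '</cite></blockquote>';
}

// HARDENED pattern: escape at output, choosing the escaper for the context
// (attribute value, HTML text, limited rich text).
function demo_render_safe(array $t): string {
    return '<blockquote class="testimonial" data-rating="' . esc_attr((string) $t['rating']) . '">'
         . wp_kses_post($t['text'])
         . '<cite>' . esc_html($t['author']) . '</cite></blockquote>';
}

// Defence in depth: normalize on save as well, so the database never holds
// markup the display code did not expect (plain-text author, bounded rating,
// allow-listed rich text).
function demo_sanitize_submission(array $raw): array {
    return [
        'author' => sanitize_text_field((string) ($raw['author'] ?? '')),
        'text'   => wp_kses_post((string) ($raw['text'] ?? '')),
        'rating' => max(1, min(5, (int) ($raw['rating'] ?? 5))),
    ];
}

// Coarse check for the demonstration: does the rendered HTML still contain a
// script tag or an event-handler attribute inside a tag?
function demo_contains_active_markup(string $html): bool {
    return (bool) preg_match('/<script\b|<[^>]*\son[a-z]+\s*=/i', $html);
}

// Constructed sample submission of the kind a stored-XSS attempt would send.
$submitted = [
    'author' => 'Jane <img src=x onerror=alert(1)>',
    'text'   => 'Great product! <strong>Five stars</strong><script>alert("xss")</script>',
    'rating' => '5',
];

$unsafe = demo_render_unsafe($submitted);                          // stored and echoed as-is
$safe   = demo_render_safe(demo_sanitize_submission($submitted));  // sanitized on save, escaped on output

printf("unsafe render still contains active markup: %s\n", demo_contains_active_markup($unsafe) ? 'yes' : 'no');
printf("safe render still contains active markup:   %s\n", demo_contains_active_markup($safe) ? 'yes' : 'no');
echo $safe, "\n";
```

Run it with `php` on the command line: the unsafe render keeps the injected script and event handler, the safe render keeps only the allow-listed `<strong>` and shows the author's angle brackets as escaped text. One caveat on the detection commands listed above: grepping the plugin's source tree for `<script` will mostly match the plugin's own legitimate JavaScript, since in a stored XSS the payload lives in the saved testimonial records rather than in the plugin files; the reliable check is the installed plugin version from `wp plugin list` against the fixed version 1.1.2.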
CVE-2025-49410 is a CRITICAL Stored XSS vulnerability in the TC Testimonials WordPress plugin, allowing attackers to inject malicious scripts.
Yes, if you are using TC Testimonials version 1.1.1 or earlier, you are affected by this vulnerability.
Upgrade the TC Testimonials plugin to version 1.1.2 or later to resolve this vulnerability.
While no confirmed exploits are public, the CRITICAL severity suggests a high probability of exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.