Platform
wordpress
Component
tc-testimonial
Fixed version
1.1.2
CVE-2025-49410 describes a Stored Cross-Site Scripting (XSS) vulnerability within the TC Testimonials WordPress plugin. This vulnerability allows attackers to inject malicious scripts that are stored on the server and executed when other users view the affected pages. Versions of TC Testimonials prior to 1.1.2 are affected, and a patch is available in version 1.1.2.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into the TC Testimonials plugin, which would then be executed in the browsers of any user visiting a page displaying the malicious testimonial. This could lead to account takeover, data theft (including cookies and session tokens), redirection to phishing sites, or defacement of the website. The stored nature of the vulnerability means that a single successful injection can affect numerous users over time, amplifying the potential impact. The plugin's widespread use in WordPress sites further increases the potential blast radius.
CVE-2025-49410 was publicly disclosed on 2025-08-20. While no public exploits have been confirmed at the time of writing, the CRITICAL severity and ease of exploitation associated with XSS vulnerabilities suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Websites using the TC Testimonials plugin, particularly those with user-generated content or testimonial features, are at risk. Sites with limited security monitoring or outdated WordPress installations are especially vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if the plugin is not promptly updated.
• wordpress / composer / npm:
grep -r "<script" /var/www/html/wp-content/plugins/tc-testimonials/
wp plugin list --status=all | grep "tc-testimonials"
wp plugin update tc-testimonials --version=1.1.2
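The `wp plugin list` check above needs WP-CLI and a working WordPress bootstrap. The script below is an added example (not part of the advisory or the plugin) that reads the plugin's own `Version:` header from disk and compares it with the fixed release 1.1.2, so it works on a static copy of the web root or a backup. It assumes the plugin directory is `wp-content/plugins/tc-testimonials` and that the main plugin file carries a standard WordPress header block; the file name `tc-testimonials.php` used for the constructed sample is an assumption.

```shell
#!/bin/sh
# Added example: decide whether an on-disk TC Testimonials install is below
# the fixed version 1.1.2 by parsing the plugin header (CVE-2025-49410).
# Assumption: the plugin directory and "Version:" header follow WordPress
# conventions; the main file name is not known from the advisory.

PLUGIN_DIR="${PLUGIN_DIR:-/var/www/html/wp-content/plugins/tc-testimonials}"
FIXED_VERSION="1.1.2"

# Print the dotted version found in a plugin header ("Version: 1.1.1"),
# tolerating the leading " * " of a block comment. Empty if absent.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Numeric dotted-version compare: succeed when $1 is strictly lower than $2.
# sort -t. -kN,Nn orders each component numerically, so 1.10.0 > 1.9.0.
version_lt() {
    [ "$1" != "$2" ] || return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Map a version string to "vulnerable" or "fixed" relative to FIXED_VERSION.
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Inspect a plugin directory. Exit status: 0 vulnerable, 1 fixed, 2 undetermined.
check_plugin_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "plugin directory not found: $dir" >&2
        return 2
    fi
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v=$(plugin_version "$f")
        [ -n "$v" ] || continue
        echo "$(basename "$f"): version $v -> $(classify_version "$v")"
        if version_lt "$v" "$FIXED_VERSION"; then return 0; else return 1; fi
    done
    echo "no Version header found under $dir" >&2
    return 2
}

# Constructed fixture: write a minimal plugin header with the given version.
# Used only so the example runs stand-alone; not a copy of the real plugin.
write_sample_plugin() {
    mkdir -p "$1"
    printf '<?php\n/*\nPlugin Name: TC Testimonials\nVersion: %s\n*/\n' "$2" \
        > "$1/tc-testimonials.php"
}

# Stand-alone demo on a constructed pre-fix install; with an argument,
# check that directory instead (e.g. the real PLUGIN_DIR).
demo() {
    tmp=$(mktemp -d)
    write_sample_plugin "$tmp/tc-testimonials" "1.1.1"
    if check_plugin_dir "$tmp/tc-testimonials"; then
        echo "action: update to $FIXED_VERSION or later"
    fi
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then
    check_plugin_dir "$1"
else
    demo
fi
```

Run it as `sh check-tc-testimonials.sh "$PLUGIN_DIR"` on each site; exit status 0 flags an install still below 1.1.2, which makes it easy to fan out over many document roots on a shared host and collect the ones that need the `wp plugin update` step.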
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49410 is to immediately upgrade the TC Testimonials plugin to version 1.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent new malicious testimonials from being added. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting WordPress plugins may offer some protection, but this is not a substitute for patching. Regularly scan your WordPress installation for vulnerable plugins using a security scanner.
Update the TC Testimonials plugin to the latest available version to mitigate the XSS vulnerability. Check the WordPress plugin repository or the developer's website for updates. Implement additional security measures, such as validating and sanitizing all user input, to prevent future XSS attacks.
CVE-2025-49410 is a CRITICAL Stored XSS vulnerability in the TC Testimonials WordPress plugin, allowing attackers to inject malicious scripts.
Yes, if you are using TC Testimonials version 1.1.1 or earlier, you are affected by this vulnerability.
Upgrade the TC Testimonials plugin to version 1.1.2 or later to resolve this vulnerability.
While no confirmed exploits are public, the CRITICAL severity suggests a high probability of exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.