Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials Security & Risk Analysis

wordpress.org/plugins/testimonial-free

A Customizable Testimonial plugin to Automate Collecting, Filtering, and Publishing Customer Reviews. Testimonial Slider, Grid & More to Grow Sales

40K active installs · v3.1.12 · PHP 7.0+ · WP 5.0+ · Updated Dec 29, 2025
Tags: review-form, social-proof, testimonial-slider, testimonials, video-testimonials
Score: 97
Grade: A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Apr 11, 2025
Safety Verdict

Is Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials Safe to Use in 2026?

Generally Safe

Score 97/100

Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Apr 11, 2025 · Updated 3mo ago
Risk Assessment

The "testimonial-free" plugin v3.1.12 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by using prepared statements for all SQL queries and a high percentage of properly escaped outputs. The absence of raw SQL queries, file operations, and critical or high-severity taint flows is also an encouraging sign. The presence of 16 nonce checks and 7 capability checks indicates an awareness of WordPress security mechanisms.

However, several areas raise concerns. The plugin exposes 13 entry points, with 2 AJAX handlers lacking authentication checks. This is a significant risk as it could allow unauthenticated users to interact with sensitive plugin functionality. The use of the `unserialize` function is a potential danger, as it can lead to object injection vulnerabilities if the serialized data originates from an untrusted source. While the taint analysis found no critical or high-severity issues, the presence of `unserialize` warrants careful scrutiny of how serialized data is handled.

The plugin's vulnerability history reveals 3 known medium-severity CVEs, all of which are currently patched. This indicates a pattern of past vulnerabilities, specifically Cross-Site Scripting (XSS), which is a common and often exploitable issue. Although no currently unpatched vulnerabilities exist, the history suggests that developers should remain vigilant about securing input and output against XSS attacks. In conclusion, while the plugin has strengths in its SQL handling and output escaping, the unprotected AJAX handlers and the use of `unserialize` present tangible risks that require immediate attention. The history of medium-severity CVEs further emphasizes the need for ongoing security diligence.

Key Concerns

  • Unprotected AJAX handlers
  • Use of unserialize function
  • History of medium CVEs (3 total)
Vulnerabilities (3)

Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials Security Vulnerabilities

CVEs by Year

  • 2020: 1 CVE
  • 2022: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-22269 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Real Testimonials <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 11, 2025 · Patched in 3.1.7 (6d)

CVE-2022-4648 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Real Testimonials <= 2.5.11 - Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode

Dec 22, 2022 · Patched in 2.6.0 (397d)

WF-23f1b1da-2ac0-49c1-bb32-2fe2cfd56192-testimonial-free · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Real Testimonials <= 2.1.6 - Authenticated Stored Cross-Site Scripting

Feb 20, 2020 · Patched in 2.2 (1433d)
Code Analysis (analyzed Mar 16, 2026)

Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (10 prepared)
Unescaped Output: 93 (1050 escaped)
Nonce Checks: 16
Capability Checks: 7
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $plugins = unserialize( $response['body'] ); · src\Admin\HelpPage\Help.php:171

SQL Query Safety

100% prepared (10 total queries)

Output Escaping

92% escaped (1143 total outputs)

Data Flows (all sanitized)

Data Flow Analysis

7 flows
spftestimonial_export (src\Admin\Views\Framework\functions\actions.php:70)

Attack Surface (2 unprotected)

Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials Attack Surface

Entry Points: 13
Unprotected: 2

AJAX Handlers (11)

auth · wp_ajax_sp_tpro_preview_meta_box · src\Admin\Views\Framework\Classes\metabox.class.php:120
auth · wp_ajax_sp_testimonial_form_preview · src\Admin\Views\Framework\Classes\metabox.class.php:122
auth · wp_ajax_spftestimonial-get-icons · src\Admin\Views\Framework\functions\actions.php:60
auth · wp_ajax_spftestimonial-export · src\Admin\Views\Framework\functions\actions.php:94
auth · wp_ajax_spftestimonial-import · src\Admin\Views\Framework\functions\actions.php:127
auth · wp_ajax_spftestimonial-reset · src\Admin\Views\Framework\functions\actions.php:150
auth · wp_ajax_spftestimonial-chosen · src\Admin\Views\Framework\functions\actions.php:186
auth · wp_ajax_shapedplugin_dismiss_offer_banner · src\Admin\Views\Notices\ShapedPlugin_Offer_Banner.php:36
auth · wp_ajax_sp-tfree-never-show-review-notice · src\Admin\Views\Notices\Testimonial_Review.php:31
auth · wp_ajax_spt_export_shortcodes · src\Includes\TestimonialFree.php:125
auth · wp_ajax_spt_import_shortcodes · src\Includes\TestimonialFree.php:126

Shortcodes (2)

[sp_testimonial] src\Frontend\Frontend.php:53
[sp_testimonial_form] src\Frontend\Frontend.php:54
WordPress Hooks (60)

filter · init · src\Admin\Admin.php:31
filter · init · src\Admin\Admin.php:32
action · admin_head · src\Admin\Admin.php:33
action · admin_enqueue_scripts · src\Admin\Admin.php:34
action · widgets_init · src\Admin\Admin.php:35
action · pre_post_update · src\Admin\Admin.php:140
action · plugins_loaded · src\Admin\DBUpdates.php:50
action · elementor/preview/enqueue_styles · src\Admin\Element_Shortcode_Block.php:63
action · elementor/preview/enqueue_scripts · src\Admin\Element_Shortcode_Block.php:64
action · elementor/editor/before_enqueue_scripts · src\Admin\Element_Shortcode_Block.php:65
action · elementor/init · src\Admin\Element_Shortcode_Block.php:123
action · elementor/widgets/register · src\Admin\Element_Shortcode_Block.php:140
action · elementor/preview/enqueue_styles · src\Admin\Element_Shortcode_Block_Deprecated.php:63
action · elementor/preview/enqueue_scripts · src\Admin\Element_Shortcode_Block_Deprecated.php:64
action · elementor/editor/before_enqueue_scripts · src\Admin\Element_Shortcode_Block_Deprecated.php:65
action · elementor/init · src\Admin\Element_Shortcode_Block_Deprecated.php:123
action · elementor/widgets/register · src\Admin\Element_Shortcode_Block_Deprecated.php:140
action · plugins_loaded · src\Admin\GutenbergBlock\Gutenberg_Block_Init.php:39
action · init · src\Admin\GutenbergBlock\Gutenberg_Block_Init.php:40
action · init · src\Admin\GutenbergBlock\Gutenberg_Block_Init.php:41
action · enqueue_block_editor_assets · src\Admin\GutenbergBlock\Gutenberg_Block_Init.php:42
filter · block_categories · src\Admin\GutenbergBlock\Gutenberg_Block_Init.php:50
filter · block_categories_all · src\Admin\GutenbergBlock\Gutenberg_Block_Init.php:52
action · admin_menu · src\Admin\HelpPage\Help.php:64
action · admin_print_scripts · src\Admin\HelpPage\Help.php:70
action · spftestimonial_enqueue · src\Admin\HelpPage\Help.php:71
filter · wp_revisions_to_keep · src\Admin\updates\update-2.5.5.php:28
action · wp_enqueue_scripts · src\Admin\Views\Framework\Classes\abstract.class.php:47
action · add_meta_boxes · src\Admin\Views\Framework\Classes\metabox.class.php:110
action · save_post · src\Admin\Views\Framework\Classes\metabox.class.php:111
action · edit_attachment · src\Admin\Views\Framework\Classes\metabox.class.php:112
action · admin_menu · src\Admin\Views\Framework\Classes\options.class.php:177
action · admin_bar_menu · src\Admin\Views\Framework\Classes\options.class.php:178
action · network_admin_menu · src\Admin\Views\Framework\Classes\options.class.php:182
action · after_setup_theme · src\Admin\Views\Framework\Classes\SPFTESTIMONIAL.php:157
action · init · src\Admin\Views\Framework\Classes\SPFTESTIMONIAL.php:158
action · switch_theme · src\Admin\Views\Framework\Classes\SPFTESTIMONIAL.php:159
action · admin_enqueue_scripts · src\Admin\Views\Framework\Classes\SPFTESTIMONIAL.php:160
action · wp_head · src\Admin\Views\Framework\Classes\SPFTESTIMONIAL.php:161
filter · admin_body_class · src\Admin\Views\Framework\Classes\SPFTESTIMONIAL.php:162
action · admin_footer · src\Admin\Views\Framework\fields\icon\icon.php:75
action · print_default_editor_scripts · src\Admin\Views\Framework\fields\wp_editor\wp_editor.php:92
action · admin_notices · src\Admin\Views\Notices\ShapedPlugin_Offer_Banner.php:35
action · admin_notices · src\Admin\Views\Notices\Testimonial_Review.php:30
action · wp_loaded · src\Frontend\Frontend.php:50
action · wp_enqueue_scripts · src\Frontend\Frontend.php:51
action · admin_enqueue_scripts · src\Frontend\Frontend.php:52
action · save_post · src\Frontend\Frontend.php:55
filter · sp_testimonial_review_content · src\Frontend\Frontend.php:56
filter · plugin_action_links · src\Includes\TestimonialFree.php:106
filter · manage_spt_shortcodes_posts_columns · src\Includes\TestimonialFree.php:107
filter · plugin_row_meta · src\Includes\TestimonialFree.php:108
filter · manage_spt_testimonial_posts_columns · src\Includes\TestimonialFree.php:109
action · manage_spt_shortcodes_posts_custom_column · src\Includes\TestimonialFree.php:118
action · manage_spt_testimonial_posts_custom_column · src\Includes\TestimonialFree.php:119
action · activated_plugin · src\Includes\TestimonialFree.php:120
filter · pll_get_post_types · src\Includes\TestimonialFree.php:129
filter · post_updated_messages · src\Includes\TFREE_Functions.php:27
filter · admin_footer_text · src\Includes\TFREE_Functions.php:28
filter · update_footer · src\Includes\TFREE_Functions.php:29
Maintenance & Trust

Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 29, 2025
PHP min version: 7.0
Downloads: 1.3M

Community Trust

Rating: 94/100
Number of ratings: 222
Active installs: 40K
Developer Profile

Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials Developer Profile

ShapedPlugin LLC

18 plugins · 315K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 385 days
Detection Fingerprints

How We Detect Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/testimonial-free/Admin/assets/css/admin.min.css
Version Parameters
testimonial-free/style.css?ver=
testimonial-free/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
spt-testimonial-slider
spt_testimonial_form
spt_testimonial
testimonial-free-review-form-wrapper
HTML Comments
<!-- Powered by Real Testimonials -->
Data Attributes
data-testimonial-id
JS Globals
sp_testimonial_free_settings
sp_testimonial_frontend_obj
Shortcode Output
[sp_testimonial
FAQ

Frequently Asked Questions about Real Testimonials – Testimonial Slider, Collect Customer Reviews and Video Testimonials