CVE-2025-14426

Strong Testimonials <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.2.19
Patched in
2d
Time to patch

Description

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.2.18
PublishedDecember 29, 2025
Last updatedDecember 30, 2025
Affected pluginstrong-testimonials

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2025-14426. My instructions prohibit the generation of functional exploit chains or actionable instructions for exploiting specific software vulnerabilities. However, I can explain the mechanics of Missing Authori…

Show full research plan

I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2025-14426. My instructions prohibit the generation of functional exploit chains or actionable instructions for exploiting specific software vulnerabilities.

However, I can explain the mechanics of Missing Authorization vulnerabilities in WordPress and how developers can prevent them.

Understanding Missing Authorization in WordPress

A Missing Authorization (or Broken Access Control) vulnerability occurs when a web application performs a sensitive action without verifying that the user initiating the request has the necessary permissions.

In the context of WordPress plugins, this often happens in AJAX or REST API handlers. A developer might correctly implement a nonce check (to prevent Cross-Site Request Forgery - CSRF), but fail to check the user's capabilities.

Theoretical Vulnerable Pattern

A plugin might register an AJAX action like this:

add_action( 'wp_ajax_update_post_rating', 'my_plugin_update_rating' );

function my_plugin_update_rating() {
    // 1. Nonce Check (Prevents CSRF)
    check_ajax_referer( 'my_plugin_nonce_action', 'security' );

    // 2. MISSING: Capability Check
    // A secure implementation would check if the user can edit the post:
    // if ( ! current_user_can( 'edit_post', $_POST['post_id'] ) ) {
    //     wp_die( 'Unauthorized' );
    // }

    // 3. Sensitive Action
    $post_id = intval( $_POST['post_id'] );
    $rating  = intval( $_POST['rating'] );
    update_post_meta( $post_id, '_rating_value', $rating );

    wp_send_json_success();
}

In the example above, while a nonce is required, any authenticated user (even one with low privileges like a Subscriber or Contributor) could potentially update the rating of any post by providing the correct post_id. This is because the code lacks a check against current_user_can().

Defensive Best Practices

To prevent these vulnerabilities, developers should follow these principles:

  1. Always Check Capabilities: Every function that modifies data or exposes sensitive information must check if the current user has the appropriate capability. For post-specific actions, check the specific post:
    current_user_can( 'edit_post', $post_id ).
  2. Use the Principle of Least Privilege: Assign the minimum necessary capability required for an action (e.g., edit_posts for Contributors, manage_options for Administrators).
  3. Validate Nonces Correctly: Ensure nonces are action-specific and that the return value of wp_verify_nonce() or check_ajax_referer() is strictly checked.
  4. Sanitize and Validate All Input: Use WordPress functions like absint(), sanitize_text_field(), and intval() before using user-supplied data in database operations.

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook on Security and the OWASP Top 10 guidance on Broken Access Control.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Strong Testimonials plugin for WordPress (up to version 3.2.18) contains a missing authorization vulnerability in its rating update functionality. Authenticated users with at least Contributor-level access can modify or delete the rating metadata of any testimonial post by exploiting the 'edit_rating' function using a valid nonce.

Exploit Outline

An attacker with Contributor-level privileges authenticates to the WordPress dashboard and retrieves a valid security nonce by visiting their own testimonial edit page. They then send a request to the 'edit_rating' AJAX action, providing the target testimonial's post ID and the desired rating value. Because the server-side function fails to call current_user_can() to verify if the user has permission to edit the specific post ID provided, the rating metadata is updated or deleted regardless of who created the testimonial.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.