WordPress · HMS Testimonials · CVE-2013-4241
Name of the Vulnerable Software and Affected Versions:
HMS Testimonials plugin versions prior to 2.0.11
Description:
This cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including `name`, `image`, `url`, `testimonial`, and `date format`, submitted to various forms and settings pages, such as the "hms-testimonials-addnew", "hms-testimonials-settings", "hms-testimonials-settings-fields", and "hms-testimonials-templates-new" pages.
Recommendations:
For versions prior to 2.0.11, update to version 2.0.11 or later to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable parameters, such as `name`, `image`, `url`, `testimonial`, and `date format`, in the affected forms and settings pages until a patch is applied.
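To find installations that still need the update, the check below reads the plugin's version header and compares it with 2.0.11. It is an added example, not code from the plugin or the advisory, and it assumes the plugin lives in `wp-content/plugins/hms-testimonials` (a folder name inferred from the page slugs above).

```python
import re
from pathlib import Path

FIXED = (2, 0, 11)               # first fixed release, per the advisory
PLUGIN_DIR = "hms-testimonials"  # assumption: folder name matches the page slug prefix

# Same shape as a WordPress plugin header line, e.g. " * Version: 2.0.10"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """'2.0.9' -> (2, 0, 9). Stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True for releases before 2.0.11. Compares integers, because as
    strings '2.0.9' sorts after '2.0.11' and would look patched."""
    v = parse_version(version)
    v += (0,) * (len(FIXED) - len(v))   # '2.0' compares as (2, 0, 0)
    return v < FIXED                    # unparseable -> (0, 0, 0) -> flagged


def installed_version(wp_root):
    """Version header of the installed plugin, 'unknown', or None if absent."""
    plugin = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_DIR
    if not plugin.is_dir():
        return None
    for php in sorted(plugin.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header is at the top
        if "Plugin Name:" in head:
            m = VERSION_RE.search(head)
            return m.group(1) if m else "unknown"
    return "unknown"


def audit(wp_root):
    """Classify one WordPress root: 'absent', 'vulnerable' or 'patched'."""
    version = installed_version(wp_root)
    if version is None:
        return "absent"
    return "vulnerable" if is_vulnerable(version) else "patched"
```

Call `audit()` with the path of each WordPress document root; a result of `vulnerable` also covers installs whose version header could not be parsed, so those get reviewed by hand.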