CVE-2013-5672

Name of the Vulnerable Software and Affected Versions IndiaNIC Testimonial plugin version 2.2 for WordPress

Description The issue allows remote attackers to hijack the authentication of administrators for various requests, including adding testimonials, listing templates, and widget templates. It also enables the insertion of cross-site scripting (XSS) sequences via multiple parameters, including project name, project url, client name, client city, client state, description, tags, video url, is featured, title, widget title, no of testimonials, filter by country, filter by tags, and widget template, which are sent to the "wp-admin/admin-ajax.php" endpoint.

Recommendations For IndiaNIC Testimonial plugin version 2.2, consider disabling the iNIC testimonial save, iNIC testimonial save listing template, and iNIC testimonial save widget actions until a patch is available. Restrict access to the wp-admin/admin-ajax.php endpoint to minimize the risk of exploitation. Avoid using the parameters project name, project url, client name, client city, client state, description, tags, video url, is featured, title, widget title, no of testimonials, filter by country, filter by tags, and widget template in the affected endpoint until the issue is resolved.