CVE-2020-14959

Name of the Vulnerable Software and Affected Versions Easy Testimonials plugin versions prior to 3.6 for WordPress

Description The issue allows remote attackers to inject arbitrary web script or HTML via certain parameters in the wp-admin/post.php file, including Client Name, Position, Web Address, Other, Location Reviewed, Product Reviewed, Item Reviewed, or Rating. This is due to insufficient protection of the webpage structure when handling these parameters, enabling cross-site scripting (XSS) attacks.

Recommendations For Easy Testimonials plugin versions prior to 3.6, update to version 3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/post.php file or disabling the parameters Client Name, Position, Web Address, Other, Location Reviewed, Product Reviewed, Item Reviewed, and Rating until the update is applied.