Strong Testimonials Vulnerability – Authenticated(Contributor+) Improper Authorization to Views Modification – CVE-2023-6491 | WordPress Plugin Vulnerability Report
Plugin Name: Strong Testimonials
Key Information:
- Software Type: Plugin
- Software Slug: strong-testimonials
- Software Status: Active
- Software Author: wpchill
- Software Downloads: 3,337,363
- Active Installs: 100,000
- Last Updated: June 18, 2024
- Patched Versions: 3.1.13
- Affected Versions: <= 3.1.12
Vulnerability Details:
- Name: Strong Testimonials <= 3.1.12
- Title: Authenticated(Contributor+) Improper Authorization to Views Modification
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2023-6491
- CVSS Score: 4.3
- Publicly Published: June 6, 2024
- Researcher: Rafshanzani Suhada
- Description: The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This allows authenticated attackers with contributor access and above to modify favorite views.
Summary:
The Strong Testimonials plugin for WordPress has a vulnerability in versions up to and including 3.1.12 that allows authenticated attackers with contributor access and above to modify favorite views. This vulnerability has been patched in version 3.1.13.
Detailed Overview:
The vulnerability discovered by researcher Rafshanzani Suhada affects the Strong Testimonials plugin due to a lack of proper capability checks in the wpmtst_save_view_sticky function. Exploiting this flaw allows authenticated users with contributor-level permissions or higher to manipulate favorite views, potentially affecting data integrity and user experience. Updating to version 3.1.13 or later is crucial to mitigate this risk and ensure secure plugin operation.
Advice for Users:
Immediate Action: Update Strong Testimonials to version 3.1.13 or later immediately.
Check for Signs of Vulnerability: Monitor user activities and favorite view settings for any unauthorized modifications.
Alternate Plugins: Consider using alternative testimonial plugins temporarily until Strong Testimonials is updated and verified secure.
Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and maintain website security.
Conclusion:
The swift response from the Strong Testimonials plugin developers in releasing version 3.1.13 highlights the importance of prompt updates in addressing security vulnerabilities. Users are advised to ensure their installations are running version 3.1.13 or later to safeguard their WordPress sites against potential exploits.
Detailed Report:
In today's digital landscape, maintaining the security of your WordPress website is paramount to protecting sensitive data and preserving user trust. Recently, a security vulnerability (CVSS 4.3) was discovered in the Strong Testimonials plugin, which is widely used across more than 100,000 active WordPress sites. This plugin, developed by wpchill, facilitates the management and display of customer testimonials, making it a valuable tool for many businesses and organizations.
Vulnerability Details:
The vulnerability, identified as CVE-2023-6491, affects Strong Testimonials versions up to and including 3.1.12. It is an authenticated (Contributor+) improper authorization issue within the wpmtst_save_view_sticky function. This flaw allows attackers with contributor-level access or higher to modify favorite views, potentially compromising the integrity of displayed testimonials and user experience on affected websites.
Summary:
The vulnerability in Strong Testimonials allows authenticated attackers to manipulate favorite views, posing risks to data integrity and user trust. This issue has been addressed in the latest release, version 3.1.13, which all users are strongly encouraged to update to immediately.
Detailed Overview:
Discovered by researcher Rafshanzani Suhada and published on June 6, 2024, this vulnerability underscores the importance of rigorous capability checks in WordPress plugins. Exploitation of the wpmtst_save_view_sticky function vulnerability could lead to unauthorized modifications in testimonial displays, potentially affecting the credibility of customer feedback and undermining user trust in the affected websites.
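The root cause described in this report, a missing capability check on an authenticated AJAX handler, is a recurring WordPress plugin weakness: a `wp_ajax_*` hook only guarantees that the caller is logged in, so any role down to Contributor can reach it unless the handler itself verifies a capability. The following is an added illustration of the defensive pattern, not code from the Strong Testimonials plugin; the hook name `example_save_view_sticky`, the option name `example_sticky_views` and the request parameters `view_id`, `sticky` and `nonce` are hypothetical, while the WordPress API calls used are real.

```php
<?php
// Added illustration; hook, option and parameter names are hypothetical and
// are NOT the Strong Testimonials plugin's own code.

// Weak shape: the handler trusts that "logged in" means "allowed". Any
// authenticated role (Contributor and up) can reach a wp_ajax_* hook.
add_action( 'wp_ajax_example_save_view_sticky_weak', 'example_save_view_sticky_weak' );
function example_save_view_sticky_weak() {
    $view_id = isset( $_POST['view_id'] ) ? absint( $_POST['view_id'] ) : 0;
    $favorites = get_option( 'example_sticky_views', array() );
    $favorites[ $view_id ] = ! empty( $_POST['sticky'] );
    update_option( 'example_sticky_views', $favorites );   // no authorization check
    wp_send_json_success();
}

// Hardened shape: nonce check, explicit capability check, input validation.
add_action( 'wp_ajax_example_save_view_sticky', 'example_save_view_sticky' );
function example_save_view_sticky() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action. check_ajax_referer() ends the request on failure.
    check_ajax_referer( 'example_save_view_sticky', 'nonce' );

    // 2. Authorization: the check that the vulnerable version lacked.
    //    'manage_options' is an administrator capability; Contributors,
    //    Authors and Editors do not hold it by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Record the denied attempt so administrators can monitor for
        // unexpected modification attempts, as the report recommends.
        error_log( sprintf(
            'example_save_view_sticky: permission denied for user ID %d',
            get_current_user_id()
        ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only a positive integer view id and a flag.
    $view_id = isset( $_POST['view_id'] ) ? absint( $_POST['view_id'] ) : 0;
    if ( 0 === $view_id ) {
        wp_send_json_error( array( 'message' => 'Invalid view id.' ), 400 );
    }
    $sticky = ! empty( $_POST['sticky'] );

    // 4. Persist the change only after the checks above have passed.
    $favorites = get_option( 'example_sticky_views', array() );
    if ( ! is_array( $favorites ) ) {
        $favorites = array();
    }
    if ( $sticky ) {
        $favorites[ $view_id ] = true;
    } else {
        unset( $favorites[ $view_id ] );
    }
    update_option( 'example_sticky_views', $favorites );

    wp_send_json_success( array( 'view_id' => $view_id, 'sticky' => $sticky ) );
}
```

The capability chosen should match the privilege the action actually represents; `manage_options` is used here because changing which views are favorited is a site-wide administrative setting, and a nonce alone is not a substitute for that check since any logged-in user can obtain a nonce for an action exposed to them. The `error_log()` line gives site owners a concrete signal to watch when following the report's advice to monitor favorite view settings for unauthorized changes.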
Advice for Users:
Website administrators should take immediate action by updating Strong Testimonials to version 3.1.13 or newer to mitigate the identified security risk. Additionally, monitoring user activities and favorite view settings for any unauthorized changes is crucial. While awaiting the plugin update, consider using alternative testimonial plugins that offer similar functionality to maintain site operations smoothly.
Conclusion:
The swift release of version 3.1.13 by Strong Testimonials developers highlights the critical role of proactive updates in addressing security vulnerabilities promptly. Ensuring your WordPress site is always running the latest patched versions not only protects against potential exploits but also reinforces your commitment to maintaining a secure online presence and safeguarding user data.
Previous vulnerabilities:
Since July 24, 2018, there have been 7 previous vulnerabilities identified in Strong Testimonials, underscoring the ongoing importance of vigilance and proactive security measures in WordPress plugin management.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
Strong Testimonials Vulnerability – Authenticated(Contributor+) Improper Authorization to Views Modification – CVE-2023-6491 | WordPress Plugin Vulnerability Report FAQs
What is the vulnerability in the Strong Testimonials plugin?
The vulnerability in the Strong Testimonials plugin (CVE-2023-6491) allows authenticated attackers with contributor-level access or higher to modify favorite views due to inadequate capability checks. This means attackers could potentially alter or delete saved views, impacting user experience and data integrity.