cleantalk
Vulnerabilities and Security Researches

Client Testimonial Slider, CVE-2025-13897

CVE, Research URL

CVE-2025-13897

Home page URL

Security reports for Client Testimonial Slider

Application

Client Testimonial Slider

Published on
Jan 09, 2026
Research Description
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page.
Affected versions
max 2.0.
Status
vulnerable
Previous vulnerability researches
Client Testimonial Slider (CVE-2025-13897) , Jan 27, 2026
Client Testimonial Slider (CVE-2026-2716) , Apr 17, 2026
New vulnerability
NextGEN Download Gallery (CVE-2026-0675) , Apr 17, 2026
Smart Online Order for Clover (CVE-2025-15635) , Apr 17, 2026
Basic Google Maps Placemarks (CVE-2026-3581) , Apr 17, 2026
MyRewards – Loyalty Points and Rewards for WooCommerce – Reward orders, referrals, product reviews and more (CVE-2026-40786) , Apr 17, 2026
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress (CVE-2025-9318) , Apr 17, 2026