Keeping your WordPress site safe means keeping plugins up-to-date and watching out for vulnerabilities. Today, we’re deep-diving into a real-world example: CVE-2021-36858. This is a vulnerability in the popular _Themepoints Testimonials_ plugin (up to version 2.6) that exposes your site to stored Cross-Site Scripting (XSS) — but only for admin (or higher) users.

Let’s break down what this means, how it happens, and what you can do to protect your site.

What is CVE-2021-36858?

CVE-2021-36858 is a stored XSS vulnerability in the _Themepoints Testimonials_ WordPress plugin, found in versions up to 2.6. Exploiting this bug requires admin-level access — in other words, only authenticated users with “admin” (or higher) privileges can use it.

Why is “admin+ only” still a big deal?

You might think, “If someone’s an admin, they already ‘own’ the site.” But there are situations — like on multi-admin teams, client environments, or compromised accounts — where one admin could attack others, implant persistent malware, or set up backdoors.

How Does Stored XSS Work Here?

An XSS (Cross-Site Scripting) attack lets an attacker inject malicious JavaScript code into a web page. Stored XSS is especially nasty because the payload gets saved in the site’s database. Any user viewing that content can be affected.

Here, the bug happens because the Testimonials plugin does not properly sanitize input fields when an admin saves a testimonial. Malicious JavaScript added here can fire whenever someone views the testimonials page, including other admins.

Goes to Testimonials > Add New Testimonial in the wp-admin dashboard.

3. Inserts a payload (malicious JavaScript) in a field like Author Name, Designation, or testimonials description.

Example Input (in the “Name” field)

<script>alert(document.cookie)</script>

Saves the testimonial.

5. When anyone (admin or visitor, if testimonials are public) views the testimonial, the JavaScript runs.

Let’s imagine a simplified version of what’s going on inside the plugin’s code

// Insecure example (pre-patch)
$name   = $_POST['tp_name'];
// ... insert $name into wp_testimonials table ...
echo $name; // output on the testimonial page (no sanitization!)

There’s no filtering or encoding here, so any HTML/JS will be output as-is.

What Should Happen (Safe Version)

$name = sanitize_text_field($_POST['tp_name']);
echo esc_html($name); // encoded, safe output!

What’s the Real-World Risk?

- Malicious admins could plant JavaScript that steals session cookies, hijacks other admin accounts, or even serve malware to admins and user browsers.
- If some other security flaw or misconfiguration gives lower-level users (like Editors) access to testimonials, this bug gets way scarier.

Are There Proofs or Exploit Scripts Out There?

This is a simple, low-skill exploit — just stashing JS in a field. Full-blown auto-exploitation usually isn't needed.

But a proof-of-concept request looks like

POST /wp-admin/admin.php?page=add-testimonial HTTP/1.1
Host: victimsite.com
Cookie: [admin session]

tp_name=<script>alert(document.cookie)</script>&other_fields=...

Official References

- WPScan Advisory - CVE-2021-36858
- NVD - CVE-2021-36858
- Plugin Directory - Themepoints Testimonials (for updates or patch status)

How To Fix

- Upgrade the Plugin: Make sure you’re on version 2.7 _or higher,_ which reportedly addresses the vulnerability.

Review Admin User List: Make sure only absolutely trusted people have admin access.

- Sanitize Everything: If you’re a developer, always sanitize and escape user inputs, even on “trusted” admin pages.

Final Thoughts

While it’s “admin+ only,” this stored XSS vulnerability in _Themepoints Testimonials_ (CVE-2021-36858) is another reminder — all code that touches browsers needs serious scrutiny, no matter who can input. Always patch, always sanitize, always keep your admin team tight!

Timeline

Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:44:00 UTC