If you run a WordPress website, plugins can make your life easier, adding features with a few clicks. But sometimes, they can also open the door to hackers. One real-world example is CVE-2022-44741, which chains Cross-Site Request Forgery (CSRF) into Cross-Site Scripting (XSS) in the Testimonial Slider plugin by David Anderson, versions 1.3.1 and below.

In this post, you’ll learn what went wrong with this plugin, see real code snippets, and discover how attackers exploited it. By the end, you’ll understand how such a simple weakness can put your whole site and its visitors in danger.

What is CVE-2022-44741? (In Plain Language)

CVE-2022-44741 is a vulnerability found in the David Anderson Testimonial Slider plugin, versions up to 1.3.1. The plugin lets site admins add testimonials (user reviews) and display them with fancy sliders.

Here’s the problem:  
- The plugin’s admin actions did not verify that a request had been intentionally submitted from the plugin’s own admin form (no nonce check), so a request forged by another site was accepted because it carried the admin’s session (CSRF flaw).
- It also did not sanitize testimonial content on save or escape it on output, so attacker-supplied script tags were stored and later executed in visitors’ browsers (stored XSS).

Combine those two, and an attacker could trick a logged-in admin into clicking a link or visiting a page. Without the admin noticing, their browser would submit a crafted request to the plugin, injecting malicious JavaScript into the testimonials. Later, anyone visiting the testimonial slider would run the attacker’s code!

What’s Critical?

- Plugin: Testimonial Slider by David Anderson (wordpress.org plugin page)
- Vulnerable Versions: ≤ 1.3.1
- Vulnerability Type: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)

1. CSRF Issue: The Missing Nonce

WordPress plugins should always add a nonce (a per-user, time-limited token tied to a specific action) to forms and AJAX requests, and verify it on the server, to prevent CSRF. Testimonial Slider did not. So as long as an admin was logged in, any page they visited could make their browser submit a crafted form to the plugin’s handler.

Attack scenario:

2. XSS Issue: Unfiltered Input

The plugin also didn’t sanitize or escape what was entered in testimonials. Once an admin had been tricked (step 1), arbitrary content could be saved, including dangerous <script> tags.

Result:  
- Anyone viewing the public testimonial slider could get hit by injected JavaScript, leading to credential theft, defacement, and more.

Code Snippet: Malicious CSRF Form Example

Here’s an example of how an attacker could craft the request with a simple HTML form. If an admin user lands on the attacker’s page, all the page needs to do is auto-submit this form:

<html>
  <body>
    <form id="csrf" action="https://yourwordpresssite.com/wp-admin/admin-post.php" method="POST">
      <input type="hidden" name="action" value="add_testimonial">
      <input type="hidden" name="testimonial_author" value="Victim">
      <input type="hidden" name="testimonial_content" value="<script>alert('Hacked via CVE-2022-44741');</script>">
      <!-- more fields as required by plugin -->
    </form>
    <script>
      document.getElementById('csrf').submit();
    </script>
  </body>
</html>

What happens:
If a logged-in admin visits this page, the browser *automatically submits* the form to WordPress, adding a testimonial containing <script>. Now, every visitor who loads the testimonial slider will see the attacker's alert — or worse, have cookies stolen, their browser hijacked, etc.

Exploit Details and Impact

Exploit Difficulty:

Potential Attack Outcomes:  
- Persistent (stored) XSS can steal admin cookies and their session, letting the attacker do anything the admin can.
- Website defacement.

Who is affected?

- Any WordPress website running Testimonial Slider ≤ 1.3.1.
- Higher risk if admin users frequently browse email, social media, or untrusted sites while logged in.

Responsible Disclosure Timeline

- Patchstack (advisory): Found and disclosed the bug, November 2022.
- NIST/NVD (CVE record): Published CVE details.
- Plugin status: At discovery, not patched. Always check the official plugin page for current info.

How to Protect Yourself

1. Uninstall or Update: If you use Testimonial Slider, remove it or update to a safe version (if/when one is released).
2. Web Application Firewall: Tools like Wordfence can block some of these attacks before they land.
3. Check for Nonces: If you make or use plugins, always require and check nonces on all admin actions and forms!
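To make the two fixes concrete (the missing nonce check from the CSRF section and the missing sanitization and escaping from the XSS section, which is also what item 3 asks you to look for), here is an added example of a hardened "add testimonial" flow. This is not the Testimonial Slider plugin’s own code and is not taken from the advisory; it is a hypothetical plugin written for this post. Every name prefixed `ts_example_`, the option key and the shortcode name are assumptions; the WordPress functions used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `wp_kses_post`, `esc_html`) are the real core API.

```php
<?php
/*
 * Hypothetical hardened "add testimonial" flow for a WordPress plugin.
 * Added example, not the Testimonial Slider plugin's own code. Everything
 * prefixed ts_example_ is an assumption made for this illustration.
 */

// ---- Admin form: emits the nonce field that the handler below verifies. ----
function ts_example_render_admin_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ts_example_add_testimonial', 'ts_example_nonce' ); ?>
        <input type="hidden" name="action" value="ts_example_add_testimonial">
        <p><input type="text" name="testimonial_author" placeholder="Author"></p>
        <p><textarea name="testimonial_content"></textarea></p>
        <p><button type="submit">Add testimonial</button></p>
    </form>
    <?php
}

// ---- Handler: the checks the vulnerable plugin lacked, then sanitization. ----
function ts_example_handle_add_testimonial() {
    // 1. Capability check: only users allowed to manage the site may add entries.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: a form auto-submitted from another site cannot carry a
    //    valid nonce for this action, so check_admin_referer() stops the
    //    request here (it calls wp_die() on failure).
    check_admin_referer( 'ts_example_add_testimonial', 'ts_example_nonce' );

    // 3. Input sanitization: strip all tags from the author; allow only the
    //    limited post-content HTML (no <script>, no on* handlers) in the body.
    $author  = isset( $_POST['testimonial_author'] )
        ? sanitize_text_field( wp_unslash( $_POST['testimonial_author'] ) ) : '';
    $content = isset( $_POST['testimonial_content'] )
        ? wp_kses_post( wp_unslash( $_POST['testimonial_content'] ) ) : '';

    if ( '' === $author || '' === $content ) {
        wp_die( 'Author and content are required.', '', array( 'response' => 400 ) );
    }

    // Storage in a plugin option is an assumption for this example.
    $testimonials   = (array) get_option( 'ts_example_testimonials', array() );
    $testimonials[] = array( 'author' => $author, 'content' => $content );
    update_option( 'ts_example_testimonials', $testimonials );

    wp_safe_redirect( admin_url( 'admin.php?page=ts_example&added=1' ) );
    exit;
}
add_action( 'admin_post_ts_example_add_testimonial', 'ts_example_handle_add_testimonial' );

// ---- Public output: escape on render as well, so a stored value can never
//      become markup even if some other code path wrote it unfiltered. ----
function ts_example_render_slider() {
    $testimonials = (array) get_option( 'ts_example_testimonials', array() );
    $html         = '<div class="ts-example-slider">';
    foreach ( $testimonials as $t ) {
        $html .= '<blockquote>'
            . wp_kses_post( $t['content'] )                // re-filter stored HTML at output
            . '<cite>' . esc_html( $t['author'] ) . '</cite>'
            . '</blockquote>';
    }
    return $html . '</div>';
}
add_shortcode( 'ts_example_slider', 'ts_example_render_slider' );
```

Against this handler, the auto-submitted form shown earlier fails at step 2: it has no `ts_example_nonce` field, and an attacker’s page cannot obtain one because the nonce is generated from the admin’s session and the action name on the site itself. Even if a check were ever bypassed, step 3 would drop the `<script>` tag before storage, and the render function filters again on the way out. When reviewing a plugin, look for exactly these three things in every `admin_post_*` and `wp_ajax_*` handler: a capability check, a `check_admin_referer()` / `wp_verify_nonce()` call, and sanitization of every `$_POST` value before it is saved.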

References & Further Reading

- Patchstack Advisory: CVE-2022-44741
- NVD Entry: CVE-2022-44741
- WordPress Plugin Directory: Testimonial Slider
- WordPress Nonces Explained (official docs)

Final Thoughts

CVE-2022-44741 is a classic example of why security basics matter in WordPress plugins. By missing just a couple of lines of code, the Testimonial Slider plugin gave attackers a big opening — and all it took to exploit was an incautious admin visiting a bad link.

Do regular plugin audits, review code for nonce checks and input sanitization, and keep your site updated. It’s a small effort compared to cleaning up a hacked website.


*Stay safe out there! If you found this useful, share it with your friends running WordPress — it could save them from a nasty surprise.*

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:47:00 UTC