CVE-2022-4648 – Real Testimonials < 2.6.0 - Contributor+ Stored XSS

https://notcve.org/view.php?id=CVE-2022-4648

22 Dec 2022 — The Real Testimonials WordPress plugin before 2.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. El complemento Real Testimonials de WordPress anterior a 2.6.0 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los ... • https://wpscan.com/vulnerability/9bbfb664-5b83-452b-82bb-562a1e18eb65 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •