WordPress Fancy Testimonials Authenticated Stored XSS (CVE-2026-8039)

Vulnerability Overview Vulnerability Name: Fancy Testimonials <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting Vulnerability Type: Stored Cross-Site Scripting (Stored XSS) CVSS Score: 6.4 (Medium) CVE ID: CVE-2026-8039 Published Date: June 17, 2026 Last Updated: June 18, 2026 Researcher: zakaria Affected Range Affected Software: Fancy Testimonials Software Type: Plugin Software Slug: fancy-testimonials Affected Versions: <= 1.0 Vulnerability Description: The Fancy Testimonials plugin contains a stored cross-site scripting vulnerability in the shortcode attribute within the shortcode. This vulnerability exists in all versions, including 1.0, due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor level or higher permissions to inject arbitrary web scripts into pages, which execute when users visit the injected pages. Remediation Patch Status: No known patch Recommended Actions: Please review the vulnerability details in detail and implement mitigation measures according to your organization's risk tolerance. It is recommended to uninstall the affected software and seek alternatives. Additional Information Reference Links: - plugins.trac.wordpress.org - plugins.trac.wordpress.org Notes This vulnerability database is completely free for querying and use, containing all vulnerability data identical to the user interface. API documentation and Webhook documentation are provided, detailing how to query vulnerability API endpoints and configure webhooks. Contact Technical Support: support@wordfence.com Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 365 days a year, 1-hour response time Copyright Information Copyright: © 2012-2026 Defiant Inc. All Rights Reserved License: Used under the licensing terms of Defiant Inc. and MITRE Corporation. Social Media Facebook: Wordfence Twitter: Wordfence LinkedIn: Wordfence Instagram: Wordfence Subscription Subscription Link: Subscribe Disclaimer Terms of Service: Terms of Service Privacy Policy: Privacy Policy Data Protection: Do not sell or share my personal information Technical Support Wordfence Free: Free Wordfence Premium: Premium Wordfence Care: Care Wordfence Response: Response Wordfence CLI: Command Line Wordfence Intelligence: Intelligence Wordfence Central: Central Documentation Documentation: Documentation Learning Center: Learning Center Free Support: Free Support Premium Support: Premium Support News Blog: Blog Latest Updates: Latest Updates Vulnerability Announcements: Vulnerability Announcements About About Wordfence: About Wordfence Affiliate Program: Affiliate Program Careers: Careers Contact: Contact Security: Security CVE Request Form: CVE Request Form Subscribe to Updates Subscribe: Subscribe Others Wordfence Intelligence: Wordfence Intelligence Wordfence: Wordfence Summary Vulnerability Overview: The Fancy Testimonials plugin contains a stored cross-site scripting vulnerability, affecting all versions, including 1.0. Affected Range: The affected software is Fancy Testimonials, and the affected versions are <= 1.0. Remediation: No known patch; it is recommended to uninstall the affected software and seek alternatives. Notes This vulnerability database is completely free for querying and use, containing all vulnerability data identical to the user interface. API documentation and Webhook documentation are provided, detailing how to query vulnerability API endpoints and configure webhooks. Contact Technical Support: support@wordfence.com Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 365 days a year, 1-hour response time Copyright Information Copyright: © 2012-2026 Defiant Inc. All Rights Reserved License: Used under the licensing terms of Defiant Inc. and MITRE Corporation. Social Media Facebook: Wordfence Twitter: Wordfence LinkedIn: Wordfence Instagram: Wordfence Subscription Subscription Link: Subscribe Disclaimer Terms of Service: Terms of Service Privacy Policy: Privacy Policy Data Protection: Do not sell or share my personal information Technical Support Wordfence Free: Free Wordfence Premium: Premium Wordfence Care: Care Wordfence Response: Response Wordfence CLI: Command Line Wordfence Intelligence: Intelligence Wordfence Central: Central Documentation Documentation: Documentation Learning Center: Learning Center Free Support: Free Support Premium Support: Premium Support News Blog: Blog Latest Updates: Latest Updates Vulnerability Announcements: Vulnerability Announcements About About Wordfence: About Wordfence Affiliate Program: Affiliate Program Careers: Careers Contact: Contact Security: Security CVE Request Form: CVE Request Form Subscribe to Updates Subscribe: Subscribe Others Wordfence Intelligence: Wordfence Intelligence Wordfence: Wordfence Summary Vulnerability Overview: The Fancy Testimonials plugin contains a stored cross-site scripting vulnerabilit

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Fancy Testimonials Authenticated Stored XSS (CVE-2026-8039)

More from this source