CVE-2020-8549: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Strong Testimonials WordPress plugin versions before 2.40.1. The vulnerability, identified as CVE-2020-8549, was first reported on January 23, 2020, and affects over 90,000 active installations (Astra Blog, Jinson Blog).

The vulnerability exists in the client details section when adding or editing a testimonial. Specifically, the 'custom[client_name]' and 'custom[company_name]' parameters were found to be vulnerable to stored cross-site scripting. The XSS payload gets executed when the testimonial is added to a page on the site. Additionally, the payload in custom[client_name] also executes in the All Testimonials admin page (/wp-admin/edit.php?post_type=wpm-testimonial). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow attackers to perform malicious actions such as stealing session tokens, performing arbitrary actions on behalf of victims, capturing keystrokes, and potentially compromising user credentials. When exploited, the attacker could execute arbitrary JavaScript code in the context of other users' browsers who view the affected testimonials (Astra Blog).

The vulnerability was patched in version 2.40.1, released on January 25, 2020. Users are strongly recommended to update to this version or later to mitigate the risk. No alternative workarounds were provided (Strong Testimonials Changelog).