CVE-2023-1372: 
WordPress vulnerability analysis and mitigation

The WH Testimonials WordPress plugin version 3.0.0 and below contains an unauthenticated stored Cross-Site Scripting (XSS) vulnerability tracked as CVE-2023-1372. The vulnerability was discovered on March 11, 2023, and publicly disclosed on March 13, 2023. The issue affects the testimonial submission functionality where multiple parameters (whhomepage, whtextshort, and whtext_full) are not properly sanitized or escaped (WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the testimonial submission feature. Specifically, the whhomepage, whtextshort, and whtext_full parameters of submitted testimonials are not properly sanitized, allowing attackers to inject malicious scripts. The vulnerability has been assigned a CVSS score of 8.8 (High), indicating significant severity (WPScan).

This vulnerability allows unauthenticated attackers to perform Stored Cross-Site Scripting attacks. When successfully exploited, the attacker can inject malicious scripts that will be executed in the context of other users' browsers when they view the affected testimonials, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

At the time of disclosure, there was no known fix available for this vulnerability. Website administrators running affected versions of the WH Testimonials plugin should consider disabling the plugin until a security update is available (WPScan).