1. Download and install "Testimonials Widget 3.5.1" from

2. Go into “Testimonials” tab from the sidebar and create a new testimonials by clicking on the “Add New” button

3. Enter testimonial's name, content. In "Author", "Job Title", "Location", "Company", "URL" fields of "Testimonial Data", input an XSS vector, For example:


4. Save the changes and click on “Submit for Review” (if roles is Contributor) or "Publish" (if roles is Author or Editor).

5. By visiting permalink, ex:<name-of-testimonial> or by visiting posts that have embedded shortcodes (Ex: [testimonials limit=5 paging=true char_limit=0]), the JavaScript code injected would be executed.

The problem lied in files at "templates/" folder, where plugin echos user input values without sanitizing:

Ex: testimonials-widget/templates/span-author.php

global $tw_template_args;

$testimonial = $tw_template_args['testimonial'];

$author = empty( $testimonial['testimonial_author'] ) ? $testimonial['testimonial_source'] : $testimonial['testimonial_author'];
<span class="author"><?php echo $author; ?></span>