PatchSiren cyber security CVE debrief
CVE-2022-50947 WordPress CVE debrief
CVE-2022-50947 is a stored cross-site scripting issue in the WordPress plugin Testimonial Slider and Showcase 2.2.6. According to the supplied record, an authenticated editor can place malicious script into the testimonial title field because the post_title parameter is not properly sanitized. When affected content is viewed, the script can execute in a browser, creating a risk of session abuse and other account-impacting actions. The supplied record does not list this CVE in CISA KEV.
- Vendor: WordPress
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
WordPress administrators and site owners running Testimonial Slider and Showcase 2.2.6, especially environments that allow editor-level users to create or edit testimonials.
Technical summary
The supplied NVD/CVE description identifies a stored XSS (CWE-79) in Testimonial Slider and Showcase 2.2.6. The flaw is triggered when the plugin accepts attacker-controlled post_title input for testimonial content without adequate sanitization, allowing script to be stored and later rendered in victims’ browsers. The described attack requires authenticated editor privileges and can affect users who view the impacted draft or rendered post.
Defensive priority
Medium priority: the issue requires authenticated access, but stored XSS in a WordPress plugin can still expose administrative and user sessions if affected content is rendered.
Recommended defensive actions
- Review all WordPress instances using Testimonial Slider and Showcase and confirm whether version 2.2.6 is installed.
- Apply the vendor's remediated release if available; otherwise disable or remove the plugin until a fix is confirmed.
- Restrict editor-level access to trusted accounts and review whether testimonial creation should be limited further.
- Inspect existing testimonial titles and related content for unexpected markup or script-like input and remove suspicious entries.
- Verify that the site and plugin templates correctly sanitize and escape user-controlled fields before rendering.
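As an added illustration, not the plugin's own code or material from the supplied record, the following shows the unescaped post_title rendering pattern the technical summary describes beside the escaped form that the last action above asks you to verify. The template markup, the testimonial array and the fallback definitions are assumptions for a stand-alone run; under WordPress the real esc_html and esc_attr helpers are used.

```php
<?php
// Added example, not the plugin's code: the vulnerable pattern (post_title echoed
// into a template unescaped) next to the hardened form. The markup and the
// testimonial row are constructed here, not taken from the plugin.

// Fallbacks so this file runs outside WordPress; when WordPress is loaded these
// helpers already exist and the blocks below are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed testimonial row; the title is the editor-controlled field.
$testimonial = [
    'post_title'   => 'Great service <img src=x onerror="alert(1)">',
    'post_content' => 'Five stars.',
];

// Vulnerable pattern: the stored title is inserted as-is, so any markup it
// carries is parsed and executed by every browser that renders the slider.
function render_vulnerable(array $t) {
    return '<div class="testimonial" title="' . $t['post_title'] . '">'
         . '<h3>' . $t['post_title'] . '</h3>'
         . '<p>' . $t['post_content'] . '</p></div>';
}

// Hardened pattern: escape at output with the helper that matches the context
// (esc_attr inside attributes, esc_html in element text). Stored data is left
// untouched; the browser receives the title as literal text, not as a tag.
function render_hardened(array $t) {
    return '<div class="testimonial" title="' . esc_attr($t['post_title']) . '">'
         . '<h3>' . esc_html($t['post_title']) . '</h3>'
         . '<p>' . esc_html($t['post_content']) . '</p></div>';
}

echo "Vulnerable output:\n" . render_vulnerable($testimonial) . "\n\n";
echo "Hardened output:\n" . render_hardened($testimonial) . "\n";
```

Running the file with plain `php` prints both renderings; in the hardened output the angle brackets and quotes arrive as entities, which is the behaviour to confirm when reviewing a template.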
Evidence notes
The vulnerability details come from the supplied NVD record for CVE-2022-50947, which classifies the issue as CWE-79 and describes the unsanitized post_title path in Testimonial Slider and Showcase 2.2.6. The plugin landing page at wordpress.org is included in the source corpus for product identification, and the VulnCheck advisory is listed in the NVD references. A public exploit-db link is also present in the corpus, but this debrief does not rely on it for technical claims. The supplied record timestamps are 2026-05-10 and should be treated as record metadata, not the original vulnerability date.
Official resources
Supplied record metadata shows CVE-2022-50947 was published and modified on 2026-05-10. The issue is described as a stored XSS in WordPress plugin Testimonial Slider and Showcase 2.2.6 affecting authenticated editors. No CISA KEV entry is a