CVE-2025-10686
Description
The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated editors can leverage a Local File Inclusion bug in Creta Testimonial Showcase < 1.2.4 to include and execute arbitrary PHP files.
The Creta Testimonial Showcase WordPress plugin, before version 1.2.4, contains a Local File Inclusion (LFI) vulnerability. The root cause is improper sanitization of user-supplied file paths, allowing an attacker with editor-level access to include arbitrary files from the server's filesystem [1].
To exploit this vulnerability, an attacker must be authenticated with at least editor-level privileges within the WordPress site. No additional authentication is needed beyond the existing WordPress user session. The attacker can then craft a request that causes the plugin to include an attacker-chosen file already present on the server's filesystem, such as a PHP shell, leading to code execution [1].
The impact is significant: an authenticated editor (or higher) can achieve arbitrary PHP code execution on the server. This can lead to full site compromise, data exfiltration, or further lateral movement within the hosting environment [1].
The vulnerability is patched in version 1.2.4 of the Creta Testimonial Showcase plugin. Users should update immediately to the latest version. The issue was publicly disclosed by researcher Khaled Alenazi (Nxploited) and published via WPScan on October 24, 2025 [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.2.4
- Range: <1.2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.