Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion. This issue affects Testimonial Slider And Showcase Pro: from n/a through <= 2.3.15.
Published: 2025-04-11
Score: 8.1 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename for an include/require statement in PHP, allowing local file inclusion. An attacker could supply a malicious file path and cause the plugin to read or execute arbitrary files on the web server, potentially exposing sensitive configuration data or compromising the site. The weakness is classified as CWE‑98.

Affected Systems

The affected product is RadiusTheme’s Testimonial Slider And Showcase Pro plugin for WordPress, in every version up to and including 2.3.15. Any WordPress site that has the plugin activated is affected if unauthenticated or authenticated users can influence the file path parameter.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of 2% indicates a non‑negligible current likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting limited public exploitation. The likely attack vector is through a crafted request to the plugin’s file path parameter, enabling the attacker to read arbitrary local files. Without additional access, this does not directly lead to remote code execution, but it can disclose critical information that could be leveraged for further attacks.

Generated by OpenCVE AI on May 20, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Testimonial Slider And Showcase Pro plugin to the latest available version (>=2.3.16) to obtain the vendor's fix for the local file inclusion flaw.
  • If an immediate upgrade is not possible, uninstall or disable the plugin entirely to eliminate the vulnerable functionality.
  • Implement a web‑application firewall rule or server‑side access control that blocks or sanitizes requests attempting to include arbitrary file paths used by the plugin, thereby mitigating the risk until a patch is applied.



Advisories
Source: EUVD
ID: EUVD-2025-10742
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Testimonial Slider And Showcase Pro allows PHP Local File Inclusion. This issue affects Testimonial Slider And Showcase Pro: from n/a through 2.3.15.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Testimonial Slider And Showcase Pro allows PHP Local File Inclusion. This issue affects Testimonial Slider And Showcase Pro: from n/a through 2.3.15.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion. This issue affects Testimonial Slider And Showcase Pro: from n/a through <= 2.3.15.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Testimonial Slider And Showcase Pro allows PHP Local File Inclusion. This issue affects Testimonial Slider And Showcase Pro: from n/a through 2.3.15.
Title WordPress Testimonial Slider and Showcase Pro plugin <= 2.3.15 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:06:57.610Z

Reserved: 2025-04-09T11:21:11.058Z

Link: CVE-2025-32656

Vulnrichment

Updated: 2025-04-11T13:31:16.781Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:34.907

Modified: 2026-04-23T15:29:17.620

Link: CVE-2025-32656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:00:13Z

Weaknesses