Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider testimonial-add allows PHP Local File Inclusion. This issue affects Testimonial Slider: from n/a through <= 3.5.8.6.
Published: 2025-09-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filename in an include or require statement within the Testimonial Slider plugin allows an attacker to specify arbitrary file paths. By supplying a crafted filename, the plugin can read any accessible local file; if that file contains PHP code, the code will execute under the web server’s user context, potentially granting full system compromise. This issue is classified as CWE‑98, Improper Control of Filename for Include/Require Statements, and is a classic Local File Inclusion flaw that directly threatens confidentiality, integrity, and availability.

Affected Systems

The flaw affects the Testimonial Slider plugin developed by PluginOps. All releases from the initial version up through version 3.5.8.6 are impacted. No other vendors or products are explicitly listed in the advisory.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity for this vulnerability. The EPSS score of less than 1% suggests that the likelihood of public exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the files that can be included are local to the server, while the flaw is likely triggered through the plugin’s web interface, where the filename parameter can be supplied by a remote user; the CVSS vector recorded for this CVE (AV:N, PR:L) corresponds to a network-reachable attack that requires low privileges. Because the flaw resides in server‑side PHP code, an attacker who can reach the affected plugin’s endpoint can potentially include local files and achieve remote code execution if exploited successfully.

Generated by OpenCVE AI on April 30, 2026 at 06:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Testimonial Slider plugin to a version newer than 3.5.8.6 if one is available
  • If the plugin is not critical to operations, uninstall or deactivate it completely
  • Implement server or application‑level controls to prevent local file inclusion, such as validating or sanitizing any user‑supplied paths before include/require statements
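
The path validation recommended in the last action above, as an added example that is not taken from the Testimonial Slider code base: the request selects a key from an allowlist, and the resolved path is confirmed to sit inside the template directory before it reaches `include`. The function name `resolve_template`, the template keys and the demo directory are hypothetical.

```php
<?php
// Added example: hypothetical template loader, not the plugin's own code.
// Weak pattern (CWE-98): a request value is concatenated straight into
// the path handed to include/require.

/**
 * Resolve a request-supplied template key to a file that is safe to include.
 * Returns the absolute path, or null when the key is rejected.
 */
function resolve_template(string $baseDir, string $key, array $allowed): ?string
{
    // 1. Allowlist: the request chooses a key, never a path.
    if (!in_array($key, $allowed, true)) {
        return null;
    }
    // 2. Containment: canonicalise, then require the file to be under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $key . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the template directory
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: one real template in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/grid.php', "<?php return 'grid';");
$allowed = ['grid', 'carousel']; // 'carousel' is allowed but has no file

foreach (['grid', 'carousel', '../secret', '/etc/hostname'] as $key) {
    $path = resolve_template($base, $key, $allowed);
    printf("%-14s => %s\n", $key,
        $path === null ? 'rejected' : 'include ' . basename($path));
}

unlink($base . '/grid.php');
rmdir($base);
```

Only `grid` resolves; the allowlisted key with no file and both path-shaped inputs are rejected before any `include` runs.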



Advisories
Source: EUVD
ID: EUVD-2025-31274
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider allows PHP Local File Inclusion. This issue affects Testimonial Slider: from n/a through 3.5.8.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider allows PHP Local File Inclusion. This issue affects Testimonial Slider: from n/a through 3.5.8.6.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider testimonial-add allows PHP Local File Inclusion. This issue affects Testimonial Slider: from n/a through <= 3.5.8.6.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Pluginops
Pluginops testimonial Slider
Wordpress
Wordpress wordpress
Vendors & Products Pluginops
Pluginops testimonial Slider
Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider allows PHP Local File Inclusion. This issue affects Testimonial Slider: from n/a through 3.5.8.6.
Title WordPress Testimonial Slider Plugin <= 3.5.8.6 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.332Z

Reserved: 2025-09-25T15:20:29.870Z

Link: CVE-2025-60126

Vulnrichment

Updated: 2025-09-26T13:09:25.370Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:40.063

Modified: 2026-04-23T15:34:16.147

Link: CVE-2025-60126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:15:29Z

Weaknesses