Home

Description

The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.

PUBLISHED Reserved 2025-09-18 | Published 2025-11-14 | Updated 2025-11-14 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 1.2.4
affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/27d58c5a-ab87-41aa-a806-53fa96d4351c/ exploit vdb-entry technical-description

cve.org (CVE-2025-10686)

nvd.nist.gov (CVE-2025-10686)

Download JSON