CVE-2025-32657 Overview
CVE-2025-32657 is a PHP Local File Inclusion (LFI) vulnerability in the RadiusTheme Testimonial Slider And Showcase Pro plugin for WordPress. The flaw stems from improper control of filenames passed to PHP include or require statements [CWE-98]. Attackers with low-privilege authenticated access can coerce the plugin into loading arbitrary local PHP files. Successful exploitation can lead to code execution, sensitive file disclosure, and full site compromise. The vulnerability affects all versions up to and including 2.1.7.
Critical Impact
Authenticated attackers can load arbitrary local PHP files, enabling remote code execution and disclosure of WordPress secrets such as wp-config.php.
Affected Products
- RadiusTheme Testimonial Slider And Showcase Pro (plugin slug testimonial-slider-showcase-pro)
- All versions from initial release through 2.1.7
- WordPress sites running the vulnerable plugin
Discovery Timeline
- 2025-10-22 - CVE-2025-32657 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-32657
Vulnerability Analysis
The plugin accepts user-controlled input and passes it to a PHP file inclusion statement without proper validation or path normalization. This allows an attacker to manipulate the filename argument and reference local files outside the intended directory. The issue is categorized as PHP Remote File Inclusion but in this context permits Local File Inclusion (LFI) on affected WordPress installations. The Patchstack advisory confirms exploitation requires low-level authentication on the target site.
Root Cause
The root cause is improper control of filenames supplied to PHP include or require calls [CWE-98]. The plugin does not enforce an allowlist of valid template files, nor does it sanitize directory traversal sequences such as ../. Any parameter routed into the inclusion sink becomes an arbitrary file selector.
Attack Vector
An authenticated attacker submits a crafted request to a vulnerable plugin endpoint with a manipulated filename parameter. The plugin resolves the path and includes the referenced PHP file in the server context. Attackers commonly target wp-config.php to extract database credentials, or chain the LFI with log poisoning or uploaded payloads to achieve remote code execution. See the Patchstack WordPress Vulnerability Report for advisory details.
Detection Methods for CVE-2025-32657
Indicators of Compromise
- HTTP requests to plugin endpoints containing path traversal sequences such as ../ or URL-encoded variants %2e%2e%2f
- Access log entries referencing sensitive paths like wp-config.php, /etc/passwd, or PHP session files
- Unexpected PHP errors referencing missing include targets in plugin code paths
- New or modified PHP files under wp-content/uploads/ shortly after suspicious include requests
Detection Strategies
- Monitor web server logs for parameters supplied to the testimonial-slider-showcase-pro plugin containing traversal patterns or absolute paths
- Deploy WordPress-aware web application firewall (WAF) rules targeting CWE-98 patterns in plugin requests
- Alert on authenticated low-privilege accounts triggering plugin AJAX or admin-ajax actions tied to template loading
Monitoring Recommendations
- Track read access to wp-config.php and other sensitive files outside normal PHP-FPM workflows
- Enable PHP error logging and forward to a central SIEM for correlation with web access logs
- Audit plugin inventory and flag any WordPress instances running testimonial-slider-showcase-pro version 2.1.7 or earlier
How to Mitigate CVE-2025-32657
Immediate Actions Required
- Update RadiusTheme Testimonial Slider And Showcase Pro to a version newer than 2.1.7 as soon as a patched release is available
- Restrict access to the WordPress admin area and enforce strong authentication for any user role that can interact with the plugin
- Rotate WordPress secrets, database credentials, and API keys if LFI exploitation is suspected
- Review web server logs for traversal patterns dating back to plugin installation
Patch Information
No fixed version is identified in the available CVE record beyond confirmation that all releases through 2.1.7 are affected. Consult the Patchstack WordPress Vulnerability Report and the RadiusTheme vendor channel for the latest patched build.
Workarounds
- Deactivate and remove the plugin until a verified patch is installed
- Apply virtual patching through a WordPress WAF that blocks traversal payloads in plugin parameters
- Harden PHP with open_basedir restrictions to confine file inclusion to the WordPress document root
- Disable allow_url_include and allow_url_fopen in php.ini to prevent escalation to remote file inclusion
# Configuration example: harden php.ini against file inclusion abuse
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
