CVE-2025-32656
Published: 11 April 2025
Summary
CVE-2025-32656 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue, tracked as CWE-98, that stems from improper control of filenames in include/require statements. It affects the RadiusTheme Testimonial Slider And Showcase Pro WordPress plugin in all versions through 2.3.15 and carries a CVSS 3.1 score of 8.1.
An unauthenticated attacker can supply a crafted filename over the network to force the plugin to include arbitrary local files. Successful exploitation can yield full control over the confidentiality, integrity, and availability of the affected WordPress site, although the attack requires high complexity.
The issue is documented in the Patchstack advisory, which identifies the affected plugin versions and links to the corresponding vendor update that resolves the file-inclusion flaw. The associated EPSS score remains low, with only a modest increase from 0.0115 to a peak of 0.0187.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10742
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.This issue affects Testimonial Slider And Showcase Pro: from n/a through <= 2.3.15.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.