CVE-2025-10686: 
WordPress vulnerability analysis and mitigation

The Creta Testimonial Showcase WordPress plugin before version 1.2.4 contains a Local File Inclusion vulnerability identified as CVE-2025-10686. The vulnerability was discovered and publicly disclosed on October 24, 2025. This security issue affects WordPress installations using the Creta Testimonial Showcase plugin versions up to and including 1.2.3 (WPScan).

The vulnerability exists in the 'cretats_layout' parameter and allows authenticated attackers with editor-level access or higher to include and execute arbitrary .php files on the server. The issue has been assigned a CVSS score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and falls under the OWASP Top 10 category A1: Injection (WPScan, Rapid7).

When exploited, this vulnerability allows attackers to bypass access controls, obtain sensitive data, and potentially achieve code execution if PHP files can be uploaded and included. The attacker could access and execute arbitrary files on the server, leading to potential unauthorized access to sensitive information and system compromise (Rapid7).

The vulnerability has been patched in version 1.2.4 of the Creta Testimonial Showcase plugin. Users are advised to update to this version immediately to mitigate the risk (WPScan).