CVE-2025-10686 is a path traversal vulnerability classified under CWE-22 affecting the Creta Testimonial Showcase WordPress plugin prior to version 1.2.4. The flaw allows authenticated users with editor-level access or higher to exploit improper pathname restrictions, enabling Local File Inclusion (LFI). By manipulating file paths, attackers can include arbitrary files from the server filesystem and execute embedded PHP code. This effectively grants the attacker the ability to execute arbitrary code with the privileges of the web server process, potentially leading to full system compromise. The vulnerability requires authentication at an elevated privilege level but does not require additional user interaction. The CVSS v3.1 score is 7.2, reflecting high impact on confidentiality, integrity, and availability, with network attack vector and low attack complexity. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a critical risk for affected WordPress sites. The plugin is commonly used for displaying testimonials, and its presence in WordPress environments makes it a target for attackers seeking to leverage trusted plugins for server compromise.

For European organizations, this vulnerability can lead to severe consequences including unauthorized access to sensitive data, website defacement, deployment of malware, or use of compromised servers as pivot points for further attacks. Organizations relying on WordPress for their web presence, especially those using the Creta Testimonial Showcase plugin, face risks of data breaches and service disruptions. The ability to execute arbitrary PHP code can undermine trust, cause regulatory compliance issues (e.g., GDPR violations), and result in financial and reputational damage. Given the high adoption of WordPress in Europe, especially in Germany, the UK, France, and the Netherlands, the threat is significant. Attackers exploiting this vulnerability could target government, healthcare, financial, and e-commerce sectors where WordPress is prevalent. The requirement for editor-level access somewhat limits the attack surface but insider threats or compromised credentials could facilitate exploitation.

1. Immediately update the Creta Testimonial Showcase plugin to version 1.2.4 or later once available to patch the vulnerability. 2. Restrict editor-level and higher privileges to trusted users only and regularly audit user roles and permissions. 3. Implement strict file upload controls and scanning to prevent malicious files from being uploaded and included. 4. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting this plugin. 5. Use security plugins that monitor file integrity and alert on suspicious changes. 6. Isolate WordPress installations in containerized or sandboxed environments to limit the impact of successful exploitation. 7. Monitor logs for unusual file inclusion or PHP execution patterns indicative of exploitation attempts. 8. Enforce multi-factor authentication (MFA) for all users with elevated privileges to reduce risk of credential compromise. 9. Regularly back up website data and configurations to enable quick recovery if compromise occurs.