CVE-2025-32656 identifies a Remote File Inclusion (RFI) vulnerability in the RadiusTheme Testimonial Slider And Showcase Pro plugin, specifically versions up to 2.3.15. The vulnerability stems from improper validation or control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input to include arbitrary files, potentially from remote servers or local file systems. Remote File Inclusion vulnerabilities are critical because they can enable attackers to execute arbitrary PHP code on the server, leading to full site compromise, data theft, or defacement. The plugin is typically used in WordPress environments to display testimonials and showcases, making it a target for attackers seeking to exploit popular CMS platforms. Although no known exploits have been reported in the wild yet, the vulnerability's nature means it could be weaponized quickly once details are public. The lack of a CVSS score suggests the vulnerability is newly published, with limited public analysis. The vulnerability affects all versions up to and including 2.3.15, with no patch links currently available, indicating that users should be vigilant and apply mitigations proactively. The vulnerability was reserved and published in April 2025 by Patchstack, a known vulnerability database and security service provider.

The impact of CVE-2025-32656 is significant for organizations running WordPress sites with the RadiusTheme Testimonial Slider And Showcase Pro plugin. Successful exploitation can lead to remote code execution, allowing attackers to run arbitrary PHP code on the web server. This can result in full site takeover, data breaches, defacement, or pivoting to internal networks. Confidentiality is at risk due to potential data exposure, integrity can be compromised by unauthorized code or content changes, and availability may be affected if the site is defaced or taken offline. Given the plugin's use in many business and personal websites, the scope of affected systems is broad. The ease of exploitation is relatively high since RFI vulnerabilities often do not require authentication or complex user interaction. This elevates the threat level, especially for public-facing websites. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the potential for rapid exploitation once attackers develop proof-of-concept code.

1. Immediately monitor for updates from RadiusTheme and apply any patches addressing this vulnerability as soon as they are released. 2. Until a patch is available, disable or remove the Testimonial Slider And Showcase Pro plugin if feasible, especially on critical or high-traffic sites. 3. Implement strict input validation and sanitization on any parameters that influence file inclusion, ensuring only expected and safe filenames are processed. 4. Configure PHP settings to disable remote file inclusion by setting 'allow_url_include' to 'Off' and 'allow_url_fopen' to 'Off' where possible. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts or unusual URL parameters. 6. Conduct regular security audits and scanning of WordPress plugins to identify vulnerable components. 7. Limit file permissions on the server to prevent unauthorized file uploads or modifications. 8. Educate site administrators on the risks of installing unverified plugins and the importance of timely updates.