CVE-2025-32657: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in RadiusTheme Testimonial Slider And Showcase Pro
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion. This issue affects Testimonial Slider And Showcase Pro: from n/a through <= 2.1.7.
AI Analysis
Technical Summary
CVE-2025-32657 affects the RadiusTheme Testimonial Slider And Showcase Pro WordPress plugin up to and including version 2.1.7. It is classified as improper control of the filename passed to a PHP include/require statement, the weakness class commonly labelled Remote File Inclusion (RFI). The root cause is insufficient validation or sanitization of user-controlled input that determines which file the plugin includes at runtime: an attacker who controls that value can steer the include to a file of their choosing, and if the included file contains PHP it executes with the privileges of the web server.

Although the CVE description states PHP Local File Inclusion, the weakness classification ('PHP Remote File Inclusion') means remote files could also be included where the PHP configuration permits it. Consequences range from arbitrary code execution on the host to privilege escalation, theft of sensitive data, and website defacement.

No CVSS score has been assigned, and no exploitation in the wild had been reported as of the publication date. The CVE was reserved in April 2025 and published in October 2025, so the finding is recent. The plugin is widely used on WordPress sites to display testimonials and showcases, which makes it an attractive target. No patch was available at the time of reporting, so administrators should watch for an update and apply it as soon as it is released.
Potential Impact
For European organizations, the impact of CVE-2025-32657 can be severe. Exploitation could lead to remote code execution, allowing attackers to gain unauthorized access to web servers, manipulate website content, or pivot to internal networks. This threatens the confidentiality of customer and business data, the integrity of web content, and the availability of online services. Organizations in sectors such as e-commerce, media, education, and government that rely on WordPress and the affected plugin are particularly vulnerable. A successful attack could result in data breaches, reputational damage, regulatory penalties under GDPR, and operational disruptions. The ability to execute arbitrary code remotely without authentication significantly raises the risk profile. Moreover, compromised websites could be used as launchpads for further attacks, including malware distribution or phishing campaigns targeting European users. The absence of known exploits currently provides a window for proactive defense, but the potential impact warrants immediate attention.
Mitigation Recommendations
1. Monitor RadiusTheme and official plugin repositories for security updates and apply patches immediately once available.
2. Until patches are released, consider disabling or removing the Testimonial Slider And Showcase Pro plugin if feasible.
3. Implement strict input validation and sanitization on all user inputs, especially those influencing file inclusion mechanisms.
4. Configure PHP settings to disable the allow_url_include and allow_url_fopen directives to prevent remote file inclusion.
5. Employ Web Application Firewalls (WAFs) with rules designed to detect and block RFI attack patterns targeting WordPress plugins.
6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and themes.
7. Restrict file permissions on web servers to limit the impact of potential file inclusion exploits.
8. Maintain comprehensive backups of websites and databases to enable rapid recovery in case of compromise.
9. Educate web administrators and developers about secure coding practices related to file inclusion.
10. Monitor logs for suspicious activity indicative of exploitation attempts, such as unusual include paths or remote file requests.
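Recommendations 3 and 4 in practice, as an added example that is not code from the plugin or from RadiusTheme: a template loader in which the request value only selects a key from a fixed allowlist and never becomes part of the path, with a realpath containment check as defence in depth. The parameter name `layout`, the template directory and the file names are hypothetical.

```php
<?php
// Added example; not the plugin's code. The generic pattern this replaces is
//     include $baseDir . '/' . $_GET['layout'];
// where the raw request value becomes the include path. Pair the code below
// with these php.ini settings (recommendation 4 from the list):
//     allow_url_include = Off
//     allow_url_fopen   = Off
declare(strict_types=1);

// 1. Fixed allowlist: the key chosen by the user maps to a developer-controlled file name.
const TEMPLATE_MAP = [
    'grid'     => 'layout-grid.php',
    'slider'   => 'layout-slider.php',
    'carousel' => 'layout-carousel.php',
];

// Returns the absolute path of an allowed template, or null if the request must be refused.
function resolve_template(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, TEMPLATE_MAP)) {
        return null; // unknown key: refuse, never fall back to the raw value
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . TEMPLATE_MAP[$requested]);
    // 2. Defence in depth: the file must exist and resolve to a location inside $baseDir.
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Typical use inside a plugin's render function (hypothetical parameter "layout").
function render_testimonials(string $baseDir): void
{
    $requested = (isset($_GET['layout']) && is_string($_GET['layout'])) ? $_GET['layout'] : 'grid';
    $template  = resolve_template($requested, $baseDir);
    if ($template === null) {
        http_response_code(400);
        echo 'Unknown layout';
        return;
    }
    include $template; // one of the three files the developer shipped, nothing else
}
```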
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-04-09T11:21:11.059Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68f8efe804677bbd79439733
Added to database: 10/22/2025, 2:53:28 PM
Last enriched: 10/22/2025, 3:07:08 PM
Last updated: 10/29/2025, 6:59:45 AM