CVE-2025-32657 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement in PHP Program,' commonly referred to as a PHP Local File Inclusion (LFI) vulnerability. It affects the RadiusTheme Testimonial Slider And Showcase Pro WordPress plugin, specifically versions up to and including 2.1.7. The vulnerability arises because the plugin fails to properly validate or sanitize user-supplied input used in PHP include or require statements. This improper control allows an attacker to manipulate the filename parameter to include arbitrary files from the local filesystem. Exploiting this vulnerability can lead to disclosure of sensitive files (such as configuration files containing database credentials), execution of arbitrary PHP code if an attacker can upload malicious files, or denial of service by including invalid files. The CVSS v3.1 base score is 7.5, indicating a high severity level, with the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network, requires low privileges but high attack complexity, no user interaction, and impacts confidentiality, integrity, and availability significantly. No known public exploits have been reported yet, but the vulnerability is published and should be considered a critical risk for affected installations. The plugin is commonly used in WordPress environments to display testimonials and showcases, making it a target for attackers seeking to compromise websites and their underlying servers.

For European organizations, the impact of this vulnerability can be severe. Many European businesses and institutions rely on WordPress and associated plugins for their web presence, including marketing, customer engagement, and e-commerce. Exploitation of this LFI vulnerability can lead to unauthorized access to sensitive data such as customer information, internal documents, or credentials stored on the web server. Attackers could also execute arbitrary code, potentially leading to full server compromise, data theft, defacement, or use of the compromised server as a pivot point for further attacks within the organization’s network. This can result in reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The high attack complexity somewhat limits mass exploitation but does not eliminate risk, especially for targeted attacks against high-value European entities. The lack of user interaction requirement means automated scanning and exploitation tools could be used by attackers once exploit code becomes available.

Organizations should immediately verify if they use the RadiusTheme Testimonial Slider And Showcase Pro plugin and identify the version in use. Since no patch links are currently provided, organizations should monitor the vendor’s announcements and apply updates as soon as patches are released. In the interim, restrict access to vulnerable endpoints via web application firewalls (WAFs) or reverse proxies by creating rules to detect and block suspicious file inclusion patterns. Implement strict input validation and sanitization on any user-supplied parameters related to file paths. Disable PHP functions that allow file inclusion if not required, such as include(), require(), and their variants, or use PHP configuration directives to restrict file access (e.g., open_basedir). Conduct thorough code audits and penetration testing to identify and remediate similar vulnerabilities. Additionally, maintain regular backups and incident response plans to quickly recover from potential exploitation. Network segmentation and least privilege principles should be enforced to limit lateral movement if compromise occurs.