Creta Testimonial Showcase < 1.2.4 – Editor+ Local File Inclusion | CVE 2025-10686

Description

The plugin is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.

Proof of Concept

1. Create a new shortcode at http://example.cm/wp-admin/edit.php?post_type=cretats_tms_sc
2. While saving the post in wp-admin, intercept the request and set the parameter 'cretats_layout' to '../../../../wp-config' (four directory traversals).
3. Insert the shortcode into a page: [cretats_testimonials_sc id="1036"].
4. Load the page. WordPress attempts to include /opt/lampp/htdocs/wordpress/wp-config.php, which typically results in a fatal error or visible evidence in PHP error logs. Alternatively, using a benign proof file (e.g., proof.php printing 'LFI-OK') will echo that string, confirming LFI.