Creta Testimonial Showcase Security & Risk Analysis

wordpress.org/plugins/creta-testimonial-showcase

Showcase client reviews with Creta Testimonial Showcase, an easy, responsive WordPress testimonial plugin with free and premium templates.

2K active installs v1.2.5 PHP 7.2+ WP 5.0+ Updated Feb 26, 2026
feedback · reviews · testimonials · wordpress-plugin
99
A · Safe
CVEs total 1
Unpatched 0
Last CVE Oct 24, 2025
Safety Verdict

Is Creta Testimonial Showcase Safe to Use in 2026?

Generally Safe

Score 99/100

Creta Testimonial Showcase has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Oct 24, 2025 · Updated 1mo ago
Risk Assessment

The 'creta-testimonial-showcase' plugin v1.2.5 presents a mixed security posture. On the positive side, the plugin uses prepared statements for all of its SQL queries, a strong indicator of protection against SQL injection. It also shows a reasonable level of output escaping, with 79% of outputs properly handled. The absence of critical or high-severity taint flows further suggests a generally well-coded application in this respect.

However, significant concerns arise from the plugin's attack surface. Of its 7 entry points, 5 are unprotected AJAX handlers, which creates a substantial risk of unauthorized actions being performed. The 3 nonce checks that are present do not cover all of the potentially sensitive AJAX endpoints. The plugin's vulnerability history, although it currently shows no unpatched issues, includes a past medium-severity path traversal vulnerability. That history, combined with the current lack of robust authentication on the AJAX endpoints, raises the concern that similar vulnerabilities could appear in the future.

In conclusion, while the plugin follows good practices in database interaction and output handling, the lack of authentication on a majority of its AJAX handlers is a critical weakness. That oversight, together with the past path traversal vulnerability, warrants caution. Protecting the unprotected AJAX endpoints should be the priority for improving the plugin's overall security.

Key Concerns

  • 5 unprotected AJAX handlers
  • Past medium severity vulnerability
  • Only 2 capability checks for 7 entry points
  • 79% output escaping (could be higher)
Vulnerabilities
1

Creta Testimonial Showcase Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched, none unpatched)

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-10686 · medium · 6.6 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Creta Testimonial Showcase <= 1.2.3 - Authenticated (Editor+) Local File Inclusion

Oct 24, 2025 Patched in 1.2.4 (25d)
Code Analysis
Analyzed Mar 16, 2026

Creta Testimonial Showcase Code Analysis

Dangerous Functions 0
Raw SQL Queries 0 (0 prepared)
Unescaped Output 40 (155 escaped)
Nonce Checks 3
Capability Checks 2
File Operations 1
External Requests 2
Bundled Libraries 0

Output Escaping

79% escaped · 195 total outputs
Attack Surface
5 unprotected

Creta Testimonial Showcase Attack Surface

Entry Points 7
Unprotected 5

AJAX Handlers 6

auth    wp_ajax_cretats_get_preview_html    admin\class-meta-shortcode.php:10
auth    wp_ajax_cretats_get_notice_dismiss  admin\class-meta-shortcode.php:12
auth    wp_ajax_get_elemento_collections    admin\themes-page\themes-page.php:16
nopriv  wp_ajax_get_elemento_collections    admin\themes-page\themes-page.php:17
auth    wp_ajax_get_elemento_products       admin\themes-page\themes-page.php:33
nopriv  wp_ajax_get_elemento_products       admin\themes-page\themes-page.php:34

Shortcodes 1

[cretats_testimonials_sc] includes\shortcodes\testimonial-shortcode.php:80
WordPress Hooks 20
action  admin_enqueue_scripts                          admin\class-admin-init.php:9
action  admin_menu                                     admin\class-meta-boxes.php:6
action  save_post                                      admin\class-meta-boxes.php:7
action  add_meta_boxes                                 admin\class-meta-boxes.php:8
filter  manage_cretats_testimonial_posts_columns       admin\class-meta-boxes.php:9
action  manage_cretats_testimonial_posts_custom_column admin\class-meta-boxes.php:10
action  admin_menu                                     admin\class-meta-shortcode.php:7
action  save_post                                      admin\class-meta-shortcode.php:8
action  add_meta_boxes                                 admin\class-meta-shortcode.php:9
filter  manage_cretats_tms_sc_posts_columns            admin\class-meta-shortcode.php:14
action  manage_cretats_tms_sc_posts_custom_column      admin\class-meta-shortcode.php:15
action  admin_header                                   admin\class-meta-shortcode.php:17
action  admin_menu                                     admin\themes-page\themes-page.php:2
action  wp_login                                       creta-testimonial-showcase.php:36
action  admin_footer                                   creta-testimonial-showcase.php:42
action  admin_enqueue_scripts                          creta-testimonial-showcase.php:67
action  admin_notices                                  creta-testimonial-showcase.php:79
action  init                                           includes\post-types\register-testimonial.php:6
action  wp_enqueue_scripts                             public\class-public-init.php:9
filter  the_content                                    public\class-public-init.php:10
Maintenance & Trust

Creta Testimonial Showcase Maintenance & Trust

Maintenance Signals

WordPress version tested 6.8.5
Last updated Feb 26, 2026
PHP min version 7.2
Downloads 15K

Community Trust

Rating 20/100
Number of ratings 2
Active installs 2K
Developer Profile

Creta Testimonial Showcase Developer Profile

Creta Themes

80 plugins · 12K total installs

Trust score 94
Avg Security Score
100/100
Avg Patch Time
25 days
Detection Fingerprints

How We Detect Creta Testimonial Showcase

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/creta-testimonial-showcase/assets/css/admin-inline.css
/wp-content/plugins/creta-testimonial-showcase/assets/css/admin-style.css
/wp-content/plugins/creta-testimonial-showcase/assets/js/admin-js.js
/wp-content/plugins/creta-testimonial-showcase/assets/css/admin-theme-page.css
/wp-content/plugins/creta-testimonial-showcase/assets/js/admin-theme-page.js
/wp-content/plugins/creta-testimonial-showcase/assets/css/bootstrap.min.css
/wp-content/plugins/creta-testimonial-showcase/assets/js/bootstrap.bundle.min.js
/wp-content/plugins/creta-testimonial-showcase/assets/css/owl.carousel.min.css
+5 more
Script Paths
/wp-content/plugins/creta-testimonial-showcase/assets/js/admin-js.js
/wp-content/plugins/creta-testimonial-showcase/assets/js/admin-theme-page.js
/wp-content/plugins/creta-testimonial-showcase/assets/js/bootstrap.bundle.min.js
/wp-content/plugins/creta-testimonial-showcase/assets/js/owl.carousel.min.js
/wp-content/plugins/creta-testimonial-showcase/assets/js/color-picker.js
Version Parameters
ver=1.2.5

HTML / DOM Fingerprints

CSS Classes
cretats-popup-overlay
cretats-popup-content
cretats-popup-dismiss
cretats-popup-wrap
cretats-popup-template-btn
cretats-popup-bundle-btn
cretats-theme-bundle-banner
bundle-row
+13 more
Data Attributes
data-cretats-theme-showcase-columns
JS Globals
cretats_ajax_object
Shortcode Output
cretats_testimonial_showcase
FAQ

Frequently Asked Questions about Creta Testimonial Showcase