CVE-2025-3433 - Vulnerability Details

- Advanced Advertising System <= 1.3.1 - Open Redirect

Description

The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Published: 2025-04-08

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Advanced Advertising System WordPress plugin, allowing an attacker to supply the 'redir' parameter without proper validation. This flaw lets unauthenticated users be redirected to arbitrary URLs, potentially leading to phishing or malware delivery. The weakness follows the definition of CWE-601, representing untrusted redirects that enable attackers to manipulate user navigation without permission.

Affected Systems

All installable versions of the Advanced Advertising System plugin by smartdevth up to and including 1.3.1 are affected. WordPress sites running these plugin versions are at risk if the 'redir' parameter is exposed in public URLs or internal links.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity vulnerability. The EPSS score of less than 1% reflects a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw by embedding a crafted URL that triggers the redirect parameter, typically through phishing emails or malicious links. Because the redirect target is not validated, users can be sent to dangerous sites without their knowledge.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

smartdevth

Advanced Advertising System

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3.1

No data.

Vendor	Product	Confidence	Versions
Smartdevth	Advanced Advertising System	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Advanced Advertising System plugin to the latest version (1.3.2 or newer) which removes the unvalidated redirect.
Disable or restrict the 'redir' query parameter for all non-admin traffic to prevent unintended redirects.
Configure web application firewalls or security plugins to detect and block attempts to manipulate the 'redir' parameter until an update is available.

Generated by OpenCVE AI on April 21, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10343	The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00153.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/advanced-advertising-system/trunk/shortcode.php#L165
https://www.wordfence.com/threat-intel/vulnerabilities/id/72a56589-9dc0-47a7-bb68-e31f84a639ee?source=cve

History

Tue, 08 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 08 Apr 2025 08:30:00 +0000

Type	Values Removed	Values Added
Description		The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Title		Advanced Advertising System <= 1.3.1 - Open Redirect
Weaknesses		CWE-601
References		https://plugins.trac.wordpress.org/browser/advanced-advertising-system/trunk/shortcode.php#L165 https://www.wordfence.com/threat-intel/vulnerabilities/id/72a56589-9dc0-47a7-bb68-e31f84a639ee?source=cve
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Smartdevth Advanced Advertising System

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-04-08T08:22:08.994Z

Updated: 2026-04-08T17:00:47.726Z

Reserved: 2025-04-07T19:56:02.349Z

Link: CVE-2025-3433

Vulnrichment

Updated: 2025-04-08T13:14:23.214Z

NVD

Status : Deferred

Published: 2025-04-08T09:15:28.943

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses

CWE-601

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object