Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included, or already exist on the site.
Published: 2025-07-02
Score: 8.1 High
EPSS: 16.5% Moderate
KEV: No
Impact: Local file inclusion enabling execution of arbitrary PHP code
Action: Immediate patch
AI Analysis

Impact

The Ads Pro Plugin – Multi‑Purpose WordPress Advertising Manager suffers from a Local File Inclusion flaw that allows an attacker without authentication to supply arbitrary file paths via the bsa_template parameter in the bsa_preview_callback function. Once the plugin includes the supplied file, any PHP code within that file is executed on the server. This flaw can be leveraged to bypass access controls, steal sensitive data, and potentially achieve full code execution if arbitrary PHP files can be uploaded or if target files already exist on the server. The weakness is identified as CWE‑98.

Affected Systems

This vulnerability affects the Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager supplied by scripteo. All releases up to and including 4.89 are impacted; the record lists no narrower affected range and no fixed version. The plugin runs within WordPress, so any WordPress site still running 4.89 or earlier with the preview callback reachable is susceptible.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high-severity flaw; the vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) rates attack complexity as high, which is what keeps the score below the 9.8 an otherwise unauthenticated, network-reachable inclusion would receive. The EPSS score of 17 % shows that, at the time of analysis, there is a moderate probability that attackers will target this vulnerability. It is not listed in CISA's KEV catalogue, so no in-the-wild exploitation had been recorded there at the time of analysis. An attacker can trigger the inclusion by sending a crafted HTTP request to the WordPress site with a bsa_template value that points to a local file, such as a previously uploaded PHP file or a script that can be used to establish persistence. The flaw is unauthenticated and reachable over the network ("local" refers to the included file, not to the attacker's position), so the attacker only needs network access to the server, making it a practical risk for exposed WordPress installations that do not restrict the plugin's input. Given the high impact and non-zero likelihood of exploitation, administrators should act promptly.

Generated by OpenCVE AI on April 22, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ads Pro Plugin to a version newer than 4.89 or apply the vendor’s official patch if available.
  • If an update is not possible, disable or remove the bsa_preview_callback function or configure the plugin to reject the bsa_template parameter entirely.
  • Restrict file upload capabilities by ensuring only safe file types (e.g., .jpg, .png) are accepted and preventing PHP execution in upload directories.
  • Configure the web server to disallow execution of PHP files in directories where the plugin stores files.
  • Implement application‑level input validation for the bsa_template parameter to only allow whitelisted paths to prevent LFI attempts.

Generated by OpenCVE AI on April 22, 2026 at 17:08 UTC.
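As an added illustration of the last recommended action (allowlisting the bsa_template value), the following PHP is a hypothetical hardened template resolver written for this page; it is not the Ads Pro Plugin's own code, and the function names, template names and directory layout are assumptions:

```php
<?php
// Hypothetical hardened template resolution for a WordPress preview handler.
// Names, template files and the directory layout are assumptions for
// illustration only; this is not the Ads Pro Plugin's own code.
//
// The CWE-98 pattern this replaces is, in essence:
//     include $_REQUEST['bsa_template'];
// where the request value is used directly as a file path.

/**
 * Map a request-supplied template name to a file inside the plugin's
 * templates directory. Returns null when the name is not allowlisted.
 */
function resolve_preview_template(string $requested, string $template_dir): ?string
{
    // Closed allowlist: the request value selects a key, never a path.
    static $allowed = [
        'default'   => 'default.php',
        'sidebar'   => 'sidebar.php',
        'fullwidth' => 'fullwidth.php',
    ];

    if (!array_key_exists($requested, $allowed)) {
        return null; // anything not in the map is rejected outright
    }

    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $allowed[$requested]);

    // Defence in depth: even with a hard-coded map, the resolved file must
    // still live under the templates directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Hypothetical preview callback: raw input goes only to the resolver, and
// only the resolver's output may ever reach include.
function render_preview(array $request, string $template_dir): void
{
    $name     = (string) ($request['bsa_template'] ?? '');
    $template = resolve_preview_template($name, $template_dir);
    if ($template === null) {
        wp_die('Unknown template', '', array('response' => 400)); // WordPress helper
    }
    include $template;
}
```

Because the map is fixed, path separators, traversal sequences or absolute paths in the request value never reach the filesystem; the realpath check only matters if the map itself is ever misconfigured.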


Advisories

No advisories yet.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.10717}
Values Added: {'score': 0.11501}


Tue, 08 Jul 2025 15:00:00 +0000

Type: First Time appeared
Values Added: Scripteo; Scripteo ads Pro

Type: CPEs
Values Added: cpe:2.3:a:scripteo:ads_pro:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Scripteo; Scripteo ads Pro

Wed, 02 Jul 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 04:00:00 +0000

Type: Description
Values Added: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included, or already exist on the site.

Type: Title
Values Added: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion

Type: Weaknesses
Values Added: CWE-98

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Scripteo Ads Pro
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:51.389Z

Reserved: 2025-05-06T13:13:59.893Z

Link: CVE-2025-4380

Vulnrichment

Updated: 2025-07-02T13:10:58.869Z

NVD

Status : Analyzed

Published: 2025-07-02T04:15:52.710

Modified: 2025-07-08T14:34:59.070

Link: CVE-2025-4380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses