Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘$id’ variable of the getSpace() function in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-07-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection allowing data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The Ads Pro Plugin for WordPress is vulnerable to unauthenticated SQL injection through the $id parameter in the getSpace() function. Insufficient escaping and lack of prepared statements allow an attacker to inject and append arbitrary SQL queries, enabling the extraction of sensitive database information. The flaw is a classic CWE‑89 injection vulnerability that compromises the confidentiality of all data accessible via the plugin.

Affected Systems

All WordPress sites running the Ads Pro Plugin – Multi‑Purpose WordPress Advertising Manager version 4.89 or earlier. The affected vendor is scripteo, and the plugin operates as a WordPress extension that can be installed on any WordPress installation.

Risk and Exploitability

This vulnerability carries a CVSS score of 7.5 and an EPSS score of less than 1 %, indicating a moderate to high severity but a low probability of exploitation at this time. The plugin does not require authentication to submit an $id value, so the attack vector is unrestricted web input. If exploited, an attacker could execute arbitrary SQL statements to retrieve confidential data. Because the vulnerability is not listed in CISA’s KEV catalog, it is not widely reported as a current exploit vector but should still be addressed promptly, especially on publicly exposed sites.

Generated by OpenCVE AI on April 22, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ads Pro Plugin to version 4.90 or later, which removes the injection flaw.
  • If an immediate upgrade is not possible, restrict access to the plugin’s endpoints by enforcing authentication or by using a firewall rule that blocks unauthenticated requests to the affected URL.
  • Apply input validation to the $id parameter or modify the plugin code to use prepared statements, thereby eliminating the possibility of unintended SQL execution.

Generated by OpenCVE AI on April 22, 2026 at 17:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19687 The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘$id’ variable of the getSpace() function in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Tue, 08 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Scripteo
Scripteo ads Pro
CPEs cpe:2.3:a:scripteo:ads_pro:*:*:*:*:*:wordpress:*:*
Vendors & Products Scripteo
Scripteo ads Pro

Wed, 02 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 02 Jul 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘$id’ variable of the getSpace() function in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Scripteo Ads Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:35.871Z

Reserved: 2025-05-06T13:20:49.885Z

Link: CVE-2025-4381

cve-icon Vulnrichment

Updated: 2025-07-02T13:05:26.736Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-02T04:15:53.837

Modified: 2025-07-08T14:33:19.947

Link: CVE-2025-4381

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses