Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scripteo Ads Pro ap-plugin-scripteo allows PHP Local File Inclusion. This issue affects Ads Pro: from n/a through <= 4.89.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Ads Pro plugin arises from improper control of the filename passed to an include/require statement. A malicious actor can supply a crafted path that forces the plugin to include an arbitrary local file, exposing sensitive configuration data or enabling the execution of user‑supplied PHP code. The weakness is classified as CWE‑98.

Affected Systems

The vulnerability impacts the scripteo Ads Pro plugin for WordPress on all installations running versions up to and including 4.89, regardless of site user privileges.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity, while the EPSS score is less than 1 %, implying a low current exploitation probability. The flaw is not listed in CISA KEV. Attackers can reach the vulnerable code via a web request that includes a manipulated file path; the plugin does not sanitize the filename before inclusion. The primary risk is the potential to read confidential files or upload and execute arbitrary code on the host.

Generated by OpenCVE AI on April 30, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ads Pro plugin to any version newer than 4.89 or the latest release that resolves the LFI flaw.
  • If an update is unavailable, remove the Ads Pro plugin entirely from the WordPress installation to eliminate the attack surface.
  • Configure the site’s PHP environment to restrict file access with open_basedir or similar sandboxing mechanisms to limit the directories the plugin may include, as a temporary containment measure.



Advisories
Source: EUVD
ID: EUVD-2025-28041
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scripteo Ads Pro Plugin allows PHP Local File Inclusion. This issue affects Ads Pro Plugin: from n/a through 4.88.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scripteo Ads Pro Plugin allows PHP Local File Inclusion. This issue affects Ads Pro Plugin: from n/a through 4.88.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scripteo Ads Pro ap-plugin-scripteo allows PHP Local File Inclusion. This issue affects Ads Pro: from n/a through <= 4.89.
Title
  Values Removed: WordPress Ads Pro plugin <= 4.88 - Local File Inclusion vulnerability
  Values Added: WordPress Ads Pro plugin <= 4.89 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scripteo Ads Pro Plugin allows PHP Local File Inclusion. This issue affects Ads Pro Plugin: from n/a through 4.88.
Title WordPress Ads Pro plugin <= 4.88 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.639Z

Reserved: 2025-04-24T14:22:16.421Z

Link: CVE-2025-46444

Vulnrichment

Updated: 2025-05-23T13:42:41.574Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:34.047

Modified: 2026-04-23T15:30:00.100

Link: CVE-2025-46444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')