Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and a Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to upload image files to the server that can then be fetched via the SQL injection vulnerability and ultimately executed as PHP code through the local file inclusion vulnerability, resulting in code execution on the server.
Published: 2025-07-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Ads Pro Plugin for WordPress contains a vulnerability that allows unauthenticated attackers to upload arbitrary image files. The upload can be combined with a SQL injection flaw to locate the uploaded file through a database query, after which a local file inclusion flaw causes the file to be executed as PHP code. This chain of vulnerabilities can lead to complete compromise of the WordPress site. The weakness is classified as CWE-98, improper control of the filename used in a PHP include/require statement. The adversary could gain full control over the web server, exfiltrate data, install backdoors, or pivot to other systems on the network.

Affected Systems

WordPress sites that use the Ads Pro Plugin by Scripteo, version 4.89 or earlier. No fixed upstream version is listed; the vulnerability exists in all releases up to and including 4.89.

Risk and Exploitability

The CVSS score of 9.8 classifies this flaw as critical. The EPSS score of less than 1% indicates that the probability of exploitation is currently low, while the potential damage is severe. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is inferred to be an unauthenticated image file upload, followed by a SQL injection to retrieve the file's location, and culminating in a local file inclusion that causes the server to execute the file as PHP code. The lack of authentication requirements and the remote nature of the code execution elevate the risk considerably.

Generated by OpenCVE AI on April 22, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Ads Pro Plugin if one is available for versions above 4.89; if no patch exists, upgrade the plugin to the newest version or replace it with an alternative advertising manager.
  • Limit image upload capabilities to authenticated users only and enforce strict MIME type and file size validation. Consider disabling the feature entirely for sites that do not require dynamic image uploads.
  • Implement web application firewall rules to detect and block SQL injection attempts and LFI patterns, such as request parameters containing SQL syntax or path-traversal sequences, database query patterns that resolve to file paths, and request sequences in which an uploaded file is subsequently referenced by a file inclusion parameter.
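As an added defensive illustration (not code from the Ads Pro plugin or from OpenCVE), the following PHP shows the include pattern CWE-98 describes beside an allow-listed, path-checked replacement, and an upload check that validates the decoded image rather than the client-supplied extension or MIME type. All function names, the template directory and the allow-list are assumptions.

```php
<?php
// Added example, not code from the Ads Pro plugin: the include pattern CWE-98 describes,
// a hardened replacement, and server-side image upload validation. Names are assumptions.

// Weak: the include path is built from request input, so traversal or an uploaded
// file with an image extension can be pulled into the PHP interpreter.
function render_template_weak(string $name): void {
    include __DIR__ . '/templates/' . $name;
}

// Hardened: accept only allow-listed names and confirm the resolved path stays inside
// the template directory (realpath covers symlinks and '..'). The caller includes the
// returned path, or rejects the request when null is returned.
function resolve_template(string $name): ?string {
    $allowed = ['banner.php', 'popup.php', 'sidebar.php'];   // constructed allow-list
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Upload check: size limit, content-sniffed MIME type, and a successful image decode that
// agrees with it. Extension and $_FILES['type'] are client-controlled and not trusted.
function validate_image_upload(string $tmp_path, int $max_bytes = 2097152): bool {
    if (!is_uploaded_file($tmp_path) || filesize($tmp_path) > $max_bytes) {
        return false;
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp_path);
    finfo_close($finfo);
    $info = @getimagesize($tmp_path);
    if ($info === false || $info['mime'] !== $mime
        || !in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return false;
    }
    // A valid image can still carry PHP in its metadata, so store it under a
    // server-generated name with a fixed extension in a directory where PHP execution
    // is disabled, or re-encode it with GD before saving; those steps are not shown here.
    return true;
}
```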



Advisories
Source: EUVD
ID: EUVD-2025-19688
Title: (same text as the Description section above)
History

Tue, 08 Jul 2025 14:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Scripteo; Scripteo ads Pro
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:scripteo:ads_pro:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Scripteo; Scripteo ads Pro

Wed, 02 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 04:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: (same text as the Description section above)
Type: Title
  Values Removed: (none)
  Values Added: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-98
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Scripteo Ads Pro
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:56.793Z

Reserved: 2025-05-14T13:42:23.455Z

Link: CVE-2025-4689

Vulnrichment

Updated: 2025-07-02T13:05:27.738Z

NVD

Status: Analyzed

Published: 2025-07-02T04:15:55.587

Modified: 2025-07-08T14:26:15.963

Link: CVE-2025-4689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses