Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘bsa_pro_id’ parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-07-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Immediate Patch
AI Analysis

Impact

The Ads Pro Plugin for WordPress is vulnerable to time‑based SQL Injection via the bsa_pro_id parameter. The plugin fails to escape user input and does not properly prepare the SQL statement, allowing unauthenticated attackers to inject additional SQL code that can read sensitive database contents. The primary impact is the unauthorized disclosure of confidential information stored in the site's database.

Affected Systems

All installations of the Ads Pro Plugin – Multi‑Purpose WordPress Advertising Manager from scripteo, up to and including version 4.89, are affected. Versions newer than 4.89 have corrected the vulnerability.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Although the EPSS score is low (<1%), the absence of any authentication requirement and the straightforward injection logic increase the risk of exploitation in environments that expose the vulnerable endpoint. The vulnerability is not listed in CISA’s KEV catalog, but the potential for data theft requires prompt attention. Exploitation would involve sending crafted bsa_pro_id values in HTTP requests, causing the underlying database to execute the injected query.

Generated by OpenCVE AI on April 22, 2026 at 01:11 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ads Pro Plugin to the latest released version (≥4.90) available from scripteo or the WordPress plugin repository.
  • If an immediate update cannot be performed, temporarily disable the Ads Pro Plugin or block HTTP requests containing suspicious bsa_pro_id parameters using a web‑application firewall or access‑control list.
  • Deploy a web‑application firewall configured to detect and block time‑based SQL injection attempts targeting the bsa_pro_id parameter.
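One way to triage web-server access logs for the request pattern the actions above describe, added here as an example and not part of the OpenCVE record or the plugin. The log lines, paths and addresses are constructed, and the expectation that bsa_pro_id carries a plain decimal identifier is an assumption, not something the advisory states; POST bodies are not in access logs, so a WAF rule would also need to inspect request bodies.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Delay functions of MySQL/MariaDB, the databases behind WordPress, are the
# usual marker of a time-based (blind) SQL injection probe.
TIME_DELAY_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)
# Request target inside a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def classify_bsa_pro_id(log_line):
    """Return (verdict, value) for the bsa_pro_id query parameter of one line.

    verdict is 'absent', 'ok', 'malformed' (assumption: the parameter should be
    a plain decimal ID) or 'time_based' (a delay function appears in the value).
    """
    m = REQUEST_RE.search(log_line)
    if not m:
        return ("absent", None)
    # parse_qs percent-decodes values, so encoded spaces and quotes are visible.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    values = params.get("bsa_pro_id")
    if not values:
        return ("absent", None)
    for value in values:
        if TIME_DELAY_RE.search(value):
            return ("time_based", value)
    for value in values:
        if not value.isdigit():
            return ("malformed", value)
    return ("ok", values[0])


def flagged_requests(log_lines):
    """(source IP, verdict, value) for every line whose bsa_pro_id is not a clean ID."""
    flagged = []
    for line in log_lines:
        verdict, value = classify_bsa_pro_id(line)
        if verdict in ("malformed", "time_based"):
            flagged.append((line.split(" ", 1)[0], verdict, value))
    return flagged


# Constructed sample lines: documentation-range addresses, invented paths.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Jul/2025:10:00:01 +0000] "GET /ads/?bsa_pro_id=12 HTTP/1.1" 200 512',
    '203.0.113.11 - - [02/Jul/2025:10:00:02 +0000] "GET /ads/?bsa_pro_id=12%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.12 - - [02/Jul/2025:10:00:03 +0000] "GET /ads/?bsa_pro_id=12%27 HTTP/1.1" 500 0',
    '203.0.113.13 - - [02/Jul/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, verdict, value in flagged_requests(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\t{value!r}")
```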

Generated by OpenCVE AI on April 22, 2026 at 01:11 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-19676
Title: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘bsa_pro_id’ parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Tue, 08 Jul 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Scripteo; Scripteo ads Pro
Type: CPEs
Values Added: cpe:2.3:a:scripteo:ads_pro:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Scripteo; Scripteo ads Pro

Wed, 02 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 04:00:00 +0000

Type: Description
Values Added: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘bsa_pro_id’ parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
Values Added: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Time-Based SQL Injection via ‘bsa_pro_id’
Type: Weaknesses
Values Added: CWE-89
Type: References
Values Added: (none)
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:01.419Z

Reserved: 2025-05-29T21:44:56.553Z

Link: CVE-2025-5339

Vulnrichment

Updated: 2025-07-02T13:18:13.039Z

NVD

Status : Analyzed

Published: 2025-07-02T04:15:57.677

Modified: 2025-07-08T14:18:57.083

Link: CVE-2025-5339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses