Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘oid’ parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-07-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing unauthorized database disclosure
Action: Patch Immediately
AI Analysis

Impact

The Ads Pro Plugin – Multi‑Purpose WordPress Advertising Manager version 4.89 and earlier contain an unauthenticated SQL injection vulnerability. The 'oid' parameter is insufficiently sanitized and the query is not properly prepared, permitting attackers to inject arbitrary SQL statements. This flaw can lead to extraction of sensitive data from the MySQL database used by WordPress, compromising data confidentiality.

Affected Systems

WordPress sites that have the Ads Pro Plugin installed from the scripteo vendor, specifically any version of the plugin up through 4.89. The vulnerability impacts any server that hosts a WordPress installation running these plugin versions and exposing the oid parameter in HTTP requests.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity issue, with an EPSS score of less than 1%, suggesting a relatively low probability of widespread automated exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An unauthenticated attacker can issue a crafted HTTP request containing a malicious oid value to the plugin's endpoint, leading to arbitrary SQL query execution and data exfiltration. The lack of input validation and query preparation makes this exploit straightforward for an attacker with basic web application hacking skills.

Generated by OpenCVE AI on April 21, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ads Pro Plugin to a version newer than 4.89 or to the latest available release.
  • If upgrading immediately is not possible, disable or uninstall the plugin until a patch is applied.
  • Apply web application firewall rules or security plugins that block SQL injection patterns on the oid parameter or all POST/GET routes of the WordPress installation.
  • Monitor database logs and audit trails for anomalous query activity following potential exploitation.

Generated by OpenCVE AI on April 21, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19679 The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘oid’ parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Tue, 08 Jul 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Scripteo
Scripteo ads Pro
CPEs cpe:2.3:a:scripteo:ads_pro:*:*:*:*:*:wordpress:*:*
Vendors & Products Scripteo
Scripteo ads Pro

Wed, 02 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 02 Jul 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘oid’ parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated SQL Injection via oid
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Scripteo Ads Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:49.916Z

Reserved: 2025-06-20T15:53:53.194Z

Link: CVE-2025-6437

cve-icon Vulnrichment

Updated: 2025-07-02T13:05:21.366Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-02T04:15:58.987

Modified: 2025-07-08T14:10:13.767

Link: CVE-2025-6437

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses