Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via PHP Injection
Action: Update
AI Analysis

Impact

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager has a missing or incorrect nonce check in the bsaCreateAdTemplate function, so an attacker who lures a site administrator into clicking a crafted link can trigger execution of arbitrary PHP code on the server. This flaw gives attackers full control over the affected WordPress installation and represents a high-severity CSRF (CWE-352).

Affected Systems

Any WordPress site that installs the scripteo Ads Pro Plugin, version 4.89 or earlier, is vulnerable. The plugin is distributed through the WordPress ecosystem, so typical hosts running local or cloud‑based WordPress sites fall within the scope.

Risk and Exploitability

The vulnerability scores a CVSS of 8.8 and an EPSS of less than 1 %. It does not appear in the CISA KEV catalog. While the low EPSS indicates a modest likelihood of exploitation, the risk remains high because unauthenticated remote code execution is possible if an administrator follows an attacker‑provided link. The likely attack vector is a simple HTTP request embedded in a link that an administrator opens.

Generated by OpenCVE AI on April 28, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Ads Pro Plugin version released after 4.89 that resolves the CSRF flaw.
  • If an update is not available or cannot be applied, deactivate or uninstall the plugin, or disable the bsaCreateAdTemplate endpoint with a custom snippet that unhooks it from WordPress.
  • After applying the fix or removal, audit administrator accounts and enforce strong permissions with a security plugin that limits ad-creation rights to trusted users.
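To show what "missing nonce validation" on a WordPress AJAX handler looks like in code, here is an added illustration that is not code from the Ads Pro plugin or from OpenCVE: a hypothetical ad-template creation handler, first without any nonce or capability check and then hardened. The hook names, function names and the `security` nonce field are assumptions; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_send_json_*`, `wp_kses_post`) are standard core APIs.

```php
<?php
// Added illustration of the missing-nonce CSRF pattern in a WordPress AJAX
// handler. Every name below is hypothetical; none is taken from the Ads Pro plugin.

// --- Weak pattern: no nonce, no capability check, and request data is written
// --- to disk as a .php file. Any page an admin visits can forge this POST.
function demo_create_ad_template_weak() {
    $name = sanitize_file_name( wp_unslash( $_POST['name'] ?? '' ) );
    $body = wp_unslash( $_POST['body'] ?? '' );
    file_put_contents( WP_CONTENT_DIR . '/demo-templates/' . $name . '.php', $body );
    wp_send_json_success();
}
// Registering the nopriv variant exposes the handler to unauthenticated callers.
add_action( 'wp_ajax_demo_create_ad_template_weak', 'demo_create_ad_template_weak' );
add_action( 'wp_ajax_nopriv_demo_create_ad_template_weak', 'demo_create_ad_template_weak' );

// --- Hardened pattern.
function demo_create_ad_template_hardened() {
    // 1. CSRF defence: the nonce must come from a form the admin loaded on this
    //    site. check_ajax_referer() stops the request (HTTP 403) on mismatch.
    check_ajax_referer( 'demo_create_ad_template', 'security' );

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Treat the template as data, never as executable code: sanitize the
    //    name, strip anything but allowed HTML from the body, store it as an
    //    option, and render it through escaping at output time.
    $name = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
    $body = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $name ) {
        wp_send_json_error( 'missing template name', 400 );
    }
    $templates          = get_option( 'demo_ad_templates', array() );
    $templates[ $name ] = $body;
    update_option( 'demo_ad_templates', $templates );
    wp_send_json_success( array( 'name' => $name ) );
}
// Logged-in users only: a privileged action gets no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_demo_create_ad_template', 'demo_create_ad_template_hardened' );

// The admin-side form that submits to the hardened handler must carry the
// matching nonce, e.g. inside the form markup:
//   wp_nonce_field( 'demo_create_ad_template', 'security' );
```

Of the three fixes, only the nonce check addresses the CSRF itself; the capability check and the refusal to write request data as PHP are what keep a forged or mistaken request from becoming remote code execution.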


Advisories
Source: EUVD
ID: EUVD-2025-19686
Title: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Tue, 08 Jul 2025 14:15:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Scripteo; Scripteo ads Pro
Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:scripteo:ads_pro:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values removed: (none)
  Values added: Scripteo; Scripteo ads Pro

Wed, 02 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values removed: (none)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 04:00:00 +0000

Type: Description
  Values added: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
  Values added: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate
Type: Weaknesses
  Values added: CWE-352
Type: References
  Values added:
Type: Metrics (cvssV3_1)
  Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:50.309Z

Reserved: 2025-06-20T20:58:22.123Z

Link: CVE-2025-6459

Vulnrichment

Updated: 2025-07-02T13:05:25.743Z

NVD

Status : Analyzed

Published: 2025-07-02T04:15:59.413

Modified: 2025-07-08T13:55:50.920

Link: CVE-2025-6459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses