Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-11-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Apply Patch
AI Analysis

Impact

The Ads Pro Plugin for WordPress is vulnerable to time‑based SQL Injection through the site_id parameter. Because the plugin fails to escape or prepare the user‑supplied value properly, unauthenticated attackers can inject additional SQL statements. This allows the attacker to pull sensitive data from the database, potentially exposing user information, configuration, or other confidential content. The weakness is classified as CWE‑89.

Affected Systems

Scripteo offers the Ads Pro Plugin – Multi‑Purpose WordPress Advertising Manager. All released versions up to and including 4.95 are affected. The vulnerability is present in the plugin’s handling of the site_id parameter regardless of the WordPress installation version, but the specific workaround or patch depends on the plugin update channel for that vendor.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while an EPSS score of less than 1% points to a low exploitation probability at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically access the vulnerable endpoint over HTTP or HTTPS, sending a crafted site_id value; because the plugin does not verify authentication for that parameter, no privileged credentials are required. Once injected, the attacker can extract arbitrary data from the database, posing a significant confidentiality risk, although the overall likelihood of being exploited remains low under current threat intelligence.

Generated by OpenCVE AI on April 21, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ads Pro Plugin to a version newer than 4.95 when the vendor releases a fix that removes the site_id SQL injection flaw.
  • If an update is not immediately available, restrict access to the site_id parameter so that only authenticated administrators can use it, and add server‑side input validation to escape or parameterize the value before it is passed to the database query.
  • Deploy a web application firewall or security plugin configured to detect and block SQL injection payloads targeting the site_id parameter while the vulnerability remains unresolved.
  • Continuously monitor database logs for unexpected or large queries that might indicate an injection attempt and review web access logs for suspicious activity.

Generated by OpenCVE AI on April 21, 2026 at 01:23 UTC.
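The second recommended action (require authentication, then validate and parameterize site_id) in WordPress terms, as an added illustration that is not the Ads Pro Plugin's code or OpenCVE's: the `ads` table name, the function names and the `manage_options` capability are assumptions; `$wpdb->prepare()`, `absint()`, `current_user_can()` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Constructed illustration of the flaw class this advisory describes
// (CWE-89): a request-supplied site_id concatenated into SQL with no
// escaping or preparation, beside a hardened version.

// Vulnerable pattern (constructed, not the plugin's code): the raw
// request value becomes part of the SQL text, so any attacker-controlled
// string is executed as SQL. A time-based payload is detectable only by
// the delayed response, which is what "time-based" injection refers to.
function ads_for_site_unsafe( $wpdb, array $request ) {
    $site_id = $request['site_id'];
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}ads WHERE site_id = {$site_id}"
    );
}

// Hardened version following the recommended actions:
//  1. require an authenticated, privileged user (capability is assumed);
//  2. reject anything that is not a non-negative integer;
//  3. bind the value with $wpdb->prepare() so it never enters the SQL text.
function ads_for_site_safe( $wpdb, array $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    $raw = isset( $request['site_id'] ) ? (string) $request['site_id'] : '';
    if ( '' === $raw || ! ctype_digit( $raw ) ) {
        // Logging the rejected value (not shown) supports the advisory's
        // monitoring recommendation without ever executing it.
        return new WP_Error( 'invalid_site_id', 'site_id must be an integer.' );
    }
    $site_id = absint( $raw );

    // %d is an integer placeholder; $wpdb->prepare() substitutes the
    // sanitized value, so the query string contains no user input.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}ads WHERE site_id = %d",
        $site_id
    );
    return $wpdb->get_results( $sql );
}
```

The capability check is the compensating control the page suggests while no vendor fix exists; once the vendor patches the query, the prepare() call is the lasting fix and the validation step is defence in depth.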

Advisories

No advisories yet.

History

Tue, 25 Nov 2025 11:15:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Scripteo; Scripteo ads Pro; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Scripteo; Scripteo ads Pro; Wordpress; Wordpress wordpress

Mon, 24 Nov 2025 18:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 24 Nov 2025 05:00:00 +0000

  Type: Description
  Values Added: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

  Type: Title
  Values Added: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.95 - Unauthenticated SQL Injection via site_id

  Type: Weaknesses
  Values Added: CWE-89

  Type: References
  Values Added:

  Type: Metrics (cvssV3_1)
  Values Added:

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:27.824Z

Reserved: 2025-07-10T00:03:18.297Z

Link: CVE-2025-7402

Vulnrichment

Updated: 2025-11-24T17:23:18.684Z

NVD

Status: Deferred

Published: 2025-11-24T05:16:05.903

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses