// For flags

CVE-2025-4380

Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.

El complemento Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager para WordPress, es vulnerable a la inclusión local de archivos en todas las versiones hasta la 4.89 incluida, a través del parámetro 'bsa_template' de la función 'bsa_preview_callback'. Esto permite a atacantes no autenticados incluir y ejecutar archivos arbitrarios en el servidor, permitiendo la ejecución de cualquier código PHP en dichos archivos. Esto puede utilizarse para eludir los controles de acceso, obtener datos confidenciales o ejecutar código cuando se pueden subir e incluir archivos .php, o si ya existen en el sitio.

*Credits: Trương Hữu Phúc (truonghuuphuc)
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2025-05-06 CVE Reserved
  • 2025-07-01 CVE Published
  • 2025-07-02 CVE Updated
  • 2025-07-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Scripteo
Search vendor "Scripteo"
 Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager
Search vendor "Scripteo" for product "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager"
 <= 4.89
Search vendor "Scripteo" for product "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager" and version " <= 4.89"
en
Affected