CVE-2025-4689

Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fetched via a SQL injection vulnerability, and ultimately executed as PHP code through the local file inclusion vulnerability.

El complemento Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager de WordPress, es vulnerable a la Inclusión de Archivos Locales, lo que provoca la ejecución remota de código en todas las versiones hasta la 4.89 incluida. Esto se debe a una vulnerabilidad de inyección SQL y a una vulnerabilidad de Inclusión de Archivos Locales que puede vincularse con la carga de imágenes. Esto permite que atacantes no autenticados ejecuten código en el servidor, carguen archivos de imagen que se pueden obtener mediante una vulnerabilidad de inyección SQL y, finalmente, se ejecuten como código PHP mediante la vulnerabilidad de Inclusión de Archivos Locales.

*Credits: Trương Hữu Phúc (truonghuuphuc)

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2025-05-14 CVE Reserved
2025-07-01 CVE Published
2025-07-02 CVE Updated
2025-07-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CAPEC

References (2)

URL	Tag	Source
https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010
https://www.wordfence.com/threat-intel/vulnerabilities/id/038ddfcd-093b-4234-a0b8-a3bf9a3d329f?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Scripteo Search vendor "Scripteo"		Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager Search vendor "Scripteo" for product "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager"				<= 4.89 Search vendor "Scripteo" for product "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager" and version " <= 4.89"		en		Affected