{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12984", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-10T21:16:00.943Z", "datePublished": "2026-01-17T06:42:19.675Z", "dateUpdated": "2026-04-08T17:00:47.406Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:47.406Z"}, "affected": [{"vendor": "monetizemore", "product": "Advanced Ads \u2013\u00a0Ad Manager & AdSense", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Ads \u2013\u00a0Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "Advanced Ads \u2013 Ad Manager & AdSense <= 2.0.15 - Authenticated (Admin+) SQL Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-01-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T16:07:54.152927Z", "id": "CVE-2025-12984", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:08:06.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12984", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T16:07:54.152927Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:08:02.685Z"}}], "cna": {"title": "Advanced Ads \u2013 Ad Manager & AdSense <= 2.0.15 - Authenticated (Admin+) SQL Injection", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "monetizemore", "product": "Advanced Ads \u2013\u00a0Ad Manager & AdSense", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Advanced Ads \u2013\u00a0Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:47.406Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12984", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:47.406Z", "dateReserved": "2025-11-10T21:16:00.943Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-17T06:42:19.675Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Ads \u2013\u00a0Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El plugin Advanced Ads \u2013 Ad Manager &amp; AdSense para WordPress es vulnerable a inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro 'order' en todas las versiones hasta la 2.0.15, inclusive, debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, a\u00f1adan consultas SQL adicionales en consultas ya existentes que pueden ser utilizadas para extraer informaci\u00f3n sensible de la base de datos."}], "id": "CVE-2025-12984", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-17T07:16:00.987", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T23:56:39.832331+00:00", "value": {"mitigation_remediation": ["Update the Advanced Ads \u2013 Ad Manager & AdSense plugin to the latest version that removes the vulnerable code path (at least version 2.0.16).", "Modify user role permissions so that only trusted accounts have Administrator or higher access, and enforce strong authentication for those accounts.", "Configure a Web Application Firewall or equivalent filtering to block suspicious SQL injection patterns on the plugin\u2019s admin endpoints."], "summary": {"action": "Apply Patch", "impact": "Authenticated SQL Injection leading to sensitive data extraction"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Advanced Ads \u2013 Ad Manager & AdSense plugin for any release through version 2.0.15 are affected. The issue is isolated to the plugin\u2019s admin interface; standard WordPress core functions are not directly impacted.", "description_and_impact": "The vulnerability resides in the Advanced Ads \u2013 Ad Manager & AdSense WordPress plugin and allows an authenticated user with Administrator privileges or higher to inject arbitrary SQL statements through the unescaped 'order' parameter. Because the plugin concatenates this parameter directly into a query without proper preparation or escaping, an attacker can append additional commands to the original query, potentially extracting confidential information such as user credentials, system configuration, or other sensitive content.", "risk_and_exploitability": "The CVSS score of 4.9 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of active exploitation in the wild, and the vulnerability is not noted in the CISA KEV catalog. Exploitation requires legitimate Administrator credentials or higher, so the attack surface is limited to sites with insecure admin access management. An attacker who can authenticate can construct injection payloads through the 'order' field to read or manipulate database rows."}}}}, "created": "2026-01-19T09:19:27.190819+00:00", "updated": "2026-04-22T00:00:03.953464+00:00", "vendors": ["monetizemore", "monetizemore$PRODUCT$advanced_ads", "wordpress", "wordpress$PRODUCT$wordpress"]}