{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3433", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-07T19:56:02.349Z", "datePublished": "2025-04-08T08:22:08.994Z", "dateUpdated": "2026-04-08T17:00:47.726Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:47.726Z"}, "affected": [{"vendor": "smartdevth", "product": "Advanced Advertising System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."}], "title": "Advanced Advertising System <= 1.3.1 - Open Redirect", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72a56589-9dc0-47a7-bb68-e31f84a639ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-advertising-system/trunk/shortcode.php#L165"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "cweId": "CWE-601", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gabriele Zuddas"}], "timeline": [{"time": "2025-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T13:14:00.548322Z", "id": "CVE-2025-3433", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:14:40.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3433", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-08T13:14:00.548322Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:14:23.214Z"}}], "cna": {"title": "Advanced Advertising System <= 1.3.1 - Open Redirect", "credits": [{"lang": "en", "type": "finder", "value": "Gabriele Zuddas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "smartdevth", "product": "Advanced Advertising System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72a56589-9dc0-47a7-bb68-e31f84a639ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-advertising-system/trunk/shortcode.php#L165"}], "descriptions": [{"lang": "en", "value": "The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:47.726Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3433", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:47.726Z", "dateReserved": "2025-04-07T19:56:02.349Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-08T08:22:08.994Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."}, {"lang": "es", "value": "El complemento Advanced Advertising System para WordPress es vulnerable a Open Redirect en todas las versiones hasta la 1.3.1 incluida. Esto se debe a una validaci\u00f3n insuficiente de la URL de redirecci\u00f3n proporcionada mediante el par\u00e1metro 'redir'. Esto permite que atacantes no autenticados redirijan a los usuarios a sitios potencialmente maliciosos si logran enga\u00f1arlos para que realicen una acci\u00f3n."}], "id": "CVE-2025-3433", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-08T09:15:28.943", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-advertising-system/trunk/shortcode.php#L165"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72a56589-9dc0-47a7-bb68-e31f84a639ee?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:24:25.451867+00:00", "value": {"mitigation_remediation": ["Update the Advanced Advertising System plugin to the latest version (1.3.2 or newer) which removes the unvalidated redirect.", "Disable or restrict the 'redir' query parameter for all non-admin traffic to prevent unintended redirects.", "Configure web application firewalls or security plugins to detect and block attempts to manipulate the 'redir' parameter until an update is available."], "summary": {"action": "Apply Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "All installable versions of the Advanced Advertising System plugin by smartdevth up to and including 1.3.1 are affected. WordPress sites running these plugin versions are at risk if the 'redir' parameter is exposed in public URLs or internal links.", "description_and_impact": "The vulnerability resides in the Advanced Advertising System WordPress plugin, allowing an attacker to supply the 'redir' parameter without proper validation. This flaw lets unauthenticated users be redirected to arbitrary URLs, potentially leading to phishing or malware delivery. The weakness follows the definition of CWE-601, representing untrusted redirects that enable attackers to manipulate user navigation without permission.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity vulnerability. The EPSS score of less than 1% reflects a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw by embedding a crafted URL that triggers the redirect parameter, typically through phishing emails or malicious links. Because the redirect target is not validated, users can be sent to dangerous sites without their knowledge."}}}}, "created": "2025-06-24T09:44:20.609918+00:00", "updated": "2026-04-21T21:30:45.745227+00:00", "vendors": ["smartdevth", "smartdevth$PRODUCT$advanced_advertising_system"]}