{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4689", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-14T13:42:23.455Z", "datePublished": "2025-07-02T03:47:21.403Z", "dateUpdated": "2026-04-08T16:32:56.793Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:56.793Z"}, "affected": [{"vendor": "scripteo", "product": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.89", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fetched via a SQL injection vulnerability, and ultimately executed as PHP code through the local file inclusion vulnerability."}], "title": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/038ddfcd-093b-4234-a0b8-a3bf9a3d329f?source=cve"}, {"url": "https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "cweId": "CWE-98", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "timeline": [{"time": "2025-05-10T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-01T14:53:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:01:22.397494Z", "id": "CVE-2025-4689", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:19:13.445Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4689", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-02T13:01:22.397494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:05:27.738Z"}}], "cna": {"title": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "scripteo", "product": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.89"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-10T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-01T14:53:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/038ddfcd-093b-4234-a0b8-a3bf9a3d329f?source=cve"}, {"url": "https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010"}], "descriptions": [{"lang": "en", "value": "The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fetched via a SQL injection vulnerability, and ultimately executed as PHP code through the local file inclusion vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-02T03:47:21.403Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4689", "state": "PUBLISHED", "dateUpdated": "2025-07-02T13:19:13.445Z", "dateReserved": "2025-05-14T13:42:23.455Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-02T03:47:21.403Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scripteo:ads_pro:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1F5A3BA9-1E6E-4BE0-B4BA-F69EC84C4BF5", "versionEndIncluding": "4.89", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fetched via a SQL injection vulnerability, and ultimately executed as PHP code through the local file inclusion vulnerability."}, {"lang": "es", "value": "El complemento Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager de WordPress, es vulnerable a la Inclusi\u00f3n de Archivos Locales, lo que provoca la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 4.89 incluida. Esto se debe a una vulnerabilidad de inyecci\u00f3n SQL y a una vulnerabilidad de Inclusi\u00f3n de Archivos Locales que puede vincularse con la carga de im\u00e1genes. Esto permite que atacantes no autenticados ejecuten c\u00f3digo en el servidor, carguen archivos de imagen que se pueden obtener mediante una vulnerabilidad de inyecci\u00f3n SQL y, finalmente, se ejecuten como c\u00f3digo PHP mediante la vulnerabilidad de Inclusi\u00f3n de Archivos Locales."}], "id": "CVE-2025-4689", "lastModified": "2025-07-08T14:26:15.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-02T04:15:55.587", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/038ddfcd-093b-4234-a0b8-a3bf9a3d329f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:46:08.440674+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch for Ads Pro Plugin if one is available for versions above 4.89; if no patch exists, upgrade the plugin to the newest version or replace it with an alternative advertising manager.", "Limit image upload capabilities to authenticated users only and enforce strict MIME type and file size validation. Consider disabling the feature entirely for sites that do not require dynamic image uploads.", "Implement web application firewall rules to detect and block SQL injection attempts and LFI patterns, such as monitoring for database query patterns that resolve to file paths and blocking manifest or request sequences that perform file inclusion."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Ads Pro Plugin version 4.89 or earlier, specifically those developed by Scripteo. No specific upstream versions are listed; the vulnerability exists in all releases up to and including the stated 4.89 version.", "description_and_impact": "The Ads Pro Plugin for WordPress contains a vulnerability that allows unauthenticated attackers to upload arbitrary image files. An image upload can be combined with a SQL injection flaw to retrieve the uploaded file through a database query, and then a local file inclusion flaw permits the file to be executed as PHP code. This chain of vulnerabilities can lead to complete compromise of the WordPress site. The weakness is classified as CWE-98, indicating improper control of file paths and inclusion. The adversary could gain full control over the web server, exfiltrate data, install backdoors, or pivot to other systems on the network.", "risk_and_exploitability": "The CVSS score of 9.8 classifies this flaw as critical. The EPSS score of less than 1% indicates that while the probability of exploitation is low at present, the potential damage is severe. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is an unauthenticated payload consisting of an image file upload, followed by a SQL injection to retrieve the file, and culminating in a local file inclusion that causes the server to execute the file as PHP code. The lack of authentication requirements and the remote nature of the code execution elevate the risk considerably."}}}}, "created": "2026-04-22T15:00:05.604960+00:00", "updated": "2026-04-22T15:00:05.604983+00:00", "vendors": []}