{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7402", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-10T00:03:18.297Z", "datePublished": "2025-11-24T04:36:40.730Z", "dateUpdated": "2026-04-08T16:53:27.824Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:27.824Z"}, "affected": [{"vendor": "scripteo", "product": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.95", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018site_id\u2019 parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.95 - Unauthenticated SQL Injection via site_id", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5548b97d-14f0-4f50-b213-a19c02c240be?source=cve"}, {"url": "https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "timeline": [{"time": "2025-11-23T16:21:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T17:23:10.944440Z", "id": "CVE-2025-7402", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T17:23:21.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-24T17:23:10.944440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T17:23:18.684Z"}}], "cna": {"title": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.95 - Unauthenticated SQL Injection via site_id", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "scripteo", "product": "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.95"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-23T16:21:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5548b97d-14f0-4f50-b213-a19c02c240be?source=cve"}, {"url": "https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010"}], "descriptions": [{"lang": "en", "value": "The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018site_id\u2019 parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:27.824Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7402", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:27.824Z", "dateReserved": "2025-07-10T00:03:18.297Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-24T04:36:40.730Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018site_id\u2019 parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "id": "CVE-2025-7402", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-24T05:16:05.903", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5548b97d-14f0-4f50-b213-a19c02c240be?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:23:07.873451+00:00", "value": {"mitigation_remediation": ["Upgrade the Ads\u00a0Pro\u00a0Plugin to a version newer than 4.95 when the vendor releases a fix that removes the site_id SQL injection flaw.", "If an update is not immediately available, restrict access to the site_id parameter so that only authenticated administrators can use it, and add server\u2011side input validation to escape or parameterize the value before it is passed to the database query.", "Deploy a web application firewall or security plugin configured to detect and block SQL injection payloads targeting the site_id parameter while the vulnerability remains unresolved.", "Continuously monitor database logs for unexpected or large queries that might indicate an injection attempt and review web access logs for suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Data Exposure"}, "threat_synthesis": {"affected_systems": "Scripteo offers the Ads\u00a0Pro\u00a0Plugin \u2013 Multi\u2011Purpose WordPress Advertising Manager. All released versions up to and including 4.95 are affected. The vulnerability is present in the plugin\u2019s handling of the site_id parameter regardless of the WordPress installation version, but the specific workaround or patch depends on the plugin update channel for that vendor.", "description_and_impact": "The Ads\u00a0Pro\u00a0Plugin for WordPress is vulnerable to time\u2011based SQL Injection through the site_id parameter. Because the plugin fails to escape or prepare the user\u2011supplied value properly, unauthenticated attackers can inject additional SQL statements. This allows the attacker to pull sensitive data from the database, potentially exposing user information, configuration, or other confidential content. The weakness is classified as CWE\u201189.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, while an EPSS score of less than 1% points to a low exploitation probability at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically access the vulnerable endpoint over HTTP or HTTPS, sending a crafted site_id value; because the plugin does not verify authentication for that parameter, no privileged credentials are required. Once injected, the attacker can extract arbitrary data from the database, posing a significant confidentiality risk, although the overall likelihood of being exploited remains low under current threat intelligence. "}}}}, "created": "2025-11-25T11:02:38.016308+00:00", "updated": "2026-04-21T01:30:24.391081+00:00", "vendors": ["scripteo", "scripteo$PRODUCT$ads_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}