Introduction
CVE-2025-4689 is a critical vulnerability (CVSS 9.8) in the Ads Pro Plugin, a widely used WordPress advertising-management plugin. It chains an unauthenticated SQL injection with a Local File Inclusion (LFI) so that an attacker with no credentials can execute arbitrary PHP on the web server. With over 40,000 installations potentially exposed, site owners need to understand the chain and mitigate it promptly.
Technical Information
CVE-2025-4689 chains two weaknesses in the plugin, each of which is reachable without authentication:
Step 1: SQL Injection
The value of the 'a_id' parameter reaches a database query without preparation or escaping (the unauthenticated SQL injection tracked as CVE-2024-13322). An attacker can therefore append further statements to the plugin's query and write attacker-controlled content, including PHP source, into the database. A typical stacked payload might look like:
'; INSERT INTO wp_posts (post_content) VALUES ('<?php system($_GET["cmd"]); ?>'); --
Note that a stacked-query payload of this form only works when the database layer executes several statements per call; WordPress's $wpdb sends one statement at a time through mysqli, so a real attacker may need UNION-based or blind techniques to achieve the same write. The point of step 1 is the same either way: the attacker gets content they control stored where the plugin will later read it.
Step 2: Local File Inclusion (LFI)
With attacker-controlled content in place, the attacker turns to the LFI: a plugin action (e.g., wp_ajax_bsa_pro_actions) builds a file path from a request parameter without restricting it to the plugin's own directory. Supplying a traversal sequence makes PHP include, and hence execute, the planted file regardless of its extension:
GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&file=../../uploads/2025/07/malicious.jpg HTTP/1.1
Because the included file is parsed by the PHP interpreter, the chain yields remote code execution as the web-server user, which is typically enough to read wp-config.php, take over the site and pivot to the rest of the host.
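As an added example (not from the original report or from the plugin vendor), the following Python script shows how a defender could spot both steps of the chain in web-server access logs: it flags a_id values that carry SQL metacharacters or keywords, flags bsa_pro_actions requests whose file parameter contains path traversal, and correlates the two by source address. The log lines are constructed samples. The assumptions that a_id is submitted to admin-ajax.php and that a legitimate a_id is purely numeric are mine, not the advisory's; adjust the endpoint and the allowed value shape to what the plugin actually does on your site.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format, not real traffic).
# Assumption: the a_id parameter travels on the same admin-ajax.php endpoint as the
# file parameter; the advisory names the parameter but not the URL it is sent to.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&a_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2025:10:01:13 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&a_id=1%27%3B%20INSERT%20INTO%20wp_posts%20(post_content)%20VALUES%20(%27x%27)%3B%20-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2025:10:01:20 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&file=../../uploads/2025/07/malicious.jpg HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2025:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&file=banner.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Combined-log-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Step 1 indicators: quote characters, comment/terminator tokens, or SQL keywords
# inside a parameter that should only ever carry a numeric ad id (assumption).
SQLI_RE = re.compile(r"""['"]|--|;|/\*|\b(union|select|insert|update|sleep|benchmark)\b""", re.IGNORECASE)

# Step 2 indicators: parent-directory traversal, an absolute path, a NUL byte,
# or a stream wrapper such as php:// in the file parameter.
TRAVERSAL_RE = re.compile(r"\.\.|^/|\x00|^[a-zA-Z][a-zA-Z0-9+.\-]*://")


def parse_line(line):
    """Split one access-log line into ip, timestamp, path and decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes once; decode again so double-encoded payloads (%252e%252e) are seen too.
    params = {k: [unquote(v) for v in vals] for k, vals in query.items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": params, "status": int(m.group("status"))}


def inspect(entry):
    """Return a list of findings for a parsed entry: step 'sqli' and/or step 'lfi'."""
    findings = []
    params = entry["params"]
    for v in params.get("a_id", []):
        if not v.isdigit() and SQLI_RE.search(v):
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "step": "sqli",
                             "param": "a_id", "value": v})
    if "bsa_pro_actions" in params.get("action", []):
        for v in params.get("file", []):
            if TRAVERSAL_RE.search(v):
                findings.append({"ip": entry["ip"], "ts": entry["ts"], "step": "lfi",
                                 "param": "file", "value": v})
    return findings


def scan(log_text):
    """Run inspect() over every parseable line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            findings.extend(inspect(entry))
    return findings


def chained_sources(findings):
    """Source IPs seen performing both step 1 (SQLi) and step 2 (LFI): the full chain."""
    steps = {}
    for f in findings:
        steps.setdefault(f["ip"], set()).add(f["step"])
    return sorted(ip for ip, seen in steps.items() if {"sqli", "lfi"} <= seen)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["step"]:4} {h["param"]}={h["value"]!r}')
    print("full chain from:", chained_sources(hits))
```

On the sample above the script flags the second line as an a_id injection and the third as a traversal in file, both from 203.0.113.5, and reports that address as having run the full chain; the benign requests on lines one and four are not flagged. A single flagged request from an address is worth a look, but an address that produces both steps in sequence, followed by a 200 response to the include, should be treated as a likely compromise and the uploads directory and database checked for the planted PHP.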
Affected Systems and Versions
- Ads Pro Plugin for WordPress, versions up to and including 4.89. Sites running any of these versions should update to the latest release, or deactivate the plugin until they can, since both steps of the chain are reachable without logging in.
Vendor Security History
The Ads Pro Plugin, developed by Scripteo, has previously encountered significant vulnerabilities, notably CVE-2024-13322 (SQL Injection). The vendor has been criticized for slow response times in addressing critical security flaws, raising concerns about their security maturity and responsiveness.
References
Source: This report was created using AI