Ads Pro Plugin Under Siege: CVE-2025-4689 Chains SQLi and LFI for Critical RCE

Critical vulnerability CVE-2025-4689 in Ads Pro Plugin chains SQL Injection and Local File Inclusion, enabling unauthenticated remote code execution on WordPress sites.
CVE Analysis

ZeroPath Security Research

2025-07-01

Introduction

The Ads Pro Plugin, a widely used WordPress advertising management tool, is currently facing a severe security threat. CVE-2025-4689, a critical vulnerability rated at CVSS 9.8, chains SQL Injection and Local File Inclusion (LFI) vulnerabilities, enabling unauthenticated attackers to execute arbitrary code remotely. With over 40,000 installations potentially at risk, the urgency to understand and mitigate this threat cannot be overstated.

Technical Information

CVE-2025-4689 exploits a dangerous combination of two vulnerabilities:

Step 1: SQL Injection

Attackers exploit the unauthenticated SQL Injection vulnerability (CVE-2024-13322) via the 'a_id' parameter, allowing them to insert malicious PHP code into the database or filesystem. A typical malicious SQL payload might look like:

'; INSERT INTO wp_posts (post_content) VALUES ('<?php system($_GET["cmd"]); ?>'); --

Step 2: Local File Inclusion (LFI)

After injecting malicious files, attackers exploit the LFI vulnerability by manipulating file paths in plugin functions (e.g., wp_ajax_bsa_pro_actions). This allows the execution of the previously uploaded malicious files as PHP scripts:

GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&file=../../uploads/2025/07/malicious.jpg HTTP/1.1

This chained exploitation grants attackers remote code execution capabilities, potentially leading to complete server compromise.
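As an added defensive example (not code from the original report or from the plugin), the following Python scans web-server access-log lines for the two request shapes described above: directory traversal in the bsa_pro_actions file parameter, and SQL syntax in the a_id parameter. The log lines and IP addresses are constructed; the assumption that a_id is a plain integer in legitimate use, and that it is reached through admin-ajax.php, is marked in the code.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&file=../../uploads/2025/07/malicious.jpg HTTP/1.1" 200 512
203.0.113.5 - - [01/Jul/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&a_id=1%27%3B%20INSERT%20INTO%20wp_posts HTTP/1.1" 200 88
198.51.100.7 - - [01/Jul/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_pro_actions&a_id=42 HTTP/1.1" 200 4096
198.51.100.7 - - [01/Jul/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 10240
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Directory traversal segment in a path, checked after normalising backslashes.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# SQL metacharacters or keywords in a parameter that should be a bare integer.
SQLI_RE = re.compile(r"['\";]|--|/\*|\b(union|select|insert|update|sleep|benchmark)\b", re.I)

def classify_request(target: str) -> list[str]:
    """Return findings for one request target (path + query string)."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return []
    q = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    # Step 2 indicator: traversal in the bsa_pro_actions file parameter (LFI).
    if q.get('action', [''])[0] == 'bsa_pro_actions':
        for value in q.get('file', []):
            if TRAVERSAL_RE.search(value.replace('\\', '/')):
                findings.append('lfi_traversal')
    # Step 1 indicator: SQL syntax in a_id. Assumption: legitimate a_id values
    # are plain integers and the parameter is reached via admin-ajax.php.
    for value in q.get('a_id', []):
        if not value.isdigit() and SQLI_RE.search(value):
            findings.append('sqli_a_id')
    return findings

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, findings) for every flagged request in the log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (findings := classify_request(m.group('target'))):
            hits.append((m.group('ip'), findings))
    return hits

if __name__ == '__main__':
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ','.join(findings))
```

Two hits from the same client in quick succession (traversal followed by SQL syntax, or the reverse order) is the chained pattern worth alerting on rather than either indicator alone.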

Affected Systems and Versions

  • Ads Pro Plugin for WordPress, versions up to and including 4.89.

Vendor Security History

The Ads Pro Plugin, developed by Scripteo, has previously encountered significant vulnerabilities, notably CVE-2024-13322 (SQL Injection). The vendor has been criticized for slow response times in addressing critical security flaws, raising concerns about their security maturity and responsiveness.

References

Source: This report was created using AI
