Introduction
Attackers can exploit a flaw in the Advanced Ads WordPress plugin to execute arbitrary PHP functions without authentication, potentially exposing sensitive site data or escalating to remote code execution. With over 100,000 active installations, this vulnerability impacts a significant portion of WordPress-powered publishers and ad-driven sites.
About Advanced Ads: Advanced Ads is a widely used ad management plugin for WordPress, maintained by monetizemore. It offers ad placement, targeting, and reporting features, and is deployed on over 100,000 sites. Its reach makes security issues in this plugin highly consequential for the broader WordPress ecosystem.
Technical Information
CVE-2025-10487 is a remote code execution vulnerability affecting all versions of the Advanced Ads WordPress plugin up to and including 2.0.12. The vulnerability resides in the select_one() function, which is exposed via an AJAX endpoint. This endpoint does not properly restrict access or validate which functions can be called, allowing unauthenticated users to invoke arbitrary PHP functions that begin with get_the_.
The root cause is the lack of access control and input validation on the AJAX handler. Attackers can send crafted requests to the admin-ajax.php endpoint with parameters that specify which function to execute. Because there is no nonce verification or capability check, the call is processed regardless of authentication state. Functions like get_the_excerpt can be called, leading to information exposure such as excerpts from private or unpublished posts. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code), which covers code injection and related flaws.
No public code snippets or detailed PoC are available in the referenced sources.
Detection Methods
Detecting vulnerabilities in the Advanced Ads plugin for WordPress involves a combination of proactive monitoring, log analysis, and the use of specialized security tools. While specific detection signatures or code snippets are not provided in the available sources, the following general strategies can be employed:
1. Monitor for Unauthorized Administrator Accounts:
Regularly review the list of administrator accounts on your WordPress site. Be vigilant for any unexpected or unauthorized accounts, as their presence may indicate a compromise.
2. Analyze Web Server Logs for Suspicious Activity:
Examine server logs for unusual patterns, such as repeated failed login attempts, unexpected POST requests to administrative endpoints, or access to files that should not be publicly available. These anomalies can signal exploitation attempts.
3. Utilize Security Plugins and Web Application Firewalls (WAFs):
Deploy reputable security plugins and WAFs that offer real-time monitoring and can detect known attack patterns. These tools can provide alerts for potential threats and may offer virtual patching capabilities.
4. Implement File Integrity Monitoring:
Set up systems to monitor changes to critical files within your WordPress installation. Unexpected modifications can be indicative of malicious activity.
5. Conduct Regular Vulnerability Scans:
Use automated scanning tools to periodically assess your website for known vulnerabilities, including those affecting plugins like Advanced Ads. This proactive approach helps in identifying and mitigating risks promptly.
6. Stay Informed About Plugin Updates and Security Advisories:
Keep abreast of updates and security advisories related to the Advanced Ads plugin. Applying updates promptly ensures that known vulnerabilities are patched, reducing the risk of exploitation.
By integrating these detection methods into your website's security protocol, you can enhance your ability to identify and respond to potential threats associated with the Advanced Ads plugin.
Affected Systems and Versions
- Product: Advanced Ads WordPress plugin
- Affected versions: All versions up to and including 2.0.12
- Vulnerable configuration: Any WordPress site with the Advanced Ads plugin version 2.0.12 or earlier installed and active
Vendor Security History
Advanced Ads has experienced several security issues in the past, including:
- Authenticated Stored Cross-Site Scripting (CVE-2024-3952, May 2024)
- Authenticated PHP Object Injection (CVE-2024-2290, May 2024)
- Authenticated Stored Cross-Site Scripting (CVE-2022-32776, September 2022)
- Reflected Cross-Site Scripting (March 2020)
The vendor has consistently released patches for reported vulnerabilities, but the recurrence of access control and input validation issues suggests ongoing challenges in secure coding practices.
