CVE-2025-4380
published 2025-07-02

Priority: P181 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 28.16% (97.9th percentile)
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included, or already exist on the site.

Affected (2 ranges)

Vendor     Product                                                      Version range   Fixed in
scripteo   ads_pro                                                      <= 4.89         (not listed)
scripteo   ads_pro_plugin_multi-purpose_wordpress_advertising_manager   <= 4.89         (not listed)

Detection & IOCs (extracted from sources)

URL:     /wp-admin/admin-ajax.php
Command: action=bsa_preview_callback&bsa_template=../php/example
Path:    /wp-content/plugins/ap-plugin-scripteo
  • Presence of the plugin directory '/wp-content/plugins/ap-plugin-scripteo' in page body can be used to fingerprint vulnerable installations via FOFA or web crawlers.
  • The vulnerable parameter is 'bsa_template' in the 'bsa_preview_callback' AJAX action; monitor for directory traversal sequences (e.g., '../') in this parameter.
  • The vulnerability is exploitable by unauthenticated attackers, meaning no session or authentication token is required to trigger the LFI via the AJAX endpoint.
  • Code execution via LFI is conditional on the attacker being able to upload a .php file or a suitable .php file already existing on the server.
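Added example, not code from cvebase or the plugin vendor: a small Python checker that applies the monitoring advice above to web-server access logs, flagging admin-ajax.php requests whose action is bsa_preview_callback and whose bsa_template value contains a traversal sequence after percent-decoding (double-encoded forms included). The log lines, IPs and timestamps are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-format access log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2025:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_preview_callback&bsa_template=../php/example HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.6 - - [02/Jul/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_preview_callback&bsa_template=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [02/Jul/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_preview_callback&bsa_template=grid HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Jul/2025:10:02:05 +0000] "GET /wp-content/plugins/ap-plugin-scripteo/assets/css/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Parent-directory hops (either slash style) or an absolute path as the template value.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|^/|^\\)')

def _full_decode(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f-style double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return a finding dict for a bsa_preview_callback request carrying a traversal value, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes once already
    if "bsa_preview_callback" not in qs.get("action", []):
        return None
    for raw in qs.get("bsa_template", []):
        template = _full_decode(raw)
        if TRAVERSAL_RE.search(template):
            return {"action": "bsa_preview_callback", "bsa_template": template}
    return None

def scan_log(text):
    """Return (ip, timestamp, decoded bsa_template) for every log line that matches."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            findings.append((m.group("ip"), m.group("ts"), finding["bsa_template"]))
    return findings
```

admin-ajax.php also accepts POST, and standard access logs do not record request bodies, so this only sees query-string probes; POST traffic needs a WAF rule or a PHP-level hook on the same parameter.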