Local File Inclusion Vulnerability in Ads Pro Plugin for WordPress

CVE-2025-4380

What is CVE-2025-4380?

CVE-2025-4380 is a vulnerability identified in the Ads Pro Plugin, a multi-purpose advertising management tool for WordPress. This plugin is designed to help users manage and display advertisements on their WordPress sites, providing functionalities for various ad types, tracking, and performance metrics. However, the vulnerability arises from a Local File Inclusion (LFI) issue found in all versions up to and including 4.89, specifically through the 'bsa_template' parameter within the bsa_preview_callback function.

The flaw allows unauthenticated attackers to include and execute arbitrary files on the server. Given that PHP files can be manipulated, this capability can lead to the execution of malicious code. Consequently, this vulnerability poses a risk of bypassing access controls, extracting sensitive data, or executing arbitrary code, which could substantially disrupt operations and compromise data integrity.

Potential impact of CVE-2025-4380

1. Unauthorized Access and Data Exposure: Since the vulnerability allows attackers to exploit server-side files, this may lead to unauthorized access to sensitive information, which could include user data and site configurations.

2. Code Execution Risks: The ability to execute arbitrary files means that attackers could potentially install backdoors or other malicious scripts. This control over the server could facilitate further exploitation of the compromised environment.

3. Operational Disruption: By executing unauthorized code, attackers could disrupt the normal operations of a WordPress site. This might lead to service downtime, reputational damage, and a loss of user trust, potentially affecting the business's bottom line.

References