Local File Inclusion Vulnerability in Ads Pro Plugin for WordPress
CVE-2025-4380

8.1HIGH

Key Information:

Vendor: WordPress
Status: Ads Pro Plugin - Multi-purpose WordPress Advertising Manager
Vendor: CVE Published:; 2 July 2025

What is CVE-2025-4380?

The Ads Pro Plugin for WordPress is susceptible to a Local File Inclusion vulnerability through the 'bsa_template' parameter in the bsa_preview_callback function. This weakness allows unauthenticated attackers to include and execute arbitrary files on the server, which can lead to the execution of malicious PHP code. This exploit can bypass access controls, compromise sensitive data, and potentially allow for execution of attacker-controlled PHP scripts, especially if such scripts can be uploaded to the site.

Affected Version(s)

Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager * <= 4.89

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/ads-pro-plugin-multipurpose-w...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 2, 2025
Vulnerability Reserved
May 6, 2025

Credit

Trương Hữu Phúc (truonghuuphuc)