CVE-2025-4380

8.1 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to include and execute arbitrary PHP files on WordPress servers running the Ads Pro Plugin. Attackers can achieve remote code execution, bypass access controls, and access sensitive data. All WordPress sites using Ads Pro Plugin versions up to 4.89 are affected.

💻 Affected Systems

Products:
  • Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager
Versions: All versions up to and including 4.89
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, malware deployment, and persistent backdoor access

🟠 Likely Case: Website defacement, data exfiltration, and installation of cryptocurrency miners or backdoors

🟢 If Mitigated: Limited impact if file uploads are restricted and server permissions are properly configured

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required; no authentication needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.90 or later

Vendor Advisory: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Ads Pro Plugin
4. Click 'Update Now' if available
5. If not available, download version 4.90+ from CodeCanyon and manually update

🔧 Temporary Workarounds

Disable vulnerable endpoint via .htaccess (Linux/Apache)

Blocks access to the vulnerable callback function. Note that this rule only inspects the query string, so a POST request that carries the action in its body is not matched:

RewriteEngine On
RewriteCond %{QUERY_STRING} bsa_preview_callback [NC]
RewriteRule .* - [F,L]

Disable plugin temporarily (all platforms)

Deactivate the plugin until patched:

wp plugin deactivate ads-pro-plugin

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests containing the 'bsa_template' parameter
  • Restrict file upload capabilities and enforce strict file permission controls

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins → Installed Plugins and read the Ads Pro Plugin version number; 4.89 and earlier are vulnerable

Check Version:

wp plugin get ads-pro-plugin --field=version

Verify Fix Applied:

Verify plugin version is 4.90 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'bsa_preview_callback' with 'bsa_template' parameter
  • Unusual file inclusion attempts in web server logs

Network Indicators:

  • POST/GET requests to /wp-admin/admin-ajax.php with bsa_preview_callback action
  • Traffic patterns showing file path traversal attempts

SIEM Query:

source="web_access.log" AND ("bsa_preview_callback" OR "bsa_template")
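Added example, not part of this advisory: a small Python detector that applies the log indicators above to constructed Apache access-log lines, flagging admin-ajax.php calls with action=bsa_preview_callback and rating higher any whose bsa_template value carries a traversal sequence or an absolute path. The log format, the sample lines and the severity labels are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_preview_callback&bsa_template=..%2F..%2Fuploads%2Fconstructed.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/May/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=bsa_preview_callback&bsa_template=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path segment, with either slash style, at start or end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def classify(line):
    """Return a finding dict for a bsa_preview_callback request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != "bsa_preview_callback":
        return None
    # parse_qs decodes once; unquote again so double-encoded traversal
    # (e.g. %252F) is still visible to the regex below.
    tmpl = unquote(qs.get("bsa_template", [""])[0])
    suspicious = TRAVERSAL_RE.search(tmpl) or tmpl.startswith("/")
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
        "bsa_template": tmpl, "severity": "high" if suspicious else "medium",
    }


def scan(log_text):
    """Apply classify() to every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the query string reaches the access log, so a POST that sends the action in its body needs WAF or plugin-level logging to be seen by this check.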
