CVE-2025-4689 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2025-4689?

CVE-2025-4689 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated attackers to execute arbitrary code on WordPress servers running the vulnerable Ads Pro Plugin. Attackers can chain SQL injection with local file inclusion via image uploads to achieve remote code execution. All WordPress sites using Ads Pro Plugin versions up to 4.89 are affected.

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary code on WordPress servers running the vulnerable Ads Pro Plugin. Attackers can chain SQL injection with local file inclusion via image uploads to achieve remote code execution. All WordPress sites using Ads Pro Plugin versions up to 4.89 are affected.

💻 Affected Systems

Products:

Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager

Versions: All versions up to and including 4.89

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin activated. No special configuration needed.

📦 What is this software?

Ads Pro by Scripteo

View all CVEs affecting Ads Pro →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to install backdoors, steal data, deploy ransomware, or pivot to other systems in the network.

🟠

Likely Case

Website defacement, malware distribution, credential theft, and unauthorized access to sensitive data stored on the server.

🟢

If Mitigated

Limited impact if proper web application firewalls, file upload restrictions, and network segmentation are in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability chain (SQLi → LFI → RCE) is well-documented and relatively easy to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.90 or later

Vendor Advisory: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Ads Pro Plugin' and click 'Update Now'. 4. Verify version is 4.90 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Ads Pro Plugin until patched

wp plugin deactivate ads-pro-plugin

Restrict file uploads

linux

Block image uploads to the plugin directory via .htaccess or web server config

<FilesMatch "\.(php|php5|php7|phtml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

🧯 If You Can't Patch

Remove the Ads Pro Plugin completely from your WordPress installation
Implement a web application firewall (WAF) with rules blocking SQL injection and local file inclusion attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for Ads Pro Plugin version 4.89 or lower

Check Version:

wp plugin get ads-pro-plugin --field=version

Verify Fix Applied:

Confirm plugin version is 4.90 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /wp-content/plugins/ads-pro-plugin/
SQL error messages in web server logs
Unexpected file uploads to plugin directories

Network Indicators:

HTTP requests with SQL injection patterns targeting plugin endpoints
File inclusion attempts using ../ patterns

SIEM Query:

source="web_logs" AND (uri="*ads-pro-plugin*" AND (method="POST" OR status="500"))

📊 Metadata

CVE ID: CVE-2025-4689

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.45% exploit probability (62.9th percentile)

Published: July 2, 2025

Last Updated: July 8, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-4689, you might also want to check these: