CVE-2025-4380

HIGH NUCLEI

Ads Pro Plugin <= 4.89 - Unauthenticated Local File Inclusion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-4380. PoCs published by r0otk3r. A Nuclei detection template is also available.

AI-analyzed exploit summary This Python exploit targets CVE-2025-4380, an LFI vulnerability in Ads Pro Plugin ≤ 4.89 for WordPress, allowing unauthenticated attackers to read arbitrary files via the `bsa_preview_callback` AJAX action. The script supports single/mass exploitation, proxies, and output saving.

Description

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.

Exploits (1)

nomisec WORKING POC

by r0otk3r · poc

https://github.com/r0otk3r/CVE-2025-4380

View Code ZIP pw:eip

This Python exploit targets CVE-2025-4380, an LFI vulnerability in Ads Pro Plugin ≤ 4.89 for WordPress, allowing unauthenticated attackers to read arbitrary files via the `bsa_preview_callback` AJAX action. The script supports single/mass exploitation, proxies, and output saving.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Ads Pro Plugin for WordPress ≤ 4.89

No auth needed

Prerequisites: Target running vulnerable Ads Pro Plugin · Network access to the WordPress admin-ajax.php endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Ads Pro Plugin <= 4.89 - Local File Inclusion

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

FOFA: body="/wp-content/plugins/ap-plugin-scripteo"

References (2)

Core 2

Core References

Product

https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/3078861b-3a16-4e93-a4f6-5ae885bc0747?source=cve

Scores

CVSS v3 8.1

EPSS 0.1651

EPSS Percentile 95.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-98

Status published

Products (2)

scripteo/Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager < 4.89

scripteo/ads_pro < 4.89

Published Jul 02, 2025

Tracked Since Feb 18, 2026