CVE-2025-4380

HIGH NUCLEI

Scripteo Ads Pro < 4.89 - Remote File Inclusion

Title source: rule

Description

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.

Exploits (1)

nomisec WORKING POC

by r0otk3r · poc

https://github.com/r0otk3r/CVE-2025-4380

View Code ZIP pw:eip

Nuclei Templates (1)

Ads Pro Plugin <= 4.89 - Local File Inclusion

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

FOFA: body="/wp-content/plugins/ap-plugin-scripteo"

References (2)

[Product] https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/3078861b-3a16-4e93-a4f6-5ae885bc0747?source=cve

Scores

CVSS v3 8.1

EPSS 0.1651

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-98

Status published

Products (2)

scripteo/ads_pro < 4.89

scripteo/Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager < 4.89

Published Jul 02, 2025

Tracked Since Feb 18, 2026