CVE-2025-4380
Published: 02 July 2025
Summary
CVE-2025-4380 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Scripteo Ads Pro. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to local file inclusion in all versions through 4.89. The flaw exists in the bsa_preview_callback function, where the bsa_template parameter can be abused to include and execute arbitrary server-side files, enabling PHP code execution when suitable files are present or can be uploaded.
Unauthenticated remote attackers can exploit the issue over the network without user interaction. Successful exploitation allows bypass of access controls, disclosure of sensitive information, or full code execution on the affected WordPress site.
The EPSS score has reached a peak of 0.1973 with a current value of 0.1651. No details on patches or specific mitigations are provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19684
Vulnerability details
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included, or already exist on the site.
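The mechanism described above (a request parameter flowing into a PHP include) and the corresponding fix, as an added illustration that is not the plugin's own code: the function and parameter names mirror the advisory, but both bodies, the template directory layout and the allow-list are hypothetical.

```php
<?php
// Added illustration (not the Ads Pro plugin's code): a preview handler that
// builds an include path from a request parameter, beside a hardened form.
// Names mirror the advisory (bsa_template, bsa_preview_callback); bodies,
// directory layout and the allow-list below are constructed assumptions.

// Unsafe pattern: whatever arrives in bsa_template reaches include(), so a
// traversal sequence or a previously uploaded .php file becomes executable.
function bsa_preview_callback_unsafe(array $request, string $template_dir): void
{
    $template = $request['bsa_template'] ?? 'default';
    include $template_dir . '/' . $template . '.php';
}

// Hardened pattern: accept only known template names, then confirm the
// resolved path still lies inside the template directory.
function bsa_resolve_template(string $requested, string $template_dir): ?string
{
    static $allowed = ['default', 'banner', 'sidebar']; // constructed allow-list
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $requested . '.php');
    // realpath() returns false for a missing file; the prefix check rejects a
    // path that resolved outside the base directory (symlinks included).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function bsa_preview_callback_safe(array $request, string $template_dir): void
{
    $requested = (string) ($request['bsa_template'] ?? 'default');
    $path = bsa_resolve_template($requested, $template_dir);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}
```

For detection, a request to the preview endpoint whose bsa_template value contains path separators, `..`, or a file extension is a strong signal that the unsafe pattern is being probed.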
- CWE(s): CWE-98
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.