CVE-2025-4689
Published: 02 July 2025
Summary
CVE-2025-4689 is a critical-severity vulnerability in the Ads Pro Plugin for WordPress by Scripteo, classified as CWE-98 (improper control of the filename passed to a PHP include/require statement, the class that covers both remote and local file inclusion). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 20.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Ads Pro Plugin for WordPress, a multi-purpose advertising manager sold on CodeCanyon, is affected in all versions up to and including 4.89 by a vulnerability chain in which a local file inclusion leads to remote code execution. The root causes are an SQL injection flaw and a local file inclusion weakness; combined with the plugin's image upload, they let an attacker place PHP code on the server and then have it executed. The flaw is classified as CWE-98 and carries a CVSS 3.1 base score of 9.8.
Unauthenticated attackers with network access can exploit the issue without any user interaction. By uploading an image file that carries PHP code, using the SQL injection to make the plugin reference that file, and triggering the local file inclusion path, an attacker achieves arbitrary code execution with the privileges of the web server process, which amounts to a complete loss of confidentiality, integrity, and availability.
Public references are the vendor page on CodeCanyon and a detailed Wordfence threat-intelligence entry; administrators should consult those sources for available updates or configuration guidance. The EPSS score remains low and flat at 0.0119, with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19688
Vulnerability details
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and a Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to upload image files to the server that can then be fetched via the SQL Injection vulnerability and ultimately executed as PHP code through the Local File Inclusion vulnerability.
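The chain described in the deeper analysis and in the vulnerability details above (crafted image upload, SQL injection to point at the file, local file inclusion to execute it), reduced to a self-contained PHP script as an added example. This is not the plugin's code: the ads table, the template column, the name parameter and the directory layout are assumptions made for the demo, which uses PDO with an in-memory SQLite database instead of WordPress and needs PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added illustration of the SQLi -> LFI -> RCE chain described on this page.
// NOT the plugin's code: table, column, parameter and directory names are
// assumptions for a self-contained demo (PDO + in-memory SQLite, no WordPress).
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, name TEXT NOT NULL, template TEXT NOT NULL)');
$db->exec("INSERT INTO ads (name, template) VALUES ('banner', 'banner.php')");

$base        = sys_get_temp_dir() . '/adspro_demo';
$templateDir = "$base/templates";
$uploadDir   = "$base/uploads";
foreach ([$templateDir, $uploadDir] as $dir) {
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
}
file_put_contents("$templateDir/banner.php", '<?php return "legitimate banner template";');

// Step 1: the "crafted image" (constructed, harmless payload). An upload filter
// that only checks magic bytes accepts it as a GIF, but the body carries PHP.
file_put_contents("$uploadDir/ad.gif", "GIF89a\n<?php return 'PHP executed from an uploaded image';");

// Vulnerable pattern: user input is concatenated into the SQL query, and the
// value read back from the database is handed to include without validation.
function render_vulnerable(PDO $db, string $templateDir, string $name): mixed
{
    $sql = "SELECT template FROM ads WHERE name = '$name'";   // SQL injection
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return include $templateDir . '/' . $row['template'];    // local file inclusion
}

// Hardened pattern: parameterised query, and the database value is still treated
// as untrusted: strict filename allowlist plus a realpath containment check.
function render_hardened(PDO $db, string $templateDir, string $name): mixed
{
    $stmt = $db->prepare('SELECT template FROM ads WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Only a bare filename of the expected shape: no separators, no traversal.
    if (!preg_match('/\A[a-z0-9_-]+\.php\z/', $row['template'])) {
        return null;
    }
    $root = realpath($templateDir);
    $path = realpath($templateDir . '/' . $row['template']);
    if ($root === false || $path === false || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return include $path;
}

// Steps 2 and 3: the injected value makes the query return a traversal path into
// the upload directory, so the vulnerable include executes the PHP in the "image".
$injected = "x' UNION SELECT '../uploads/ad.gif' -- ";

var_dump(render_vulnerable($db, $templateDir, 'banner'));     // legitimate template
var_dump(render_vulnerable($db, $templateDir, $injected));    // code from ad.gif runs
var_dump(render_hardened($db, $templateDir, 'banner'));       // legitimate template
var_dump(render_hardened($db, $templateDir, $injected));      // rejected
```

With the injected name, the vulnerable function returns the string from the uploaded file (the GIF header bytes that precede the PHP tag are echoed first, which is also why such polyglot uploads pass naive image checks), while the hardened function returns NULL for it and still serves the legitimate template. Closing the SQL injection alone is not enough: the allowlist and realpath check are what stop any future way of steering the stored template value into the uploads directory.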
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.