CVE-2025-10487
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| advanced_ads | wordpress_plugin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Advanced Ads – Ad Manager & AdSense WordPress plugin (up to and including version 2.0.12) is a Remote Code Execution issue caused by improper access restrictions on an AJAX endpoint. Specifically, the select_one() function does not limit which functions can be called, allowing unauthenticated attackers to invoke arbitrary functions whose names start with get_the_, such as get_the_excerpt. This can lead to information exposure and potentially remote code execution.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to execute arbitrary code remotely or access sensitive information by exploiting the AJAX endpoint in the plugin. This could lead to data exposure, unauthorized control over the website, and potentially further compromise of the hosting environment.
What immediate steps should I take to mitigate this vulnerability?
Update the Advanced Ads – Ad Manager & AdSense WordPress plugin to version 2.0.13 or later, which includes a fix that validates the ad rendering method in the select_one function to prevent unauthorized access and remote code execution. Ensure your environment meets the minimum requirements of PHP 7.4 and WordPress 5.7 as required by the updated plugin version. [2]
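An added illustration of the CWE-94 pattern the answers above describe and of the allowlist check the fix calls for. This is not the plugin's code and not from BaseFortify or Wordfence; the handler name `example_render_field`, the function names, the `field` request parameter and the two allowlisted helpers are assumptions made for the example, and it needs WordPress loaded for the `add_action`, nonce and JSON helpers.

```php
<?php
// Constructed illustration, NOT the Advanced Ads plugin's code. The handler
// name, function names and the 'field' parameter are assumptions.

// Weak pattern: a request-controlled suffix is appended to a trusted prefix
// and the result is called. Every get_the_* function loaded in the process
// becomes reachable, far more than the handler ever meant to expose.
function example_render_field_unsafe( string $field ): string {
    $callable = 'get_the_' . $field;
    return function_exists( $callable ) ? (string) call_user_func( $callable ) : '';
}

// Hardened pattern: the request value is only a key into a fixed map. Nothing
// outside the map can be called, whatever the suffix contains.
const EXAMPLE_RENDER_METHODS = array(
    'title' => 'get_the_title',
    'date'  => 'get_the_date',
);

function example_render_field_safe( string $field ): ?string {
    if ( ! isset( EXAMPLE_RENDER_METHODS[ $field ] ) ) {
        return null; // unknown method: refuse rather than guess
    }
    return (string) call_user_func( EXAMPLE_RENDER_METHODS[ $field ] );
}

// AJAX wiring with the checks an exposed endpoint needs: a nonce against CSRF,
// a capability check so the endpoint is not open to unauthenticated callers,
// and the allowlisted dispatch. Deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_render_field', function () {
    check_ajax_referer( 'example_render_field', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $field  = isset( $_POST['field'] ) ? sanitize_key( wp_unslash( $_POST['field'] ) ) : '';
    $output = example_render_field_safe( $field );
    if ( null === $output ) {
        wp_send_json_error( 'unknown field', 400 );
    }
    wp_send_json_success( $output );
} );
```

When reviewing a plugin for this class of bug, the thing to look for is any `call_user_func`, variable-function or `method_exists` dispatch whose name is built from request data without an explicit map like `EXAMPLE_RENDER_METHODS` in front of it.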