Platform: wordpress
Component: advanced-ads
Fixed in: 2.0.13
CVE-2025-10487 describes a Remote Code Execution (RCE) vulnerability affecting the Advanced Ads – Ad Manager & AdSense plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary code, potentially leading to complete system compromise and data theft. The issue impacts versions 0.0.0 through 2.0.12, and a patch is available in version 2.0.13.
The impact of this RCE vulnerability is significant. An attacker could leverage it to gain complete control over a WordPress site running the vulnerable plugin. This could involve deploying malware, stealing sensitive data (user credentials, customer information, database contents), modifying website content, or using the compromised site as a launchpad for further attacks against other systems on the network. The ability to call functions such as get_the_excerpt() demonstrates the potential for information exposure, which could be a precursor to more serious attacks. Because the endpoint is reachable without authentication, exploitation requires neither a valid account nor any user interaction.
This vulnerability was publicly disclosed on 2025-11-01. As of this date, there is no indication of active exploitation in the wild, but the ease of exploitation and the plugin's popularity suggest that it could become a target. No Proof-of-Concept (PoC) code has been publicly released, but the vulnerability description provides sufficient detail for attackers to develop their own exploits. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.41% (61st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to immediately upgrade the Advanced Ads plugin to version 2.0.13 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable AJAX endpoint. This can be achieved through a web application firewall (WAF) or by implementing custom access control rules within the plugin itself (though this requires advanced development skills). Monitor WordPress access logs for requests to the plugin's AJAX endpoint that target the select_one() function. A precise detection signature is difficult to write without access to the plugin code, so look for unusual function names being passed to the plugin's endpoint.
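The two defensive actions the advisory recommends, checking the installed plugin version against 2.0.13 and watching access logs for requests that target select_one() or pass core function names such as get_the_excerpt() to admin-ajax.php, can both be scripted. The following Python is an added example written for this page, not code from the Advanced Ads project or from the advisory. The log lines are constructed; the AJAX action name `advads_placeholder_action` and the parameter names `method` and `callback` are assumptions, since the advisory does not name the vulnerable action or its parameters.

```python
import re
from urllib.parse import parse_qs, urlparse

# Patched version from the advisory.
FIXED_VERSION = (2, 0, 13)

# Function names the advisory associates with the vulnerable endpoint.
WATCHLIST = {"select_one", "get_the_excerpt"}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '2.0.12' into (2, 0, 12); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def plugin_is_vulnerable(header_text):
    """Read the 'Version:' line of a WordPress plugin header (e.g. advanced-ads.php).

    Returns True if the version is below 2.0.13, False if patched,
    None if no version header was found.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        return None
    return parse_version(m.group(1)) < FIXED_VERSION


def scan_access_log(lines):
    """Flag admin-ajax.php requests whose query parameters carry a watchlisted name.

    Only GET query strings are visible in a plain access log; POST bodies are
    not logged, so for those the WAF or PHP-level logging has to be consulted.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing
        url = urlparse(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)
        matched = sorted(
            v for values in params.values() for v in values if v in WATCHLIST
        )
        if matched:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": url.path, "matched": matched})
    return hits


# Constructed sample log lines (not real traffic). The action and parameter
# names in the first line are placeholders, not the plugin's real ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=advads_placeholder_action&method=select_one&callback=get_the_excerpt HTTP/1.1" '
    '200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Nov/2025:10:16:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 42 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Nov/2025:10:17:02 +0000] "GET /index.php?p=12 HTTP/1.1" '
    '200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(plugin_is_vulnerable(" * Plugin Name: Advanced Ads\n * Version: 2.0.12\n"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['path']} matched {hit['matched']}")
```

Run `plugin_is_vulnerable()` on the contents of the plugin's main PHP file (the file carrying the `Version:` header); feed `scan_access_log()` the web server's access log. The second sample line shows the blind spot: a POST to admin-ajax.php carries its parameters in the body, which the access log does not record, so blocking or inspecting that traffic belongs in the WAF layer the advisory recommends.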
Update the Advanced Ads plugin to version 2.0.13 or later to mitigate the unauthenticated limited code execution vulnerability. This update corrects the missing access restrictions on an AJAX endpoint, preventing attackers from executing arbitrary functions.
CVE-2025-10487 is a Remote Code Execution vulnerability in the Advanced Ads WordPress plugin, allowing attackers to execute arbitrary code. It affects versions 0.0.0–2.0.12 and is rated HIGH severity.
If you are using Advanced Ads plugin versions 0.0.0 through 2.0.12, you are vulnerable. Check your plugin version and upgrade immediately.
Upgrade the Advanced Ads plugin to version 2.0.13 or later. If immediate upgrade is not possible, restrict access to the vulnerable AJAX endpoint using a WAF or custom rules.
As of 2025-11-01, there is no confirmed active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official Advanced Ads plugin website or WordPress plugin repository for the latest security advisory and update information.