HIGH · CVE-2025-46444 · CVSS 8.1

WordPress Ads Pro plugin <= 4.89 - Local File Inclusion vulnerability


Platform

wordpress

Component

ap-plugin-scripteo

Fixed in

4.89.1

AI Confidence: high · NVD · EPSS 0.5% · Reviewed: May 2026

CVE-2025-46444 describes a PHP Local File Inclusion (LFI) vulnerability within the scripteo Ads Pro ap-plugin-scripteo component. This vulnerability allows an attacker to include arbitrary files on the server, potentially leading to sensitive information disclosure. Versions of Ads Pro from 0.0 up to and including 4.89 are affected. A fix is pending, and mitigation strategies are crucial.

WordPress


Impact and Attack Scenarios

The primary impact of this LFI vulnerability is the potential for sensitive information disclosure. An attacker could leverage this flaw to read configuration files, source code, or other files containing credentials, API keys, or proprietary data. Successful exploitation could lead to further compromise of the system, including data breaches and unauthorized access. While the vulnerability is classified as Local File Inclusion, the potential for escalating privileges or gaining access to critical system resources depends on the files accessible through the inclusion mechanism. The blast radius extends to any data accessible through files on the server.

Exploitation Context

The vulnerability was published on 2025-05-23. Exploitation probability is currently assessed as medium, given the relatively straightforward nature of LFI vulnerabilities and the potential for automated scanning. Public proof-of-concept (POC) code is likely to emerge, increasing the risk of exploitation. Monitor security advisories and threat intelligence feeds for any indications of active campaigns targeting this vulnerability.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.55% (68th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

Threat intelligence · CVSS 3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H · 8.1 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (authentication level required for the attack)
User Interaction: None (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of exposure of sensitive data)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
High: requires a race condition, non-standard configuration or specific circumstances.
Privileges Required
None: no authentication required to exploit.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete crash or resource exhaustion. Total denial of service.

Affected Software

Component: ap-plugin-scripteo
Vendor: wordfence
Affected range: 0 – 4.89
Fixed in: 4.89.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No patch: 366 days after disclosure

Mitigation and Workarounds

Without a patched version of Ads Pro available, immediate mitigation focuses on restricting file access and validating user input. Implement strict file access controls to limit the files that can be included. Thoroughly validate any user-supplied input used in file paths to prevent attackers from manipulating the inclusion process. Consider using a Web Application Firewall (WAF) to filter malicious requests and block attempts to exploit the vulnerability. Regularly review and update server configurations to minimize the attack surface. After implementing these mitigations, verify their effectiveness by attempting to trigger the vulnerability with controlled input and confirming that file access is restricted.
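The input-validation mitigation described above, shown as an added PHP example. This is not code from the Ads Pro plugin (the page does not show the vulnerable code); it is an illustration of the safe pattern: a request parameter selects a template, and the name is resolved against a fixed allowlist and a base directory before anything reaches include(). The function names, the template directory layout and the template names are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration for this advisory, not code from the Ads Pro plugin.
// It shows the mitigation described in the text: user input never forms a
// file path directly. Function names, template directory and template names
// are assumed for the demonstration.

/** Template names a request is allowed to select (assumed set). */
const ALLOWED_TEMPLATES = ['banner', 'sidebar', 'popup'];

/**
 * Resolve a user-supplied template name to a file under $templateDir,
 * or return null when it must be rejected.
 *
 * Check 1: the name must be an exact allowlist member, so traversal
 *          sequences, absolute paths, null bytes and stream wrappers
 *          never match.
 * Check 2: the resolved real path must still sit inside $templateDir, so a
 *          misconfigured allowlist or a symlink cannot widen the reachable set.
 */
function resolve_template(string $requested, string $templateDir): ?string
{
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($templateDir);
    $real = realpath($templateDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Include the selected template, or log the rejected name and fail closed. */
function render_template(string $requested, string $templateDir): void
{
    $path = resolve_template($requested, $templateDir);
    if ($path === null) {
        error_log('ads-template: rejected template name ' . json_encode($requested));
        http_response_code(400);
        return;
    }
    include $path;
}

// Controlled verification, as the mitigation section recommends: build a
// throwaway template directory, then check which names resolve. The probe
// strings are constructed test input, not requests observed anywhere.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/ads-template-demo-' . getmypid();
    mkdir($dir, 0700, true);
    file_put_contents($dir . '/banner.php', "<?php echo 'banner ok', PHP_EOL;\n");

    $probes = ['banner', 'sidebar', '../outside', '/etc/hostname', "banner\0"];
    foreach ($probes as $p) {
        $result = resolve_template($p, $dir) === null ? 'rejected' : 'allowed';
        printf("%-24s => %s\n", json_encode($p), $result);
    }

    unlink($dir . '/banner.php');
    rmdir($dir);
}
```

Run from the command line, only "banner" is allowed: the traversal, absolute-path and null-byte probes fail the allowlist check, and "sidebar" is allowlisted but has no file in the directory, so the real-path check rejects it as well. Both checks are kept deliberately: the allowlist is the primary control, and the base-directory comparison is the defence in depth that still holds if the allowlist is later edited carelessly.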

How to Remediate

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.


Frequently Asked Questions

What is CVE-2025-46444 — PHP Local File Inclusion in Ads Pro?

CVE-2025-46444 is a vulnerability in Ads Pro allowing attackers to include arbitrary files on the server, potentially exposing sensitive data. It affects versions 0.0 through 4.89 and has a CVSS score of 8.1 (HIGH).

Am I affected by CVE-2025-46444 in Ads Pro?

You are affected if you are using Ads Pro versions 0.0 to 4.89. Check your installed version and implement mitigation strategies until a patch is available.

How do I fix CVE-2025-46444 in Ads Pro?

A patch is pending. Mitigate by restricting file access, validating user input, and using a WAF. Monitor for updates from the vendor.

Is CVE-2025-46444 being actively exploited?

While no active campaigns have been confirmed, the vulnerability's nature suggests a medium probability of exploitation, and public POCs are likely to emerge.

Where can I find the official Ads Pro advisory for CVE-2025-46444?

Check the scripteo website and WordPress plugin repository for updates and advisories related to CVE-2025-46444.
