CVE-2025-10487: CWE-94 Improper Control of Generation of Code ('Code Injection') in monetizemore Advanced Ads – Ad Manager & AdSense
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the endpoint not properly restricting access to the AJAX endpoint or limiting the functions that can be called to safe functions. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_ like get_the_excerpt which can make information exposure possible.
AI Analysis
Technical Summary
CVE-2025-10487 is a remote code execution vulnerability found in the Advanced Ads – Ad Manager & AdSense plugin for WordPress, affecting all versions up to and including 2.0.12. The vulnerability stems from the select_one() function, which handles AJAX requests but fails to properly restrict access or limit callable functions to safe ones. Specifically, unauthenticated attackers can invoke arbitrary functions prefixed with get_the_, such as get_the_excerpt, through the AJAX endpoint. This improper control of code generation (CWE-94) allows attackers to execute unauthorized code remotely, potentially leading to information disclosure, data manipulation, or full system compromise depending on the functions accessible. The vulnerability requires no authentication or user interaction, making it highly exploitable over the network. Although no public exploits have been reported yet, the plugin’s widespread use in WordPress sites globally increases the risk of future exploitation. The CVSS v3.1 base score of 7.3 reflects the vulnerability’s network attack vector, low attack complexity, no privileges required, and significant impacts on confidentiality, integrity, and availability. The lack of patch links suggests that a fix may not yet be available, underscoring the urgency for mitigations or vendor updates.
Potential Impact
The impact of CVE-2025-10487 is substantial for organizations using the affected WordPress plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary code on the web server. This can result in unauthorized access to sensitive information, website defacement, data corruption, or the deployment of malware such as web shells or ransomware. The vulnerability compromises confidentiality by exposing information through functions like get_the_excerpt, integrity by enabling unauthorized code execution, and availability by potentially disrupting website operations. Given the plugin’s role in managing ads, exploitation could also lead to fraudulent ad manipulation or revenue loss. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread compromise. Organizations relying on this plugin for ad management face risks to their web infrastructure, customer trust, and regulatory compliance.
Mitigation Recommendations
1. Immediate mitigation should include disabling or restricting access to the vulnerable AJAX endpoint if possible, using web application firewalls (WAF) or server-level access controls to block unauthorized requests targeting the select_one() function.
2. Monitor web server logs for suspicious AJAX requests invoking get_the_ functions or unusual activity patterns.
3. Limit the plugin's permissions and isolate the WordPress environment to reduce potential damage from exploitation.
4. Apply the principle of least privilege to WordPress user roles and database access to minimize impact if compromised.
5. Update the plugin as soon as the vendor releases a patch addressing this vulnerability.
6. Employ runtime application self-protection (RASP) or intrusion detection systems (IDS) to detect and block exploitation attempts.
7. Educate site administrators on the risks and encourage prompt action to mitigate exposure.
8. Consider alternative ad management solutions if a timely patch is unavailable.
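Step 2 above asks for log monitoring. The script below is an added example, not code from the advisory, from Wordfence or from the plugin: it parses access-log lines in the common/combined format and flags any request to admin-ajax.php whose query string carries a value beginning with get_the_. The advisory does not name the plugin's AJAX action or the parameter that carries the function name, so the action name advads_select_one and the parameter method in the sample lines are constructed placeholders, and the check deliberately inspects every query-string value rather than one known parameter. The log lines and IP addresses are constructed as well.

```python
"""Flag admin-ajax.php requests whose query string names a get_the_* function.

Assumptions (not from the advisory): the real AJAX action name and the
parameter carrying the function name are unknown, so every query-string value
of every admin-ajax.php request is examined. Sample log lines are constructed;
the IPs are from documentation ranges.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: lines 1 and 3 carry get_the_* values (line 3 percent-encoded),
# line 2 is a benign heartbeat, line 4 is an unrelated path that merely contains
# the substring, line 5 is a POST whose body the access log cannot show.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2025:06:40:01 +0000] "GET /wp-admin/admin-ajax.php?action=advads_select_one&method=get_the_excerpt&id=12 HTTP/1.1" 200 512
198.51.100.23 - - [01/Nov/2025:06:40:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80
203.0.113.7 - - [01/Nov/2025:06:40:09 +0000] "GET /wp-admin/admin-ajax.php?action=advads_select_one&method=get_the_%74itle&id=13 HTTP/1.1" 200 300
192.0.2.44 - - [01/Nov/2025:06:41:00 +0000] "GET /blog/get_the_best_deals/ HTTP/1.1" 200 9000
198.51.100.23 - - [01/Nov/2025:06:41:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def get_the_calls(target):
    """Return every get_the_* query value in an admin-ajax.php request target.

    parse_qs percent-decodes values, so encoded variants are caught too.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return []
    found = []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for v in values:
            if v.startswith("get_the_"):
                found.append(v)
    return found


def scan_log(text):
    """Return (hits, uninspected_posts).

    hits: one dict per flagged request; uninspected_posts: POSTs to
    admin-ajax.php whose body is not present in the access log.
    """
    hits, uninspected_posts = [], 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        calls = get_the_calls(entry["target"])
        if calls:
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "functions": calls})
        elif entry["method"] == "POST" and urlsplit(entry["target"]).path.endswith("/admin-ajax.php"):
            uninspected_posts += 1
    return hits, uninspected_posts


def top_sources(hits):
    """Count flagged requests per source IP, for prioritising blocks."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged, posts = scan_log(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} -> {", ".join(h["functions"])}')
    print("per-source counts:", dict(top_sources(flagged)))
    print(f"{posts} POST request(s) to admin-ajax.php could not be inspected from the access log")
```

Standard access logs record the query string of GET requests but not POST bodies, so the scan only counts POSTs to admin-ajax.php as uninspected; covering those needs request-body logging at the WAF or in the application. The unrelated /blog/get_the_best_deals/ line shows why the check is scoped to the admin-ajax.php path rather than grepping the whole log for the substring.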
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Korea, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-15T14:29:17.900Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec78
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 2/27/2026, 6:26:10 PM
Last updated: 3/24/2026, 11:23:55 AM
Views: 120