CVE-2025-10487: CWE-94 Improper Control of Generation of Code ('Code Injection') in monetizemore Advanced Ads – Ad Manager & AdSense
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the AJAX endpoint neither properly restricting access nor limiting the functions that can be called to a safe set. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_, such as get_the_excerpt, which can lead to information exposure.
AI Analysis
Technical Summary
CVE-2025-10487 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code), affecting the Advanced Ads – Ad Manager & AdSense plugin for WordPress in all versions up to and including 2.0.12. The vulnerability stems from the select_one() function, which exposes an AJAX endpoint that neither properly restricts access nor limits the callable functions to a safe set. This design flaw allows unauthenticated attackers to invoke arbitrary functions beginning with get_the_, such as get_the_excerpt, enabling remote code execution (RCE) and information disclosure. The vulnerability is exploitable over the network without authentication or user interaction, which raises its risk profile. The CVSS v3.1 base score is 7.3 (high severity), with impacts on confidentiality, integrity, and availability. Although no public exploits are known yet, the nature of the flaw means exploitation could lead to unauthorized data access, code execution on the server, and potential site takeover. The plugin is widely used by WordPress sites for managing ads and integrating with AdSense, so the exposed attack surface is significant. The absence of patch links indicates that a fix may not yet be available, which makes interim mitigation important. The vulnerability was reserved in September 2025 and published in November 2025, reflecting recent discovery and disclosure.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, particularly for those relying on WordPress sites with the Advanced Ads plugin to manage advertising content. Successful exploitation can lead to unauthorized disclosure of sensitive information, including excerpts and potentially other content accessible via get_the_ functions. Remote code execution can allow attackers to modify site content, inject malicious code, or pivot to other internal systems, compromising data integrity and availability. Given the plugin's role in ad management, attacks could disrupt revenue streams and damage brand reputation. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread compromise. Organizations in sectors with high digital advertising dependency, such as media, e-commerce, and marketing agencies, face elevated risks. Additionally, compromised sites could be used to distribute malware or conduct phishing campaigns targeting European users, amplifying the threat landscape.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to the vulnerable AJAX endpoint with server-side access controls, such as IP allowlisting or authentication requirements, until an official patch is released. Further recommended steps:
- Deploy web application firewall (WAF) rules to detect and block requests that attempt to invoke unauthorized functions, particularly those naming get_the_-prefixed functions.
- Monitor web server and application logs for suspicious AJAX calls and unusual activity related to the Advanced Ads plugin.
- Maintain regular backups of WordPress sites so that a compromised site can be restored quickly.
- Apply official patches or updates from the plugin vendor promptly once they are available.
- Temporarily disable or remove the Advanced Ads plugin if the mitigation controls above cannot be implemented effectively.
- Audit WordPress installations for other potential vulnerabilities and ensure all plugins and themes are up to date.
- Educate site administrators about the risks of unauthenticated AJAX endpoints and the importance of least-privilege principles in plugin design.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-15T14:29:17.900Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec78
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 11/10/2025, 2:32:14 AM
Last updated: 12/16/2025, 8:07:11 PM