CVE-2025-4380: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in scripteo Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included, or already exist on the site.
AI Analysis
Technical Summary
CVE-2025-4380 is a high-severity vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), affecting the Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager developed by scripteo. All versions up to and including 4.89 are affected. The flaw is insecure handling of the 'bsa_template' parameter within the 'bsa_preview_callback' function: the request value is used to build the path handed to a PHP include, so an unauthenticated attacker can perform Local File Inclusion (LFI). By manipulating the parameter, an attacker can include arbitrary files on the server. If an included file contains PHP (one the attacker managed to upload, or one that already exists on the site), that code runs in the web server's context; even without code execution, including a non-PHP file such as a configuration file discloses its contents and can bypass access controls. The attack requires neither authentication nor user interaction. The CVSS v3.1 base score is 8.1 (High): network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No exploitation in the wild is reported on this page, but the vulnerable parameter and function are named publicly, and unauthenticated file-inclusion bugs in WordPress plugins are routinely mass-scanned and exploited. No fixed version is listed, which leaves affected installations without a vendor patch. Given that WordPress is widely used across Europe and Ads Pro Plugin is a popular advertising management tool, this vulnerability poses a significant threat to websites relying on this plugin, potentially leading to data breaches, defacement, or full server takeover.
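The include pattern behind CWE-98, next to a hardened form, as an added illustration for this page. It is constructed code, not scripteo's plugin and not the code Wordfence analysed: only the request parameter name 'bsa_template' comes from the advisory. The template directory, the `BSA_TEMPLATES_DIR` constant, the allowed template names and the function names are assumptions, and the WordPress hook registration is left out because the page does not name the AJAX action.

```php
<?php
// Constructed example for this page, not the plugin's real code.
// Only the parameter name 'bsa_template' is taken from the advisory.

// Assumed template directory; a real plugin would derive it from
// plugin_dir_path(__FILE__) or similar.
define('BSA_TEMPLATES_DIR', __DIR__ . '/templates');

/**
 * Vulnerable pattern (CWE-98): the request value is spliced into the
 * include path. '../../../wp-config.php' walks out of the directory,
 * and a path to an uploaded or pre-existing .php file runs its code.
 * Appending a fixed '.php' suffix would not help against the latter.
 */
function bsa_preview_vulnerable(): void
{
    $template = isset($_REQUEST['bsa_template']) ? (string) $_REQUEST['bsa_template'] : 'default';
    include BSA_TEMPLATES_DIR . '/' . $template;   // attacker controls the path
}

/**
 * Hardened form: map the request value onto a fixed allowlist, then
 * confirm the resolved path still lives under the template directory.
 * Returns the path that would be included, or null when rejected.
 */
function bsa_resolve_template(string $requested): ?string
{
    static $allowed = ['default', 'grid', 'list', 'slider'];   // assumed template names

    // Reject anything that is not a plain identifier (no '/', '\', '.', NUL, ':').
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    $base = realpath(BSA_TEMPLATES_DIR);
    $path = realpath(BSA_TEMPLATES_DIR . '/' . $requested . '.php');
    // realpath() returns false for missing files and resolves symlinks, so a
    // final prefix check catches any escape the allowlist did not.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function bsa_preview_hardened(): void
{
    $requested = isset($_REQUEST['bsa_template']) ? (string) $_REQUEST['bsa_template'] : 'default';
    $path = bsa_resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Self-check of the validator with constructed inputs (php this-file.php).
if (PHP_SAPI === 'cli') {
    $cases = [
        'grid'                                  => 'allowed name; accepted only if templates/grid.php exists',
        '../../wp-config'                       => 'traversal, rejected by the identifier regex',
        "grid\0"                                => 'null byte, rejected',
        'php://filter/convert.base64-encode/resource=index' => 'stream wrapper, rejected',
        'admin-panel'                           => 'well-formed but not on the allowlist, rejected',
    ];
    foreach ($cases as $input => $why) {
        $result = bsa_resolve_template($input);
        printf("%-55s -> %s (%s)\n", json_encode($input), $result ?? 'REJECTED', $why);
    }
}
```

The allowlist is the actual fix: a template selector should never be an open-ended filename. The `realpath()` prefix check is defence in depth for the day someone widens the allowlist or starts reading template names from the database.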
Potential Impact
For European organizations, the impact of CVE-2025-4380 can be severe. Many businesses, media companies, and e-commerce platforms in Europe utilize WordPress with advertising plugins like Ads Pro to manage monetization. Exploitation could lead to unauthorized access to sensitive customer data, intellectual property, and internal systems. The ability to execute arbitrary PHP code on the server can result in website defacement, insertion of malicious content (such as malware or phishing pages), and pivoting to internal networks. This can damage brand reputation, lead to regulatory non-compliance under GDPR due to data breaches, and cause operational disruptions. Small and medium enterprises (SMEs), which often rely on third-party plugins without extensive security audits, are particularly vulnerable. Additionally, public sector websites using WordPress could face risks to public trust and service availability. The high severity and unauthenticated nature of the vulnerability mean attackers can rapidly exploit it at scale, increasing the likelihood of widespread incidents across European digital infrastructure.
Mitigation Recommendations
1. Until a patched release is available, deactivate or remove the Ads Pro Plugin; this is the only mitigation that removes the vulnerable code path entirely.
2. Restrict access to the vulnerable functionality with web application firewall (WAF) rules that reject requests in which 'bsa_template' contains directory traversal ('../', '..\'), a stream wrapper prefix ('php://', 'data://', 'phar://'), a null byte, or anything other than a plain template name.
3. Harden the PHP configuration: keep the 'allow_url_include' ini directive set to Off (it is a directive, not a function; with it enabled, 'data://' and 'php://input' turn this LFI into remote code execution without needing a file on disk), and confine file access with 'open_basedir' so an include cannot reach files outside the WordPress tree.
4. Monitor web server logs for requests carrying 'bsa_template', especially values with traversal sequences, wrapper prefixes or encoded slashes, and for attempts to include sensitive files such as wp-config.php.
5. Audit all installed plugins and themes for other vulnerabilities and remove anything that is unused.
6. Apply the vendor patch as soon as it is published and verify the fix by re-testing the 'bsa_template' parameter.
7. Deploy file integrity monitoring to detect unauthorized PHP files, including in upload directories, and changes to existing ones.
8. Train site administrators on plugin lifecycle management and the risks of outdated or unsupported plugins.
9. Consider intrusion detection/prevention systems (IDS/IPS) tuned for WordPress environments to detect exploitation attempts.
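A compensating control for the WAF and log-monitoring steps above, as an added example that is not the vendor's fix and not code from Wordfence: a WordPress must-use plugin that rejects any request whose 'bsa_template' value is not a plain template name, before regular plugins and their AJAX handlers load, and writes the attempt to the PHP error log. The parameter name is from the advisory; the identifier pattern, the 'muplugins_loaded' hook choice, the log format and the deployment path are assumptions.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-4380 (constructed example)
 *
 * Copy into wp-content/mu-plugins/ so it loads before regular plugins.
 * This is not the vendor's fix: it only filters the 'bsa_template'
 * parameter named in the advisory and should be removed once Ads Pro
 * is updated to a fixed release.
 */

/**
 * Decide whether a bsa_template value looks like a legitimate template
 * name. Returns null when acceptable, otherwise a short reason for the log.
 */
function vp_bsa_template_reject_reason(string $value): ?string
{
    if (strpos($value, "\0") !== false) {
        return 'null byte';
    }
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
        return 'directory traversal';
    }
    if (preg_match('#^[a-z0-9.+-]+://#i', $value)) {
        return 'stream wrapper';            // php://, data://, phar://, http:// ...
    }
    // Assumed shape of a legitimate template name; tighten if the plugin
    // uses something narrower, loosen only with care.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value)) {
        return 'unexpected characters';     // also catches double-encoded '..%2f'
    }
    return null;
}

/**
 * Flatten every bsa_template occurrence, including values nested in
 * arrays (bsa_template[]=...), so an array form cannot bypass the check.
 */
function vp_collect_values($input, array &$out): void
{
    if (is_array($input)) {
        foreach ($input as $v) {
            vp_collect_values($v, $out);
        }
    } else {
        $out[] = (string) $input;
    }
}

function vp_check_request(): void
{
    foreach ([$_GET, $_POST] as $source) {
        if (!isset($source['bsa_template'])) {
            continue;
        }
        $values = [];
        vp_collect_values($source['bsa_template'], $values);
        foreach ($values as $value) {
            $reason = vp_bsa_template_reject_reason($value);
            if ($reason === null) {
                continue;
            }
            // error_log() lands in the PHP / web server error log; forward
            // that log to the SIEM to cover the monitoring recommendation.
            error_log(sprintf(
                'CVE-2025-4380 probe blocked: ip=%s reason=%s value=%s uri=%s',
                $_SERVER['REMOTE_ADDR'] ?? '-',
                $reason,
                substr(json_encode($value), 0, 200),
                $_SERVER['REQUEST_URI'] ?? '-'
            ));
            http_response_code(403);
            exit('forbidden');
        }
    }
}

// mu-plugins load before regular plugins register their AJAX handlers,
// so hooking 'muplugins_loaded' runs the check ahead of the vulnerable code.
if (function_exists('add_action')) {
    add_action('muplugins_loaded', 'vp_check_request');
}
```

The last regex is the real guard; the earlier checks exist only to produce a useful reason in the log. If the plugin's legitimate previews use template names containing dots or slashes, the filter will break them, so confirm the expected values on a staging copy before deploying it in production.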
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-06T13:13:59.893Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6864b0fa6f40f0eb72917174
Added to database: 7/2/2025, 4:09:30 AM
Last enriched: 7/2/2025, 4:27:27 AM
Last updated: 7/17/2025, 2:37:56 AM