CVE-2025-4380 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager for WordPress, versions up to and including 4.89. The vulnerability stems from improper validation of the 'bsa_template' parameter in the bsa_preview_callback function, which allows an attacker to manipulate the filename used in an include or require statement. Because the plugin does not properly sanitize or restrict this parameter, an unauthenticated attacker can supply arbitrary file paths, causing the server to include and execute files that may contain malicious PHP code. This can lead to remote code execution if the attacker can upload PHP files or leverage existing files on the server. The vulnerability impacts confidentiality, integrity, and availability by enabling unauthorized code execution, data disclosure, and potential system compromise. The CVSS 3.1 score of 8.1 reflects a network attack vector with high impact but requiring high attack complexity and no privileges or user interaction. No public exploits have been reported yet, but the vulnerability is critical due to the widespread use of WordPress and the plugin's functionality. The lack of available patches at the time of publication increases the urgency for mitigation. This vulnerability is particularly dangerous because it allows unauthenticated attackers to bypass access controls and execute arbitrary PHP code, which can lead to full server compromise.

The impact of CVE-2025-4380 is severe for organizations running WordPress sites with the vulnerable Ads Pro Plugin installed. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the web server. This can result in unauthorized access to sensitive data, defacement of websites, installation of backdoors or malware, and potentially full server takeover. The ability to bypass access controls and execute code without authentication increases the risk of widespread compromise. Organizations may face data breaches, service disruptions, reputational damage, and regulatory penalties. Given WordPress's extensive use worldwide, the vulnerability poses a significant threat to businesses, government agencies, and other entities relying on this plugin for advertising management. The absence of known public exploits currently limits immediate widespread attacks, but the vulnerability's nature and severity make it a prime target for future exploitation.

To mitigate CVE-2025-4380, organizations should take the following specific actions: 1) Immediately update the Ads Pro Plugin to a patched version once available; monitor vendor communications for patch releases. 2) If patches are not yet available, disable or deactivate the vulnerable plugin to prevent exploitation. 3) Implement web application firewall (WAF) rules to detect and block attempts to manipulate the 'bsa_template' parameter or suspicious file inclusion patterns. 4) Restrict file permissions and disable PHP execution in directories used for file uploads to prevent execution of malicious PHP files. 5) Conduct thorough audits of the web server and WordPress installation for unauthorized files or backdoors. 6) Employ strict input validation and sanitization for all user-supplied parameters in custom code or plugins. 7) Monitor logs for unusual access patterns or errors related to file inclusion attempts. 8) Harden the WordPress environment by limiting plugin usage to trusted and actively maintained plugins only. 9) Educate administrators on the risks of installing unverified plugins and the importance of timely updates. These measures collectively reduce the risk of exploitation until a vendor patch is applied.