CVE-2025-4689: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in scripteo Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion, which leads to Remote Code Execution, in all versions up to and including 4.89. This is due to the presence of a SQL Injection vulnerability and a Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to upload image files to the server that can then be fetched via the SQL injection vulnerability and ultimately executed as PHP code through the local file inclusion vulnerability.
AI Analysis
Technical Summary
CVE-2025-4689 is a critical vulnerability affecting the Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager developed by scripteo, impacting all versions up to and including 4.89. This vulnerability is a combination of two distinct but chained issues: a SQL Injection (SQLi) vulnerability and a Local File Inclusion (LFI) vulnerability. The SQL Injection flaw allows an attacker to manipulate database queries, enabling unauthorized access to image file paths stored in the database. The LFI vulnerability permits the inclusion and execution of local files on the server. When combined, these vulnerabilities allow an unauthenticated attacker to upload malicious image files to the server, retrieve their paths via SQL Injection, and then execute them as PHP code through the Local File Inclusion mechanism. This chain effectively leads to Remote Code Execution (RCE) without requiring any authentication or user interaction. The vulnerability is classified under CWE-98, which concerns improper control of filenames used in include or require statements in PHP programs, leading to remote file inclusion attacks. The CVSS v3.1 base score is 9.8, indicating a critical severity level with network attack vector, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild yet, but the severity and ease of exploitation make this a high-risk threat for any WordPress site using this plugin. The absence of available patches at the time of publication further increases the urgency for mitigation.
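As an added example that is not the plugin's own code, the hardened forms of the two patterns whose weaknesses make the chain above possible: an allowlisted, directory-confined include for the LFI half and a parameterised query for the SQLi half. The function names, the `ads` table, the template directory and the sample data are assumptions; PDO/SQLite stands in for `$wpdb` so the block runs stand-alone.

```php
<?php
// Added example, not the plugin's code. Hardens the two root causes behind the
// chain: an include() driven by untrusted input (LFI) and a query built from
// untrusted input (SQLi). Names, table and directory are hypothetical.
declare(strict_types=1);

// Resolve a user-supplied template name to a .php file inside $baseDir, or null.
// An uploaded "image" that really contains PHP can never be reached: only
// allowlisted names are accepted and the resolved path must stay under $baseDir.
function resolve_template(string $baseDir, string $name, array $allow): ?string
{
    // Reject traversal, path separators and NUL bytes before touching the disk.
    if ($name === '' || strpbrk($name, "/\\\0") !== false || str_contains($name, '..')) {
        return null;
    }
    if (!in_array($name, $allow, true)) {   // fixed allowlist, strict comparison
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() follows symlinks, so check containment on the resolved path.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Fetch an ad's stored image path with a parameterised query. PDO/SQLite is
// used so the example runs stand-alone; inside WordPress use $wpdb->prepare().
// The id is bound as an integer, so it cannot rewrite the query to return an
// attacker-chosen path.
function fetch_image_path(PDO $db, int $adId): ?string
{
    $stmt = $db->prepare('SELECT image_path FROM ads WHERE id = :id');
    $stmt->execute([':id' => $adId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['image_path'];
}

// Constructed demo data and calls.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, image_path TEXT)');
$db->exec("INSERT INTO ads VALUES (1, 'uploads/banner.png')");
var_dump(fetch_image_path($db, 1));                                 // bound lookup by id
var_dump(resolve_template(__DIR__, '../../wp-config', ['banner']));  // traversal attempt
var_dump(resolve_template(__DIR__, 'banner.png', ['banner']));       // not on the allowlist
```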
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the Ads Pro Plugin for advertising management. Successful exploitation can lead to full server compromise, allowing attackers to execute arbitrary code, steal sensitive data, deface websites, or use the compromised server as a pivot point for further attacks within the network. This can result in data breaches impacting personal data protected under GDPR, causing legal and financial repercussions. The availability of the affected plugin across many WordPress installations in Europe means that small and medium enterprises, e-commerce platforms, and media companies could be targeted. Additionally, compromised advertising platforms can be abused to deliver malicious ads, spreading malware to end users. The critical nature of the vulnerability and the lack of authentication requirements make it attractive for automated exploitation campaigns, potentially leading to widespread impact across European digital infrastructure.
Mitigation Recommendations
Immediate mitigation steps include disabling or uninstalling the Ads Pro Plugin until a security patch is released. Organizations should monitor their WordPress installations for suspicious activity, including unexpected file uploads or anomalous database queries. Web application firewalls (WAFs) should be configured to detect and block SQL injection attempts and suspicious file inclusion patterns. Restricting file upload permissions and validating file types strictly can reduce the risk of malicious files being accepted. Additionally, isolating the web server environment using containerization or sandboxing can limit the impact of a successful exploit. Regular backups should be maintained to enable recovery from potential compromises. Organizations should subscribe to vendor advisories and CVE databases to apply patches promptly once available. Conducting a thorough security audit of all WordPress plugins and removing unused or unsupported plugins can reduce the attack surface.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-14T13:42:23.455Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6864b0fa6f40f0eb72917180
Added to database: 7/2/2025, 4:09:30 AM
Last enriched: 7/2/2025, 4:26:12 AM
Last updated: 7/13/2025, 10:21:24 AM