CVE-2025-7402: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in scripteo Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager, developed by scripteo, suffers from a critical SQL Injection vulnerability identified as CVE-2025-7402. This vulnerability exists due to improper neutralization of special elements in SQL commands (CWE-89), specifically in the 'site_id' parameter, which is insufficiently escaped before being incorporated into SQL queries. The flaw affects all plugin versions up to and including 4.95. An unauthenticated attacker can exploit this vulnerability remotely without any user interaction by injecting time-based SQL payloads that manipulate the backend database queries. This allows the attacker to extract sensitive information from the database, such as user credentials, configuration data, or other confidential content stored within the WordPress database. The vulnerability does not require authentication or privileges, making it highly accessible to attackers scanning for vulnerable WordPress sites. The lack of patches or official fixes at the time of publication increases the urgency for mitigation. While no active exploitation has been reported, the vulnerability's characteristics make it a prime target for attackers aiming to compromise WordPress sites using this plugin. The CVSS 3.1 base score of 7.5 reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact, with no impact on integrity or availability.
Potential Impact
This vulnerability can lead to unauthorized disclosure of sensitive data stored in the WordPress database, including user information, site configuration, and potentially payment or advertising data managed by the Ads Pro Plugin. Organizations running affected versions of the plugin risk data breaches that could compromise customer privacy and lead to reputational damage, regulatory penalties, and financial loss. Since the attack requires no authentication and can be performed remotely, it significantly increases the attack surface for WordPress sites using this plugin. The exposure of sensitive data can also facilitate further attacks, such as privilege escalation or site takeover. Given WordPress's widespread use globally, the vulnerability could affect a large number of websites, especially those relying on this popular advertising management plugin. The lack of impact on integrity and availability means the site may continue to function normally while data is being exfiltrated, making detection more difficult.
Mitigation Recommendations
1. Immediate upgrade to a patched version of the Ads Pro Plugin once available from the vendor. Monitor official channels for patch releases.
2. In the absence of an official patch, implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'site_id' parameter.
3. Employ input validation and sanitization at the application level, ensuring that all user-supplied parameters are properly escaped or parameterized in SQL queries.
4. Restrict database user permissions to the minimum necessary, preventing the plugin's database user from performing unauthorized queries or accessing sensitive tables.
5. Regularly audit and monitor database logs and web server logs for unusual query patterns or repeated access attempts to the vulnerable parameter.
6. Consider temporarily disabling the Ads Pro Plugin if immediate patching or mitigation is not feasible, especially on high-risk or public-facing sites.
7. Educate site administrators about the risks of SQL injection and encourage timely updates of all WordPress plugins and core components.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-10T00:03:18.297Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6923e5eb1e6a877a1a57700d
Added to database: 11/24/2025, 4:58:19 AM
Last enriched: 2/26/2026, 4:11:08 PM
Last updated: 3/25/2026, 9:58:01 PM