PT-2025-27586 · WordPress · The Ads Pro Plugin

Trương Hữu Phúc (+1)
Published: 2025-07-02 · Updated: 2025-07-09
CVE-2025-4380
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager versions up to, and including, 4.89
Description: The issue allows unauthenticated attackers to include and execute arbitrary files on the server via the bsa template parameter of the bsa preview callback function. Because the included file is interpreted by PHP, any PHP code it contains is executed, which can be used to bypass access controls, obtain sensitive data, or achieve code execution where .php files can be uploaded and included, or already exist on the site.
Recommendations: For versions up to, and including, 4.89, as a temporary workaround, consider disabling the bsa preview callback function until a patch is available. Restrict access to the bsa template parameter to minimize the risk of exploitation. Avoid using the bsa template parameter in the affected function until the issue is resolved.
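The pattern behind this class of bug, and the access restriction the recommendations call for, as an added PHP illustration that is not the plugin's own code: the function names, the request key `bsa_template`, the `templates/` directory, the allowlist and the `edit_posts` capability are all assumptions modelled on the advisory's wording, not taken from the plugin.

```php
<?php
// Added illustration, not code from The Ads Pro Plugin. Names below are assumptions.

// Vulnerable pattern: a request-supplied template name goes straight into include,
// so any readable file on the server can be pulled in and interpreted as PHP.
function bsa_preview_vulnerable(array $request): void {
    $template = $request['bsa_template'] ?? 'default';   // assumed key
    include plugin_dir_path(__FILE__) . 'templates/' . $template . '.php';
}

// Hardened pattern: caller must be an authenticated user with an assumed capability,
// the name must come from a fixed allowlist, and the resolved path must stay inside
// the templates directory.
function bsa_preview_hardened(array $request): void {
    if (!current_user_can('edit_posts')) {                // assumed capability
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }

    $allowed  = ['default', 'grid', 'list', 'carousel']; // constructed allowlist
    $template = isset($request['bsa_template']) ? (string) $request['bsa_template'] : 'default';
    if (!in_array($template, $allowed, true)) {
        wp_die('Invalid template', 'Bad Request', ['response' => 400]);
    }

    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $path = ($base !== false) ? realpath($base . '/' . $template . '.php') : false;

    // realpath() returns false for missing files; the prefix check rejects any
    // path that resolved outside the templates directory.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Invalid template', 'Bad Request', ['response' => 400]);
    }
    include $path;
}
```

The allowlist alone already removes the arbitrary-file behaviour; the path check is defence in depth should the list ever be built from configurable data.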

Related Identifiers: CVE-2025-4380
Affected Products: The Ads Pro Plugin