CVE-2025-10487 HIGH

CVE-2025-10487: Advanced Ads <= 2.0.12 - Unauthenticated Limited Code Execution

Vendor Monetizemore
Product Advanced Ads – Ad Manager & AdSense
Weakness CWE-94 · Code injection
Published November 1, 2025
Last update April 8, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the plugin not properly restricting access to the AJAX endpoint or limiting the functions that can be called to safe functions. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_, such as get_the_excerpt, which can make information exposure possible.
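The two controls the description says were missing (access restriction and an allowlist of callable functions) can be sketched as follows. This is an added example, not the Advanced Ads code or its patch. The action name `example_select_one`, the request fields `getter` and `post_id`, the nonce action, the allowlist contents and the assumption that the feature is meant for administrators are all hypothetical.

```php
<?php
// Added illustration, not plugin code. Hypothetical: the action name, the
// request fields, the nonce action and the allowlist contents.

// Exact function names the endpoint may call. A prefix test such as
// strpos( $name, 'get_the_' ) === 0 is not an allowlist: it admits every
// function sharing the prefix, including ones that return non-public content.
const EXAMPLE_ALLOWED_GETTERS = array( 'get_the_title', 'get_the_permalink' );

// Registered for logged-in users only. There is deliberately no
// wp_ajax_nopriv_ hook, so anonymous requests never reach the handler.
add_action( 'wp_ajax_example_select_one', 'example_select_one' );

function example_select_one() {
	// 1. Request integrity: dies with 403 if the nonce is missing or invalid.
	check_ajax_referer( 'example_select_one', 'nonce' );

	// 2. Authorization: being logged in is not enough (assumed admin-only feature).
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 3. Normalize input before using it for any lookup.
	$name    = isset( $_POST['getter'] ) ? sanitize_key( wp_unslash( $_POST['getter'] ) ) : '';
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

	// 4. Exact-match allowlist: the request value only selects a known name.
	if ( ! in_array( $name, EXAMPLE_ALLOWED_GETTERS, true ) ) {
		wp_send_json_error( 'unsupported getter', 400 );
	}

	// 5. Object-level check: the caller must be allowed to read this post.
	if ( ! $post_id || ! current_user_can( 'read_post', $post_id ) ) {
		wp_send_json_error( 'not found', 404 );
	}

	// Both allowlisted functions take the post as their first argument.
	wp_send_json_success( call_user_func( $name, $post_id ) );
}
```

Each `wp_send_json_error()` call ends the request, so the steps fail closed in order.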

Explanation of Vulnerability in Simple Terms

02 Summary

Advanced Ads allows unauthenticated attackers to inject and execute arbitrary code through the plugin's ad management functionality. The vulnerability exists in versions up to 2.0.12 and requires no user interaction. An attacker can exploit this to modify site content, steal data, or compromise the WordPress installation.

What an attacker can do

03 Attacker Capabilities

Inject and run arbitrary code on the site without authentication.

Potential impact on your site

04 Site Impact

Attackers can modify ads, steal visitor data, inject malware, or take control of the WordPress site.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 1, 2025 CVE published
April 8, 2026 Record updated