CVE-2025-10487 Overview
The Advanced Ads – Ad Manager & AdSense plugin for WordPress contains a Remote Code Execution vulnerability in all versions up to, and including, 2.0.12. The flaw lies in the select_one() function: the AJAX endpoint that reaches it is not properly access-restricted, and the function it is told to call is constrained only by a name-prefix check rather than by a fixed allowlist. An unauthenticated attacker can therefore invoke any PHP function whose name begins with get_the_, such as get_the_excerpt(), leading to information exposure and potentially further exploitation.
Critical Impact
Unauthenticated attackers can exploit this vulnerability remotely to invoke any function in the get_the_ family. The direct consequence is disclosure of post data the caller is not entitled to read, such as the titles or excerpts of unpublished posts, because these helpers take a post ID and perform no status or capability check of their own; depending on what other code is installed, the open-ended set of callable functions may also allow further compromise of the site.
Affected Products
- Advanced Ads – Ad Manager & AdSense plugin for WordPress versions up to and including 2.0.12
Discovery Timeline
- 2025-11-01 - CVE-2025-10487 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10487
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code, or Code Injection). The flaw stems from the plugin's select_one() function, which is reachable through an AJAX endpoint that performs no authentication or capability check. In addition, the function does not limit the callable to a fixed allowlist; it accepts any function name that passes a prefix test.
The attack can be initiated remotely without any authentication. Because the only restriction is the get_the_ prefix, the attacker may call any WordPress function with that naming convention, and there are many: get_the_excerpt(), get_the_title(), get_the_content() and others. These helpers accept a post ID and do not themselves check the post's status or the caller's capabilities, so they can reveal data from posts the caller should not be able to read. Any other function with the same prefix defined by WordPress core, a theme or another plugin is equally callable, which is why the issue is classified as code execution rather than only as information disclosure.
Root Cause
The root cause of this vulnerability is twofold:
Missing Authentication: The AJAX endpoint that leads to select_one() is reachable by logged-out users and does not verify that the requester has any permission to use the functionality.
Insufficient Function Filtering: The code does not restrict the functions that can be invoked through the endpoint to a fixed allowlist. It accepts any function name matching the get_the_* pattern, and a prefix check admits an open-ended set of functions rather than the handful the feature actually needs.
Attack Vector
The attack is network-based and requires neither authentication nor user interaction. The attacker sends AJAX requests to the vulnerable endpoint naming a function that begins with get_the_ (and, where the function takes one, a post ID); the server calls that function and returns its result, which may contain sensitive data.
Concretely, the requests are POSTs to the WordPress AJAX handler (/wp-admin/admin-ajax.php) with an action parameter that routes to select_one() and a parameter naming the function to call. Since no authentication is required, any remote attacker can use this against an exposed installation running an affected version.
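To make the root cause and the request shape concrete, the following is an added illustration written for this page, not code taken from the Advanced Ads plugin or its patch. It shows a hypothetical AJAX handler that reproduces the pattern described above (an endpoint reachable by logged-out users whose only restriction on the callable is a get_the_ prefix test), the request that abuses it, and a hardened version that uses a fixed allowlist plus nonce, capability and post-visibility checks. The action names, the cb and id parameters, the allowlist contents and the nonce action are all assumptions.

```php
<?php
// Added example for this page; not the plugin's code. Action names, the 'cb'
// and 'id' parameters and the nonce action are assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// Registered with wp_ajax_nopriv_, so logged-out users reach it; no nonce or
// capability check; the callable is restricted only by a string prefix, so
// every get_the_* function known to PHP is reachable.
function example_select_one_vulnerable() {
    $callback = isset( $_POST['cb'] ) ? (string) $_POST['cb'] : '';
    $post_id  = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;

    if ( 0 === strpos( $callback, 'get_the_' ) && function_exists( $callback ) ) {
        // Variable function call with an attacker-chosen name.
        wp_send_json_success( call_user_func( $callback, $post_id ) );
    }
    wp_send_json_error( 'bad request', 400 );
}
add_action( 'wp_ajax_example_select_one',        'example_select_one_vulnerable' );
add_action( 'wp_ajax_nopriv_example_select_one', 'example_select_one_vulnerable' );
// Abuse (hypothetical request shape): read the excerpt of post 42, whatever
// its status, without logging in:
//   curl -d 'action=example_select_one&cb=get_the_excerpt&id=42' \
//        https://example.test/wp-admin/admin-ajax.php

// --- Hardened pattern -------------------------------------------------------
// The client sends a short key, never a function name; the key is mapped
// through a fixed allowlist; a nonce is required; and because get_the_*
// helpers do not check post status or capabilities themselves, the post's
// visibility is enforced here before anything is returned.
const EXAMPLE_SELECT_CALLBACKS = array(
    'title'   => 'get_the_title',
    'excerpt' => 'get_the_excerpt',
);

function example_select_one_hardened() {
    check_ajax_referer( 'example_select_one', 'nonce' );

    $key     = isset( $_POST['cb'] ) ? sanitize_key( $_POST['cb'] ) : '';
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    if ( ! isset( EXAMPLE_SELECT_CALLBACKS[ $key ] ) ) {
        wp_send_json_error( 'unknown callback', 400 );
    }

    $post = get_post( $post_id );
    if ( ! $post
        || ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post_id ) ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( call_user_func( EXAMPLE_SELECT_CALLBACKS[ $key ], $post_id ) );
}
// Still reachable by logged-out visitors (front-end ad selection needs that),
// which is acceptable only because the callable set is closed and the post
// visibility check above is in place.
add_action( 'wp_ajax_example_select_one_safe',        'example_select_one_hardened' );
add_action( 'wp_ajax_nopriv_example_select_one_safe', 'example_select_one_hardened' );
```

The point of the hardened version is that the client never chooses a function name at all: the allowlist is the only place a callable is written down, so adding a capability to the endpoint later means editing that array, not widening a prefix check.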
Detection Methods for CVE-2025-10487
Indicators of Compromise
- AJAX requests to /wp-admin/admin-ajax.php whose action parameter routes to the Advanced Ads select_one() functionality, in unusual volume or from unexpected clients
- Request parameters whose values begin with get_the_. Note that the action and the function name normally travel in the POST body, which standard web server access logs do not record; they are visible only in WAF or ModSecurity audit logs, or in application-level logging added for this purpose
- Unexpected information disclosure or data leakage from WordPress posts or pages
- Web application firewall alerts for suspicious parameter patterns in AJAX requests
Detection Strategies
- Monitor WordPress AJAX endpoint logs for unusual request patterns targeting the Advanced Ads plugin
- Implement web application firewall rules to detect and block requests containing suspicious function call patterns
- Review access logs for POST requests to admin-ajax.php; where the action is passed in the query string it appears in the request line, otherwise correlate with application or WAF logs that capture POST parameters related to Advanced Ads plugin functionality
- Deploy runtime application self-protection (RASP) solutions to detect and prevent arbitrary function execution
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX requests and review logs regularly for anomalous activity
- Configure alerting for high volumes of requests to the AJAX endpoint from single IP addresses
- Utilize security plugins that provide activity monitoring and audit logging for WordPress sites
- Implement network-level monitoring to detect reconnaissance activities targeting WordPress installations
How to Mitigate CVE-2025-10487
Immediate Actions Required
- Update the Advanced Ads – Ad Manager & AdSense plugin to a patched version later than 2.0.12 immediately
- If immediate patching is not possible, temporarily disable the Advanced Ads plugin until the update can be applied
- Review server access logs for any evidence of exploitation attempts
- Audit WordPress site for any unauthorized changes or data exposure that may have occurred
Patch Information
A security fix has been released by the plugin developers. The patch can be reviewed in the WordPress Changeset Update. Additional details about this vulnerability are available in the Wordfence Vulnerability Report.
Site administrators should update through the WordPress plugin update mechanism or by downloading the latest version directly from the WordPress plugin repository.
Workarounds
- Disable the Advanced Ads plugin entirely if updates cannot be applied immediately
- Implement web application firewall rules to block suspicious AJAX requests targeting the vulnerable endpoint
- Restrict access to /wp-admin/admin-ajax.php at the server level where feasible. This endpoint also serves logged-out visitors for many themes and plugins (including front-end features of plugins such as this one), so blanket blocking of unauthenticated access breaks functionality; IP restrictions or rate limits are usually more realistic
- Use security plugins to add additional authentication layers to AJAX endpoints
# Example: Apache 2.4 configuration limiting admin-ajax.php to known client
# networks (use with caution: every front-end feature that calls this endpoint
# stops working for anyone outside the listed ranges).
# 203.0.113.0/24 is a placeholder; replace it with your own ranges.
# Add to .htaccess in the WordPress root directory.
<Files "admin-ajax.php">
    <RequireAny>
        Require ip 127.0.0.1
        Require ip 203.0.113.0/24
    </RequireAny>
</Files>
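As an added example for the detection and workaround advice above, not a component of Advanced Ads, Wordfence or WordPress: a small must-use plugin that gives the application-level visibility that access logs lack. It runs on every admin-ajax.php request, records the action, the caller and any parameter whose value looks like a get_the_ function name, and refuses such requests from logged-out callers. The parameter name the vulnerable code reads is not stated on this page, so every GET and POST parameter (including nested arrays) is inspected; the file name, hook priority, log format and prefix regex are choices made here, and the assumption that no legitimate anonymous AJAX call names a get_the_* function is exactly that, an assumption.

```php
<?php
/**
 * Plugin Name: Log and block get_the_ callables on admin-ajax.php
 * Description: Added example for this page (not an Advanced Ads, Wordfence or
 * WordPress component). Install as wp-content/mu-plugins/ajax-get-the-guard.php.
 */

// Walk GET/POST (including nested arrays) and return "path=value" strings for
// every value that looks like a get_the_* function name.
function agtg_find_get_the_values( $value, $path = '' ) {
    $hits = array();
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            $child = ( '' === $path ) ? (string) $k : $path . '[' . $k . ']';
            $hits  = array_merge( $hits, agtg_find_get_the_values( $v, $child ) );
        }
    } elseif ( is_string( $value ) && preg_match( '/^\s*get_the_[A-Za-z0-9_]*\s*$/', $value ) ) {
        $hits[] = $path . '=' . trim( $value );
    }
    return $hits;
}

function agtg_inspect_ajax_request() {
    // admin-ajax.php defines DOING_AJAX before loading WordPress, so it is
    // already set when 'init' fires.
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    $hits = agtg_find_get_the_values( array_merge( $_GET, $_POST ) );
    if ( empty( $hits ) ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '-';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Access logs never contain POST bodies; this line (PHP error log, or
    // wp-content/debug.log when WP_DEBUG_LOG is on) is what detection keys on.
    error_log( sprintf(
        'ajax-get_the-guard ip=%s user=%d action=%s hits=%s',
        $ip,
        get_current_user_id(),
        $action,
        implode( ';', $hits )
    ) );

    // Virtual patch (assumption: no legitimate anonymous AJAX call names a
    // get_the_* function). Logged-out callers are blocked; logged-in callers
    // are logged only, so admin-side tooling keeps working.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
// Priority 0 on 'init' runs before any wp_ajax_* handler is dispatched.
add_action( 'init', 'agtg_inspect_ajax_request', 0 );
```

To verify it is active, send a harmless request while logged out, for example a POST to admin-ajax.php with action=heartbeat and an extra parameter x=get_the_title: the response should be a 403 and one ajax-get_the-guard line should appear in the PHP error log, which is the line to forward to your SIEM. This is a blunt control; if a legitimate plugin on the site does send such values, narrow the regex or the actions it applies to rather than disabling it, and remove it once the plugin is updated past 2.0.12.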
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

