CVE-2025-6437: 
WordPress vulnerability analysis and mitigation

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-6437) discovered in July 2025. The vulnerability affects all versions up to and including 4.89. This security issue was identified and reported by Wordfence (Wordfence Advisory).

The vulnerability is classified as a SQL Injection (CWE-89) that exists in the 'oid' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation. The vulnerability has received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD Database).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. The CVSS score indicates high confidentiality impact, while integrity and availability remain unaffected (NVD Database).

Users of the Ads Pro Plugin should immediately update to a version newer than 4.89 if available. Until an update is applied, it is recommended to implement additional security measures such as web application firewalls and limiting access to the affected parameter (CodeCanyon Product).