CVE-2025-4380
WordPress · WordPress Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager
Executive summary
A high-severity Local File Inclusion (LFI) vulnerability in the Ads Pro Plugin for WordPress allows unauthenticated attackers to read sensitive files from the underlying server, potentially leading to a full system compromise.
Vulnerability
The plugin is vulnerable to Local File Inclusion in all versions up to and including 4.0. This flaw allows an unauthenticated attacker to include and read arbitrary files from the server's local file system, which can lead to the exposure of sensitive configuration files like wp-config.php.
Business impact
A successful exploit could lead to the exposure of highly sensitive information, including database credentials, application source code, and system user data. With a CVSS score of 8.1 (High), this vulnerability poses a significant risk of further system compromise, potentially enabling attackers to gain deeper access to the network infrastructure and cause severe reputational damage.
Remediation
Immediate Action: Update the Ads Pro Plugin to the latest patched version as specified by the vendor to eliminate the vulnerability. If the plugin is not essential, disable or remove it entirely from your WordPress installation.
Proactive Monitoring: Monitor web server access logs for unusual requests containing file path traversal patterns (e.g., ../, ..%2f) directed at the plugin's endpoints. Review for any signs of unauthorized file access or reconnaissance activity.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion and directory traversal attack patterns as a virtual patch.
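As an added illustration of the log review described above (not part of this advisory), the following Python script parses Apache-style access-log lines, percent-decodes each request target repeatedly so that plain, URL-encoded and double-encoded traversal sequences are all caught, and flags requests aimed at the plugin's paths. The plugin directory name, endpoint and query parameter are placeholders, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Assumption: placeholder directory name for the plugin; the advisory does not name it.
PLUGIN_DIR = "ads-pro-plugin"

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Matches "../" or "..\" after decoding, so ../, ..%2f and double-encoded forms are treated alike.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed sample lines (not real traffic); endpoint and parameter names are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:01:12 +0000] "GET /wp-content/plugins/ads-pro-plugin/ajax.php?f=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2025:10:01:13 +0000] "GET /wp-content/plugins/ads-pro-plugin/ajax.php?f=..%2f..%2fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2025:10:01:14 +0000] "GET /wp-content/plugins/ads-pro-plugin/ajax.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/May/2025:10:02:00 +0000] "GET /wp-content/plugins/ads-pro-plugin/assets/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:10:02:01 +0000] "GET /about/../index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly until stable, so double-encoded traversal is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_lfi_probe(target, plugin_dir=PLUGIN_DIR):
    """True when a traversal sequence appears in a request aimed at the plugin's paths."""
    decoded = fully_decode(target)
    return plugin_dir in decoded.lower() and TRAVERSAL.search(decoded) is not None

def scan_log(text, plugin_dir=PLUGIN_DIR):
    """Return the parsed records that look like LFI/traversal probes against the plugin."""
    return [rec for rec in (parse_line(l) for l in text.splitlines())
            if rec and is_lfi_probe(rec["target"], plugin_dir)]
```

Running `scan_log(SAMPLE_LOG)` flags the three probes from 203.0.113.5 and ignores both the ordinary asset request and the traversal that is not aimed at the plugin.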
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity of this vulnerability and the ease of exploitation, immediate action is required. We strongly recommend that all administrators identify installations of the affected Ads Pro Plugin and apply the necessary updates without delay to prevent the potential compromise of the web server and its sensitive data.