A high-severity vulnerability has been identified in the "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager" plugin for WordPress. This flaw allows an unauthenticated attacker to steal sensitive information directly from the website's database, including user credentials and other confidential data. Immediate patching is required to prevent a potential data breach.

The vulnerability is a time-based blind SQL Injection. The application fails to properly sanitize user-supplied input to the ‘site_id’ parameter before using it in a database query. An unauthenticated attacker can send specially crafted requests containing malicious SQL commands (e.g., using SLEEP() or BENCHMARK() functions) and measure the server's response time to infer information from the database one character at a time, ultimately allowing for the exfiltration of sensitive data.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a complete compromise of the database's confidentiality. The primary business impacts include a significant data breach, leading to the theft of customer information, user credentials, and other proprietary data. This can result in severe reputational damage, loss of customer trust, and potential regulatory fines under data protection laws like GDPR or CCPA.

Immediate Action:

• Immediately update the "Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager" to the latest patched version provided by the vendor.
• If the plugin is not critical for business operations, consider deactivating and uninstalling it to completely remove the attack surface.
• Review WordPress security settings to ensure hardening best practices are in place.

Proactive Monitoring:

• Monitor web server access logs for unusual or repeated requests targeting the vulnerable parameter (‘site_id’), especially those with abnormally long response times.
• Analyze Web Application Firewall (WAF) logs for any alerts related to SQL injection attempts against the website.
• Enable and monitor database query logs for suspicious queries, particularly those containing time-delay functions like SLEEP() or BENCHMARK().

Compensating Controls:

• Deploy a properly configured Web Application Firewall (WAF) with rulesets designed to detect and block SQL injection attacks. This can provide a layer of defense if immediate patching is not feasible.
• Implement the principle of least privilege for the database user account associated with the WordPress application, limiting the data an attacker can access if the vulnerability is exploited.
• Ensure regular, automated backups of the website and database are being performed and stored securely offline.

Public Exploit Available: False

Given the high severity (CVSS 7.5) and the potential for unauthenticated data exfiltration, this vulnerability poses a significant risk to the organization. We strongly recommend that all WordPress sites using the affected plugin be patched immediately by updating to the latest version. Although this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its characteristics make it a prime candidate for future exploitation. Prioritize this remediation activity to prevent a potential data breach.