Skip to main content

Advanced Ads Tracking CVE-2025-59554

CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network-reachable SQLi in a WordPress plugin endpoint warrants AV:N/AC:L/PR:N/UI:N; scope change to shared wp_* DB yields S:C with full read (C:H), limited availability impact, no integrity impact per description.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:51 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in Advanced Ads - Tracking < 3.0.7 versions.

AnalysisAI

Unauthenticated SQL injection in the Advanced Ads - Tracking WordPress plugin versions prior to 3.0.7 allows remote attackers to inject arbitrary SQL into backend database queries without authentication. The CVSS 9.3 score with scope change (S:C) indicates the impact extends beyond the plugin to the underlying WordPress database, enabling data exfiltration and partial availability disruption. No public exploit identified at time of analysis, but the unauthenticated network-accessible nature makes this attractive for opportunistic scanning of WordPress installations.

Technical ContextAI

Advanced Ads - Tracking is a commercial add-on to the Advanced Ads WordPress plugin (developed by Advanced Ads GmbH) that records ad impressions and clicks, typically writing tracking events into the WordPress database via plugin-specific endpoints. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) indicates the plugin builds SQL queries by concatenating user-supplied input - likely tracking parameters such as ad IDs, referrer, or campaign identifiers - without using WordPress's $wpdb->prepare() parameterized statements or proper sanitization functions like esc_sql() or absint(). The CPE cpe:2.3:a:advanced_ads_gmbh:advanced_ads_-_tracking confirms the affected product, and the scope change (S:C) in the CVSS vector is consistent with a plugin-level flaw that pivots into the broader WordPress wp_* database tables shared across the installation.

RemediationAI

Upgrade the Advanced Ads - Tracking plugin to version 3.0.7 or later, which Patchstack identifies as the fixed release (Patch available per vendor advisory at https://patchstack.com/database/wordpress/plugin/advanced-ads-tracking/vulnerability/wordpress-advanced-ads-tracking-plugin-3-0-7-sql-injection-vulnerability). If immediate patching is not possible, deactivate and remove the Tracking add-on until it can be updated - note this disables ad performance metrics collection, which may impact campaign reporting. As a compensating control, deploy a WordPress-aware WAF (such as Wordfence, Patchstack's own mitigation, or ModSecurity with OWASP CRS) to filter SQL injection payloads on requests to wp-admin/admin-ajax.php and any plugin-specific tracking endpoints; this may produce false positives on legitimate tracking traffic. Audit wp_users and wp_options tables for unexpected modifications and rotate WordPress secret keys in wp-config.php if compromise is suspected.

Share

CVE-2025-59554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy