Advanced Ads Tracking
CVE-2025-59554
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable SQLi in a WordPress plugin endpoint warrants AV:N/AC:L/PR:N/UI:N; scope change to shared wp_* DB yields S:C with full read (C:H), limited availability impact, no integrity impact per description.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in Advanced Ads - Tracking < 3.0.7 versions.
AnalysisAI
Unauthenticated SQL injection in the Advanced Ads - Tracking WordPress plugin versions prior to 3.0.7 allows remote attackers to inject arbitrary SQL into backend database queries without authentication. The CVSS 9.3 score with scope change (S:C) indicates the impact extends beyond the plugin to the underlying WordPress database, enabling data exfiltration and partial availability disruption. No public exploit identified at time of analysis, but the unauthenticated network-accessible nature makes this attractive for opportunistic scanning of WordPress installations.
Technical ContextAI
Advanced Ads - Tracking is a commercial add-on to the Advanced Ads WordPress plugin (developed by Advanced Ads GmbH) that records ad impressions and clicks, typically writing tracking events into the WordPress database via plugin-specific endpoints. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) indicates the plugin builds SQL queries by concatenating user-supplied input - likely tracking parameters such as ad IDs, referrer, or campaign identifiers - without using WordPress's $wpdb->prepare() parameterized statements or proper sanitization functions like esc_sql() or absint(). The CPE cpe:2.3:a:advanced_ads_gmbh:advanced_ads_-_tracking confirms the affected product, and the scope change (S:C) in the CVSS vector is consistent with a plugin-level flaw that pivots into the broader WordPress wp_* database tables shared across the installation.
RemediationAI
Upgrade the Advanced Ads - Tracking plugin to version 3.0.7 or later, which Patchstack identifies as the fixed release (Patch available per vendor advisory at https://patchstack.com/database/wordpress/plugin/advanced-ads-tracking/vulnerability/wordpress-advanced-ads-tracking-plugin-3-0-7-sql-injection-vulnerability). If immediate patching is not possible, deactivate and remove the Tracking add-on until it can be updated - note this disables ad performance metrics collection, which may impact campaign reporting. As a compensating control, deploy a WordPress-aware WAF (such as Wordfence, Patchstack's own mitigation, or ModSecurity with OWASP CRS) to filter SQL injection payloads on requests to wp-admin/admin-ajax.php and any plugin-specific tracking endpoints; this may produce false positives on legitimate tracking traffic. Audit wp_users and wp_options tables for unexpected modifications and rotate WordPress secret keys in wp-config.php if compromise is suspected.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today