Skip to main content

AllInOne - Banner Rotator CVE-2025-60110

HIGH
SQL Injection (CWE-89)
2025-09-26 audit@patchstack.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 01:25 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:14 vuln.today
CVE Published
Sep 26, 2025 - 09:15 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator allows SQL Injection. This issue affects AllInOne - Banner Rotator: from n/a through 3.8.

AnalysisAI

SQL injection in AllInOne - Banner Rotator WordPress plugin (versions through 3.8) allows authenticated low-privilege users to execute arbitrary SQL queries with scope-changing impact on confidentiality and availability. The vulnerability requires only low-privilege authentication (PR:L) with network access and low attack complexity, enabling unauthorized database access and potential information disclosure from the WordPress installation. EPSS score of 0.03% (10th percentile) suggests low probability of mass exploitation, though the scope change (S:C) indicates impact beyond the vulnerable component. No public exploit identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-89 (SQL Injection), where user-supplied input is improperly sanitized before being incorporated into SQL queries within the AllInOne - Banner Rotator WordPress plugin. The plugin, developed by LambertGroup for managing rotating banner advertisements, fails to neutralize special SQL characters or use parameterized queries when processing authenticated user input. The CVSS vector S:C (Changed Scope) indicates the vulnerability affects resources beyond the plugin itself, likely enabling access to the broader WordPress database containing user credentials, posts, and site configuration. This is characteristic of WordPress plugin vulnerabilities where database privileges are shared across the application, allowing SQL injection in one component to access tables belonging to WordPress core or other plugins.

Affected ProductsAI

WordPress plugin AllInOne - Banner Rotator by LambertGroup, versions 3.8 and earlier. The vulnerability affects all installations of the plugin from unknown initial version through version 3.8. According to Patchstack vulnerability database reference, this plugin is distributed through the WordPress.org plugin repository. Site administrators running any version up to and including 3.8 should consider their installations vulnerable if the plugin is active and the WordPress site permits authenticated user access beyond administrator roles.

RemediationAI

Patchstack database indicates this vulnerability has been disclosed but the references do not specify a patched version number or confirm patch availability. Site administrators should immediately check for plugin updates beyond version 3.8 through the WordPress admin dashboard or the official WordPress.org plugin repository. If no update is available, implement the following compensating controls in priority order: (1) Restrict WordPress user registration to prevent untrusted user accounts from gaining the PR:L authentication required for exploitation, noting this prevents public user registration but maintains site functionality for existing users. (2) Remove or deactivate the AllInOne - Banner Rotator plugin if banner rotation is non-critical to site operation, which eliminates the attack surface entirely but removes banner management functionality. (3) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in requests to the plugin's endpoints, though this may generate false positives requiring tuning and does not address exploitation from already-authenticated sessions. (4) Monitor WordPress database query logs for anomalous SELECT statements with UNION, JOIN, or subquery patterns originating from low-privilege user sessions. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/all-in-one-bannerrotator/vulnerability/wordpress-allinone-banner-rotator-plugin-3-8-sql-injection-vulnerability for updated remediation guidance.

Share

CVE-2025-60110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy