
Adrotate Banner Manager

1 CVEs product


CVE-2026-12242 HIGH This Week

Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP WordPress RCE Code Injection Adrotate Banner Manager
NVD | CVSS 3.1: 8.8 | EPSS: 0.5%
