Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows SQL Injection.This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.
Published: 2025-09-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of special elements in an SQL command, a classic SQL injection flaw categorized as CWE-89. An attacker could supply crafted input that is concatenated directly into an SQL query, enabling them to read, modify, or delete data stored in the site's database. The impact includes potential exfiltration of sensitive information, alteration of content, or compromise of site integrity.

Affected Systems

LambertGroup AllInOne - Banner Rotator plugin, versions from the earliest release through 3.8, is affected. No additional version qualifiers were supplied.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity vulnerability. The EPSS score of <1% suggests that the likelihood of automated exploitation is currently very low, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to involve user-supplied input within the plugin, possibly requiring authenticated access, as the plugin processes form data used to configure banner rotations.

Generated by OpenCVE AI on April 30, 2026 at 00:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AllInOne - Banner Rotator plugin to a version newer than 3.8 once an official patch becomes available.
  • If an update is not immediately available, deactivate or uninstall the plugin to eliminate the attack surface.
  • Modify the plugin’s database interaction logic to use parameterized queries or stored procedures, ensuring that all user-supplied data is properly escaped or sanitized in accordance with best practices for preventing SQL injection.

Generated by OpenCVE AI on April 30, 2026 at 00:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31290 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator allows SQL Injection. This issue affects AllInOne - Banner Rotator: from n/a through 3.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator allows SQL Injection. This issue affects AllInOne - Banner Rotator: from n/a through 3.8. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows SQL Injection.This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator allows SQL Injection. This issue affects AllInOne - Banner Rotator: from n/a through 3.8.
Title WordPress AllInOne - Banner Rotator Plugin <= 3.8 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.839Z

Reserved: 2025-09-25T15:20:22.597Z

Link: CVE-2025-60110

cve-icon Vulnrichment

Updated: 2025-09-26T14:25:39.698Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:37.230

Modified: 2026-04-23T15:34:14.260

Link: CVE-2025-60110

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:15:23Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')