Description
The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AdRotate Banner Manager versions up to and including 5.17.7 allow PHP code injection through the 'banner' attribute of the adrotate shortcode. When W3 Total Cache or Borlabs Cache support is enabled in AdRotate's settings, the plugin renders the banner as a dynamic fragment: it concatenates the attribute value into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers, which the caching layer evaluates when it serves the page. Because the attribute is not validated or sanitized first, a user who can place the shortcode in content, which in WordPress includes the Contributor role, can break out of the intended expression and supply arbitrary PHP that executes on the server under the web server's PHP process. This affects the confidentiality, integrity and availability of the whole WordPress site (CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 8.8, High). Two preconditions apply: the attacker needs an authenticated account with Contributor-level access or higher, and the caching integration must already have been enabled by an administrator in AdRotate settings, since a Contributor cannot turn it on. No EPSS score is available and the CVE is not in CISA's KEV catalog, but neither fact lowers the severity of a low-complexity, no-user-interaction code execution flaw. Any site running one of those caching plugins together with a vulnerable AdRotate release should treat the plugin as a remote code execution path; how far an attacker gets beyond the site depends on the privileges of the PHP process and on any further escalation.
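To make the mechanism concrete, the following is an added illustrative reconstruction written for this page; it is not AdRotate's source code, which the page does not reproduce. It shows the vulnerable concatenation pattern the description identifies next to a hardened form. Assumptions: W3 Total Cache evaluates PHP between `<!--mfunc SECRET-->` and `<!--/mfunc SECRET-->` markers with the secret from `W3TC_DYNAMIC_SECURITY`, the callee `adrotate_ad()` and the function names are hypothetical, and WordPress helpers such as `absint()` are replaced by plain casts so the script runs stand-alone with the PHP CLI.

```php
<?php
// Illustrative reconstruction for this page; not AdRotate's source code.
// Assumed: W3 Total Cache evaluates PHP placed between <!--mfunc SECRET-->
// and <!--/mfunc SECRET--> when serving a cached page, with SECRET taken from
// the W3TC_DYNAMIC_SECURITY constant. adrotate_ad() is a hypothetical callee.
declare(strict_types=1);

const MFUNC_SECRET = 'example-secret';   // stands in for W3TC_DYNAMIC_SECURITY

function wrap_mfunc(string $code): string {
    return '<!--mfunc ' . MFUNC_SECRET . '-->' . $code . '<!--/mfunc ' . MFUNC_SECRET . '-->';
}

// Vulnerable pattern (CWE-94): the raw shortcode attribute is concatenated
// straight into PHP source, so whatever it contains is later executed.
function build_fragment_vulnerable(array $atts): string {
    $banner = (string) ($atts['banner'] ?? '');
    return wrap_mfunc('echo adrotate_ad(' . $banner . ');');
}

// Hardened form: a banner reference is a positive integer ID and nothing else.
// Validate against that shape first, then coerce, so no attacker-controlled
// bytes ever reach the code string. Returns null so the caller renders nothing.
function build_fragment_hardened(array $atts): ?string {
    $raw = (string) ($atts['banner'] ?? '');
    if (preg_match('/^[1-9][0-9]*$/', $raw) !== 1) {
        return null;
    }
    $banner = (int) $raw;                 // absint() in a real WordPress plugin
    return wrap_mfunc('echo adrotate_ad(' . $banner . ');');
}

// Constructed inputs: a normal ID, and a hostile attribute that closes the
// call and appends its own statement (a harmless echo here).
$benign  = ['banner' => '3'];
$hostile = ['banner' => "3); echo 'injected'; //"];

echo "vulnerable, benign : ", build_fragment_vulnerable($benign),  PHP_EOL;
echo "vulnerable, hostile: ", build_fragment_vulnerable($hostile), PHP_EOL;
echo "hardened,   benign : ", build_fragment_hardened($benign),    PHP_EOL;
echo "hardened,   hostile: ", var_export(build_fragment_hardened($hostile), true), PHP_EOL;
```

The point of the hostile input is the trailing `//`: it comments out the `);` the plugin appends, so the fragment the vulnerable function emits is syntactically valid PHP and the caching layer would evaluate the attacker's statement along with the intended call. The hardened function rejects it outright and only ever interpolates an integer.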

Affected Systems

AdRotate Banner Manager by adegans is the affected product. All releases up to and including 5.17.7 are vulnerable. The flaw resides in the adrotate shortcode implementation. WordPress sites running any 5.17.7 or older release of this plugin with W3 Total Cache or Borlabs Cache support enabled in the plugin settings are susceptible.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H gives a base score of 8.8 (High): reachable over the network, low attack complexity, no user interaction, and only low privileges required. No EPSS score has been published and the CVE is not in KEV; neither says anything about how easy exploitation is. The attacker needs an authenticated Contributor-level or higher account, and the target must have W3 Total Cache or Borlabs Cache support enabled in AdRotate settings; the payload is then simply a crafted banner attribute in a post that contains the adrotate shortcode. Successful exploitation yields arbitrary PHP execution on the server, enabling full compromise of the site and potentially of the underlying host. The SSVC assessment recorded in the history below rates Exploitation as none and Automatable as no at publication time, but Technical Impact as total.

Generated by OpenCVE AI on June 24, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AdRotate Banner Manager to a release newer than 5.17.7 as soon as the vendor publishes one; at the time this page was generated no fixed version is listed.
  • If an immediate update is not possible, disable W3 Total Cache and Borlabs Cache support in the AdRotate settings so the shortcode no longer emits a PHP fragment; this removes the vector but not the underlying flaw.
  • Review posts and pages that contain the adrotate shortcode, especially those authored by Contributor-level accounts, for banner attributes that are anything other than a plain numeric ID, and delete or correct them. Then purge the caching plugin's page cache so an already-stored fragment is not evaluated again.
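One way to carry out that content review, as an added example written for this page rather than code from the plugin or from OpenCVE: a scan over post rows that flags every adrotate shortcode whose banner attribute is not a bare positive integer. The row shape mimics the wp_posts columns and the sample rows are constructed; in a real review the rows would come from `$wpdb->get_results()` or a WP-CLI database query, and the regexes are assumptions about the shortcode's syntax.

```php
<?php
// Added audit helper for this page, not from the plugin. It flags every
// [adrotate ...] shortcode whose banner attribute is anything other than a
// bare positive integer. Rows are shaped like wp_posts columns; in a real
// review they would come from $wpdb->get_results() or a WP-CLI db query.
declare(strict_types=1);

function find_suspicious_adrotate_shortcodes(array $rows): array {
    // Shortcode body up to the closing bracket; quoted values may contain ']'.
    $shortcodeRe = '/\[adrotate\b((?:[^\]"\']|"[^"]*"|\'[^\']*\')*)\]/i';
    // banner attribute in double-quoted, single-quoted or bare form.
    $attrRe = '/\bbanner\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    $findings = [];

    foreach ($rows as $row) {
        if (preg_match_all($shortcodeRe, $row['post_content'], $hits, PREG_SET_ORDER) === 0) {
            continue;
        }
        foreach ($hits as $hit) {
            if (preg_match($attrRe, $hit[1], $attr) !== 1) {
                continue;                    // shortcode without a banner attribute
            }
            // Only one of the three capture groups participates; unmatched
            // trailing groups are absent from $attr, hence the null coalescing.
            $value = $attr[1] ?? '';
            if ($value === '') { $value = $attr[2] ?? ''; }
            if ($value === '') { $value = $attr[3] ?? ''; }
            if (preg_match('/^[1-9][0-9]*$/', $value) !== 1) {
                $findings[] = [
                    'ID'          => $row['ID'],
                    'post_author' => $row['post_author'],
                    'post_status' => $row['post_status'],
                    'shortcode'   => $hit[0],
                    'banner'      => $value,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows (not real site data).
$sampleRows = [
    ['ID' => 101, 'post_author' => 2, 'post_status' => 'publish',
     'post_content' => 'Intro text [adrotate banner="3"] more text'],
    ['ID' => 102, 'post_author' => 7, 'post_status' => 'pending',
     'post_content' => "Draft [adrotate banner=\"3); echo 'injected'; //\"] end"],
    ['ID' => 103, 'post_author' => 7, 'post_status' => 'draft',
     'post_content' => '[adrotate group=2] has no banner attribute'],
    ['ID' => 104, 'post_author' => 2, 'post_status' => 'publish',
     'post_content' => 'Bare form [adrotate banner=12] is fine'],
];

foreach (find_suspicious_adrotate_shortcodes($sampleRows) as $f) {
    printf("post %d (author %d, %s): %s\n",
        $f['ID'], $f['post_author'], $f['post_status'], $f['shortcode']);
}
```

On the constructed rows only post 102 is reported. Note that pending and draft posts matter as much as published ones here, because a Contributor's content is typically unpublished, and that the check is deliberately strict: a legitimate banner reference has no reason to contain anything but digits, so every other value deserves a look.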


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings.

Type: Title
Values Removed: (none)
Values Added: AdRotate Banner Manager <= 5.17.7 - Authenticated (Contributor+) PHP Code Injection via 'banner' Shortcode Attribute

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T13:05:32.102Z

Reserved: 2026-06-15T06:21:42.514Z

Link: CVE-2026-12242

Vulnrichment

Updated: 2026-06-24T13:05:21.448Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:30:17Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')