CVE-2025-60107
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist all-in-one-bannerWithPlaylist allows Blind SQL Injection. This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through <= 3.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in LambertGroup AllInOne Banner with Playlist WordPress plugin allows unauthenticated attackers to extract database contents.
The LambertGroup AllInOne Banner with Playlist WordPress plugin suffers from a blind SQL injection vulnerability due to improper neutralization of special elements used in SQL commands. This affects all versions up to and including 3.8, where unsanitized user input is incorporated into database queries [1].
Exploitation does not require authentication, as the vulnerable parameter is accessible to unauthenticated attackers. By crafting malicious input and observing application responses (such as timing delays or boolean page differences), an attacker can perform blind SQL injection to enumerate database structures and extract data [1].
The impact is severe: an attacker can retrieve sensitive information from the database, including user credentials and other private data. The CVSS v3 base score of 8.5 reflects the high risk, especially given that this type of vulnerability is frequently targeted in mass-exploit campaigns against thousands of WordPress sites [1].
As a mitigation, immediate update of the plugin is strongly recommended. If updating is not possible, administrators should contact their hosting provider or a web developer for assistance. The vulnerability is publicly disclosed with technical details available, making prompt action critical to prevent compromise [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.8
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.