CVE-2025-60110
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows SQL Injection. This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in LambertGroup AllInOne - Banner Rotator plugin (≤3.8) allows unauthenticated attackers to extract or manipulate the WordPress database.
Vulnerability
Overview
The LambertGroup AllInOne - Banner Rotator plugin for WordPress, versions up to and including 3.8, contains an SQL injection vulnerability due to improper neutralization of special elements used in an SQL command [1]. This flaw arises when user-supplied input is directly incorporated into database queries without adequate sanitization or parameterization, enabling an attacker to inject arbitrary SQL statements.
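The following is an added illustration of the defect class described above, not code from the AllInOne - Banner Rotator plugin and not the vulnerable code path of this CVE. It contrasts a WordPress database lookup that concatenates a request parameter into the SQL string with the same lookup written with `$wpdb->prepare()`. The table name `example_banners`, the `banner_id` and `category` parameters, and the function names are assumptions made for the example.

```php
<?php
// Added example (hypothetical plugin code). Shows the pattern from the
// overview: untrusted input concatenated into a query, beside the
// parameterized form WordPress provides through $wpdb->prepare().

// VULNERABLE pattern: the request parameter is placed straight into the
// SQL string, so a value containing quotes or operators changes the
// structure of the query rather than being compared as data.
function example_get_banner_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_banners'; // hypothetical table
    $id    = isset( $_GET['banner_id'] ) ? $_GET['banner_id'] : '';
    $sql   = "SELECT id, title, url FROM {$table} WHERE id = '" . $id . "'";
    return $wpdb->get_results( $sql );
}

// HARDENED version: cast to the type the column expects and let
// $wpdb->prepare() do the quoting. Any non-numeric value becomes 0 and
// the function returns nothing, so the query shape can never change.
function example_get_banner_safe() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_banners';
    $id    = isset( $_GET['banner_id'] ) ? absint( wp_unslash( $_GET['banner_id'] ) ) : 0;
    if ( 0 === $id ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT id, title, url FROM {$table} WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// String inputs follow the same rule: sanitize, then bind with %s.
// For LIKE patterns, $wpdb->esc_like() must be applied before binding so
// that '%' and '_' in the input are treated literally.
function example_get_banners_by_category_safe() {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_banners';
    $category = isset( $_GET['category'] ) ? sanitize_text_field( wp_unslash( $_GET['category'] ) ) : '';
    if ( '' === $category ) {
        return array();
    }
    $like = '%' . $wpdb->esc_like( $category ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title, url FROM {$table} WHERE category LIKE %s ORDER BY id DESC LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}
```

A review check that catches this class of bug in a plugin code base: grep for `$wpdb->query`, `get_results`, `get_var`, `get_row` and `get_col` calls whose SQL argument is built with `.` concatenation or `"{$var}"` interpolation of anything derived from `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE`, and require every such call to go through `$wpdb->prepare()` with `%d`, `%s` or `%f` placeholders. Handlers registered with `wp_ajax_nopriv_*` or exposed through REST routes with `permission_callback` returning true deserve the first look, since those are the paths reachable without authentication.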
Exploitation
Attackers can exploit this vulnerability without authentication, because the vulnerable parameter is reachable by unauthenticated users. The attack vector is network-based, and the low complexity of exploitation makes it attractive for mass campaigns targeting thousands of WordPress sites regardless of their size or popularity [1]. No special privileges or user interaction are needed.
Impact
Successful exploitation allows a malicious actor to directly interact with the underlying database. This includes the ability to read sensitive data (e.g., user credentials, personal information), modify or delete content, and potentially escalate privileges within the WordPress installation. The CVSS v3 base score of 8.5 (High) reflects the severe confidentiality, integrity, and availability impacts [1].
Mitigation
Updating the plugin to a patched version (beyond 3.8) is the recommended immediate action. If updating is not possible, site owners should consult their hosting provider or web developer for alternative protections, such as web application firewall rules. The vulnerability is known to be used in mass-exploit campaigns, so prompt action is critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.