cleantalk
Vulnerabilities and Security Researches

AdRotate Banner Manager – The only ad manager you'll need, CVE-2026-12242

CVE, Research URL

CVE-2026-12242

Home page URL

Security reports for AdRotate Banner Manager – The only ad manager you'll need

Application

AdRotate Banner Manager – The only ad manager you'll need

Published on
Jun 24, 2026
Research Description
The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings.
Affected versions
max 5.17.8.
Status
vulnerable
Previous vulnerability researches
Infility Global (CVE-2025-15268) , Feb 27, 2026
Infility Global (CVE-2024-12723) , Jan 29, 2025
Infility Global (CVE-2025-68864) , Jan 27, 2026
Infility Global (CVE-2025-68865) , Jan 10, 2026
Infility Global (CVE-2025-12968) , Jan 10, 2026
New vulnerability
Email JavaScript Cloak (CVE-2026-10091) , Jun 25, 2026
Advanced Contact Form 7 – Compact DB (CVE-2026-12094) , Jun 25, 2026
All-In-One Intranet (CVE-2026-54837) , Jun 25, 2026
MDTF – Meta Data and Taxonomies Filter (CVE-2026-54845) , Jun 25, 2026
MDTF – Meta Data and Taxonomies Filter (CVE-2026-54843) , Jun 25, 2026