Random Banner Security & Risk Analysis

wordpress.org/plugins/random-banner

Display random image, SWF, or script ads across your WordPress site with this powerful, customizable, and user-friendly Random Banner plugin.

1K active installs · v4.2.12 · PHP 7.0+ · WP 5.3+ · Updated Mar 15, 2026

Tags: ads-campaign, advertisement, banner, banner-ads, random-banner

Score: 54 (C · Use Caution)
CVEs total: 4
Unpatched: 2
Last CVE: Nov 28, 2024
Safety Verdict

Is Random Banner Safe to Use in 2026?

Use With Caution

Score 54/100

Random Banner has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

4 known CVEs · 2 unpatched · Last CVE: Nov 28, 2024 · Updated 2mo ago

Risk Assessment

The "random-banner" plugin exhibits a concerning security posture, primarily because of its extensive attack surface and its history of significant vulnerabilities. Static analysis found 18 AJAX handlers that lack authentication checks, which presents a significant risk of unauthorized actions. While the plugin does implement some nonce and capability checks, they are few relative to the number of unprotected entry points, which limits their effectiveness. The taint analysis found no critical or high-severity flows, but it is still concerning that every analyzed flow contained an unsanitized path, suggesting vulnerabilities that the current analysis may not have detected.

The vulnerability history is a major red flag. With 4 known CVEs, 2 of which are currently unpatched and one of which is a high-severity Cross-site Scripting vulnerability, the plugin has a proven track record of being exploitable. The recurrence of XSS as the common vulnerability type reinforces this concern. Although the plugin avoids dangerous functions and file operations and has a reasonable rate of prepared SQL statements and output escaping, these positives are heavily outweighed by the unprotected entry points and the recurring vulnerability history. The plugin's overall security is weak, and users should exercise extreme caution.

Key Concerns

  • 18 unprotected AJAX handlers
  • 2 unpatched CVEs
  • 1 high severity CVE
  • 3 medium severity CVEs
  • All 7 taint flows have unsanitized paths
  • Only 1 capability check for 18 unprotected AJAX handlers
  • Only 2 nonce checks for 18 unprotected AJAX handlers

Random Banner Security Vulnerabilities (4 published)

CVEs by Year

  • 2014: 1 CVE (patched)
  • 2022: 1 CVE (patched)
  • 2024: 2 CVEs (unpatched)

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2024-53787 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Random Banner <= 4.2.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
Nov 28, 2024 · Unpatched

CVE-2024-35645 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Random Banner <= 4.2.11 - Authenticated (Admin+) Stored Cross-Site Scripting
May 30, 2024 · Unpatched

CVE-2022-0210 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Random Banner <= 4.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Jan 14, 2022 · Patched in 4.1.5 (739d)

CVE-2014-4847 · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Random Banner < 2.0 - Cross-Site Scripting
Jun 29, 2014 · Patched in 2.0 (3495d)

Random Banner Code Analysis (analyzed Mar 16, 2026)

  • Dangerous Functions: 0
  • Raw SQL Queries: 9 (14 prepared)
  • Unescaped Output: 61 (204 escaped)
  • Nonce Checks: 2
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety: 61% prepared (23 total queries)

Output Escaping: 77% escaped (265 total outputs)

Data Flow Analysis (7 unsanitized)

7 flows, 7 with unsanitized paths

  • bc_get_random_banner_support (include\pages\support.php:8)

Random Banner Attack Surface (18 unprotected)

Entry Points: 19
Unprotected: 18

AJAX Handlers (18)

  • auth · wp_ajax_bc_rb_save_banner · include\ajax\request.php:12
  • nopriv · wp_ajax_bc_rb_save_banner · include\ajax\request.php:13
  • auth · wp_ajax_bc_rb_delete_banner · include\ajax\request.php:15
  • nopriv · wp_ajax_bc_rb_delete_banner · include\ajax\request.php:16
  • auth · wp_ajax_bc_rb_save_options · include\ajax\request.php:18
  • nopriv · wp_ajax_bc_rb_save_options · include\ajax\request.php:19
  • auth · wp_ajax_bc_rb_save_popup · include\ajax\request.php:21
  • nopriv · wp_ajax_bc_rb_save_popup · include\ajax\request.php:22
  • auth · wp_ajax_bc_rb_save_category · include\ajax\request.php:24
  • nopriv · wp_ajax_bc_rb_save_category · include\ajax\request.php:25
  • auth · wp_ajax_bc_rb_delete_category · include\ajax\request.php:27
  • nopriv · wp_ajax_bc_rb_delete_category · include\ajax\request.php:28
  • auth · wp_ajax_bc_rb_save_insert_post · include\ajax\request.php:30
  • auth · wp_ajax_noprivbc_rb_save_insert_post · include\ajax\request.php:31
  • auth · wp_ajax_bc_rb_donation_later · include\ajax\request.php:33
  • nopriv · wp_ajax_bc_rb_donation_later · include\ajax\request.php:34
  • auth · wp_ajax_bc_delete_dbs · include\ajax\request.php:36
  • nopriv · wp_ajax_bc_delete_dbs · include\ajax\request.php:37

Shortcodes (1)

  • [bc_random_banner] · include\controller\populate-content.php:450

WordPress Hooks (18)

  • filter · the_content · include\controller\populate-content.php:647
  • action · save_post · include\controller\populate-content.php:713
  • action · plugins_loaded · include\controller\populate-content.php:746
  • action · plugins_loaded · include\function\function.php:883
  • action · bc_rb_upgrade · include\update\upgrade.php:8
  • action · admin_menu · include\view\admin-setting.php:7
  • action · add_meta_boxes · include\view\admin-setting.php:947
  • action · wp_footer · include\view\admin-setting.php:1016
  • filter · bulk_actions-edit-post · include\view\admin-setting.php:1018
  • filter · bulk_actions-edit-page · include\view\admin-setting.php:1019
  • filter · handle_bulk_actions-edit-post · include\view\admin-setting.php:1035
  • filter · handle_bulk_actions-edit-page · include\view\admin-setting.php:1036
  • action · admin_notices · include\view\admin-setting.php:1062
  • action · widgets_init · include\widget\random-banner-widget.php:150
  • action · admin_init · install-uninstall.php:40
  • action · wp_enqueue_scripts · install-uninstall.php:69
  • action · admin_enqueue_scripts · install-uninstall.php:71
  • action · admin_init · install-uninstall.php:276

Random Banner Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 15, 2026
  • PHP min version: 7.0
  • Downloads: 120K

Community Trust

  • Rating: 92/100
  • Number of ratings: 52
  • Active installs: 1K

Random Banner Developer Profile

M A Vinoth Kumar

21 plugins · 4K total installs

  • Trust score: 68
  • Avg Security Score: 84/100
  • Avg Patch Time: 462 days

How We Detect Random Banner

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/random-banner/assets/script/bc_rb_global.js
  • /wp-content/plugins/random-banner/assets/style/bc_rb_global.css
  • /wp-content/plugins/random-banner/assets/style/animate.css
  • /wp-content/plugins/random-banner/assets/style/owl.carousel.css
  • /wp-content/plugins/random-banner/assets/script/owl.carousel.js
  • /wp-content/plugins/random-banner/assets/style/owl.theme.default.css
  • /wp-content/plugins/random-banner/assets/style/owl.transitions.css
  • /wp-content/plugins/random-banner/assets/style/style.css
  • +7 more

Script Paths
  • assets/script/bc_rb_global.js
  • assets/script/owl.carousel.js
  • assets/script/script.js
  • assets/script/bootstrap.js
  • assets/script/sweetalert.js
  • assets/script/moment.js

Version Parameters
  • ver=4.2.12

HTML / DOM Fingerprints

CSS Classes
  • bc_fed
  • alert-danger

HTML Comments
  • <!-- Notifications. -->
  • <!-- Global Script and Styles -->
  • <!-- Enqueue all CSS Files -->
  • <!-- Enqueue all JS Files -->
  • +4 more

Data Attributes
  • data-dismiss="alert"
  • aria-hidden="true"

JS Globals
  • vardatasweet_data