Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 25, 2026

CVE-2026-12242: AdRotate Banner Manager <= 5.17.7 Authenticated (Contributor+) PHP Code Injection via 'banner' Shortcode Attribute PoC, Patch Analysis & Rule

Plugin: adrotate
Severity: High (CVSS 8.8)
CWE: 94
Vulnerable Version: 5.17.7
Patched Version: 5.17.8
Disclosed: June 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-12242:

This vulnerability is a PHP Code Injection flaw in the AdRotate Banner Manager plugin for WordPress, all versions up to and including 5.17.7. It allows authenticated attackers with Contributor-level access and above to inject and execute arbitrary PHP code on the server. The vulnerability exists in the 'adrotate_shortcode' function, which processes the 'banner' attribute of the adrotate shortcode. The CVSS score is 8.8, indicating high severity. The exploit requires W3 Total Cache or Borlabs Cache support to be enabled within the AdRotate plugin settings.

The root cause is insufficient input validation and sanitization of the 'banner' attribute from the shortcode. In the vulnerable version, the function adrotate_shortcode() in /wp-content/plugins/adrotate/adrotate-output.php (line 265) directly takes the user-supplied value from $atts['banner'], trims whitespace characters, but does not enforce an integer type. When W3 Total Cache or Borlabs Cache is enabled, the plugin wraps the shortcode output in PHP code markers (the `<!-- mfunc ... -->` comment block for W3 Total Cache, as visible in the diff below, or similar markers for Borlabs Cache). The banner ID value is concatenated directly into a PHP code string within these markers, allowing a malicious user to break out of the intended context and inject arbitrary PHP code.

An attacker with at least Contributor-level permissions can craft a post or page containing the adrotate shortcode with a malicious 'banner' attribute. For example: [adrotate banner="1; system('id'); //"]. When the shortcode is processed, the banner value is placed inside the PHP code block generated for caching. If W3 Total Cache or Borlabs Cache support is enabled, the plugin executes the resulting PHP string as code, triggering the injected command. The attacker does not need to interact with any additional endpoints; the exploit occurs on post/page rendering.

The patch (diff shown below) adds input sanitization to the 'banner' attribute by wrapping the trimmed value with absint(), which converts the input to a non-negative integer. This ensures that only numeric values reach the code string, preventing any string-based injection. Additionally, the patch introduces a regex validation for the 'group' attribute to ensure it is a comma-separated list of digits, resetting it to 0 otherwise. These changes prevent the concatenation of non-numeric content into the PHP code string, effectively blocking the injection vector.

Successful exploitation leads to remote code execution (RCE) on the WordPress server. An attacker can execute arbitrary operating system commands, read or modify sensitive files, create backdoors, escalate privileges, or pivot to other internal systems. This represents a complete compromise of the web application and potentially the underlying server.
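The following is an added detection example, not Atomic Edge's rule or AdRotate's code: it scans post content for [adrotate ...] shortcodes whose 'banner' or 'group' attribute would fail the checks the 5.17.8 patch applies (integer-only banner, digit list for group), which is what a content audit or WAF rule on vulnerable sites would look for. The sample post body is constructed.

```python
import re

# Matches an [adrotate ...] shortcode and captures its attribute text.
# Assumption: attribute values do not themselves contain ']' (WordPress's own
# shortcode parser makes the same assumption for unquoted brackets).
SHORTCODE_RE = re.compile(r'\[adrotate\b([^\]]*)\]', re.IGNORECASE)
# name="value", name='value' or name=value
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''')
# Same shape the patch enforces on 'group': digits separated by commas.
GROUP_RE = re.compile(r'^[0-9]+(,[0-9]+)*$')
BANNER_RE = re.compile(r'^[0-9]+$')


def parse_attrs(attr_text):
    """Return {name: value} for the attributes in one shortcode."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        # Strip the same characters the plugin trims before using the value.
        attrs[name] = value.strip('\r\t ')
    return attrs


def find_suspicious_shortcodes(content):
    """Return (shortcode, reason) pairs for shortcodes the patched
    sanitization would reject; an empty list means nothing was flagged."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        banner = attrs.get('banner')
        group = attrs.get('group')
        if banner is not None and not BANNER_RE.match(banner):
            findings.append((m.group(0), 'non-numeric banner attribute'))
        if group is not None and not GROUP_RE.match(group):
            findings.append((m.group(0), 'group attribute is not a digit list'))
    return findings


# Constructed sample post body: two benign shortcodes and two that would
# have been concatenated unsanitized into the cache code block on 5.17.7.
SAMPLE_POST = (
    "<p>Intro</p>[adrotate banner=\"3\"] text [adrotate group=\"1,2,5\"] "
    "[adrotate banner=\"1; system('id'); //\"] "
    "[adrotate group='1,2;phpinfo()']"
)

if __name__ == "__main__":
    for shortcode, reason in find_suspicious_shortcodes(SAMPLE_POST):
        print(f"FLAGGED {reason}: {shortcode}")
```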

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/adrotate/adrotate-output.php
+++ b/adrotate/adrotate-output.php
@@ -262,13 +262,17 @@
 function adrotate_shortcode($atts, $content = null) {
 	global $adrotate_config;

-	$banner_id = (!empty($atts['banner'])) ? trim($atts['banner'], 'rt ') : 0;
-	$group_ids = (!empty($atts['group'])) ? trim($atts['group'], 'rt ') : 0;
+	$banner_id = (!empty($atts['banner'])) ? absint(trim($atts['banner'], 'rt ')) : 0;
+	$group_ids = (!empty($atts['group'])) ? strval(trim($atts['group'], 'rt ')) : 0;
 	if(!empty($atts['fallback'])) $fallback	= 0; // Not supported in free version
 	if(!empty($atts['weight']))	$weight	= 0; // Not supported in free version
 	if(!empty($atts['site'])) $site = 0; // Not supported in free version
 	if(!empty($atts['wrapper'])) $wrapper = 0; // Not supported in free version

+	if(!preg_match('/^d+(,d+)*$/', $group_ids)) {
+		$group_ids = intval(0);
+	}
+
 	$output = "";
 	if($adrotate_config['w3caching'] == 'Y') {
 		$output .= "<!-- mfunc ".W3TC_DYNAMIC_SECURITY." -->";
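Review bot: as rendered, the pattern in `if(!preg_match('/^d+(,d+)*$/', $group_ids))` only matches strings of the literal letter d, so every numeric group list would be rejected and reset to 0; the same hunk shows `trim($atts['banner'], 'rt ')`, which strips the letters r and t rather than carriage return and tab. Both look like backslashes lost in rendering (`/^\d+(,\d+)*$/` and `"\r\t "`), which is worth confirming against the shipped 5.17.8 file before relying on this diff for a rule. Minor: `$group_ids = intval(0);` is just `0`, and the `strval(...) : 0` ternary leaves `$group_ids` as either string or int; using the same default type on both branches would make the later check easier to reason about.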
--- a/adrotate/adrotate.php
+++ b/adrotate/adrotate.php
@@ -5,7 +5,7 @@
 Author: Arnan de Gans
 Author URI: https://www.arnan.me/
 Description: Everything you need to manage all your ads, banners and affiliate links while keeping things simple.
-Version: 5.17.7
+Version: 5.17.8
 License: GPLv3

 Text Domain: adrotate
