Plugin Vulnerability Hub
Plugin: 9 known issues. Latest disclosed: Aug 19, 2024

AdRotate Banner Manager Vulnerabilities

Review known vulnerability records for the WordPress plugin AdRotate Banner Manager (`adrotate`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2022-1206, CVE-2022-26366 and CVE-2022-0649, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 9
High or Critical: 7
Patch Coverage: 100%
Last Updated: Aug 20, 2024
Priority CVE Quick Links

Fast paths into AdRotate Banner Manager CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 9
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for AdRotate Banner Manager so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 9 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 2 critical and 5 high severity findings.
Recent CVEs: CVE-2022-1206, CVE-2022-26366 and CVE-2022-0649
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for AdRotate Banner Manager

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Severity: High | Patched: Yes | CVE-2022-1206
CVE-2022-1206: AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload

The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for a...

Published: Aug 19, 2024
Patched Release: 5.13.3
Affected Versions: Versions up to 5.13.2
Next Step: Update to 5.13.3 or newer if supported.
Plugin | Severity: High | Patched: Yes | CVE-2022-26366
CVE-2022-26366: AdRotate Banner Manager <= 5.9 - Cross-Site Request Forgery

The AdRotate Banner Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.9. This is due to missing or incorrect nonce validation on the adrotate_options() function. This makes it possible for unauthenticated attackers to inv...

Published: Nov 11, 2022
Patched Release: 5.9.1
Affected Versions: Versions up to 5.9
Next Step: Update to 5.9.1 or newer if supported.
Plugin | Severity: Medium | Patched: Yes | CVE-2022-0649
CVE-2022-0649: AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Group Names

The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Published: Apr 11, 2022
Patched Release: 5.8.23
Affected Versions: Versions before 5.8.23
Next Step: Update to 5.8.23 or newer if supported.
Plugin | Severity: Medium | Patched: Yes | CVE-2022-0662
CVE-2022-0662: AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Advert Names

The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Published: Apr 11, 2022
Patched Release: 5.8.23
Affected Versions: Versions before 5.8.23
Next Step: Update to 5.8.23 or newer if supported.
Plugin | Severity: High | Patched: Yes | CVE-2022-0267
CVE-2022-0267: AdRotate – Ad manager & AdSense Ads <= 5.8.17 - Admin+ SQL Injection

The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action parameter before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection.

Published: Feb 07, 2022
Patched Release: 5.8.22
Affected Versions: Versions up to 5.8.17
Next Step: Update to 5.8.22 or newer if supported.
Plugin | Severity: High | Patched: Yes | CVE-2021-24138
CVE-2021-24138: AdRotate < 5.8.4 - Authenticated SQL Injection

Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user.

Published: Jun 03, 2020
Patched Release: 5.8.4
Affected Versions: Versions before 5.8.4
Next Step: Update to 5.8.4 or newer if supported.
Plugin | Severity: High | Patched: Yes | CVE-2019-13570
CVE-2019-13570: AdRotate – Ad manager & AdSense Ads <= 5.2 - Authenticated SQL Injection

The AJdG AdRotate plugin before 5.3 for WordPress allows SQL Injection.

Published: Jul 11, 2019
Patched Release: 5.3
Affected Versions: Versions up to 5.2
Next Step: Update to 5.3 or newer if supported.
Plugin | Severity: Critical | Patched: Yes | CVE-2014-1854
CVE-2014-1854: AdRotate – Ad manager & AdSense Ads 3.9 - 3.9.4 - SQL Injection

The Ad manager & AdSense Ads plugin for WordPress is vulnerable to blind SQL Injection via the ‘track’ parameter in versions 3.9 to 3.9.4 in the free version and 3.9 to 3.9.5 in the premium version due to insufficient escaping on the user-supplied parameter and lack of sufficient prepar...

Published: Feb 22, 2014
Patched Release: 3.9.5
Affected Versions: 3.9 through 3.9.4
Next Step: Update to 3.9.5 or newer if supported.
Plugin | Severity: Critical | Patched: Yes | CVE-2011-4671
CVE-2011-4671: AdRotate – Ad manager & AdSense Ads < 3.6.8 - SQL Injection

SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter (aka redirect URL).

Published: Nov 08, 2011
Patched Release: 3.6.8
Affected Versions: Versions before 3.6.8
Next Step: Update to 3.6.8 or newer if supported.