Adrotate
by WordPress
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-1206 | AdRotate (WordPress plugin) | High | 0.40 | 7.2 | 0.01 | | Aug 20, 2024 | The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible… |
| CVE-2014-1854 | AdRotate (WordPress plugin) | | 0.03 | — | 0.05 | | Feb 27, 2014 | SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter. |
| CVE-2011-4671 | AdRotate (WordPress plugin) | | 0.03 | — | 0.03 | | Dec 2, 2011 | SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter (aka redirect URL). |
| CVE-2022-26366 | AdRotate (WordPress plugin) | | 0.00 | — | 0.00 | | Nov 30, 2022 | Cross-Site Request Forgery (CSRF) in AdRotate Banner Manager Plugin <= 5.9 on WordPress. |
| CVE-2022-0662 | AdRotate (WordPress plugin) | | 0.00 | — | 0.01 | | May 2, 2022 | The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2022-0649 | AdRotate (WordPress plugin) | | 0.00 | — | 0.01 | | May 2, 2022 | The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2022-0267 | AdRotate (WordPress plugin) | | 0.00 | — | 0.01 | | Mar 7, 2022 | The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action parameter before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection. |
| CVE-2021-24138 | AdRotate (WordPress plugin) | | 0.00 | — | 0.01 | | Mar 18, 2021 | Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to authenticated SQL injection via the "id" parameter. This requires an admin-privileged user. |
| CVE-2019-13570 | AdRotate (WordPress plugin) | | 0.00 | — | 0.01 | | Jul 23, 2019 | The AJdG AdRotate plugin before 5.3 for WordPress allows SQL Injection. |
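The highest-scored entry above (CVE-2022-1206) is an arbitrary file upload caused by a missing file-extension check in adrotate_insert_media(). The handler below is an added illustration of how a WordPress upload handler closes that class of bug; it is not AdRotate's code and does not reproduce the vulnerable function. The function name adrotate_example_insert_media, the nonce action 'adrotate_example_upload' and the form field name 'adrotate_file' are assumptions made for the example; wp_check_filetype_and_ext(), wp_handle_upload(), check_admin_referer(), current_user_can() and sanitize_file_name() are real WordPress core functions.

```php
<?php
// Added example, not AdRotate's code: an admin-side banner upload handler
// that validates the extension and content before the file is stored.
// Assumed names: adrotate_example_insert_media (this function),
// nonce action 'adrotate_example_upload', form field 'adrotate_file'.

function adrotate_example_insert_media() {
    // Refuse cross-site requests (the bug class of CVE-2022-26366) and
    // callers without the upload capability before touching the file.
    check_admin_referer( 'adrotate_example_upload' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( empty( $_FILES['adrotate_file'] )
        || UPLOAD_ERR_OK !== $_FILES['adrotate_file']['error'] ) {
        wp_die( 'No file uploaded.' );
    }

    // Allowlist: only the image formats an ad banner legitimately needs.
    // Anything not in this map (php, phtml, svg, html, ...) is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    $file         = $_FILES['adrotate_file'];
    $file['name'] = sanitize_file_name( $file['name'] );

    // Check the last extension against the allowlist AND the file's real
    // content: "banner.jpg.php" fails on extension, and a PHP payload
    // renamed to "banner.jpg" fails the content check.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        // Core detected a mismatched extension and proposes a corrected name.
        $file['name'] = $check['proper_filename'];
    }

    // Let core move the file; 'mimes' enforces the same allowlist again and
    // 'test_form' is false because this is not the media-library form.
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $allowed,
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }

    return $result['file']; // absolute path of the stored banner
}
```

The point of the double check is that an extension allowlist alone is still bypassable on servers that map multiple extensions to PHP, so the content check and the storage path both matter: keep uploads in a directory where script execution is disabled, and never derive the destination name from user input without sanitize_file_name(). When auditing a plugin for this class, grep for move_uploaded_file() calls that are not preceded by wp_check_filetype_and_ext() or wp_handle_upload().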