CVE-2022-1206

Name of the Vulnerable Software and Affected Versions The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress versions up to, and including, 5.13.2

Description The issue is related to arbitrary file uploads due to missing file extension sanitization in the adrotate insert media() function. This allows authenticated attackers with administrator-level access and above to upload arbitrary files with double extensions on the affected site's server, potentially making remote code execution possible. The exploitability of this issue is limited to select instances where the configuration will execute the first extension present.

Recommendations For versions up to, and including, 5.13.2, consider disabling the adrotate insert media() function until a patch is available to prevent arbitrary file uploads. Restrict access to the affected plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.