PLUGIN SECURITY
Is Adrotate safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Adrotate WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
adrotate - Requires PHP: 8.0+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- AdRotate Banner Manager [adrotate] < 5.8.23 [CVE-2022-0267, AdRotate < 5.8.22 - Admin+ SQL Injection, AdRotate – Ad manager & AdSense Ads <= 5.8.17 - Admin+ SQL Injection]
- AdRotate Banner Manager [adrotate] < 5.8.4 [CVE-2021-24138, AdRotate < 5.8.4 - Authenticated SQL Injection, AdRotate < 5.8.4 - Authenticated SQL Injection]
- AdRotate Banner Manager [adrotate] < 5.3 [CVE-2019-13570, WordPress AdRotate Banner Manager plugin <= 5.2 - Authenticated SQL Injection (SQLi) vulnerability, AdRotate Banner Manager <= 5.2 - Authenticated SQL Injection, AdRotate – Ad manager & AdSense Ads <= 5.2 - Authenticated SQL Injection]
- AdRotate Banner Manager [adrotate] >= 3.9 - <= 3.9.4 [CVE-2014-1854, WordPress AdRotate Plugin 3.9.4 - SQL Injection, AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection, AdRotate – Ad manager & AdSense Ads 3.9 - 3.9.4 - SQL Injection]
- AdRotate Banner Manager [adrotate] < 3.6.8 [CVE-2011-4671, WordPress AdRotate Plugin <= 3.6.5 - SQL Injection, AdRotate <= 3.6.5 - SQL Injection, AdRotate <= 3.6.6 - SQL Injection, AdRotate – Ad manager & AdSense Ads < 3.6.8 - SQL Injection]
+ 6 more known vulnerabilities
- AdRotate Banner Manager [adrotate] < 5.8.23 [CVE-2022-0649, WordPress Adrotate plugin <= 5.8.22 - Cross-Site Scripting (XSS) vulnerability, Adrotate < 5.8.23 - Admin+ XSS via Group Name, AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Group Names]
- AdRotate Banner Manager [adrotate] < 5.8.23 [CVE-2022-0662, WordPress Adrotate plugin <= 5.8.22 - Cross-Site Scripting (XSS) vulnerability, Adrotate < 5.8.23 - Admin+ XSS via Advert Name, AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Advert Names]
- AdRotate Banner Manager [adrotate] < 5.8.4 [WordPress AdRotate plugin <= 5.8.3 - Authenticated SQL Injection (SQLi) vulnerability]
- AdRotate Banner Manager [adrotate] < 5.9.1 [CVE-2022-26366, WordPress AdRotate Banner Manager plugin <= 5.9 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities, AdRotate Banner Manager <= 5.9 - Cross-Site Request Forgery, AdRotate Banner Manager < 5.9.1 - Password Change via CSRF]
- AdRotate Banner Manager [adrotate] < 5.13.3 [CVE-2022-1206, WordPress AdRotate Plugin <= 5.13.2 is vulnerable to Arbitrary File Upload, AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload]
- AdRotate Banner Manager [adrotate] < 5.17.8 [CVE-2026-12242, AdRotate Banner Manager <= 5.17.7 - Authenticated (Contributor+) PHP Code Injection via 'banner' Shortcode Attribute, WordPress AdRotate Banner Manager Plugin <= 5.17.7 is vulnerable to a medium priority Arbitrary Code Execution]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Google for WooCommerce — 800000+ active installs
- Ad Inserter – Ad Manager & AdSense Ads — 300000+ active installs — max PHP 8.4
- Head, Footer and Post Injections — 200000+ active installs — max PHP 8.4
- Ads.txt Manager — 100000+ active installs
- Advanced Ads – Ad Manager & AdSense — 100000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.