WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Adrotate safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Adrotate WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: adrotate
  • Requires PHP: 8.0+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • AdRotate Banner Manager [adrotate] < 5.8.23 [CVE-2022-0267, AdRotate &lt; 5.8.22 - Admin+ SQL Injection, AdRotate – Ad manager & AdSense Ads <= 5.8.17 - Admin+ SQL Injection]
  • AdRotate Banner Manager [adrotate] < 5.8.4 [CVE-2021-24138, AdRotate &lt; 5.8.4 - Authenticated SQL Injection, AdRotate < 5.8.4 - Authenticated SQL Injection]
  • AdRotate Banner Manager [adrotate] < 5.3 [CVE-2019-13570, WordPress AdRotate Banner Manager plugin <= 5.2 - Authenticated SQL Injection (SQLi) vulnerability, AdRotate Banner Manager &lt;= 5.2 - Authenticated SQL Injection, AdRotate – Ad manager & AdSense Ads <= 5.2 - Authenticated SQL Injection]
  • AdRotate Banner Manager [adrotate] >= 3.9 - <= 3.9.4 [CVE-2014-1854, WordPress AdRotate Plugin 3.9.4 - SQL Injection, AdRotate &lt;= 3.9.4 - clicktracker.php track Parameter SQL Injection, AdRotate – Ad manager & AdSense Ads 3.9 - 3.9.4 - SQL Injection]
  • AdRotate Banner Manager [adrotate] < 3.6.8 [CVE-2011-4671, WordPress AdRotate Plugin <= 3.6.5 - SQL Injection, AdRotate &lt;= 3.6.5 - SQL Injection, AdRotate &lt;= 3.6.6 - SQL Injection, AdRotate – Ad manager & AdSense Ads < 3.6.8 - SQL Injection]
+ 6 more known vulnerabilities
  • AdRotate Banner Manager [adrotate] < 5.8.23 [CVE-2022-0649, WordPress Adrotate plugin <= 5.8.22 - Cross-Site Scripting (XSS) vulnerability, Adrotate &lt; 5.8.23 - Admin+ XSS via Group Name, AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Group Names]
  • AdRotate Banner Manager [adrotate] < 5.8.23 [CVE-2022-0662, WordPress Adrotate plugin <= 5.8.22 - Cross-Site Scripting (XSS) vulnerability, Adrotate &lt; 5.8.23 - Admin+ XSS via Advert Name, AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Advert Names]
  • AdRotate Banner Manager [adrotate] < 5.8.4 [WordPress AdRotate plugin <= 5.8.3 - Authenticated SQL Injection (SQLi) vulnerability]
  • AdRotate Banner Manager [adrotate] < 5.9.1 [CVE-2022-26366, WordPress AdRotate Banner Manager plugin <= 5.9 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities, AdRotate Banner Manager <= 5.9 - Cross-Site Request Forgery, AdRotate Banner Manager &lt; 5.9.1 - Password Change via CSRF]
  • AdRotate Banner Manager [adrotate] < 5.13.3 [CVE-2022-1206, WordPress AdRotate Plugin <= 5.13.2 is vulnerable to Arbitrary File Upload, AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload]
  • AdRotate Banner Manager [adrotate] < 5.17.8 [CVE-2026-12242, AdRotate Banner Manager <= 5.17.7 - Authenticated (Contributor+) PHP Code Injection via 'banner' Shortcode Attribute, WordPress AdRotate Banner Manager Plugin <= 5.17.7 is vulnerable to a medium priority Arbitrary Code Execution]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.