CVE-2022-1206: 
WordPress vulnerability analysis and mitigation

The AdRotate Banner Manager plugin for WordPress (versions up to and including 5.13.2) contains an arbitrary file upload vulnerability (CVE-2022-1206). The vulnerability exists due to missing file extension sanitization in the adrotateinsertmedia() function. This security flaw was discovered in August 2024 and affects the plugin that provides ad management functionality for WordPress sites (NVD).

The vulnerability stems from improper file extension sanitization in the adrotateinsertmedia() function. This makes it possible for authenticated attackers with administrator-level access to upload arbitrary files with double extensions on the affected site's server. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability (NVD).

The vulnerability could enable remote code execution on affected systems when exploited successfully. This is only possible in specific instances where the server configuration will execute the first extension present in double-extension files. Given the requirement for administrator-level access, the impact is somewhat limited but still significant for compromised admin accounts (NVD).

Users should upgrade to a version newer than 5.13.2 of the AdRotate Banner Manager plugin. For systems that cannot be immediately updated, administrators should carefully monitor and restrict access to administrator accounts (NVD).