CVE-2022-26366: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the AdRotate Banner Manager WordPress Plugin versions 5.9 and below. The vulnerability was identified on November 11, 2022, and was assigned CVE-2022-26366. The issue affects the plugin's functionality, potentially allowing attackers to execute unwanted actions under authenticated users' privileges (Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue, identified as CWE-352. According to the National Vulnerability Database, it received a CVSS v3.1 base score of 8.8 (HIGH) from NIST and 5.4 (MEDIUM) from Patchstack. The vulnerability exists due to the absence of CSRF checks in certain areas of the plugin, which could allow attackers to make logged administrators perform unintended actions (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. One specific impact noted is the potential for attackers to make a logged admin change their password through CSRF attacks (WPScan).

The vulnerability has been fixed in version 5.9.1 of the AdRotate Banner Manager plugin. Users are advised to update to version 5.9.1 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).