CVE-2022-1206
AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File UploadThe AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
We have discovered 5,239 live websites that are affected by CVE-2022-1206.
Affected Software
| Product |  AdRotate for WordPress |
| Category | Wordpress Plugins |
| Vulnerable Domains | 5,239 live websites (31% of AdRotate for WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 202 versions ( 82% of all versions) |
Common Weakness Enumeration
CWE-434 Unrestricted Upload of File with Dangerous TypeDetails
- Published - Aug 20, 2024
- Updated - Apr 8, 2026
Credits
- Jörg Steinsträter (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2022-1206 United States | 1,832 websites |
 Germany | 484 websites |
 Italy | 330 websites |
 France | 247 websites |
 Russia | 210 websites |
 Japan | 186 websites |
 GB | 177 websites |
 Brazil | 165 websites |
 Poland | 139 websites |
 Canada | 126 websites |
Website Distribution by TLD
Number of websites using CVE-2022-1206| .com | 2,257 websites |
| .it | 269 websites |
| .de | 241 websites |
| .org | 220 websites |
| .net | 190 websites |
| .ru | 162 websites |
| .com.br | 146 websites |
| .pl | 114 websites |
| .co.uk | 104 websites |
| .info | 80 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2022-1206
Top websites that are affected by CVE-2022-1206. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.de | Germany | **,*** | |
| *********.com | United States | **,*** | |
| ***************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| ********.com | France | **,*** | |
| *********.org | United States | **,*** | |
| ******************.com | United States | **,*** | |
| ********.com | United States | **,*** | |
| ******************.com | United States | **,*** | |
| *********.*****.media | Russia | **,*** |
FAQ
CVE-2022-1206 is Unrestricted Upload of File with Dangerous Type in AdRotate for WordPress
A total of 5,239 websites have been identified as vulnerable to CVE-2022-1206, based on global website indexing conducted by WebTechSurvey.
The AdRotate for WordPress is affected by the CVE-2022-1206 vulnerability.
AdRotate for WordPress versions up to and including 5.13.2 are vulnerable to CVE-2022-1206.