CVE-2022-1206
AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File UploadThe AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
We have discovered 9,659 live websites that are affected by CVE-2022-1206.
Affected Software
| Product |  AdRotate for WordPress |
| Category | Wordpress Plugins |
| Vulnerable Domains | 9,659 live websites (46.78% of AdRotate for WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 229 versions ( 88.08% of all versions) |
Common Weakness Enumeration
CWE-434 Unrestricted Upload of File with Dangerous TypeDetails
- Published - Aug 20, 2024
- Updated - Sep 13, 2024
Credits
- Jörg Steinsträter (finder)
CWE
CVE References
CWE References
CVE-2022-1206 usage by Country
 United States | 4,174 websites |
 Germany | 895 websites |
 Japan | 470 websites |
 France | 410 websites |
 Italy | 367 websites |
 Russia | 331 websites |
 GB | 267 websites |
 Brazil | 260 websites |
 Poland | 242 websites |
 Spain | 164 websites |
CVE-2022-1206 usage by TLD
| .com | 4,458 websites |
| .de | 396 websites |
| .net | 383 websites |
| .org | 356 websites |
| .com.br | 334 websites |
| .it | 326 websites |
| .ru | 284 websites |
| .pl | 210 websites |
| .co.uk | 165 websites |
| .ca | 145 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2022-1206
Top websites that are affected by CVE-2022-1206. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********************.com | United States | *,*** | |
| **************.se |  Sweden | **,*** | |
| *****************.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| *********.de | United States | **,*** | |
| *********.com | United States | **,*** | |
| ***************.com | United States | **,*** | |
| ***********.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| ********.com | France | **,*** |
FAQ
CVE-2022-1206 is Unrestricted Upload of File with Dangerous Type in AdRotate for WordPress
A total of 9,659 websites have been identified as vulnerable to CVE-2022-1206, discovered through global website indexing conducted by WebTechSurvey.
AdRotate for WordPress is susceptible to CVE-2022-1206 vulnerability.
AdRotate for WordPress versions before, and including, 5.13.2 are vulnerable to CVE-2022-1206.