CVE-2022-26366 – WordPress AdRotate Banner Manager Plugin <= 5.9 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-26366
Cross-Site Request Forgery (CSRF) in AdRotate Banner Manager Plugin <= 5.9 on WordPress. The AdRotate Banner Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.9. This is due to missing or incorrect nonce validation on the adrotate_options() function. This makes it possible for unauthenticated attackers to invoke these functions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Reference: https://patchstack.com/database/vulnerability/adrotate/wordpress-adrotate-banner-manager-plugin-5-9-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-0267 – AdRotate < 5.8.22 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-0267
The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action parameter before using it in a SQL statement via the adrotate_request_action function, which is available to admins, leading to a SQL injection.
Reference: https://wpscan.com/vulnerability/7df70f49-547f-4bdb-bf9b-2e06f93488c6
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')