AdRotate Banner Manager Security & Risk Analysis

wordpress.org/plugins/adrotate

Easily manage, and schedule ads on your WordPress site with AdRotate. Support for Google AdSense, Amazon, and custom banners. Start monetizing today!

20K active installs · v5.17.5 · PHP 8.0+ · WP 4.9+ · Updated Apr 7, 2026
Tags: ad-manager, ads, adsense, banner, monetize

Security score: 88 (A · Safe)
CVEs total: 9
Unpatched: 0
Last CVE: Aug 19, 2024
Safety Verdict

Is AdRotate Banner Manager Safe to Use in 2026?

Generally Safe

Score 88/100

AdRotate Banner Manager has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

9 known CVEs · Last CVE: Aug 19, 2024 · Updated 1mo ago
Risk Assessment

The AdRotate plugin v5.17.4 exhibits a mixed security posture. While it incorporates a reasonable number of capability checks and nonce checks, a significant concern arises from the attack surface analysis, which reveals 4 out of 5 entry points lack proper authentication. This, coupled with taint analysis indicating 2 high-severity flows with unsanitized paths, presents a substantial risk of unauthorized access and potential exploitation. The presence of the `unserialize` function is also a point of concern, as it can lead to object injection vulnerabilities if not handled with extreme care.

The plugin's vulnerability history is particularly troubling, with 9 known CVEs, including 2 critical and 5 high-severity ones. The recurring vulnerability types (Unrestricted Upload, CSRF, XSS, and SQL Injection) point to a pattern of insecure input handling and authorization bypasses. The fact that the most recent vulnerability is recent (August 19, 2024) indicates ongoing security issues that have not yet been comprehensively addressed. While there are currently no unpatched CVEs, the historical data and the code analysis findings paint a picture of a plugin that requires diligent monitoring and prompt updates.

In conclusion, AdRotate v5.17.4 has several critical weaknesses that outweigh its strengths. The large number of unprotected entry points and the historical trend of severe vulnerabilities are significant red flags. While some security measures are present, they are insufficient to mitigate the risks presented by the identified code signals and taint flows. Users should proceed with caution and prioritize keeping the plugin updated to the latest available secure version.

Key Concerns

  • 4 unprotected AJAX handlers
  • 2 high severity unsanitized taint flows
  • Use of unserialize function
  • Low percentage of prepared statements
  • Low percentage of properly escaped output
  • 9 total known CVEs
  • 2 critical historical CVEs
  • 5 high historical CVEs
  • Common vulnerability types (SQLi, XSS, CSRF)
Vulnerabilities (9 published)

AdRotate Banner Manager Security Vulnerabilities

CVEs by Year

  • 2011: 1 CVE
  • 2014: 1 CVE
  • 2019: 1 CVE
  • 2020: 1 CVE
  • 2022: 4 CVEs
  • 2024: 1 CVE

Severity Breakdown

  • Critical: 2
  • High: 5
  • Medium: 2

9 total CVEs

CVE-2022-1206 · High (7.2) · Unrestricted Upload of File with Dangerous Type

AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload

Aug 19, 2024 · Patched in 5.13.3 (2d)

CVE-2022-26366 · High (8.8) · Cross-Site Request Forgery (CSRF)

AdRotate Banner Manager <= 5.9 - Cross-Site Request Forgery

Nov 11, 2022 · Patched in 5.9.1 (438d)

CVE-2022-0649 · Medium (5.5) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Group Names

Apr 11, 2022 · Patched in 5.8.23 (652d)

CVE-2022-0662 · Medium (5.5) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AdRotate – Ad manager & AdSense Ads <= 5.8.22 - Authenticated Stored Cross-Site Scripting via Advert Names

Apr 11, 2022 · Patched in 5.8.23 (652d)

CVE-2022-0267 · High (7.2) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

AdRotate – Ad manager & AdSense Ads <= 5.8.17 - Admin+ SQL Injection

Feb 7, 2022 · Patched in 5.8.22 (715d)

CVE-2021-24138 · High (7.2) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

AdRotate < 5.8.4 - Authenticated SQL Injection

Jun 3, 2020 · Patched in 5.8.4 (1329d)

CVE-2019-13570 · High (7.2) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

AdRotate – Ad manager & AdSense Ads <= 5.2 - Authenticated SQL Injection

Jul 11, 2019 · Patched in 5.3 (1657d)

CVE-2014-1854 · Critical (9.8) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

AdRotate – Ad manager & AdSense Ads 3.9 - 3.9.4 - SQL Injection

Feb 22, 2014 · Patched in 3.9.5 (3622d)

CVE-2011-4671 · Critical (9.8) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

AdRotate – Ad manager & AdSense Ads < 3.6.8 - SQL Injection

Nov 8, 2011 · Patched in 3.6.8 (4459d)
Version History

AdRotate Banner Manager Release Timeline

v5.17.5 (current)
v5.17.4
v5.17.3
v5.17.2
v5.17.1
v5.17
v5.16.1
v5.16
v5.15.5
v5.15.4
v5.15.3
v5.15.2
v5.15.1
v5.15
v5.14.1
v5.14
v5.13.7
v5.13.6.1
v5.13.6
v5.13.5
Code Analysis (analyzed Mar 16, 2026)

AdRotate Banner Manager Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 102 (a further 59 are prepared)
  • Unescaped Output: 356 (a further 92 are escaped)
  • Nonce Checks: 12
  • Capability Checks: 18
  • File Operations: 9
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$data = unserialize($data);` (adrotate-admin-portability.php:47)

SQL Query Safety

37% prepared (161 total queries)

Output Escaping

21% escaped (448 total outputs)
Data Flows · Security (2 unsanitized)

Data Flow Analysis

5 flows, 2 with unsanitized paths

  • <adrotate-admin-functions> (adrotate-admin-functions.php:0)
Attack Surface (4 unprotected)

AdRotate Banner Manager Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers (4)

  • auth: wp_ajax_adrotate_impression (adrotate.php:72)
  • nopriv: wp_ajax_adrotate_impression (adrotate.php:73)
  • auth: wp_ajax_adrotate_click (adrotate.php:74)
  • nopriv: wp_ajax_adrotate_click (adrotate.php:75)

Shortcodes (1)

  • [adrotate] (adrotate.php:67)

WordPress Hooks (21)

  • action init (adrotate-block.php:23)
  • filter block_categories_all (adrotate-block.php:98)
  • action wp_head (adrotate-output.php:589)
  • action wp_footer (adrotate-output.php:591)
  • action adrotate_empty_trackerdata (adrotate.php:58)
  • action widgets_init (adrotate.php:59)
  • filter adrotate_apply_photon (adrotate.php:60)
  • action wp_head (adrotate.php:65)
  • action wp_enqueue_scripts (adrotate.php:66)
  • filter the_content (adrotate.php:68)
  • action admin_menu (adrotate.php:88)
  • action admin_enqueue_scripts (adrotate.php:89)
  • action admin_notices (adrotate.php:90)
  • filter plugin_row_meta (adrotate.php:91)
  • action init (adrotate.php:95)
  • action init (adrotate.php:96)
  • action init (adrotate.php:97)
  • action init (adrotate.php:98)
  • action init (adrotate.php:99)
  • action init (adrotate.php:100)
  • action init (adrotate.php:101)

Scheduled Events (2)

  • adrotate_empty_trackerdata
  • adrotate_empty_trackerdata
Maintenance & Trust

AdRotate Banner Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 7, 2026
PHP min version: 8.0
Downloads: 3.9M

Community Trust

Rating: 86/100
Number of ratings: 651
Active installs: 20K
Developer Profile

AdRotate Banner Manager Developer Profile

Arnan

6 plugins · 23K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 1353 days
Detection Fingerprints

How We Detect AdRotate Banner Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/adrotate/css/admin.css
  • /wp-content/plugins/adrotate/css/frontend.css
  • /wp-content/plugins/adrotate/js/adrotate.js
  • /wp-content/plugins/adrotate/js/jquery.cycle.all.js
  • /wp-content/plugins/adrotate/js/jquery.sticky-kit.min.js
  • /wp-content/plugins/adrotate/js/jquery.knob.min.js
  • /wp-content/plugins/adrotate/js/jquery.flot.min.js
  • /wp-content/plugins/adrotate/js/jquery.flot.pie.min.js
  • (and 1 more)

Script Paths

  • /wp-content/plugins/adrotate/js/adrotate.js
  • /wp-content/plugins/adrotate/js/jquery.cycle.all.js
  • /wp-content/plugins/adrotate/js/jquery.sticky-kit.min.js
  • /wp-content/plugins/adrotate/js/jquery.knob.min.js
  • /wp-content/plugins/adrotate/js/jquery.flot.min.js
  • /wp-content/plugins/adrotate/js/jquery.flot.pie.min.js
  • (and 1 more)

Version Parameters

  • adrotate/css/admin.css?ver=
  • adrotate/css/frontend.css?ver=
  • adrotate/js/adrotate.js?ver=
  • adrotate/js/jquery.cycle.all.js?ver=
  • adrotate/js/jquery.sticky-kit.min.js?ver=
  • adrotate/js/jquery.knob.min.js?ver=
  • adrotate/js/jquery.flot.min.js?ver=
  • adrotate/js/jquery.flot.pie.min.js?ver=
  • adrotate/js/adrotate_feedback.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • adrotate-widget
  • adrotate-ad
  • adrotate-slider
  • adrotate-banner
  • adrotate-group
  • adrotate-stats-overview
  • adrotate-graph
  • adrotate-advert
  • (and 2 more)

HTML Comments

  • <!-- AdRotate - START -->
  • <!-- AdRotate - END -->
  • <!-- AdRotate Ad ID:
  • <!-- AdRotate Group ID:
  • (and 3 more)

Data Attributes

  • data-adrotate-id
  • data-adrotate-group
  • data-adrotate-schedule
  • data-adrotate-media
  • data-adrotate-settings

JS Globals

  • adrotate
  • adrotate_feedback
  • adrotate_charts

Shortcode Output

  • [adrotate
  • [adrotate group=
  • [adrotate banner=
  • [adrotate schedule=
FAQ

Frequently Asked Questions about AdRotate Banner Manager