Ad Inserter – Ad Manager & AdSense Ads Security & Risk Analysis

wordpress.org/plugins/ad-inserter

Manage Google AdSense ads, banners, ad rotation, sticky widgets, AMP ads, ads.txt, tracking, header and footer code, PHP code, global custom fields

300K active installs · v2.8.12 · PHP 7.4+ · WP 5.0+ · Updated Feb 28, 2026
Tags: ad-manager, ad-rotation, ads, adsense, amp
Score: 88 (A · Safe)
CVEs total: 12
Unpatched: 0
Last CVE: Nov 4, 2025
Safety Verdict

Is Ad Inserter – Ad Manager & AdSense Ads Safe to Use in 2026?

Generally Safe

Score 88/100

Ad Inserter – Ad Manager & AdSense Ads has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Nov 4, 2025 · Updated 1mo ago
Risk Assessment

Ad-Inserter version 2.8.12 presents a mixed security posture. While the static analysis reveals a remarkably small attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events, several code signals raise significant concerns. The presence of the `unserialize` function is a critical red flag, as it's notoriously dangerous when handling untrusted input and has been a common vector for deserialization vulnerabilities. Furthermore, a very low percentage (7%) of output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis supports this, showing 4 flows with unsanitized paths and 2 high-severity issues, likely stemming from the lack of proper output escaping and the potential for unsanitized input to reach dangerous functions.

The plugin's vulnerability history is particularly concerning, with a total of 12 known CVEs. The fact that there are currently no unpatched vulnerabilities is a positive sign, but the history reveals a pattern of High and Medium severity issues including XSS, Missing Authorization, Deserialization of Untrusted Data, Code Injection, Path Traversal, and CSRF. This historical pattern, coupled with the current code signals like `unserialize` and poor output escaping, suggests a recurring tendency to introduce or fail to adequately mitigate vulnerabilities related to input sanitization and authorization.

In conclusion, while Ad-Inserter's limited attack surface is a strength, the significant presence of dangerous functions like `unserialize`, the alarmingly low output escaping rate, and the plugin's extensive history of diverse and severe vulnerabilities create a substantial risk. The 2 high-severity taint flows and the potential for deserialization attacks due to `unserialize` are critical areas of concern that outweigh the otherwise controlled entry points. Users should exercise extreme caution and ensure they are on the absolute latest, patched version, though even then, the inherent risks in the codebase remain.

Key Concerns

  • Dangerous function `unserialize` present
  • Low output escaping percentage (7%)
  • High severity taint flows (2)
  • Unsanitized paths in taint flows (4)
  • High number of known CVEs (12)
  • History of high severity CVEs (5)
  • History of medium severity CVEs (7)
Vulnerabilities (12)

Ad Inserter – Ad Manager & AdSense Ads Security Vulnerabilities

CVEs by Year

  • 2015: 2 CVEs
  • 2019: 2 CVEs
  • 2022: 2 CVEs
  • 2023: 3 CVEs
  • 2024: 1 CVE
  • 2025: 2 CVEs

Severity Breakdown

  • High: 5
  • Medium: 7

12 total CVEs

CVE-2025-11745 · medium · 6.4 · Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Ad Inserter <= 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

Nov 4, 2025 Patched in 2.8.8 (1d)
CVE-2025-22623 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ad Inserter - Ad Manager and AdSense Ads <= 2.8.0 - Reflected Cross-Site Scripting

Mar 5, 2025 Patched in 2.8.1 (10d)
CVE-2024-49248 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ad Inserter <= 2.7.37 - Reflected Cross-Site Scripting

Oct 14, 2024 Patched in 2.7.38 (5d)
CVE-2023-4645 · medium · 5.3 · Missing Authorization

Ad Inserter <= 2.7.30 - Unauthenticated Sensitive Information Exposure via ai_ajax

Sep 22, 2023 Patched in 2.7.31 (123d)
CVE-2023-4668 · medium · 5.3 · Missing Authorization

Ad Inserter <= 2.7.30 - Unauthenticated Sensitive Information Exposure via ai-debug-processing-fe

Sep 22, 2023 Patched in 2.7.31 (123d)
CVE-2023-1549 · high · 7.2 · Deserialization of Untrusted Data

Ad Inserter <= 2.7.25 - Authenticated (Admin+) PHP Object Injection

Apr 19, 2023 Patched in 2.7.26 (279d)
WF-a596c9c4-ceb4-470c-8ad5-986cd62da91e-ad-inserter · high · 7.2 · Improper Control of Generation of Code ('Code Injection')

Ad Inserter < 2.7.11 - Authenticated (Admin+) Remote Code Execution

Feb 3, 2022 Patched in 2.7.11 (719d)
CVE-2022-0288 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ad Inserter <= 2.7.9 - Reflected Cross-Site Scripting

Jan 24, 2022 Patched in 2.7.10 (729d)
CVE-2019-15324 · high · 8.8 · Improper Control of Generation of Code ('Code Injection')

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

Jul 15, 2019 Patched in 2.4.22 (1653d)
CVE-2019-15323 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Ad Inserter <= 2.4.19 - Authenticated Path Traversal

Jul 12, 2019 Patched in 2.4.20 (1656d)
WF-427c29e6-9bbe-4094-a2a2-46945525f5b3-ad-inserter · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ad Inserter <= 1.5.5 - Cross-Site Request Forgery to Cross-Site Scripting

Aug 13, 2015 Patched in 1.5.6 (3085d)
CVE-2015-9497 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Ad Inserter – Ad Manager & AdSense Ads < 1.5.3 - Cross-Site Request Forgery to Cross-Site Scripting

May 2, 2015 Patched in 1.5.3 (3188d)
Code Analysis
Analyzed Mar 16, 2026

Ad Inserter – Ad Manager & AdSense Ads Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 1 (8 prepared)
  • Unescaped Output: 1049 (83 escaped)
  • Nonce Checks: 1
  • Capability Checks: 3
  • File Operations: 18
  • External Requests: 1
  • Bundled Libraries: 2

Dangerous Functions Found

`unserialize`: `$used_blocks = unserialize ($ai_db_options_extract [AI_EXTRACT_USED_BLOCKS]);` (settings.php:221)

Bundled Libraries

Guzzle, jQuery

SQL Query Safety

89% prepared · 9 total queries

Output Escaping

7% escaped · 1132 total outputs
Data Flows (4 unsanitized)

Data Flow Analysis

6 flows · 4 with unsanitized paths
generate_settings_form (settings.php:10)
Attack Surface

Ad Inserter – Ad Manager & AdSense Ads Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 20
  • action · after_switch_theme · includes\dst\dst.php:257
  • action · switch_theme · includes\dst\dst.php:258
  • action · customize_save_after · includes\dst\dst.php:259
  • action · init · includes\dst\dst.php:269
  • filter · cron_schedules · includes\dst\dst.php:293
  • action · admin_init · includes\dst\dst.php:297
  • action · admin_init · includes\dst\dst.php:300
  • action · admin_notices · includes\dst\dst.php:301
  • action · network_admin_notices · includes\dst\dst.php:302
  • action · admin_footer · includes\dst\dst.php:303
  • action · upgrader_process_complete · includes\dst\dst.php:306
  • action · admin_footer-plugins.php · includes\dst\dst.php:310
  • action · media_buttons · includes\editor.php:46
  • filter · mce_buttons · includes\editor.php:48
  • filter · mce_buttons_2 · includes\editor.php:49
  • filter · wp_default_editor · includes\editor.php:50
  • action · media_buttons · includes\preview-adb.php:51
  • filter · mce_buttons · includes\preview-adb.php:53
  • filter · mce_buttons_2 · includes\preview-adb.php:54
  • filter · wp_default_editor · includes\preview-adb.php:342
Maintenance & Trust

Ad Inserter – Ad Manager & AdSense Ads Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 28, 2026
  • PHP min version: 7.4
  • Downloads: 18.4M

Community Trust

  • Rating: 98/100
  • Number of ratings: 2,415
  • Active installs: 300K
Developer Profile

Ad Inserter – Ad Manager & AdSense Ads Developer Profile

Spacetime

1 plugin · 300K total installs

  • Trust score: 71
  • Avg Security Score: 88/100
  • Avg Patch Time: 964 days
Detection Fingerprints

How We Detect Ad Inserter – Ad Manager & AdSense Ads

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ad-inserter/css/ai-settings.css
/wp-content/plugins/ad-inserter/includes/js/ad-inserter-check.js
Script Paths
/wp-content/plugins/ad-inserter/includes/js/ad-inserter-check.js
Version Parameters
ad-inserter/css/ai-settings.css?ver=
ad-inserter/includes/js/ad-inserter-check.js?ver=

HTML / DOM Fingerprints

CSS Classes
warning-enabled
HTML Comments
<!-- // 0) If you are not using the default visual editor, make your own in PHP with a defined editor ID: // wp_editor( $content, 'tab-editor' ); // 1) Get contents of your editor in JavaScript: // tmce_getContent( 'tab-editor' ) // 2) Set content of the editor: // tmce_setContent( content, 'tab-editor' ) // Note: If you just want to use the default editor, you can leave the ID blank: // tmce_getContent() // tmce_setContent( content ) // Note: If using a custom textarea ID, different than the editor id, add an extra argument: // tmce_getContent( 'visual-id', 'textarea-id' ) // tmce_getContent( content, 'visual-id', 'textarea-id') // Note: An additional function to provide "focus" to the displayed editor: // tmce_focus( 'tab-editor' ) -->
<!-- // initialize_preview (); -->
<!-- editor.on("change keyup redo undo", function (e) { update_message_preview (editor, e); }); -->
<!-- initialize_preview (); setTimeout (show_blocked_warning, 400); -->
(+2 more)
Data Attributes
version="<?php echo AD_INSERTER_VERSION; ?>"
JS Globals
window.onkeydown, window.opener, window.close, tmce_getContent, tmce_setContent, tmce_focus (+12 more)
FAQ

Frequently Asked Questions about Ad Inserter – Ad Manager & AdSense Ads