CM Ad Changer – A simple tool to control and optimize your site's banners Security & Risk Analysis

wordpress.org/plugins/cm-ad-changer

Manage banner ad campaigns with the WordPress ad management plugin. Display ads via shortcodes or widgets and control how banners rotate.

100 active installs v2.0.7 PHP 5.2.4+ WP 5.4.0+ Updated Jan 29, 2026
Tags: ad-manager, ad-server, ads, adserving, advertising
Score 97 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Apr 22, 2025
Safety Verdict

Is CM Ad Changer – A simple tool to control and optimize your site's banners Safe to Use in 2026?

Generally Safe

Score 97/100

CM Ad Changer – A simple tool to control and optimize your site's banners has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Apr 22, 2025 · Updated 3mo ago
Risk Assessment

The "cm-ad-changer" v2.0.7 plugin presents a mixed security posture. It shows some good practices, such as a reasonable number of nonce and capability checks relative to its attack surface, but significant concerns remain. Of its 7 AJAX handlers, 3 lack proper authentication checks, creating direct entry points that could be exploited by unauthenticated users. The use of the dangerous `unserialize` function, together with only 32% of output being properly escaped, raises concerns about potential code injection and cross-site scripting vulnerabilities. The plugin's vulnerability history (one high and two medium severity CVEs, most commonly CSRF and XSS) underscores these risks, even though no unpatched vulnerabilities are currently listed. The most recent vulnerability is from the recent past, which suggests that ongoing security issues have been addressed, but the historical pattern of CSRF and XSS points to potential weaknesses in input sanitization and CSRF protection.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function unserialize used
  • Low percentage of properly escaped output
  • One high-severity CVE in its history
  • Two medium-severity CVEs in its history
  • Flows with unsanitized paths
Vulnerabilities
3 published

CM Ad Changer – A simple tool to control and optimize your site's banners Security Vulnerabilities

CVEs by Year

2016: 2 CVEs
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-46245 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

CM Ad Changer <= 2.0.5 - Cross-Site Request Forgery

Apr 22, 2025 · Patched in 2.0.6 (9d)

WF-d96c9b04-6850-40ab-8006-81cca8a9dffe-cm-ad-changer · high · 8.8 · Cross-Site Request Forgery (CSRF)

CM Ad Changer <= 1.7.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Jun 9, 2016 · Patched in 1.7.8 (2784d)

WF-fa181ff8-5324-4782-ad45-4a701ac63b8c-cm-ad-changer · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CM Ad Changer < 1.7.6 - Cross-Site Scripting

Apr 21, 2016 · Patched in 1.7.6 (2833d)
Version History

CM Ad Changer – A simple tool to control and optimize your site's banners Release Timeline

v2.0.7 · Current
v2.0.6
v2.0.5 · 1 CVE
v2.0.4 · 1 CVE
v2.0.3 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

CM Ad Changer – A simple tool to control and optimize your site's banners Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 11 (12 prepared)
Unescaped Output: 243 (114 escaped)
Nonce Checks: 7
Capability Checks: 3
File Operations: 8
External Requests: 6
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$meta = unserialize($fields_data[ 'meta' ]);` · backend\views\admin_campaigns.php:269
unserialize · `$meta = unserialize($campaign[ 'meta' ]);` · shared\classes\cmac-data.php:464

SQL Query Safety

52% prepared · 23 total queries

Output Escaping

32% escaped · 357 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

7 flows · 3 with unsanitized paths
cminds_system_info_content (package\cminds-free.php:2726)
Attack Surface
3 unprotected

CM Ad Changer – A simple tool to control and optimize your site's banners Attack Surface

Entry Points: 12
Unprotected: 3

AJAX Handlers 7

auth · wp_ajax_cmac_event_dispatcher · backend\cm-ad-changer-backend.php:57
nopriv · wp_ajax_cmac_event_dispatcher · backend\cm-ad-changer-backend.php:58
auth · wp_ajax_ac_upload_image · backend\cm-ad-changer-backend.php:60
auth · wp_ajax_cm-submit-uninstall-reason · package\cminds-free.php:147
auth · wp_ajax_cm-submit-registration-email · package\cminds-free.php:148
auth · wp_ajax_cm-submit-deregistration · package\cminds-free.php:149
auth · wp_ajax_cm-submit-registration-skip · package\cminds-free.php:150

Shortcodes 5

[cminds_free_registration] package\cminds-free.php:54
[cminds_free_guide] package\cminds-free.php:55
[cminds_upgrade_box] package\cminds-free.php:56
[cminds_free_activation] package\cminds-free.php:57
[cm_ad_changer] shared\cm-ad-changer-shared.php:196
WordPress Hooks 24
action · admin_menu · backend\cm-ad-changer-backend.php:52
action · admin_enqueue_scripts · backend\cm-ad-changer-backend.php:53
action · admin_notices · backend\cm-ad-changer-backend.php:55
action · admin_notices · cm-ad-changer.php:254
action · admin_init · cm-ad-changer.php:314
action · wp_enqueue_scripts · frontend\cm-ad-changer-frontend.php:25
action · wp_enqueue_scripts · frontend\cm-ad-changer-frontend.php:26
action · wp_print_styles · frontend\cm-ad-changer-frontend.php:27
action · activated_plugin · package\cminds-free.php:31
action · admin_init · package\cminds-free.php:33
action · admin_menu · package\cminds-free.php:34
action · admin_enqueue_scripts · package\cminds-free.php:35
action · admin_enqueue_scripts · package\cminds-free.php:36
action · cminds_download_sysinfo · package\cminds-free.php:48
action · init · package\cminds-free.php:50
action · init · package\cminds-free.php:51
filter · plugin_row_meta · package\cminds-free.php:59
action · wp_dashboard_setup · package\cminds-free.php:62
action · admin_footer · package\cminds-free.php:157
filter · wp_mail_content_type · package\cminds-free.php:311
filter · wp_mail_content_type · package\cminds-free.php:2076
filter · wp_mail_content_type · package\cminds-free.php:2167
action · widgets_init · shared\classes\cmac-widget.php:170
action · admin_notices · shared\cm-ad-changer-shared.php:38
Maintenance & Trust

CM Ad Changer – A simple tool to control and optimize your site's banners Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 29, 2026
PHP min version: 5.2.4
Downloads: 45K

Community Trust

Rating: 62/100
Number of ratings: 15
Active installs: 100
Developer Profile

CM Ad Changer – A simple tool to control and optimize your site's banners Developer Profile

CreativeMindsSolutions

19 plugins · 22K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 535 days
Detection Fingerprints

How We Detect CM Ad Changer – A simple tool to control and optimize your site's banners

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cm-ad-changer/backend/css/backend.css
/wp-content/plugins/cm-ad-changer/backend/js/backend.js
/wp-content/plugins/cm-ad-changer/frontend/css/frontend.css
/wp-content/plugins/cm-ad-changer/frontend/js/frontend.js
/wp-content/plugins/cm-ad-changer/shared/css/shared.css
/wp-content/plugins/cm-ad-changer/shared/js/shared.js
Script Paths
/wp-content/plugins/cm-ad-changer/backend/js/backend.js
/wp-content/plugins/cm-ad-changer/frontend/js/frontend.js
/wp-content/plugins/cm-ad-changer/shared/js/shared.js
Version Parameters
cm-ad-changer/backend/css/backend.css?ver=
cm-ad-changer/backend/js/backend.js?ver=
cm-ad-changer/frontend/css/frontend.css?ver=
cm-ad-changer/frontend/js/frontend.js?ver=
cm-ad-changer/shared/css/shared.css?ver=
cm-ad-changer/shared/js/shared.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- CM Ad Changer Shortcode -->
<!-- END CM Ad Changer Shortcode -->
<!-- CM Ad Changer Admin Settings -->
<!-- END CM Ad Changer Admin Settings -->
Data Attributes
data-cmadchanger-campaign-id
data-cmadchanger-image-id
data-cmadchanger-weight
data-cmadchanger-type
data-cmadchanger-link-target
JS Globals
CMAC_ADMIN_OPTIONS
CMAC_AJAX_URL
CMAC_AJAX_NONCE
CMAC_AD_CHANGER_FRONTEND_AJAX_HANDLE
CMAC_AD_CHANGER_ADMIN_AJAX_HANDLE
CMAC_SETTINGS
+1 more
Shortcode Output
[cm_ad_changer id="
[cm_ad_changer link-target="
[cm_ad_changer type="
[cm_ad_changer campaign_id="
FAQ

Frequently Asked Questions about CM Ad Changer – A simple tool to control and optimize your site's banners