WP Beacon

Ad Inserter – Ad Manager & AdSense Ads

ad-inserter · by spacetime · wordpress.org ↗ · SVN ↗
Active installs
300k+
Current version
2.8.13
Added
2010-11-14
Last updated
2026-03-29 (1mo ago)
First seen by beacon
11d ago
Total downloads
18,550,530

Alerts (0)

No open alerts.

Show 3 resolved alerts
Medium code_scan_match Resolved · fp_w3tc_codegen_template 2026-04-27 02:28:49 (5d ago)
Slugad-inserter
Finding count86
Findings
PatternKindFileLineSnippetConfidence
eval_callbuiltinclass.php644eval ("?>". $code . "<?php ");medium
base64_decodebuiltinclass.php2,792$this->w3tc_code = '$ai_code = base64_decode (\''.base64_encode ($code).'\'); $ai_enabled = true;';medium
base64_decodebuiltinclass.php2,810$w3tc_code .= 'echo base64_decode (\'' . base64_encode ($html_code) . '\');';medium
base64_decodebuiltinclass.php2,854$base64_code .= 'echo base64_decode (\'' . base64_encode ($html_code) . '\');';medium
base64_decodebuiltinclass.php3,985$ai_wp_data [AI_ACTIVE_GROUP_NAMES] = array_merge ($ai_wp_data [AI_ACTIVE_GROUP_NAMES], json_decode (base64_decode ($matches [1])));medium
base64_decodebuiltinclass.php3,988if (($ai_wp_data [AI_WP_DEBUGGING] & AI_DEBUG_PROCESSING) != 0) ai_log ('ACTIVATED GROUPS: "' . implode (', ', json_decode (base64_decode ($matches [1]))) . '"');medium
base64_decodebuiltinclass.php3,993$processed_code = $debug_list->bar (__('ACTIVATED GROUPS', 'ad-inserter') . ': ' . implode (', ', json_decode (base64_decode ($matches [1]))), '', '') . $processed_code;medium
base64_decodebuiltinclass.php4,088$current_group_name = implode (', ', json_decode (base64_decode ($matches [1])));medium
base64_decodebuiltinclass.php4,139$ad_index_code = ' global $ai_groups; $ai_index = 0; if (isset ($ai_groups) && count ($ai_groups) != 0) {foreach ($ai_groups as $group_name) {foreach (unserialize (base64_decode (\''.medium
base64_decodebuiltinclass.php4,162$this->w3tc_code .= '$ai_code = unserialize (base64_decode (\''.base64_encode (serialize ($ads)).'\'));'.$ad_index_code;medium
base64_decodebuiltinclass.php4,171$this->w3tc_code .= ' if ($ai_index != 0) {$version_names = unserialize (base64_decode (\''.base64_encode (serialize ($this->rotate_names)).'\')); $ai_version_name = $version_names [$ai_inmedium
base64_decodebuiltinclass.php4,177$this->w3tc_code .= ' if ($ai_enabled) {$groups_marker = base64_decode (\'' . base64_encode ($groups_marker) .medium
base64_decodebuiltinclass.php4,178'\'); global $ai_groups; if (preg_match ($groups_marker, $ai_code, $matches)) {if (!isset ($ai_groups)) $ai_groups = array (); $ai_groups = array_merge ($ai_groups, json_decode (base64medium
base64_decodebuiltinclass.php4,268$this->w3tc_code .= '$ai_amp_separator = base64_decode (\'' . base64_encode (AD_AMP_SEPARATOR) . '\'); $ai_amp_page = ' . ($ai_wp_data [AI_WP_AMP_PAGE] ? 'true' : 'false') . '; $ai_amp_enablmedium
base64_decodebuiltinclass.php4,281$this->w3tc_code .= '$ai_head_separator = base64_decode (\'' . base64_encode (AD_HEAD_SEPARATOR) . '\');';medium
View raw JSON
{
    "slug": "ad-inserter",
    "finding_count": 86,
    "findings": [
        {
            "pattern": "eval_call",
            "kind": "builtin",
            "file": "class.php",
            "line": 644,
            "snippet": "eval (\"?>\". $code . \"<?php \");",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 2792,
            "snippet": "$this->w3tc_code = '$ai_code = base64_decode (\\''.base64_encode ($code).'\\'); $ai_enabled = true;';",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 2810,
            "snippet": "$w3tc_code .= 'echo base64_decode (\\'' . base64_encode ($html_code) . '\\');';",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 2854,
            "snippet": "$base64_code .= 'echo base64_decode (\\'' . base64_encode ($html_code) . '\\');';",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 3985,
            "snippet": "$ai_wp_data [AI_ACTIVE_GROUP_NAMES] = array_merge ($ai_wp_data [AI_ACTIVE_GROUP_NAMES], json_decode (base64_decode ($matches [1])));",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 3988,
            "snippet": "if (($ai_wp_data [AI_WP_DEBUGGING] & AI_DEBUG_PROCESSING) != 0) ai_log ('ACTIVATED GROUPS: \"' . implode (', ', json_decode (base64_decode ($matches [1]))) . '\"');",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 3993,
            "snippet": "$processed_code = $debug_list->bar (__('ACTIVATED GROUPS', 'ad-inserter') . ': ' . implode (', ', json_decode (base64_decode ($matches [1]))), '', '') . $processed_code;",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4088,
            "snippet": "$current_group_name = implode (', ', json_decode (base64_decode ($matches [1])));",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4139,
            "snippet": "$ad_index_code = ' global $ai_groups; $ai_index = 0; if (isset ($ai_groups) && count ($ai_groups) != 0) {foreach ($ai_groups as $group_name) {foreach (unserialize (base64_decode (\\''.",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4162,
            "snippet": "$this->w3tc_code .= '$ai_code = unserialize (base64_decode (\\''.base64_encode (serialize ($ads)).'\\'));'.$ad_index_code;",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4171,
            "snippet": "$this->w3tc_code .= ' if ($ai_index != 0) {$version_names = unserialize (base64_decode (\\''.base64_encode (serialize ($this->rotate_names)).'\\')); $ai_version_name = $version_names [$ai_in",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4177,
            "snippet": "$this->w3tc_code .= ' if ($ai_enabled) {$groups_marker = base64_decode (\\'' . base64_encode ($groups_marker) .",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4178,
            "snippet": "'\\'); global $ai_groups; if (preg_match ($groups_marker, $ai_code, $matches)) {if (!isset ($ai_groups)) $ai_groups = array (); $ai_groups = array_merge ($ai_groups, json_decode (base64",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4268,
            "snippet": "$this->w3tc_code .= '$ai_amp_separator = base64_decode (\\'' . base64_encode (AD_AMP_SEPARATOR) . '\\'); $ai_amp_page = ' . ($ai_wp_data [AI_WP_AMP_PAGE] ? 'true' : 'false') . '; $ai_amp_enabl",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.php",
            "line": 4281,
            "snippet": "$this->w3tc_code .= '$ai_head_separator = base64_decode (\\'' . base64_encode (AD_HEAD_SEPARATOR) . '\\');';",
            "confidence": "medium"
        }
    ]
}
Critical code_pattern Resolved · oos_vuln_security_finder 2026-04-27 01:54:19 (5d ago)
Slugad-inserter
Patternunserialize_after_remote_call
Kindbuiltin
Version2.8.13
Hit count1
First hit
File
ad-inserter.php
Line
7,294
Snippet
L7293: $response = wp_remote_post ($url, array ('body' => $request)); → L7294: $plugin_info = @unserialize ($response ['body']);
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "ad-inserter",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.8.13",
    "hit_count": 1,
    "first_hit": {
        "file": "ad-inserter.php",
        "line": 7294,
        "snippet": "L7293: $response = wp_remote_post ($url, array ('body' => $request));  \u2192  L7294: $plugin_info = @unserialize ($response ['body']);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical code_scan_delta Resolved · fp_wporg_official_api 2026-04-24 16:02:15 (7d ago)
Slugad-inserter
Previous version2.8.13
Current version2.8.13
New findings
PatternKindFileLineSnippetConfidence
unserialize_after_remote_callbuiltinad-inserter.php7,294L7293: $response = wp_remote_post ($url, array ('body' => $request)); → L7294: $plugin_info = @unserialize ($response ['body']);high
New finding count1
View raw JSON
{
    "slug": "ad-inserter",
    "previous_version": "2.8.13",
    "current_version": "2.8.13",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "ad-inserter.php",
            "line": 7294,
            "snippet": "L7293: $response = wp_remote_post ($url, array ('body' => $request));  \u2192  L7294: $plugin_info = @unserialize ($response ['body']);",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

SVN committers (1)

Accounts with actual commit access to ad-inserter on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Spacetime 2010-11-13 200 2021-06-27 · r2554736 2026-04-25 · r3515134

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Spacetime 2010-11-13 200 commits Active
Ad Inserter 2020-01-15 Active

Versions (24 most recent)

Version Released Download
2.8.13 2026-03-29 · 1mo ago zip
2.8.12 2026-02-28 · 2mo ago zip
2.8.11 2026-02-08 · 2mo ago zip
2.8.10 2026-01-25 · 3mo ago zip
2.8.9 2025-11-30 · 5mo ago zip
2.8.8 2025-10-30 · 6mo ago zip
2.8.7 2025-09-29 · 7mo ago zip
2.8.6 2025-08-31 · 8mo ago zip
2.8.5 2025-07-30 · 9mo ago zip
2.8.4 2025-07-01 · 10mo ago zip
2.8.3 2025-05-30 · 11mo ago zip
2.8.2 2025-04-30 · 1y ago zip
2.8.1 2025-03-02 · 1y ago zip
2.8.0 2025-01-23 · 1y ago zip
2.7.39 2025-01-17 · 1y ago zip
2.7.38 2024-12-16 · 1y ago zip
2.7.37 2024-09-30 · 1y ago zip
2.7.36 2024-08-15 · 1y ago zip
2.7.35 2024-05-30 · 1y ago zip
2.7.34 2024-03-21 · 2y ago zip
2.7.33 2024-03-08 · 2y ago zip
2.7.32 2023-11-30 · 2y ago zip
2.7.31 2023-09-21 · 2y ago zip
2.7.30 2023-08-09 · 2y ago zip