Impact
The vulnerability is a Missing Authorization flaw in the revenueflex Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue plugin, affecting all releases from the earliest version up to and including 1.5. It allows an authenticated user with limited privileges on the WordPress site, such as a basic editor role, to alter ad-insertion settings without the authorization check the plugin should enforce. Such changes could modify how ads are displayed, potentially diverting revenue streams or serving improper advertising content. The weakness is classified as CWE-862 (Missing Authorization).
Affected Systems
WordPress sites that use the revenueflex Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue plugin at version 1.5 or earlier. The plugin is distributed by revenueflex and commonly installed via the WordPress plugin repository. Exploitation does not depend on any particular operating system or web server version; the issue resides entirely within the plugin's PHP code.
Risk and Exploitability
The CVSS score of 7.2 indicates high severity, reflecting the potential impact on the site's monetization and user experience. The EPSS score of less than 1% suggests that, as of this assessment, the likelihood of exploitation is relatively low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the WordPress administrative interface: any user who can reach the plugin settings page, even without explicit editorial permissions, can modify the ad configuration because the plugin code does not properly validate access control. This could allow attackers to redirect revenue streams or inject malicious advertising content.
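The following is an added illustration of the CWE-862 pattern in a WordPress settings handler, written for this page; it is not code from the plugin or from the advisory, and it does not claim to mirror the plugin's internals. All hook, function, nonce and option names (`example_save_ad_settings`, `example_ad_settings`) are hypothetical. It shows the weak form, where an admin-ajax handler trusts any logged-in request, beside the hardened form that checks a capability, a nonce and the input before writing the option.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress plugin.
// Hook, function, nonce and option names are hypothetical; this is not the
// plugin's own code.

// --- Weak pattern: the handler trusts any authenticated request ---------------
// wp_ajax_* actions are reachable by every logged-in user regardless of role,
// so a low-privileged account can overwrite the site-wide ad settings.
add_action( 'wp_ajax_example_save_ad_settings', 'example_save_ad_settings_weak' );
function example_save_ad_settings_weak() {
    $settings = array(
        'ad_code'  => wp_unslash( $_POST['ad_code'] ?? '' ),
        'position' => $_POST['position'] ?? 'after_paragraph',
    );
    update_option( 'example_ad_settings', $settings ); // no capability or nonce check
    wp_send_json_success();
}

// --- Hardened pattern: authorize, verify the request, then validate input -----
// Do NOT register a wp_ajax_nopriv_* variant for a settings handler; nopriv
// actions are reachable by unauthenticated visitors.
add_action( 'wp_ajax_example_save_ad_settings_fixed', 'example_save_ad_settings_fixed' );
function example_save_ad_settings_fixed() {
    // 1. Authorization: only users who may manage site options can change ad settings.
    //    This is the check whose absence constitutes CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 2. Request integrity: the settings form emits the token with
    //    wp_nonce_field( 'example_save_ad_settings', 'nonce' ); a request
    //    without a matching nonce is rejected here (dies with HTTP 403).
    check_ajax_referer( 'example_save_ad_settings', 'nonce' );

    // 3. Input validation: the position must be one of a fixed set of values.
    $allowed_positions = array( 'before_content', 'after_paragraph', 'after_content' );
    $position = sanitize_key( $_POST['position'] ?? '' );
    if ( ! in_array( $position, $allowed_positions, true ) ) {
        wp_send_json_error( 'invalid position', 400 );
    }

    // Ad markup legitimately contains <script> tags, so it cannot be passed
    // through wp_kses_post(); instead, accepting raw markup is gated on the
    // same capability WordPress uses for raw HTML elsewhere.
    $ad_code = wp_unslash( $_POST['ad_code'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $ad_code = wp_kses_post( $ad_code );
    }

    update_option( 'example_ad_settings', array(
        'ad_code'  => $ad_code,
        'position' => $position,
    ) );
    wp_send_json_success();
}
```

The order matters: the capability check runs before the nonce check so that an unauthorized user receives a uniform 403 rather than a hint about which token the form expects, and validation of the option values happens only after both. Site operators can confirm whether an affected release is installed with `wp plugin list --status=active` and compare the reported version against 1.5; a `wp_ajax_*` handler that writes options without a `current_user_can()` call is the code-level indicator to look for when reviewing a plugin for this class of flaw.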
OpenCVE Enrichment