A critical security issue found in the Ad Inserter WordPress plugin allows authenticated attackers to remotely execute PHP code. The vulnerability stems from the use of the check_admin_referer() for authorization, when it was specifically designed to protect WordPress sites against cross-site request forgery (CSRF) exploits using nonces one-time tokens used for blocking expired and repeated requests. WordPress admins should update the plugin to version 2.4.22 which was released by the plugin developer within a day after being notified of the security flaw.
Source: https://www.bleepingcomputer.com/news/security/critical-bug-in-wordpress-plugin-lets-hackers-execute-code/

