cbcvebase.
CVE-2020-36705
published 2023-06-07

CVE-2020-36705: The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _ning_upload_image function in…

PriorityP184critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
6.94%
93.3th percentile
The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _ning_upload_image function in versions up to, and including, 1.5.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Affected

2 ranges
VendorProductVersion rangeFixed in
tunafishadning_advertising<= 1.5.5
tunasiteadning_advertising< 1.5.61.5.6

Detection & IOCsextracted from sources · hover to see the quote

path/wp-content/plugins/angwp
  • Detect vulnerable Adning Advertising plugin by matching the version string in page body: look for 'Ads on this site are served by Adning v<version>' and confirm version is less than 1.5.6
  • Confirm vulnerable instance by checking HTTP 200 response body contains both 'served by Adning' and 'adning.com', combined with version < 1.5.6
  • The vulnerable function is _ning_upload_image — monitor for unauthenticated POST requests invoking this function for arbitrary file upload attempts
  • The vulnerability is actively exploited in the wild (high EPSS score: 0.89502, 99.5th percentile); prioritize detection and patching
  • ·Detection via passive page-body regex only works if the Adning plugin renders its version string in the HTML output; sites with caching or hardened configurations may suppress this string
  • ·The Nuclei template uses a single GET to the base URL with host-redirect following (max 2 redirects); detection may miss instances behind aggressive redirect chains or WAFs
  • ·The vulnerability affects all versions up to and including 1.5.5; the fix was introduced in 1.5.6 — version comparison must use strict less-than 1.5.6

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.