CVE-2020-36728
Published 2023-06-07
CVE-2020-36728: The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. This allows…
Priority P183 · critical · 9.8 (CVSS 3.1)
CVSS metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.16% (86.4th percentile)
The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. This allows unauthenticated attackers to delete arbitrary files which can be used to reset and gain full control of a site.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tunafish | adning_advertising | <= 1.5.5 | — |
| tunasite | adning_advertising | < 1.5.6 | 1.5.6 |
Detection & IOCs (extracted from sources)
sigma matchers: status_code == 200 AND contains_all(body, '{(unknown)}','tmp_name','grid_item','success')
- Unauthenticated file deletion via path traversal: look for unauthenticated HTTP requests targeting the Adning Advertising plugin (versions ≤ 1.5.5) that result in arbitrary file deletion, particularly targeting wp-config.php or similar files to reset site control.
- Exploit probe pattern: HTTP GET to a dynamically named PHP file with a base64-encoded marker parameter; a successful exploit response body contains both the marker value and the strings 'tmp_name', 'grid_item', and 'success' with HTTP 200.
- Nuclei template boundary marker '--b214a08e1c094defed15a5cc4c2285ee--' can be used to identify this specific exploit template in proxy/WAF logs.
- The exploit is only applicable to Adning Advertising plugin versions up to and including 1.5.5; patched versions are not vulnerable.
- The Nuclei template uses dynamic placeholders ({(unknown)}, {{marker}}) resolved at runtime; the actual filenames and markers will vary per scan execution and cannot be statically matched.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 6.5 | MEDIUM | — |
GHSA
GHSA-52gj-66p3-r6v6 · ghsa_unreviewed · 2023-06-07 · CVE-2020-36728 [CRITICAL] · CWE-22
The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. This allows unauthenticated attackers to delete arbitrary files which can be used to reset and gain full control of a site.
VulnCheck
Adning Advertising plugin for WordPress Directory Traversal File Deletion
vulncheck · 2020 · CVSS 6.5 · CVE-2020-36728 [MEDIUM]
The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. This allows unauthenticated attackers to delete arbitrary files which can be used to reset and gain full control of a site.
Affected: tunasite adning_advertising
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://blog.nintechnet.com/critical-vulnerability-in-adning-advertising-plugin-actively-exploited-in-the-wild/
- https://wpscan.com/vulnerability/e9873fe3-fc06-4a52-aa32-6922cab7830c/
- https://dashboard.shadowserver.org/statistics/honeypot/vuln
No detection rules found.
Nuclei
WordPress Plugin Adning Advertising < 1.5.6 - Arbitrary File Upload
nuclei · CVSS 9.8 · CVE-2020-36728 [CRITICAL]
Template fragment (tail of the first raw request, its matchers, and the second request):
```yaml
        --b214a08e1c094defed15a5cc4c2285ee--
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body, '{(unknown)}','tmp_name','grid_item','success')"
        condition: and
        internal: true
  - raw:
      - |
        GET /{(unknown)}.php?input={{base64(marker)}} HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '{{marker}}')"
        condition: and
# digest: 4a0a0047304502200b3a2392a8d66b931f2d1fed27b6c1621aaff6f83dd8d95c531a75bde37d1093022100fe6261e0e3b16414565820bfcef77d32b78b150e4169e99968bd4c7bf87ee309:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References
- https://blog.nintechnet.com/critical-vulnerability-in-adning-advertising-plugin-actively-exploited-in-the-wild/
- https://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
- https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e7506429-7f8a-45b5-b1b0-6fdb39599ee5?source=cve