cbcvebase.
CVE-2020-36728
published 2023-06-07


Priority: P1 83 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.16% (86.4th percentile)
The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. This allows unauthenticated attackers to delete arbitrary files which can be used to reset and gain full control of a site.

Affected

2 ranges

Vendor     Product              Version range   Fixed in
tunafish   adning_advertising   <= 1.5.5        -
tunasite   adning_advertising   < 1.5.6         1.5.6

Detection & IOCs (extracted from sources)

sigma
matchers: status_code == 200 AND contains_all(body, '{(unknown)}','tmp_name','grid_item','success')
  • Unauthenticated file deletion via path traversal — look for unauthenticated HTTP requests targeting the Adning Advertising plugin (versions ≤ 1.5.5) that result in arbitrary file deletion, particularly targeting wp-config.php or similar files to reset site control.
  • Exploit probe pattern: HTTP GET to a dynamically named PHP file with a base64-encoded marker parameter; a successful exploit response body contains both the marker value and strings 'tmp_name', 'grid_item', and 'success' with HTTP 200.
  • Nuclei template boundary marker '--b214a08e1c094defed15a5cc4c2285ee--' can be used to identify this specific exploit template in proxy/WAF logs.
  • The exploit is only applicable to Adning Advertising plugin versions up to and including 1.5.5; patched versions are not vulnerable.
  • The Nuclei template uses dynamic placeholders ({(unknown)}, {{marker}}) resolved at runtime; the actual filenames and markers will vary per scan execution and cannot be statically matched.

CVSS provenance

NVD        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck         6.5   MEDIUM