The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _ning_upload_image function in versions up to, and including, 1.5.5. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
PoC code [public]
id: CVE-2020-36705

info:
  name: Adning Advertising <= 1.5.5 - Arbitrary File Upload
  author: DhiyaneshDK
  severity: critical
  description: |
    The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _ning_upload_image function in versions up to, and including, 1.5.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
  remediation: Fixed in 1.5.6
  reference:
    - https://blog.nintechnet.com/critical-vulnerability-in-adning-advertising-plugin-actively-exploited-in-the-wild/
    - https://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
    - https://wpscan.com/vulnerability/e9873fe3-fc06-4a52-aa32-6922cab7830c
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/4a263b74-e9ae-4fd2-be9b-9b8e9eee5982?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-36705
    epss-score: 0.8533
    epss-percentile: 0.99319
    cpe: cpe:2.3:a:tunasite:adning_advertising:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/angwp"
    vendor: tunasite
    product: adning_advertising
    framework: wordpress
  tags: cve,cve2020,wordpress,wp-plugin,angwp,wp,passive,vkev,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?i)Ads on this site are served by Adning v([0-9.]+)"
        internal: true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, 'served by Adning','adning.com')
          - compare_versions(version, '< 1.5.6')
        condition: and
# digest: 490a00463044022063a79bcd444714f65fe1a9b37b6079d150d998d579f0b2e3ca11372eae92d7cd02204dfc3aae23472919c612d0a4b566a41f61632f3f9e26f0e330a9e1b0cf93cff8:922c64590222798bb761d5b6d8e72950
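The template above is a passive check: it fetches the home page once, pulls the version out of the "Ads on this site are served by Adning v…" banner and flags the site when that version is below the fixed release 1.5.6. The following Python script is an added example (not part of the Nuclei template or the Adning project) that reproduces the same extractor and matcher logic so a site owner can confirm what version their own installation advertises. The HTML bodies are constructed samples; the `check_site` URL fetch is a hypothetical helper for running the check against a site you administer.

```python
import re
import urllib.request
from typing import Optional

# Same banner regex the template uses; group 1 is the version string.
ADNING_BANNER = re.compile(r"(?i)Ads on this site are served by Adning v([0-9.]+)")
FIXED_VERSION = "1.5.6"  # remediation version stated in the template


def parse_version(version: str) -> tuple:
    """Convert '1.5.5' to (1, 5, 5) so comparison is numeric, not lexical
    (a plain string compare would rank '1.10' below '1.9')."""
    return tuple(int(p) for p in version.strip(".").split(".") if p)


def extract_version(body: str) -> Optional[str]:
    """Mirror the template's regex extractor: the advertised version or None."""
    match = ADNING_BANNER.search(body)
    return match.group(1) if match else None


def is_vulnerable(status_code: int, body: str) -> bool:
    """Mirror the template's DSL matcher with condition: and.
    All three conditions must hold: HTTP 200, both marker strings present,
    and the extracted version strictly below 1.5.6."""
    if status_code != 200:
        return False
    if not ("served by Adning" in body and "adning.com" in body):
        return False
    version = extract_version(body)
    if version is None:  # banner absent: nothing to compare, so no match
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_site(url: str, timeout: float = 10.0) -> bool:
    """Hypothetical helper: fetch the home page of a site you administer and
    run the same check. urllib follows redirects by default, like the
    template's host-redirects setting."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return is_vulnerable(resp.status, body)


# Constructed sample responses (not captured from any real site).
SAMPLE_VULNERABLE = """<html><body>
<!-- Ads on this site are served by Adning v1.5.5 - https://adning.com -->
</body></html>"""

SAMPLE_PATCHED = """<html><body>
<!-- Ads on this site are served by Adning v1.5.6 - https://adning.com -->
</body></html>"""

SAMPLE_NO_PLUGIN = "<html><body><p>No ad plugin here.</p></body></html>"


def run_samples() -> dict:
    """Evaluate the constructed samples and return the verdicts by name."""
    return {
        "vulnerable": is_vulnerable(200, SAMPLE_VULNERABLE),
        "patched": is_vulnerable(200, SAMPLE_PATCHED),
        "no_plugin": is_vulnerable(200, SAMPLE_NO_PLUGIN),
        "non_200": is_vulnerable(404, SAMPLE_VULNERABLE),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {'VULNERABLE' if verdict else 'not flagged'}")
```

Note that the version banner is only a fingerprint: a site that suppresses the banner will not be flagged even if it still runs 1.5.5, so a negative result from this check is not proof that the plugin has been updated; confirm the installed version in the WordPress admin panel.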