WordPress Plugin Vulnerabilities

Adning Advertising < 1.5.6 - Unauthenticated Arbitrary File Upload/Deletion

Description

The issue is being actively exploited, and could allow unauthorised attackers to upload/delete arbitrary files.

Affects Plugins

Plugin icon
angwp
Fixed in 1.5.6

References

CVE
CVE-2020-36728
Exploitdb
49332
URL
https://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
URL
https://blog.nintechnet.com/critical-vulnerability-in-adning-advertising-plugin-actively-exploited-in-the-wild/
URL
https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
10.0 (critical)

Miscellaneous

Verified
No
WPVDB ID
e9873fe3-fc06-4a52-aa32-6922cab7830c

Timeline

Publicly Published
2020-07-07 (about 5 years ago)
Added
2020-07-07 (about 5 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Account Change
Published
2021-08-26
Title
Woffice < 4.0.2 - Unauthenticated Disclosure of Notification Titles
Published
2024-02-27
Title
LifterLMS – WordPress LMS Plugin for eLearning < 7.5.2 - Missing Authorization via process_review
Published
2023-04-25
Title
REST API TO MiniProgram <= 4.6.9 - Subscriber+ Attachment Deletion
Published
2021-08-30
Title
Countdown Block < 1.1.2 - Missing Authorisation in AJAX action