CVE-2020-36728: 
WordPress vulnerability analysis and mitigation

The Adning Advertising plugin for WordPress (CVE-2020-36728) contains a critical file deletion vulnerability via path traversal in versions up to 1.5.5. The vulnerability was publicly disclosed on July 7, 2020, affecting the WordPress plugin developed by Tunasite. This security flaw allows unauthenticated attackers to delete arbitrary files, which can potentially lead to a complete site takeover (NVD, WPScan).

The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction. Wordfence assigned a different CVSS score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to delete arbitrary files from the affected WordPress installation. This capability can be leveraged to reset and gain full control of a WordPress site, potentially leading to complete site compromise (NVD).

The vulnerability has been patched in version 1.5.6 of the Adning Advertising plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).