20241106

date.txt

@@ -1 +1 @@
-20241105
+20241106

poc/auth/heateor-social-login-323326633e68646fd78ad5035af9e4d0.yaml

@@ -0,0 +1,59 @@
+id: heateor-social-login-323326633e68646fd78ad5035af9e4d0
+
+info:
+  name: >
+    Heateor Social Login WordPress <= 1.1.35 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1d212b-75fe-4285-9c22-62b040e5a36c?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/heateor-social-login/"
+    google-query: inurl:"/wp-content/plugins/heateor-social-login/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,heateor-social-login,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/heateor-social-login/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "heateor-social-login"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.1.35')

poc/auth/loginizer-security.yaml

@@ -0,0 +1,59 @@
+id: loginizer-security-a645aa27d21902e8047247162f3fd0fb
+
+info:
+  name: >
+    Loginizer Security and Loginizer <= 1.9.2 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5db00b22-d766-4fde-86fe-98d90936028c?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/loginizer-security/"
+    google-query: inurl:"/wp-content/plugins/loginizer-security/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,loginizer-security,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/loginizer-security/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "loginizer-security"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.9.2')

poc/backup/everest-backup-c5cfc7a8f5c040156a3bb37da7e93d2e.yaml

@@ -0,0 +1,59 @@
+id: everest-backup-c5cfc7a8f5c040156a3bb37da7e93d2e
+
+info:
+  name: >
+    Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.2.13 - Sensitive Invormation Disclosure via procstat Log
+  author: topscoder
+  severity: low
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/9b871957-a2b3-492f-b461-7040d9098b2b?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/everest-backup/"
+    google-query: inurl:"/wp-content/plugins/everest-backup/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,everest-backup,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/everest-backup/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "everest-backup"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.2.13')

poc/cve/CVE-2024-10020-397e5cc97549d156277da4b33b2ec5af.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10020-397e5cc97549d156277da4b33b2ec5af
+
+info:
+  name: >
+    Heateor Social Login WordPress <= 1.1.35 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    The Heateor Social Login WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token. An attacker cannot authenticate as an administrator by default, but these accounts are also at risk if authentication for administrators has explicitly been allowed via the social login.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1d212b-75fe-4285-9c22-62b040e5a36c?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.1
+    cve-id: CVE-2024-10020
+  metadata:
+    fofa-query: "wp-content/plugins/heateor-social-login/"
+    google-query: inurl:"/wp-content/plugins/heateor-social-login/"
+    shodan-query: 'vuln:CVE-2024-10020'
+  tags: cve,wordpress,wp-plugin,heateor-social-login,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/heateor-social-login/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "heateor-social-login"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.1.35')

poc/cve/CVE-2024-10028-df3e6beddae25a2d75eafa93f8243ba1.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10028-df3e6beddae25a2d75eafa93f8243ba1
+
+info:
+  name: >
+    Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.2.13 - Sensitive Invormation Disclosure via procstat Log
+  author: topscoder
+  severity: high
+  description: >
+    The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.13 via the exposed process stats file during the backup process. This makes it possible for unauthenticated attackers to obtain an archive file name and download the site's backup.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/9b871957-a2b3-492f-b461-7040d9098b2b?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2024-10028
+  metadata:
+    fofa-query: "wp-content/plugins/everest-backup/"
+    google-query: inurl:"/wp-content/plugins/everest-backup/"
+    shodan-query: 'vuln:CVE-2024-10028'
+  tags: cve,wordpress,wp-plugin,everest-backup,high
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/everest-backup/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "everest-backup"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.2.13')

poc/cve/CVE-2024-10084-861e5ee4c434bf307e7c7990c04e71c6.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10084-861e5ee4c434bf307e7c7990c04e71c6
+
+info:
+  name: >
+    Contact Form 7 – Dynamic Text Extension <= 4.5 - Information Disclosure via Shortcode
+  author: topscoder
+  severity: low
+  description: >
+    The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Basic Information Disclosure in all versions up to, and including, 4.5 via the CF7_get_post_var shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract the titles and text contents of private and password-protected posts, they do not own.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e051a83e-ad5a-4789-bfee-e03aa9d6a3fc?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 4.3
+    cve-id: CVE-2024-10084
+  metadata:
+    fofa-query: "wp-content/plugins/contact-form-7-dynamic-text-extension/"
+    google-query: inurl:"/wp-content/plugins/contact-form-7-dynamic-text-extension/"
+    shodan-query: 'vuln:CVE-2024-10084'
+  tags: cve,wordpress,wp-plugin,contact-form-7-dynamic-text-extension,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/contact-form-7-dynamic-text-extension/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "contact-form-7-dynamic-text-extension"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 4.5')