Commit
20240820
actions-user committed Aug 20, 2024
1 parent 8b2291e commit 1c786a8
Showing 149 changed files with 7,932 additions and 354 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20240819
20240820
127 changes: 127 additions & 0 deletions poc.txt
59 changes: 59 additions & 0 deletions poc/backup/snapshot-backup-518ee5abfc5c619140ace18f02fca8ee.yaml
@@ -0,0 +1,59 @@
id: snapshot-backup-518ee5abfc5c619140ace18f02fca8ee

info:
name: >
Snapshot Backup <= 2.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
author: topscoder
severity: medium
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b467fc26-242f-47c4-bcfd-38980489a0c3?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/snapshot-backup/"
google-query: inurl:"/wp-content/plugins/snapshot-backup/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,snapshot-backup,medium

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/snapshot-backup/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "snapshot-backup"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 2.1.1')
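Review bot: the `classification` block is empty (`cvss-metrics:`, `cvss-score:`, `cve-id:` all blank) and so is `description: >`, yet `tags:` still carries `cve` and `shodan-query` is `'vuln:'` with nothing after the colon; either fill these from the referenced Wordfence entry or drop the `cve` tag and the empty Shodan query, otherwise anyone filtering templates on `cve` or generating Shodan searches picks up a template with no CVE id. Separately, the only logic here is reading `Stable tag:` from readme.txt and evaluating `compare_versions(version, '<= 2.1.1')`; the CSRF-to-stored-XSS is never exercised, so a match means "version in the affected range", and a readme that says `Stable tag: trunk` leaves `version` unset and the DSL matcher fails without reporting anything.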
59 changes: 59 additions & 0 deletions poc/cve/CVE-2022-1206-bbfcec5a838b2b14e78ed6986ba9a4ca.yaml
@@ -0,0 +1,59 @@
id: CVE-2022-1206-bbfcec5a838b2b14e78ed6986ba9a4ca

info:
name: >
AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload
author: topscoder
severity: low
description: >
The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9f92219a-e07e-422d-a9f2-dbe4fbcd5f55?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2022-1206
metadata:
fofa-query: "wp-content/plugins/adrotate/"
google-query: inurl:"/wp-content/plugins/adrotate/"
shodan-query: 'vuln:CVE-2022-1206'
tags: cve,wordpress,wp-plugin,adrotate,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/adrotate/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "adrotate"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 5.13.2')
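Review bot: `severity: low` and the `low` tag disagree with `cvss-score: 7.2` and the vector `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`, which is a High score. A deliberate downgrade is defensible given `PR:H` (administrator-level upload is close to what WordPress admins can already do), but the two fields should agree or the reason for the downgrade should be stated in `description`; otherwise consumers sorting by `severity` and by `cvss-score` get different answers for the same finding. The `description` also names the plugin "AdRotate Banner Manager – The only ad manager you'll need" while `name:` says "AdRotate – Ad manager & AdSense Ads"; worth aligning on one name.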
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-43210-c00b158f348148a948ad30200894c026.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-43210-c00b158f348148a948ad30200894c026

info:
name: >
LA-Studio Element Kit for Elementor <= 1.3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
author: topscoder
severity: low
description: >
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.9.2 due to insufficient input sanitization and output escaping on title tags found in blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bfa12bf7-5056-4d65-885c-36fcb37c017c?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
cvss-score: 6.4
cve-id: CVE-2024-43210
metadata:
fofa-query: "wp-content/plugins/lastudio-element-kit/"
google-query: inurl:"/wp-content/plugins/lastudio-element-kit/"
shodan-query: 'vuln:CVE-2024-43210'
tags: cve,wordpress,wp-plugin,lastudio-element-kit,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/lastudio-element-kit/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "lastudio-element-kit"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.3.9.2')
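Review bot: `severity: low` and the `low` tag do not match `cvss-score: 6.4` (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`), which is Medium; suggest `severity: medium` and `tags: cve,wordpress,wp-plugin,lastudio-element-kit,medium`. On the extractors: both run the identical regex `(?mi)Stable tag: ([0-9.]+)` on `body` under the same name `version`, the first with `internal: true` and the second without. If the second exists only so the version shows up in the result output, a one-line comment saying so would stop the next reader from treating the duplication as a mistake.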
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-43216-f2dc4220b6ea8c45c403bfb4dc6072f7.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-43216-f2dc4220b6ea8c45c403bfb4dc6072f7

info:
name: >
Filr – Secure document library <= 1.2.4 - Authenticated (Editor+) Stored Cross-Site Scripting
author: topscoder
severity: low
description: >
The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b20ec769-822a-4d9b-9824-6e29d3677ac3?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
cvss-score: 4.4
cve-id: CVE-2024-43216
metadata:
fofa-query: "wp-content/plugins/filr-protection/"
google-query: inurl:"/wp-content/plugins/filr-protection/"
shodan-query: 'vuln:CVE-2024-43216'
tags: cve,wordpress,wp-plugin,filr-protection,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/filr-protection/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "filr-protection"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.2.4')
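Review bot: the `description` says the issue "only affects multi-site installations and installations where unfiltered_html has been disabled", but the matchers check nothing beyond `Stable tag` in readme.txt and `compare_versions(version, '<= 1.2.4')`, so every single-site install with default capabilities will be reported as vulnerable. Either say in `description` (or `metadata`) that a hit means "version in range, preconditions not verified", or consumers will treat these as confirmed findings. `severity: low` and the `low` tag also disagree with `cvss-score: 4.4`, which is Medium on the CVSS 3.1 scale.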
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-43277-6b4940f2eac79c6e5fa7f9ba0cc0604e.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-43277-6b4940f2eac79c6e5fa7f9ba0cc0604e

info:
name: >
UsersWP <= 1.2.15 - Missing Authorization
author: topscoder
severity: high
description: >
The UsersWP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activation_redirect() function in versions up to, and including, 1.2.15. This makes it possible for unauthenticated attackers to trigger the activation redirect.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5a88a9-55ff-428d-9ce2-3247f5d48266?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2024-43277
metadata:
fofa-query: "wp-content/plugins/userswp/"
google-query: inurl:"/wp-content/plugins/userswp/"
shodan-query: 'vuln:CVE-2024-43277'
tags: cve,wordpress,wp-plugin,userswp,high

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/userswp/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "userswp"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.2.15')
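Review bot: `severity: high` and the `high` tag overstate this one: `cvss-score: 5.3` with `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` is Medium, and the `description` describes the impact as an unauthenticated attacker being able to "trigger the activation redirect" (integrity low, no confidentiality or availability impact). Suggest `severity: medium` and `tags: cve,wordpress,wp-plugin,userswp,medium` so the template's own fields are consistent with each other and with the referenced Wordfence entry.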
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-43285-2259cac19eda110255245b91d280697e.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-43285-2259cac19eda110255245b91d280697e

info:
name: >
Presto Player <= 3.0.2 - Missing Authorization
author: topscoder
severity: low
description: >
The Presto Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/06ccfd81-065f-4151-97ea-dd6d4fc79337?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
cvss-score: 4.3
cve-id: CVE-2024-43285
metadata:
fofa-query: "wp-content/plugins/presto-player/"
google-query: inurl:"/wp-content/plugins/presto-player/"
shodan-query: 'vuln:CVE-2024-43285'
tags: cve,wordpress,wp-plugin,presto-player,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/presto-player/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "presto-player"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 3.0.2')
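Review bot: `severity: low` and the `low` tag do not match `cvss-score: 4.3` (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`), which is Medium; suggest `severity: medium` and the matching tag. The `description` is also too vague to act on: "a missing capability check on a function" and "perform an unauthorized action" name neither the function nor the action, so a consumer cannot judge whether a hit on `compare_versions(version, '<= 3.0.2')` matters to them. If the referenced Wordfence entry names the function or the affected endpoint, it belongs here; if it does not, say that the details are undisclosed.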