Commit 20240821
actions-user committed Aug 21, 2024
1 parent 1c786a8 commit 55f83c9
Showing 118 changed files with 6,176 additions and 284 deletions.
2 changes: 1 addition & 1 deletion date.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
20240820
20240821
97 changes: 97 additions & 0 deletions poc.txt

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
id: event-espresso-decaf-22176fe8722d0971848f71b56590811f

info:
name: >
Event Espresso 4 Decaf – Event Registration Event Ticketing <= 5.0.22.decaf - Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/689abb68-0c19-4f89-91db-fd15ab8bca8e?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/event-espresso-decaf/"
google-query: inurl:"/wp-content/plugins/event-espresso-decaf/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,event-espresso-decaf,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/event-espresso-decaf/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "event-espresso-decaf"
part: body

- type: dsl
dsl:
- compare_versions(version, '* - 5.0.22.decaf')
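Review bot: the final matcher in this hunk, `compare_versions(version, '* - 5.0.22.decaf')`, cannot work with the value the extractors produce: the regex `Stable tag: ([0-9.]+)` captures only digits and dots, so a readme with `Stable tag: 5.0.22.decaf` yields `5.0.22.` (trailing dot), which no version parser will accept, and `* - 5.0.22.decaf` is not the `<= X.Y.Z` constraint form every other template in this commit uses. Suggest comparing the numeric part only, `compare_versions(version, '<= 5.0.22')`, and testing the template against a readme body containing `Stable tag: 5.0.22.decaf` before it is relied on. Secondary: `description:` is empty, `cvss-metrics`, `cvss-score` and `cve-id` are blank and `shodan-query: 'vuln:'` is an empty query, yet the template is tagged `cve`; fill the fields from the Wordfence entry in `reference` or drop the `cve` tag so scanner output is not misleading. The two `version` extractors (one `internal: true`, one not) are identical; a single non-internal extractor is enough.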
59 changes: 59 additions & 0 deletions poc/backup/snapshot-backup.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
id: snapshot-backup

info:
name: >
Snapshot Backup <= 2.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
author: topscoder
severity: medium
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b467fc26-242f-47c4-bcfd-38980489a0c3?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/snapshot-backup/"
google-query: inurl:"/wp-content/plugins/snapshot-backup/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,snapshot-backup,medium

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/snapshot-backup/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "snapshot-backup"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 2.1.1')
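Review bot: `id: snapshot-backup` in this hunk lacks the hash suffix the other new templates in this commit carry (`event-espresso-decaf-22176fe8…`, `CVE-2022-1206-72f3efe3…`), so a second template for the same plugin would collide on id; keep the naming convention consistent. As in the other readme-based templates, `description:`, `cvss-metrics`, `cvss-score` and `cve-id` are blank while the template is tagged `cve`, and `shodan-query` is an empty `vuln:`; fill them from the linked Wordfence entry or drop the tag. Also check that the plugin's readme.txt actually contains the literal slug `snapshot-backup` that the word matcher requires; if the readme only uses the display name "Snapshot Backup", every install is a false negative, and the 200 on the plugin's own readme URL is already the fingerprint. Finally, a match here is an advertised version at or below 2.1.1, not a demonstrated CSRF-to-stored-XSS; worth saying so in `description` so triage does not overstate it.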
17 changes: 8 additions & 9 deletions poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml
Original file line number Diff line number Diff line change
@@ -1,25 +1,24 @@
id: django-debug-exposure

info:
name: Django Debug Exposure
author: shelled
severity: medium
author: geeknik
reference: https://twitter.com/Alra3ees/status/1397660633928286208
severity: high
tags: django,exposure

requests:
- method: POST
path:
- "{{BaseURL}}/admin/login/?next=/admin/"

matchers-condition: and
matchers:
- type: status
status:
- 403

- 500
- type: word
part: body
words:
- 'seeing the help section of this page because you have <code>DEBUG ='
- 'True</code>'
- "DB_HOST"
- "DB_NAME"
- "DJANGO"
- "ADMIN_PASSWORD"
condition: and
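Review bot: the rewritten word matcher at the end of this hunk requires all four of `"DB_HOST"`, `"DB_NAME"`, `"DJANGO"` and `"ADMIN_PASSWORD"` (`condition: and`) in a 500 body, which turns a generic debug-page check into a fingerprint of one particular deployment's environment: a Django site with `DEBUG = True` whose environment defines no `ADMIN_PASSWORD` or `DB_HOST` will be reported clean. The dropped matcher (`403` plus `seeing the help section of this page because you have <code>DEBUG =` / `True</code>`) matched Django's own CSRF-failure help text, which every debug-enabled install returns for an unauthenticated POST to `/admin/login/` without a CSRF token, and that is what the file name `django-debug-exposure-csrf.yaml` refers to; the request is unchanged, and nothing in the hunk shows what would make that POST return 500 instead of 403. Suggest keeping the 403/help-text pair as the primary check (it depends on no site-specific secrets) and, if the 500 traceback variant is wanted, matching on text Django itself emits in its technical 500 page with `condition: or` across a short list, rather than on environment-variable names. Smaller points: `id: django-debug-exposure` no longer matches the file name and will clash with any other template of that id in the same run; `reference:` is a bare string while the other templates in this commit use a list; and `requests:` is the pre-v3 key where the other files use `http:`.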
59 changes: 59 additions & 0 deletions poc/cve/CVE-2022-1206-72f3efe3c37f1b1e3da1c1576bb63644.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
id: CVE-2022-1206-72f3efe3c37f1b1e3da1c1576bb63644

info:
name: >
AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload
author: topscoder
severity: low
description: >
The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9f92219a-e07e-422d-a9f2-dbe4fbcd5f55?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2022-1206
metadata:
fofa-query: "wp-content/plugins/adrotate/"
google-query: inurl:"/wp-content/plugins/adrotate/"
shodan-query: 'vuln:CVE-2022-1206'
tags: cve,wordpress,wp-plugin,adrotate,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/adrotate/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "adrotate"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 5.13.2')
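Review bot: this template is byte-for-byte the same as `poc/cve/CVE-2022-1206.yaml` added in the same commit, apart from the `id` suffix, so both will run and report every matching host twice; keep one and delete the other. Also `severity: low` and the `low` tag sit next to `cvss-metrics` with `PR:H` and `cvss-score: 7.2`; if the downgrade is deliberate because the prerequisite is an administrator account (which the description states), say so in `description`, otherwise align severity with the score. The check itself only reads `Stable tag` from readme.txt, so a match means "version at or below 5.13.2 advertised", not that `adrotate_insert_media()` is reachable or that the server executes the first extension; the description should say this is a version inference.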
59 changes: 59 additions & 0 deletions poc/cve/CVE-2022-1206.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
id: CVE-2022-1206

info:
name: >
AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload
author: topscoder
severity: low
description: >
The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9f92219a-e07e-422d-a9f2-dbe4fbcd5f55?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2022-1206
metadata:
fofa-query: "wp-content/plugins/adrotate/"
google-query: inurl:"/wp-content/plugins/adrotate/"
shodan-query: 'vuln:CVE-2022-1206'
tags: cve,wordpress,wp-plugin,adrotate,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/adrotate/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "adrotate"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 5.13.2')
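Review bot: exact duplicate of `poc/cve/CVE-2022-1206-72f3efe3c37f1b1e3da1c1576bb63644.yaml` in this same commit, differing only in `id: CVE-2022-1206`; two templates with identical requests and matchers double every finding for this plugin. Pick the naming scheme the repository wants (hash-suffixed or plain CVE id) and drop the other file rather than carrying both.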
59 changes: 59 additions & 0 deletions poc/cve/CVE-2023-2987-0525060cce1946c27a3697cc1520f683.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
id: CVE-2023-2987-0525060cce1946c27a3697cc1520f683

info:
name: >
Wordapp <= 1.6.0 - Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
author: topscoder
severity: high
description: >
The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on the 'wa_pdx_op_config_set' function in versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to the plugin to change the 'validation_token' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/80440bfa-4a02-4441-bbdb-52d7dd065a9d?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-2987
metadata:
fofa-query: "wp-content/plugins/wordapp/"
google-query: inurl:"/wp-content/plugins/wordapp/"
shodan-query: 'vuln:CVE-2023-2987'
tags: cve,wordpress,wp-plugin,wordapp,high

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/wordapp/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "wordapp"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.6.0')
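Review bot: `severity: high` and the `high` tag contradict the vector the template itself records, `AV:N/AC:L/PR:N` with `cvss-score: 9.8`: an unauthenticated config overwrite that yields an admin access URL is critical by that metric, so either raise the severity or note in `description` why it was lowered. The description sentence "makes it possible for unauthenticated attackers to the plugin to change the 'validation_token'" is missing a word; if it is quoted from Wordfence, quote it verbatim and fix the wording upstream, otherwise correct it here. As with the other templates, detection is a `Stable tag` read from readme.txt and never touches `wa_pdx_op_config_set`, so a hit is a version inference; a confirmation step is needed before triage treats it as exploitable.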