diff --git a/date.txt b/date.txt index 7f899e9ca4..78339c045d 100644 --- a/date.txt +++ b/date.txt @@ -1 +1 @@ -20241024 +20241025 diff --git a/poc.txt b/poc.txt index f434b1adf6..93332fba0a 100644 --- a/poc.txt +++ b/poc.txt @@ -2157,6 +2157,7 @@ ./poc/auth/author-chat-plugin.yaml ./poc/auth/author-chat.yaml ./poc/auth/author-discussion-c25b3390c286e55908824809769541c8.yaml +./poc/auth/author-discussion.yaml ./poc/auth/authorization-header-secrets.yaml ./poc/auth/authorizenet-payment-gateway-for-woocommerce-1e9ec360d46e3b0f5c34b40b9dc888cb.yaml ./poc/auth/authorizenet-payment-gateway-for-woocommerce.yaml @@ -6120,6 +6121,7 @@ ./poc/aws/CVE-2024-5807-48aa8ec2a268d9df77455ed1544a27dd.yaml ./poc/aws/CVE-2024-7624-ebfd9e3cba7ebe22ec232d00cda9ba4f.yaml ./poc/aws/CVE-2024-8505-83a08aab53494aec2ab7878bf97aab78.yaml +./poc/aws/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml ./poc/aws/CVE-2024-9214-15d13cf5003c02ec255d03e8e2676c45.yaml ./poc/aws/CVE-2024-9436-72a457058cb05b316cebd946dd84ec21.yaml ./poc/aws/CVE-2024-9519-3ec20334c310bfd5a54adeb128ccb5a1.yaml @@ -33548,8 +33550,10 @@ ./poc/cve/CVE-2024-10002.yaml ./poc/cve/CVE-2024-10003-80927643a11133e8ee1977195d97aaa0.yaml ./poc/cve/CVE-2024-10003.yaml +./poc/cve/CVE-2024-10011-eefe8c0c540af6a79376e37c4cbbfad9.yaml ./poc/cve/CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a.yaml ./poc/cve/CVE-2024-10014.yaml +./poc/cve/CVE-2024-10016-178761d7d6f8e5f5807de98de6404c48.yaml ./poc/cve/CVE-2024-10040-ee8183e3617c63ac904e5e710044f265.yaml ./poc/cve/CVE-2024-10040.yaml ./poc/cve/CVE-2024-10045-b4e327038c9d97f0951cbe31ae85ae95.yaml @@ -33557,6 +33561,7 @@ ./poc/cve/CVE-2024-10049-5634711959b0699a5bdae8c67ef9be92.yaml ./poc/cve/CVE-2024-10049.yaml ./poc/cve/CVE-2024-10050-5934ca333400ff14e6c956e88c6fcdd7.yaml +./poc/cve/CVE-2024-10050.yaml ./poc/cve/CVE-2024-10055-a7567bb6df1c6f932e81f3fa194c2a29.yaml ./poc/cve/CVE-2024-10055.yaml ./poc/cve/CVE-2024-10057-3619138af4b1755697a61cf7520ca3e3.yaml 
@@ -33567,15 +33572,24 @@ ./poc/cve/CVE-2024-10079.yaml ./poc/cve/CVE-2024-10080-e752dddf0fc4544c6494ed49850e78fe.yaml ./poc/cve/CVE-2024-10080.yaml +./poc/cve/CVE-2024-10112-b49134293bd607a2527227eff1da1897.yaml +./poc/cve/CVE-2024-10148-66e8a68a811d5893a9baabebb92f1d1e.yaml +./poc/cve/CVE-2024-10150-430c4ec0389798d1691a4f250437c712.yaml ./poc/cve/CVE-2024-10176-5fa3a3e54fe7dc27a4441a8eb1a55212.yaml +./poc/cve/CVE-2024-10176.yaml ./poc/cve/CVE-2024-10180-cda9906f3b0afcef720a2edb145ba669.yaml +./poc/cve/CVE-2024-10180.yaml ./poc/cve/CVE-2024-10189-c70ac469531f5752b3a747a22314dda8.yaml ./poc/cve/CVE-2024-10189.yaml ./poc/cve/CVE-2024-1021.yaml ./poc/cve/CVE-2024-10250-381303a6df453508271ce4a14d6f5e15.yaml ./poc/cve/CVE-2024-10250.yaml +./poc/cve/CVE-2024-10341-f9f2b1daeef7d31a7252cb1ebc44b526.yaml +./poc/cve/CVE-2024-10342-4c9fa17231c31987f79d558b7b883e9d.yaml +./poc/cve/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml ./poc/cve/CVE-2024-1037-b7f7f3d961a0c33ea429c4b0e05a6902.yaml ./poc/cve/CVE-2024-1037.yaml +./poc/cve/CVE-2024-10374-0f08cd74cdc8b699792d2afd2c3f92eb.yaml ./poc/cve/CVE-2024-1038-09acb945d02620d1c14081c7f022392a.yaml ./poc/cve/CVE-2024-1038.yaml ./poc/cve/CVE-2024-1041-4d41bff9bd3d73f09dd9d25dcb4b1efa.yaml @@ -42010,6 +42024,7 @@ ./poc/cve/CVE-2024-48023-46eb55dd5256b43b1683f15c0267076d.yaml ./poc/cve/CVE-2024-48023.yaml ./poc/cve/CVE-2024-48024-026d31d33246acc9d70dccccb6421f1b.yaml +./poc/cve/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml ./poc/cve/CVE-2024-48024.yaml ./poc/cve/CVE-2024-48025-6cd3b5b51f7c36d669654b11d9494954.yaml ./poc/cve/CVE-2024-48025.yaml @@ -42247,6 +42262,7 @@ ./poc/cve/CVE-2024-49275-d0867f09d6bc9d4b2b2d53a8ecdfb98b.yaml ./poc/cve/CVE-2024-49275.yaml ./poc/cve/CVE-2024-49276-d0d5e19e02d2760dc06120052076f002.yaml +./poc/cve/CVE-2024-49276-e9ed620857fc589be2b05034e4af0e8d.yaml ./poc/cve/CVE-2024-49276.yaml ./poc/cve/CVE-2024-49277-ed3c0f9bf8f0337647ab8c21c34a7ab8.yaml ./poc/cve/CVE-2024-49277.yaml 
@@ -42298,6 +42314,7 @@ ./poc/cve/CVE-2024-49304-e71f19919b4a870fa986fb3394551a41.yaml ./poc/cve/CVE-2024-49304.yaml ./poc/cve/CVE-2024-49305-ec750a30a095a0ecaf36eb7e4f2b32f3.yaml +./poc/cve/CVE-2024-49305-eef0a3090d6461b4ef311ea325c26686.yaml ./poc/cve/CVE-2024-49305.yaml ./poc/cve/CVE-2024-49306-0bb0318ccc4bea732c4bdca26fccb3c9.yaml ./poc/cve/CVE-2024-49306-1cdf03661e0a2c823137f9050fb9576e.yaml 
@@ -42382,37 +42399,55 @@ ./poc/cve/CVE-2024-49605-abe76096c63236f66bbd33eb9323c5ac.yaml ./poc/cve/CVE-2024-49605.yaml ./poc/cve/CVE-2024-49606-3a5428d0c0dbbfb9c56723d7c29c054a.yaml +./poc/cve/CVE-2024-49606.yaml ./poc/cve/CVE-2024-49607-64ce57671b0289ab72a7e0f383ac1ffa.yaml ./poc/cve/CVE-2024-49607.yaml ./poc/cve/CVE-2024-49608-5bdd9a09bdee1e9bcca9b0b0a36370f6.yaml +./poc/cve/CVE-2024-49608.yaml ./poc/cve/CVE-2024-49609-1ea128eca503bd3621e2636fd3b0a24d.yaml +./poc/cve/CVE-2024-49609.yaml ./poc/cve/CVE-2024-49610-e276141806c90c8da1ae9ea2397c09e3.yaml ./poc/cve/CVE-2024-49610.yaml ./poc/cve/CVE-2024-49611-0b401dfd2653c6c894ca029a1f361ec1.yaml ./poc/cve/CVE-2024-49611.yaml ./poc/cve/CVE-2024-49612-ab0e18564dcdfb17730a7fc478bf7313.yaml +./poc/cve/CVE-2024-49612.yaml ./poc/cve/CVE-2024-49613-9d52a64f6a13e7b3598a56dbf69e235d.yaml +./poc/cve/CVE-2024-49613.yaml ./poc/cve/CVE-2024-49614-c03cd20dc1c204f9536ac90d5ad5818e.yaml +./poc/cve/CVE-2024-49614.yaml ./poc/cve/CVE-2024-49615-5d7e01b7caf2b90a62ab7962d1b13798.yaml +./poc/cve/CVE-2024-49615.yaml ./poc/cve/CVE-2024-49616-12903163177d452d2a0070223381b654.yaml +./poc/cve/CVE-2024-49616.yaml ./poc/cve/CVE-2024-49617-355981a1bda96d01bbac989ca90970c9.yaml ./poc/cve/CVE-2024-49617.yaml ./poc/cve/CVE-2024-49618-c84b5655f6139af3b7f839c836c76415.yaml +./poc/cve/CVE-2024-49618.yaml ./poc/cve/CVE-2024-49619-9b063bda5ffc20eed5638994355a295f.yaml +./poc/cve/CVE-2024-49619.yaml ./poc/cve/CVE-2024-49620-25cb5951bfa413e3fdbf54ae868830c1.yaml +./poc/cve/CVE-2024-49620.yaml ./poc/cve/CVE-2024-49621-6a6ccb4664aafd1cb101e048c876f136.yaml ./poc/cve/CVE-2024-49621.yaml ./poc/cve/CVE-2024-49622-73d2f2c3cfdb388c9a00a75b116b50fd.yaml ./poc/cve/CVE-2024-49622.yaml ./poc/cve/CVE-2024-49623-0a7673acbcb990a765e0bd908a1b8fa0.yaml +./poc/cve/CVE-2024-49623.yaml ./poc/cve/CVE-2024-49624-495ca30253e950b50c4b2a0eb2ca534f.yaml +./poc/cve/CVE-2024-49624.yaml ./poc/cve/CVE-2024-49625-2ea85552517c0a3af9164c6eacdfcf6a.yaml +./poc/cve/CVE-2024-49625.yaml 
./poc/cve/CVE-2024-49626-196a719cf95eed5680108b6866258493.yaml +./poc/cve/CVE-2024-49626.yaml ./poc/cve/CVE-2024-49627-abf0710e12ac3f35c2b6783434e3dc98.yaml +./poc/cve/CVE-2024-49627.yaml ./poc/cve/CVE-2024-49628-530c491e3101f98e03550eb7d8690611.yaml +./poc/cve/CVE-2024-49628.yaml ./poc/cve/CVE-2024-49629-360991ccba57b8c46cf57fad72639fba.yaml ./poc/cve/CVE-2024-49629.yaml ./poc/cve/CVE-2024-49630-25467829e0c7dd0c8c013d9e7af1274e.yaml +./poc/cve/CVE-2024-49630.yaml ./poc/cve/CVE-2024-4969-2124add2305584b370ba2ae716fb8d1c.yaml ./poc/cve/CVE-2024-4969.yaml ./poc/cve/CVE-2024-4970-bc7600147784c57fe431c75df2da0499.yaml @@ -44355,7 +44390,9 @@ ./poc/cve/CVE-2024-8664.yaml ./poc/cve/CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b.yaml ./poc/cve/CVE-2024-8665.yaml +./poc/cve/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml ./poc/cve/CVE-2024-8667-5c098ba059ee0ed17c22f667a11637ec.yaml +./poc/cve/CVE-2024-8667.yaml ./poc/cve/CVE-2024-8668-1afc2fdebf49d39af06708ab015d11cc.yaml ./poc/cve/CVE-2024-8668.yaml ./poc/cve/CVE-2024-8669-48017cad1d0f5431615877a08826da9a.yaml @@ -44388,6 +44425,7 @@ ./poc/cve/CVE-2024-8716-43fdfe618831212c3a2e4fcf4b947494.yaml ./poc/cve/CVE-2024-8716.yaml ./poc/cve/CVE-2024-8717-f50cdd4919a31c31be7179351ebd88ee.yaml +./poc/cve/CVE-2024-8717.yaml ./poc/cve/CVE-2024-8718-bae11f6e4558979b96cf12d8205fcc15.yaml ./poc/cve/CVE-2024-8718.yaml ./poc/cve/CVE-2024-8719-11acce34bf7f1b7b222e1642931e8df6.yaml @@ -44408,6 +44446,7 @@ ./poc/cve/CVE-2024-8728.yaml ./poc/cve/CVE-2024-8729-dab7403130a298562b52429e5c9b05ed.yaml ./poc/cve/CVE-2024-8729.yaml +./poc/cve/CVE-2024-8730-7ea0964cfd16a9627cf12e4d262a7e7c.yaml ./poc/cve/CVE-2024-8730-efc3370bbeb807667af618ae74e58df1.yaml ./poc/cve/CVE-2024-8730.yaml ./poc/cve/CVE-2024-8731-17af0496f744b4928e697d3cdef20cc7.yaml 
@@ -44468,6 +44507,7 @@ ./poc/cve/CVE-2024-8800.yaml ./poc/cve/CVE-2024-8801-7af07c1fd60de2365ef9119bb4c38bf1.yaml ./poc/cve/CVE-2024-8801.yaml +./poc/cve/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml ./poc/cve/CVE-2024-8802-e9f6f582db2e920a7bf95437ee8218f9.yaml ./poc/cve/CVE-2024-8802.yaml ./poc/cve/CVE-2024-8803-df0cad41146d797b650656e79e7e9bc8.yaml @@ -44516,6 +44556,7 @@ ./poc/cve/CVE-2024-8943-4db6fcd2a35c5836041911131a498ec4.yaml ./poc/cve/CVE-2024-8943.yaml ./poc/cve/CVE-2024-8959-7dd748dcf54b4c29b81631c1b2cc1200.yaml +./poc/cve/CVE-2024-8959.yaml ./poc/cve/CVE-2024-8964-c867d6af282cfd42151c0dd0c624594f.yaml ./poc/cve/CVE-2024-8964.yaml ./poc/cve/CVE-2024-8965-591377ac4a4cf47c615cc83488de4f93.yaml @@ -44595,6 +44636,7 @@ ./poc/cve/CVE-2024-9106.yaml ./poc/cve/CVE-2024-9108-478dcd933a3ac793fed8ba9602550215.yaml ./poc/cve/CVE-2024-9108.yaml +./poc/cve/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml ./poc/cve/CVE-2024-9115-07ac47d03400519778a0be24bcd69ac7.yaml ./poc/cve/CVE-2024-9115.yaml ./poc/cve/CVE-2024-9117-acfad5d521304a0a4745f09b7afbdfed.yaml @@ -44611,6 +44653,7 @@ ./poc/cve/CVE-2024-9130.yaml ./poc/cve/CVE-2024-9146-07ff7f48d28be141c25c2ebc6ab3b6b0.yaml ./poc/cve/CVE-2024-9146.yaml +./poc/cve/CVE-2024-9156-91338f4767908f7cd3520c3ed36ee2c4.yaml ./poc/cve/CVE-2024-9156-d99e2555a7cd9c15ca6db5a16c2bbdcf.yaml ./poc/cve/CVE-2024-9156.yaml ./poc/cve/CVE-2024-9161-7df3ec5d46908dca2a1515693ac69f54.yaml @@ -44649,6 +44692,7 @@ ./poc/cve/CVE-2024-9213-dae363b473afb57d7fbb1aad2d776b3a.yaml ./poc/cve/CVE-2024-9213.yaml ./poc/cve/CVE-2024-9214-15d13cf5003c02ec255d03e8e2676c45.yaml +./poc/cve/CVE-2024-9214.yaml ./poc/cve/CVE-2024-9215-bd487c67d70329011b9510288cdc3f00.yaml ./poc/cve/CVE-2024-9215.yaml ./poc/cve/CVE-2024-9218-75beb28483214f413384b6d563c1c16a.yaml 
@@ -44676,6 +44720,7 @@ ./poc/cve/CVE-2024-9232.yaml ./poc/cve/CVE-2024-9234-a70b6d1b82b579fc4a6ae49321787247.yaml ./poc/cve/CVE-2024-9234.yaml +./poc/cve/CVE-2024-9235-9f84e172c440fa390654d1d978fbd78e.yaml ./poc/cve/CVE-2024-9237-0780221ee4da552afeda6f1d6485730c.yaml ./poc/cve/CVE-2024-9237.yaml ./poc/cve/CVE-2024-9240-e1b23a53c56acd157c1d8d507856a949.yaml @@ -44702,6 +44747,7 @@ ./poc/cve/CVE-2024-9289.yaml ./poc/cve/CVE-2024-9292-19dc703f2b0bc0aa1458f81c299d2b0a.yaml ./poc/cve/CVE-2024-9292.yaml +./poc/cve/CVE-2024-9302-a4e5e1a6797eb0268e9f6e37033f4ea7.yaml ./poc/cve/CVE-2024-9304-d4dd64df5410cc541049ece29b517fcd.yaml ./poc/cve/CVE-2024-9304.yaml ./poc/cve/CVE-2024-9305-673fe8be371d67b8a54273e3a80563a0.yaml @@ -44742,6 +44788,7 @@ ./poc/cve/CVE-2024-9373-21279f27679fbe0272aa43186143715d.yaml ./poc/cve/CVE-2024-9373.yaml ./poc/cve/CVE-2024-9374-5132ea7cc6b556a723d32caed574bb63.yaml +./poc/cve/CVE-2024-9374.yaml ./poc/cve/CVE-2024-9375-1ada64725f832858cb5e8e8b357262ef.yaml ./poc/cve/CVE-2024-9375.yaml ./poc/cve/CVE-2024-9377-eb9f54f5139e537cd6a9ac4820541be4.yaml @@ -44751,6 +44798,7 @@ ./poc/cve/CVE-2024-9382-4e97289b6d15924ff13ebdb1ff9d487d.yaml ./poc/cve/CVE-2024-9382.yaml ./poc/cve/CVE-2024-9383-a210609d66f2b087a6d8d08b197e2d73.yaml +./poc/cve/CVE-2024-9383-e6381b380c85f38b54c8d29f39ceaf78.yaml ./poc/cve/CVE-2024-9383.yaml ./poc/cve/CVE-2024-9384-45317d12b3612671d113cd9ed97a884f.yaml ./poc/cve/CVE-2024-9384.yaml @@ -44781,6 +44829,7 @@ ./poc/cve/CVE-2024-9457-72dd9bc9875b76de9e691aa9064bfa77.yaml ./poc/cve/CVE-2024-9457.yaml ./poc/cve/CVE-2024-9465.yaml +./poc/cve/CVE-2024-9488-71bbc14254aeeb3532913cac8f75c128.yaml ./poc/cve/CVE-2024-9507-698602582a898ef6e8ecf4cbadd940fc.yaml ./poc/cve/CVE-2024-9507.yaml ./poc/cve/CVE-2024-9518-feda24c489ca1e9c4a2da83d340cc3c2.yaml 
@@ -44804,6 +44853,7 @@ ./poc/cve/CVE-2024-9530-07b398de04dcd0869e7a746a60991128.yaml ./poc/cve/CVE-2024-9530.yaml ./poc/cve/CVE-2024-9531-d805c1f15e12277b02a0b5395eee6f45.yaml +./poc/cve/CVE-2024-9531.yaml ./poc/cve/CVE-2024-9538-c055e1bb3c954b4e851927865f487720.yaml ./poc/cve/CVE-2024-9538.yaml ./poc/cve/CVE-2024-9540-16b50ef118163619f4eb48f582dee59f.yaml @@ -44845,6 +44895,8 @@ ./poc/cve/CVE-2024-9593.yaml ./poc/cve/CVE-2024-9595-0c12058c023c26b1446aa326839994fd.yaml ./poc/cve/CVE-2024-9595.yaml +./poc/cve/CVE-2024-9598-e4c4282517026cf513fa420d41831fe8.yaml +./poc/cve/CVE-2024-9607-815ef285570b4259ae993f3feefc49d6.yaml ./poc/cve/CVE-2024-9610-22573cea45a3c22fba477c8e4bf581f3.yaml ./poc/cve/CVE-2024-9610.yaml ./poc/cve/CVE-2024-9611-e3d072056298fd4e81d4dfecee6ae07e.yaml @@ -44854,6 +44906,8 @@ ./poc/cve/CVE-2024-9617.yaml ./poc/cve/CVE-2024-9627-609d2082cbf88b0e9c345dfb753e9c47.yaml ./poc/cve/CVE-2024-9627.yaml +./poc/cve/CVE-2024-9628-3d855d9a00666119c6c4dc4121ccafb1.yaml +./poc/cve/CVE-2024-9630-0ce85caa78ba4624e2a8716c2971cba8.yaml ./poc/cve/CVE-2024-9634-d865b6fc0ac9d8d7dca8d3f6df89b5a1.yaml ./poc/cve/CVE-2024-9634.yaml ./poc/cve/CVE-2024-9647-7e123a97b0971ee91cbec517bbcda15d.yaml @@ -44861,6 +44915,7 @@ ./poc/cve/CVE-2024-9649-29e8bedb3d9bfa693dc072c3086eb367.yaml ./poc/cve/CVE-2024-9649.yaml ./poc/cve/CVE-2024-9650-b366e98270b7c64939bad3b88fc2f326.yaml +./poc/cve/CVE-2024-9650.yaml ./poc/cve/CVE-2024-9652-44db9961d333aa8937876e8e157f625b.yaml ./poc/cve/CVE-2024-9652.yaml ./poc/cve/CVE-2024-9656-5e11b0669cd68a7b45a069c732842ecd.yaml @@ -44871,6 +44926,7 @@ ./poc/cve/CVE-2024-9674.yaml ./poc/cve/CVE-2024-9685-162e285486f85718f1eff0c9fc075030.yaml ./poc/cve/CVE-2024-9685.yaml +./poc/cve/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml ./poc/cve/CVE-2024-9687-b374db15d58a163b3240b89c41715498.yaml ./poc/cve/CVE-2024-9687.yaml ./poc/cve/CVE-2024-9689-47104403d02f947163494ee0975df512.yaml 
@@ -44914,7 +44970,9 @@ ./poc/cve/CVE-2024-9863-c87082cf07c135fafcb187e887a8da89.yaml ./poc/cve/CVE-2024-9863.yaml ./poc/cve/CVE-2024-9864-b3c0d6192b3d9a18f1cfed6482b01b47.yaml +./poc/cve/CVE-2024-9864.yaml ./poc/cve/CVE-2024-9865-44de46ebb413c021b1f60bc0350545dc.yaml +./poc/cve/CVE-2024-9865.yaml ./poc/cve/CVE-2024-9873-c5ed80b51344fca9873ea5af2135924b.yaml ./poc/cve/CVE-2024-9873.yaml ./poc/cve/CVE-2024-9888-8bc8fdc1eaaf79b8ee4d0d77b372a40f.yaml @@ -44941,6 +44999,7 @@ ./poc/cve/CVE-2024-9940-7282ba1c7231feca51bd0ab70c139261.yaml ./poc/cve/CVE-2024-9940.yaml ./poc/cve/CVE-2024-9943-a3b0ae840384a3712aacb70aed603ec7.yaml +./poc/cve/CVE-2024-9943.yaml ./poc/cve/CVE-2024-9944-c4d693e491a7b94e2552e7400b79d0d6.yaml ./poc/cve/CVE-2024-9944.yaml ./poc/cve/CVE-2024-9947-aa2c01bce355ed9ad7b6f5ea816b09d1.yaml @@ -58258,6 +58317,7 @@ ./poc/google/google-map-generator-plugin.yaml ./poc/google/google-map-generator.yaml ./poc/google/google-map-locations-46f11d2cff6544d6074d3e7a46c048d8.yaml +./poc/google/google-map-locations.yaml ./poc/google/google-map-shortcode-4063f1a8bf231c43ac949e121b68e58d.yaml ./poc/google/google-map-shortcode-8f2d8b0e519b3bab307579ad88521aeb.yaml ./poc/google/google-map-shortcode-c96b5e793649c2acc1371c4367da3c7d.yaml @@ -62957,6 +63017,7 @@ ./poc/microsoft/saferoads-vms-login-9974.yaml ./poc/microsoft/saferoads-vms-login.yaml ./poc/microsoft/safetymails-forms-ba564ab8f1a3cdbddc62b0c8085aa5af.yaml +./poc/microsoft/safetymails-forms.yaml ./poc/microsoft/samsung-phish.yaml ./poc/microsoft/samsung-printer-default-login.yaml ./poc/microsoft/samsung-printer-detect-9993.yaml 
@@ -76943,6 +77004,7 @@ ./poc/other/accelerated-mobile-pages-005b497461a232111dda41795c980aac.yaml ./poc/other/accelerated-mobile-pages-11fc44136570c79bff71d856b125b425.yaml ./poc/other/accelerated-mobile-pages-1cd7ab4270971d6f3a02415520e864a6.yaml +./poc/other/accelerated-mobile-pages-526f65506d760c7154592ed6b352efac.yaml ./poc/other/accelerated-mobile-pages-639b426dce0f1fc69a4b02bd697bf142.yaml ./poc/other/accelerated-mobile-pages-8e93717ad227032a6b4d17f4fed875f6.yaml ./poc/other/accelerated-mobile-pages-a51f2e101ef3de86685df58296b59f39.yaml @@ -77754,6 +77816,7 @@ ./poc/other/advanced-ads-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/advanced-ads-plugin.yaml ./poc/other/advanced-ads.yaml +./poc/other/advanced-advertising-system.yaml ./poc/other/advanced-ajax-page-loader-73c51238dff4af1331aac9d91f9ae182.yaml ./poc/other/advanced-ajax-page-loader-94b986ce02c9c2e3c3d960667cb1b92d.yaml ./poc/other/advanced-ajax-page-loader.yaml @@ -78778,6 +78841,7 @@ ./poc/other/app-ads-txt.yaml ./poc/other/app-builder-09ca7744c66449f31bc03e15c2f39a87.yaml ./poc/other/app-builder-cc5b9457c52646660323bdd8a2ca0305.yaml +./poc/other/app-builder-d0dffcaa66a40dc2bcdc4d07c3a4381d.yaml ./poc/other/app-builder-eca6f7f195596103d6303d8cae661ec6.yaml ./poc/other/app-builder.yaml ./poc/other/appex-lotapp.yaml @@ -79740,6 +79804,7 @@ ./poc/other/balada-injector-malware.yaml ./poc/other/balkon-d069673e112779a96aeb6209bf69dce0.yaml ./poc/other/balkon.yaml +./poc/other/bamazoo-button-generator-5054ec6f419d465fde7a9bbb9279a5d2.yaml ./poc/other/ban-users-577363bdc084e759bd6a1dc11f3bca46.yaml ./poc/other/ban-users.yaml ./poc/other/bandcamp.yaml 
@@ -80003,6 +80068,7 @@ ./poc/other/beebee-mini-0da1828f19d05c8cce32e07b3a3bcb70.yaml ./poc/other/beebee-mini.yaml ./poc/other/beego-admin-dashboard.yaml +./poc/other/beek-widget-extention-e72e52716f8a1d9dc15935fb7386c752.yaml ./poc/other/beepress-8d5ee4ae1f99e8509a035c95d177715c.yaml ./poc/other/beepress.yaml ./poc/other/before-after-image-slider-8952d207591cbb85c149d7d8605278ff.yaml @@ -81067,6 +81133,7 @@ ./poc/other/buddypress-5abc3cfaa08aa1d49185519fbef12ac0.yaml ./poc/other/buddypress-5d00cbc0ee6c6bd42adeec07f13b5046.yaml ./poc/other/buddypress-5d1e35e1b3bb7ed1755281958616a43e.yaml +./poc/other/buddypress-5f27cc718978f95bbc28160117d5d092.yaml ./poc/other/buddypress-65fec6754ac95b9f0864aaaedd0964c3.yaml ./poc/other/buddypress-6960b8a871a135227c0527e22fcf801b.yaml ./poc/other/buddypress-6de1f057afc0f496e3da86b94d6714da.yaml @@ -82058,6 +82125,7 @@ ./poc/other/cf7-message-filter.yaml ./poc/other/cf7-multi-step-dc451ec0e984e189bd60b12f2825ad31.yaml ./poc/other/cf7-multi-step.yaml +./poc/other/cf7-repeatable-fields.yaml ./poc/other/cf7-styler-74824b1145634c3785bfd42d95e7e456.yaml ./poc/other/cf7-styler-e297bfd236247c466d664fb85745e474.yaml ./poc/other/cf7-styler-for-divi-c0edda9b92d4b0c62161180425cab74e.yaml @@ -85677,6 +85745,7 @@ ./poc/other/duplicate-theme-435d41ab059b131da9c58303fe4dce25.yaml ./poc/other/duplicate-theme.yaml ./poc/other/duplicate-title-validate-b43f6f422ad6849c68612dc662fefe51.yaml +./poc/other/duplicate-title-validate.yaml ./poc/other/duplicator-06a9028cbc1cbce76e98bbe2457c5643.yaml ./poc/other/duplicator-19cde58e6a77d3a32e1bc88e020b23a5.yaml ./poc/other/duplicator-2cefe1c60551091898d865333a36cad4.yaml @@ -88095,6 +88164,7 @@ ./poc/other/femr.yaml ./poc/other/fengyunqifei-firim.yaml ./poc/other/ferma-ru-net-checkout-b09b8408f580ee9f68cd1f5fd79929bb.yaml +./poc/other/ferma-ru-net-checkout.yaml ./poc/other/festos.yaml ./poc/other/fetch-jft-75bf15fb9e1156e27e8d1185e2ed4722.yaml ./poc/other/fetch-jft.yaml 
@@ -88430,6 +88500,7 @@ ./poc/other/flexible-shipping-f15de3254f4cc9f5839892856607205d.yaml ./poc/other/flexible-shipping-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/flexible-shipping-plugin.yaml +./poc/other/flexible-shipping-ups-81fa7ec035fed91b2dce3c153ee54628.yaml ./poc/other/flexible-shipping-ups-b9c4d9a295ec61321ee829a8fb5a9f09.yaml ./poc/other/flexible-shipping-ups.yaml ./poc/other/flexible-shipping-usps-e9e36a60529338c1efcb1cc580097e2b.yaml @@ -89638,6 +89709,7 @@ ./poc/other/geotrust-cert.yaml ./poc/other/gerpgo-erp.yaml ./poc/other/gerryworks-post-by-mail-62cdc36b710ba7de69f0c2cc3cc9e710.yaml +./poc/other/gerryworks-post-by-mail.yaml ./poc/other/gespage-panel-7605.yaml ./poc/other/gespage-panel-7606.yaml ./poc/other/gespage-panel.yaml @@ -93272,6 +93344,8 @@ ./poc/other/leaflet-maps-marker-pro-plugin.yaml ./poc/other/leaflet-maps-marker-pro.yaml ./poc/other/leaflet-maps-marker.yaml +./poc/other/league-of-legends-shortcodes-18aa008d427ba0ab00e482b3b0ad3be0.yaml +./poc/other/league-of-legends-shortcodes-f987b27d0774c0d4f28fd011de2278fd.yaml ./poc/other/league-table-lite.yaml ./poc/other/leaguemanager-5c96dd0a1d010a9f5eb176899526427e.yaml ./poc/other/leaguemanager-79b4a297a70112de1ef5037d30baf467.yaml @@ -95977,6 +96051,7 @@ ./poc/other/mytube-6138c1e6d04acc1cb3532231044d8f24.yaml ./poc/other/mytube.yaml ./poc/other/mytweetlinks-06f8496e81bd7910f90de935fe074979.yaml +./poc/other/mytweetlinks.yaml ./poc/other/n2ws.yaml ./poc/other/n8n-panel.yaml ./poc/other/nabble.yaml @@ -97239,6 +97314,7 @@ ./poc/other/order-delivery-date-59ae59859af5b6f88e2cd4c64e405151.yaml ./poc/other/order-delivery-date-7cd2f383add42b0e1770984e4c63b228.yaml ./poc/other/order-delivery-date.yaml +./poc/other/order-notification-for-telegram-885b4503787511c543bb6855aef08767.yaml ./poc/other/order-tip-woo-6d652f6ad2f3c9b1f06ccbe3893a77e6.yaml ./poc/other/order-tip-woo.yaml ./poc/other/order-tracking-5037beb9137c4e706f510e0cc7013be0.yaml 
@@ -100085,6 +100161,7 @@ ./poc/other/rate-my-post-plugin.yaml ./poc/other/rate-my-post.yaml ./poc/other/rate-own-post-91063d4ac8509c96b895f0b07d545460.yaml +./poc/other/rate-own-post.yaml ./poc/other/rate-star-review-297909caf104b9b2d652d6a9796a1ec6.yaml ./poc/other/rate-star-review.yaml ./poc/other/rating-bws-71160249f3ff918399d1d8aecde446c3.yaml @@ -101966,6 +102043,7 @@ ./poc/other/sermon-browser-plugin.yaml ./poc/other/sermon-browser.yaml ./poc/other/sermonaudio-widgets-395464819182b0d860378632e14d7814.yaml +./poc/other/sermonaudio-widgets.yaml ./poc/other/sermone-online-sermons-management-139bef5b5213790e12b84be388a01e90.yaml ./poc/other/sermone-online-sermons-management-ac4f5accf552b47da6372afb9d7587f2.yaml ./poc/other/sermone-online-sermons-management-bfa9ab2fb59c68ac75236e3a4b163b91.yaml @@ -102188,6 +102266,7 @@ ./poc/other/shipping-labels-for-woo-0cbf14291d4583ffd61b35718dfcb26d.yaml ./poc/other/shipping-labels-for-woo.yaml ./poc/other/shipyaari-shipping-managment-f55875c06713cd179f47b536bfa29e82.yaml +./poc/other/shipyaari-shipping-managment.yaml ./poc/other/shokoserver.yaml ./poc/other/shop7z.yaml ./poc/other/shop_builder-mallbuilder.yaml @@ -102344,6 +102423,7 @@ ./poc/other/shoutbox-theme-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/shoutbox-theme.yaml ./poc/other/shoutbox.yaml +./poc/other/shoutcast-icecast-html5-radio-player-dea29291f8f4b3d4798ec5a1427f8216.yaml ./poc/other/shoutcast-server-10217.yaml ./poc/other/shoutcast-server-10218.yaml ./poc/other/shoutcast-server.yaml @@ -102512,6 +102592,7 @@ ./poc/other/simple-cloudflare-turnstile-81dcb84be5e4c162eb1957d7c05c0add.yaml ./poc/other/simple-cloudflare-turnstile.yaml ./poc/other/simple-code-insert-shortcode-dcc74d04b7c37d2d98d8a27da22cf426.yaml +./poc/other/simple-code-insert-shortcode.yaml ./poc/other/simple-csv-xls-exporter-f2a9e8ace27464af0d9b07c29aa3fa1c.yaml ./poc/other/simple-csv-xls-exporter.yaml ./poc/other/simple-custom-post-order.yaml 
@@ -102677,6 +102758,7 @@ ./poc/other/simple-membership.yaml ./poc/other/simple-nav-archives-6fd489547fc918639f5e673223cd710b.yaml ./poc/other/simple-nav-archives.yaml +./poc/other/simple-news-255def006aa11dd7cff8831e3d71b7b6.yaml ./poc/other/simple-org-chart-11ce1c2850e056152ce51409c1527728.yaml ./poc/other/simple-org-chart-76ee77ce8284ca42a790472577f97109.yaml ./poc/other/simple-org-chart.yaml @@ -104583,6 +104665,7 @@ ./poc/other/svs-pricing-tables-77b76a5766c08f60528e62ba3a17993c.yaml ./poc/other/svs-pricing-tables.yaml ./poc/other/sw-contact-form-bf825e98290aae61050ba648f4e1e69d.yaml +./poc/other/sw-contact-form.yaml ./poc/other/sw-product-bundles-5deb878530e34cc3cfcf5df5ab0ce685.yaml ./poc/other/sw-product-bundles.yaml ./poc/other/swagger-09560a4b06d5c78595084e41c3b1913b.yaml @@ -116370,6 +116453,7 @@ ./poc/social/social-kit-ff9293ba28748efa2ab9a2fe77385468.yaml ./poc/social/social-kit.yaml ./poc/social/social-link-groups-e11ebd6a0576cc6dd732933da845c3d2.yaml +./poc/social/social-link-groups.yaml ./poc/social/social-link-pages-3c85cae5d472762ffdcd77ebd5a645f0.yaml ./poc/social/social-link-pages.yaml ./poc/social/social-locker-3a38ee16e0f62829b4ad2c21f2f41220.yaml @@ -116672,6 +116756,7 @@ ./poc/social/wd-facebook-feed-c63cc25c301d398c295d5ec6d8a30eb4.yaml ./poc/social/wd-facebook-feed-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/social/wd-facebook-feed-da480e5cdc80b1085a96b4fdebe2bbce.yaml +./poc/social/wd-facebook-feed-dce3723535fd3999bc0316d05545981a.yaml ./poc/social/wd-facebook-feed-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/social/wd-facebook-feed-plugin.yaml ./poc/social/wd-facebook-feed.yaml 
@@ -118144,6 +118229,7 @@ ./poc/sql/CVE-2024-0972-d643db18054b1dd86be768803ada8c1e.yaml ./poc/sql/CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a.yaml ./poc/sql/CVE-2024-10180-cda9906f3b0afcef720a2edb145ba669.yaml +./poc/sql/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml ./poc/sql/CVE-2024-1046-bfec7425f9f443824c4a93511a98dbc5.yaml ./poc/sql/CVE-2024-1047-68db58e698228b42f923e1452fb395bc.yaml ./poc/sql/CVE-2024-1049-0e66fa189b7475aa8bef5ee2db21f9f7.yaml @@ -118651,6 +118737,7 @@ ./poc/sql/CVE-2024-47645-107ee6912b6dbf8ebc560bd5f696aa95.yaml ./poc/sql/CVE-2024-4779-2538af254bdbffcd0c4f76bfdaf81c5f.yaml ./poc/sql/CVE-2024-4789-db4647af61ca31063be76c6f44a638fb.yaml +./poc/sql/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml ./poc/sql/CVE-2024-48039-883dbbd880643eda64a8a99bdab006e4.yaml ./poc/sql/CVE-2024-48040-7e3656b3612f7c9ba3d5478ddbb0a10f.yaml ./poc/sql/CVE-2024-48045-dbafc3ae68879dd92381c461637e1cad.yaml @@ -118802,6 +118889,7 @@ ./poc/sql/CVE-2024-8740-b2d2025fc8d62dbeaa509a90233bcea6.yaml ./poc/sql/CVE-2024-8795-3332712efb7806b1aa3560db5575e663.yaml ./poc/sql/CVE-2024-8800-24174edddc1bdbea66c89ab990604404.yaml +./poc/sql/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml ./poc/sql/CVE-2024-8802-e9f6f582db2e920a7bf95437ee8218f9.yaml ./poc/sql/CVE-2024-8872-af9dba20c77deb90e6dc21e6e1a04408.yaml ./poc/sql/CVE-2024-8914-a880cd2d5e4d4bdbe19c9508e28fe443.yaml @@ -118812,6 +118900,7 @@ ./poc/sql/CVE-2024-9027-ec1d14f9cf6c519b7d592b0e7e7d1db1.yaml ./poc/sql/CVE-2024-9068-c94ef37fc347edbfd98673bfe3ff6156.yaml ./poc/sql/CVE-2024-9071-e914db5d977654920beab727cf0bbfaf.yaml +./poc/sql/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml ./poc/sql/CVE-2024-9127-fbead61baaa4b799b72adbd8da23591e.yaml ./poc/sql/CVE-2024-9156-d99e2555a7cd9c15ca6db5a16c2bbdcf.yaml ./poc/sql/CVE-2024-9210-05b930cdba52007cfc2ab2432260ceb1.yaml 
@@ -118825,6 +118914,7 @@ ./poc/sql/CVE-2024-9587-9addb86845d8c338383a9caf97ac21e2.yaml ./poc/sql/CVE-2024-9649-29e8bedb3d9bfa693dc072c3086eb367.yaml ./poc/sql/CVE-2024-9652-44db9961d333aa8937876e8e157f625b.yaml +./poc/sql/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml ./poc/sql/CVE-2024-9687-b374db15d58a163b3240b89c41715498.yaml ./poc/sql/CVE-2024-9704-f21a430d525f14c5222622c2499dbc1f.yaml ./poc/sql/CVE-2024-9776-b87b3db31f1eda93892f1d85c0aa0846.yaml @@ -120656,6 +120746,7 @@ ./poc/sql/felici-e83986bdda01c6cbf916db6f349af367.yaml ./poc/sql/file-manager-38267cacb7d16b0f0dbad9cdccc3b164.yaml ./poc/sql/file-manager-5afc1d5d5506db51958aa1cb25998e9c.yaml +./poc/sql/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml ./poc/sql/fileorganizer-d129dcd91671ee29c3cf5545f48db813.yaml ./poc/sql/filmix-09180f4ff94074ad413e55c77fdb25a4.yaml ./poc/sql/filr-protection-6477bf18cad6c823db485408d49b337b.yaml @@ -126083,6 +126174,7 @@ ./poc/upload/file-renaming-on-upload-8b86b16b577fc8a0a50e073d4dde668f.yaml ./poc/upload/file-renaming-on-upload.yaml ./poc/upload/file-upload-poc.yaml +./poc/upload/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml ./poc/upload/file-upload.yaml ./poc/upload/fine-report-v9-file-upload.yaml ./poc/upload/flink-upload-rce.yaml @@ -129146,6 +129238,7 @@ ./poc/wordpress/mappress-google-maps-for-wordpress-c2f7d5e7ad588a45b067c408f7c06c5a.yaml ./poc/wordpress/mappress-google-maps-for-wordpress.yaml ./poc/wordpress/mapster-wp-maps-461ea30f42ad696e5f4caf7ead9ea09c.yaml +./poc/wordpress/mapster-wp-maps-d4ffe72e619c5820adacd75a0bb10771.yaml ./poc/wordpress/mapster-wp-maps.yaml ./poc/wordpress/mas-wp-job-manager-company-91a354031afaf753cd10201b4ae5dcc0.yaml ./poc/wordpress/mas-wp-job-manager-company.yaml 
@@ -130887,6 +130980,7 @@ ./poc/wordpress/wp-autosearch-3013221bec1e8c080cfd4c6fa44a7c60.yaml ./poc/wordpress/wp-autosearch.yaml ./poc/wordpress/wp-autosuggest-sql-injection.yaml +./poc/wordpress/wp-awesome-buttons-2820dda94c4351eb470773e65bbd82be.yaml ./poc/wordpress/wp-awesome-faq-1810de92410b9d284ddfb8d8e8243d17.yaml ./poc/wordpress/wp-awesome-faq-6477bf18cad6c823db485408d49b337b.yaml ./poc/wordpress/wp-awesome-faq-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -132450,6 +132544,7 @@ ./poc/wordpress/wp-image-resizer-plugin.yaml ./poc/wordpress/wp-image-resizer.yaml ./poc/wordpress/wp-image-seo-eebce0c30352e4cca6bb856d6d8562e7.yaml +./poc/wordpress/wp-image-seo.yaml ./poc/wordpress/wp-image-slideshow-63cff07c44f51ee0cb01e0d4559aa088.yaml ./poc/wordpress/wp-image-slideshow.yaml ./poc/wordpress/wp-image-zoooom-3bec8bee8868db732e1243da0a109cc4.yaml @@ -132945,6 +133040,7 @@ ./poc/wordpress/wp-megamenu.yaml ./poc/wordpress/wp-members-0e06bc303271d3dd0f159fde6a16d15c.yaml ./poc/wordpress/wp-members-0fd5b42d78c1a98ecec129bb96c7eb8b.yaml +./poc/wordpress/wp-members-59670ea7d44b96f3df6e11e0f647119e.yaml ./poc/wordpress/wp-members-68898d38b159910b419ff6b80fce35d1.yaml ./poc/wordpress/wp-members-717b0afc7b43636298c4b517aad93014.yaml ./poc/wordpress/wp-members-781becd8802ecb7a3973540abce2fd01.yaml @@ -135295,6 +135391,7 @@ ./poc/wordpress/wpdiscuz-6dbcda9f09ff7fb78bf303a3ce8d46ac.yaml ./poc/wordpress/wpdiscuz-708d4486febfeff4ee31f3de1dd4ff0c.yaml ./poc/wordpress/wpdiscuz-7a39fd43a97eca966277c8ad1c9970b6.yaml +./poc/wordpress/wpdiscuz-7cbc80d769cb97ee802ffdd473bcb597.yaml ./poc/wordpress/wpdiscuz-9c5a3f3b318625337d2b871fc64c7c36.yaml ./poc/wordpress/wpdiscuz-a42f4ce2b9027a5c9be1ce5900971b7e.yaml ./poc/wordpress/wpdiscuz-a5c14194a10e4de17487eed4cfc93434.yaml 
@@ -135710,6 +135807,8 @@ ./poc/wordpress/wps-limit-login-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wps-limit-login-plugin.yaml ./poc/wordpress/wps-limit-login.yaml +./poc/wordpress/wps-telegram-chat-c99dc0e9b6c07bc33ceba80191e0b070.yaml +./poc/wordpress/wps-telegram-chat-fe8838c35b67483d2b19c523bf1ada01.yaml ./poc/wordpress/wpsc-mijnpress-1b437444ff9f0898de1740f2ca9ba3de.yaml ./poc/wordpress/wpsc-mijnpress-88f999c241defacacacaad6f64e55e70.yaml ./poc/wordpress/wpsc-mijnpress-d41d8cd98f00b204e9800998ecf8427e.yaml diff --git a/poc/auth/author-discussion.yaml b/poc/auth/author-discussion.yaml new file mode 100644 index 0000000000..839039b24c --- /dev/null +++ b/poc/auth/author-discussion.yaml @@ -0,0 +1,59 @@ +id: author-discussion + +info: + name: > + Author Discussion <= 0.2.2 - Authenticated (Subscriber+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcc8b94-6ed3-4784-93f3-ec1654d197bd?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/author-discussion/" + google-query: inurl:"/wp-content/plugins/author-discussion/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,author-discussion,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/author-discussion/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "author-discussion" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.2.2') \ No newline at end of file 
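Review bot: In the new poc/auth/author-discussion.yaml, `description: >` is left empty and `cvss-metrics:`, `cvss-score:` and `cve-id:` are bare keys that parse as null, yet the template still carries a `cve` tag and `shodan-query: 'vuln:'` with no identifier behind them; either fill these from the Wordfence advisory linked under `reference` or drop the `cve` tag and the empty `classification` block so consumers filtering on `cve-id` do not receive a null. The check itself only extracts `Stable tag` from readme.txt and evaluates `compare_versions(version, '<= 0.2.2')`, so a match is a vulnerable-version fingerprint rather than a confirmed injection; say so in the description, e.g. `description: Version-based detection via readme.txt Stable tag for Author Discussion <= 0.2.2; the SQL injection itself is not exercised.` The `severity: low` for an authenticated (Subscriber+) SQL injection may be an artefact of the missing CVSS data — confirm against the advisory before publishing. The file also ends without a trailing newline.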
diff --git a/poc/aws/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml b/poc/aws/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml
new file mode 100644
index 0000000000..0f55ca95d7
--- /dev/null
+++ b/poc/aws/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3 + +info: + name: > + Shoutcast Icecast HTML5 Radio Player <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Shoutcast Icecast HTML5 Radio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'html5radio' shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7e870ae2-abae-457a-b3d1-75a96ec09d41?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8666 + metadata: + fofa-query: "wp-content/plugins/shoutcast-icecast-html5-radio-player/" + google-query: inurl:"/wp-content/plugins/shoutcast-icecast-html5-radio-player/" + shodan-query: 'vuln:CVE-2024-8666' + tags: cve,wordpress,wp-plugin,shoutcast-icecast-html5-radio-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/shoutcast-icecast-html5-radio-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "shoutcast-icecast-html5-radio-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.6') \ No newline at end of file 
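Review bot: `severity: low` contradicts `cvss-score: 6.4`, which sits in the CVSS v3.1 Medium band (4.0–6.9), and the same word is baked into `tags`, so anything that filters or sorts findings by severity mis-buckets this template. The same mismatch is present in the hunks for CVE-2024-10011 (8.1, a High score labelled low), CVE-2024-10016, CVE-2024-10050, CVE-2024-10112, CVE-2024-10148, CVE-2024-10150, CVE-2024-10176, CVE-2024-10180, CVE-2024-10341 (6.5), CVE-2024-10342, CVE-2024-10343 and CVE-2024-10374, and in the opposite direction for CVE-2024-49305, where 7.5 (High) is labelled critical. If the generator copies severity from the Wordfence feed rather than deriving it from the score, a comment above `severity:` should say so; otherwise this file should read `severity: medium` and `tags: cve,wordpress,wp-plugin,shoutcast-icecast-html5-radio-player,medium`.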
diff --git a/poc/cve/CVE-2024-10011-eefe8c0c540af6a79376e37c4cbbfad9.yaml b/poc/cve/CVE-2024-10011-eefe8c0c540af6a79376e37c4cbbfad9.yaml
new file mode 100644
index 0000000000..71ad5b93b5
--- /dev/null
+++ b/poc/cve/CVE-2024-10011-eefe8c0c540af6a79376e37c4cbbfad9.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10011-eefe8c0c540af6a79376e37c4cbbfad9 + +info: + name: > + BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal + author: topscoder + severity: low + description: > + The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions. This vulnerability only affects Windows. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4327f414-64f4-4193-a5c0-2a5ecdd75e11?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + cvss-score: 8.1 + cve-id: CVE-2024-10011 + metadata: + fofa-query: "wp-content/plugins/buddypress/" + google-query: inurl:"/wp-content/plugins/buddypress/" + shodan-query: 'vuln:CVE-2024-10011' + tags: cve,wordpress,wp-plugin,buddypress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/buddypress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "buddypress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 14.1.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10016-178761d7d6f8e5f5807de98de6404c48.yaml b/poc/cve/CVE-2024-10016-178761d7d6f8e5f5807de98de6404c48.yaml new file mode 100644 index 0000000000..15b7df00a7 
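Review bot: The description says the flaw "only affects Windows", but nothing in `matchers` gates on the server platform, so a Linux host whose readme.txt reports a `Stable tag` of 14.1.0 or lower is reported for a condition the advisory says cannot occur there. readme.txt gives no reliable way to learn the OS, so the limitation belongs in the template itself; a comment above `matchers:` such as `# Version fingerprint only: the advisory limits impact to Windows servers; confirm the host OS before acting on a match.` would keep triage from chasing non-affected hosts.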
--- /dev/null +++ b/poc/cve/CVE-2024-10016-178761d7d6f8e5f5807de98de6404c48.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10016-178761d7d6f8e5f5807de98de6404c48 + +info: + name: > + File Upload Types by WPForms <= 1.4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The File Upload Types by WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/17988a66-5b48-4f57-96f8-74e539bc875e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10016 + metadata: + fofa-query: "wp-content/plugins/file-upload-types/" + google-query: inurl:"/wp-content/plugins/file-upload-types/" + shodan-query: 'vuln:CVE-2024-10016' + tags: cve,wordpress,wp-plugin,file-upload-types,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/file-upload-types/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "file-upload-types" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10050.yaml b/poc/cve/CVE-2024-10050.yaml new file mode 100644 index 0000000000..79d7d89daa 
--- /dev/null +++ b/poc/cve/CVE-2024-10050.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10050 + +info: + name: > + Elementor Header & Footer Builder <= 1.6.43 - Authenticated (Contributor+) Information Disclosure via Shortcode + author: topscoder + severity: low + description: > + The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 1.6.43 via the hfe_template shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to view the contents of Draft, Private and Password-protected posts they do not own. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/662f6ae2-2047-4bbf-b4a6-2d536051e389?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10050 + metadata: + fofa-query: "wp-content/plugins/header-footer-elementor/" + google-query: inurl:"/wp-content/plugins/header-footer-elementor/" + shodan-query: 'vuln:CVE-2024-10050' + tags: cve,wordpress,wp-plugin,header-footer-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/header-footer-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "header-footer-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.43') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10112-b49134293bd607a2527227eff1da1897.yaml b/poc/cve/CVE-2024-10112-b49134293bd607a2527227eff1da1897.yaml new file mode 100644 index 0000000000..acdecc9749 --- /dev/null 
+++ b/poc/cve/CVE-2024-10112-b49134293bd607a2527227eff1da1897.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10112-b49134293bd607a2527227eff1da1897 + +info: + name: > + Simple News <= 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode + author: topscoder + severity: low + description: > + The Simple News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'news' shortcode in all versions up to, and including, 2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/79147dad-4bce-40fb-b9c1-e211845251a0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10112 + metadata: + fofa-query: "wp-content/plugins/simple-news/" + google-query: inurl:"/wp-content/plugins/simple-news/" + shodan-query: 'vuln:CVE-2024-10112' + tags: cve,wordpress,wp-plugin,simple-news,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-news/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-news" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10148-66e8a68a811d5893a9baabebb92f1d1e.yaml b/poc/cve/CVE-2024-10148-66e8a68a811d5893a9baabebb92f1d1e.yaml
new file mode 100644
index 0000000000..219b2aa80f
--- /dev/null
+++ b/poc/cve/CVE-2024-10148-66e8a68a811d5893a9baabebb92f1d1e.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10148-66e8a68a811d5893a9baabebb92f1d1e + +info: + name: > + Awesome buttons <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via btn2 Shortcode + author: topscoder + severity: low + description: > + The Awesome buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btn2 shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/84ef25b6-8119-41e5-9959-ccdfb9893e75?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10148 + metadata: + fofa-query: "wp-content/plugins/wp-awesome-buttons/" + google-query: inurl:"/wp-content/plugins/wp-awesome-buttons/" + shodan-query: 'vuln:CVE-2024-10148' + tags: cve,wordpress,wp-plugin,wp-awesome-buttons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-awesome-buttons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-awesome-buttons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10150-430c4ec0389798d1691a4f250437c712.yaml b/poc/cve/CVE-2024-10150-430c4ec0389798d1691a4f250437c712.yaml
new file mode 100644
index 0000000000..9e0b9a4165
--- /dev/null
+++ b/poc/cve/CVE-2024-10150-430c4ec0389798d1691a4f250437c712.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10150-430c4ec0389798d1691a4f250437c712 + +info: + name: > + Bamazoo – Button Generator <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode + author: topscoder + severity: low + description: > + The Bamazoo – Button Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's dgs shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/543507a1-02de-417f-a742-7764465987b2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10150 + metadata: + fofa-query: "wp-content/plugins/bamazoo-button-generator/" + google-query: inurl:"/wp-content/plugins/bamazoo-button-generator/" + shodan-query: 'vuln:CVE-2024-10150' + tags: cve,wordpress,wp-plugin,bamazoo-button-generator,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bamazoo-button-generator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bamazoo-button-generator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10176.yaml b/poc/cve/CVE-2024-10176.yaml new file mode 100644 index 0000000000..f9b0541546 
--- /dev/null +++ b/poc/cve/CVE-2024-10176.yaml @@ -0,0 +1,60 @@ +id: CVE-2024-10176 + +info: + name: > + Compact WP Audio Player <= 1.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode + author: topscoder + severity: low + description: > + The Compact WP Audio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's + sc_embed_player shortcode in all versions up to, and including, 1.9.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bba90659-09a8-470a-91d3-d1986562672a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10176 + metadata: + fofa-query: "wp-content/plugins/compact-wp-audio-player/" + google-query: inurl:"/wp-content/plugins/compact-wp-audio-player/" + shodan-query: 'vuln:CVE-2024-10176' + tags: cve,wordpress,wp-plugin,compact-wp-audio-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/compact-wp-audio-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "compact-wp-audio-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9.13') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10180.yaml b/poc/cve/CVE-2024-10180.yaml
new file mode 100644
index 0000000000..b16f68445a
--- /dev/null
+++ b/poc/cve/CVE-2024-10180.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10180 + +info: + name: > + Contact Form 7 - Repeatable Fields <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via field_group Shortcode + author: topscoder + severity: low + description: > + The Contact Form 7 – Repeatable Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's field_group shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0782bc16-7d21-4205-af01-97e3ad3db40b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10180 + metadata: + fofa-query: "wp-content/plugins/cf7-repeatable-fields/" + google-query: inurl:"/wp-content/plugins/cf7-repeatable-fields/" + shodan-query: 'vuln:CVE-2024-10180' + tags: cve,wordpress,wp-plugin,cf7-repeatable-fields,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cf7-repeatable-fields/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cf7-repeatable-fields" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10341-f9f2b1daeef7d31a7252cb1ebc44b526.yaml b/poc/cve/CVE-2024-10341-f9f2b1daeef7d31a7252cb1ebc44b526.yaml
new file mode 100644
index 0000000000..eaf87c21f8
--- /dev/null
+++ b/poc/cve/CVE-2024-10341-f9f2b1daeef7d31a7252cb1ebc44b526.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10341-f9f2b1daeef7d31a7252cb1ebc44b526 + +info: + name: > + League of Legends Shortcodes <= 1.0.1 - Authenticated (Contributor+) SQL Injection via Shortcode + author: topscoder + severity: low + description: > + The League of Legends Shortcodes plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/22ddafad-9214-4d32-9fc3-3f3c759633ad?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2024-10341 + metadata: + fofa-query: "wp-content/plugins/league-of-legends-shortcodes/" + google-query: inurl:"/wp-content/plugins/league-of-legends-shortcodes/" + shodan-query: 'vuln:CVE-2024-10341' + tags: cve,wordpress,wp-plugin,league-of-legends-shortcodes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/league-of-legends-shortcodes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "league-of-legends-shortcodes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10342-4c9fa17231c31987f79d558b7b883e9d.yaml b/poc/cve/CVE-2024-10342-4c9fa17231c31987f79d558b7b883e9d.yaml
new file mode 100644
index 0000000000..838a373af7
--- /dev/null
+++ b/poc/cve/CVE-2024-10342-4c9fa17231c31987f79d558b7b883e9d.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10342-4c9fa17231c31987f79d558b7b883e9d + +info: + name: > + League of Legends Shortcodes <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode + author: topscoder + severity: low + description: > + The League of Legends Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/45e96aa3-97bb-4774-a1b5-5f0a7b18293e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10342 + metadata: + fofa-query: "wp-content/plugins/league-of-legends-shortcodes/" + google-query: inurl:"/wp-content/plugins/league-of-legends-shortcodes/" + shodan-query: 'vuln:CVE-2024-10342' + tags: cve,wordpress,wp-plugin,league-of-legends-shortcodes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/league-of-legends-shortcodes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "league-of-legends-shortcodes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml b/poc/cve/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml
new file mode 100644
index 0000000000..d8c9c7d8b2
--- /dev/null
+++ b/poc/cve/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492 + +info: + name: > + Beek Widget Extention <= 0.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode + author: topscoder + severity: low + description: > + The Beek Widget Extention plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4afc8de7-0d7e-4dee-972e-3eb707cd7b2b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10343 + metadata: + fofa-query: "wp-content/plugins/beek-widget-extention/" + google-query: inurl:"/wp-content/plugins/beek-widget-extention/" + shodan-query: 'vuln:CVE-2024-10343' + tags: cve,wordpress,wp-plugin,beek-widget-extention,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beek-widget-extention/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beek-widget-extention" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.9.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10374-0f08cd74cdc8b699792d2afd2c3f92eb.yaml b/poc/cve/CVE-2024-10374-0f08cd74cdc8b699792d2afd2c3f92eb.yaml
new file mode 100644
index 0000000000..1b9a6c1b84
--- /dev/null
+++ b/poc/cve/CVE-2024-10374-0f08cd74cdc8b699792d2afd2c3f92eb.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-10374-0f08cd74cdc8b699792d2afd2c3f92eb + +info: + name: > + WP-Members <= 3.4.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode + author: topscoder + severity: low + description: > + The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_loginout shortcode in all versions up to, and including, 3.4.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5ea93a49-0e1a-4a24-8f6b-03e624f517d4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10374 + metadata: + fofa-query: "wp-content/plugins/wp-members/" + google-query: inurl:"/wp-content/plugins/wp-members/" + shodan-query: 'vuln:CVE-2024-10374' + tags: cve,wordpress,wp-plugin,wp-members,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-members/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-members" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.9.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml b/poc/cve/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml new file mode 100644 index 0000000000..8c5b69cbae --- /dev/null +++ b/poc/cve/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad + +info: + name: > + Keep Backup Daily <= 2.0.8 - Unauthenticated Information Disclosure + author: topscoder + severity: medium + description: > + The Keep Backup Daily plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8b007bf9-9756-4f18-81b9-7d4b15c5dca8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-48024 + metadata: + fofa-query: "wp-content/plugins/keep-backup-daily/" + google-query: inurl:"/wp-content/plugins/keep-backup-daily/" + shodan-query: 'vuln:CVE-2024-48024' + tags: cve,wordpress,wp-plugin,keep-backup-daily,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/keep-backup-daily/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "keep-backup-daily" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.8') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-49276-e9ed620857fc589be2b05034e4af0e8d.yaml b/poc/cve/CVE-2024-49276-e9ed620857fc589be2b05034e4af0e8d.yaml new file mode 100644 index 0000000000..81e0007ed5 --- /dev/null +++ b/poc/cve/CVE-2024-49276-e9ed620857fc589be2b05034e4af0e8d.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-49276-e9ed620857fc589be2b05034e4af0e8d + +info: + name: > + Clio Grow <= 1.0.2 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Clio Grow plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/17cffc76-7b41-4dc0-90cc-695b6f5474ce?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-49276 + metadata: + fofa-query: "wp-content/plugins/clio-grow-form/" + google-query: inurl:"/wp-content/plugins/clio-grow-form/" + shodan-query: 'vuln:CVE-2024-49276' + tags: cve,wordpress,wp-plugin,clio-grow-form,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clio-grow-form/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clio-grow-form" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-49305-eef0a3090d6461b4ef311ea325c26686.yaml b/poc/cve/CVE-2024-49305-eef0a3090d6461b4ef311ea325c26686.yaml
new file mode 100644
index 0000000000..c5e51c06ec
--- /dev/null
+++ b/poc/cve/CVE-2024-49305-eef0a3090d6461b4ef311ea325c26686.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49305-eef0a3090d6461b4ef311ea325c26686
+
+info:
+ name: >
+ Email Verification for WooCommerce <= 2.8.10 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The Email Verification for WooCommerce plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.8.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2dfeeff5-5fcf-445b-af66-33ec873b7e44?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-49305
+ metadata:
+ fofa-query: "wp-content/plugins/emails-verification-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/emails-verification-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-49305'
+ tags: cve,wordpress,wp-plugin,emails-verification-for-woocommerce,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/emails-verification-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "emails-verification-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8.10')
\ No newline at end of file
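Review bot: `severity: critical` (and the trailing `critical` in `tags`) does not match the template's own `cvss-score: 7.5` — the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` is confidentiality-only and rates High, not Critical. Either the vector or the label is wrong; if the Wordfence score is authoritative, change to `severity: high` and `tags: cve,wordpress,wp-plugin,emails-verification-for-woocommerce,high`. Keep in mind the template only reads the readme.txt `Stable tag`, so a match is a version fingerprint, not a confirmed injection.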
diff --git a/poc/cve/CVE-2024-49606.yaml b/poc/cve/CVE-2024-49606.yaml
new file mode 100644
index 0000000000..e67538adfa
--- /dev/null
+++ b/poc/cve/CVE-2024-49606.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49606
+
+info:
+ name: >
+ Google Map Locations <= 1.0 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Google Map Locations plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1a253ebd-c1c1-4a8f-a02a-67b244f840ce?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-49606
+ metadata:
+ fofa-query: "wp-content/plugins/google-map-locations/"
+ google-query: inurl:"/wp-content/plugins/google-map-locations/"
+ shodan-query: 'vuln:CVE-2024-49606'
+ tags: cve,wordpress,wp-plugin,google-map-locations,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/google-map-locations/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "google-map-locations"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49608.yaml b/poc/cve/CVE-2024-49608.yaml
new file mode 100644
index 0000000000..8d0c2c429f
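Review bot: The two `extractors` entries are identical apart from `internal: true`, and both are named `version`; nuclei exposes named extractor values to the DSL whether or not they are internal, so the second appears to simply shadow the first and the pair is duplication. A single extractor without `internal: true` serves both `compare_versions(...)` and the printed output, so the first block can be dropped. Separately, a match here only means the readme reports `Stable tag` ≤ 1.0 — the reflected XSS is never requested — which is worth stating in `description` so consumers do not treat hits as verified.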
--- /dev/null
+++ b/poc/cve/CVE-2024-49608.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49608
+
+info:
+ name: >
+ GERRYWORKS Post by Mail <= 1.0 - Contributor+ Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+ The GERRYWORKS Post by Mail plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to elevate their privileges to administrator.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3856289b-6e82-4d05-afa2-ea561a4e5c30?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49608
+ metadata:
+ fofa-query: "wp-content/plugins/gerryworks-post-by-mail/"
+ google-query: inurl:"/wp-content/plugins/gerryworks-post-by-mail/"
+ shodan-query: 'vuln:CVE-2024-49608'
+ tags: cve,wordpress,wp-plugin,gerryworks-post-by-mail,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/gerryworks-post-by-mail/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "gerryworks-post-by-mail"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49609.yaml b/poc/cve/CVE-2024-49609.yaml
new file mode 100644
index 0000000000..1ee05ca518
--- /dev/null
+++ b/poc/cve/CVE-2024-49609.yaml
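Review bot: `severity: low` and the `low` tag contradict `cvss-score: 8.8` on the vector `PR:L/.../C:H/I:H/A:H`, and the name itself describes Contributor-to-administrator privilege escalation — that is a High finding, not Low. Change to `severity: high` and `tags: cve,wordpress,wp-plugin,gerryworks-post-by-mail,high`, or correct the classification block if the vector is the error. Anyone scoping a scan by severity will otherwise never see an account-takeover-class bug.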
@@ -0,0 +1,59 @@
+id: CVE-2024-49609
+
+info:
+ name: >
+ Author Discussion <= 0.2.2 - Authenticated (Subscriber+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Author Discussion plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 0.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcc8b94-6ed3-4784-93f3-ec1654d197bd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-49609
+ metadata:
+ fofa-query: "wp-content/plugins/author-discussion/"
+ google-query: inurl:"/wp-content/plugins/author-discussion/"
+ shodan-query: 'vuln:CVE-2024-49609'
+ tags: cve,wordpress,wp-plugin,author-discussion,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/author-discussion/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "author-discussion"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.2.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49612.yaml b/poc/cve/CVE-2024-49612.yaml
new file mode 100644
index 0000000000..036bccb113
--- /dev/null
+++ b/poc/cve/CVE-2024-49612.yaml
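Review bot: `severity: low` (and the `low` tag) sits below the template's own `cvss-score: 6.5`, which is in the Medium band. Either use `severity: medium` with `tags: cve,wordpress,wp-plugin,author-discussion,medium`, or fix the classification block if 6.5 is the error. Severity is how most nuclei runs are scoped, so the mismatch hides an authenticated SQL injection from any scan filtered at medium and above.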
@@ -0,0 +1,59 @@
+id: CVE-2024-49612
+
+info:
+ name: >
+ SW Contact Form <= 1.0 - Authenticated (Subscriber+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The SW Contact Form plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/20f1600e-6404-4f60-b415-e6588e26f97d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49612
+ metadata:
+ fofa-query: "wp-content/plugins/sw-contact-form/"
+ google-query: inurl:"/wp-content/plugins/sw-contact-form/"
+ shodan-query: 'vuln:CVE-2024-49612'
+ tags: cve,wordpress,wp-plugin,sw-contact-form,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/sw-contact-form/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "sw-contact-form"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49613.yaml b/poc/cve/CVE-2024-49613.yaml
new file mode 100644
index 0000000000..dc2e74ddf5
--- /dev/null
+++ b/poc/cve/CVE-2024-49613.yaml
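Review bot: `severity: low` does not agree with `cvss-score: 8.8` (`AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`), which is High; use `severity: high` and `tags: cve,wordpress,wp-plugin,sw-contact-form,high` if the score stands. Note the vector claims full C/I/A impact while the description only talks about reading data from the database — if the description is right the vector is over-scored, and if the vector is right the label is wrong — so the referenced advisory should settle which before this ships with conflicting metadata.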
@@ -0,0 +1,59 @@
+id: CVE-2024-49613
+
+info:
+ name: >
+ Simple Code Insert Shortcode <= 1.0 - Authenticated (Contributor+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Simple Code Insert Shortcode plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/004e7773-31b9-47e5-a26b-64e75b6b2f9d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49613
+ metadata:
+ fofa-query: "wp-content/plugins/simple-code-insert-shortcode/"
+ google-query: inurl:"/wp-content/plugins/simple-code-insert-shortcode/"
+ shodan-query: 'vuln:CVE-2024-49613'
+ tags: cve,wordpress,wp-plugin,simple-code-insert-shortcode,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simple-code-insert-shortcode/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "simple-code-insert-shortcode"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49614.yaml b/poc/cve/CVE-2024-49614.yaml
new file mode 100644
index 0000000000..dce1750ddb
--- /dev/null
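Review bot: `severity: low` and the closing `low` in `tags` are inconsistent with `cvss-score: 8.8` (High) two lines above them; the fix is `severity: high` and `tags: cve,wordpress,wp-plugin,simple-code-insert-shortcode,high`, unless the classification block is what is wrong. This looks like the generator emitting the same default label regardless of score, so the other templates in this batch are worth checking for the same drift. A match here is also only a readme `Stable tag` comparison, not a confirmed injection, which the description could say explicitly.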
+++ b/poc/cve/CVE-2024-49614.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49614
+
+info:
+ name: >
+ SermonAudio Widgets <= 1.9.3 - Authenticated (Contributor+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The SermonAudio Widgets plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.9.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bb3be09d-6f65-48cc-b692-f4231d3f6858?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49614
+ metadata:
+ fofa-query: "wp-content/plugins/sermonaudio-widgets/"
+ google-query: inurl:"/wp-content/plugins/sermonaudio-widgets/"
+ shodan-query: 'vuln:CVE-2024-49614'
+ tags: cve,wordpress,wp-plugin,sermonaudio-widgets,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/sermonaudio-widgets/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "sermonaudio-widgets"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.9.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49615.yaml b/poc/cve/CVE-2024-49615.yaml
new file mode 100644
index 0000000000..cc4e15aeca
--- /dev/null
+++ b/poc/cve/CVE-2024-49615.yaml
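Review bot: `severity: low` is inconsistent with `cvss-score: 8.8` and its High-band vector; if the score is authoritative this should read `severity: high` and `tags: cve,wordpress,wp-plugin,sermonaudio-widgets,high`. The version regex `([0-9.]+)` also stops at the first non-numeric character, so a readme reporting `Stable tag: 1.9.3.1` is fine but `1.9.3-beta` would be compared as `1.9.3` — a minor edge worth a comment next to the regex rather than a change. Nothing in the `http` block touches the vulnerable query, so results are version leads rather than confirmed injection.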
@@ -0,0 +1,59 @@
+id: CVE-2024-49615
+
+info:
+ name: >
+ SafetyForms <= 1.0.0 - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+ The SafetyForms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to inject malicious SQL code into a query via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the fact that the query results won't be displayed to the attacker, exploitation possibilities are limited.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/58b026c8-ad67-4c77-8770-2b3b87bb2dfd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49615
+ metadata:
+ fofa-query: "wp-content/plugins/safetymails-forms/"
+ google-query: inurl:"/wp-content/plugins/safetymails-forms/"
+ shodan-query: 'vuln:CVE-2024-49615'
+ tags: cve,wordpress,wp-plugin,safetymails-forms,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/safetymails-forms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "safetymails-forms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49616.yaml b/poc/cve/CVE-2024-49616.yaml
new file mode 100644
index 0000000000..78aa7a5d24
--- /dev/null
+++ b/poc/cve/CVE-2024-49616.yaml
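Review bot: `severity: medium` is at odds with `cvss-score: 8.8` — a vector of `PR:N/UI:R/S:U/C:H/I:H/A:H` is High. The description, though, says query results are not returned and "exploitation possibilities are limited", which reads more like a Medium, so one of the two fields is wrong and should be reconciled against the Wordfence entry before the template ships with conflicting metadata. If 8.8 stands, use `severity: high` and `tags: cve,wordpress,wp-plugin,safetymails-forms,high`. A CSRF cannot be confirmed by a GET of readme.txt in any case, so a hit is a version match only.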
@@ -0,0 +1,59 @@
+id: CVE-2024-49616
+
+info:
+ name: >
+ Rate Own Post <= 1.0 - Authenticated (Subscriber+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Rate Own Post plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/547830df-eb90-471b-87be-5c5f2fc52b36?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49616
+ metadata:
+ fofa-query: "wp-content/plugins/rate-own-post/"
+ google-query: inurl:"/wp-content/plugins/rate-own-post/"
+ shodan-query: 'vuln:CVE-2024-49616'
+ tags: cve,wordpress,wp-plugin,rate-own-post,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/rate-own-post/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "rate-own-post"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49618.yaml b/poc/cve/CVE-2024-49618.yaml
new file mode 100644
index 0000000000..7011b6523a
--- /dev/null
+++ b/poc/cve/CVE-2024-49618.yaml
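Review bot: `severity: low` and the `low` tag contradict the High-band `cvss-score: 8.8` in the same `info` block; change to `severity: high` and `tags: cve,wordpress,wp-plugin,rate-own-post,high`, or fix the classification if the score is the mistake. Subscriber-level SQL injection is a self-registration-away-from-unauthenticated bug on sites with open registration, which makes under-labelling it as Low particularly costly for anyone filtering results by severity.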
@@ -0,0 +1,59 @@
+id: CVE-2024-49618
+
+info:
+ name: >
+ MyTweetLinks <= 1.1.1 - Authenticated (Subscriber+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The MyTweetLinks plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f727d82e-8295-4440-90fa-dc41b1d02f8f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49618
+ metadata:
+ fofa-query: "wp-content/plugins/mytweetlinks/"
+ google-query: inurl:"/wp-content/plugins/mytweetlinks/"
+ shodan-query: 'vuln:CVE-2024-49618'
+ tags: cve,wordpress,wp-plugin,mytweetlinks,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mytweetlinks/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mytweetlinks"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49619.yaml b/poc/cve/CVE-2024-49619.yaml
new file mode 100644
index 0000000000..c80312644c
--- /dev/null
+++ b/poc/cve/CVE-2024-49619.yaml
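Review bot: `severity: low` does not match `cvss-score: 8.8` (`PR:L/.../C:H/I:H/A:H`, High); `severity: high` and `tags: cve,wordpress,wp-plugin,mytweetlinks,high` would bring the label in line with the score, or the classification block needs correcting. The `word` matcher on the bare slug `mytweetlinks` is also the loosest in this batch — a single lowercase token that may well appear in a readme — but since `compare_versions` still requires an extracted `Stable tag`, it does not add false positives on its own.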
@@ -0,0 +1,59 @@
+id: CVE-2024-49619
+
+info:
+ name: >
+ Social Link Groups <= 1.1.0 - Authenticated (Contributor+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Social Link Groups plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fb4dc258-a1b2-4e7c-8bba-1b3162b8954b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49619
+ metadata:
+ fofa-query: "wp-content/plugins/social-link-groups/"
+ google-query: inurl:"/wp-content/plugins/social-link-groups/"
+ shodan-query: 'vuln:CVE-2024-49619'
+ tags: cve,wordpress,wp-plugin,social-link-groups,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/social-link-groups/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "social-link-groups"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49620.yaml b/poc/cve/CVE-2024-49620.yaml
new file mode 100644
index 0000000000..ef8e6efd1f
--- /dev/null
+++ b/poc/cve/CVE-2024-49620.yaml
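Review bot: `severity: low` is below the template's own `cvss-score: 8.8`, a High-band vector; `severity: high` plus `tags: cve,wordpress,wp-plugin,social-link-groups,high` is the consistent pair, unless the classification block is wrong. Since the `http` section only fetches readme.txt and compares `Stable tag`, a comment above `http:` such as `# Version-based detection only; the injectable query is not exercised.` would stop a match being read as a confirmed SQLi.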
@@ -0,0 +1,59 @@
+id: CVE-2024-49620
+
+info:
+ name: >
+ FERMA.ru.net <= 1.3.3 - Authenticated (Subscriber+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The FERMA.ru.net plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/30bf7a5f-bc1a-4c3b-a49e-79543271e620?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49620
+ metadata:
+ fofa-query: "wp-content/plugins/ferma-ru-net-checkout/"
+ google-query: inurl:"/wp-content/plugins/ferma-ru-net-checkout/"
+ shodan-query: 'vuln:CVE-2024-49620'
+ tags: cve,wordpress,wp-plugin,ferma-ru-net-checkout,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ferma-ru-net-checkout/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ferma-ru-net-checkout"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49623.yaml b/poc/cve/CVE-2024-49623.yaml
new file mode 100644
index 0000000000..53b3b4c8fb
--- /dev/null
+++ b/poc/cve/CVE-2024-49623.yaml
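Review bot: `severity: low` and the `low` tag disagree with `cvss-score: 8.8` (High); if the score is right the lines should read `severity: high` and `tags: cve,wordpress,wp-plugin,ferma-ru-net-checkout,high`. The plugin name in `name`/`description` is "FERMA.ru.net" while every path and query uses the slug `ferma-ru-net-checkout`; that is presumably the real directory name, but since a wrong slug makes the template silently dead it is worth confirming against the plugin's download URL before merging.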
@@ -0,0 +1,59 @@
+id: CVE-2024-49623
+
+info:
+ name: >
+ Duplicate Title Validate <= 1.0 - Authenticated (Subscriber+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Duplicate Title Validate plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ce5b3390-75c2-4288-91a6-f9ceb893a952?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-49623
+ metadata:
+ fofa-query: "wp-content/plugins/duplicate-title-validate/"
+ google-query: inurl:"/wp-content/plugins/duplicate-title-validate/"
+ shodan-query: 'vuln:CVE-2024-49623'
+ tags: cve,wordpress,wp-plugin,duplicate-title-validate,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/duplicate-title-validate/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "duplicate-title-validate"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49624.yaml b/poc/cve/CVE-2024-49624.yaml
new file mode 100644
index 0000000000..78aa7a5d24
--- /dev/null
+++ b/poc/cve/CVE-2024-49624.yaml
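Review bot: `severity: low` contradicts `cvss-score: 8.8` (`PR:L/.../C:H/I:H/A:H`, High) in the same block; the consistent values are `severity: high` and `tags: cve,wordpress,wp-plugin,duplicate-title-validate,high`, or else the classification needs fixing. The readme's `Stable tag` can also lag the code actually installed — authors who do not bump it, or a plugin left on disk but deactivated — so a comment near `compare_versions` noting that a hit is a version lead rather than proof of the injection would set expectations correctly.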
@@ -0,0 +1,59 @@
+id: CVE-2024-49624
+
+info:
+ name: >
+ Advanced Advertising System <= 1.3.1 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The Advanced Advertising System plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.3.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/602e088e-57af-4b30-96c3-a44b2a8e4edb?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-49624
+ metadata:
+ fofa-query: "wp-content/plugins/advanced-advertising-system/"
+ google-query: inurl:"/wp-content/plugins/advanced-advertising-system/"
+ shodan-query: 'vuln:CVE-2024-49624'
+ tags: cve,wordpress,wp-plugin,advanced-advertising-system,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/advanced-advertising-system/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "advanced-advertising-system"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49625.yaml b/poc/cve/CVE-2024-49625.yaml
new file mode 100644
index 0000000000..625071f75e
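Review bot: Nothing in the `http` section sends serialized input — the template GETs readme.txt and compares the `Stable tag`, so a hit means "readme reports version ≤ 1.3.1", not that the deserialization sink was reached, and the description itself says no POP chain is known. A one-line comment above `http:` would keep consumers from reading a `critical` match as confirmed RCE: `# Version-based check only: reads the readme.txt "Stable tag"; it does not exercise the deserialization sink.` The readme's Stable tag can also lag the code actually installed, which is a second reason to treat results as leads for manual follow-up.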
--- /dev/null
+++ b/poc/cve/CVE-2024-49625.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49625
+
+info:
+ name: >
+ SiteBuilder Dynamic Components <= 1.0 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The SiteBuilder Dynamic Components plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/987e228b-3a89-463e-aa4f-52d9edf911b2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-49625
+ metadata:
+ fofa-query: "wp-content/plugins/sitebuilder-dynamic-components/"
+ google-query: inurl:"/wp-content/plugins/sitebuilder-dynamic-components/"
+ shodan-query: 'vuln:CVE-2024-49625'
+ tags: cve,wordpress,wp-plugin,sitebuilder-dynamic-components,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/sitebuilder-dynamic-components/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "sitebuilder-dynamic-components"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0')
\ No newline at end of file
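Review bot: The version regex `([0-9.]+)` requires a numeric Stable tag; a readme that says `Stable tag: trunk` (common for small one-release plugins such as a 1.0-only package) extracts nothing, `compare_versions` then has no value to work with, and the template silently reports no match on what may be a vulnerable install. That is an acceptable false negative, but it is invisible to the operator; a comment next to the regex, `# No match when Stable tag is "trunk" or non-numeric — verify manually`, would make it explicit. Either way a match is a version fingerprint, not a demonstration of the object injection, since no serialized payload is ever sent.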
diff --git a/poc/cve/CVE-2024-49626.yaml b/poc/cve/CVE-2024-49626.yaml
new file mode 100644
index 0000000000..8176535ae3
--- /dev/null
+++ b/poc/cve/CVE-2024-49626.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49626
+
+info:
+ name: >
+ Shipyaari Shipping Management <= 1.2 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The Shipyaari Shipping Management plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a1ce59bf-2d59-4c15-8be1-0d733526d1eb?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-49626
+ metadata:
+ fofa-query: "wp-content/plugins/shipyaari-shipping-managment/"
+ google-query: inurl:"/wp-content/plugins/shipyaari-shipping-managment/"
+ shodan-query: 'vuln:CVE-2024-49626'
+ tags: cve,wordpress,wp-plugin,shipyaari-shipping-managment,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/shipyaari-shipping-managment/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "shipyaari-shipping-managment"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49627.yaml b/poc/cve/CVE-2024-49627.yaml
new file mode 100644
index 0000000000..148ccc6d52
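Review bot: The directory slug is spelled `shipyaari-shipping-managment` (not "management") in the request path, both search queries, the `word` matcher and the tags; if that is the plugin's real wordpress.org slug the template is fine, but if it is a typo carried over from the generator every request goes to a non-existent path and the template is silently dead. A quick check against the plugin's download URL before merging would settle it. A hit also only proves the readme reports version ≤ 1.2 — no serialized payload is sent — so results should be treated as candidates, not confirmed object injection.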
--- /dev/null
+++ b/poc/cve/CVE-2024-49627.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49627
+
+info:
+ name: >
+ WordPress Image SEO <= 1.1.4 - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+ The WordPress Image SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/750fc65a-081d-4c4d-ba14-73b68abd019e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-49627
+ metadata:
+ fofa-query: "wp-content/plugins/wp-image-seo/"
+ google-query: inurl:"/wp-content/plugins/wp-image-seo/"
+ shodan-query: 'vuln:CVE-2024-49627'
+ tags: cve,wordpress,wp-plugin,wp-image-seo,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-image-seo/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-image-seo"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49628.yaml b/poc/cve/CVE-2024-49628.yaml
new file mode 100644
index 0000000000..78d3d19517
--- /dev/null
+++ b/poc/cve/CVE-2024-49628.yaml
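Review bot: The `word` matcher requires the literal slug `wp-image-seo` somewhere in readme.txt; plugin readmes usually carry the display name rather than the directory name, and if this one does not mention the slug the template can never match even at 1.1.4. Since the path already fixes the directory, `- "Stable tag:"` is a more reliable proof that a real readme came back rather than a catch-all page. A CSRF cannot be verified remotely from a readme fetch anyway, so it is worth stating in `description` that this is a version-based check.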
@@ -0,0 +1,59 @@ +id: CVE-2024-49628 + +info: + name: > + Most And Least Read Posts Widget <= 2.5.18 - Cross-Site Request Forgery via most_and_least_read_posts_options + author: topscoder + severity: medium + description: > + The Most And Least Read Posts Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.18. This is due to missing or incorrect nonce validation on the most_and_least_read_posts_options function. This makes it possible for unauthenticated attackers to update plugin options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5671d318-ca8c-4882-a522-f327e65a24f0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-49628 + metadata: + fofa-query: "wp-content/plugins/most-and-least-read-posts-widget/" + google-query: inurl:"/wp-content/plugins/most-and-least-read-posts-widget/" + shodan-query: 'vuln:CVE-2024-49628' + tags: cve,wordpress,wp-plugin,most-and-least-read-posts-widget,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/most-and-least-read-posts-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "most-and-least-read-posts-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.18') \ No newline at end of file diff --git a/poc/cve/CVE-2024-49630.yaml b/poc/cve/CVE-2024-49630.yaml new file mode 100644 index 0000000000..ad3d3cfac9 
--- /dev/null +++ b/poc/cve/CVE-2024-49630.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-49630 + +info: + name: > + WP Education <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via text_html_tag + author: topscoder + severity: low + description: > + The WP Education plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a85f7ddb-b784-45d4-9d2f-a636c12e7f85?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-49630 + metadata: + fofa-query: "wp-content/plugins/wp-education/" + google-query: inurl:"/wp-content/plugins/wp-education/" + shodan-query: 'vuln:CVE-2024-49630' + tags: cve,wordpress,wp-plugin,wp-education,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-education/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-education" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml b/poc/cve/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml new file mode 100644 index 0000000000..0f55ca95d7 --- /dev/null 
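Review bot: `severity: low` disagrees with the template's own `cvss-score: 6.4`, which sits in the CVSS v3.1 medium band (4.0–6.9), and the trailing `low` in `tags` repeats the mismatch; since nuclei's `-severity` and `-tags` filters key on these fields, a scan that excludes low-severity templates would silently skip this finding. Unless the label is deliberately copied from the source feed, the lines should read `severity: medium` and `tags: cve,wordpress,wp-plugin,wp-education,medium`. The same inconsistency appears in CVE-2024-8666 (low vs 6.4), CVE-2024-8667 (low vs 4.3), CVE-2024-8959 (low vs 6.4), CVE-2024-9109 (low vs 4.3), CVE-2024-9531 (low vs 4.3), CVE-2024-9156 (critical vs 7.5, a high score), CVE-2024-9214 (high vs 6.1, a medium score) and, most sharply, CVE-2024-9235 (low vs 8.8 for an option-update path the description says can lead to administrator access). If the generator intentionally maps the upstream label rather than the score, a comment above `severity:` saying so would stop reviewers from re-raising it.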
+++ b/poc/cve/CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3 + +info: + name: > + Shoutcast Icecast HTML5 Radio Player <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Shoutcast Icecast HTML5 Radio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'html5radio' shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7e870ae2-abae-457a-b3d1-75a96ec09d41?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8666 + metadata: + fofa-query: "wp-content/plugins/shoutcast-icecast-html5-radio-player/" + google-query: inurl:"/wp-content/plugins/shoutcast-icecast-html5-radio-player/" + shodan-query: 'vuln:CVE-2024-8666' + tags: cve,wordpress,wp-plugin,shoutcast-icecast-html5-radio-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/shoutcast-icecast-html5-radio-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "shoutcast-icecast-html5-radio-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.6') \ No newline at end of file 
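Review bot: The `id` value `CVE-2024-8666-908b61c7df30cf8fad96ec25610ac7b3` carries a hash suffix that nothing in the file explains, while `cve-id` is the bare `CVE-2024-8666`; presumably the suffix keeps the template id unique beside another template for the same CVE, and a one-line comment above `id:` stating that would help. It is also worth checking that the two templates are not the same readme-version check under different ids, since if nuclei distinguishes them only by id they would both run and report the same host twice for one CVE. The same pattern is used by CVE-2024-8730, CVE-2024-8802, CVE-2024-9109, CVE-2024-9156, CVE-2024-9235, CVE-2024-9302, CVE-2024-9383 and CVE-2024-9488 in this commit.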
diff --git a/poc/cve/CVE-2024-8667.yaml b/poc/cve/CVE-2024-8667.yaml
new file mode 100644
index 0000000000..29cd386740
--- /dev/null
+++ b/poc/cve/CVE-2024-8667.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-8667 + +info: + name: > + HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.10.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication + author: topscoder + severity: low + description: > + The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for authenticated attackers, with contributor-level access and above, to publish arbitrary posts like ones they have submitted for review, or a site administrator has in draft. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7a8eda88-c45a-4867-b427-d63b586e6de3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8667 + metadata: + fofa-query: "wp-content/plugins/hurrytimer/" + google-query: inurl:"/wp-content/plugins/hurrytimer/" + shodan-query: 'vuln:CVE-2024-8667' + tags: cve,wordpress,wp-plugin,hurrytimer,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/hurrytimer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "hurrytimer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.10.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8717.yaml b/poc/cve/CVE-2024-8717.yaml new file mode 100644 index 0000000000..d3f7eda013 --- /dev/null 
+++ b/poc/cve/CVE-2024-8717.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8717 + +info: + name: > + PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip <= 2.3.32 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pdf_source' parameter in all versions up to, and including, 2.3.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6d4c2944-28e8-4866-b4da-91cf12d9d115?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8717 + metadata: + fofa-query: "wp-content/plugins/3d-flipbook-dflip-lite/" + google-query: inurl:"/wp-content/plugins/3d-flipbook-dflip-lite/" + shodan-query: 'vuln:CVE-2024-8717' + tags: cve,wordpress,wp-plugin,3d-flipbook-dflip-lite,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/3d-flipbook-dflip-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "3d-flipbook-dflip-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.32') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8730-7ea0964cfd16a9627cf12e4d262a7e7c.yaml b/poc/cve/CVE-2024-8730-7ea0964cfd16a9627cf12e4d262a7e7c.yaml new file mode 100644 index 0000000000..0f06e8a6df --- /dev/null +++ b/poc/cve/CVE-2024-8730-7ea0964cfd16a9627cf12e4d262a7e7c.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8730-7ea0964cfd16a9627cf12e4d262a7e7c + +info: + name: > + Exit Notifier <= 1.10.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Exit Notifier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.10.4. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc1aedb-e64f-4b61-a247-c3cdc731f001?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8730 + metadata: + fofa-query: "wp-content/plugins/exit-notifier/" + google-query: inurl:"/wp-content/plugins/exit-notifier/" + shodan-query: 'vuln:CVE-2024-8730' + tags: cve,wordpress,wp-plugin,exit-notifier,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/exit-notifier/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "exit-notifier" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.10.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml b/poc/cve/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml new file mode 100644 index 0000000000..1f945bf8b0 --- /dev/null +++ b/poc/cve/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10 + +info: + name: > + Clio Grow <= 1.0.2 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Clio Grow plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/10fcfddf-0ed7-471d-86bf-c38e7021c6a4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8802 + metadata: + fofa-query: "wp-content/plugins/clio-grow-form/" + google-query: inurl:"/wp-content/plugins/clio-grow-form/" + shodan-query: 'vuln:CVE-2024-8802' + tags: cve,wordpress,wp-plugin,clio-grow-form,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clio-grow-form/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clio-grow-form" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8959.yaml b/poc/cve/CVE-2024-8959.yaml new file mode 100644 index 0000000000..20c6ad4538 --- /dev/null +++ b/poc/cve/CVE-2024-8959.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8959 + +info: + name: > + WP Adminify – Best WordPress Custom Dashboard Plugin <= 4.0.1.6 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.0.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/68094545-0e2a-429d-95b7-bfa86eca1caa?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8959 + metadata: + fofa-query: "wp-content/plugins/adminify/" + google-query: inurl:"/wp-content/plugins/adminify/" + shodan-query: 'vuln:CVE-2024-8959' + tags: cve,wordpress,wp-plugin,adminify,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/adminify/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "adminify" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.1.6') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml b/poc/cve/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml
new file mode 100644
index 0000000000..3b8f461a8d
--- /dev/null
+++ b/poc/cve/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-9109-db046fec044ec68a48276b8ee3af3015 + +info: + name: > + UPS Live Rates and Access Points <= 2.3.11 - Missing Authorization to Plugin API key reset + author: topscoder + severity: low + description: > + The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/699fdea9-15ae-4882-9723-9a98d7d53c74?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-9109 + metadata: + fofa-query: "wp-content/plugins/flexible-shipping-ups/" + google-query: inurl:"/wp-content/plugins/flexible-shipping-ups/" + shodan-query: 'vuln:CVE-2024-9109' + tags: cve,wordpress,wp-plugin,flexible-shipping-ups,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/flexible-shipping-ups/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "flexible-shipping-ups" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.11') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9156-91338f4767908f7cd3520c3ed36ee2c4.yaml b/poc/cve/CVE-2024-9156-91338f4767908f7cd3520c3ed36ee2c4.yaml new file mode 100644 index 0000000000..ee6b85193b --- /dev/null 
+++ b/poc/cve/CVE-2024-9156-91338f4767908f7cd3520c3ed36ee2c4.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9156-91338f4767908f7cd3520c3ed36ee2c4 + +info: + name: > + TI WooCommerce Wishlist <= 2.9.0 - Unauthenticated SQL Injection via 'lang' + author: topscoder + severity: critical + description: > + The TI WooCommerce Wishlist plugin for WordPress is vulnerable to SQL Injection via the 'lang' parameter in all versions up to, and including, 2.9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4985680e-f7ba-40c7-bca9-f347f1c1cb3b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-9156 + metadata: + fofa-query: "wp-content/plugins/ti-woocommerce-wishlist/" + google-query: inurl:"/wp-content/plugins/ti-woocommerce-wishlist/" + shodan-query: 'vuln:CVE-2024-9156' + tags: cve,wordpress,wp-plugin,ti-woocommerce-wishlist,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ti-woocommerce-wishlist/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ti-woocommerce-wishlist" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.9.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9214.yaml b/poc/cve/CVE-2024-9214.yaml
new file mode 100644
index 0000000000..18ef0cfd02
--- /dev/null
+++ b/poc/cve/CVE-2024-9214.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-9214 + +info: + name: > + Extra Product Options Builder for WooCommerce <= 1.2.133 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + The Extra Product Options Builder for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'RednaoSerializedFields' parameter during the creation of a signature file in all versions up to, and including, 1.2.133 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/09890f42-b9ee-4812-8cf2-f638ba9fb20f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9214 + metadata: + fofa-query: "wp-content/plugins/additional-product-fields-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/additional-product-fields-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-9214' + tags: cve,wordpress,wp-plugin,additional-product-fields-for-woocommerce,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/additional-product-fields-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "additional-product-fields-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.133') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9235-9f84e172c440fa390654d1d978fbd78e.yaml b/poc/cve/CVE-2024-9235-9f84e172c440fa390654d1d978fbd78e.yaml
new file mode 100644
index 0000000000..f704c02abb
--- /dev/null
+++ b/poc/cve/CVE-2024-9235-9f84e172c440fa390654d1d978fbd78e.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-9235-9f84e172c440fa390654d1d978fbd78e + +info: + name: > + Mapster WP Maps <= 1.5.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update + author: topscoder + severity: low + description: > + The Mapster WP Maps plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to an insufficient capability check on the mapster_wp_maps_set_option_from_js() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with contributor-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b81c2990-68d1-4d45-9724-262ec017caf1?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-9235 + metadata: + fofa-query: "wp-content/plugins/mapster-wp-maps/" + google-query: inurl:"/wp-content/plugins/mapster-wp-maps/" + shodan-query: 'vuln:CVE-2024-9235' + tags: cve,wordpress,wp-plugin,mapster-wp-maps,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mapster-wp-maps/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mapster-wp-maps" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9302-a4e5e1a6797eb0268e9f6e37033f4ea7.yaml b/poc/cve/CVE-2024-9302-a4e5e1a6797eb0268e9f6e37033f4ea7.yaml
new file mode 100644
index 0000000000..fa6bd60a83
--- /dev/null
+++ b/poc/cve/CVE-2024-9302-a4e5e1a6797eb0268e9f6e37033f4ea7.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-9302-a4e5e1a6797eb0268e9f6e37033f4ea7 + +info: + name: > + App Builder – Create Native Android & iOS Apps On The Flight <= 5.3.7 - Privilege Escalation and Account Takeover via Weak OTP + author: topscoder + severity: high + description: > + The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This is due to the verify_otp_forgot_password() and update_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0eb9d676-4fa0-4bdc-af44-5d7e1dd8c6e6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-9302 + metadata: + fofa-query: "wp-content/plugins/app-builder/" + google-query: inurl:"/wp-content/plugins/app-builder/" + shodan-query: 'vuln:CVE-2024-9302' + tags: cve,wordpress,wp-plugin,app-builder,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/app-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "app-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.3.7') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9374.yaml b/poc/cve/CVE-2024-9374.yaml new file mode 100644 index 0000000000..6d3a504699 --- /dev/null +++ b/poc/cve/CVE-2024-9374.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9374 + +info: + name: > + Terms descriptions <= 3.4.6 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Terms descriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa977e6c-6b9d-4fa8-99f3-566d6a71424f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9374 + metadata: + fofa-query: "wp-content/plugins/terms-descriptions/" + google-query: inurl:"/wp-content/plugins/terms-descriptions/" + shodan-query: 'vuln:CVE-2024-9374' + tags: cve,wordpress,wp-plugin,terms-descriptions,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/terms-descriptions/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "terms-descriptions" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.6') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9383-e6381b380c85f38b54c8d29f39ceaf78.yaml b/poc/cve/CVE-2024-9383-e6381b380c85f38b54c8d29f39ceaf78.yaml new file mode 100644 index 0000000000..b52cf6c807 --- /dev/null +++ b/poc/cve/CVE-2024-9383-e6381b380c85f38b54c8d29f39ceaf78.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9383-e6381b380c85f38b54c8d29f39ceaf78 + +info: + name: > + Parcel Pro <= 1.8.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Parcel Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8e8fe6f4-7e41-44d3-9980-b5e7f43aa849?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9383 + metadata: + fofa-query: "wp-content/plugins/woo-parcel-pro/" + google-query: inurl:"/wp-content/plugins/woo-parcel-pro/" + shodan-query: 'vuln:CVE-2024-9383' + tags: cve,wordpress,wp-plugin,woo-parcel-pro,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-parcel-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-parcel-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9488-71bbc14254aeeb3532913cac8f75c128.yaml b/poc/cve/CVE-2024-9488-71bbc14254aeeb3532913cac8f75c128.yaml
new file mode 100644
index 0000000000..183b88c6a1
--- /dev/null
+++ b/poc/cve/CVE-2024-9488-71bbc14254aeeb3532913cac8f75c128.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-9488-71bbc14254aeeb3532913cac8f75c128 + +info: + name: > + Comments – wpDiscuz <= 7.6.24 - Authentication Bypass + author: topscoder + severity: critical + description: > + The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b71706a7-e101-4d50-a2da-1aeeaf07cf4b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-9488 + metadata: + fofa-query: "wp-content/plugins/wpdiscuz/" + google-query: inurl:"/wp-content/plugins/wpdiscuz/" + shodan-query: 'vuln:CVE-2024-9488' + tags: cve,wordpress,wp-plugin,wpdiscuz,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpdiscuz/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpdiscuz" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.6.24') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9531.yaml b/poc/cve/CVE-2024-9531.yaml new file mode 100644 index 0000000000..8fb82dba23 --- /dev/null +++ b/poc/cve/CVE-2024-9531.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9531 + +info: + name: > + MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Missing Authorization to Forged Vendor Profile Deletion Email Sending + author: topscoder + severity: low + description: > + The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5af1063c-615e-4196-9fa6-960c008544c4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-9531 + metadata: + fofa-query: "wp-content/plugins/dc-woocommerce-multi-vendor/" + google-query: inurl:"/wp-content/plugins/dc-woocommerce-multi-vendor/" + shodan-query: 'vuln:CVE-2024-9531' + tags: cve,wordpress,wp-plugin,dc-woocommerce-multi-vendor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/dc-woocommerce-multi-vendor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "dc-woocommerce-multi-vendor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.4') \ No newline at end of file 
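Review bot: `severity: low` disagrees with the template's own `cvss-score: 4.3` (CVSS 3.1 rates 4.0–6.9 as Medium), and nuclei's `-severity` filter reads `severity`, not the score, so this finding drops out of a medium-and-above scan; change to `severity: medium` and the trailing entry of `tags:` to `medium`. Separately, the word matcher requires the literal directory slug `dc-woocommerce-multi-vendor` in the readme body; if the MultiVendorX readme never mentions its slug, every target is a false negative, so a readme-intrinsic signature such as `Stable tag:` or the `=== … ===` title line is safer.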
diff --git a/poc/cve/CVE-2024-9598-e4c4282517026cf513fa420d41831fe8.yaml b/poc/cve/CVE-2024-9598-e4c4282517026cf513fa420d41831fe8.yaml new file mode 100644 index 0000000000..14baae1fd3 --- /dev/null +++ b/poc/cve/CVE-2024-9598-e4c4282517026cf513fa420d41831fe8.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9598-e4c4282517026cf513fa420d41831fe8 + +info: + name: > + AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 - Cross-Site Request Forgery to Privilege Escalation + author: topscoder + severity: medium + description: > + The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.99.1. This is due to missing or incorrect nonce validation on the 'proxy' function. This makes it possible for unauthenticated attackers to send the logged in user's cookies to their own server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b155ec8-d69d-40cf-8bea-201629bc9ca6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-9598 + metadata: + fofa-query: "wp-content/plugins/accelerated-mobile-pages/" + google-query: inurl:"/wp-content/plugins/accelerated-mobile-pages/" + shodan-query: 'vuln:CVE-2024-9598' + tags: cve,wordpress,wp-plugin,accelerated-mobile-pages,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/accelerated-mobile-pages/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "accelerated-mobile-pages" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.99.1') \ No newline at end of file 
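Review bot: `severity: medium` contradicts `cvss-score: 8.8` and the `C:H/I:H/A:H` vector two lines above it — 8.8 is High on the CVSS 3.1 scale, and the title itself says "Privilege Escalation"; set `severity: high` and the final entry of `tags:` to `high`. As with the other readme-based checks in this commit, the result is a version fingerprint and does not show that the `proxy` endpoint is reachable or that an administrator can be lured; a one-line `# Version fingerprint only; does not exercise the proxy endpoint.` comment above `http:` would make that explicit.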
diff --git a/poc/cve/CVE-2024-9607-815ef285570b4259ae993f3feefc49d6.yaml b/poc/cve/CVE-2024-9607-815ef285570b4259ae993f3feefc49d6.yaml new file mode 100644 index 0000000000..47ae9d57ad --- /dev/null +++ b/poc/cve/CVE-2024-9607-815ef285570b4259ae993f3feefc49d6.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9607-815ef285570b4259ae993f3feefc49d6 + +info: + name: > + 10Web Social Post Feed <= 1.2.9 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The 10Web Social Post Feed plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the leave a review notice is present. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/be151552-827c-43a6-a0e0-da19884448fd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9607 + metadata: + fofa-query: "wp-content/plugins/wd-facebook-feed/" + google-query: inurl:"/wp-content/plugins/wd-facebook-feed/" + shodan-query: 'vuln:CVE-2024-9607' + tags: cve,wordpress,wp-plugin,wd-facebook-feed,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wd-facebook-feed/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wd-facebook-feed" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.9') \ No newline at end of file 
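Review bot: The description says the reflected XSS is only exploitable while the "leave a review" notice is displayed, but the template has no way to observe that and the medium/6.1 rating is applied unconditionally; a comment above `http:` should say so, e.g. `# Version check only; cannot confirm the review notice (required for exploitation) is present.` The word matcher also requires the directory slug `wd-facebook-feed` to appear in `readme.txt`; if the 10Web readme never names its slug this template never fires, so consider matching `Stable tag:` instead.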
diff --git a/poc/cve/CVE-2024-9628-3d855d9a00666119c6c4dc4121ccafb1.yaml b/poc/cve/CVE-2024-9628-3d855d9a00666119c6c4dc4121ccafb1.yaml new file mode 100644 index 0000000000..8bab4dd831 --- /dev/null +++ b/poc/cve/CVE-2024-9628-3d855d9a00666119c6c4dc4121ccafb1.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9628-3d855d9a00666119c6c4dc4121ccafb1 + +info: + name: > + WPS Telegram Chat <= 4.5.4 - Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API + author: topscoder + severity: low + description: > + The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f7e545-5e14-421e-90b4-bc54b23d0fe6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L + cvss-score: 6.3 + cve-id: CVE-2024-9628 + metadata: + fofa-query: "wp-content/plugins/wps-telegram-chat/" + google-query: inurl:"/wp-content/plugins/wps-telegram-chat/" + shodan-query: 'vuln:CVE-2024-9628' + tags: cve,wordpress,wp-plugin,wps-telegram-chat,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wps-telegram-chat/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wps-telegram-chat" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.5.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9630-0ce85caa78ba4624e2a8716c2971cba8.yaml b/poc/cve/CVE-2024-9630-0ce85caa78ba4624e2a8716c2971cba8.yaml new file mode 100644 index 0000000000..31bab72262 --- /dev/null 
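Review bot: `severity: low` conflicts with `cvss-score: 6.3` (Medium); `-severity` filtering uses `severity`, so this should be `severity: medium` with the last entry of `tags:` changed to match. The function name `Wps_Telegram_Chat_Admin::checkСonnection` in the description also appears to contain a non-ASCII "С"; if that is genuinely the plugin's identifier keep it, otherwise it is a copy-paste artifact from the advisory that will defeat text searches for `checkConnection`.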
+++ b/poc/cve/CVE-2024-9630-0ce85caa78ba4624e2a8716c2971cba8.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9630-0ce85caa78ba4624e2a8716c2971cba8 + +info: + name: > + WPS Telegram Chat <= 4.5.4 - Missing Authorization to Information Exposure + author: topscoder + severity: high + description: > + The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.5.4. This makes it possible for unauthenticated attackers to view the messages that are sent through the Telegram Bot API. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/86b9b17f-f819-4316-8565-4e7603cd5de7?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2024-9630 + metadata: + fofa-query: "wp-content/plugins/wps-telegram-chat/" + google-query: inurl:"/wp-content/plugins/wps-telegram-chat/" + shodan-query: 'vuln:CVE-2024-9630' + tags: cve,wordpress,wp-plugin,wps-telegram-chat,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wps-telegram-chat/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wps-telegram-chat" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.5.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9650.yaml b/poc/cve/CVE-2024-9650.yaml new file mode 100644 index 0000000000..1945319af4 --- /dev/null +++ b/poc/cve/CVE-2024-9650.yaml 
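Review bot: `severity: high` does not match `cvss-score: 5.4` (Medium), and the description says "unauthenticated attackers" while the vector carries `PR:L`; one of the two is wrong and should be reconciled against the Wordfence advisory before this ships, with `severity:` and the trailing tag set to whatever the score supports. The `http:` section is the same `readme.txt` version fingerprint as the sibling CVE-2024-9628 template, so both will fire on every WPS Telegram Chat install ≤ 4.5.4 regardless of whether messages are actually exposed; a `# Version fingerprint only` comment above `http:` should say so.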
@@ -0,0 +1,59 @@ +id: CVE-2024-9650 + +info: + name: > + WP Recipe Maker <= 9.6.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'tooltip' + author: topscoder + severity: low + description: > + The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tooltip’ parameter in all versions up to, and including, 9.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/085d06e1-31d3-4c01-8d8e-588c04b79ae3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2024-9650 + metadata: + fofa-query: "wp-content/plugins/wp-recipe-maker/" + google-query: inurl:"/wp-content/plugins/wp-recipe-maker/" + shodan-query: 'vuln:CVE-2024-9650' + tags: cve,wordpress,wp-plugin,wp-recipe-maker,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-recipe-maker/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-recipe-maker" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.6.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml b/poc/cve/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml new file mode 100644 index 0000000000..cca1f43c36 --- /dev/null 
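Review bot: `severity: low` is inconsistent with `cvss-score: 6.5` (Medium); set `severity: medium` and the matching tag. The vector `C:H/I:N/A:N` is also unusual for a stored XSS — every other XSS template in this commit uses `S:C/C:L/I:L` — so please confirm it against the referenced advisory rather than propagating it. The check is a version fingerprint and does not confirm a Contributor-level account or the `tooltip` sink, which is worth a comment above `http:`.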
+++ b/poc/cve/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516 + +info: + name: > + Order Notification for Telegram <= 1.0.1 - Missing Authorization to Unauthenticated Send Telegram Test Message + author: topscoder + severity: high + description: > + The Order Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nktgnfw_send_test_message' function in versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to send a test message via the Telegram Bot API to the user configured in the settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c182b4f2-c67b-4e82-a790-6d98946ebf2c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-9686 + metadata: + fofa-query: "wp-content/plugins/order-notification-for-telegram/" + google-query: inurl:"/wp-content/plugins/order-notification-for-telegram/" + shodan-query: 'vuln:CVE-2024-9686' + tags: cve,wordpress,wp-plugin,order-notification-for-telegram,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/order-notification-for-telegram/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "order-notification-for-telegram" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file 
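Review bot: `severity: high` disagrees with `cvss-score: 5.3` and the `C:N/I:L/A:N` vector, which is Medium; set `severity: medium` and the last entry of `tags:` to `medium` so the finding is ranked consistently with the score. The name's "Unauthenticated" claim is supported by `PR:N` in the vector, so only the severity needs changing. The request is a readme fingerprint and does not exercise `nktgnfw_send_test_message`; a comment above `http:` such as `# Version check only; does not send a test message.` should state that.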
diff --git a/poc/cve/CVE-2024-9864.yaml b/poc/cve/CVE-2024-9864.yaml new file mode 100644 index 0000000000..1faeb5f41f --- /dev/null +++ b/poc/cve/CVE-2024-9864.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9864 + +info: + name: > + EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket names in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when front-end users can submit new events with tickets. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bc2a66cb-ad13-428f-a25a-b2807450aa16?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9864 + metadata: + fofa-query: "wp-content/plugins/eventprime-event-calendar-management/" + google-query: inurl:"/wp-content/plugins/eventprime-event-calendar-management/" + shodan-query: 'vuln:CVE-2024-9864' + tags: cve,wordpress,wp-plugin,eventprime-event-calendar-management,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eventprime-event-calendar-management/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eventprime-event-calendar-management" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.4.7') \ No newline at end of file 
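Review bot: `severity: high` conflicts with `cvss-score: 6.1` (Medium), and the description adds that the issue is only exploitable when front-end event submission is enabled, which a `readme.txt` fetch cannot establish; set `severity: medium`, update the trailing tag, and add a comment above `http:` such as `# Version check only; does not confirm front-end event submission is enabled.` The word matcher needs the slug `eventprime-event-calendar-management` in the readme body; if the EventPrime readme does not contain that string the template is a permanent false negative, so `Stable tag:` is the safer signature.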
diff --git a/poc/cve/CVE-2024-9865.yaml b/poc/cve/CVE-2024-9865.yaml new file mode 100644 index 0000000000..a79b8af42c --- /dev/null +++ b/poc/cve/CVE-2024-9865.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9865 + +info: + name: > + EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 - Unauthenticated Stored Cross-Site Scripting via Transaction Log + author: topscoder + severity: high + description: > + The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ep_booking_attendee_fields’ fields in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the transaction log for a booking. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/18ded977-5297-4b6f-b9f3-0567f995d08a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9865 + metadata: + fofa-query: "wp-content/plugins/eventprime-event-calendar-management/" + google-query: inurl:"/wp-content/plugins/eventprime-event-calendar-management/" + shodan-query: 'vuln:CVE-2024-9865' + tags: cve,wordpress,wp-plugin,eventprime-event-calendar-management,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eventprime-event-calendar-management/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eventprime-event-calendar-management" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.4.7') \ No newline at end of file 
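Review bot: `severity: high` does not match `cvss-score: 6.1` (Medium); set `severity: medium` and the last entry of `tags:`. `info.name` also calls the plugin "EventPrime – Modern Events Calendar" while the description says "EventPrime – Events Calendar"; pick one so report grouping by name stays stable. This template and CVE-2024-9864 send the identical request with identical matchers, so both findings will always appear together on an affected install without either confirming the `ep_booking_attendee_fields` sink.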
diff --git a/poc/cve/CVE-2024-9943.yaml b/poc/cve/CVE-2024-9943.yaml new file mode 100644 index 0000000000..2094b43513 --- /dev/null +++ b/poc/cve/CVE-2024-9943.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9943 + +info: + name: > + MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Cross-Site Request Forgery to Vendor Updates + author: topscoder + severity: medium + description: > + The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.4. This is due to missing or incorrect nonce validation on several functions in api/class-mvx-rest-controller.php. This makes it possible for unauthenticated attackers to update vendor account details, create vendor accounts, and delete arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b950faf9-2122-42af-9f05-ec850767be32?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + cvss-score: 6.3 + cve-id: CVE-2024-9943 + metadata: + fofa-query: "wp-content/plugins/dc-woocommerce-multi-vendor/" + google-query: inurl:"/wp-content/plugins/dc-woocommerce-multi-vendor/" + shodan-query: 'vuln:CVE-2024-9943' + tags: cve,wordpress,wp-plugin,dc-woocommerce-multi-vendor,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/dc-woocommerce-multi-vendor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "dc-woocommerce-multi-vendor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.4') \ No newline at end of file 
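Review bot: A `readme.txt` fetch cannot show that the routes in `api/class-mvx-rest-controller.php` lack nonce checks, so the finding should be worded as "version in affected range"; a comment above `http:` such as `# Version fingerprint only; REST routes are not exercised.` would prevent the CSRF description from being read as verified. Many hardened sites block or strip `readme.txt`, and this template has no alternate fingerprint path, so absence of a hit is not evidence of a patched install. Finally the word matcher requires the slug `dc-woocommerce-multi-vendor` to appear in the readme body, which is not guaranteed — `Stable tag:` is a more reliable readme signature.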
diff --git a/poc/google/google-map-locations.yaml b/poc/google/google-map-locations.yaml new file mode 100644 index 0000000000..038ee9bc41 --- /dev/null +++ b/poc/google/google-map-locations.yaml @@ -0,0 +1,59 @@ +id: google-map-locations + +info: + name: > + Google Map Locations <= 1.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1a253ebd-c1c1-4a8f-a02a-67b244f840ce?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/google-map-locations/" + google-query: inurl:"/wp-content/plugins/google-map-locations/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,google-map-locations,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/google-map-locations/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "google-map-locations" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/microsoft/safetymails-forms.yaml b/poc/microsoft/safetymails-forms.yaml new file mode 100644 index 0000000000..abcf33134a --- /dev/null +++ b/poc/microsoft/safetymails-forms.yaml 
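Review bot: `classification.cvss-metrics`, `cvss-score` and `cve-id` are all bare keys (YAML null), `description: >` has no body, and `shodan-query: 'vuln:'` is a query with no value, yet `tags:` still begins with `cve` — consumers filtering on the `cve` tag or reading `cve-id` get a template that claims a CVE it does not carry. Either fill these from the referenced advisory or drop the empty keys and the tag, e.g. `tags: wordpress,wp-plugin,google-map-locations,medium`. The `severity: medium` value is supported by nothing else in the file, so note its source in a comment if it stays.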
@@ -0,0 +1,59 @@ +id: safetymails-forms + +info: + name: > + SafetyForms <= 1.0.0 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/58b026c8-ad67-4c77-8770-2b3b87bb2dfd?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/safetymails-forms/" + google-query: inurl:"/wp-content/plugins/safetymails-forms/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,safetymails-forms,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/safetymails-forms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "safetymails-forms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.0') \ No newline at end of file diff --git a/poc/other/accelerated-mobile-pages-526f65506d760c7154592ed6b352efac.yaml b/poc/other/accelerated-mobile-pages-526f65506d760c7154592ed6b352efac.yaml new file mode 100644 index 0000000000..a13238f8c9 --- /dev/null +++ b/poc/other/accelerated-mobile-pages-526f65506d760c7154592ed6b352efac.yaml 
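Review bot: This file is written to `poc/microsoft/safetymails-forms.yaml` although it targets a WordPress plugin; the directory looks like a keyword mis-bucketing and will mislead anyone selecting templates by category, so it belongs with the other plugin templates. As with the other `api-scan` templates in this commit, `description`, `cvss-metrics`, `cvss-score` and `cve-id` are empty and `shodan-query` is the bare `vuln:`, while `tags:` still carries `cve`; drop the `cve` tag or fill `cve-id`, and remove the empty classification keys rather than leaving nulls.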
@@ -0,0 +1,59 @@ +id: accelerated-mobile-pages-526f65506d760c7154592ed6b352efac + +info: + name: > + AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 - Cross-Site Request Forgery to Privilege Escalation + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b155ec8-d69d-40cf-8bea-201629bc9ca6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/accelerated-mobile-pages/" + google-query: inurl:"/wp-content/plugins/accelerated-mobile-pages/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,accelerated-mobile-pages,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/accelerated-mobile-pages/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "accelerated-mobile-pages" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.99.1') \ No newline at end of file diff --git a/poc/other/advanced-advertising-system.yaml b/poc/other/advanced-advertising-system.yaml new file mode 100644 index 0000000000..b2aecd9c8f --- /dev/null +++ b/poc/other/advanced-advertising-system.yaml 
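Review bot: This template duplicates `CVE-2024-9598-e4c4…` from the same commit — both cite Wordfence advisory `6b155ec8-d69d-40cf-8bea-201629bc9ca6`, the same slug, the same `<= 1.0.99.1` bound and identical request and matchers — but this copy has empty `description`, `cvss-*` and `cve-id` keys and the bare `shodan-query: 'vuln:'`. Running both yields two findings for one issue; drop this one, or at least list the CVE template under `reference:` and remove the `cve` tag from a file that names no CVE.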
@@ -0,0 +1,59 @@ +id: advanced-advertising-system + +info: + name: > + Advanced Advertising System <= 1.3.1 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/602e088e-57af-4b30-96c3-a44b2a8e4edb?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/advanced-advertising-system/" + google-query: inurl:"/wp-content/plugins/advanced-advertising-system/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,advanced-advertising-system,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/advanced-advertising-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "advanced-advertising-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.1') \ No newline at end of file diff --git a/poc/other/app-builder-d0dffcaa66a40dc2bcdc4d07c3a4381d.yaml b/poc/other/app-builder-d0dffcaa66a40dc2bcdc4d07c3a4381d.yaml new file mode 100644 index 0000000000..91c8c6d0a4 --- /dev/null +++ b/poc/other/app-builder-d0dffcaa66a40dc2bcdc4d07c3a4381d.yaml 
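Review bot: `severity: critical` and the `critical` tag have no supporting `cvss-score` or `cvss-metrics` — both keys are null — and `cve-id` is empty while `tags:` still includes `cve`; fill the classification from the advisory or state in a comment that the severity is taken from Wordfence's rating. The `description: >` block is empty, so a reader gets no indication of where the unauthenticated object-injection entry point is. The check itself is a readme version fingerprint and attempts no deserialization, which should be said above `http:`.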
@@ -0,0 +1,59 @@ +id: app-builder-d0dffcaa66a40dc2bcdc4d07c3a4381d + +info: + name: > + App Builder – Create Native Android & iOS Apps On The Flight <= 5.3.7 - Privilege Escalation and Account Takeover via Weak OTP + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0eb9d676-4fa0-4bdc-af44-5d7e1dd8c6e6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/app-builder/" + google-query: inurl:"/wp-content/plugins/app-builder/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,app-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/app-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "app-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.3.7') \ No newline at end of file diff --git a/poc/other/bamazoo-button-generator-5054ec6f419d465fde7a9bbb9279a5d2.yaml b/poc/other/bamazoo-button-generator-5054ec6f419d465fde7a9bbb9279a5d2.yaml new file mode 100644 index 0000000000..b7e9f7c1ef --- /dev/null +++ b/poc/other/bamazoo-button-generator-5054ec6f419d465fde7a9bbb9279a5d2.yaml 
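Review bot: `severity: low` sits under a title claiming "Privilege Escalation and Account Takeover via Weak OTP", and with `cvss-score` and `cvss-metrics` both empty nothing in the file justifies ranking an account takeover as low; confirm the advisory's score and set `severity:` and the trailing tag accordingly. The `cve-id` key is empty yet `tags:` begins with `cve`, and `shodan-query: 'vuln:'` is not a usable query — remove or fill them rather than shipping nulls.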
@@ -0,0 +1,59 @@ +id: bamazoo-button-generator-5054ec6f419d465fde7a9bbb9279a5d2 + +info: + name: > + Bamazoo – Button Generator <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/543507a1-02de-417f-a742-7764465987b2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bamazoo-button-generator/" + google-query: inurl:"/wp-content/plugins/bamazoo-button-generator/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bamazoo-button-generator,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bamazoo-button-generator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bamazoo-button-generator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/other/beek-widget-extention-e72e52716f8a1d9dc15935fb7386c752.yaml b/poc/other/beek-widget-extention-e72e52716f8a1d9dc15935fb7386c752.yaml new file mode 100644 index 0000000000..8b640f9b72 --- /dev/null +++ b/poc/other/beek-widget-extention-e72e52716f8a1d9dc15935fb7386c752.yaml 
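Review bot: `description`, `cvss-metrics`, `cvss-score` and `cve-id` are all empty while `tags:` still claims `cve`; either fill them from the referenced advisory or drop the tag and the null keys. With no score present the `severity: low` rating cannot be checked against the advisory, so add the Wordfence score or a comment naming its source. The detection is a `readme.txt` version fingerprint and does not confirm that a Contributor account can place the `dgs` shortcode, which a comment above `http:` should say.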
@@ -0,0 +1,59 @@ +id: beek-widget-extention-e72e52716f8a1d9dc15935fb7386c752 + +info: + name: > + Beek Widget Extention <= 0.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4afc8de7-0d7e-4dee-972e-3eb707cd7b2b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/beek-widget-extention/" + google-query: inurl:"/wp-content/plugins/beek-widget-extention/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,beek-widget-extention,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beek-widget-extention/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beek-widget-extention" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.9.5') \ No newline at end of file diff --git a/poc/other/buddypress-5f27cc718978f95bbc28160117d5d092.yaml b/poc/other/buddypress-5f27cc718978f95bbc28160117d5d092.yaml new file mode 100644 index 0000000000..893dec4bbe --- /dev/null +++ b/poc/other/buddypress-5f27cc718978f95bbc28160117d5d092.yaml 
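Review bot: `cve-id` is empty but `tags:` starts with `cve`, `description: >` has no body, and `cvss-metrics`/`cvss-score` are null keys, so the `severity: low` rating cannot be verified from the file; fill these from the advisory or drop the `cve` tag and the empty keys. The misspelt slug `beek-widget-extention` is presumably the plugin's real directory name and should stay as written in the path and word matcher, but that is worth a one-line comment so it is not "corrected" later.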
@@ -0,0 +1,59 @@ +id: buddypress-5f27cc718978f95bbc28160117d5d092 + +info: + name: > + BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4327f414-64f4-4193-a5c0-2a5ecdd75e11?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/buddypress/" + google-query: inurl:"/wp-content/plugins/buddypress/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,buddypress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/buddypress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "buddypress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 14.1.0') \ No newline at end of file diff --git a/poc/other/cf7-repeatable-fields.yaml b/poc/other/cf7-repeatable-fields.yaml new file mode 100644 index 0000000000..95ff6492d0 --- /dev/null +++ b/poc/other/cf7-repeatable-fields.yaml 
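Review bot: `severity: low` for an authenticated directory traversal in BuddyPress is supported by nothing in the file — `cvss-score` and `cvss-metrics` are null — so the rating should be confirmed against advisory `4327f414…` and recorded, with `description` filled in so a reader knows which component traverses. `tags:` begins with `cve` although `cve-id` is empty, and `shodan-query: 'vuln:'` is a bare query; drop or complete them. The word matcher `buddypress` is the plugin's own name rather than an unrelated directory slug, so it is more likely to appear in the readme than some siblings' matchers, but the check is still only a version fingerprint.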
@@ -0,0 +1,59 @@ +id: cf7-repeatable-fields + +info: + name: > + Contact Form 7 - Repeatable Fields <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via field_group Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0782bc16-7d21-4205-af01-97e3ad3db40b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/cf7-repeatable-fields/" + google-query: inurl:"/wp-content/plugins/cf7-repeatable-fields/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,cf7-repeatable-fields,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cf7-repeatable-fields/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cf7-repeatable-fields" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.1') \ No newline at end of file diff --git a/poc/other/duplicate-title-validate.yaml b/poc/other/duplicate-title-validate.yaml new file mode 100644 index 0000000000..a5297e3e9f --- /dev/null +++ b/poc/other/duplicate-title-validate.yaml 
@@ -0,0 +1,59 @@ +id: duplicate-title-validate + +info: + name: > + Duplicate Title Validate <= 1.0 - Authenticated (Subscriber+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ce5b3390-75c2-4288-91a6-f9ceb893a952?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/duplicate-title-validate/" + google-query: inurl:"/wp-content/plugins/duplicate-title-validate/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,duplicate-title-validate,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/duplicate-title-validate/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "duplicate-title-validate" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/other/ferma-ru-net-checkout.yaml b/poc/other/ferma-ru-net-checkout.yaml new file mode 100644 index 0000000000..97d08f3126 --- /dev/null +++ b/poc/other/ferma-ru-net-checkout.yaml 
@@ -0,0 +1,59 @@ +id: ferma-ru-net-checkout + +info: + name: > + FERMA.ru.net <= 1.3.3 - Authenticated (Subscriber+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/30bf7a5f-bc1a-4c3b-a49e-79543271e620?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ferma-ru-net-checkout/" + google-query: inurl:"/wp-content/plugins/ferma-ru-net-checkout/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ferma-ru-net-checkout,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ferma-ru-net-checkout/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ferma-ru-net-checkout" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.3') \ No newline at end of file diff --git a/poc/other/flexible-shipping-ups-81fa7ec035fed91b2dce3c153ee54628.yaml b/poc/other/flexible-shipping-ups-81fa7ec035fed91b2dce3c153ee54628.yaml new file mode 100644 index 0000000000..9177b09969 --- /dev/null +++ b/poc/other/flexible-shipping-ups-81fa7ec035fed91b2dce3c153ee54628.yaml 
@@ -0,0 +1,59 @@ +id: flexible-shipping-ups-81fa7ec035fed91b2dce3c153ee54628 + +info: + name: > + UPS Live Rates and Access Points <= 2.3.11 - Missing Authorization to Plugin API key reset + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/699fdea9-15ae-4882-9723-9a98d7d53c74?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/flexible-shipping-ups/" + google-query: inurl:"/wp-content/plugins/flexible-shipping-ups/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,flexible-shipping-ups,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/flexible-shipping-ups/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "flexible-shipping-ups" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.11') \ No newline at end of file diff --git a/poc/other/gerryworks-post-by-mail.yaml b/poc/other/gerryworks-post-by-mail.yaml new file mode 100644 index 0000000000..050737feea --- /dev/null +++ b/poc/other/gerryworks-post-by-mail.yaml 
@@ -0,0 +1,59 @@ +id: gerryworks-post-by-mail + +info: + name: > + GERRYWORKS Post by Mail <= 1.0 - Contributor+ Privilege Escalation + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3856289b-6e82-4d05-afa2-ea561a4e5c30?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/gerryworks-post-by-mail/" + google-query: inurl:"/wp-content/plugins/gerryworks-post-by-mail/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,gerryworks-post-by-mail,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/gerryworks-post-by-mail/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "gerryworks-post-by-mail" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/other/league-of-legends-shortcodes-18aa008d427ba0ab00e482b3b0ad3be0.yaml b/poc/other/league-of-legends-shortcodes-18aa008d427ba0ab00e482b3b0ad3be0.yaml new file mode 100644 index 0000000000..a275d1c1f0 --- /dev/null +++ b/poc/other/league-of-legends-shortcodes-18aa008d427ba0ab00e482b3b0ad3be0.yaml 
@@ -0,0 +1,59 @@ +id: league-of-legends-shortcodes-18aa008d427ba0ab00e482b3b0ad3be0 + +info: + name: > + League of Legends Shortcodes <= 1.0.1 - Authenticated (Contributor+) SQL Injection via Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/22ddafad-9214-4d32-9fc3-3f3c759633ad?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/league-of-legends-shortcodes/" + google-query: inurl:"/wp-content/plugins/league-of-legends-shortcodes/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,league-of-legends-shortcodes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/league-of-legends-shortcodes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "league-of-legends-shortcodes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/other/league-of-legends-shortcodes-f987b27d0774c0d4f28fd011de2278fd.yaml b/poc/other/league-of-legends-shortcodes-f987b27d0774c0d4f28fd011de2278fd.yaml new file mode 100644 index 0000000000..09229447ff --- /dev/null +++ b/poc/other/league-of-legends-shortcodes-f987b27d0774c0d4f28fd011de2278fd.yaml 
@@ -0,0 +1,59 @@ +id: league-of-legends-shortcodes-f987b27d0774c0d4f28fd011de2278fd + +info: + name: > + League of Legends Shortcodes <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/45e96aa3-97bb-4774-a1b5-5f0a7b18293e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/league-of-legends-shortcodes/" + google-query: inurl:"/wp-content/plugins/league-of-legends-shortcodes/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,league-of-legends-shortcodes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/league-of-legends-shortcodes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "league-of-legends-shortcodes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/other/mytweetlinks.yaml b/poc/other/mytweetlinks.yaml new file mode 100644 index 0000000000..dc342156d1 --- /dev/null +++ b/poc/other/mytweetlinks.yaml 
@@ -0,0 +1,59 @@ +id: mytweetlinks + +info: + name: > + MyTweetLinks <= 1.1.1 - Authenticated (Subscriber+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f727d82e-8295-4440-90fa-dc41b1d02f8f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/mytweetlinks/" + google-query: inurl:"/wp-content/plugins/mytweetlinks/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,mytweetlinks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mytweetlinks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mytweetlinks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.1') \ No newline at end of file diff --git a/poc/other/order-notification-for-telegram-885b4503787511c543bb6855aef08767.yaml b/poc/other/order-notification-for-telegram-885b4503787511c543bb6855aef08767.yaml new file mode 100644 index 0000000000..f4fb0ff0a8 --- /dev/null +++ b/poc/other/order-notification-for-telegram-885b4503787511c543bb6855aef08767.yaml 
@@ -0,0 +1,59 @@ +id: order-notification-for-telegram-885b4503787511c543bb6855aef08767 + +info: + name: > + Order Notification for Telegram <= 1.0.1 - Missing Authorization to Unauthenticated Send Telegram Test Message + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c182b4f2-c67b-4e82-a790-6d98946ebf2c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/order-notification-for-telegram/" + google-query: inurl:"/wp-content/plugins/order-notification-for-telegram/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,order-notification-for-telegram,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/order-notification-for-telegram/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "order-notification-for-telegram" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/other/rate-own-post.yaml b/poc/other/rate-own-post.yaml new file mode 100644 index 0000000000..b41d8cb5bc --- /dev/null +++ b/poc/other/rate-own-post.yaml 
@@ -0,0 +1,59 @@ +id: rate-own-post + +info: + name: > + Rate Own Post <= 1.0 - Authenticated (Subscriber+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/547830df-eb90-471b-87be-5c5f2fc52b36?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/rate-own-post/" + google-query: inurl:"/wp-content/plugins/rate-own-post/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,rate-own-post,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/rate-own-post/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "rate-own-post" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/other/sermonaudio-widgets.yaml b/poc/other/sermonaudio-widgets.yaml new file mode 100644 index 0000000000..0173ad6b45 --- /dev/null +++ b/poc/other/sermonaudio-widgets.yaml 
@@ -0,0 +1,59 @@ +id: sermonaudio-widgets + +info: + name: > + SermonAudio Widgets <= 1.9.3 - Authenticated (Contributor+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bb3be09d-6f65-48cc-b692-f4231d3f6858?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/sermonaudio-widgets/" + google-query: inurl:"/wp-content/plugins/sermonaudio-widgets/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,sermonaudio-widgets,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sermonaudio-widgets/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sermonaudio-widgets" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9.3') \ No newline at end of file diff --git a/poc/other/shipyaari-shipping-managment.yaml b/poc/other/shipyaari-shipping-managment.yaml new file mode 100644 index 0000000000..09ebe136a5 --- /dev/null +++ b/poc/other/shipyaari-shipping-managment.yaml 
@@ -0,0 +1,59 @@ +id: shipyaari-shipping-managment + +info: + name: > + Shipyaari Shipping Management <= 1.2 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a1ce59bf-2d59-4c15-8be1-0d733526d1eb?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/shipyaari-shipping-managment/" + google-query: inurl:"/wp-content/plugins/shipyaari-shipping-managment/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,shipyaari-shipping-managment,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/shipyaari-shipping-managment/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "shipyaari-shipping-managment" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2') \ No newline at end of file diff --git a/poc/other/shoutcast-icecast-html5-radio-player-dea29291f8f4b3d4798ec5a1427f8216.yaml b/poc/other/shoutcast-icecast-html5-radio-player-dea29291f8f4b3d4798ec5a1427f8216.yaml new file mode 100644 index 0000000000..2364cd1591 --- /dev/null +++ b/poc/other/shoutcast-icecast-html5-radio-player-dea29291f8f4b3d4798ec5a1427f8216.yaml 
@@ -0,0 +1,59 @@ +id: shoutcast-icecast-html5-radio-player-dea29291f8f4b3d4798ec5a1427f8216 + +info: + name: > + Shoutcast Icecast HTML5 Radio Player <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7e870ae2-abae-457a-b3d1-75a96ec09d41?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/shoutcast-icecast-html5-radio-player/" + google-query: inurl:"/wp-content/plugins/shoutcast-icecast-html5-radio-player/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,shoutcast-icecast-html5-radio-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/shoutcast-icecast-html5-radio-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "shoutcast-icecast-html5-radio-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.6') \ No newline at end of file diff --git a/poc/other/simple-code-insert-shortcode.yaml b/poc/other/simple-code-insert-shortcode.yaml new file mode 100644 index 0000000000..8c84471b2d --- /dev/null +++ b/poc/other/simple-code-insert-shortcode.yaml 
@@ -0,0 +1,59 @@ +id: simple-code-insert-shortcode + +info: + name: > + Simple Code Insert Shortcode <= 1.0 - Authenticated (Contributor+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/004e7773-31b9-47e5-a26b-64e75b6b2f9d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/simple-code-insert-shortcode/" + google-query: inurl:"/wp-content/plugins/simple-code-insert-shortcode/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,simple-code-insert-shortcode,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-code-insert-shortcode/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-code-insert-shortcode" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/other/simple-news-255def006aa11dd7cff8831e3d71b7b6.yaml b/poc/other/simple-news-255def006aa11dd7cff8831e3d71b7b6.yaml new file mode 100644 index 0000000000..24b1dda7b0 --- /dev/null +++ b/poc/other/simple-news-255def006aa11dd7cff8831e3d71b7b6.yaml 
@@ -0,0 +1,59 @@ +id: simple-news-255def006aa11dd7cff8831e3d71b7b6 + +info: + name: > + Simple News <= 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/79147dad-4bce-40fb-b9c1-e211845251a0?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/simple-news/" + google-query: inurl:"/wp-content/plugins/simple-news/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,simple-news,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-news/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-news" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8') \ No newline at end of file diff --git a/poc/other/sw-contact-form.yaml b/poc/other/sw-contact-form.yaml new file mode 100644 index 0000000000..88fcccb4ab --- /dev/null +++ b/poc/other/sw-contact-form.yaml 
@@ -0,0 +1,59 @@ +id: sw-contact-form + +info: + name: > + SW Contact Form <= 1.0 - Authenticated (Subscriber+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/20f1600e-6404-4f60-b415-e6588e26f97d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/sw-contact-form/" + google-query: inurl:"/wp-content/plugins/sw-contact-form/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,sw-contact-form,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sw-contact-form/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sw-contact-form" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/social/social-link-groups.yaml b/poc/social/social-link-groups.yaml new file mode 100644 index 0000000000..ce41085a84 --- /dev/null +++ b/poc/social/social-link-groups.yaml 
@@ -0,0 +1,59 @@ +id: social-link-groups + +info: + name: > + Social Link Groups <= 1.1.0 - Authenticated (Contributor+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fb4dc258-a1b2-4e7c-8bba-1b3162b8954b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/social-link-groups/" + google-query: inurl:"/wp-content/plugins/social-link-groups/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,social-link-groups,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/social-link-groups/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "social-link-groups" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.0') \ No newline at end of file diff --git a/poc/social/wd-facebook-feed-dce3723535fd3999bc0316d05545981a.yaml b/poc/social/wd-facebook-feed-dce3723535fd3999bc0316d05545981a.yaml new file mode 100644 index 0000000000..3b042f8d98 --- /dev/null +++ b/poc/social/wd-facebook-feed-dce3723535fd3999bc0316d05545981a.yaml 
@@ -0,0 +1,59 @@ +id: wd-facebook-feed-dce3723535fd3999bc0316d05545981a + +info: + name: > + 10Web Social Post Feed <= 1.2.9 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/be151552-827c-43a6-a0e0-da19884448fd?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wd-facebook-feed/" + google-query: inurl:"/wp-content/plugins/wd-facebook-feed/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wd-facebook-feed,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wd-facebook-feed/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wd-facebook-feed" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.9') \ No newline at end of file diff --git a/poc/sql/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml b/poc/sql/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml new file mode 100644 index 0000000000..d8c9c7d8b2 --- /dev/null +++ b/poc/sql/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492 + +info: + name: > + Beek Widget Extention <= 0.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode + author: topscoder + severity: low + description: > + The Beek Widget Extention plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4afc8de7-0d7e-4dee-972e-3eb707cd7b2b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10343 + metadata: + fofa-query: "wp-content/plugins/beek-widget-extention/" + google-query: inurl:"/wp-content/plugins/beek-widget-extention/" + shodan-query: 'vuln:CVE-2024-10343' + tags: cve,wordpress,wp-plugin,beek-widget-extention,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beek-widget-extention/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beek-widget-extention" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.9.5') \ No newline at end of file 
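Review bot: `severity: low` (repeated as the last entry of `tags`) does not match `cvss-score: 6.4`, which falls in the Medium band (4.0–6.9) of the CVSS v3.1 qualitative scale; the same mismatch is in poc/sql/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml (`low` with 4.3) and poc/sql/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml (`high` with 5.3). Scanners and downstream triage commonly filter on the `severity` field rather than the score, so a 6.4 finding labelled low is easily dropped and a 5.3 labelled high is over-escalated. Derive the label from the score, `severity: medium` and `tags: cve,wordpress,wp-plugin,beek-widget-extention,medium`, or add a comment above `severity` explaining why the two are intentionally different.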
diff --git a/poc/sql/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml b/poc/sql/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml new file mode 100644 index 0000000000..8c5b69cbae --- /dev/null +++ b/poc/sql/CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-48024-1ddc9ae6987f7e744de734513560dbad + +info: + name: > + Keep Backup Daily <= 2.0.8 - Unauthenticated Information Disclosure + author: topscoder + severity: medium + description: > + The Keep Backup Daily plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8b007bf9-9756-4f18-81b9-7d4b15c5dca8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-48024 + metadata: + fofa-query: "wp-content/plugins/keep-backup-daily/" + google-query: inurl:"/wp-content/plugins/keep-backup-daily/" + shodan-query: 'vuln:CVE-2024-48024' + tags: cve,wordpress,wp-plugin,keep-backup-daily,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/keep-backup-daily/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "keep-backup-daily" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.8') \ No newline at end of file 
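Review bot: The `http` block only scrapes the `Stable tag` line from readme.txt and compares it with `<= 2.0.8`; nothing in the request touches the information-disclosure path, so a match means "a readme declaring a vulnerable version is reachable", not that the flaw is present, and an installation whose readme.txt was removed or left stale is misreported in either direction. This holds for every template in the commit, and none of the new files ends with a newline (`\ No newline at end of file`). A one-line comment above `http:` such as `# Version fingerprint only: matches the readme.txt "Stable tag"; it does not verify the disclosure` would keep triage honest, and the two extractors both named `version` (one `internal: true`, one not) deserve a short comment stating that the second exists only to surface the value in output, if that is indeed the intent.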
diff --git a/poc/sql/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml b/poc/sql/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml new file mode 100644 index 0000000000..1f945bf8b0 --- /dev/null +++ b/poc/sql/CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8802-1bbf0ac93983a3758c6cebdb70935c10 + +info: + name: > + Clio Grow <= 1.0.2 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Clio Grow plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/10fcfddf-0ed7-471d-86bf-c38e7021c6a4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8802 + metadata: + fofa-query: "wp-content/plugins/clio-grow-form/" + google-query: inurl:"/wp-content/plugins/clio-grow-form/" + shodan-query: 'vuln:CVE-2024-8802' + tags: cve,wordpress,wp-plugin,clio-grow-form,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clio-grow-form/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clio-grow-form" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml b/poc/sql/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml new file mode 100644 index 0000000000..3b8f461a8d --- /dev/null +++ b/poc/sql/CVE-2024-9109-db046fec044ec68a48276b8ee3af3015.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9109-db046fec044ec68a48276b8ee3af3015 + +info: + name: > + UPS Live Rates and Access Points <= 2.3.11 - Missing Authorization to Plugin API key reset + author: topscoder + severity: low + description: > + The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/699fdea9-15ae-4882-9723-9a98d7d53c74?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-9109 + metadata: + fofa-query: "wp-content/plugins/flexible-shipping-ups/" + google-query: inurl:"/wp-content/plugins/flexible-shipping-ups/" + shodan-query: 'vuln:CVE-2024-9109' + tags: cve,wordpress,wp-plugin,flexible-shipping-ups,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/flexible-shipping-ups/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "flexible-shipping-ups" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.11') \ No newline at end of file diff --git a/poc/sql/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml b/poc/sql/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml new file mode 100644 index 0000000000..cca1f43c36 --- /dev/null 
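Review bot: `severity: low` and the trailing `low` tag disagree with the `classification` block in the same file: the vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N` and `cvss-score: 4.3` fall in the 4.0–6.9 band, which is Medium on the CVSS v3.1 qualitative scale. Unless the corpus deliberately uses a different rating source, change `severity: medium` and `tags: cve,wordpress,wp-plugin,flexible-shipping-ups,medium` so filtering by severity and by tag stays consistent with the score. As with the other templates in this commit, the check is readme-version only and does not call `delete_oauth_data`, which is worth stating in the description.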
+++ b/poc/sql/CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9686-0cacdb2f49f04713e2869267a33b0516 + +info: + name: > + Order Notification for Telegram <= 1.0.1 - Missing Authorization to Unauthenticated Send Telegram Test Message + author: topscoder + severity: high + description: > + The Order Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nktgnfw_send_test_message' function in versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to send a test message via the Telegram Bot API to the user configured in the settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c182b4f2-c67b-4e82-a790-6d98946ebf2c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-9686 + metadata: + fofa-query: "wp-content/plugins/order-notification-for-telegram/" + google-query: inurl:"/wp-content/plugins/order-notification-for-telegram/" + shodan-query: 'vuln:CVE-2024-9686' + tags: cve,wordpress,wp-plugin,order-notification-for-telegram,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/order-notification-for-telegram/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "order-notification-for-telegram" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file 
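Review bot: `severity: high` contradicts the `cvss-score: 5.3` and the vector `PR:N/UI:N/S:U/C:N/I:L/A:N` two lines above it; 5.3 is Medium on the CVSS v3.1 qualitative scale, and an unauthenticated "send a test message" primitive with integrity-low impact does not read as High either. Align the two fields, `severity: medium` and `tags: cve,wordpress,wp-plugin,order-notification-for-telegram,medium`, or document why the rating is intentionally raised above the score. The template is filed under `poc/sql/` although the finding is a missing capability check, and nothing in the request exercises `nktgnfw_send_test_message`; the match is version detection via `readme.txt` only.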
diff --git a/poc/sql/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml b/poc/sql/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml new file mode 100644 index 0000000000..045662f389 --- /dev/null +++ b/poc/sql/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml @@ -0,0 +1,59 @@ +id: file-upload-types-0ae0add1178211808ca9adb56c0020f3 + +info: + name: > + File Upload Types by WPForms <= 1.4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/17988a66-5b48-4f57-96f8-74e539bc875e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/file-upload-types/" + google-query: inurl:"/wp-content/plugins/file-upload-types/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,file-upload-types,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/file-upload-types/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "file-upload-types" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.0') \ No newline at end of file diff --git a/poc/upload/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml b/poc/upload/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml new file mode 100644 index 0000000000..045662f389 --- /dev/null +++ b/poc/upload/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml 
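Review bot: The `classification` block leaves `cvss-metrics:`, `cvss-score:` and `cve-id:` as bare keys, which YAML parses as `null`, and `description: >` is followed by nothing, so the template carries no explanation of the SVG stored-XSS it claims to detect; the `tags` line still advertises `cve` although no identifier is present, and `shodan-query: 'vuln:'` is an incomplete query that returns nothing meaningful. Fill the description from the referenced Wordfence advisory, drop the empty classification keys rather than emitting nulls, and use `tags: wordpress,wp-plugin,file-upload-types,low` until a CVE is assigned. The `poc/sql/` directory is also wrong for an SVG-upload XSS finding; the same file is committed again under `poc/upload/` in the next hunk.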
@@ -0,0 +1,59 @@ +id: file-upload-types-0ae0add1178211808ca9adb56c0020f3 + +info: + name: > + File Upload Types by WPForms <= 1.4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/17988a66-5b48-4f57-96f8-74e539bc875e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/file-upload-types/" + google-query: inurl:"/wp-content/plugins/file-upload-types/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,file-upload-types,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/file-upload-types/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "file-upload-types" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.0') \ No newline at end of file diff --git a/poc/wordpress/mapster-wp-maps-d4ffe72e619c5820adacd75a0bb10771.yaml b/poc/wordpress/mapster-wp-maps-d4ffe72e619c5820adacd75a0bb10771.yaml new file mode 100644 index 0000000000..46470a9ca6 --- /dev/null +++ b/poc/wordpress/mapster-wp-maps-d4ffe72e619c5820adacd75a0bb10771.yaml 
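Review bot: This file is a byte-for-byte copy of `poc/sql/file-upload-types-0ae0add1178211808ca9adb56c0020f3.yaml` from the previous hunk (both headers show the same blob `045662f389`) and it keeps the identical `id: file-upload-types-0ae0add1178211808ca9adb56c0020f3`. nuclei keys templates by `id`, so loading both directories will, as far as I recall, produce a duplicate-ID warning and either skip one copy or report the same finding twice. Keep a single copy (the `poc/upload/` location fits an SVG-upload XSS) and remove the `poc/sql/` one, or give the copies distinct ids if both must exist. The empty `description`, null `classification` values and the `cve` tag without a `cve-id` apply here exactly as in the sibling file.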
@@ -0,0 +1,59 @@ +id: mapster-wp-maps-d4ffe72e619c5820adacd75a0bb10771 + +info: + name: > + Mapster WP Maps <= 1.5.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b81c2990-68d1-4d45-9724-262ec017caf1?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/mapster-wp-maps/" + google-query: inurl:"/wp-content/plugins/mapster-wp-maps/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,mapster-wp-maps,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mapster-wp-maps/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mapster-wp-maps" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.0') \ No newline at end of file diff --git a/poc/wordpress/wp-awesome-buttons-2820dda94c4351eb470773e65bbd82be.yaml b/poc/wordpress/wp-awesome-buttons-2820dda94c4351eb470773e65bbd82be.yaml new file mode 100644 index 0000000000..4b82dd6e34 --- /dev/null +++ b/poc/wordpress/wp-awesome-buttons-2820dda94c4351eb470773e65bbd82be.yaml 
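Review bot: `description: >` has no content, so the template reports a Contributor+ "Arbitrary Options Update" with no statement of what option-writing path is affected or why it matters; on WordPress, arbitrary `update_option` from a low-privileged role is typically a privilege-escalation primitive (`default_role`, `users_can_register`), which makes `severity: low` look under-rated — verify against the referenced advisory before publishing. At minimum copy the advisory summary into the description and set `severity`/the severity tag from its rating. The `classification` keys are bare (`cvss-metrics:`, `cvss-score:`, `cve-id:` parse as null) and `tags` still includes `cve` with no identifier; `shodan-query: 'vuln:'` should be dropped rather than shipped incomplete. As elsewhere in this commit the request only reads `readme.txt`, so a match is a version hit, not a demonstrated options write.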
@@ -0,0 +1,59 @@ +id: wp-awesome-buttons-2820dda94c4351eb470773e65bbd82be + +info: + name: > + Awesome buttons <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via btn2 Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/84ef25b6-8119-41e5-9959-ccdfb9893e75?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-awesome-buttons/" + google-query: inurl:"/wp-content/plugins/wp-awesome-buttons/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-awesome-buttons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-awesome-buttons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-awesome-buttons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file diff --git a/poc/wordpress/wp-image-seo.yaml b/poc/wordpress/wp-image-seo.yaml new file mode 100644 index 0000000000..c6da26c088 --- /dev/null +++ b/poc/wordpress/wp-image-seo.yaml 
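Review bot: The `word` matcher requires the literal slug `wp-awesome-buttons` to appear in the body of `readme.txt`, but a plugin readme is not guaranteed to contain its own directory name (the header line is typically `=== Awesome buttons ===` and the slug may appear nowhere), so the template can silently never fire on a vulnerable install. Since the `dsl` matcher already depends on `Stable tag:` being present, match on that header instead, e.g. `words:` / `- "=== Awesome buttons ==="` or simply `- "Stable tag:"`, and let the path prefix `/wp-content/plugins/wp-awesome-buttons/` carry the plugin identification. The empty `description`, null `classification` values and the `cve` tag with no `cve-id` should be cleaned up as in the sibling templates.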
@@ -0,0 +1,59 @@ +id: wp-image-seo + +info: + name: > + WordPress Image SEO <= 1.1.4 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/750fc65a-081d-4c4d-ba14-73b68abd019e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-image-seo/" + google-query: inurl:"/wp-content/plugins/wp-image-seo/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-image-seo,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-image-seo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-image-seo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.4') \ No newline at end of file diff --git a/poc/wordpress/wp-members-59670ea7d44b96f3df6e11e0f647119e.yaml b/poc/wordpress/wp-members-59670ea7d44b96f3df6e11e0f647119e.yaml new file mode 100644 index 0000000000..e9498b9bd6 --- /dev/null +++ b/poc/wordpress/wp-members-59670ea7d44b96f3df6e11e0f647119e.yaml 
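Review bot: `id: wp-image-seo` (and the filename `wp-image-seo.yaml`) drops the `<slug>-<hash>` suffix every other template in this commit uses, so the first additional advisory for this plugin will collide on the template id and the file path. Use the same convention here, `id: wp-image-seo-<advisory-hash>`, and rename the file to match. A CSRF finding also cannot be confirmed by reading `readme.txt`; the description is blank, `classification` values are null, `tags` claims `cve` without a `cve-id`, and `shodan-query: 'vuln:'` is incomplete — fill the description from the advisory and remove the `cve` tag until an identifier exists.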
@@ -0,0 +1,59 @@ +id: wp-members-59670ea7d44b96f3df6e11e0f647119e + +info: + name: > + WP-Members <= 3.4.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5ea93a49-0e1a-4a24-8f6b-03e624f517d4?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-members/" + google-query: inurl:"/wp-content/plugins/wp-members/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-members,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-members/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-members" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.9.5') \ No newline at end of file diff --git a/poc/wordpress/wpdiscuz-7cbc80d769cb97ee802ffdd473bcb597.yaml b/poc/wordpress/wpdiscuz-7cbc80d769cb97ee802ffdd473bcb597.yaml new file mode 100644 index 0000000000..822b1259ae --- /dev/null +++ b/poc/wordpress/wpdiscuz-7cbc80d769cb97ee802ffdd473bcb597.yaml 
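Review bot: The `version` extractor regex `(?mi)Stable tag: ([0-9.]+)` accepts malformed captures such as a trailing dot or consecutive dots, which `compare_versions` may then fail to parse, and it captures nothing for `Stable tag: trunk`, leaving `version` unset so the DSL matcher fails closed with no indication of why; anchoring and tightening it, `- "(?mi)^Stable tag:\\s*([0-9]+(?:\\.[0-9]+)*)"`, makes the match both stricter and more tolerant of spacing. The same regex is duplicated in an `internal: true` and a visible extractor with the same name, which is the repo's convention but deserves a one-line comment (`# internal copy feeds compare_versions; visible copy is for output`) so readers do not take it for a paste error. `description: >` is empty and `tags` carries `cve` with no `cve-id`, as in the neighbouring files.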
@@ -0,0 +1,59 @@ +id: wpdiscuz-7cbc80d769cb97ee802ffdd473bcb597 + +info: + name: > + Comments – wpDiscuz <= 7.6.24 - Authentication Bypass + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b71706a7-e101-4d50-a2da-1aeeaf07cf4b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wpdiscuz/" + google-query: inurl:"/wp-content/plugins/wpdiscuz/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wpdiscuz,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpdiscuz/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpdiscuz" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.6.24') \ No newline at end of file diff --git a/poc/wordpress/wps-telegram-chat-c99dc0e9b6c07bc33ceba80191e0b070.yaml b/poc/wordpress/wps-telegram-chat-c99dc0e9b6c07bc33ceba80191e0b070.yaml new file mode 100644 index 0000000000..a26251b842 --- /dev/null +++ b/poc/wordpress/wps-telegram-chat-c99dc0e9b6c07bc33ceba80191e0b070.yaml 
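Review bot: A `severity: critical` "Authentication Bypass" template ships with an empty `description: >`, null `cvss-metrics`/`cvss-score`/`cve-id`, and a `cve` tag that points at no identifier, so anyone triaging a critical hit has nothing but the title to act on. At minimum paste the advisory summary into the description, drop `cve` from `tags` until an ID exists, and remove `shodan-query: 'vuln:'`, which is incomplete. Because the only evidence is the `Stable tag` in `readme.txt` being `<= 7.6.24`, a critical alert will be raised from version metadata alone; stating `Version detection only; the bypass is not exercised.` in the description keeps the severity honest for consumers of the output.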
@@ -0,0 +1,59 @@ +id: wps-telegram-chat-c99dc0e9b6c07bc33ceba80191e0b070 + +info: + name: > + WPS Telegram Chat <= 4.5.4 - Missing Authorization to Information Exposure + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/86b9b17f-f819-4316-8565-4e7603cd5de7?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wps-telegram-chat/" + google-query: inurl:"/wp-content/plugins/wps-telegram-chat/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wps-telegram-chat,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wps-telegram-chat/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wps-telegram-chat" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.5.4') \ No newline at end of file diff --git a/poc/wordpress/wps-telegram-chat-fe8838c35b67483d2b19c523bf1ada01.yaml b/poc/wordpress/wps-telegram-chat-fe8838c35b67483d2b19c523bf1ada01.yaml new file mode 100644 index 0000000000..10f8977e25 --- /dev/null +++ b/poc/wordpress/wps-telegram-chat-fe8838c35b67483d2b19c523bf1ada01.yaml 
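Review bot: This template and `wps-telegram-chat-fe8838c35b67483d2b19c523bf1ada01.yaml` in the next hunk have byte-identical `http` sections — same `readme.txt` path, same extractors, same `<= 4.5.4` comparison — differing only in `name`, `severity` and the advisory URL, so every host that matches one matches both and the scan output will show two findings backed by one piece of evidence. Either merge them into one template whose description lists both advisories against `<= 4.5.4`, or make the descriptions say explicitly that each is a version check for a distinct advisory. `severity: high` here is unsupported by any score: `cvss-metrics:` and `cvss-score:` are null and `description: >` is empty; fill them from the referenced page or lower the rating until they are known.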
@@ -0,0 +1,59 @@ +id: wps-telegram-chat-fe8838c35b67483d2b19c523bf1ada01 + +info: + name: > + WPS Telegram Chat <= 4.5.4 - Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f7e545-5e14-421e-90b4-bc54b23d0fe6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wps-telegram-chat/" + google-query: inurl:"/wp-content/plugins/wps-telegram-chat/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wps-telegram-chat,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wps-telegram-chat/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wps-telegram-chat" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.5.4') \ No newline at end of file
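Review bot: `shodan-query: 'vuln:'` is an incomplete filter with no value; tooling that reads template metadata to seed target discovery would submit it verbatim and get nothing, so drop the key when there is no CVE rather than emit a placeholder. The same applies to `cve-id:` being null while `tags` still lists `cve`: use `tags: wordpress,wp-plugin,wps-telegram-chat,low` until an identifier is assigned. `description: >` is empty, so the "Unauthorized Access to Telegram Bot API" claim in `name` is unexplained; copy the advisory summary in and note that the template only checks the `readme.txt` version and does not call the plugin's endpoint. This file's request and matcher logic are identical to the `-c99dc0e9…` template in the previous hunk, so the two will always fire together.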