20241109
actions-user committed Nov 9, 2024
1 parent e8796cb commit d49338d
Showing 92 changed files with 5,369 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241108
20241109
90 changes: 90 additions & 0 deletions poc.txt

Large diffs are not rendered by default.

27 changes: 27 additions & 0 deletions poc/apache/apache-buffer-overflow.yaml
@@ -0,0 +1,27 @@
id: apache-buffer-overflow

info:
name: Apache HTTP Server Outdated Version - Buffer Overflow
author: AV10V
severity: high
description: |
This template checks for outdated Apache HTTP Server versions that might be susceptible to a buffer overflow vulnerability.
It sends a request to retrieve the server version and matches against known vulnerable versions.
http:
- raw:
- |
HEAD / HTTP/1.1
Host: {{Hostname}}
User-Agent: Nuclei
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- "Server: Apache/2\\.2\\.[0-8]"
- type: word
part: header
words:
- "Apache"
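Review bot: the version regex in the first matcher, `Server: Apache/2\.2\.[0-8]`, is not bounded on the right, so it also matches 2.2.10 through 2.2.89 (for example `Apache/2.2.15` contains `Apache/2.2.1`); if only 2.2.0 to 2.2.8 are intended, add a boundary such as `"Server: Apache/2\\.2\\.[0-8](?:[^0-9]|$)"`. The second `word` matcher on `Apache` is redundant under `matchers-condition: and`, because the regex already requires that string. The description says the versions "might be susceptible" to a buffer overflow but the template carries no `reference` naming the advisory, so a user cannot confirm which releases are affected; it should also state that a banner match from a `HEAD` request is a version inference only and will still fire on distributions that backport fixes without changing the reported version.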
59 changes: 59 additions & 0 deletions poc/cve/CVE-2018-5158-67138bc530fcbd1f4c3ec3156662b94e.yaml
@@ -0,0 +1,59 @@
id: CVE-2018-5158-67138bc530fcbd1f4c3ec3156662b94e

info:
name: >
pdf.js < 2.0.943 - Authenticated (Author+) Stored Cross-Site Scripting
author: topscoder
severity: low
description: >
The Algori PDF Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to the use of a vulnerable version of pdf.js in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd66329-098e-4adf-b66f-d82a47720629?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
cvss-score: 6.4
cve-id: CVE-2018-5158
metadata:
fofa-query: "wp-content/plugins/algori-pdf-viewer/"
google-query: inurl:"/wp-content/plugins/algori-pdf-viewer/"
shodan-query: 'vuln:CVE-2018-5158'
tags: cve,wordpress,wp-plugin,algori-pdf-viewer,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/algori-pdf-viewer/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "algori-pdf-viewer"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.0.7')
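Review bot: the `name` (`pdf.js < 2.0.943 - Authenticated (Author+) Stored Cross-Site Scripting`) does not match the description and the final `dsl` matcher, which target the Algori PDF Viewer plugin at `<= 1.0.7`; rename the template after the plugin and its version range so the finding reads correctly in scan output. Two `regex` extractors share `name: version` and the same pattern; the `internal: true` one feeds `compare_versions` and the second only surfaces the value, which is this repository's convention, but `([0-9.]+)` does not match a readme that says `Stable tag: trunk`, and in that case no version is extracted and the DSL matcher never fires, a silent false negative worth a comment in the template. The `word` matcher on `algori-pdf-viewer` assumes the plugin slug appears in the `readme.txt` body, which WordPress does not guarantee; matching the readme's `=== ... ===` title header would be more robust. Note also that this is a readme version check and does not verify that the stored XSS is reachable.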
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-10187.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-10187-2566d733855ca241bfb10537fd632ddf

info:
name: >
myCred <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode
author: topscoder
severity: low
description: >
The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_link shortcode in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/23a081d4-443d-4b3b-8c89-9eb0e23c961e?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
cvss-score: 6.4
cve-id: CVE-2024-10187
metadata:
fofa-query: "wp-content/plugins/mycred/"
google-query: inurl:"/wp-content/plugins/mycred/"
shodan-query: 'vuln:CVE-2024-10187'
tags: cve,wordpress,wp-plugin,mycred,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/mycred/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "mycred"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 2.7.4')
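Review bot: the file is named `CVE-2024-10187.yaml` while the `id` is `CVE-2024-10187-2566d733855ca241bfb10537fd632ddf`; the other templates in this commit name the file after the full id, so either rename the file or drop the hash suffix from the `id` to keep the two in sync. The readme-based detection carries the same caveats as the other WordPress templates here: a `Stable tag: trunk` readme yields no version and the `word` matcher on the slug `mycred` assumes the slug appears in the readme body, which is not guaranteed.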
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-10261-13a111b77ff7242b7fd206b696ded4b9.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-10261-13a111b77ff7242b7fd206b696ded4b9

info:
name: >
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.0 - Unauthenticated Arbitrary Shortcode Execution
author: topscoder
severity: high
description: >
The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf19371-7b06-45c6-bf16-6ef7dfffb175?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss-score: 7.3
cve-id: CVE-2024-10261
metadata:
fofa-query: "wp-content/plugins/paid-member-subscriptions/"
google-query: inurl:"/wp-content/plugins/paid-member-subscriptions/"
shodan-query: 'vuln:CVE-2024-10261'
tags: cve,wordpress,wp-plugin,paid-member-subscriptions,high

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/paid-member-subscriptions/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "paid-member-subscriptions"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 2.13.0')
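Review bot: the description opens with a duplicated word, "The The Paid Membership Subscriptions ... plugin"; fix the typo. For a `high`-severity unauthenticated arbitrary shortcode execution the only evidence collected is the `Stable tag` in `readme.txt`, which is fine for a version scan, but the `name` or description should say that the template does not exercise the vulnerable action, so a site that has removed or renamed the readme after updating is neither confirmed nor cleared by this check.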
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-10269.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-10269-de3e977fc48c497bbd319154dc08b47e

info:
name: >
Easy SVG Support <= 3.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
author: topscoder
severity: low
description: >
The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5fbc0866-1e9d-457a-8ef3-fb046c89c1dd?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
cvss-score: 6.4
cve-id: CVE-2024-10269
metadata:
fofa-query: "wp-content/plugins/easy-svg/"
google-query: inurl:"/wp-content/plugins/easy-svg/"
shodan-query: 'vuln:CVE-2024-10269'
tags: cve,wordpress,wp-plugin,easy-svg,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/easy-svg/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "easy-svg"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 3.7')
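Review bot: as with `CVE-2024-10187.yaml` in this commit, the file name `CVE-2024-10269.yaml` does not carry the hash suffix that the `id` (`CVE-2024-10269-de3e977fc48c497bbd319154dc08b47e`) uses, while the other templates name the file after the full id; pick one convention. The `dsl` matcher `compare_versions(version, '<= 3.7')` is consistent with the description, but `version` depends on `Stable tag: ([0-9.]+)`, so a readme whose stable tag is `trunk` produces no match at all rather than a flagged result.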
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-10284-678b4260d3f280e8339a3c114f9bd9d3.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-10284-678b4260d3f280e8339a3c114f9bd9d3

info:
name: >
CE21 Suite <= 2.2.0 - Authentication Bypass
author: topscoder
severity: critical
description: >
The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/45d66743-300e-480d-98b8-99dc30b6e786?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-10284
metadata:
fofa-query: "wp-content/plugins/ce21-suite/"
google-query: inurl:"/wp-content/plugins/ce21-suite/"
shodan-query: 'vuln:CVE-2024-10284'
tags: cve,wordpress,wp-plugin,ce21-suite,critical

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/ce21-suite/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "ce21-suite"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 2.2.0')
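Review bot: the description's closing clause, "if they have access to the email", is ambiguous between knowing a user's email address and controlling the mailbox, and that distinction changes how a defender triages a `critical` finding; clarify it from the referenced advisory. The `severity: critical` and `cvss-score: 9.8` are consistent with the `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` vector, and the `dsl` bound `<= 2.2.0` matches the description, but the check is a readme version comparison only and does not confirm that the `ce21_authentication_phrase` key is present on the target.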
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-10285-0149e578f9b391b0d38534038361bcfd.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-10285-0149e578f9b391b0d38534038361bcfd

info:
name: >
CE21 Suite <= 2.2.0 - JWT Token Disclosure
author: topscoder
severity: critical
description: >
The CE21 Suite plugin for WordPress is vulnerable to sensitive information disclosure via the plugin-log.txt in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to log in the user associated with the JWT token.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/618a9ad7-3a13-43e6-84f4-35287f07e1c0?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-10285
metadata:
fofa-query: "wp-content/plugins/ce21-suite/"
google-query: inurl:"/wp-content/plugins/ce21-suite/"
shodan-query: 'vuln:CVE-2024-10285'
tags: cve,wordpress,wp-plugin,ce21-suite,critical

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/ce21-suite/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "ce21-suite"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 2.2.0')
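Review bot: the description should read "log in as the user associated with the JWT token" rather than "log in the user". The vulnerable artifact named in the description is the exposed `plugin-log.txt`, yet the template only compares the `Stable tag` from `readme.txt` against `<= 2.2.0`, so an installation where the log has already been removed or blocked will still be reported as `critical`; state in the template that this is a version-based check so that operators know a positive result needs confirmation before treating it as an active token disclosure. This template also shares `fofa-query`, `google-query` and the `ce21-suite` word matcher with `CVE-2024-10284-...yaml`, so both will fire together on the same host; that is expected but worth noting in the description.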