20241018

date.txt

@@ -1 +1 @@
-20241017
+20241018

poc/auth/publishpress-authors.yaml

@@ -0,0 +1,59 @@
+id: publishpress-authors
+
+info:
+  name: >
+    Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
+  author: topscoder
+  severity: low
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/d0506137-82e3-4988-9b23-370465a866c0?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/publishpress-authors/"
+    google-query: inurl:"/wp-content/plugins/publishpress-authors/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,publishpress-authors,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/publishpress-authors/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "publishpress-authors"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 4.7.1')

poc/cve/CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a
+
+info:
+  name: >
+    Flat UI Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via flatbtn Shortcode
+  author: topscoder
+  severity: low
+  description: >
+    The Flat UI Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's flatbtn shortcode in version 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/ec5474ac-62d7-4431-b789-51c831dd1c20?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 6.4
+    cve-id: CVE-2024-10014
+  metadata:
+    fofa-query: "wp-content/plugins/flat-ui-button/"
+    google-query: inurl:"/wp-content/plugins/flat-ui-button/"
+    shodan-query: 'vuln:CVE-2024-10014'
+  tags: cve,wordpress,wp-plugin,flat-ui-button,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/flat-ui-button/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "flat-ui-button"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '1.0')

poc/cve/CVE-2024-10040-ee8183e3617c63ac904e5e710044f265.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10040-ee8183e3617c63ac904e5e710044f265
+
+info:
+  name: >
+    Infinite-Scroll <= 2.6.2 - Cross-Site Request Forgery to Plugin Settings Update
+  author: topscoder
+  severity: medium
+  description: >
+    The Infinite-Scroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation on the process_ajax_edit and process_ajax_delete function. This makes it possible for unauthenticated attackers to make changes to plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/4045575a-35f0-46e5-afb7-93eee9be3a97?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2024-10040
+  metadata:
+    fofa-query: "wp-content/plugins/infinite-scroll/"
+    google-query: inurl:"/wp-content/plugins/infinite-scroll/"
+    shodan-query: 'vuln:CVE-2024-10040'
+  tags: cve,wordpress,wp-plugin,infinite-scroll,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/infinite-scroll/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "infinite-scroll"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.6.2')

poc/cve/CVE-2024-10049-5634711959b0699a5bdae8c67ef9be92.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10049-5634711959b0699a5bdae8c67ef9be92
+
+info:
+  name: >
+    Edit WooCommerce Templates <= 1.1.2 - Reflected Cross-Site Scripting via page
+  author: topscoder
+  severity: medium
+  description: >
+    The Edit WooCommerce Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/3704b365-cbdf-4c74-9619-59f0a10e3c6a?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2024-10049
+  metadata:
+    fofa-query: "wp-content/plugins/woo-edit-templates/"
+    google-query: inurl:"/wp-content/plugins/woo-edit-templates/"
+    shodan-query: 'vuln:CVE-2024-10049'
+  tags: cve,wordpress,wp-plugin,woo-edit-templates,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/woo-edit-templates/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "woo-edit-templates"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.1.2')

poc/cve/CVE-2024-10055-a7567bb6df1c6f932e81f3fa194c2a29.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10055-a7567bb6df1c6f932e81f3fa194c2a29
+
+info:
+  name: >
+    Click to Chat – WP Support All-in-One Floating Widget <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsaio_snapchat Shortcode
+  author: topscoder
+  severity: low
+  description: >
+    The Click to Chat – WP Support All-in-One Floating Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsaio_snapchat shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c13600-0791-4ade-9c28-f43f164aedae?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 6.4
+    cve-id: CVE-2024-10055
+  metadata:
+    fofa-query: "wp-content/plugins/support-chat/"
+    google-query: inurl:"/wp-content/plugins/support-chat/"
+    shodan-query: 'vuln:CVE-2024-10055'
+  tags: cve,wordpress,wp-plugin,support-chat,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/support-chat/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "support-chat"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.3.3')

poc/cve/CVE-2024-10057-3619138af4b1755697a61cf7520ca3e3.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-10057-3619138af4b1755697a61cf7520ca3e3
+
+info:
+  name: >
+    RSS Feed Widget <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode
+  author: topscoder
+  severity: low
+  description: >
+    The RSS Feed Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rfw-youtube-videos shortcode in all versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/b77ea258-dced-4c36-bd0d-8977a347d1c9?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 6.4
+    cve-id: CVE-2024-10057
+  metadata:
+    fofa-query: "wp-content/plugins/rss-feed-widget/"
+    google-query: inurl:"/wp-content/plugins/rss-feed-widget/"
+    shodan-query: 'vuln:CVE-2024-10057'
+  tags: cve,wordpress,wp-plugin,rss-feed-widget,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/rss-feed-widget/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "rss-feed-widget"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.9.9')