20240828

date.txt

@@ -1 +1 @@
-20240827
+20240828

poc/api/umbraco-delivery-api.yaml

@@ -0,0 +1,37 @@
+id: umbraco-delivery-api
+
+info:
+  name: Umbraco Delivery API - Detect
+  author: stvnhrlnd
+  severity: info
+  description: Umbraco Delivery API is publicly exposed.
+  impact: |
+    When the Umbraco Delivery API is enabled, all published content is made
+    available to the public by default. This may result in sensitive
+    information being exposed and should be investigated.
+  remediation: |
+    If the Delivery API is intended to be public facing, then ensure that it
+    does not return any sensitive information. Use the
+    `DisallowedContentTypeAliases` configuration option in `appsettings.json`
+    to restrict the content types that are returned.
+
+    If the Delivery API is not intended to be public facing, set `PublicAccess`
+    to `false` in `appsettings.json` and specify an API key to restrict access.
+  reference:
+    - https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api
+    - https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/media-delivery-api
+  tags: umbraco
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/umbraco/delivery/api/v1/content"
+      - "{{BaseURL}}/umbraco/delivery/api/v2/content"
+      - "{{BaseURL}}/umbraco/delivery/api/v1/media?fetch=children:/"
+      - "{{BaseURL}}/umbraco/delivery/api/v2/media?fetch=children:/"
+    redirects: true
+    max-redirects: 3
+    matchers:
+      - type: status
+        status:
+          - 200

poc/auth/blogintroduction-wordpress-plugin.yaml

@@ -0,0 +1,59 @@
+id: blogintroduction-wordpress-plugin
+
+info:
+  name: >
+    Blog Introduction <= 0.3.0 - Cross-Site Request Forgery to Settings Update
+  author: topscoder
+  severity: medium
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/2896c925-e035-4193-92db-e8a3dd34a0b7?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/blogintroduction-wordpress-plugin/"
+    google-query: inurl:"/wp-content/plugins/blogintroduction-wordpress-plugin/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,blogintroduction-wordpress-plugin,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/blogintroduction-wordpress-plugin/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "blogintroduction-wordpress-plugin"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 0.3.0')

poc/cve/CVE-2024-34389-fe08cd55c51385a73e5900466c448828.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-34389-fe08cd55c51385a73e5900466c448828
+
+info:
+  name: >
+    WP Post Author – Enhance Your Posts with the Author Bio, Co-Authors, Guest Authors, and Post Rating System, including User Registration Form Builder <= 3.7.4 - Missing Authorization
+  author: topscoder
+  severity: low
+  description: >
+    The WP Post Author plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the awpa_pro_api_post_rating_review() function in all versions up to, and including, 3.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to leave reviews on private posts.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/df681544-f64b-4590-a377-08b05693ff1f?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+    cvss-score: 4.3
+    cve-id: CVE-2024-34389
+  metadata:
+    fofa-query: "wp-content/plugins/wp-post-author/"
+    google-query: inurl:"/wp-content/plugins/wp-post-author/"
+    shodan-query: 'vuln:CVE-2024-34389'
+  tags: cve,wordpress,wp-plugin,wp-post-author,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wp-post-author/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "wp-post-author"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.7.4')

poc/cve/CVE-2024-35776-4603712eba61b41dace16ff8dc5a05ad.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-35776-4603712eba61b41dace16ff8dc5a05ad
+
+info:
+  name: >
+    phpinfo() WP <= 5.0 - Unauthenticated Information Exposure
+  author: topscoder
+  severity: medium
+  description: >
+    The phpinfo() WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/6091faeb-f8a0-40f3-963c-6c5814219832?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2024-35776
+  metadata:
+    fofa-query: "wp-content/plugins/phpinfo-wp/"
+    google-query: inurl:"/wp-content/plugins/phpinfo-wp/"
+    shodan-query: 'vuln:CVE-2024-35776'
+  tags: cve,wordpress,wp-plugin,phpinfo-wp,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/phpinfo-wp/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "phpinfo-wp"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 5.0')

poc/cve/CVE-2024-37932-c4079cc09cc1529a039f6c695ff7b4d2.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-37932-c4079cc09cc1529a039f6c695ff7b4d2
+
+info:
+  name: >
+    Woocommerce OpenPos <= 6.4.4 - Unauthenticated Arbitrary File Deletion
+  author: topscoder
+  severity: critical
+  description: >
+    The Openpos - WooCommerce Point Of Sale(POS) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 6.4.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f1ffba-bae2-4f69-ac96-c4570d36eb73?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
+    cvss-score: 9.1
+    cve-id: CVE-2024-37932
+  metadata:
+    fofa-query: "wp-content/plugins/woocommerce-openpos/"
+    google-query: inurl:"/wp-content/plugins/woocommerce-openpos/"
+    shodan-query: 'vuln:CVE-2024-37932'
+  tags: cve,wordpress,wp-plugin,woocommerce-openpos,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/woocommerce-openpos/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "woocommerce-openpos"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 6.4.4')

poc/cve/CVE-2024-37933-4ba0703593e026cca4dd8afa5a2e2ecf.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-37933-4ba0703593e026cca4dd8afa5a2e2ecf
+
+info:
+  name: >
+    Woocommerce OpenPos <= 6.4.4 - Unauthenticated SQL Injection
+  author: topscoder
+  severity: critical
+  description: >
+    The Woocommerce OpenPos plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 6.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/21da3c10-72b9-4c04-8586-dcf6dcf55852?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10
+    cve-id: CVE-2024-37933
+  metadata:
+    fofa-query: "wp-content/plugins/woocommerce-openpos/"
+    google-query: inurl:"/wp-content/plugins/woocommerce-openpos/"
+    shodan-query: 'vuln:CVE-2024-37933'
+  tags: cve,wordpress,wp-plugin,woocommerce-openpos,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/woocommerce-openpos/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "woocommerce-openpos"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 6.4.4')