diff --git a/CVEs/2021/CVE-2021-36873.md b/CVEs/2021/CVE-2021-36873.md new file mode 100644 index 0000000..d1e6c6c --- /dev/null +++ b/CVEs/2021/CVE-2021-36873.md @@ -0,0 +1,25 @@ +# CVE-2021-36873 + +## Description +Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage. + +## CVSS (Vector and Score) +CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM + +## Affected Application +WordPress iQ Block Country plugin + +## Affected Version +<= 1.2.11 + +## Total Installation +30,000+ + +## Steps to Reproduce +1. Login as administrator +2. + + +## Proof of Concept +- Image +- Video \ No newline at end of file diff --git a/README.md b/README.md index 096a605..ec167fe 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ These are my bug bounty notes that I have gathered from various sources, you can ## To-Do-List - [ ] Tidy up the reconnaisance folder -- [ ] Seperate the bypass from some vulnerability readme +- [x] Added CVEs folder - [ ] Writes multiple payload bypasses for each vulnerability - [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc) - [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront) \ No newline at end of file diff --git a/SQL Injection.md b/SQL Injection.md index 5088fcb..99cb349 100644 --- a/SQL Injection.md +++ b/SQL Injection.md @@ -13,6 +13,9 @@ SQL Injection (SQLi) is a code injection attack where an attacker manipulates th - Time-based Blind SQLi - Out-of-band SQLi +## Where to find +Everywhere + ## How to exploit # SQLI tricks diff --git a/Web Cache Deception.md b/Web Cache Deception.md index edb19ea..045dff4 100644 --- a/Web Cache Deception.md +++ b/Web Cache Deception.md 
@@ -1,4 +1,4 @@ -# Web Cache Poisoning +# Web Cache Deception ## Introduction Web Cache Deception is an attack in which an attacker deceives a caching proxy into improperly storing private information sent over the internet and gaining unauthorized access to that cached data
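Review bot: In CVEs/2021/CVE-2021-36873.md, step 2 under "Steps to Reproduce" is empty and "Proof of Concept" lists only the placeholders "Image" and "Video", so the entry cannot be followed or verified as committed. Either complete the steps and attach the actual media, or mark both sections as pending. A fixed-version line next to "<= 1.2.11" would help readers who need to patch, and the file is missing its trailing newline.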
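Review bot: In README.md's To-Do-List, the new "- [x] Added CVEs folder" line replaces the unchecked "Seperate the bypass from some vulnerability readme" item instead of being added beside it, which drops that pending task from the list with no indication it was completed. Keep the original item (correcting the spelling to "Separate") and add the CVEs entry as its own line. The context line's "reconnaisance" could be corrected to "reconnaissance" in the same pass.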
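Review bot: In SQL Injection.md, the new "Where to find" section says only "Everywhere", which gives a reader nothing to test or review against. List the concrete input locations the notes mean, such as query-string and form parameters, cookies and HTTP headers that reach a database query. The "# SQLI tricks" heading in the trailing context is also a top-level heading sitting under "## How to exploit"; "###" would fit the hierarchy.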
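Review bot: In Web Cache Deception.md the heading fix is correct, but the introduction line in this hunk's context still has no closing period and mixes tenses ("deceives ... and gaining"). Consider ending it "and then gains unauthorized access to that cached data." while the file is open.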