diff --git a/vulnerabilities/wordpress/sniplets-xss.yaml b/cves/2008/CVE-2008-1060.yaml
similarity index 88%
rename from vulnerabilities/wordpress/sniplets-xss.yaml
rename to cves/2008/CVE-2008-1060.yaml
index 195e8e384f..449056a138 100644
--- a/vulnerabilities/wordpress/sniplets-xss.yaml
+++ b/cves/2008/CVE-2008-1060.yaml
@@ -1,4 +1,4 @@
-id: sniplets-xss
+id: CVE-2008-1060
info:
name: Wordpress Plugin Sniplets - Cross-Site Scripting
@@ -7,6 +7,7 @@ info:
description: Cross-site scripting (XSS) on Wordpress Plugin Sniplets
reference:
- https://www.exploit-db.com/exploits/5194
+ - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
tags: xss,wordpress,wp-plugin,wp
requests:
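Review bot: The template moves to cves/2008 with `id: CVE-2008-1060`, but the `tags` context line stays `xss,wordpress,wp-plugin,wp` and no `classification` block with a `cve-id` is added, so a scan or report that filters on CVE tags will not pick it up. The tags CVE-2021-25112 carried before this commit (`cve,cve2021,...`) show the convention; here that would be `tags: cve,cve2008,xss,wordpress,wp-plugin,wp` plus `classification:` with `cve-id: CVE-2008-1060`. The same tag gap is visible in the other files moved into cves/ (CVE-2008-1061, CVE-2014-9119, CVE-2015-1000005, CVE-2015-1000010, CVE-2015-1579, CVE-2020-8772, CVE-2021-32789, CVE-2022-1390, CVE-2022-1391). Separately, this file and CVE-2008-1061 get the identical wpscan reference URL, so it is worth confirming that one WPScan entry really covers both the XSS and the file inclusion.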
diff --git a/vulnerabilities/wordpress/sniplets-lfi.yaml b/cves/2008/CVE-2008-1061.yaml
similarity index 86%
rename from vulnerabilities/wordpress/sniplets-lfi.yaml
rename to cves/2008/CVE-2008-1061.yaml
index b3172af4e8..604af9ca09 100644
--- a/vulnerabilities/wordpress/sniplets-lfi.yaml
+++ b/cves/2008/CVE-2008-1061.yaml
@@ -1,4 +1,4 @@
-id: sniplets-lfi
+id: CVE-2008-1061
info:
name: WordPress Sniplets 1.1.2 - Local File Inclusion
@@ -7,10 +7,12 @@ info:
description: WordPress Sniplets 1.1.2 is vulnerable to local file inclusion.
reference:
- https://www.exploit-db.com/exploits/5194
+ - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
+ cve-id: CVE-2008-1061
tags: wordpress,wp-plugin,lfi,wp
requests:
diff --git a/vulnerabilities/wordpress/db-backup-lfi.yaml b/cves/2015/CVE-2014-9119.yaml
similarity index 96%
rename from vulnerabilities/wordpress/db-backup-lfi.yaml
rename to cves/2015/CVE-2014-9119.yaml
index ad45d744d3..7cfeda3da7 100644
--- a/vulnerabilities/wordpress/db-backup-lfi.yaml
+++ b/cves/2015/CVE-2014-9119.yaml
@@ -1,4 +1,4 @@
-id: db-backup-lfi
+id: CVE-2014-9119
info:
name: WordPress DB Backup <=4.5 - Local File Inclusion
@@ -12,6 +12,7 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
+ cve-id: CVE-2014-9119
tags: wordpress,wp-plugin,lfi,wp
requests:
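Review bot: The rename target for this file is `cves/2015/CVE-2014-9119.yaml`, so a 2014 identifier ends up in the 2015 directory while `id` and the added `cve-id: CVE-2014-9119` both say 2014. Every other rename in this commit puts the file under the year of its CVE ID; this one should presumably be `cves/2014/CVE-2014-9119.yaml`. Anyone auditing coverage by year directory would otherwise miss it or count it in the wrong year.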
diff --git a/vulnerabilities/wordpress/candidate-application-lfi.yaml b/cves/2015/CVE-2015-1000005.yaml
similarity index 94%
rename from vulnerabilities/wordpress/candidate-application-lfi.yaml
rename to cves/2015/CVE-2015-1000005.yaml
index cdc97aa53a..44709f6368 100644
--- a/vulnerabilities/wordpress/candidate-application-lfi.yaml
+++ b/cves/2015/CVE-2015-1000005.yaml
@@ -1,4 +1,4 @@
-id: candidate-application-lfi
+id: CVE-2015-1000005
info:
name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion
@@ -11,6 +11,7 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-22
+ cve-id: CVE-2015-1000005
tags: wordpress,wp-plugin,lfi,wp
requests:
diff --git a/vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml b/cves/2015/CVE-2015-1000010.yaml
similarity index 82%
rename from vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml
rename to cves/2015/CVE-2015-1000010.yaml
index 5214a72c67..1ef473f718 100644
--- a/vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml
+++ b/cves/2015/CVE-2015-1000010.yaml
@@ -1,16 +1,18 @@
-id: simple-image-manipulator-lfi
+id: CVE-2015-1000010
info:
- name: WordPress Simple Image Manipulator 1.0 - Local File Inclusion
+ name: WordPress Simple Image Manipulator < 1.0 - Local File Inclusion
author: dhiyaneshDK
severity: high
description: WordPress Simple Image Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php because no checks are made to authenticate users or sanitize input when determining file location.
reference:
- https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html
+ - https://wpscan.com/vulnerability/40e84e85-7176-4552-b021-6963d0396543
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
+ cve-id: CVE-2015-1000010
tags: wordpress,wp-plugin,lfi,wp
requests:
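Review bot: The new name `WordPress Simple Image Manipulator < 1.0 - Local File Inclusion` excludes version 1.0, yet the unchanged description says "Simple Image Manipulator 1.0 is vulnerable" and the packetstorm reference is titled for 1.0 as well. A finding reported under this name would tell an operator running 1.0 that they are not affected. If 1.0 is the last affected release, `name: WordPress Simple Image Manipulator <= 1.0 - Local File Inclusion` (or keeping the original `1.0`) matches the rest of the metadata.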
diff --git a/vulnerabilities/wordpress/wp-revslider-file-download.yaml b/cves/2015/CVE-2015-1579.yaml
similarity index 86%
rename from vulnerabilities/wordpress/wp-revslider-file-download.yaml
rename to cves/2015/CVE-2015-1579.yaml
index a2c97e0a18..46af5fe0a3 100644
--- a/vulnerabilities/wordpress/wp-revslider-file-download.yaml
+++ b/cves/2015/CVE-2015-1579.yaml
@@ -1,17 +1,19 @@
-id: wp-revslider-file-download
+id: CVE-2015-1579
info:
- name: Wordpress Revslider - Local File Inclusion
+ name: WordPress Slider Revolution - Local File Disclosure
author: pussycat0x
severity: high
description: WordPress Revslider is affected by an unauthenticated file retrieval vulnerability, which could result in attacker downloading the wp-config.php file.
reference:
- https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
- https://cxsecurity.com/issue/WLB-2021090129
+ - https://wpscan.com/vulnerability/4b077805-5dc0-4172-970e-cc3d67964f80
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
+ cve-id: CVE-2015-1579
metadata:
google-dork: inurl:/wp-content/plugins/revslider
tags: wordpress,wp-plugin,lfi,revslider
diff --git a/vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml b/cves/2020/CVE-2020-8772.yaml
similarity index 91%
rename from vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml
rename to cves/2020/CVE-2020-8772.yaml
index df56152a95..a6eed0faea 100644
--- a/vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml
+++ b/cves/2020/CVE-2020-8772.yaml
@@ -1,7 +1,7 @@
-id: wordpress-infinitewp-auth-bypass
+id: CVE-2020-8772
info:
- name: WordPress InfiniteWP Client Authentication Bypass
+ name: InfiniteWP Client < 1.9.4.5 - Authentication Bypass
author: princechaddha
severity: critical
description: InfiniteWP Client plugin versions 1.9.4.4 or earlier contain a critical authentication bypass vulnerability. InfiniteWP Client is a plugin that, when installed on a WordPress site, allows a site owner
@@ -9,9 +9,11 @@ info:
reference:
- https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/
- https://wordpress.org/plugins/iwp-client/#developers
+ - https://wpscan.com/vulnerability/fac62d36-0fa1-4b43-8f5c-bddbd0cff140
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
+ cve-id: CVE-2020-8772
remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
tags: wordpress,auth-bypass,wp-plugin
diff --git a/vulnerabilities/wordpress/ninjaform-open-redirect.yaml b/cves/2021/CVE-2021-24165.yaml
similarity index 97%
rename from vulnerabilities/wordpress/ninjaform-open-redirect.yaml
rename to cves/2021/CVE-2021-24165.yaml
index ba9879a567..18143a6626 100644
--- a/vulnerabilities/wordpress/ninjaform-open-redirect.yaml
+++ b/cves/2021/CVE-2021-24165.yaml
@@ -1,4 +1,4 @@
-id: ninjaform-open-redirect
+id: CVE-2021-24165
info:
name: Ninja Forms < 3.4.34 - Administrator Open Redirect
diff --git a/cves/2021/CVE-2021-25112.yaml b/cves/2021/CVE-2021-25112.yaml
index 1705945685..af81e3f429 100644
--- a/cves/2021/CVE-2021-25112.yaml
+++ b/cves/2021/CVE-2021-25112.yaml
@@ -1,20 +1,13 @@
id: CVE-2021-25112
info:
- name: WordPress WHMCS Bridge < 6.4b - Cross-Site Scripting
- author: DhiyaneshDK
+ name: WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
+ author: dhiyaneshDk
severity: medium
- description: WordPress WHMCS Bridge < 6.4b is susceptible to authenticated reflected cross-site scripting because the plugin does not sanitize and escape the error parameter before outputting it back in admin dashboard.
+ description: The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
reference:
- https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25112
- - https://plugins.trac.wordpress.org/changeset/2659751
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.1
- cve-id: CVE-2021-25112
- cwe-id: CWE-79
- tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
+ tags: wordpress,wp-plugin,authenticated,whmcs,xss
requests:
- raw:
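Review bot: This hunk strips the enriched metadata from an existing CVE template: the whole `classification` block (`cvss-metrics`, `cvss-score: 6.1`, `cve-id: CVE-2021-25112`, `cwe-id: CWE-79`), the `cve,cve2021` tags, and the cve.mitre.org and plugins.trac references are all removed. It looks like the content of the deleted `wp-whmcs-xss.yaml` was copied over the CVE file rather than the duplicate simply being dropped. After the change the template no longer matches CVE tag filters and results lose their CVSS/CWE context, so I would keep the old `info` block and only remove the duplicate file. The last hunk also deletes the `# Enhanced by mp on 2022/04/21` marker, which supports reading this as an unintended revert.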
@@ -26,7 +19,6 @@ requests:
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
-
- |
GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
@@ -37,7 +29,8 @@ requests:
- type: word
part: body
words:
- - ""
+ - ""
+ condition: and
- type: word
part: header
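Review bot: As shown here, the body matcher's only word is the empty string `""`, and the added `condition: and` has no effect with a single word. If the file really contains an empty word rather than this being a rendering artifact of the page, the body check matches any response and detection rests on `text/html` plus status 200 alone, which any authenticated admin page satisfies. The word should be the exact reflected markup from the request's `error` parameter, single-quoted so YAML keeps it literal.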
@@ -47,5 +40,3 @@ requests:
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/04/21
diff --git a/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml b/cves/2021/CVE-2021-32789.yaml
similarity index 76%
rename from vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
rename to cves/2021/CVE-2021-32789.yaml
index 8a96cfe510..604de1a977 100644
--- a/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
+++ b/cves/2021/CVE-2021-32789.yaml
@@ -1,26 +1,30 @@
-id: wordpress-woocommerce-sqli
+id: CVE-2021-32789
info:
- name: Woocommerce Unauthenticated SQL Injection
- author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot
+ name: WooCommerce Blocks 2.5 to 5.5 & Woocommerce 3.3 to 5.5 - Authenticated ? & Unauthenticated SQL Injection
+ author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot,akincibor
severity: critical
description: The Woocommerce plugin for Wordpress contains an unauthenticated SQL injection vulnerability.
reference:
- https://woocommerce.com/posts/critical-vulnerability-detected-july-2021
- https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx
- https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/
+ - https://wpscan.com/vulnerability/1212fec8-1fde-41e5-af70-abdd7ffe5379 #CVE-2021-32790 (Authenticated ?)
+ - https://wpscan.com/vulnerability/0f2089dc-9376-4d7d-95a2-25c99526804a #CVE-2021-32789
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-89
- tags: wordpress,woocommerce,sqli,wp-plugin,injection
+ cve-id: CVE-2021-32789
+ tags: wordpress,woocommerce,sqli,wp-plugin,injection,wp
requests:
- method: GET
path:
- - '{{BaseURL}}/wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
- '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
+ - '{{BaseURL}}/wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
+ stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
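Review bot: The new `name` contains an unresolved question, `Authenticated ? & Unauthenticated SQL Injection`, and the same `(Authenticated ?)` doubt is left as a trailing comment on the first added wpscan reference. The name is what appears in scan output, so it should state only what the template verifies; the requests shown are plain unauthenticated GETs. The template also now references CVE-2021-32790 while `cve-id` lists only CVE-2021-32789, so either drop the 32790 reference or say in the description how the two relate. The `matchers` block continues outside the hunk.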
diff --git a/vulnerabilities/wordpress/accessibility-helper-xss.yaml b/cves/2022/CVE-2022-0150.yaml
similarity index 96%
rename from vulnerabilities/wordpress/accessibility-helper-xss.yaml
rename to cves/2022/CVE-2022-0150.yaml
index e1b5a6ec3a..63fc691e1e 100644
--- a/vulnerabilities/wordpress/accessibility-helper-xss.yaml
+++ b/cves/2022/CVE-2022-0150.yaml
@@ -1,4 +1,4 @@
-id: accessibility-helper-xss
+id: CVE-2022-0150
info:
name: WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
diff --git a/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml b/cves/2022/CVE-2022-1390.yaml
similarity index 68%
rename from vulnerabilities/wordpress/admin-word-count-column-lfi.yaml
rename to cves/2022/CVE-2022-1390.yaml
index b337563594..11a4f3925f 100644
--- a/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml
+++ b/cves/2022/CVE-2022-1390.yaml
@@ -1,18 +1,20 @@
-id: admin-word-count-column-lfi
+id: CVE-2022-1390
info:
name: WordPress Admin Word Count Column 2.2 - Local File Inclusion
author: daffainfo,Splint3r7
severity: high
- description: WordPress Admin Word Count Column 2.2 is vulnerable to local file inclusion.
+ description: The plugin does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique.
reference:
- https://packetstormsecurity.com/files/166476/WordPress-Admin-Word-Count-Column-2.2-Local-File-Inclusion.html
- https://wordpress.org/plugins/admin-word-count-column/
+ - https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990
remediation: This plugin has been closed as of March 29, 2022 and is not available for download.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
+ cve-id: CVE-2022-1390
tags: wordpress,wp-plugin,lfi,wp
requests:
diff --git a/vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml b/cves/2022/CVE-2022-1391.yaml
similarity index 80%
rename from vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml
rename to cves/2022/CVE-2022-1391.yaml
index 44c69bf0ff..f89549d19b 100644
--- a/vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml
+++ b/cves/2022/CVE-2022-1391.yaml
@@ -1,17 +1,19 @@
-id: cab-fare-calculator-lfi
+id: CVE-2022-1391
info:
- name: WordPress Cab fare calculator 1.0.3 - Local File Inclusion
+ name: WordPress Cab fare calculator < 1.0.4 - Local File Inclusion
author: Hassan Khan Yusufzai - Splint3r7
severity: high
description: WordPress Cab fare calculator 1.0.3 is vulnerable to local file inclusion.
reference:
- https://www.exploit-db.com/exploits/50843
- https://wordpress.org/plugins/cab-fare-calculator
+ - https://wpscan.com/vulnerability/680121fe-6668-4c1a-a30d-e70dd9be5aac
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
+ cve-id: CVE-2022-1391
tags: wordpress,wp-plugin,lfi,wp
requests:
diff --git a/vulnerabilities/wordpress/ad-widget-lfi.yaml b/vulnerabilities/wordpress/ad-widget-lfi.yaml
index 125fb8aa54..2bfbe00c93 100644
--- a/vulnerabilities/wordpress/ad-widget-lfi.yaml
+++ b/vulnerabilities/wordpress/ad-widget-lfi.yaml
@@ -8,6 +8,7 @@ info:
reference:
- https://cxsecurity.com/issue/WLB-2017100084
- https://plugins.trac.wordpress.org/changeset/1628751/ad-widget
+ - https://wpscan.com/vulnerability/caca21fe-56bf-4d4c-afc8-4a218e52f0a2
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
diff --git a/vulnerabilities/wordpress/advanced-access-manager-lfi.yaml b/vulnerabilities/wordpress/advanced-access-manager-lfi.yaml
index 2a341dfb38..18c995d3fa 100644
--- a/vulnerabilities/wordpress/advanced-access-manager-lfi.yaml
+++ b/vulnerabilities/wordpress/advanced-access-manager-lfi.yaml
@@ -8,6 +8,7 @@ info:
reference:
- https://wpscan.com/vulnerability/9873
- https://id.wordpress.org/plugins/advanced-access-manager/
+ - https://wpscan.com/vulnerability/dfe62ff5-956c-4403-b3fd-55677628036b
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
diff --git a/vulnerabilities/wordpress/brandfolder-open-redirect.yaml b/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
index 7c050c1701..f8896d3c0c 100644
--- a/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
+++ b/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
@@ -1,7 +1,7 @@
id: brandfolder-open-redirect
info:
- name: WordPress Brandfolder - Remote/Local File Inclusion
+ name: WordPress Brandfolder - Open Redirect
author: 0x_Akoko
severity: low
description: WordPress Brandfolder is vulnerable to remote/local file inclusion and allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
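Review bot: The name becomes `WordPress Brandfolder - Open Redirect`, but the unchanged `description` on the last line still opens with "is vulnerable to remote/local file inclusion". File inclusion and open redirect differ a lot in impact, and `severity: low` only fits the latter, so the two fields now give a triager conflicting signals. If the template only demonstrates the redirect, the description should be reworded to match, for example starting `WordPress Brandfolder allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter, which redirects the victim to it.`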
diff --git a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
index 02e6e97e29..7457ff109d 100644
--- a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
+++ b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
@@ -1,10 +1,10 @@
id: eatery-restaurant-open-redirect
info:
- name: WordPress Attitude Themes 1.1.1 Open Redirection
+ name: WordPress Eatery Restaurant Themes < 2.2 - Open Redirection
author: 0x_Akoko
severity: low
- description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
+ description: The WordPress Eatery Themes allows remote attackers to redirect users to an attacker controlled URL.
reference:
- https://cxsecurity.com/issue/WLB-2020030183
tags: wordpress,wp-theme,redirect
diff --git a/vulnerabilities/wordpress/feedwordpress-xss.yaml b/vulnerabilities/wordpress/feedwordpress-xss.yaml
deleted file mode 100644
index 20cc24cc81..0000000000
--- a/vulnerabilities/wordpress/feedwordpress-xss.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-id: feedwordpress-xss
-
-info:
- name: FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
- author: dhiyaneshDk
- severity: medium
- description: The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
- reference:
- - https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
- tags: wordpress,wp-plugin,xss,feedwordpress,authenticated
-
-requests:
- - raw:
- - |
- POST /wp-login.php HTTP/1.1
- Host: {{Hostname}}
- Origin: {{RootURL}}
- Content-Type: application/x-www-form-urlencoded
- Cookie: wordpress_test_cookie=WP%20Cookie%20check
-
- log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- - |
- GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
- Host: {{Hostname}}
-
- cookie-reuse: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '">" method="post">'
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
diff --git a/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml b/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml
index 5ce4bfe007..cb97256a17 100644
--- a/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml
+++ b/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml
@@ -7,6 +7,7 @@ info:
description: WordPress NativeChurch Theme is vulnerable to local file inclusion in the download.php file.
reference:
- https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html
+ - https://wpscan.com/vulnerability/2e1062ed-0c48-473f-aab2-20ac9d4c72b1
tags: wordpress,wp-theme,lfi
requests:
diff --git a/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml b/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
deleted file mode 100644
index 040b58bc74..0000000000
--- a/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: newsletter-manager-open-redirect
-
-info:
- name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
- author: akincibor
- severity: low
- description: |
- The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
- reference:
- - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
- metadata:
- verified: true
- tags: wp-plugin,redirect,wordpress,wp,unauth
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2ludGVyYWN0LnNo"
-
- matchers:
- - type: regex
- part: header
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/vulnerabilities/wordpress/sassy-social-share.yaml b/vulnerabilities/wordpress/sassy-social-share.yaml
index 8d425c291c..dbfb112d7b 100644
--- a/vulnerabilities/wordpress/sassy-social-share.yaml
+++ b/vulnerabilities/wordpress/sassy-social-share.yaml
@@ -4,6 +4,9 @@ info:
name: Sassy Social Share <= 3.3.3 - Cross-Site Scripting
author: Random_Robbie
severity: medium
+ description: AJAX endpoints which returns JSON data has no Content-Type header set, and uses default text/html. Any JSON that has HTML will be rendered as such.
+ reference:
+ - https://wpscan.com/vulnerability/4631519b-2060-43a0-b69b-b3d7ed94c705
tags: wordpress,wp-plugin,sassy,xss
requests:
diff --git a/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml b/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml
index d91642cd80..1af0ff6c7e 100644
--- a/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml
+++ b/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml
@@ -1,17 +1,19 @@
-id: video-synchro-pdf-lfi
+id: CVE-2022-1392
info:
name: WordPress Videos sync PDF 1.7.4 - Local File Inclusion
- author: Hassan Khan Yusufzai - Splint3r7
+ author: Splint3r7
severity: high
description: WordPress Videos sync PDF 1.7.4 is vulnerable to local file inclusion.
reference:
- https://www.exploit-db.com/exploits/50844
- https://wordpress.org/plugins/video-synchro-pdf/
+ - https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
+ cve-id: CVE-2022-1392
tags: wordpress,wp-plugin,lfi,wp
requests:
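Review bot: The `id` changes to `CVE-2022-1392` and a `cve-id` is added, but the file headers show it staying at `vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml`. The sibling templates for CVE-2022-1390 and CVE-2022-1391 in this same commit are renamed into `cves/2022/`. An `id` that no longer matches the filename usually fails template linting and makes the template hard to find by CVE, so this should become `cves/2022/CVE-2022-1392.yaml`. The `cve,cve2022` tags are missing here too.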
diff --git a/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml b/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
index 5c7fdc88b3..1af7477154 100644
--- a/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
+++ b/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
@@ -1,7 +1,7 @@
id: w3c-total-cache-ssrf
info:
- name: Wordpress W3C Total Cache SSRF <= 0.9.4
+ name: Wordpress W3C Total Cache <= 0.9.4 - Unauthenticated Server Side Request Forgery (SSRF)
author: random_robbie
severity: medium
description: The W3 Total Cache WordPress plugin was affected by an Unauthenticated Server Side Request Forgery (SSRF) security vulnerability.
diff --git a/vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml b/vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml
index c393680936..7a2f40879e 100644
--- a/vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml
+++ b/vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml
@@ -4,7 +4,10 @@ info:
name: Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
author: randomrobbie
severity: medium
- tags: wordpress,wp-plugin
+ description: The lack of proper authorisation when exporting data from the plugin could allow unauthenticated users to get information about the posts and page of the blog, including their author's username and email.
+ reference:
+ - https://wpscan.com/vulnerability/f4eed3ba-2746-426f-b030-a8c432defeb2
+ tags: wordpress,wp-plugin,wp
requests:
- method: GET
diff --git a/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml b/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
index 4094c066d1..331c52ce5e 100644
--- a/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
+++ b/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
@@ -1,12 +1,13 @@
id: wordpress-zebra-form-xss
info:
- name: Wordpress Zebra Form - Cross-Site Scripting
+ name: Zebra_Form Library <= 2.9.8 - Reflected Cross-Site Scripting (XSS)
author: madrobot
severity: medium
reference:
- https://blog.wpscan.com/2021/02/15/zebra-form-xss-wordpress-vulnerability-affects-multiple-plugins.html
- tags: wordpress,xss
+ - https://wpscan.com/vulnerability/e4b796fa-3215-43ff-a6aa-71f6e1db25e5
+ tags: wordpress,xss,wp
requests:
- raw:
diff --git a/vulnerabilities/wordpress/wp-ambience-xss.yaml b/vulnerabilities/wordpress/wp-ambience-xss.yaml
index 846c96eb86..884bae2883 100644
--- a/vulnerabilities/wordpress/wp-ambience-xss.yaml
+++ b/vulnerabilities/wordpress/wp-ambience-xss.yaml
@@ -1,11 +1,12 @@
id: wp-ambience-xss
info:
- name: WordPress Theme Ambience - 'src' Reflected Cross-Site Scripting (XSS)
+ name: WordPress Theme Ambience <= 1.0 - Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference:
- https://www.exploit-db.com/exploits/38568
+ - https://wpscan.com/vulnerability/c465e5c1-fe43-40e9-894a-97b8ac462381
tags: wordpress,xss,wp-plugin
requests:
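Review bot: The name describes a theme (`WordPress Theme Ambience <= 1.0`), but the `tags` context line still says `wp-plugin`, so theme-scoped scans miss it and plugin-scoped scans include it. Other theme templates in this diff use `wp-theme`; suggest `tags: wordpress,xss,wp-theme`. The rename also drops both "Reflected" and the `'src'` parameter from the name, which removes the one hint of where the injection point is.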
diff --git a/vulnerabilities/wordpress/wp-church-admin-xss.yaml b/vulnerabilities/wordpress/wp-church-admin-xss.yaml
index dd400c14f6..6a7e64f5db 100644
--- a/vulnerabilities/wordpress/wp-church-admin-xss.yaml
+++ b/vulnerabilities/wordpress/wp-church-admin-xss.yaml
@@ -5,7 +5,7 @@ info:
author: daffainfo
severity: medium
reference:
- - https://packetstormsecurity.com/files/132034/WordPress-Church-Admin-0.800-Cross-Site-Scripting.html
+ - https://packetstormsecurity.com/files/132034/WordPress-Church-Admin-0.800-Cross-Site-Scripting.html # Is this stored ?
tags: wordpress,xss,wp-plugin
requests:
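Review bot: The only change here appends `# Is this stored ?` to the reference line, which commits an open review question into the template. YAML treats it as a comment, so the URL value is unaffected, but the question belongs in the pull-request discussion. If the issue turns out to be stored rather than reflected XSS, that should be reflected in `name` and `description`, since the two need different verification and cleanup.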
diff --git a/vulnerabilities/wordpress/wp-whmcs-xss.yaml b/vulnerabilities/wordpress/wp-whmcs-xss.yaml
deleted file mode 100644
index 69a4a54185..0000000000
--- a/vulnerabilities/wordpress/wp-whmcs-xss.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: wp-whmcs-xss
-
-info:
- name: WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
- author: dhiyaneshDk
- severity: medium
- description: The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
- reference:
- - https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
- tags: wordpress,wp-plugin,authenticated,whmcs,xss
-
-requests:
- - raw:
- - |
- POST /wp-login.php HTTP/1.1
- Host: {{Hostname}}
- Origin: {{RootURL}}
- Content-Type: application/x-www-form-urlencoded
- Cookie: wordpress_test_cookie=WP%20Cookie%20check
-
- log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- - |
- GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
- Host: {{Hostname}}
-
- cookie-reuse: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - ""
- condition: and
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
diff --git a/vulnerabilities/wordpress/wp-woocommerce-email-verification.yaml b/vulnerabilities/wordpress/wp-woocommerce-email-verification.yaml
index 3d2d93704e..5d6dbacea6 100644
--- a/vulnerabilities/wordpress/wp-woocommerce-email-verification.yaml
+++ b/vulnerabilities/wordpress/wp-woocommerce-email-verification.yaml
@@ -1,12 +1,13 @@
id: wp-woocommerce-email-verification
info:
- name: WordPress WooCommerce <1.8.2 - Authentication Bypass
+ name: Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
author: random_robbie,daffianfo
severity: critical
- description: WordPress WooCommerce prior to version 1.8.2 contains a loose comparison issue which could allow any user to log in as administrator.
+ description: Email Verification for WooCommerce Wordpress plugin prior to version 1.8.2 contains a loose comparison issue which could allow any user to log in as administrator.
reference:
- https://wpvulndb.com/vulnerabilities/10318
+ - https://wpscan.com/vulnerability/0c93832c-83db-4053-8a11-70de966bb3a8
classification:
cvss-metrics: CVSS:10.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
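Review bot: The `cvss-metrics` context line reads `CVSS:10.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, and `10.0` is not a CVSS version, so the score appears to have been typed into the version prefix. Tooling that parses the vector will reject or mis-rank it. Since this commit is already correcting the metadata, it should become `cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, matching the other templates. The author entry `daffianfo` also looks like a misspelling of `daffainfo`, which is how the handle is written elsewhere in this diff.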
diff --git a/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml b/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
index f3d8f59e94..72bc6269ce 100644
--- a/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
+++ b/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
@@ -1,7 +1,7 @@
id: wp-woocommerce-file-download
info:
- name: WordPress WooCommerce < 1.2.7 - Arbitrary File Retrieval
+ name: Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
author: 0x_Akoko
severity: high
description: WordPress WooCommerce < 1.2.7 is susceptible to file download vulnerabilities. The lack of authorization checks in the handle_downloads() function hooked to admin_init() could allow unauthenticated
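Review bot: The name is corrected to `Product Input Fields for WooCommerce < 1.2.7`, but the unchanged `description` below it still says "WordPress WooCommerce < 1.2.7 is susceptible", which attributes the flaw to WooCommerce itself. The email-verification template in this commit fixes the same wording in both fields; this one should too, for example starting the description with `Product Input Fields for WooCommerce WordPress plugin < 1.2.7 is susceptible to file download vulnerabilities.` Otherwise a reader of the finding may go looking for a WooCommerce core update that does not address the issue.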
@@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-22
- tags: wordpress,woocommerce,lfi
+ tags: wordpress,woocommerce,lfi,wp
requests:
- method: GET