-
Notifications
You must be signed in to change notification settings - Fork 125
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New Nuclei template for CVE-2024-6297-05b8b2a97ccecc2fd598cd678681096…
…5.yaml [Sun Jun 30 03:33:36 UTC 2024] :robot:
- Loading branch information
1 parent
3b4ae4a
commit 4d16bfd
Showing
1 changed file
with
59 additions
and
0 deletions.
There are no files selected for viewing
59 changes: 59 additions & 0 deletions
59
nuclei-templates/2024/CVE-2024-6297-05b8b2a97ccecc2fd598cd6786810965.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| id: CVE-2024-6297-05b8b2a97ccecc2fd598cd6786810965 | ||
|
|
||
| info: | ||
| name: > | ||
| Several WordPress.org Plugins <= Various Versions - Injected Backdoor | ||
| author: topscoder | ||
| severity: critical | ||
| description: > | ||
| Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan. | ||
| reference: | ||
| - https://github.com/topscoder/nuclei-wordfence-cve | ||
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/56d24bc8-4a1a-4e60-aec5-960703a6058a?source=api-prod | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | ||
| cvss-score: 10 | ||
| cve-id: CVE-2024-6297 | ||
| metadata: | ||
| fofa-query: "wp-content/plugins/twenty20/" | ||
| google-query: inurl:"/wp-content/plugins/twenty20/" | ||
| shodan-query: 'vuln:CVE-2024-6297' | ||
| tags: cve,wordpress,wp-plugin,twenty20,critical | ||
|
|
||
| http: | ||
| - method: GET | ||
| redirects: true | ||
| max-redirects: 3 | ||
| path: | ||
| - "{{BaseURL}}/wp-content/plugins/twenty20/readme.txt" | ||
|
|
||
| extractors: | ||
| - type: regex | ||
| name: version | ||
| part: body | ||
| group: 1 | ||
| internal: true | ||
| regex: | ||
| - "(?mi)Stable tag: ([0-9.]+)" | ||
|
|
||
| - type: regex | ||
| name: version | ||
| part: body | ||
| group: 1 | ||
| regex: | ||
| - "(?mi)Stable tag: ([0-9.]+)" | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: status | ||
| status: | ||
| - 200 | ||
|
|
||
| - type: word | ||
| words: | ||
| - "twenty20" | ||
| part: body | ||
|
|
||
| - type: dsl | ||
| dsl: | ||
| - compare_versions(version, '1.6.3') |