Edge case templates for LearnDash LMS (fixes #15)

topscoder · May 13, 2024 · 48b44fe · 48b44fe
1 parent 6de7509
commit 48b44fe
Show file tree

Hide file tree

Showing 9 changed files with 37 additions and 30 deletions.
diff --git a/lib/parsers/edge-cases.yaml b/lib/parsers/edge-cases.yaml
@@ -0,0 +1,7 @@
+sfwd-lms:
+  target: ""
+  regex: '(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)'
+
+fusion-builder:
+  target: "wp-content/plugins/fusion-builder/languages/fusion-builder.pot"
+  regex: "(?mi)Project-Id-Version: Avada Builder ([0-9.]+)"
diff --git a/nuclei-templates/2018/CVE-2018-25019-10a89ae66beb80eb5f5ead8cc5089e02.yaml b/nuclei-templates/2018/CVE-2018-25019-10a89ae66beb80eb5f5ead8cc5089e02.yaml
@@ -4,7 +4,7 @@ info:
   name: >
     LearnDash LMS <= 2.5.3 - Arbitrary File Upload
   author: topscoder
-  severity: high
+  severity: critical
   description: >
     The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server
   reference:
@@ -17,14 +17,14 @@ info:
     fofa-query: "wp-content/plugins/sfwd-lms/"
     google-query: inurl:"/wp-content/plugins/sfwd-lms/"
     shodan-query: 'vuln:CVE-2018-25019'
-  tags: cve,wordpress,wp-plugin,sfwd-lms,high
+  tags: cve,wordpress,wp-plugin,sfwd-lms,critical
 
 http:
   - method: GET
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers:

diff --git a/nuclei-templates/2020/CVE-2020-6009-2a5ae121ac45c4db9286f6262f63f6e5.yaml b/nuclei-templates/2020/CVE-2020-6009-2a5ae121ac45c4db9286f6262f63f6e5.yaml
@@ -24,7 +24,7 @@ http:
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers:

diff --git a/nuclei-templates/2020/CVE-2020-7108-d6e8b2f76cbc2ec5ae7e7af3679d4ed8.yaml b/nuclei-templates/2020/CVE-2020-7108-d6e8b2f76cbc2ec5ae7e7af3679d4ed8.yaml
@@ -24,7 +24,7 @@ http:
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers:

diff --git a/nuclei-templates/2023/CVE-2023-28777-13a97dd87cd8da4d2ca9cc4586e65cfe.yaml b/nuclei-templates/2023/CVE-2023-28777-13a97dd87cd8da4d2ca9cc4586e65cfe.yaml
@@ -4,7 +4,7 @@ info:
   name: >
     LearnDash LMS <= 4.5.3 - Authenticated (Contributor+) SQL Injection
   author: topscoder
-  severity: high
+  severity: low
   description: >
     The LearnDash LMS plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in versions up to, and including, 4.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
   reference:
@@ -17,14 +17,14 @@ info:
     fofa-query: "wp-content/plugins/sfwd-lms/"
     google-query: inurl:"/wp-content/plugins/sfwd-lms/"
     shodan-query: 'vuln:CVE-2023-28777'
-  tags: cve,wordpress,wp-plugin,sfwd-lms,high
+  tags: cve,wordpress,wp-plugin,sfwd-lms,low
 
 http:
   - method: GET
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers:

diff --git a/nuclei-templates/2023/CVE-2023-3105-838c5377a3ecbc7084b894cb32f7b8cc.yaml b/nuclei-templates/2023/CVE-2023-3105-838c5377a3ecbc7084b894cb32f7b8cc.yaml
@@ -4,7 +4,7 @@ info:
   name: >
     LearnDash LMS <= 4.6.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
   author: topscoder
-  severity: high
+  severity: low
   description: >
     The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts.
   reference:
@@ -17,14 +17,14 @@ info:
     fofa-query: "wp-content/plugins/sfwd-lms/"
     google-query: inurl:"/wp-content/plugins/sfwd-lms/"
     shodan-query: 'vuln:CVE-2023-3105'
-  tags: cve,wordpress,wp-plugin,sfwd-lms,high
+  tags: cve,wordpress,wp-plugin,sfwd-lms,low
 
 http:
   - method: GET
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers:

diff --git a/nuclei-templates/2024/CVE-2024-1208-02626784075443390163f8db5670c28a.yaml b/nuclei-templates/2024/CVE-2024-1208-02626784075443390163f8db5670c28a.yaml
@@ -24,7 +24,7 @@ http:
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers:

diff --git a/nuclei-templates/2024/CVE-2024-1209-953891b7b02246cb4b83db8ae0e364f6.yaml b/nuclei-templates/2024/CVE-2024-1209-953891b7b02246cb4b83db8ae0e364f6.yaml
@@ -24,7 +24,7 @@ http:
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers:

diff --git a/nuclei-templates/2024/CVE-2024-1210-417dd4625c1b025667086ec6772974db.yaml b/nuclei-templates/2024/CVE-2024-1210-417dd4625c1b025667086ec6772974db.yaml
@@ -24,7 +24,7 @@ http:
     redirects: true
     max-redirects: 3
     path:
-      - "{{BaseURL}}/wp-content/plugins/sfwd-lms/readme.txt"
+      - "{{BaseURL}}/"
 
     extractors:
       - type: regex
@@ -33,14 +33,14 @@ http:
         group: 1
         internal: true
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
       - type: regex
         name: version
         part: body
         group: 1
         regex:
-          - "(?mi)Stable tag: ([0-9.]+)"
+          - "(?mi)learndash_quiz_front.min.css\?ver=([0-9]+\.[0-9]+\.[0-9]+)"
 
     matchers-condition: and
     matchers: