insert-php.yaml

id: insert-php

info:
  name: "Woody code snippets <= 2.4.5 - Reflected Cross-Site Scripting"
  author: topscoder
  severity: medium
  description: "The Woody code snippets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
  reference:
    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2736272%40insert-php&new=2736272%40insert-php&sfp_email=&sfph_mail=
    - https://patchstack.com/database/vulnerability/insert-php-/wordpress-woody-code-snippets-plugin-2-4-5-reflected-cross-site-scripting-xss-vulnerability
    - https://wpscan.com/vulnerability/6d6761b7-0c17-4428-8748-2179732030a3
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id:
  metadata:
    fofa-query: "wp-content/plugins/insert-php/"
    google-query: inurl:"/wp-content/plugins/insert-php/"
    shodan-query: 'vuln:'
  tags: cve,wordpress,wp-plugin,insert-php,medium

http:
  - method: GET
    redirects: true
    max-redirects: 3
    path:
      - "{{BaseURL}}/wp-content/plugins/insert-php/readme.txt"

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        internal: true
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"

      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "insert-php"
        part: body

      - type: dsl
        dsl:
          - compare_versions(version, '<= 2.4.5')