Filename :
406-WORDPRESS-PLUGIN-VULNERABILITY-PROTECTION.conf
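# Virtual-patch rules for WordPress plugin and theme vulnerabilities, ids 406001-406051.
#
# Each rule (or the last link of each chain) increments tx.bn_inbound_found.
# Whatever reads that counter lives outside this file, as does SecDefaultAction,
# which supplies the phase and disruptive action for rules that name none
# (406015, 406025 and 406026 set no phase although they inspect ARGS).
#
# NOTE(review), applies to 406007, 406015, 406019, 406022, 406025 and 406026:
# these end on a negated match against REQUEST_HEADERS:Referer. ModSecurity only
# evaluates a rule against targets that exist, so that link is not evaluated when
# the request carries no Referer header, and the header is client-supplied in any
# case. Treat these rules as request-origin heuristics; add a
# `SecRule &REQUEST_HEADERS:Referer "@eq 0"` variant if header-less requests
# should be counted as well.

# 406001: installer.php / installer-backup.php requested with a ', ) or ; in one
# of the POSTed database fields.
SecRule REQUEST_URI "@pm /installer.php /installer-backup.php" \
    "block,auditlog,phase:2,id:406001,chain,\
    severity:CRITICAL,\
    msg:'Duplicator <= 1.2.40 - Arbitrary Code Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
    SecRule "ARGS_POST:dbname|ARGS_POST:dbuser|ARGS_POST:dbhost|ARGS_POST:dbport" "@rx [');]" \
        "setvar:tx.bn_inbound_found=+1"

# 406002: /wp-json/omapp/ requested with a Referer containing the OptinMonster
# test host named in the message.
SecRule REQUEST_URI ".*/wp-json/omapp/?.*" \
    "id:406002,\
    phase:2,\
    rev:'1',\
    auditlog,\
    block,\
    SEVERITY:critical,\
    msg:'OptinMonster plugin authentication vulnerability protection. Block requests for OMAPP urls if the REFERER header contains https://wp.app.optinmonster.test',\
    logdata:'OptinMonster plugin authentication vulnerability protection. Block requests for OMAPP urls if the REFERER header contains https://wp.app.optinmonster.test',\
    chain"
    SecRule REQUEST_HEADERS:Referer "@contains https://wp.app.optinmonster.test" "setvar:tx.bn_inbound_found=+1"

# 406003: Rank Math updateMeta call that targets a user object and carries the
# administrator capability key. The rule itself uses `pass`; it only counts.
SecRule REQUEST_URI "@rx wp-json\/rankmath\/v1\/updateMeta" \
    "id:406003,\
    chain,\
    phase:2,\
    rev:'1',\
    auditlog,\
    pass,\
    log,\
    t:none,\
    t:urlDecodeUni,\
    t:normalizePath,\
    severity:critical,\
    logdata:'Privilege Escalation via Unprotected REST API Endpoint in Rank Math SEO Plugin for WordPress (CVE-2020-11514)',\
    msg:'Privilege Escalation via Unprotected REST API Endpoint in Rank Math SEO Plugin for WordPress (CVE-2020-11514)'"
    SecRule ARGS:objectType "@streq user" "chain,t:none"
    # Matches a value that contains "10" anywhere, or an empty value.
    SecRule ARGS:meta[wp_user_level] "@rx (?:10|^$)" "chain,t:none"
    # The two `&` links test that the argument is present, not what it holds.
    SecRule &ARGS:objectID "@gt 0" "chain,t:none"
    SecRule &ARGS:meta[wp_capabilities][administrator] "@gt 0" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406004: Duplicator download action whose file argument contains "../".
SecRule ARGS:action "@rx ^duplicator(_pro)?_download$" \
    "id:406004,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,\
    t:urlDecodeUni,\
    severity:critical,\
    logdata:'Duplicator File Download Auth Bypass (CVE-2020-11738)',\
    msg:'Duplicator File Download Auth Bypass (CVE-2020-11738)'"
    SecRule ARGS:file "@contains ../" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"

# 406005: wechat/image.php under wp-content/plugins with a url argument that
# contains ".." or "http".
SecRule REQUEST_FILENAME "@endsWith wechat/image.php" \
    "id:406005,\
    chain,\
    phase:2,\
    rev:'1',\
    block,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    severity:critical,\
    logdata:'Local File Inclusion vulnerability in Wechat Broadcast 1.2.0 Plugin for WordPress (CVE-2018-16283)',\
    msg:'Local File Inclusion vulnerability in Wechat Broadcast 1.2.0 Plugin for WordPress (CVE-2018-16283)'"
    SecRule MATCHED_VAR "@contains wp-content/plugins" "chain"
    SecRule ARGS:url "@pm .. http" "t:none,t:urlDecodeUni,setvar:tx.bn_inbound_found=+1"

# 406006: POST to wp-login.php / wp-signup.php with an sgs2fa action and no
# sgs_2fa_login_nonce cookie.
SecRule REQUEST_METHOD "POST" \
    "id:406006,\
    phase:2,\
    rev:'1',\
    chain,\
    block,\
    t:none,\
    severity:2,\
    logdata:'Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)',\
    msg:'Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)'"
    SecRule ARGS:action "sgs2fa" \
        "chain,\
        t:none"
    SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath"
    SecRule &REQUEST_COOKIES:sgs_2fa_login_nonce "@eq 0" "t:none, setvar:'tx.bn_inbound_found=+1'"

# 406007: same request shape as 406006, counted when the Referer does not
# contain the server name.
SecRule REQUEST_METHOD "POST" \
    "id:406007,\
    phase:2,\
    rev:'1',\
    chain,\
    block,\
    t:none,\
    severity:2,\
    logdata:'Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)',\
    msg:'Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)'"
    SecRule ARGS:action "sgs2fa" \
        "chain,\
        t:none"
    SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none, setvar:'tx.bn_inbound_found=+1'"

# 406008: admin-ajax.php with a jupiterx/mka load-pane action and "../../" in slug.
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php" \
    "id:406008,\
    phase:2,\
    rev:'1',\
    chain,\
    block,\
    t:none,\
    severity:critical,\
    logdata:'Authenticated Path Traversal and Local File Inclusion in JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1 for WordPress (CVE-2022-1657)',\
    msg:'Authenticated Path Traversal and Local File Inclusion in JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1 for WordPress (CVE-2022-1657)'"
    SecRule ARGS:action "(?:jupiterx|mka)_cp_load_pane_action" "chain,t:none"
    SecRule ARGS:slug "@rx \.\.\/\.\.\/" "t:none, setvar:tx.bn_inbound_found=+1"

# 406009: POST to admin-ajax.php with action td_ajax_fb_login_user and a
# non-empty user[email].
SecRule REQUEST_METHOD "@rx POST" \
    "id:406009,\
    chain,\
    phase:2,\
    block,\
    severity:critical,\
    t:none, t:urlDecodeUni,\
    msg:'Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)',\
    logdata:'Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@streq td_ajax_fb_login_user" "chain,t:none"
    # The operator needs its "@": without it the whole string is read as a regex.
    SecRule ARGS:user[email] "!@rx ^$" "chain,t:none,t:urlDecodeUni"
    # NOTE(review): with `&` this compares the header COUNT ("0" or "1") with the
    # Host value, so the link holds for every request that reaches it. Sibling
    # rules compare the header value. Left unchanged because dropping `&` would
    # narrow the rule; confirm which behaviour is intended.
    SecRule &REQUEST_HEADERS:Referer "!@contains %{REQUEST_HEADERS.Host}" "setvar:tx.bn_inbound_found=+1"

# 406010: same request shape as 406009, counted when the request carries no
# cookie whose name matches wordpress_logged_in_.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406010,\
    chain,\
    phase:2,\
    block,\
    severity:critical,\
    t:none, t:urlDecodeUni,\
    msg:'Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)',\
    logdata:'Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@streq td_ajax_fb_login_user" "chain,t:none"
    SecRule ARGS:user[email] "!@rx ^$" "chain,t:none,t:urlDecodeUni"
    # `&` counts matching cookies. Comparing the cookie VALUE with 0 can never see
    # an absent cookie, because a rule is not evaluated against a missing target.
    SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0" "setvar:tx.bn_inbound_found=+1"

# 406011: admin-ajax.php with action import_from_debug and a data[debug_info] argument.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:406011,\
    chain,\
    phase:2,\
    block,\
    log,\
    severity:critical,\
    t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,\
    msg:'Authenticated PHP Object Injection in Redirection for Contact Form 7 Plugin (CVE-2021-24280)',\
    logdata:'Authenticated PHP Object Injection in Redirection for Contact Form 7 Plugin (CVE-2021-24280)'"
    SecRule ARGS:action "@streq import_from_debug" "chain,t:none,t:lowercase"
    SecRule &ARGS:data[debug_info] "@gt 0" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"

# 406012: POST to admin-ajax.php, action wpt_admin_update_notice_option, with
# option_key present, perpose=update and a callback naming wp_delete*,
# wp_upload* or phpinfo. (rev was listed twice; one copy kept.)
SecRule REQUEST_METHOD "POST" \
    "id:406012,\
    rev:'1',\
    chain,\
    phase:2,\
    block,\
    severity:critical,\
    t:none,t:normalizePath,\
    msg:'Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)',\
    logdata:'Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none"
    SecRule &ARGS:option_key "@gt 0" "chain,t:none"
    SecRule ARGS:perpose "@streq update" "chain,t:none"
    SecRule ARGS:callback "@rx wp_(?:delete|upload)|phpinfo" "t:none,setvar:tx.bn_inbound_found=+1"

# 406013: POST registration (action ends in theplus_ajax_register) that asks
# for the administrator or editor role.
SecRule REQUEST_METHOD "POST" \
    "id:406013,\
    rev:'1',\
    chain,\
    phase:2,\
    block,\
    log,\
    severity:critical,\
    msg:'Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)',\
    logdata:'Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)',\
    t:none"
    SecRule ARGS:action "@endsWith theplus_ajax_register" "chain, t:none"
    SecRule &ARGS:user_login "@gt 0" "chain, t:none"
    SecRule &ARGS:email "@gt 0" "chain, t:none"
    SecRule &ARGS:password "@gt 0" "chain, t:none"
    SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none, t:lowercase, setvar:'tx.bn_inbound_found=+1'"

# 406014: the theplus_google_ajax_register variant of 406013.
SecRule REQUEST_METHOD "POST" \
    "id:406014,\
    rev:'1',\
    chain,\
    phase:2,\
    block,\
    log,\
    severity:critical,\
    msg:'Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)',\
    logdata:'Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)',\
    t:none"
    SecRule ARGS:action "@endsWith theplus_google_ajax_register" "chain, t:none"
    SecRule &ARGS:email "@gt 0" "chain, t:none"
    SecRule &ARGS:name "@gt 0" "chain, t:none"
    SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none, t:lowercase, setvar:'tx.bn_inbound_found=+1'"

# 406015: admin-ajax.php create/delete_dynamic_page action with wrapper_page_id,
# counted when the Referer does not contain the server name. No phase is named.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:406015,\
    rev:'1',\
    chain,\
    block,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    severity:critical,\
    msg:'IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations (CVE-2020-9514)',\
    logdata:'IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations (CVE-2020-9514)'"
    SecRule ARGS:action "@rx (create|delete)_dynamic_page" "chain,t:none,t:lowercase"
    SecRule &ARGS:wrapper_page_id "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none, setvar:tx.bn_inbound_found=+1"

# 406016: rest_route under /pmpro/v1/ with a code argument holding any character
# other than letters, digits and "-".
SecRule ARGS:rest_route "@contains /pmpro/v1/" \
    "id:406016,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    block,\
    auditlog,\
    t:none,\
    t:urlDecodeUni,\
    severity:critical,\
    logdata:'Paid Memberships Pro < 2.9.8 SQL Injection (CVE-2023-23488)',\
    msg:'Paid Memberships Pro < 2.9.8 SQL Injection (CVE-2023-23488)'"
    SecRule ARGS:code "@rx [^A-Za-z0-9\-]" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"

# 406017: admin-ajax.php edd_download_search action with a single quote in `s`.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:406017,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    block,\
    auditlog,\
    t:none,\
    t:urlDecodeUni,\
    severity:critical,\
    logdata:'Easy Digital Downloads < 3.1.0.4 SQL Injection (CVE-2023-23489)',\
    msg:'Easy Digital Downloads < 3.1.0.4 SQL Injection (CVE-2023-23489)'"
    SecRule ARGS:action "edd_download_search" "chain,t:none"
    SecRule ARGS:s "@contains '" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"

# 406018: admin-ajax.php ays_surveys_export_json action with a non-digit in any
# surveys_ids[...] argument.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:406018,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    block,\
    auditlog,\
    t:none,\
    t:urlDecodeUni,\
    severity:critical,\
    logdata:'Survey Maker < 3.1.2 SQL Injection (CVE-2023-23490)',\
    msg:'Survey Maker < 3.1.2 SQL Injection (CVE-2023-23490)'"
    SecRule ARGS:action "ays_surveys_export_json" "chain,t:none"
    SecRule ARGS:/surveys_ids\[\w*\]/ "@rx [^0-9]" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"

# 406019: POST to admin-ajax.php with an erm_*_menu_item action, counted when
# the Referer does not contain the server name.
SecRule REQUEST_METHOD "POST" \
    "id:406019,\
    chain,\
    phase:2,\
    rev:'1',\
    t:none,\
    severity:critical,\
    logdata:'CSRF in Quick Restaurant Menu <= 2.0.2 plugin for WordPress (CVE-2023-0554)',\
    msg:'CSRF in Quick Restaurant Menu <= 2.0.2 plugin for WordPress (CVE-2023-0554)'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx erm_(delete|create|update)_menu_item" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406020: POST to the wp-statistics hit endpoint with a quote or "(" in
# exclusion_reason.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406020,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Unauthenticated Blind SQL Injection in WP Statistics plugin for WordPress (CVE-2022-0513)',\
    msg:'Unauthenticated Blind SQL Injection in WP Statistics plugin for WordPress (CVE-2022-0513)'"
    SecRule REQUEST_URI "@contains /wp-json/wp-statistics/v2/hit" "chain,t:none,t:normalizePath"
    # NOTE(review): "$" sits inside the group, so only "true" is end-anchored and
    # any value starting with "yes" or "1" matches. Possibly meant
    # ^(?:yes|1|true)$; left as written because that would narrow the rule.
    SecRule ARGS:exclusion_match|ARGS:wp_statistics_hit_rest "@rx ^(?:yes|1|true$)" "chain,t:none,t:lowercase"
    SecRule ARGS:exclusion_reason "@rx '|\x22|\(" "t:none,t:htmlEntityDecode,t:urlDecode,setvar:'tx.bn_inbound_found=+1'"

# 406021: wpgateway-webservice-new.php requested with wp_new_credentials equal to 1.
SecRule REQUEST_FILENAME "@pm wp-content/plugins/wpgateway/wpgateway-webservice-new.php" \
    "id:406021,\
    chain,\
    phase:2,\
    rev:1,\
    severity:critical,\
    t:none,t:normalizePath,\
    logdata:'Privilege escalation in WPGateway WordPress plugin <= 3.5 (CVE-2022-3180)',\
    msg:'Privilege escalation in WPGateway WordPress plugin <= 3.5 (CVE-2022-3180)'"
    SecRule ARGS:wp_new_credentials "@eq 1" "t:none,t:lowercase,setvar:'tx.bn_inbound_found=+1'"

# 406022: POST to admin-post.php for the gift-cards panel, counted when the
# Referer does not contain the server name.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406022,\
    chain,\
    phase:2,\
    severity:CRITICAL,\
    rev:1,\
    t:none,\
    msg:'CSRF in Yith WooCommerce Gift Cards Premium plugin for WordPress.(CVE-2022-45359)',\
    logdata:'CSRF in Yith WooCommerce Gift Cards Premium plugin for WordPress.(CVE-2022-45359)'"
    SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none"
    SecRule ARGS:page "@streq yith_woocommerce_gift_cards_panel" "chain,t:none"
    SecRule REQUEST_HEADERS:referer "!@contains %{SERVER_NAME}" "t:none, setvar:tx.bn_inbound_found=+1"

# 406023: gift-card import on the same page where the uploaded file_import_csv
# file name does not end in .csv.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406023,\
    chain,\
    phase:2,\
    severity:CRITICAL,\
    rev:1,\
    t:none,\
    msg:'Unauthenticated Arbitrary File Upload in Yith WooCommerce Gift Cards Premium plugin for WordPress (CVE-2022-45359)',\
    logdata:'Unauthenticated Arbitrary File Upload in Yith WooCommerce Gift Cards Premium plugin for WordPress (CVE-2022-45359)'"
    SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none"
    SecRule ARGS:page "@streq yith_woocommerce_gift_cards_panel" "chain,t:none"
    SecRule ARGS:ywgc_safe_submit_field "@streq importing_gift_cards" "chain,t:none"
    SecRule FILES:file_import_csv "!@rx \.csv$" "t:none, setvar:tx.bn_inbound_found=+1"

# 406024: /wp-admin/ request whose wc-ajax argument starts with a digit.
SecRule REQUEST_URI "@rx /wp-admin/" \
    "id:406024,\
    chain,\
    phase:2,\
    block,log,\
    severity:CRITICAL,\
    rev:1,\
    t:none,\
    msg:'Privilege escalation in Elementor Pro < 3.11.7 (CWE-862)',\
    logdata:'Privilege escalation in Elementor Pro < 3.11.7 (CWE-862)'"
    SecRule ARGS:wc-ajax "@rx ^\d" "t:none, setvar:tx.bn_inbound_found=+1"

# 406025: admin-ajax.php login_or_register_user password reset carrying exactly
# one eael-pass1, counted when the Referer does not contain the server name.
# No phase is named.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:406025,\
    chain,\
    severity:critical,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    logdata:'Essential Addons for Elementor < 5.7.2 - Privilege Escalation (CVE-2023-32243)',\
    msg:'Essential Addons for Elementor < 5.7.2 - Privilege Escalation (CVE-2023-32243)'"
    SecRule ARGS:action "@streq login_or_register_user" "chain,t:none,t:lowercase"
    SecRule ARGS:eael-resetpassword-submit "@streq true" "chain,t:none,t:lowercase"
    SecRule &ARGS:eael-pass1 "@eq 1" "chain,t:none,t:lowercase"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:htmlEntityDecode,t:lowercase,setvar:'tx.bn_inbound_found=+1'"

# 406026: the plugin's readme.txt requested with a Referer that does not contain
# the server name. No phase is named.
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt" \
    "id:406026,\
    chain,\
    severity:critical,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    logdata:'Essential Addons for Elementor < 5.7.2 - Vulnerable version discovery (CVE-2023-32243)',\
    msg:'Essential Addons for Elementor < 5.7.2 - Vulnerable version discovery (CVE-2023-32243)'"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:htmlEntityDecode,t:lowercase,setvar:'tx.bn_inbound_found=+1'"

# 406027: POST whose User-Agent contains a script tag opener.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406027,\
    chain,\
    phase:2,\
    severity:critical,\
    t:none,\
    logdata:'Unauthenticated Stored Cross-Site Scripting in Shield Security <= 17.0.17 (CVE-2023-0992)',\
    msg:'Unauthenticated Stored Cross-Site Scripting in Shield Security <= 17.0.17 (CVE-2023-0992)'"
    # t:lowercase because HTML tag names are case-insensitive.
    SecRule REQUEST_HEADERS:User-Agent "@rx <script" "t:none,t:lowercase,setvar:'tx.bn_inbound_found=+1'"

# 406028: getwid get_remote_content call whose get_content_url does not contain
# the template-server path.
SecRule REQUEST_URI "@contains getwid/v1/get_remote_content" \
    "id:406028,\
    chain,\
    phase:2,\
    severity:critical,\
    t:none,\
    logdata:'Authenticated SSRF in Getwid <= 1.8.3 plugin for WordPress (CVE-2023-1895)',\
    msg:'Authenticated SSRF in Getwid <= 1.8.3 plugin for WordPress (CVE-2023-1895)'"
    SecRule ARGS:get_content_url "!@contains /wp-json/getwid-templates-server/v1/get_content" "t:none,t:normalizePath,setvar:'tx.bn_inbound_found=+1'"

# 406029: POST with wp_screen_options[option] present and a non-digit in
# wp_screen_options[value].
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406029,\
    chain,\
    phase:2,\
    severity:critical,\
    t:none,\
    logdata:'Privilege Escalation in ReviewX <= 1.6.13 for WooCommerce for WordPress (CVE-2023-2833)',\
    msg:'Privilege Escalation in ReviewX <= 1.6.13 for WooCommerce for WordPress (CVE-2023-2833)'"
    SecRule &ARGS:wp_screen_options[option] "@gt 0" "chain,t:none"
    SecRule ARGS:wp_screen_options[value] "\D" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406030: POST to admin-ajax.php, action arm_shortcode_form_ajax_action, with
# arm_action=change-password and action2=rp.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406030,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Unauthenticated Account Takeover In ARMember < 3.4.8 WordPress Plugin (CVE-2022-1903)',\
    logdata:'Unauthenticated Account Takeover In ARMember < 3.4.8 WordPress Plugin (CVE-2022-1903)'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx arm_shortcode_form_ajax_action" "chain,t:none"
    SecRule ARGS:arm_action "@streq change-password" "chain,t:none"
    SecRule ARGS:action2 "@streq rp" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406031: POST to admin-ajax.php with order_id and createaccount present and an
# action or wc-ajax value matching eh_spg_stripe_cancel_order.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406031,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Authentication Bypass in Stripe Payment Plugin <= 3.7.7 for WooCommerce WordPress Plugin (CVE-2023-3162)',\
    logdata:'Authentication Bypass in Stripe Payment Plugin <= 3.7.7 for WooCommerce WordPress Plugin (CVE-2023-3162)'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule &ARGS:order_id "@gt 0" "chain,t:none"
    SecRule &ARGS:createaccount "@gt 0" "chain,t:none"
    SecRule ARGS:action|ARGS:wc-ajax "@rx eh_spg_stripe_cancel_order" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406032: POST to pm/v2/save_users_map_name where any argument value contains
# "github" or "bitbucket".
SecRule REQUEST_METHOD "@rx POST" \
    "id:406032,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Privilege Escalation Vulnerability in WP Project Manager <= 2.6.4 plugin for WordPress (CVE-2023-3636)',\
    logdata:'Privilege Escalation Vulnerability in WP Project Manager <= 2.6.4 plugin for WordPress (CVE-2023-3636)'"
    SecRule REQUEST_URI "@contains pm/v2/save_users_map_name" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS "@pm github bitbucket" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406033: mla-stream-image.php requested with "://" in mla_stream_file.
SecRule REQUEST_URI "@contains /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php" \
    "id:406033,\
    chain,\
    rev:'1',\
    severity:critical,\
    phase:2,\
    logdata:'RCE in WordPress Media-Library plugin < 3.10 (CVE-2023-4634)',\
    msg:'RCE in WordPress Media-Library plugin < 3.10 (CVE-2023-4634)'"
    SecRule ARGS:mla_stream_file "@contains ://" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"

# 406034: POST with charitable_action=save_registration that also supplies a
# role argument.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406034,\
    chain,\
    rev:'1',\
    severity:critical,\
    phase:2,\
    t:none,\
    logdata:'Unauthenticated Privilege Escalation in Donation Forms by Charitable <= 1.7.0.12 Plugin for WordPress (CVE-2023-4404)',\
    msg:'Unauthenticated Privilege Escalation in Donation Forms by Charitable <= 1.7.0.12 Plugin for WordPress (CVE-2023-4404)'"
    SecRule ARGS:charitable_action "@streq save_registration" "chain,t:none"
    SecRule &ARGS:role "@gt 0" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406035: POST under /wp-json/wp/v2/ containing a slimstat shortcode block that
# does not fit the expected w='...' form.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406035,\
    chain,\
    rev:'1',\
    severity:critical,\
    phase:2,\
    t:none,\
    logdata:'Blind authenticated SQLi vulnerability in Slimstat Analytics <= 5.0.9 Plugin For WordPress (CVE-2023-4598)',\
    msg:'Blind authenticated SQLi vulnerability in Slimstat Analytics <= 5.0.9 Plugin For WordPress (CVE-2023-4598)'"
    SecRule REQUEST_FILENAME "@contains /wp-json/wp/v2/" "chain,t:none,t:normalizePath"
    SecRule ARGS|ARGS:content "@rx wp:shortcode -->\n\[slimstat" "chain,t:none"
    # NOTE(review): the negated match runs over every argument (ARGS), so it holds
    # as soon as any one argument lacks the pattern. Confirm that is intended
    # rather than a test of the shortcode-bearing argument only.
    SecRule ARGS|ARGS:content "!@rx wp:shortcode -->\n\[slimstat\s[^\]]+(w='\w{2,20}(?:'\]|'\s))" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406036: POST to admin-ajax.php with a qcld_openai training-file action and
# "../" in file or filename.
SecRule REQUEST_METHOD "POST" \
    "id:406036,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Arbitrary File Deletion in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5212)',\
    logdata:'Arbitrary File Deletion in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5212)'"
    SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx wp_ajax_qcld_openai_(delete_training|upload_pagetraining)_file" "chain,t:none"
    SecRule ARGS:file|ARGS:filename "@contains ../" "t:none,t:normalizePath,setvar:'tx.bn_inbound_found=+1'"

# 406037: POST to admin-ajax.php, action wp_ajax_nopriv_wpbo_search_site, with
# "union", "case" or "sleep()" in strid.
SecRule REQUEST_METHOD "POST" \
    "id:406037,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'SQL Injection in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5204)',\
    logdata:'SQL Injection in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5204)'"
    SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq wp_ajax_nopriv_wpbo_search_site" "chain,t:none"
    SecRule ARGS:strid "@pm union case sleep()" "t:none, t:lowercase,setvar:'tx.bn_inbound_found=+1'"

# 406038: POST to /wp-json/tdw/save_css whose compiled_css begins with a closing
# style tag.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406038,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Unauthenticated Stored XSS in tagDiv Composer < 4.2 Wordpress plugin (CVE-2023-3169)',\
    logdata:'Unauthenticated Stored XSS in tagDiv Composer < 4.2 Wordpress plugin (CVE-2023-3169)'"
    SecRule REQUEST_URI "@contains /wp-json/tdw/save_css" "chain,t:none,t:normalizePath"
    # t:lowercase because HTML tag names are case-insensitive.
    SecRule ARGS:compiled_css "@rx ^<\/style" "t:none,t:htmlEntityDecode,t:removeWhitespace,t:urlDecode,t:lowercase,setvar:'tx.bn_inbound_found=+1'"

# 406039: POST to admin-ajax.php, action wpr_addons_upload_file, with a non-word
# character in allowed_file_types.
SecRule REQUEST_METHOD "POST" \
    "id:406039,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Unauthenticated File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.78 Plugin For WordPress (CVE-2023-5360)',\
    logdata:'Unauthenticated File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.78 Plugin For WordPress (CVE-2023-5360)'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "wpr_addons_upload_file" "chain,t:none"
    SecRule ARGS:allowed_file_types "@rx \W" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406040: POST profile-details action whose profile_pic_url or url ends in a
# PHP-family extension.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406040,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)',\
    logdata:'Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx (?:save|user_registration_update)_profile_details" "chain,t:none"
    SecRule ARGS:profile_pic_url|ARGS:url "@rx \.(pht|phtml|php\d?)$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406041: broader form of 406040 - any non-empty profile_pic_url or url on the
# same action.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406041,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Possible Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)',\
    logdata:'Possible Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx (?:save|user_registration_update)_profile_details" "chain,t:none"
    SecRule ARGS:profile_pic_url|ARGS:url "!@rx ^$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406042: request under the plugin's temp-uploads directory for a file that does
# not end in jpeg, jpg, gif or png.
SecRule REQUEST_FILENAME "@contains wp-content/uploads/user_registration_uploads/temp-uploads/" \
    "id:406042,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,t:normalizePath,\
    msg:'Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)',\
    logdata:'Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)'"
    SecRule REQUEST_FILENAME "!@rx \.(?:jpeg|jpg|gif|png)$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406043: POST to admin-ajax.php, action upload_image_from_url, with a url that
# starts with "phar" or ends in ".phar". The CVE id in msg/logdata uses a plain
# hyphen so that log searches for the id find it.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:406043,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Unauthenticated Insecure Deserialization in BuddyForms Plugin < 2.7.8 for WordPress (CVE-2023-26326)',\
    logdata:'Unauthenticated Insecure Deserialization in BuddyForms Plugin < 2.7.8 for WordPress (CVE-2023-26326)'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx upload_image_from_url" "chain,t:none"
    SecRule ARGS:url "@rx ^phar|\.phar$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406044: any request cookie whose name matches platform_checkout_session and
# whose value is non-empty.
SecRule REQUEST_COOKIES:/platform_checkout_session/ "!@rx ^$" \
    "id:406044,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    setvar:'tx.bn_inbound_found=+1',\
    msg:'Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)',\
    logdata:'Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)'"

# 406045: response-side check (phase 3) for a Set-Cookie header that mentions
# platform_checkout_session.
SecRule RESPONSE_HEADERS:set-cookie "@rx platform_checkout_session" \
    "id:406045,\
    phase:3,\
    rev:'1',\
    severity:critical,\
    t:none,\
    setvar:'tx.bn_inbound_found=+1',\
    msg:'Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)',\
    logdata:'Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)'"

# 406046: POST with a non-empty X_WCPAY_PLATFORM_CHECKOUT_USER argument.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406046,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)',\
    logdata:'Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)'"
    SecRule ARGS:X_WCPAY_PLATFORM_CHECKOUT_USER "!@rx ^$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406047: POST whose Content-Length is below the size pattern and whose
# arguments or raw body mention X_WCPAY_PLATFORM_CHECKOUT_USER.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406047,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)',\
    logdata:'Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)'"
    SecRule REQUEST_HEADERS:Content-Length "!@rx ^([56789]\d{6,}|\d{8,})$" "chain,t:none"
    # NOTE(review): FILES is empty when nothing is uploaded, and a rule is not
    # evaluated against an empty collection, so this link can only hold for an
    # upload part with an empty file name. If "no upload" is what is meant,
    # `&FILES "@eq 0"` expresses it; confirm before changing.
    SecRule FILES "@rx ^$" "chain,t:none"
    SecRule ARGS|REQUEST_BODY "@contains X_WCPAY_PLATFORM_CHECKOUT_USER" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406048: POST to wp-json/wp/v2/users with the checkout-user header set to a
# value containing a digit and roles[] naming administrator or contributor.
SecRule REQUEST_METHOD "@rx POST" \
    "id:406048,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    msg:'Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)',\
    logdata:'Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)'"
    SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "chain,t:none,t:normalizePath"
    # NOTE(review): the selector spells the header name with underscores; confirm
    # it matches the name as the web server hands it to ModSecurity.
    SecRule REQUEST_HEADERS:/X_WCPAY_PLATFORM_CHECKOUT_USER/ "@rx \d" "chain,t:none"
    SecRule ARGS:roles[] "@rx administrator|contributor" "t:none,t:lowercase,setvar:'tx.bn_inbound_found=+1'"

# 406049: action=ls_get_popup_markup with a non-digit in id[where].
SecRule ARGS:action "@streq ls_get_popup_markup" \
    "id:406049,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    logdata:'SQL injection vulnerability in LayerSlider 7.9.11 and 7.10.0 WP plugin (CVE-2024-2879)',\
    msg:'SQL injection vulnerability in LayerSlider 7.9.11 and 7.10.0 WP plugin (CVE-2024-2879)'"
    SecRule ARGS:id[where] "[^0-9]" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 406050: request URI matching wp-content/debug.log. logdata now repeats this
# rule's own msg; it previously carried the text of 406051.
SecRule REQUEST_URI "wp-content/debug.log" \
    "id:406050,\
    phase:2,\
    t:urlDecode,t:normalizePath,\
    setvar:'tx.bn_inbound_found=+1',\
    msg:'wp-content/debug.log block (CVE-2024-28000)',\
    logdata:'wp-content/debug.log block (CVE-2024-28000)'"

# 406051: request that carries a cookie named litespeed_role.
SecRule &REQUEST_COOKIES_NAMES:litespeed_role "@gt 0" \
    "id:406051,\
    phase:2,\
    t:none,\
    setvar:'tx.bn_inbound_found=+1',\
    msg:'litespeed_role cookie block (CVE-2024-28000)',\
    logdata:'litespeed_role cookie block (CVE-2024-28000)'"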