# --------------------------------------------------------------- # Imunify360 ModSecurity Rules # Copyright (C) 2021 CloudLinux Inc All right reserved # The Imunify360 ModSecurity Rules is distributed under # IMUNIFY360 LICENSE AGREEMENT # Please see the enclosed IM360-LICENSE.txt file for full details. # --------------------------------------------------------------- # Imunify360 ModSecurity WordPress Ruleset # DEFA-2590 SecRule ARGS_NAMES "^WordPress$" "chain,id:77141091,block,severity:2,t:none,msg:'IM360 WAF: Obfuscated malware dropper request||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'wp_core'" SecRule ARGS_NAMES "^Database$" "t:none" # Heuristic: WPDuplicatorRCE SecRule REQUEST_METHOD "POST" "id:77140737,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: WordPress Duplicator - RCE||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_duplicator',tag:'im360_req_post'" SecRule REQUEST_URI "@pm /installer-backup.php /installer.php" "chain,t:none,t:lowercase,t:urlDecode" SecRule ARGS "@rx ('\)\;)" "t:none,t:lowercase,t:urlDecode" # DEFA-1205 Persistent XSS in WP Live Chat Support Plugin for WordPress SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:post|ajax)\.php" "id:77140771,chain,phase:2,pass,log,severity:5,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Persistent XSS in WP Live Chat Support Plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:wplc_custom_js "!@rx ^$" "t:none" # DEFA-1362 SecRule &ARGS:wp_statistics_hit "@gt 0" "id:77140786,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated blind SQLi vulnerability in WP Statistics before 12.6.6.1 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule &ARGS:wp_statistics_hit[track_all] "@gt 0" "t:none,chain" SecRule &ARGS:wp_statistics_hit[page_uri] "@gt 0" "t:none,chain" SecRule 
ARGS:wp_statistics_hit[search_query] "@rx \'" # DEFA-1770 SecRule REQUEST_URI "@contains wp-support-plus-responsive-ticket-system" "id:77140840,chain,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Plugin WP Support Plus Responsive Ticket System 2.0 Directory Traversal||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_support_plus_responsive_ticket_system'" SecRule REQUEST_FILENAME "@endsWith downloadAttachment.php" "chain,t:none" SecRule ARGS:path "@rx \.\.\/" "t:none,t:urlDecodeUni,t:normalizePath" # DEFA-1771 SecRule REQUEST_FILENAME "@endsWith ungallery/source_vuln.php" "id:77140841,chain,phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ungallery'" SecRule ARGS:pic "@rx \.\.\/" "t:none,t:urlDecodeUni,t:normalizePath" # DEFA-1815 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140865,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Theme Konzept Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_theme',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /includes/uploadify/upload.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140867,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Simple Ads Manager Plugin File Upload 
Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_simple_ads_manager',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140870,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress FormCraft Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule REQUEST_URI "@rx \/wp-content\/plugins\/formcraft\/file-upload\/server\/(?:php|content)\/" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140871,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Downloads Manager Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_downloads_manager',tag:'im360_req_post'" SecRule REQUEST_URI "@rx \/wp-content\/plugins\/downloads-manager\/" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # Track WordPress ?author=1 usernames check SecRule ARGS:author "@ge 1" 
"id:77140876,pass,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Track WordPress users enumeration||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'noshow'" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140907,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Downloads Manager Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_downloads_manager',tag:'im360_req_post'" SecRule REQUEST_URI "@rx /wp-content/plugins/dzs-videogallery/admin/upload.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140908,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Simple Ads Manager Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_simple_ads_manager',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/social-networking-e-commerce-1/classes/views/social-options/form_cat_add.php" "chain,t:none,t:normalizePath" SecRule ARGS:config_path "@rx \.\.\/\.\.\/" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140909,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Viral Optins Plugin File Upload 
Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/viral-optins/api/uploader/file-uploader.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140913,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Satoshi Theme File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_theme',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-content/themes/satoshi/functions/upload-handler.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140914,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress iThemes2 Theme File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_theme',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-content/themes/ithemes2/themify/themify-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:upload "@streq 1" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1782 SecRule REQUEST_METHOD "@rx ^GET$" 
"id:77140917,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress eShop Magic Arbitrary File Access||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_eshop_magic',tag:'im360_req_get'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/eshop-magic/download.php" "chain,t:none,t:normalizePath" SecRule ARGS:file "@rx \.\.\/\.\.\/" "t:none,t:urlDecodeUni" # DEFA-1783 SecRule REQUEST_METHOD "@rx ^GET$" "id:77140918,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Mobile Detector 3.5 plugin file Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_mobile_detector',tag:'im360_req_get'" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wp-mobile-detector/resize.php" "chain,t:none,t:normalizePath" SecRule ARGS:src "!@rx ^(?:ht|f)tps?:\/\/%{SERVER_NAME}" "t:none,t:urlDecodeUni" # DEFA-1787 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140924,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Cherry-Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/cherry-plugin/admin/import-export/upload.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1925 SecRule REQUEST_METHOD "@rx ^GET$" "id:77140934,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress WebPlayer plugin SQL injection vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_hd_webplayer',tag:'im360_req_get'" SecRule 
REQUEST_FILENAME "@endsWith hd-webplayer/playlist.php" "chain,t:none,t:normalizePath" SecRule ARGS:videoid "@rx \D" "t:none" # DEFA-1926 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140935,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Headway theme Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_theme',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith visual-editor/lib/upload-header.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace" # DEFA-1944 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140937,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress JobManager Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_job_manager',tag:'im360_req_post'" SecRule REQUEST_URI "@rx /jm-ajax/upload_file/" "chain,t:none,t:normalizePath" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace" # DEFA-1947 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140939,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Category and Page Icons Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_category_page_icons',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith category-page-icons/include/wpdev-flash-uploader.php" "chain,t:none,t:normalizePath" SecRule &ARGS:dir_icons "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace" # Placeholder for 140963 # DEFA-1945 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140964,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Unauthenticated Content Injection 
vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_core',tag:'im360_req_post'" SecRule REQUEST_URI "@contains /wp-json/wp/v2/posts/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_HEADERS:Content-Type "application/json" "chain,t:none" SecRule REQUEST_BODY "@rx \x22id\x22\s{0,128}\:\s{0,128}\x22\D{1,128}\x22" "t:none,t:urlDecode" # DEFA-2078 SecRule REQUEST_FILENAME "@endsWith advanced-custom-fields/core/actions/export.php" "id:77140968,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Advanced Custom Fields Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_advanced_custom_fields'" SecRule ARGS:acf_abspath "@rx ^(?:ht|f)tps?:\/\/" "t:none,t:urlDecodeUni" # DEFA-2079 SecRule REQUEST_FILENAME "@endsWith flickr-picture-backup/flickr-picture-download.php" "id:77140969,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Flickr Picture Backup Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_flickr'" SecRule ARGS:url "@rx (\.htaccess|.+\.(pht|phtml|php\d?))" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2080 SecRule REQUEST_FILENAME "@endsWith fast-image-adder/fast-image-adder-uploader.php" "id:77140970,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Fast Image Adder Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_fast_image_adder'" SecRule ARGS:url "@rx (\.htaccess|.+\.(pht|phtml|php\d?))" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2087 SecRule REQUEST_FILENAME "@endsWith frontend/captcha/ajaxresponse.php" 
"id:77140971,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Gwolle Guestbook Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_gwolle_gb'" SecRule ARGS:abspath "@rx ^(?:ht|f)tps?:\/\/" "t:none,t:urlDecodeUni" # DEFA-2091 SecRule REQUEST_FILENAME "@endsWith delete-all-comments/delete-all-comments.php" "id:77140974,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Delete-All-Comments Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_delete_all_comments'" SecRule ARGS:restorefromfileURL|ARGS:restorefromfileNAME "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2092 SecRule REQUEST_FILENAME "@endsWith designfolio-plus/admin/upload-file.php" "id:77140975,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme DesignFolio Plus Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_design'" SecRule ARGS:upload_path "@rx \.\.\/" "t:none,t:urlDecodeUni" # DEFA-2100 SecRule REQUEST_FILENAME "@endsWith /evo/admin/upload-file.php" "id:77140977,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme Evo Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'service_wp_theme'" SecRule ARGS:upload_path "@rx \." 
"chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2102 SecRule REQUEST_FILENAME "@endsWith gallery-pro/admin/upload-file.php" "id:77140979,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme Gallery Pro Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_gallery_pro'" SecRule ARGS:upload_path "@rx \." "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2103 SecRule REQUEST_FILENAME "@endsWith holding_pattern/admin/upload-file.php" "id:77140981,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme Holding Pattern Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2117 SecRule REQUEST_FILENAME "@endsWith inboundio-marketing/admin/partials/csv_uploader.php" "id:77140982,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin InBoundio Marketing Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_inboundio_marketing'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2118 SecRule REQUEST_FILENAME "@endsWith mailcwp/mailcwp-upload.php" "id:77140983,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin MailCWP Arbitrary File Upload 
vulnerability||MVN:%{MATCHED_VAR_NAME}||UD:%{ARGS.upload_dir}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_mailcwp'" SecRule &ARGS:message_id "@gt 0" "chain,t:none" SecRule &ARGS:upload_dir "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2164 SecRule REQUEST_FILENAME "@endsWith /micro/admin/upload-file.php" "id:77140986,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Micro Theme Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'service_wp_theme'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2165 SecRule REQUEST_FILENAME "@rx (mobile-friendly-app-builder-by-easytouch|mobile-app-builder-by-wappress|webapp-builder|zen-mobile-app-native|wp2android-turn-wp-site-into-android-app)/server/images\.php" "id:77140987,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Builder Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2166 SecRule REQUEST_FILENAME "@endsWith /neosense/js/back-end/libraries/fileuploader/upload_handler.php" "id:77140988,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Neosense Theme Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'service_wp_theme'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2107 (local check) SecRule REQUEST_METHOD "@rx ^POST$" 
"id:77140993,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: WordPress Plugin InfiniteWP Auth Bypass vulnerability (local)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_iwp_client',tag:'im360_req_post'" SecRule &REQUEST_COOKIES:PHPSESSID "@eq 0" "chain,t:none" SecRule REQUEST_BODY "@rx (?:^_IWP_JSON_PREFIX_)(.{4,8192})" "chain,capture,t:none,t:urlDecodeUni" SecRule TX:1 "@rx \x22iwp_action\x22\s{0,128}\:\s{0,128}\x22(?:add_site|readd_site)\x22" "chain,t:none,t:urlDecodeUni" SecRule TX:1 "@rx \x22username\x22\s{0,128}\:\s{0,128}\x22\w{0,128}\x22" "t:none,t:urlDecodeUni" # DEFA-2159 (local check) SecRule REQUEST_FILENAME "@endsWith wp-admin/admin.php" "id:77140995,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin WP Database Reset Auth Bypass vulnerability (local)||MVN:%{MATCHED_VAR_NAME}||DB:%{ARGS.db-reset-tables[]}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wordpress_database_reset'" SecRule &REQUEST_COOKIES:PHPSESSID "@eq 0" "chain,t:none" SecRule &ARGS:db-reset-tables[] "@gt 0" "t:none" # DEFA-2298 SecRule REQUEST_URI "@contains /wp-json/trx_addons/v2/get/sc_layout" "id:77141008,chain,block,log,severity:2,t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: WordPress ThemeREX Plugin RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||USR:%{ARGS.user_login}||',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule ARGS:sc "@rx (wp_insert_user|array_pop)" "t:none,t:lowercase" # DEFA-2310 SecRule REQUEST_URI "@contains /login/" "id:77141010,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress AccessAlly plugin unauthenticated arbitrary PHP code execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule ARGS:login_error "@rx <\?" 
"t:none,t:urlDecodeUni" # DEFA-2316 SecRule REQUEST_FILENAME "@endsWith /abstract-class-front-action.php" "id:77141014,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: WordPress Forminator Plugin Remote File Upload Exploit||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_forminator'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2320 SecRule ARGS:comment "@rx <!--\s{0,128}(?:dynamic-cached-content|mfunc|mclude)" "id:77141016,block,log,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: WordPress Caching plugins remote PHP code execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" # DEFA-2281 SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/contact-form-7/modules/file.php" "id:77141031,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Contact-Form-7 5.1.6 plugin remote file upload||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_contact_form'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140916,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress connector.minimal.php File Upload Vulnerability (CVE-2019-9194)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /php/connector.minimal.php" "chain,t:none,t:normalizePath" SecRule ARGS:cmd "@contains upload" "chain,t:none,t:urlDecodeUni" SecRule &ARGS:target "@gt 0" "chain,t:none" SecRule FILES "@rx ;echo" "t:none,t:urlDecodeUni" # DEFA-2366 SecRule REQUEST_FILENAME|PATH_INFO "@rx \/wp-content\/plugins\/blnmrpb\/(?:index\.php)?" 
"id:77141036,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WebShell in Fake Plugin blnmrpb||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule REQUEST_FILENAME|PATH_INFO "@rx \/wp-content\/plugins\/wpdefault\/[^\.]+\.php" "id:77141044,phase:2,pass,log,severity:5,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Backdoor plugin wpdefault for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin'" # DEFA-2393 SecRule REQUEST_FILENAME "@endsWith /category-page-icons/include/wpdev-flash-uploader.php" "id:77141048,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Category and Page Icons Arbitrary File Deletion||T:APACHE||F:%{ARGS.file_name_org}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_category_page_icons'" SecRule ARGS:ajax_action "@streq delete-image" "chain,t:none,t:lowercase" SecRule ARGS:file_name_dir "@rx \.\.\/" "t:none,t:urlDecodeUni,t:removeWhitespace" # DEFA-2482 SecRule REQUEST_FILENAME "@endsWith /index.php" "id:77141069,chain,phase:2,pass,log,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress StatTraq 1.3.0 SQL Injection||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_stattraq',tag:'noshow'" SecRule ARGS:view "@pm hit_counter ip_address page_views query_strings search_engine_stats referrer session sessions summary user_agent user_counter options" "chain,t:none,t:lowercase" SecRule ARGS:limitNumber "@rx \D" "t:none,t:urlDecodeUni" # DEFA-2483 SecRule REQUEST_FILENAME "@endsWith /frameset.php" "id:77141070,chain,phase:2,pass,log,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress Event-Registration Plugins 5.43 Arbitrary File 
Upload||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_event_registration',tag:'noshow'" SecRule ARGS:js "@streq mcFileManager.insertFileToForm" "chain,t:none" SecRule ARGS:initial_rootpath "@streq mce_clear" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:urlDecodeUni" # DEFA-2483 SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/upload.php" "id:77141071,chain,phase:2,pass,log,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress Event-Registration Plugins 5.43 Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_event_registration',tag:'noshow'" SecRule ARGS:path "@contains wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/files" "chain,t:none,t:normalizePath,t:urlDecodeUni" SecRule FILES "@rx (\.htaccess|.+\.(pht|p?html|php\d?)$)" "t:none,t:urlDecodeUni" # DEFA-2484 DEFA-2559 SecRule REQUEST_URI "@rx wp-json\/rankmath\/v1\/updateMeta" "id:77141072,chain,phase:2,pass,log,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: Privilege Escalation via Unprotected REST API Endpoint in Rank Math SEO Plugin for WordPress (CVE-2020-11514)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_seo_by_rank_math',tag:'noshow'" SecRule ARGS:objectType "@streq user" "chain,t:none" SecRule ARGS:meta[wp_user_level] "@rx (?:10|^$)" "chain,t:none" SecRule &ARGS:objectID "@gt 0" "chain,t:none" SecRule ARGS:meta[wp_capabilities][administrator] "@rx (?:10|^$)" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" # DEFA-2473 SecRule REQUEST_FILENAME "@rx plugins/(wordpress-popup|hustle)/views/admin/dashboard" "id:77141074,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Hustle/wordpress-popup directory 
traversal||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wordpress_popup'"
# DEFA-2684
# Chop Slider 3 (CVE-2020-11530): on chopslider/get_script/index.php, block any
# "id" argument that is not an optionally negative integer (allow-list check).
SecRule REQUEST_FILENAME "@endsWith chopslider/get_script/index.php" "id:77142119,phase:2,chain,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Chop Slider 3 - A blind SQL injection (CVE-2020-11530)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_lord_linus_chop_slider'"
    SecRule ARGS:id "!@rx ^-?\d+$" "t:none,t:urlDecodeUni"
# DEFA-2604
# Detection only (pass,log, severity 5): POST to ee-upload-engine.php whose
# eeSFL_FileUploadDir equals the plugin's own upload directory.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142120,chain,pass,log,t:none,severity:5,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin Simple File List < 4.2.3||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_simple_file_list',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@contains /wp-content/plugins/simple-file-list/ee-upload-engine.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:eeSFL_FileUploadDir "@streq /wp-content/uploads/simple-file-list/" "t:none,t:urlDecodeUni"
# DEFA-2604
# Same endpoint with eeFileAction=Rename. Logged at severity 2, but the
# disruptive action is "pass", so this rule records the request without blocking it.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142121,chain,pass,log,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin Simple File List < 4.2.3||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_simple_file_list',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@contains /wp-content/plugins/simple-file-list/ee-upload-engine.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:eeFileAction "@streq Rename" "t:none,t:urlDecodeUni"
# DEFA-2697
# Elementor (CVE-2020-7055): block requests for anything under
# uploads/elementor/tmp/<13 hex chars>/. No phase action is set here, so the
# phase comes from the default action in effect.
SecRule REQUEST_FILENAME "@rx wp-content\/uploads\/elementor\/tmp\/[a-f0-9]{13}\/" "id:77142132,block,log,t:none,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: Block web shell access via Elementor plugin for WordPress (CVE-2020-7055)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'"
# DEFA-2746
# Gravity Forms: POST with gf_page=upload and a gform_unique_id containing ../
# after decoding. The last link has no t:none, so transformations inherited
# from the default action run before the ones listed.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142150,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Path traversal vulnerability in Gravity forms plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule ARGS:gf_page "@streq upload" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace"
    SecRule ARGS:gform_unique_id "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath"
# DEFA-2767
# Visualizer (CVE-2019-16931): POST to wp-json/visualizer/v<N>/update-chart
# whose body has a visualizer-chart-type value followed by < or >.
# NOTE(review): [^\x22] carries no quantifier, so the quoted value must be a
# single character - confirm that this is the intended pattern.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142153,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Stored XSS vulnerability in the Visualizer plugin for WordPress (CVE-2019-16931)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx wp-json\/visualizer\/v\d\/update-chart" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule REQUEST_BODY "@rx \x22visualizer-chart-type\x22\:\x22[^\x22]\x22[><]" "t:urlDecodeUni,t:removeWhitespace"
# DEFA-2772
# wp-login.php POST whose redirect_to contains one of the phrases "/htm?",
# "/stm?" or ".js?" (@pm is a literal phrase match; "?" is not a wildcard).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142163,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Redirect from login page in WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:redirect_to "@pm /htm? /stm? .js?" "t:none,t:urlDecodeUni"
# DEFA-2782
# bbPress (CVE-2020-13693): deny any request to /wp-login.php that carries a
# bbp-forums-role argument; the supplied value is copied into the log message.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77142164,chain,phase:2,severity:2,deny,log,t:none,t:normalizePath,msg:'IM360 WAF: WordPress bbPress < 2.6.5 - Privilege Escalation (CVE-2020-13693)||T:APACHE||BBP FORUMS ROLE %{ARGS.bbp-forums-role}',tag:'wp_plugin'"
    SecRule &ARGS:bbp-forums-role "@gt 0" "t:none"
# DEFA-2772
# WP-Piwik: POST with wp-piwik[track_mode]=manually and a tracking_code that
# contains "script" (the java/vb/j/ecma and x- prefixes are all optional).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142165,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS in the WP-Piwik plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule ARGS:wp-piwik[track_mode] "@streq manually" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:wp-piwik[tracking_code] "@rx (?:(x-)?(?:java|vb|j|ecma)?script)" "t:none,t:urlDecode"
# DEFA-2749
# YellowPencil < 7.2.0: deny when a yp_remote_get argument is present. The rule
# runs in phase:1, i.e. before the request body is processed, so it counts
# only the arguments known at that point.
SecRule &ARGS:yp_remote_get "@gt 0" "id:77142168,phase:1,severity:2,deny,log,t:none,msg:'IM360 WAF: WordPress YellowPencil Visual CSS Style Editor < 7.2.0 - Privilege Escalation||T:APACHE||',tag:'wp_plugin_yellow_pencil_visual_theme_customizer'"
# DEFA-2772
# iThemes Sync: POST to admin-ajax.php/admin-post.php with ithemes-sync-request
# present, a "request" argument containing an update-options call, and a
# Referer that does not contain the server name. Referer is client-supplied:
# this is a cross-site-request heuristic, not an authorization check.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142172,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: iThemes Sync settigs update Vulnerability for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule &ARGS:ithemes-sync-request "@gt 0" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:request "@rx \x22arguments\x22:{\x22update-options\x22:\[\[\x22" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# DEFA-2772
# ND Shortcodes: admin-ajax.php/admin-post.php request carrying
# nd_options_value_import_settings with a Referer that does not contain the
# server name (client-supplied header, heuristic only).
SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "id:77142173,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation vulnerability in WordPress ND Shortcodes For Visual Composer
plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_nd_shortcodes'"
    SecRule &ARGS:nd_options_value_import_settings "@gt 0" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# DEFA-2772
# DELUCKS SEO: POST to admin-ajax.php/admin-post.php where any argument whose
# name starts with dpc[basic_metadata] contains a double quote (\x22).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142174,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in DELUCKS SEO plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_delucks_seo',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:/^dpc\[basic_metadata\]/ "@rx \x22" "t:none,t:urlDecodeUni"
# DEFA-2772
# LiveChat: POST to admin-ajax.php/admin-post.php with licenseNumber present
# and a licenseEmail containing a double quote or "<".
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142183,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in LiveChat plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_live_chat_software_for_wordpress',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule &ARGS:licenseNumber "@gt 0" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:licenseEmail "@rx [\x22<]" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# DEFA-2832
# page-flip-image-gallery: block every POST to the plugin's upload.php; the
# request content is not inspected.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142194,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress page-flip-image-gallery plugin remote file upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_page_flip_image_gallery',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/page-flip-image-gallery/upload.php" "t:none,t:normalizePath"
# DEFA-2940
# ReFlex Gallery < 3.1.4: request to FileUploader/php.php where a Year or Month
# argument compares >= 1 (numeric @ge).
SecRule REQUEST_FILENAME "@endsWith reflex-gallery/admin/scripts/FileUploader/php.php" "id:77142217,chain,msg:'IM360 WAF: Arbitrary File Upload vulnerability in the ReFlex Gallery plugin before 3.1.4 for
WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_reflex_gallery'"
    SecRule ARGS:Year|ARGS:Month "@ge 1" "t:none"
# DEFA-2980
# All in One SEO Pack: aiosp_edit present and any aiosp_* argument containing
# "<script" (case-insensitive, dot matches newline).
SecRule &ARGS:aiosp_edit "@gt 0" "chain,id:77142219,deny,log,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin All in One SEO Pack - Authenticated Stored Cross-Site Scripting||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
    SecRule ARGS:/^aiosp_/ "@rx (?si)<script" "t:none"
# DEFA-2990
# TC Custom JavaScript (CVE-2020-14063), CSRF variant: tccj-update=Update with
# tccj-content present and a Referer that does not contain the server name.
# Both argument values are copied into the log message. Referer is
# client-supplied, so treat this as a heuristic.
SecRule ARGS:tccj-update "@streq Update" "chain,id:77142229,phase:2,severity:2,deny,log,t:none,msg:'IM360 WAF: WordPress plugin TC Custom JavaScript - Unauthenticated Stored Cross-Site Scripting (CVE-2020-14063) - CSRF variation||T:APACHE||ARGS.tccj-update:%{ARGS.tccj-update}||ARGS.tccj-content:%{ARGS.tccj-content}||',tag:'service_i360custom'"
    SecRule &ARGS:tccj-content "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"
# DEFA-2972
# MiwoFTP 1.0.5: /wp-admin/admin.php where the "item" argument matches a phrase
# from the bl_os_files list (the list file is not part of this page). This rule
# and the two DEFA-2972 rules below set no phase action.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77142249,chain,block,log,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress MiwoFTP Plugin 1.0.5 Arbitrary File Download||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_miwoftp'"
    SecRule ARGS:item "@pmFromFile bl_os_files" "t:none"
# DEFA-2972
# WP Custom Pages 0.5.0.1: wp-download.php where "url" matches the same list.
SecRule REQUEST_FILENAME "@endsWith /wp-custom-pages/wp-download.php" "id:77142247,chain,deny,log,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress WP Custom Pages 0.5.0.1 LFI||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_custom_pages'"
    SecRule ARGS:url "@pmFromFile bl_os_files" "t:none"
# DEFA-2972
# Mac Photo Gallery: macdownload.php where "url" matches the same list.
SecRule REQUEST_FILENAME "@endsWith /mac-dock-gallery/macdownload.php" "id:77142248,chain,block,log,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Mac Photo Gallery plugin arbitrary file disclosure
vulnerability||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_mac_dock_gallery'"
    SecRule ARGS:url "@pmFromFile bl_os_files" "t:none"
# DEFA-3089
# wpStoreCart: multipart POST to a path ending /php/upload.php with a FILES
# entry matching ^Filedata...(.pht|.phtml|.php<digit>)$; the match is captured
# (TX.0) for the log message.
SecRule REQUEST_METHOD "@streq post" "chain,id:77142255,block,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress plugin wpStoreCart - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||REMOTE_FILENAME:%{TX.0}||',tag:'service_i360custom',tag:'im360_req_post'"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith /php/upload.php" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)^Filedata.{1,160}\.(?:pht|phtml|php\d?)$" "t:none,capture"
# DEFA-3165 DEFA-3436
# File Manager < 6.9 / elFinder 2.1.47: deny all access to
# (lib|elfinder)/php/connector.minimal.php. The log message carries a fixed
# path string, not the path that actually matched.
SecRule REQUEST_FILENAME "@rx \/(?:lib|elfinder)\/php\/connector\.minimal\.php" "id:77316730,phase:2,deny,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress plugin File Manager < 6.9 & Elfinder 2.1.47 - Remote Code Execution||T:APACHE||REQUEST_FILENAME:.../lib/php/connector.minimal.php||',tag:'service_i360custom'"
# DEFA-3285
# Requests for <name>assembly/js/js.php under wp-content/plugins, which the
# rule message describes as a malicious plugin.
SecRule REQUEST_URI "@rx \/wp-content\/plugins\/?[\w\d-_]{0,50}assembly\/js\/js\.php" "id:77316740,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Attempt to exploit malicious WordPress plugin||URI:%{REQUEST_URI}||T:APACHE||',tag:'service_i360custom'"
# DEFA-3415
# Simple File List < 4.2.3: on ee-file-engine.php, deny an eeFileAction that
# begins with "Rename|" and ends in .php while eeFileOld does not end in .php.
SecRule REQUEST_FILENAME "@endsWith ee-file-engine.php" "chain,id:77316747,deny,log,phase:2,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin Simple File List < 4.2.3||T:APACHE||ARGS.eeFileOld:%{ARGS.eeFileOld}||ARGS.eeFileAction:%{ARGS.eeFileAction}||',tag:'wp_plugin',tag:'service_i360custom'"
    SecRule ARGS:eeFileOld "!@endsWith .php" "chain,t:none"
    SecRule ARGS:eeFileAction "@beginsWith Rename|" "chain,t:none"
    SecRule ARGS:eeFileAction "@endsWith .php" "t:none"
# Ultimate Member < 2.1.12: any POST carrying a wp_capabilities[administrator]
# argument. The chain is not tied to a particular path, and no phase is set.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316752,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Privilege Escalation Vulnerability in WordPress Ultimate Member < 2.1.12||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
    SecRule &ARGS:wp_capabilities[administrator] "@gt 0" "t:none"
# DEFA-3465
# Advanced Access Manager < 5.9.9: deny when aam-media does not end in one of
# the listed media/document extensions. The comparison is case-sensitive
# (t:none only), so upper-case extensions are rejected as well.
SecRule ARGS:aam-media "!@rx \.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$" "id:77316755,deny,log,phase:2,severity:2,t:none,msg:'IM360 WAF: Data leak in WordPress plugin Advanced Access Manager < 5.9.9||T:APACHE||ARGS.aam-media:%{ARGS.aam-media}||',tag:'wp_plugin',tag:'service_i360custom'"
# DEFA-3434
# Welcart < 1.9.36: log-only (pass, severity 5, tag noshow) when the
# usces_cookie cookie does not start with "{" after URL-decoding. The full
# cookie value is written to the log message.
SecRule REQUEST_COOKIES:usces_cookie "!@beginsWith {" "id:77316763,pass,log,phase:2,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Unsafe deserialization leading to RCE in WordPress plugin Welcart e-Commerce < 1.9.36||T:APACHE||REQUEST_COOKIES.usces_cookie=%{REQUEST_COOKIES.usces_cookie}||',tag:'wp_plugin',tag:'service_i360custom',tag:'noshow'"
# DEFA-3531
# Easy WP SMTP: deny direct requests for the plugin's <hex>_debug_log.txt file.
# There is no t:none here, so the listed transformations are added to whatever
# the default action in effect already applies.
SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/easy-wp-smtp\/[a-f0-9]{1,30}_debug_log.txt" "id:77316767,phase:2,deny,log,severity:2,t:lowercase,t:normalizePath,msg:'IM360 WAF: Administrator account takeover in the Easy WP SMTP plugin for WordPress||T:APACHE||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||',tag:'wp_plugin',tag:'service_i360custom'"
# DEFA-3544
# Contact Form 7 <= 5.3.1: on the contact-forms/<id>/feedback route, deny an
# upload whose name has .php/.phtml (optional digit) followed by a character
# from the Unicode "other" or "separator" classes (\pC, \pZ).
SecRule REQUEST_FILENAME "@rx contact-form-7/v1/contact-forms/(?:\d+)/feedback$" "id:77316768,chain,deny,log,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin The Contact Form 7 <= 5.3.1||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'service_i360custom'"
    SecRule FILES "@rx (?i:\.(?:php|phtml)\d?[\pC\pZ])" "t:none"
# DEFA-3593
# Orbit Fox < 2.10.2: POST to a path ending post.php with a "post" argument and
# the literal <script> in the header/footer script fields after entity decoding.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316772,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Authenticated stored XSS in Orbit Fox < 2.10.2 WordPress
plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith post.php" "chain,t:none"
    SecRule &ARGS:post "@gt 0" "chain,t:none"
    SecRule ARGS:obfx-header-scripts_meta_nonce|ARGS:obfx-footer-scripts_meta_nonce "@contains <script>" "t:none,t:htmlEntityDecode"
# DEFA-3507
# Advanced File Manager: block all access to
# advanced_file_manager_5/php/connector.minimal.php.
SecRule REQUEST_FILENAME "@endsWith /advanced_file_manager_5/php/connector.minimal.php" "id:77316774,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in Advanced File Manager WordPress plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
# DEFA-3647
# SuperForms 4.9: POST under super-forms/uploads/php/ with an uploaded file
# name ending in .pht, .phtml or .php<digit>.
SecRule REQUEST_URI "@contains /wp-content/plugins/super-forms/uploads/php/" "id:77316779,chain,block,log,severity:2,phase:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Arbitrary File Upload vulnerability in SuperForms 4.9 WordPress plugin||File:%{FILES}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
    SecRule REQUEST_METHOD "@rx ^POST$" "chain,t:none"
    SecRule FILES "@rx \.(?:pht|phtml|php\d?)$" "t:none"
# DEFA-3647
# SuperForms 4.9: requests for files with those extensions under
# /wp-content/uploads/superforms/.
SecRule REQUEST_FILENAME "@contains /wp-content/uploads/superforms/" "id:77316780,chain,block,log,severity:2,phase:2,t:none,t:normalizePath,msg:'IM360 WAF: Suspicious file access attempt in SuperForms 4.9 WordPress plugin||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'"
    SecRule REQUEST_FILENAME "@rx \.(?:pht|phtml|php\d?)$" "t:none"
# DEFA-1964
# Monitoring only (pass,auditlog, severity 5): GET to wp-json/wp/v2/users from
# a client that sends no wordpress_logged_in_* cookie.
SecRule REQUEST_METHOD "^GET$" "id:77316783,chain,pass,auditlog,severity:5,phase:2,t:none,msg:'IM360 WAF: Monitoring WordPress 5.3 User Enumeration attempts||T:APACHE||',tag:'service_i360custom',tag:'wp_core',tag:'noshow',tag:'im360_req_get'"
    SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
# DEFA-3701
# YITH WooCommerce Gift Cards Premium < 3.3.1 (CVE-2021-3120): POST under the
# plugin path with ywgc-is-digital true/1, a digit in gift_amounts and an
# upload named .htaccess or ending in .pht/.phtml/.php<digit>. No phase is set.
SecRule REQUEST_METHOD "^POST$" "id:77316796,chain,block,log,severity:2,t:none,msg:'IM360
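WAF: File upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress (CVE-2021-3120)||T:APACHE||File:%{FILES}||',tag:'wp_plugin_yith_woocommerce_gift_cards',tag:'service_i360custom',tag:'im360_req_post'"
    SecRule REQUEST_URI "@contains /wp-content/plugins/yith-woocommerce-gift-cards-premium/" "chain,t:none,t:normalizePath"
    SecRule ARGS:ywgc-is-digital "@pm true 1" "chain,t:none"
    SecRule ARGS:gift_amounts "@rx \d" "chain,t:none"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"
# DEFA-3779
# Thrive Themes: POST to /wp-json/td/v1/ with hook_url present and an empty
# api_key. The hook_url value is copied into the log message.
SecRule REQUEST_METHOD "@rx POST" "id:77316810,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated option update in multiple Thrive Themes for WordPress||MVN:hook_url||MV:%{ARGS.hook_url}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_URI "@contains /wp-json/td/v1/" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule &ARGS:hook_url "@gt 0" "chain,t:none"
    SecRule ARGS:api_key "@rx ^$"
# DEFA-3779
# Thrive Themes: POST to /wp-json/thrive/kraken with attachment_ID present and
# an uploaded file name ending in a PHP-style extension.
SecRule REQUEST_METHOD "@rx POST" "id:77316811,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated file upload in multiple Thrive Themes for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_URI "@contains /wp-json/thrive/kraken" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule &ARGS:attachment_ID "@gt 0" "chain,t:none"
    SecRule FILES "@rx \.(?:pht|phtml|php?\d?)$" "t:none,t:lowercase,t:normalizePath"
# Session tracking (pass,nolog): when a cookie is named
# wordpress_[sec_|logged_in_]<32 hex chars>, use the hex part as the
# ModSecurity session id and set SESSION.wp_session for 300 seconds.
# The character class previously read [0-9a-fA-f]; the range A-f also covers
# G-Z and several punctuation characters, so a non-hex, client-chosen cookie
# name could become a session id. It is corrected to A-F (hex digits only).
SecRule REQUEST_METHOD "@pm POST GET" "id:77209501,chain,msg:'IM360 WAF: Start track WordPress session id||ID:%{TX.1}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,severity:5,tag:'service_gen'"
    SecRule REQUEST_COOKIES_NAMES "@rx ^wordpress_(?:(?:sec|logged_in)_)?([0-9a-fA-F]{32})$" "capture,setsid:'%{TX.1}',setvar:'SESSION.wp_session=1',expirevar:'SESSION.wp_session=300'"
# WordPress < 4.3.1 (CVE-2015-7989): "email" argument containing a single quote
# on wp-admin/user-new.php, user-edit.php or profile.php.
SecRule REQUEST_METHOD "@pm POST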
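GET" "id:77225150,chain,msg:'IM360 WAF: XSS vulnerability in WordPress before 4.3.1 (CVE-2015-7989)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_core'"
    SecRule ARGS:email "@contains '" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:user\-(?:new|edit)|profile)\.php$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Creative Contact Form: deny uploads sent to the plugin's fileupload/ path
# when a file name contains .php, .js or .pl followed by a dot or the end of
# the name. This rule has no log action.
SecRule REQUEST_FILENAME "@contains /wp-content/plugins/sexy-contact-form/includes/fileupload/" "id:77240020,chain,msg:'IM360 WAF: Protecting WordPress Creative Contact Form Files folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_sexy_contact_form'"
    SecRule FILES "@rx \.(?:php|js|pl)(?:\.|$)" "t:none,t:lowercase,t:urlDecodeUni"
# Same plugin: deny requests for files with those extensions under
# fileupload/files/.
SecRule REQUEST_FILENAME "@contains /wp-content/plugins/sexy-contact-form/includes/fileupload/files/" "id:77240022,chain,msg:'IM360 WAF: Protecting WordPress Creative Contact Form Files folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_sexy_contact_form'"
    SecRule REQUEST_BASENAME "@rx \.(?:php|js|pl)(?:\.|$)" "t:none,t:urlDecodeUni,t:lowercase"
# WordPress < 4.2.1: "comment" argument of 65536 bytes or more (t:length)
# posted to wp-comments-post.php. The second identifier in the message read
# "VE-2015-8834"; it is corrected to CVE-2015-8834 so that log searches by CVE
# id find this rule.
SecRule ARGS:comment "@ge 65536" "id:77225010,chain,msg:'IM360 WAF: XSS vulnerability in WordPress before 4.2.1 (CVE-2015-3440 CVE-2015-8834)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:length,severity:2,tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith wp-comments-post.php" "t:none,t:lowercase"
# WordPress < 4.1.2 (CVE-2015-3438): comment containing "%u" on
# wp-comments-post.php. A %u sequence of 5-8 hex digits is captured, and the
# chain then tests TX:1 after urlDecodeUni and hexEncode: it must begin with
# "0" and have length 4.
SecRule ARGS:comment "@contains %u" "id:77225030,chain,msg:'IM360 WAF: XSS vulnerability in WordPress before 4.1.2 (CVE-2015-3438)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith wp-comments-post.php" "chain,t:none,t:lowercase"
    SecRule ARGS:comment "@rx (\%u[a-f0-9]{5,8})" "chain,capture,t:none,t:utf8toUnicode"
    SecRule TX:1 "@beginsWith 0" "chain,t:none,t:urlDecodeUni,t:hexEncode"
    SecRule TX:1 "@eq 4" "t:none,t:urlDecodeUni,t:hexEncode,t:length"
# Plupload / MediaElement.js (CVE-2016-4566, CVE-2016-4567): under
# /wp-includes/js/, for the two Flash files, deny any argument value that is
# not made up only of digits, dots, "a" and "b".
SecRule REQUEST_FILENAME "@contains /wp-includes/js/" "id:77225080,chain,msg:'IM360 WAF: XSS vulnerability in Plupload before 2.1.9 or MediaElement.js before 2.21.0 as used in WordPress before 4.5.2 (CVE-2016-4566 & CVE-2016-4567)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_core'"
    SecRule REQUEST_BASENAME "@within flashmediaelement.swf plupload.flash.swf" "chain,t:none,t:lowercase"
    SecRule ARGS "!@rx ^[\d\.ab]+$" "t:none"
# REST content injection (CVE-2017-1001000): wp/v2/posts with an "id" argument
# containing a non-digit.
SecRule REQUEST_FILENAME "@contains wp/v2/posts" "id:77225160,chain,msg:'IM360 WAF: Content injection vulnerability in WordPress 4.7.x before 4.7.2 (CVE-2017-1001000)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_core'"
    SecRule ARGS:id "@rx \D" "t:none"
#WPT-62 WPT-66
# CVE-2018-6389: load-styles.php / load-scripts.php with 100 or more
# comma-terminated entries in load[].
SecRule REQUEST_URI "@rx \/wp-admin\/load-(styles|scripts)\.php" "id:77225200,chain,block,log,phase:2,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Unauthenticated attackers can cause a denial of service in WordPress through 4.9.2 (CVE-2018-6389)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:load[] "@rx (?:[\w-]+,){100,}" "t:none,t:urlDecode"
# CommentLuv < 2.92.4 (CVE-2013-1409): admin-ajax.php with a double quote in
# _ajax_nonce.
SecRule REQUEST_METHOD "@pm POST GET" "id:77220720,chain,msg:'IM360 WAF: XSS vulnerability in the CommentLuv plugin before 2.92.4 for WordPress (CVE-2013-1409)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_commentluv'"
    SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:_ajax_nonce "@rx \x22" "t:none,t:urlDecodeUni"
# Custom Banners 1.2.2.2 (CVE-2014-4724): option_page equal to
# custom-banners-settings-group with a double quote or "<" in one of the four
# custom_banners_* settings.
SecRule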
REQUEST_METHOD "@pm POST GET" "id:77227800,chain,msg:'IM360 WAF: XSS vulnerability in the Custom Banners plugin 1.2.2.2 for WordPress (CVE-2014-4724)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_custom_banners'"
    SecRule ARGS:option_page "@streq custom-banners-settings-group" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:custom_banners_custom_css|ARGS:custom_banners_registered_name|ARGS:custom_banners_registered_url|ARGS:custom_banners_registered_key "@rx \x22|<" "t:none,t:urlDecodeUni"
# BuddyPress < 1.9.2 (CVE-2014-1888): double quote in group-name on the
# groups/create/step/group-details URI.
SecRule REQUEST_METHOD "@pm POST GET" "id:77227890,chain,msg:'IM360 WAF: XSS vulnerability in BuddyPress plugin before 1.9.2 for WordPress (CVE-2014-1888)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_buddypress'"
    SecRule REQUEST_URI "@contains groups/create/step/group-details" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule ARGS:group-name "@rx \x22" "t:none,t:urlDecodeUni"
# Job Manager <= 0.7.22 (CVE-2015-2321): jobman-apply present and a single
# quote in any jobman-field-* argument. Not tied to a path.
SecRule REQUEST_METHOD "@pm POST GET" "id:77226870,chain,msg:'IM360 WAF: XSS vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress (CVE-2015-2321)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_job_manager'"
    SecRule &ARGS:jobman-apply "@ge 1" "chain,t:none"
    SecRule ARGS:/^jobman-field-/ "@contains '" "t:none,t:urlDecodeUni"
# Final Tiles Grid 3.3.52: exactly one _fs_blog_admin argument and a double
# quote in ftg_name, ftg_width or ftg_loadedDuration.
SecRule REQUEST_METHOD "@pm POST GET" "id:77232070,chain,msg:'IM360 WAF: XSS vulnerability in Image Photo Gallery Final Tiles Grid 3.3.52 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_final_tiles_grid_gallery_lite'"
    SecRule &ARGS:_fs_blog_admin "@eq 1" "chain,t:none"
    SecRule ARGS:ftg_name|ARGS:ftg_width|ARGS:ftg_loadedDuration "@rx \x22" "t:none,t:urlDecodeUni"
# Custom Field Suite <= 2.5.14 (CVE-2019-11871): post_type=cfs with "<" in a
# cfs[fields][N][label] or cfs[fields][N][name] argument.
SecRule REQUEST_METHOD "@pm POST GET" "id:77232860,chain,msg:'IM360 WAF: XSS vulnerability
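in Custom Field Suite plugin on or before 2.5.14 for WordPress (CVE-2019-11871)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_custom_field_suite'"
    SecRule ARGS:post_type "@streq cfs" "chain,t:none,t:lowercase"
    SecRule ARGS:/cfs\[fields\]\[\d+?\]\[label\]/|ARGS:/cfs\[fields\]\[\d+?\]\[name\]/ "@contains <" "t:none,t:urlDecodeUni"
# WooCommerce v3.5.3 (CVE-2019-9168): on wp-admin/admin-ajax.php, an
# attribute="...(...)" construct in changes[caption] whose attribute name
# (captured as TX:1) matches a phrase from the bl_xss_input list (the list file
# is not part of this page).
# The log message labelled its second field TX1 but expanded %{TX.0} twice;
# it now expands %{TX.1} so the captured attribute name is recorded.
SecRule REQUEST_METHOD "@pm POST GET" "id:77232940,chain,msg:'IM360 WAF: XSS vulnerability in Woocommerce plugin v3.5.3 for WordPress (CVE-2019-9168)||MV:%{MATCHED_VAR}||TX0:%{TX.0}||TX1:%{TX.1}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_woocommerce'"
    SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule ARGS:changes[caption] "@rx \s(\w+)\s?=\s?\x22?\w+\([^\)]?\)[\x22\s>]" "chain,t:none,t:htmlEntityDecode,capture"
    SecRule TX:1 "@pmFromFile bl_xss_input" "t:none"
# VideoWhisper Live Streaming Integration < 4.29.5 (CVE-2014-1906): "<" in
# message, n, ct, m or msg on one of the listed integration/ls/*.php scripts.
# No phase action is set on this rule.
SecRule REQUEST_FILENAME "@contains videowhisper-live-streaming-integration" "id:77220840,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress (CVE-2014-1906)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_videowhisper_live_streaming_integration'"
    SecRule MATCHED_VAR "@rx integration\/ls\/(?:channel|htmlchat|lb_logout|lb_status|video|videotext|vc_chatlog|v_status)\.php" "chain,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:message|ARGS:n|ARGS:ct|ARGS:m|ARGS:msg "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# ActiveHelper LiveHelp <= 3.1.0 (CVE-2014-4513): double quote in EMAIL,
# MESSAGE or NAME on the plugin's server/offline.php. No phase action is set.
SecRule ARGS:EMAIL|ARGS:MESSAGE|ARGS:NAME "@rx \x22" "id:77221230,chain,msg:'IM360 WAF: XSS vulnerabilities in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress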
(CVE-2014-4513)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',deny,status:403,log,t:none,t:urlDecodeUni,multiMatch,severity:2,tag:'wp_plugin_activehelper_livehelp'"
    SecRule REQUEST_FILENAME "@contains /wp-content/plugins/activehelper-livehelp/server/offline.php" "t:none,t:urlDecodeUni,t:lowercase,t:normalizePath"
# AnyFont <= 2.2.3 (CVE-2014-4515): double quote in the "text" argument on
# mce_anyfont/dialog.php. No phase action is set on this rule.
SecRule ARGS:text "@rx \x22" "id:77221240,chain,msg:'IM360 WAF: XSS vulnerability in the AnyFont plugin 2.2.3 and earlier for WordPress (CVE-2014-4515)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',deny,status:403,log,t:none,t:urlDecodeUni,multiMatch,severity:2,tag:'wp_plugin_anyfont'"
    SecRule REQUEST_FILENAME "@contains wp-content/plugins/anyfont/mce_anyfont/dialog.php" "t:none,t:urlDecodeUni,t:lowercase,t:normalizePath"
# Bugs Go Viral <= 1.3.4 (CVE-2014-4528): ">" in fb_edit_action, promo_id or
# promo_type on a path ending admin/swarm-settings.php.
SecRule REQUEST_FILENAME "@endsWith admin/swarm-settings.php" "id:77221370,chain,msg:'IM360 WAF: XSS vulnerabilities in the Bugs Go Viral : Facebook Promotion Generator plugin 1.3.4 and earlier for WordPress (CVE-2014-4528)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecode,t:lowercase,t:htmlEntityDecode,severity:2,tag:'wp_plugin_bugs_go_viral_facebook_promotion_generator_for_wordpress'"
    SecRule ARGS:fb_edit_action|ARGS:promo_id|ARGS:promo_type "@contains >" "t:htmlEntityDecode"
# Events Manager (CVE-2013-1407): "event" argument present and ">" in
# dbem_phone, user_email or user_name. Not tied to a path.
SecRule &ARGS:event "@gt 0" "id:77221380,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress (CVE-2013-1407)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecode,t:lowercase,t:htmlEntityDecode,severity:2,tag:'wp_plugin_events_manager'"
    SecRule ARGS:dbem_phone|ARGS:user_email|ARGS:user_name "@contains >" "t:none,t:htmlEntityDecode"
# Simple Popup Images (CVE-2014-3921): double quote in argument "z" on any
# path ending popup.php.
SecRule REQUEST_FILENAME "@endsWith popup.php" "id:77221410,chain,msg:'IM360 WAF: XSS vulnerability in the Simple Popup Images plugin for WordPress
(CVE-2014-3921)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_simple_popup_images'"
    SecRule ARGS:z "@rx \x22"
# SI CAPTCHA Anti-Spam 2.7.4 (CVE-2014-5190): double quote anywhere in the
# request URI for captcha-secureimage/test/index.php.
SecRule REQUEST_FILENAME "@contains captcha-secureimage/test/index.php" "id:77221950,chain,msg:'IM360 WAF: XSS vulnerability in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress (CVE-2014-5190)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,t:htmlEntityDecode,multiMatch,severity:2,tag:'wp_plugin_si_captcha_for_wordpress'"
    SecRule REQUEST_URI "@rx \x22" "t:none,t:urlDecodeUni,t:removeWhitespace,t:htmlEntityDecode"
# WP Easy Post Types < 1.4.4 (CVE-2014-4524): double quote in "ref" on
# custom-image/media.php.
SecRule REQUEST_FILENAME "@contains custom-image/media.php" "id:77222080,chain,msg:'IM360 WAF: XSS vulnerability in WP Easy Post Types plugin before 1.4.4 for WordPress (CVE-2014-4524)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_easy_post_types'"
    SecRule ARGS:ref "@rx \x22" "t:none,t:urlDecodeUni"
# EnvialoSimple < 1.98 (CVE-2014-4527): "<" in AdministratorID or FormID on
# paginas/vista-previa-form.php.
SecRule REQUEST_FILENAME "@contains paginas/vista-previa-form.php" "id:77222100,chain,msg:'IM360 WAF: XSS vulnerability in the EnvialoSimple: Email Marketing and Newsletters plugin before 1.98 for WordPress (CVE-2014-4527)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_envialosimple_email_marketing_y_newsletters_gratis'"
    SecRule ARGS:AdministratorID|ARGS:FormID "@contains <" "t:none,t:urlDecodeUni"
# Contact Form 7 Integrations 1.0-1.3.10 (CVE-2014-6445): includes/toadmin.php
# with both uC and uE present and "<" in either of them.
SecRule REQUEST_FILENAME "@endsWith includes/toadmin.php" "id:77226080,chain,msg:'IM360 WAF: XSS vulnerability in Contact Form 7 Integrations plugin 1.0 through 1.3.10 for WordPress
(CVE-2014-6445)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_contact_form_7_integrations'"
    SecRule &ARGS:uC "@ge 1" "chain"
    SecRule &ARGS:uE "@ge 1" "chain"
    SecRule ARGS:uC|ARGS:uE "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode,multiMatch"
# VideoWhisper Video Presentation < 3.31 (CVE-2014-4570): "<" or ">" in
# room_name or room on c_login.php or vp/index.php.
SecRule REQUEST_FILENAME "@pm c_login.php vp/index.php" "id:77226100,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the VideoWhisper Video Presentation plugin before 3.31 for WordPress (CVE-2014-4570)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_videowhisper_video_presentation'"
    SecRule ARGS:room_name|ARGS:room "@pm < >" "t:none,t:urlDecodeUni"
# VideoWhisper Live Streaming Integration <= 4.27.2 (CVE-2014-4569): "<" or
# ">" in room_name on a path ending vv_login.php.
SecRule REQUEST_FILENAME "@endsWith vv_login.php" "id:77226110,chain,msg:'IM360 WAF: XSS in the VideoWhisper Live Streaming Integration plugin 4.27.2 and earlier for WordPress (CVE-2014-4569)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_videowhisper_live_streaming_integration'"
    SecRule ARGS:room_name "@pm < >" "t:none,t:urlDecodeUni"
# WordPress Social Login <= 2.0.3 (CVE-2014-4576): "<" in xhrurl on
# services/diagnostics.php.
SecRule REQUEST_FILENAME "@endsWith services/diagnostics.php" "id:77226180,chain,msg:'IM360 WAF: XSS vulnerability in the WordPress Social Login plugin 2.0.3 and earlier for WordPress (CVE-2014-4576)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_wordpress_social_login'"
    SecRule ARGS:xhrurl "@contains <" "t:none,t:urlDecodeUni"
# WP Photo Album Plus < 6.1.3 (CVE-2015-3647): wppa-action=do-comment with "<"
# in comname, comemail or comment on wppa-ajax-front.php.
SecRule REQUEST_FILENAME "@endsWith wp-photo-album-plus/wppa-ajax-front.php" "id:77226860,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress
(CVE-2015-3647)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_wp_photo_album_plus'"
    SecRule ARGS:wppa-action "@streq do-comment" "chain,t:none,t:lowercase"
    SecRule ARGS:comname|ARGS:comemail|ARGS:comment "@rx <" "t:none,t:urlDecodeUni,t:htmlEntitydecode"
# Contact Form Clean and Simple <= 4.4.0 (CVE-2014-8955): post-id present and
# a double quote or "<" in cscf[name]. Not tied to a path.
SecRule &ARGS:post-id "@ge 1" "id:77227110,chain,msg:'IM360 WAF: XSS vulnerability in the Contact Form Clean and Simple plugin 4.4.0 and earlier for WordPress (CVE-2014-8955)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_clean_and_simple_contact_form_by_meg_nicholas'"
    SecRule ARGS:cscf[name] "@rx \x22|<" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# sourceAFRICA 0.1.3 (CVE-2015-6920): double quote in wpbase on js/window.php.
SecRule REQUEST_FILENAME "@endsWith js/window.php" "id:77227280,chain,msg:'IM360 WAF: XSS vulnerability in the sourceAFRICA plugin 0.1.3 for WordPress (CVE-2015-6920)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_sourceafrica'"
    SecRule ARGS:wpbase "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Nextend Facebook Connect < 1.5.6 (CVE-2015-4413): "<" in redirect_to on a
# path ending wp-login.php.
SecRule ARGS:redirect_to "@contains <" "id:77227650,chain,msg:'IM360 WAF: XSS vulnerability in Nextend Facebook Connect plugin before 1.5.6 for WordPress (CVE-2015-4413)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_nextend_facebook_connect'"
    SecRule REQUEST_FILENAME "@endsWith wp-login.php" "t:none,t:lowercase"
# Alipay <= 3.6.0 (CVE-2014-4514): "<" in the argument literally named
# $para_ret['total_fee on the api_tenpay notify script.
SecRule REQUEST_FILENAME "@contains includes/api_tenpay/inc.tenpay_notify" "id:77227840,chain,msg:'IM360 WAF: XSS vulnerability in the Alipay plugin 3.6.0 and earlier for WordPress (CVE-2014-4514)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_alipay'"
    SecRule ARGS:$para_ret['total_fee "@rx <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Titan Framework < 1.6 (CVE-2014-6444): "<" in t or text on the font-preview
# iframe scripts.
SecRule REQUEST_FILENAME "@pm iframe-googlefont-preview iframe-font-preview" "id:77228040,chain,msg:'IM360 WAF: XSS vulnerability in the Titan Framework plugin before 1.6 for WordPress (CVE-2014-6444)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_titan_framework'"
    SecRule ARGS:t|ARGS:text "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Uploader 1.0.4 (CVE-2013-2287): /views/notify.php under /wp-content/plugins/
# with a "notify" value found within "notif unnotif" and "<" in blog.
SecRule REQUEST_FILENAME "@contains /views/notify.php" "id:77228240,chain,msg:'IM360 WAF: XSS vulnerability in the Uploader Plugin 1.0.4 for WordPress (CVE-2013-2287)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_uploader'"
    SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "chain,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath"
    SecRule ARGS:notify "@within notif unnotif" "chain,t:none,t:lowercase"
    SecRule ARGS:blog "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Bradesco Gateway 2.0 (CVE-2013-5916): "<" anywhere in the request URI for
# falha.php under /wp-content/plugins/.
SecRule REQUEST_FILENAME "@endsWith falha.php" "id:77228250,chain,msg:'IM360 WAF: XSS vulnerability in the Bradesco Gateway plugin 2.0 for WordPress (CVE-2013-5916)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_bradesco_gateway'"
    SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "chain,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath"
    SecRule REQUEST_URI "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Recommend to a Friend 1.0.2 (CVE-2013-7276): "<" in current_url on
# raf_form.php.
SecRule REQUEST_FILENAME "@endsWith raf_form.php" "id:77228260,chain,msg:'IM360 WAF: XSS vulnerability in the Recommend to a Friend plugin 1.0.2 for WordPress (CVE-2013-7276)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_recommend_a_friend'"
    SecRule ARGS:current_url "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Ad Manager WD v1.0.11: post_type=wd_ads_ads with ".." in the path argument.
SecRule
REQUEST_METHOD "@pm POST GET" "id:77232450,chain,msg:'IM360 WAF: Arbitrary File Download vulnerability in Ad Manager Plugin v1.0.11 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_ad_manager_wd'"
    SecRule ARGS:post_type "@streq wd_ads_ads" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:path "@contains .." "t:none,t:urlDecodeUni"
# BookX 1.7 (CVE-2014-4937): "file" argument beginning with ../ on
# includes/bookx_export.php. No log action on this rule.
SecRule REQUEST_URI "@contains includes/bookx_export.php" "id:77221540,chain,msg:'IM360 WAF: Directory traversal vulnerability in BookX plugin 1.7 for WordPress (CVE-2014-4937 )||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdline,t:removeWhitespace,t:normalizePath,multiMatch,severity:2,tag:'wp_plugin_bookx'"
    SecRule ARGS:file "@beginsWith ../" "t:none,t:urlDecodeUni,t:cmdline,t:removeWhitespace,t:normalizePath"
# WP Content Source Control <= 3.0.0 (CVE-2014-5368): ../ in "path" on
# downloadfiles/download.php. No log action on this rule.
SecRule REQUEST_FILENAME "@endswith wp-content/plugins/wp-source-control/downloadfiles/download.php" "id:77222350,chain,msg:'IM360 WAF: Directory traversal in the WP Content Source Control plugin 3.0.0 and earlier for WordPress (CVE-2014-5368)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,multiMatch,severity:2,tag:'wp_plugin_wp_source_control'"
    SecRule ARGS:path "@contains ../" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalizePath"
# Tera Charts 0.1 (CVE-2014-4940): ".." in fn on treemap.php or
# zoomabletreemap.php under a path containing "charts". No phase or log action
# is set on this rule.
SecRule REQUEST_FILENAME "@contains charts" "id:77226990,chain,msg:'IM360 WAF: Multiple Directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress (CVE-2014-4940)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',deny,status:403,t:none,t:lowercase,severity:2,tag:'wp_plugin_tera_charts'"
    SecRule MATCHED_VAR "@pm treemap.php zoomabletreemap.php" "chain,t:none"
    SecRule ARGS:fn "@contains .." "t:none"
# SE HTML5 Album Audio Player <= 1.1.0 (CVE-2015-4414): ".." in "file" on a
# path ending download_audio.php.
SecRule REQUEST_FILENAME "@endsWith download_audio.php" "id:77227180,chain,msg:'IM360 WAF: Directory traversal vulnerability in the SE HTML5 Album Audio Player plugin 1.1.0 and earlier for WordPress (CVE-2015-4414)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_se_html5_album_audio_player'"
    SecRule ARGS:file "@contains .." "t:none,t:urlDecodeUni,t:normalizePath"
# Wechat Broadcast 1.2.0 (CVE-2018-16283): ".." in url on wechat/image.php
# under wp-content/plugins.
SecRule REQUEST_FILENAME "@endsWith wechat/image.php" "id:77230630,chain,msg:'IM360 WAF: Local File Inclusion vulnerability in Wechat Broadcast 1.2.0 Plugin for WordPress (CVE-2018-16283)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_wechat_broadcast'"
    SecRule MATCHED_VAR "@contains wp-content/plugins" "chain"
    SecRule ARGS:url "@contains .." "t:none,t:urlDecodeUni"
# Custom Field Suite 2.5.12: post_type=cfs with a non-digit in
# cfs[extras][order].
SecRule REQUEST_METHOD "@pm POST GET" "id:77230990,chain,msg:'IM360 WAF: XSS vulnerability in Custom Field Suite plugin 2.5.12 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_custom_field_suite'"
    SecRule ARGS:post_type "@streq cfs" "chain,t:none,t:lowercase"
    SecRule ARGS:cfs[extras][order] "@rx \D" "t:none,t:urlDecodeUni"
# WebEngage < 2.0.1 (CVE-2014-4574): non-digit in height on resize.php.
SecRule REQUEST_METHOD "@pm POST GET" "id:77222280,chain,msg:'IM360 WAF: XSS vulnerability in the WebEngage plugin before 2.0.1 for WordPress (CVE-2014-4574)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_webengage'"
    SecRule REQUEST_BASENAME "@streq resize.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:height "@rx \D" "t:none"
# Traffic Analyzer <= 3.3.2 (CVE-2013-3526): non-digit in aoid on
# js/ta_loaded.js.php. No log action on this rule.
SecRule REQUEST_FILENAME "@contains js/ta_loaded.js.php" "id:77220370,chain,msg:'IM360 WAF: XSS vulnerability in the Traffic Analyzer plugin 3.3.2 and earlier for WordPress
(CVE-2013-3526)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,severity:2,tag:'wp_plugin_trafficanalyzer'" SecRule ARGS:aoid "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/formcraft/form.php" "id:77220390,chain,msg:'IM360 WAF: SQL injection vulnerability in the FormCraft plugin 1.3.7 and earlier for WordPress (CVE-2013-7187)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,severity:2,tag:'service_wp_plugin'" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_FILENAME "@contains contactme" "id:77221250,chain,msg:'IM360 WAF: XSS vulnerability in the Contact Form by ContactMe.com plugin 2.3 and earlier for WordPress (CVE-2014-4518)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_contactme'" SecRule MATCHED_VAR "@endswith wp-content/plugins/contactme/xd_resize.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:height|ARGS:width "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-symposium/get_album_item.php" "id:77226960,chain,msg:'IM360 WAF: SQL injection vulnerabilities in the WP Symposium plugin before 15.8 for WordPress (CVE-2015-6522)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_wp_symposium'" SecRule ARGS:size "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith google-document-embedder/view.php" "id:77227040,chain,msg:'IM360 WAF: SQL injection vulnerability in the Google Doc Embedder plugin before 2.5.15 for WordPress (CVE-2014-9173)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_google_document_embedder'" SecRule ARGS:embedded "@ge 1" "chain,t:none" SecRule ARGS:gpid "@rx \D" 
"t:none" SecRule ARGS:dex_reservations_calendar_load2 "@eq 1" "id:77227610,chain,msg:'IM360 WAF: SQL Injection vulnerabilities in the plugin CP Reservation Calendar plugin before 1.1.7 for WordPress (CVE-2015-7235)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,severity:2,tag:'wp_plugin_cp_reservation_calendar'" SecRule ARGS:id "!@streq Rcalender1" "t:none,t:urlDecodeUni" SecRule ARGS:cpmvc_do_action "@streq mvparse" "id:77227780,chain,msg:'IM360 WAF: SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress (CVE-2014-8586)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_cp_multi_view_calendar'" SecRule ARGS:calid "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith ss_handler.php" "id:77228350,chain,msg:'IM360 WAF: SQL injection in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress (CVE-2014-8363)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_wp_spreadsheets'" SecRule ARGS:ss_id "@rx \D" "t:none" SecRule ARGS:msg "@streq imported" "id:77243410,chain,msg:'IM360 WAF: XSS vulnerability in WordPress plugin enhanced-tooltipglossary v3.2.8 (CVE-2016-1000132)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_enhanced_tooltipglossary'" SecRule REQUEST_FILENAME "@endsWith backend/views/admin_importexport.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:itemsnumber "@rx \D" "t:none" SecRule REQUEST_FILENAME "@contains include/user/download" "id:77228030,chain,msg:'IM360 WAF: Absolute path traversal vulnerability in the Swim Team plugin 1.44.10777 for WordPress (CVE-2015-5471)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_wp_swimteam'" SecRule ARGS:file 
"@beginsWith /" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /includes/download.php" "id:77228140,chain,msg:'IM360 WAF: Remote file download vulnerability in WordPress plugin wp-ecommerce-shop-styling before v2.5 (CVE-2015-5468)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_wp_ecommerce_shop_styling'" SecRule ARGS:filename "@contains /" "chain,t:none,t:lowercase" SecRule ARGS:filename "!@endsWith .pdf" "t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:filepath "@beginsWith /" "id:77228950,chain,msg:'IM360 WAF: Remote file download vulnerability in the simple-image-manipulator v1.0 for WordPress (CVE-2015-1000010)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_simple_image_manipulator'" SecRule REQUEST_FILENAME "@endsWith simple-image-manipulator/controller/download.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:file_link "@beginsWith /" "id:77228990,chain,msg:'IM360 WAF: Remote file download vulnerability in recent-backups v0.7 plugin for WordPress (CVE-2015-1000006)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_recent_backups'" SecRule REQUEST_FILENAME "@endsWith recent-backups/download-file.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:url "@beginsWith /" "id:77229060,chain,msg:'IM360 WAF: Remote file download vulnerability in wptf-image-gallery v1.03 for WordPress (CVE-2016-1000007)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_wptf_image_gallery'" SecRule REQUEST_FILENAME "@endsWith lib-mbox/ajax_load.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule SESSION:sharethis "@eq 1" 
"id:77220211,phase:2,pass,nolog,skip:1,severity:5,tag:'wp_plugin_sharethis'" SecRule &SESSION:wp_session "@ge 1" "id:77220212,chain,msg:'IM360 WAF: CSRF vulnerability in the ShareThis plugin before 7.0.6 for WordPress (CVE-2013-3479)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_sharethis'" SecRule &ARGS:st_widget "@ge 1" "chain,t:none" SecRule REQUEST_FILENAME "@contains index.php" "t:none,t:lowercase" SecRule SESSION:cart66 "@eq 1" "id:77220291,phase:2,pass,nolog,skip:1,severity:5,tag:'wp_plugin_cart66_lite'" SecRule SESSION:wp_add "@eq 1" "id:77221171,phase:2,pass,nolog,skip:1,severity:5,tag:'wp_plugin_wp125'" SecRule REQUEST_BASENAME "@streq options-general.php" "id:77222010,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:lowercase,severity:5,tag:'wp_plugin_wp_file_upload',tag:'im360_req_get'" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.ref=1',expirevar:'SESSION.ref=300',t:none,t:lowercase" SecRule SESSION:ref "@eq 1" "id:77222011,phase:2,pass,nolog,skip:1,severity:5,tag:'wp_plugin_wp_file_upload'" SecRule &SESSION:wp_session "@ge 1" "id:77230051,chain,msg:'IM360 WAF: CSRF vulnerability in Weblizar-pinterest-feeds plugin 1.1.1 for WordPress (CVE-2018-5656)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_weblizar_pinterest_feeds'" SecRule &ARGS:weblizar_pffree_settings_save_get-users "@ge 1" "chain,t:none" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:wp_pffree-weblizar "!@eq 1" "t:none" SecRule &SESSION:wp_session "@ge 1" "id:77230311,chain,msg:'IM360 WAF: CSRF vulnerability in Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress (CVE-2018-11632)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_add_social_share_buttons'" SecRule 
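&ARGS:add_custom_service_style "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq admin-post.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:wp_social_share_buttons "!@eq 1" "t:none"

# Rule 77222160 (CVE-2014-4942): single-condition rule, no chain. Denies with 403 any
# request whose decoded, normalized, lowercased path ends with the EasyCart
# inc/admin/phpinfo.php script.
SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wp-easycart/inc/admin/phpinfo.php" "id:77222160,msg:'IM360 WAF: Information disclosure vulnerability in The EasyCart plugin before 2.0.6 for WordPress (CVE-2014-4942)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalizePath,t:removeWhitespace,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_wp_easycart'"

# Rule 77222220 (CVE-2014-5337): deny when the path contains the Mobile Pack
# export/content.php script, `content` equals "exportarticles", and a `callback`
# argument is present.
# The last link previously read "!eq 0". Without the leading "@", ModSecurity treats
# the string as a negated regular expression ("eq 0") tested against the argument
# count, which is true for every request, so the callback condition never narrowed
# the rule. "!@eq 0" restores the numeric comparison.
# NOTE(review): this limits the deny to requests that carry `callback`; confirm
# against the plugin advisory that the disclosure depends on that parameter.
SecRule REQUEST_FILENAME "@contains wp-content/plugins/wordpress-mobile-pack/export/content.php" "id:77222220,chain,msg:'IM360 WAF: Information disclosure vulnerability in the WordPress Mobile Pack plugin before 2.0.2 for WordPress (CVE-2014-5337)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_wordpress_mobile_pack'"
SecRule ARGS:content "@streq exportarticles" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS:callback "!@eq 0"

# Rule 77226070 (CVE-2014-10021): deny when the path contains /server/php/, an
# argument name matches uploader_(uid|url), and an uploaded file name carries a
# .php, .js or .pl extension that is either final or followed by another dot.
SecRule REQUEST_FILENAME "@contains /server/php/" "id:77226070,chain,msg:'IM360 WAF: Shell Upload Vulnerability WP Symposium plugin 14.11 for WordPress (CVE-2014-10021)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_wp_symposium'"
SecRule ARGS_NAMES "@rx uploader_(uid|url)" "chain,t:none,t:urlDecodeUni,t:lowercase,multiMatch"
SecRule FILES "@rx \.(?:php|js|pl)(?:\.|$)" "t:none,t:urlDecodeUni,t:lowercase,multiMatch"

SecRule REQUEST_FILENAME "@contains wp-content/plugins/wp-social-invitations/test.php" "id:77226220,chain,msg:'IM360 WAF: XSS vulnerability in in the WP Social Invitations plugin before 1.4.4.3 for WordPress 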
(CVE-2014-4597)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_wp_social_invitations'" SecRule ARGS:xhrurl "!@streq http://www.example.com" "t:none,t:urlDecodeUni,t:compressWhitespace" SecRule ARGS:icl_action "@streq reminder_popup" "id:77226280,chain,msg:'IM360 WAF: XSS vulnerability in the WPML plugin before 3.1.9 for WordPress (CVE-2015-2315)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_wpml'" SecRule ARGS:target "@contains javascript" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_FILENAME "@endsWith stageshow_redirect.php" "id:77226830,chain,msg:'IM360 WAF: Open redirect vulnerability in the Redirect function in the StageShow plugin before 5.0.9 for WordPress (CVE-2015-5461)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_stageshow'" SecRule &ARGS:url "@ge 1" SecRule REQUEST_FILENAME "@endsWith reflex-gallery/admin/scripts/FileUploader/php.php" "id:77226980,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the ReFlex Gallery plugin before 3.1.4 for WordPress (CVE-2015-4133)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_reflex_gallery'" SecRule ARGS:Year|ARGS:Month "@ge 1" "chain,t:none" SecRule FILES "!@rx \.(?:jpe?g|gif|bmp|png)$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith db-backup/download.php" "id:77227070,chain,msg:'IM360 WAF: Directory traversal vulnerability in the DB Backup plugin 4.5 and earlier for WordPress (CVE-2014-9119)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_db_backup'" SecRule ARGS:file "@rx ^\/|\.\." 
"t:none,t:urlDecodeUni,t:normalizePath" SecRule REQUEST_FILENAME "@endsWith proxy.php" "id:77227190,chain,msg:'IM360 WAF: Absolute path traversal vulnerability in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress (CVE-2015-5065)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_woocommerce'" SecRule ARGS:requrl "@rx ^(\.\.|\/)" "t:none" SecRule REQUEST_FILENAME "@endsWith twentyfifteen/genericons/example.html" "id:77227200,msg:'IM360 WAF: XSS vulnerability in Genericons before 3.3.1 as used in WordPress before 4.2.2 (CVE-2015-3429)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith lib/dp_image.php" "id:77227220,chain,msg:'IM360 WAF: Directory traversal vulnerability in the DukaPress plugin before 2.5.4 for WordPress (CVE-2014-8799)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_dukapress'" SecRule ARGS:src "@rx ^\/|\.\." 
"t:none,t:urlDecodeUni,t:normalizePath" SecRule REQUEST_FILENAME "@endsWith library/clicktracker.php" "id:77227500,chain,msg:'IM360 WAF: SQL injection vulnerability in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress (CVE-2014-1854)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_adrotate'" SecRule ARGS:track "!@rx ^\d*," "t:none" SecRule REQUEST_FILENAME "@contains inc/amfphp/administration/banneruploaderscript" "id:77227830,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 for WordPress (CVE-2014-9308)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_wp_easycart'" SecRule FILES "!@rx \.(?:jpe?g|gif|bmp|png)$" "t:none,t:lowercase" SecRule &FILES "@ge 1" "id:77228070,chain,msg:'IM360 WAF: Shell upload vulnerability in Gravity Forms 1.8.19 and earlier||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_infusionsoft'" SecRule ARGS:gf_page "@streq upload" "chain,t:none" SecRule &ARGS:form_id "@ge 1" "chain,t:none" SecRule &ARGS:field_id "@ge 1" "chain,t:none" SecRule ARGS:name "@rx \.(?:php\d?|js|p(?:l|y)|rb|sh|(?:p|s|x|d)?html?\d?|asp|exe|dll|com|htaccess)$" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_FILENAME "@endsWith infusionsoft/utilities/code_generator.php" "id:77228080,msg:'IM360 WAF: Arbitrary File Upload and Arbitrary PHP Code Execution in the Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress (CVE-2014-6446)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_infusionsoft'" SecRule &ARGS:swp_url "@ge 1" 
"id:77232920,chain,msg:'IM360 WAF: RFI vulnerability in social warfare plugin before 3.5.3 for WordPress (CVE-2019-9978)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_social_warfare'" SecRule &ARGS:swp_debug "@ge 1" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77233220,chain,phase:2,deny,status:403,log,severity:2,t:none,msg:'IM360 WAF: XSS vulnerability in Modern Events Calendar Lite plugin 4.2.1 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin_modern_events_calendar_lite'" SecRule ARGS:taxonomy "@rx ^(?:mec_label|mec_organizer|mec_location)$" "chain,t:none" SecRule ARGS|!ARGS:description "@rx \x22" "t:none" SecRule &ARGS:cp_appbooking_id "@ge 1" "id:77233270,chain,msg:'IM360 WAF: XSS vulnerability exists in Appointment Hour Booking Plugin v 1.1.35 or possibly below for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_appointment_hour_booking'" SecRule &ARGS:cp_appbooking_pform_process "@ge 1" "chain,t:none" SecRule ARGS:/^fieldname\d/ "@rx \x22" "t:none,t:urlDecodeUni" SecRule ARGS:RelayState "@streq testvalidate" "id:77233280,chain,msg:'IM360 WAF: XSS vulnerability in miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress (CVE-2019-12346)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_miniorange_saml_20_single_sign_on'" SecRule ARGS:SAMLResponse "@contains <" "t:none,t:urlDecodeUni" SecRule ARGS:page|ARGS:option_page "@streq bt_bb_settings" "id:77234280,chain,phase:2,deny,status:403,log,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: Privilege escalation vulnerability in bold-page-builder plugin before 2.3.2 for WordPress 
(CVE-2019-15821)||File:%{REQUEST_FILENAME}||T:APACHE||',tag:'wp_plugin_bold_page_builder'" SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "chain,t:none" SecRule REQUEST_FILENAME "@rx \/wp-admin\/options(?:-general)?\.php$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77234700,chain,msg:'IM360 WAF: SQLi vulnerability in ninja-forms plugin before 3.3.21.2 for WordPress (CVE-2019-15025)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_ninja_forms'" SecRule ARGS:post_type "@streq nf_sub" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:form_id|ARGS:nf_form_filter|ARGS:begin_date|ARGS:end_date "!@rx (?:^[\w\/\-]+$|^$)" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@contains preview-shortcode-external.php" "id:77221460,chain,msg:'IM360 WAF: XSS vulnerability in the OMFG Mobile Pro plugin 1.1.26 and earlier for WordPress (CVE-2014-4541)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_omfg_mobile'" SecRule ARGS:shortcode "@contains >" SecRule REQUEST_FILENAME "@contains main_page.php" "id:77221500,chain,msg:'IM360 WAF: XSS vulnerability in the Game tabs plugin 0.4.0 and earlier for WordPress (CVE-2014-4531)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_game_tabs'" SecRule ARGS:n "@contains >" SecRule REQUEST_FILENAME "@contains wp-restful/html_api_login.php" "id:77221770,chain,msg:'IM360 WAF: XSS vulnerabilities in the WP RESTful plugin 0.1 and earlier for WordPress (CVE-2014-4595)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,severity:2,tag:'wp_plugin_wp_restful'" SecRule 
ARGS:oauth_callback_temp|ARGS:oauth_token_temp "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@contains wp-restful/html_api_authorize.php" "id:77221771,chain,msg:'IM360 WAF: XSS vulnerabilities in the WP RESTful plugin 0.1 and earlier for WordPress (CVE-2014-4595)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,severity:2,tag:'wp_plugin_wp_restful'" SecRule ARGS:oauth_callback "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@endsWith /js/window.php" "id:77227130,chain,msg:'IM360 WAF: XSS vulnerability in the Navis DocumentCloud plugin before 0.1.1 for WordPress (CVE-2015-2807)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_navis_documentcloud'" SecRule ARGS:wpbase "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@contains download" "id:77228010,chain,msg:'IM360 WAF: Directory traversal vulnerability in the Zip Attachments plugin before 1.5.1 for WordPress (CVE-2015-4694)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_zip_attachments'" SecRule ARGS:za_file "@contains .." 
"t:none" SecRule REQUEST_FILENAME "@contains /image-export/download.php" "id:77228150,chain,msg:'IM360 WAF: Remote file download vulnerability in WordPress Plugin Image-export v1.1.0 (CVE-2016-5609)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,severity:2,tag:'wp_plugin_image_export'" SecRule ARGS:file "@contains /" "t:none,t:lowercase,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith download.php" "id:77228160,chain,msg:'IM360 WAF: Remote file download vulnerability in download-zip-attachments v1.0 for WordPress (CVE-2015-4704)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_download_zip_attachments'" SecRule ARGS:za_file "@rx \.\.|^\/" "t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:url "@contains >" "id:77228200,chain,msg:'IM360 WAF: XSS vulnerabilities in the WordPress plugin Ooorl v3.1.1 (CVE-2014-4542)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_ooorl'" SecRule REQUEST_COOKIES_NAMES "@contains wordpress" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith redirect.php" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith page-layout-builder/includes/layout-settings.php" "id:77228760,chain,msg:'IM360 WAF: XSS vulnerability in the WordPress plugin page-layout-builder v1.9.3 (CVE-2016-1000141)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_page_layout_builder'" SecRule ARGS:layout_settings_id "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule ARGS:fileName "@contains .." 
"id:77228940,chain,msg:'IM360 WAF: Remote file download vulnerability in the candidate-application-form v1.0 for WordPress (CVE-2016-1000005)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_candidate_application_form'" SecRule REQUEST_FILENAME "@endsWith downloadpdffile.php" "t:none,t:lowercase" SecRule ARGS:query "@contains php://" "id:77232170,chain,msg:'IM360 WAF: Directory traversal vulnerability in JSmol2WP plugin 1.07 for WordPress (CVE-2018-20462)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_jsmol2wp'" SecRule REQUEST_FILENAME "@endsWith /php/jsmol.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule &ARGS:cp_contactformpp_pform_process "@ge 1" "id:77233110,chain,msg:'IM360 WAF: SQL Injection vulnerability in CP Contact Form with PayPal plugin 1.1.5 for WordPress (CVE-2015-9234)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_cp_contact_form_with_paypal'" SecRule ARGS:cp_contactformpp_id "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith test-plugin.php" "id:77221710,chain,msg:'IM360 WAF: XSS vulnerability in the Swipe Checkout for Jigoshop plugin 3.1.0 and earlier for WordPress (CVE-2014-4557)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace,t:htmlEntityDecode,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_swipe_hq_checkout_for_jigoshop'" SecRule ARGS:api_url "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /valums_uploader/php.php" "chain,id:77316754,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin Valums Uploader - File Upload Vulnerability||T:APACHE||',tag:'service_i360custom'" SecRule FILES "!@rx ^$" "t:none" # 
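DEFA-3987
# Rule 77316862: when the request has no `action` argument (count below 1), pass
# without logging and jump to the marker named MARKER_action. Every rule between here
# and that marker is therefore not evaluated for such requests; the marker itself is
# outside this part of the file.
SecRule &ARGS:action "@lt 1" "id:77316862,pass,phase:2,nolog,severity:5,skipAfter:MARKER_action,msg:'ARGS action optimization||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'noshow',tag:'service_gen'"

# DEFA-4190
# Rule 77316881: deny a POST to /wp-admin/post.php with action=editpost when an
# uploaded file name is .htaccess or ends in .pht, .phtml or .php plus an optional
# digit.
# Two changes to the FILES link, both matching the upload rules elsewhere in this file
# (for example 77140951): the extension group is "php\d?" instead of "php?\d?", which
# also matched ".ph" and ".ph<digit>"; and t:lowercase is applied so the match does not
# depend on the case of the uploaded file name.
SecRule REQUEST_METHOD "@rx POST" "id:77316881,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Authenticated File Upload vulnerability in WordPress Download Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@streq editpost" "chain,t:none"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase"

# DEFA-4172
# Rule 77316873: block a POST to wp-admin/options-general.php or admin-ajax.php with
# page=wpsupercache and action=scupdates when wp_cache_location contains a single
# quote (\x27). No phase action is given, so the phase comes from the active
# SecDefaultAction; the last link has no action list, so its transformations are
# inherited the same way.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316873,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Remote Code Execution in WP Super Cache 1.7.1 Plugin for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@rx /wp-admin/(?:options-general|admin-ajax)\.php" "chain,t:none,t:htmlEntityDecode,t:normalizePath"
SecRule ARGS:page "@streq wpsupercache" "chain,t:none"
SecRule ARGS:action "@streq scupdates" "chain,t:none"
SecRule ARGS:wp_cache_location "@rx \x27"

# DEFA-3743
# Rule 77316806 (CVE-2021-24175): block a POST whose action ends with
# theplus_ajax_register, that supplies user_login, email and password, and that
# requests the administrator or editor role through tp_user_reg_role.
# "POST" has no "@" prefix, so it is evaluated as an unanchored regular expression.
SecRule REQUEST_METHOD "POST" "chain,id:77316806,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_wp_plugin',tag:'im360_req_post'"
SecRule ARGS:action "@endsWith theplus_ajax_register" "chain,t:none"
SecRule &ARGS:user_login "@gt 0" "chain,t:none"
SecRule &ARGS:email "@gt 0" "chain,t:none"
SecRule &ARGS:password "@gt 0" "chain,t:none"
SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none,t:lowercase"

# DEFA-3743
SecRule REQUEST_METHOD "POST" "chain,id:77316807,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Privilege escalation in 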
The Plus Addons for Elementor (CVE-2021-24175)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule ARGS:action "@endsWith theplus_google_ajax_register" "chain,t:none" SecRule &ARGS:email "@gt 0" "chain,t:none" SecRule &ARGS:name "@gt 0" "chain,t:none" SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none,t:lowercase" # DEFA-1108 Local file inclusion vulnerability in Contact Form Builder plugin for WordPress SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140767,chain,phase:2,block,log,severity:2,msg:'IM360 WAF: Local file inclusion vulnerability in Contact Form Builder plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_contact_form_builder'" SecRule ARGS:action "@pm CFMShortcode ContactFormMakerPreview ContactFormmakerwdcaptcha nopriv_ContactFormmakerwdcaptcha" "t:none,chain" SecRule ARGS:action "@rx \.\.\/\.\.\/" "t:none,t:lowercase,t:urlDecodeUni" # DEFA-1121 File upload vulnerability in WooCommerce plugin for WordPress SecRule REQUEST_FILENAME "@contains wp-admin/admin-ajax.php" "id:77140768,chain,phase:2,pass,log,severity:5,t:urlDecodeUni,t:removeWhitespace,msg:'IM360 WAF: File upload vulnerability in WooCommerce plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||order_id:%{ARGS:order_id}||name:%{ARGS:name}||',tag:'service_i360custom',tag:'wp_plugin_woocommerce'" SecRule ARGS:action "@contains wccs_upload_file_func" "chain,t:none" SecRule FILES "@rx \.(?:php\d?|js|p(?:l|y)|rb|sh|(?:p|s|x|d)?html?\d?|aspx?|cgi|exe|dll|com|htaccess)$" # DEFA-1205 Stored XSS vulnerability in Live Chat with Facebook Messenger plugin for WordPress SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140775,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Stored XSS vulnerability in Live Chat with Facebook Messenger plugin for 
WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:action "@rx update_zb_fbc_code" "t:none,chain" SecRule ARGS:domain "@rx <" "t:none,t:urlDecodeUni" # DEFA-1244 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140776,chain,block,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Convert Plus WordPress plugin flaw allows hackers to create Admin accounts||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:action "@streq cp_add_subscriber" "t:none,chain" SecRule ARGS:cp_set_user "@streq administrator" "t:none,t:lowercase" # DEFA-1203 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77140779,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS vulnerability in FB Messenger Live Chat For||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:action "@streq update_zb_fbc_code" "chain,t:none" SecRule ARGS:domain "@rx <\/" "t:none" # DEFA-1277 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77140780,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: New user account role escalation in many plugins for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:action "@streq fs_set_db_option" "t:none,chain" SecRule ARGS:option_name "@streq users_can_register" "t:none,chain" SecRule ARGS:option_value "@gt 0" # https://cxsecurity.com/issue/WLB-2019070111 # https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-donations-plugin/ SecRule REQUEST_URI "@rx \/wp-admin\/admin-(?:post|ajax)\.php" "id:77140823,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Privilege escalation in WordPress ND Donations plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:action|ARGS:action_rcs "@rx 
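(nd_learning_import_settings_php_function|nd_travel_import_settings_php_function|nd_stats_import_settings_php_function|nd_donations_import_settings_php_function|action_rcs_page_setting_save_post|hc_ajax_save_option|nd_options_import_settings_php_function|nd_booking_import_settings_php_function)" "t:none"

# The upload rules below share one file-name test: the name contains ".htaccess"
# or ends in .pht, .phtml or .php followed by an optional digit. The pattern is
# lowercase, so every FILES rule lowercases the name first (t:none,t:lowercase);
# ids 77140838, 77140839 and 77140938 previously omitted that step and are now
# aligned with ids 77140951 onward.

# DEFA-1768
# Blocks wpuf_file_upload requests that carry such a file.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140838,chain,phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: WordPress Plugin WP User Frontend < 2.3.11 - Unrestricted Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_user_frontend'"
    SecRule ARGS:action "@streq wpuf_file_upload" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-1769
# Blocks getcountryuser requests that carry such a file.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140839,chain,phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in Adblock Blocker||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'"
    SecRule ARGS:action "@streq getcountryuser" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-1946
# Blocks nm_personalizedproduct_upload_file requests that carry such a file.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140938,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress WooCommerce Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_woocommerce'"
    SecRule ARGS:action "@streq nm_personalizedproduct_upload_file" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-1993
# PrestaShop videostab module: blocks requests to ajax_videostab.php whose
# `action` contains submituploadvideo and that carry such a file.
SecRule REQUEST_FILENAME "@endsWith videostab/ajax_videostab.php" "id:77140951,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop videostab Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'"
    SecRule ARGS:action "@contains submituploadvideo" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-1995
# PrestaShop advancedslider module: same test for ajax_advancedsliderUpload.php
# with an `action` containing submituploadimage.
SecRule REQUEST_FILENAME "@endsWith advancedslider/ajax_advancedsliderUpload.php" "id:77140953,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop advancedslider Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'"
    SecRule ARGS:action "@contains submituploadimage" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2099
# Blocks es_prop_media_images requests that carry such a file.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140976,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Estatik Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_estatik'"
    SecRule ARGS:action "@streq es_prop_media_images" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2088
# POST-only: blocks ap_file_upload_action requests that include the
# file_uploader_nonce and allowedExtensions[] arguments and carry such a file.
SecRule REQUEST_METHOD "^POST$" "id:77140972,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: WordPress Plugin Accesspress Anonymous Post Pro Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_accesspress_anonymous_post',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq 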
ap_file_upload_action" "chain,t:none,t:urlDecodeUni"
    SecRule &ARGS:file_uploader_nonce "@gt 0" "chain,t:none"
    SecRule &ARGS:allowedExtensions[] "@gt 0" "chain,t:none"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2101
# Blocks nm_filemanager_upload_file requests that carry a file named .htaccess
# or ending in .pht/.phtml/.php[digit] (name lowercased before the test).
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140978,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin FrontEnd File Manager Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_nmedia_user_file_uploader'"
    SecRule ARGS:action "@streq nm_filemanager_upload_file" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2171
# Same file-name test for nf_async_upload requests that include a `security`
# argument.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140989,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Ninja Forms Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_ninjaforms'"
    SecRule ARGS:action "@streq nf_async_upload" "chain,t:none,t:lowercase"
    SecRule &ARGS:security "@gt 0" "chain,t:none"
    SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2302
# Blocks (status 403) my_wpc_signon requests that include an auth_key argument
# unless the client address is one of the two listed IPs.
# NOTE(review): 192.200.108.100 is presumably the legitimate management host for
# this plugin - confirm before relying on or changing the exemption.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141011,chain,msg:'IM360 WAF: WPCentral < 1.5.1 Auth Bypass & Privelege Escalation||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'service_i360custom'"
    SecRule ARGS:action "@streq my_wpc_signon" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule &ARGS:auth_key "!@eq 0" "chain,t:none"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,192.200.108.100" "t:none"

# The three rules below end with a Referer test: the chain matches only when a
# Referer header is present and does not contain the server name.
# NOTE(review): Referer is client-supplied, so these are best-effort virtual
# patches; no companion rule for requests without a Referer header is visible
# for these ids in this part of the file - confirm coverage and keep the
# plugins themselves updated.

# DEFA-2312
# Blocks import_popups requests that include attachmentUrl; the attachmentUrl
# value is written to the log message.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141012,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Popup Builder plugin SQL injection via PHP deserialization||T:APACHE||URL:%{ARGS.attachmentUrl}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_popup_builder'"
    SecRule ARGS:action "@streq import_popups" "t:none,t:lowercase,chain"
    SecRule &ARGS:attachmentUrl "@gt 0" "t:none,chain"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2319
# Blocks kbslider_show_image requests whose `img` argument still contains "../"
# after URL-decoding, whitespace removal and path normalisation (no Referer test).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141015,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress KenBurner Slider plugin unauthenticated arbitrary file download||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'"
    SecRule ARGS:action "@streq kbslider_show_image" "t:none,t:lowercase,chain"
    SecRule ARGS:img "@rx \.\.\/" "t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2323
# Blocks cli_policy_generator requests with
# cli_policy_generator_action=save_contentdata.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141018,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress GDPR Cookie Consent < 1.8.3 Improper Access Controls||T:APACHE||PG:%{ARGS.page_id}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_cookie_law_info'"
    SecRule ARGS:action "@streq cli_policy_generator" "t:none,t:lowercase,chain"
    SecRule ARGS:cli_policy_generator_action "@streq save_contentdata" "t:none,t:lowercase,chain"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2364
# Blocks ihc_delete_user_via_ajax requests that include an `id` argument.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141034,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Ultimate Membership Pro < 8.6.2 CSRF for Delete an Arbitrary 
User||T:APACHE||ID:%{ARGS.id}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_member'"
    SecRule ARGS:action "@streq ihc_delete_user_via_ajax" "chain,t:none,t:lowercase"
    SecRule &ARGS:id "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# The rules below are CSRF virtual patches: each chain ends by requiring a
# Referer header that does not contain the server name.
# NOTE(review): Referer is client-supplied; treat these as best-effort and
# confirm that requests without a Referer header are covered elsewhere.

# DEFA-2365
# Blocks add_new_instructor / tutor_add_instructor requests (action is
# HTML-entity-decoded and lowercased first) that include user_login and password.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141035,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Tutor LMS 1.5.3 CSRF to add user||T:APACHE||Action:%{ARGS.action}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_tutor'"
    SecRule ARGS:action "@rx ^(add_new_instructor|tutor_add_instructor)$" "chain,t:none,t:htmlEntityDecode,t:lowercase"
    SecRule &ARGS:user_login "@gt 0" "chain,t:none"
    SecRule &ARGS:password "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2377
# Blocks mmr_files requests whose `purge` argument still contains "../" after
# URL-decoding, whitespace removal and path normalisation.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141040,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Merge + Minify + Refresh < 1.10.7 Authenticated Arbitrary File Delete||T:APACHE||F:%{ARGS.purge}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_merge_minify_refresh'"
    SecRule ARGS:action "@streq mmr_files" "chain,t:none,t:lowercase"
    SecRule ARGS:purge "@rx \.\.\/" "chain,t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2378
# Blocks wpfc_delete_current_page_cache requests whose `path` argument contains
# "../" after URL-decoding and whitespace removal.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141041,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WP Fastest Cache < 0.9.0.3 CSRF Arbitrary File Deletion||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_fastest_cache'"
    SecRule ARGS:action "@streq 
wpfc_delete_current_page_cache" "chain,t:none,t:lowercase"
    SecRule ARGS:path "@rx \.\.\/" "chain,t:none,t:urlDecodeUni,t:removeWhitespace"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2387
# Blocks wfu_ajax_action_ask_server requests that include `filesizes` and whose
# `filenames` value contains "../" after hex-decoding, URL-decoding and
# whitespace removal.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141046,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress File Upload < 4.13.0 - Directory Traversal to RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_file_upload'"
    SecRule ARGS:action "@streq wfu_ajax_action_ask_server" "chain,t:none,t:lowercase"
    SecRule &ARGS:filesizes "@gt 0" "chain,t:none"
    SecRule ARGS:filenames "@rx \.\.\/" "t:none,t:hexDecode,t:urlDecodeUni,t:removeWhitespace"

# The remaining rules in this group are CSRF virtual patches that end with a
# Referer test (header present and not containing the server name).
# NOTE(review): Referer is client-supplied; treat these as best-effort and
# confirm that requests without a Referer header are covered elsewhere.

# DEFA-2388
# Blocks installer_download_plugin requests whose `data` argument contains
# "slug":"woocommerce-multilingual" (up to 128 whitespace characters tolerated
# around the colon).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141047,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WPML < 4.3.7 - Authenticated CSRF leading to RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wpml'"
    SecRule ARGS:action "@streq installer_download_plugin" "chain,t:none,t:lowercase"
    SecRule ARGS:data "@rx \x22slug\x22\s{0,128}\:\s{0,128}\x22woocommerce-multilingual\x22" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2422
# Blocks requests whose `action` contains wpvivid_add_remote.
# NOTE(review): unlike its siblings this rule tests the Referer with @rx, so the
# expanded server name is treated as a regular expression (dots match any
# character); @contains would be consistent with the other rules - confirm.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141051,chain,msg:'IM360 WAF: WordPress WPvivid Backup < 0.9.36 CSRF attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'service_i360custom',tag:'wp_plugin_wpvivid_backuprestore'"
    SecRule ARGS:action "@contains wpvivid_add_remote" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule REQUEST_HEADERS:Referer "!@rx %{SERVER_NAME}" "t:none"

# DEFA-2427
# Blocks requests whose `action` is exactly one of the listed handler names
# (case-sensitive, no transformation).
# NOTE(review): several names (remove, create, render, clone, rename) are
# generic; other software using the same action names with an off-site Referer
# would presumably be blocked too - check for false positives.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141053,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: CSRF vlnerability in Data Tables Generator WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||Action:%{ARGS.action}||',tag:'service_i360custom',tag:'wp_plugin_data_tables_generator_by_supsystic'"
    SecRule ARGS:action "@rx ^(getListForTbl|updateRows|updateMeta|saveSettings|remove|create|render|getSettings|getMeta|getCountRows|getRows|clone|rename)$" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2431
# Blocks create_dynamic_page requests that include post_title.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141057,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations CVE-2020-9514||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_idx_broker_platinum'"
    SecRule ARGS:action "@streq create_dynamic_page" "chain,t:none,t:lowercase"
    SecRule &ARGS:post_title "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2431
# Second rule for the same CVE: blocks actions containing create_dynamic_page or
# delete_dynamic_page when wrapper_page_id is present.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141058,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations CVE-2020-9514||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_idx_broker_platinum'"
    SecRule ARGS:action "@rx (create|delete)_dynamic_page" "chain,t:none,t:lowercase"
    SecRule &ARGS:wrapper_page_id "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2458
# Blocks requests whose `action` contains one of the responsive-ready-sites-*
# import/reset/delete handlers or admin_init / admin_notices /
# admin_enqueue_scripts.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141066,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints 
(CVE-2020-12073)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_responsive_add_ons'"
    SecRule ARGS:action "@rx (responsive-ready-sites-(import-set-site-data-free|import-xml|import-options|import-wpforms|import-widgets|import-customizer-settings|import-end|reset-customizer-data|reset-site-options|reset-widgets-data|delete-posts|delete-wp-forms|delete-terms|set-reset-data))|(admin_(init|notices|enqueue_scripts))" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2475
# Blocks elementor_ajax requests whose `actions` argument contains
# enable_safe_mode when a Referer header is present and does not contain the
# server name. Id 77142103 is the companion for requests with no Referer header.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141073,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'"
    SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:actions "@contains enable_safe_mode" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2502
# Non-blocking (pass): matches requests to a script named contact_form.php with
# action=send whose `email` or `msg` argument contains "<?" or a short
# slash-delimited path-like sequence.
# NOTE(review): no explicit `log` action here; whether a hit is recorded
# presumably depends on SecDefaultAction - confirm.
SecRule REQUEST_FILENAME "@endsWith contact_form.php" "id:77141076,chain,pass,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: PHPMailer < 5.2.20 - Remote Code Execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
    SecRule ARGS:action "@streq send" "chain,t:none"
    SecRule ARGS:email|ARGS:msg "@rx <\?|\/.{1,8}\/.{1,10}\/" "t:none,t:urlDecodeUni,t:normalizePath"

# DEFA-2503
# Non-blocking (pass, severity 5, tagged noshow): matches admin-post.php
# requests with action=db_import, an Upgrade-Insecure-Requests: 1 header and a
# Content-Type header that contains CR LF after URL-decoding.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "id:77141077,chain,pass,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_advanced_search',tag:'noshow'"
    SecRule ARGS:action "@streq db_import" "chain,t:none"
    SecRule REQUEST_HEADERS:Upgrade-Insecure-Requests "@streq 1" "chain,t:none"
    SecRule REQUEST_HEADERS:Content-Type "@rx \x0d\x0a" "t:none,t:urlDecodeUni"

# DEFA-2512
# Blocks requests whose `action` contains one of the listed core37_lp_* /
# c37_lp_* handler names when a Referer header is present and does not contain
# the server name.
# NOTE(review): Referer is client-supplied; no companion rule for requests
# without a Referer header is visible for this id here - confirm coverage.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141079,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress WP Lead Plus X <= 0.99 - Multiple CSRF||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_free_sales_funnel_squeeze_pages_landing_page_builder_templates_make'"
    SecRule ARGS:action "@pm core37_lp_save_page core37_lp_delete_page core37_lp_form_admin_save_settings core37_lp_save_popup_option core37_lp_delete_popup_option core37_lp_save_widget_option core37_lp_delete_widget_option core37_lp_export_template core37_lp_load_local_templates c37_lp_use_wp_template_file core37_lp_delete_template" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2548
# Blocks export_admin_table requests whose `filename` argument still contains
# "../" after URL-decoding and path normalisation.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141081,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress LifterLMS < 3.37.15 Arbitrary File Writing||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_lifterlms'"
    SecRule ARGS:action "^export_admin_table$" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:filename "@contains ../" "t:none,t:urlDecodeUni,t:normalizePath"

# DEFA-2549 - CSRF
# Blocks change_klarna_addon_status requests when a Referer header is present
# and does not contain the server name.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141082,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation - CSRF||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_klarna_checkout_for_woocommerce'"
    SecRule ARGS:action "^change_klarna_addon_status$" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2552
# Pair of rules for the same handler list. This one blocks when a Referer header
# is present and (lowercased) does not contain the server name.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141086,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_poll_wp'"
    SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:lowercase"

# DEFA-2552
# Companion to id 77141086: same handler list, blocks when the request carries
# no Referer header at all (header count equals 0).
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141087,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_poll_wp'"
    SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "chain,t:none,t:urlDecodeUni"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2581
# Blocks mapp_tpl_get / mapp_tpl_save / mapp_tpl_delete requests whose `name`
# argument contains "../" after URL-decoding.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141089,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Plugin MapPress Maps < 2.53.9 RCE 
(CVE-2020-12077)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_mappress'"
    SecRule ARGS:action "^(mapp_tpl_get|mapp_tpl_save|mapp_tpl_delete)$" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:name "@contains ../" "t:none,t:urlDecodeUni"

# DEFA-2644
# Pair of rules for td_ajax_update_panel. This one blocks when any argument
# whose name matches /wp_option/ has a value matching the listed pattern and a
# Referer header is present that does not contain the server name.
# NOTE(review): the value pattern is unanchored and includes the single
# characters 1 and 0, so any wp_option value containing either digit matches -
# confirm this breadth is intended.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142099,chain,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:/wp_option/ "@rx (administrator|subscriber|users_can_register|1|0)" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2644
# Companion to id 77142099: same match, for requests with no Referer header.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142100,chain,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:/wp_option/ "@rx (administrator|subscriber|users_can_register|1|0)" "chain,t:none,t:urlDecodeUni"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2475
# Companion to id 77141073: blocks elementor_ajax requests whose `actions`
# argument contains enable_safe_mode when no Referer header is sent. Unlike
# 77141073, the chained tests here do not URL-decode the arguments.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142103,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'"
    SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase"
    SecRule ARGS:actions "@contains enable_safe_mode" "chain,t:none"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2680
# Blocks requests to simple-ads-manager/sam-ajax-admin.php whose `action`
# contains one of the phrases upload_ad_image or na.
# NOTE(review): @pm matches phrases anywhere in the value, so the two-letter
# phrase "na" matches any action containing those letters - confirm intended.
SecRule REQUEST_FILENAME "@endsWith 
simple-ads-manager/sam-ajax-admin.php" "id:77142110,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the Simple Ads Manager plugin before 2.5.96 for WordPress (CVE-2015-2825)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_simple_ads_manager'"
    SecRule ARGS:action "@pm upload_ad_image na" "t:none,t:lowercase"

# DEFA-2711
# Pair of rules for revslider_ajax_action with client_action=get_captions_css.
# This one blocks when a Referer header is present and does not contain the
# server name.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142128,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
    SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:client_action "@streq get_captions_css" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2711
# Companion to id 77142128: same match, for requests with no Referer header.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142129,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
    SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:client_action "@streq get_captions_css" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2744
# Blocks dnd_codedropz_upload requests in which the supported_type argument or
# an uploaded file name ends with a "%" character after lowercasing and
# URL-decoding. The request file name is additionally HTML-entity-, JS- and
# CSS-decoded before the admin-ajax.php test.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142139,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,msg:'IM360 WAF: Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 RCE (CVE-2020-12800)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_drag_and_drop_multiple_file_upload_contact_form_7'"
    SecRule 
ARGS:action "@streq dnd_codedropz_upload" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:supported_type|FILES "@rx \%$" "t:none,t:lowercase,t:urlDecodeUni"

# DEFA-2571
# Blocks plupload_action requests whose `name` argument contains ".htaccess" or
# ends in .pht/.phtml/.php[digit] (lowercased and URL-decoded first).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142141,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin UpdraftPlus RCE (CVE-2017-16871)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_updraftplus'"
    SecRule ARGS:action "@streq plupload_action" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:name "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni"

# DEFA-2737
# Allow-list style check: denies the listed mailerlite_* actions when form_id is
# present and is anything other than an optionally negative integer.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142142,deny,severity:2,log,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress MailerLite Sign Up Forms Plugin SQL Injection||A:%{ARGS.action}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_official_mailerlite_sign_up_forms'"
    SecRule ARGS:action "@pm mailerlite_get_more_groups mailerlite_gutenberg_form_preview mailerlite_gutenberg_form_preview2 mailerlite_subscribe_form mailerlite_redirect_to_form_edit" "chain,t:none"
    SecRule ARGS:form_id "!@rx ^-?\d+$" "t:none,t:urlDecodeUni"

# DEFA-2640
# Denies save_map_name requests that include mapID and whose mapName contains
# "<script" after URL-decoding.
# NOTE(review): mapName is not lowercased before the @contains test, so the
# match is case-sensitive as written - confirm or add t:lowercase.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142143,deny,severity:2,log,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Easy2Map Persistent Cross-Site Scripting (XSS) Vulnerability||ARGS:action=%{ARGS.action}||ARGS:mapID=%{ARGS.mapID}||ARGS:mapName=%{ARGS.mapName}||T:APACHE||',tag:'wp_plugin_easy2map'"
    SecRule ARGS:action "@streq save_map_name" "chain,t:none,t:urlDecodeUni"
    SecRule &ARGS:mapID "@gt 0" "chain,t:none"
    SecRule ARGS:mapName "@contains <script" "t:none,t:urlDecodeUni"

# DEFA-2642
# Log-only (pass): for wpgdprc_process_action requests, copies data[type],
# data[option] and data[value] into TX variables for the log message, then
# matches when the type is save_setting and the option name does not start with
# "wpgdprc".
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142151,phase:2,severity:2,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: WordPress GDPR Compliance plugin - 
Unauthorized option update (array variant)||TYPE=%{TX._WPGDPRC_TYPE}||OPTION=%{TX._WPGDPRC_OPTION}||VALUE=%{TX._WPGDPRC_VALUE}||T:APACHE||',tag:'wp_plugin_wp_gdpr_compliance'"
    SecRule ARGS:action "@streq wpgdprc_process_action" "chain,t:none"
    SecRule &ARGS:data[type] "@gt 0" "chain,t:none,setvar:TX._WPGDPRC_TYPE=%{ARGS.data[type]}"
    SecRule &ARGS:data[option] "@gt 0" "chain,t:none,setvar:TX._WPGDPRC_OPTION=%{ARGS.data[option]}"
    SecRule &ARGS:data[value] "@gt 0" "chain,t:none,setvar:TX._WPGDPRC_VALUE=%{ARGS.data[value]}"
    SecRule TX:_WPGDPRC_TYPE "@streq save_setting" "chain,t:none"
    SecRule TX:_WPGDPRC_OPTION "!@rx ^wpgdprc" "t:none,t:lowercase"

# DEFA-2763
# Blocks td_ajax_update_panel requests that include at least one of
# wp_option[siteurl], wp_option[home], wp_option[users_can_register] or
# wp_option[default_role] and carry no Referer header.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142161,chain,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none,t:urlDecodeUni"
    SecRule &ARGS:wp_option[siteurl]|&ARGS:wp_option[home]|&ARGS:wp_option[users_can_register]|&ARGS:wp_option[default_role] "@ge 1" "chain,t:none,t:urlDecodeUni"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2777
# Log-only (pass, severity 5, tagged noshow): records elementor_ajax requests
# whose `actions` argument contains pro_assets_manager_custom_icon_upload.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142170,chain,pass,log,severity:5,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate Addons||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor',tag:'noshow'"
    SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:actions "@contains pro_assets_manager_custom_icon_upload" "t:none,t:urlDecodeUni"

# DEFA-2777
# Variant of id 77142170 (also pass/log) that additionally sets tx.rbl_perf=1
# and requires TX:RBL_IP to be listed on elementor.rbl.imunify.com. and not on
# nxdomain.v2.rbl.imunify.com.
# NOTE(review): TX:RBL_IP is populated outside this part of the file - confirm
# where it is set.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142171,chain,pass,log,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate 
Addons||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor',tag:'noshow'"
    SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase"
    SecRule ARGS:actions "@contains pro_assets_manager_custom_icon_upload" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl elementor.rbl.imunify.com." "chain,t:none"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none"

# DEFA-2841
# Denies requests whose `action` contains onetone_options_import and whose
# `options` argument contains "<script" (case-insensitive via the (?si) flags).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142195,chain,phase:2,severity:2,deny,log,t:none,t:normalizePath,msg:'IM360 WAF: OneTone 3.0.6 Unauthenticated Stored Cross-Site Scripting (CVE-2019-17230)(CVE-2019-17231)||T:APACHE||',tag:'wp_theme'"
    SecRule ARGS:action "@rx onetone_options_import" "chain,t:none"
    SecRule ARGS:options "@rx (?si)<script" "t:none"

# DEFA-2861
# Allow-list style check: for wpdloadmorecomments / wpdsorting, blocks when
# `order` or `orderBy` is present with any value other than comment_date_gmt,
# by_vote, asc or desc.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142205,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: SQL injection in wpDiscuz plugin before 5.3.6 (CVE-2020-13640)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wpdiscuz'"
    SecRule ARGS:action "@rx ^(wpdloadmorecomments|wpdsorting)$" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:order|ARGS:orderBy "!@rx ^(comment_date_gmt|by_vote|asc|desc)$" "t:none,t:urlDecodeUni"

# DEFA-2834
# Blocks pwbe_save_products requests whose body contains the sequence
# "><script after URL-decoding and whitespace removal.
# NOTE(review): the body test has no t:lowercase, so it is case-sensitive as
# written - confirm.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142210,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS in PW WooCommerce Bulk Edit||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_pw_bulk_edit'"
    SecRule ARGS:action "@streq pwbe_save_products" "chain,t:none"
    SecRule REQUEST_BODY "@rx \x22\x3E\x3Cscript" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-2985
# First of a series of log-only (pass, severity 5, tagged noshow) rules for the
# "Letsmakeparty3" redirection campaign; each records one plugin handler being
# used to change a site option. This one: ebor_framework_update_option with
# optionName=siteurl and an optionValue argument present.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142223,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (ebor framework 
v2)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.optionName:%{ARGS.optionName}||ARGS.optionValue:%{ARGS.optionValue}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq ebor_framework_update_option" "chain,t:none"
    SecRule ARGS:optionName "@streq siteurl" "chain,t:none"
    SecRule &ARGS:optionValue "@gt 0" "t:none"

# The rules below belong to the same campaign series. All are log-only (pass,
# severity 5, tagged noshow): they record the request and the relevant
# arguments in the log message but do not stop it.

# DEFA-2985
# efbl_save_access_token with an efbl_access_token containing "<script"
# (lowercased before the test).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142224,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (efbl_save_access_token)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.efbl_access_token:%{ARGS.efbl_access_token}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq efbl_save_access_token" "chain,t:none"
    SecRule ARGS:efbl_access_token "@contains <script" "t:none,t:lowercase"

# DEFA-2985
# setsetting with a yog_google_maps_api_key containing "<script".
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142226,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (setsetting)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.yog_google_maps_api_key:%{ARGS.yog_google_maps_api_key}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq setsetting" "chain,t:none"
    SecRule ARGS:yog_google_maps_api_key "@contains <script" "t:none,t:lowercase"

# DEFA-2985
# of_ajax_post_action whose `data` argument contains the serialized-PHP string
# markers s:4:"home" or s:7:"siteurl".
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142227,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (of_ajax_post_action)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.data:%{ARGS.data}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq of_ajax_post_action" "chain,t:none"
    SecRule ARGS:data "@rx (?:s(?:\x3a)4(?:\x3a)\x22home\x22|s(?:\x3a)7(?:\x3a)\x22siteurl\x22)" "t:none"

# DEFA-2985
# fs_set_db_option with option_name=siteurl and an option_value present.
# (Id 77140780 blocks the users_can_register use of the same handler.)
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142230,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 
campaign - malware redirection (fs_set_db_option)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.option_name:%{ARGS.option_name}||ARGS.option_value:%{ARGS.option_value}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq fs_set_db_option" "chain,t:none"
    SecRule ARGS:option_name "@streq siteurl" "chain,t:none"
    SecRule &ARGS:option_value "@gt 0" "t:none"

# DEFA-2985
# Log-only (pass, severity 5, noshow): td_ajax_update_panel whose wp_option
# argument contains the serialized-PHP marker s:7:"siteurl".
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142231,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (td_ajax_update_panel)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.wp_option:%{ARGS.wp_option}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none"
    SecRule ARGS:wp_option "@rx (?:s(?:\x3a)7(?:\x3a)\x22siteurl\x22)" "t:none"

# DEFA-2985
# Log-only: ect_dashboard_switch with option_name=siteurl and a `value` present.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142232,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (ect_dashboard_switch)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.option_name:%{ARGS.option_name}||ARGS.value:%{ARGS.value}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq ect_dashboard_switch" "chain,t:none"
    SecRule ARGS:option_name "@streq siteurl" "chain,t:none"
    SecRule &ARGS:value "@gt 0" "t:none"

# DEFA-2985
# Log-only: arm_update_feature_settings with arm_features_options=siteurl and
# an arm_features_status argument present.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142233,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (arm_update_feature_settings)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.arm_features_options:%{ARGS.arm_features_options}||ARGS.arm_features_status:%{ARGS.arm_features_status}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:action "@streq arm_update_feature_settings" "chain,t:none"
    SecRule ARGS:arm_features_options "@streq siteurl" "chain,t:none"
    SecRule &ARGS:arm_features_status "@gt 0" "t:none"

# DEFA-2985
# Unlike the log-only rules of this series, this one denies:
# astra-sites-import-widgets with widgets_data present and a Referer header
# that does not contain the server name.
# NOTE(review): Referer is client-supplied; confirm requests without a Referer
# header are covered elsewhere.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142235,phase:2,severity:2,deny,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (astra-sites-import-widgets - v2)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.widgets_data:%{ARGS.widgets_data}||',tag:'service_i360custom'"
    SecRule ARGS:action "@streq astra-sites-import-widgets" "chain,t:none"
    SecRule &ARGS:widgets_data "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-3103
# Blocks admin-ajax.php requests with action=rms_ping_from_the_universe (the
# rule message describes these as pingbacks from nulled themes).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142256,block,log,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Block nulled themes pingbacks||T:APACHE||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'service_i360custom'"
    SecRule ARGS:action "@streq rms_ping_from_the_universe" "t:none"

# DEFA-3100
# Not WordPress-specific: blocks requests to /cgi-bin/mainfunction.cgi with
# action=login whose keyPath argument contains a wget command followed by an
# http(s) URL (whitespace compressed and HTML entities decoded first).
SecRule REQUEST_FILENAME "@endsWith /cgi-bin/mainfunction.cgi" "id:77142259,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
    SecRule ARGS:action "@streq login" "chain,t:none"
    SecRule ARGS:keyPath "@rx [\s\+]?wget\shttps?:\/\/([^\s\+])" "t:none,t:compressWhitespace,t:htmlEntityDecode"

# DEFA-3330
# Denies post_grid_import_xml_layouts / team_import_xml_layouts requests whose
# `source` argument contains "://" and does not begin with "file://".
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77316738,deny,log,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin Post Grid < 2.0.73/Team Showcase < 1.22.16 - Stored Cross-Site Scripting||ARGS.action:%{ARGS.action}||ARGS.source:%{ARGS.source}||T:APACHE||',tag:'wp_plugin',tag:'service_i360custom'"
    SecRule ARGS:action "@rx ^(?:post_grid_import_xml_layouts|team_import_xml_layouts)$" "chain,t:none"
    SecRule ARGS:source "@contains ://" "chain,t:none"
    SecRule ARGS:source "!@beginsWith file://" "t:none"

# DEFA-3626
# POST-only, no file-name restriction: blocks requests whose `action` contains
# wp_ajax_cfp-new-post or wp_ajax_nopriv_cfp-new-post, that include
# post_content, post_status and post_author, and whose post_image_name or
# post_image value ends in one of the listed script extensions.
# NOTE(review): the extension test applies no t:lowercase and the list is
# lowercase only - confirm.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316778,chain,block,log,t:none,severity:2,msg:'IM360 WAF: WordPress Plugin 123contactform-for-wordpress Arbitrary File Upload||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'service_i360custom',tag:'im360_req_post'"
    SecRule ARGS:action "@pm wp_ajax_cfp-new-post wp_ajax_nopriv_cfp-new-post" "chain,t:none"
    SecRule &ARGS:post_content "@gt 0" "chain,t:none"
    SecRule &ARGS:post_status "@gt 0" "chain,t:none"
    SecRule &ARGS:post_author "@gt 0" "chain,t:none"
    SecRule ARGS:post_image_name|ARGS:post_image "@rx \.(?:phar|ph[p\d]|pl|py|cgi|asp|js|html|htm|phtml)$" "t:none"

# DEFA-3671
# Denies POST requests whose `action` contains upload_image and that include
# gallery_name but no `nonce` argument.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316782,chain,deny,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in NextGEN Gallery < 3.5.0 (CVE-2020-35943)||T:APACHE||',tag:'wp_plugin_nextgen_gallery',tag:'im360_req_post'"
    SecRule ARGS:action "@pm upload_image" "chain,t:none,t:urlDecodeUni"
    SecRule &ARGS:gallery_name "@gt 0" "chain,t:none"
    SecRule &ARGS:nonce "@eq 0" "t:none"

# DEFA-3755
# Not WordPress-specific (Cacti): blocks data_debug.php requests with
# action=ajax_hosts whose site_id contains ")", a single or double quote, or "<".
SecRule REQUEST_FILENAME "@endsWith /data_debug.php" "id:77316808,chain,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: SQL Injection in Cacti 1.2.0 - 1.2.16 (CVE-2020-35701)||T:APACHE||',tag:'service_i360custom'"
    SecRule ARGS:action "@streq ajax_hosts" "chain,t:none"
    SecRule ARGS:site_id "@rx [\)\'\x22<]" "t:none"

# DEFA-3794
# Denies POST requests whose `action` contains admin_post_wp_async_ or
# admin_post_nopriv_wp_async_ and whose body holds a serialized
# GuzzleHttp\Cookie\FileCookieJar object with a file name ending in
# .pht/.phtml/.ph[p][digit].
# NOTE(review): the method test here is an unanchored "@rx POST", while other
# rules in this file use ^POST$ - harmless but inconsistent.
SecRule REQUEST_METHOD "@rx POST" "id:77316813,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: PHP Object Injection vulnerability in Facebook plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule ARGS:action "@pm admin_post_wp_async_ admin_post_nopriv_wp_async_" "chain,t:none"
    SecRule REQUEST_BODY "@rx \x22GuzzleHttp\\Cookie\\FileCookieJar\*filename\x22;s\:\d{1,3}\:\x22[^\.]{7,160}\.(?:pht|phtml|php?\d?)\x22" "t:none,t:htmlEntityDecode"

# DEFA-3794
SecRule REQUEST_METHOD "@rx POST" 
"id:77316814,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in Facebook plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'im360_req_post'" SecRule ARGS:action "@pm wp_ajax_save_fbe_settings wp_ajax_delete_fbe_settings" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-3872 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316820,chain,block,log,severity:2,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Authenticated PHP Object Injection in Redirection for Contact Form 7 Plugin (CVE-2021-24280)||Data:%{ARGS.data[debug_info]}||T:APACHE||',tag:'wp_plugin'" SecRule ARGS:action "@streq import_from_debug" "chain,t:none,t:lowercase" SecRule &ARGS:data[debug_info] "@gt 0" "t:none" # DEFA-3873 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316821,chain,block,log,severity:2,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Arbitrary File Upload in Kaswara Modern WPBakery Page Builder Addons (CVE-2021-24284)||File:%{ARGS.fonticonzipfile}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'" SecRule ARGS:action "@streq uploadFontIcon" "t:none" # DEFA-4099 SecRule REQUEST_METHOD "POST" "id:77316853,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Privilege Escalation in WP User Avatar plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule ARGS:action "@streq pp_ajax_signup" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:/role/ "administrator" "t:none" # DEFA-4099 SecRule REQUEST_METHOD "POST" "id:77316854,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Arbitriary File Upload in WP User Avatar plugin for 
WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||FILES:%{FILES}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule ARGS:action "@streq update" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule FILES "!@rx \.(?:jpg|jpeg|png|gif)$" "t:none" # DEFA-1806 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140855,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin N-Media Website Contact Form with File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule REQUEST_BASENAME "@rx (?:upload_settings_image|admin-ajax)\.php" "chain,t:none,t:urlDecodeUni" SecRule ARGS:action "@streq nm_webcontact_upload_file" "chain,t:none" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1817 SecRule ARGS:action "@pm upload-plugin update_plugin themes themeupload revslider_ajax_action" "id:77140866,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Malicious plugin upload attempt||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-admin\/(?:update|admin-(?:ajax|post))\.php" "t:none,t:lowercase,chain" SecRule REQUEST_HEADERS:Accept "@streq */*" "t:none,chain" SecRule FILES "@rx ^(?:[a-z]{7}|rock)\.zip$" "t:none,capture" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140868,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Revslider Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" 
"chain,t:none,t:normalizePath" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:urlDecodeUni" SecRule ARGS:client_action "@streq update_plugin" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140869,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Simple Ads Manager Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_simple_ads_manager',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq upload_ad_image" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140903,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: FCKEditor Core 2.x 2.4.3 File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:param "@streq upload_slide" "chain,t:none,t:urlDecodeUni" SecRule ARGS:action "@streq load_library" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" 
"t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140910,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Slider Revolution 3.0.95 / Showbiz Pro 1.7.1 Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq showbiz_ajax_action" "chain,t:none,t:urlDecodeUni" SecRule ARGS:client_action "@streq update_plugin" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # DEFA-1873 SecRule ARGS:action "@pm wpuf_file_upload wpuf_insert_image" "id:77140928,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unrestricted Arbitrary File Upload in WP User Frontend plugin before 2.3.11 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin_wp_user_frontend'" SecRule FILES "@rx pwn.gif" "t:none" # DEFA-2089 SecRule REQUEST_FILENAME "@endsWith server/php/index.php" "id:77140973,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin ACF Frontend Display Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_acf_frontend_display'" SecRule REQUEST_FILENAME "@rx acf-frontend-display" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:action "@streq upload" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2172 SecRule ARGS:action "@streq output csv" 
"id:77140991,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: WordPress Plugin Participants Database SQL Injection vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_participants_database'" SecRule ARGS:CSV_type "@streq participant list" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:subsource "@streq participants-database" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:query "!@rx ^$" "t:none" # DEFA-2297 SecRule ARGS:action "@streq duplicator_download" "id:77141007,chain,msg:'IM360 WAF: Duplicator File Download Auth Bypass (CVE-2020-11738)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',phase:2,block,log,status:403,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_duplicator'" SecRule ARGS:file "@contains ../" "t:none,t:urlDecodeUni" # DEFA-2315 SecRule ARGS:action "@streq register" "id:77141013,chain,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Profile Builder Plugin Unauthenticated Administrator Registration||T:APACHE||USR:%{ARGS.username}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_profile_builder'" SecRule ARGS:custom_field_user_role "@streq administrator" "chain,t:none,t:lowercase" SecRule &ARGS:username "@gt 0" "chain,t:none" SecRule &ARGS:email "@gt 0" "chain,t:none" SecRule &ARGS:passw1 "@gt 0" "chain,t:none" SecRule &ARGS:passw2 "@gt 0" "t:none" # DEFA-2372 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141039,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Import Export Users < 1.3.9 Authenticated Arbitrary User Creation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_users_customers_import_export_for_wp_woocommerce'" SecRule ARGS:import_page "@streq wordpress_hf_user_csv" "chain,t:none,t:lowercase" SecRule ARGS:step "@streq 3" "chain,t:none" 
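SecRule ARGS:action "@streq user_csv_import_request" "chain,t:none,t:lowercase"
# Final link of the chain opened on the preceding lines: matches when the
# `file` argument does not contain this virtual host's name. @contains is a
# substring test, so a value that merely embeds the host name somewhere in a
# longer string is treated as local and is not flagged.
SecRule ARGS:file "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2368
# Pricing Table by Supsystic, CSRF heuristic: admin-ajax request with
# mod=tables, one of the listed table actions, an `id` argument, reqType=ajax
# and a Referer that does not contain the server name. `block` defers to the
# disruptive action configured by SecDefaultAction.
# NOTE(review): when the Referer header is absent the last link has nothing to
# inspect, so the chain presumably never completes for such requests - confirm
# on the engine in use. Treat this as a supplement to the plugin's own nonce
# check, not a replacement for it.
# @pm is a case-insensitive substring match, so short phrases such as `save`,
# `clear` and `remove` also match longer action names that contain them.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141042,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in Pricing Table by Supsystic plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_pricing_table'"
SecRule ARGS:mod "@streq tables" "chain,t:none"
SecRule ARGS:action "@pm getListForTbl remove removeGroup clear save exportForDb updateLabel changeTpl saveAsCopy getJSONExportTable createFromTpl" "chain,t:none"
SecRule &ARGS:id "@gt 0" "chain,t:none"
SecRule ARGS:reqType "@streq ajax" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:lowercase"

# DEFA-2710
# Duplicator Pro download handler: matches action=duplicator_pro_download with
# a `file` argument containing `../` after one URL-decode pass. The chain keys
# on the argument values only; no script path is tested.
SecRule ARGS:action "@streq duplicator_pro_download" "id:77142126,chain,msg:'IM360 WAF: Duplicator Pro File Download Auth Bypass (CVE-2020-11738)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',phase:2,block,log,status:403,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin'"
SecRule ARGS:file "@contains ../" "t:none,t:urlDecodeUni"

# DEFA-2717
# Ajax Load More, SQLi heuristic: POST with action=alm_update_repeater whose
# `value` or `repeater` argument contains a single quote or `<`.
# NOTE(review): the path test is the literal
# `/wordpress/wp-admin/admin-ajax.php`, so only sites served from a
# `/wordpress/` directory are covered, whereas the Pricing Table rule above
# uses `@endsWith`. Widening the path would also widen false positives,
# because any quote or `<` in the value triggers the rule - test before
# changing it.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142155,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQLi vulnerability in the Ajax Load More 5.3.1 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_ajax_load_more',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@contains /wordpress/wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS:action "@streq alm_update_repeater" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:value|ARGS:repeater "@pm ' <" "t:none,t:urlDecodeUni"

# DEFA-2768
# Layout note: the directive below is cut by the page's line wrap and
# continues on the following line; it is left exactly as found.
SecRule ARGS:action_rcs "@streq action_rcs_page_setting_save_post" "id:77142159,chain,severity:2,log,deny,t:none,msg:'IM360 WAF: WordPress Coming Soon Page & Maintenance Mode plugin - 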
Unauthenticated stored XSS||T:APACHE||HOOK:%{ARGS.hook}||PAYLOAD_IN:%{MATCHED_VAR_NAME}||PAYLOAD:%{MATCHED_VAR}',tag:'wp_plugin_responsive_coming_soon_page'" SecRule &ARGS:hook "@gt 0" "t:none,chain" SecRule ARGS|!ARGS:action_rcs|!ARGS:hook "@rx (?si)<script" "t:none" # DEFA-2772 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142175,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in Smart Google Code Inserter before 3.5 plugin for WordPress (CVE-2018-3810)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_delucks_seo',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-(?:ajax|post)|options-general)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@streq savegooglecode" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni,t:htmlEntityDecode" # DEFA-2772 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142176,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in Smart Google Code Inserter before 3.5 plugin for WordPress (CVE-2018-3810)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_delucks_seo',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-(?:ajax|post)|options-general)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@streq saveadwords" "chain,t:none,t:urlDecodeUni" SecRule ARGS:oId[] "@rx \D" "t:none,t:urlDecodeUni" # DEFA-2772 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142179,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in Travelpayouts plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_travelpayouts',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@streq import_csv" "chain,t:none,t:urlDecodeUni" SecRule ARGS:value[][] "@rx [\x22<]" 
"t:none,t:urlDecodeUni,t:htmlEntityDecode" # DEFA-2772 # DEFA-2762 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142180,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in thim_update_theme_mods||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@streq thim_update_theme_mods" "chain,t:none,t:urlDecodeUni" SecRule ARGS:thim_key "@pm thim_google_analytics siteurl" "chain,t:none,t:urlDecodeUni" SecRule ARGS:thim_value "@rx ([\x22<]|http)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase" # DEFA-2772 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142184,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in WP Quick Booking Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_quick_booking_manager',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@streq gen_save_cssfixfront" "chain,t:none,t:urlDecodeUni" SecRule ARGS:css "@rx ^<\/style>" "t:none,t:urlDecodeUni" # DEFA-2979 SecRule REQUEST_METHOD "@streq post" "chain,id:77142218,deny,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress plugin Adning Advertising - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||ARGS:allowed_file_types=%{ARGS.allowed_file_types}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq _ning_upload_image" "chain,t:none" SecRule ARGS:allowed_file_types "@rx (?i:php|phtml|pht|php5)" "t:none" # DEFA-3034 SecRule REQUEST_METHOD "@streq 
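post" "chain,id:77142241,deny,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress plugin wpDiscuz - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'service_i360custom',tag:'im360_req_post'"
# Remaining links of the wpDiscuz chain whose opening directive is completed
# by the line above: multipart POST to admin-ajax.php with
# action=wmuUploadFiles and an uploaded file name matching the pattern.
# `capture` stores the match in TX.0 for the message.
# NOTE(review): FILES holds the client-supplied file names, so `^wmu_files`
# anchors on the start of the file name itself. If the form field name was
# meant, this link only matches files literally named wmu_files... - verify
# against a test upload before relying on the rule.
SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@streq wmuUploadFiles" "chain,t:none"
SecRule FILES "@rx (?i)^wmu_files.{1,160}\.(?:pht|phtml|php\d?)$" "t:none,capture"

# DEFA-1205 Unauthenticated stored XSS in FV Flowplayer Video Player plugin for WordPress
# Detection only: `pass,log,severity:5` records the event and lets the request
# through. Matches a POST to admin-ajax.php whose action contains
# fv_wp_flowplayer_email_signup and whose `email` argument contains `<`.
# The last link gives no operator name, so the default regex operator applies.
SecRule REQUEST_METHOD "POST" "id:77140772,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Unauthenticated stored XSS in FV Flowplayer Video Player plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS:action "@contains fv_wp_flowplayer_email_signup" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:email "<" "t:none,t:urlDecodeUni"

# DEFA-3074
# Divi portability import: denies a multipart POST to admin-ajax.php with
# action=et_core_portability_import when an uploaded file name ends in
# .pht, .phtml or .php followed by an optional digit.
# NOTE(review): unlike the wpDiscuz pattern above, this one has neither `(?i)`
# nor t:lowercase, so an upper- or mixed-case extension is not matched. Whether
# such a file would be handled as PHP depends on the server's handler mapping -
# confirm, and consider making the match case-insensitive.
SecRule REQUEST_METHOD "@streq post" "chain,id:77142246,deny,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Divi Theme - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@streq et_core_portability_import" "chain,t:none"
SecRule FILES "@rx \.(?:pht|phtml|php\d?)$" "t:none,capture"

# DEFA-3106
# Layout note: the directive below is cut by the page's line wrap; its action
# list is on the following line. It is left exactly as found.
SecRule REQUEST_METHOD "@streq post" 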
"chain,id:77142253,deny,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress plugin Quiz and Survey Master - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qsm_upload_image_fd_question" "chain,t:none" SecRule FILES "@rx (?i)^file.{1,160}\.(?:pht|phtml|php\d?)$" "t:none,capture" # DEFA-3106 SecRule REQUEST_METHOD "@streq post" "chain,id:77142254,deny,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress plugin Quiz and Survey Master - Unauthenticated Arbitrary File Deletion||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.file_url:%{ARGS.file_url}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qsm_remove_file_fd_question" "chain,t:none" SecRule ARGS:file_url "@rx (?i)(?:pht|phtml|php\d?)$" "t:none" # DEFA-3135 SecRule REQUEST_METHOD "@streq post" "id:77316722,chain,deny,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress plugin Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||ARGS.action:%{ARGS.action}||FILES.file:%{FILES.file}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq ao_ccss_import" "chain,t:none" SecRule FILES "!@endsWith .zip" "t:none" # DEFA-3058 SecRule REQUEST_METHOD "@streq post" "id:77316726,chain,block,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress plugin 
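wpStoreCart - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||vulnerable_parameter:%{ARGS.seed_csp4_settings_content[headline]}||REMOTE_FILENAME:%{TX.1}||tx.0=%{TX.0}',tag:'service_i360custom',tag:'im360_req_post'"
# Remaining links of the chain whose action list ends on the line above:
# a request to /wp-admin/options.php with option_page=seed_csp4_settings_content,
# action=update and a headline value containing `<` after HTML-entity decoding.
# NOTE(review): the message logs %{TX.0} and %{TX.1}, but no link of this
# chain sets `capture`, so those fields will be empty or carry whatever an
# earlier rule stored. The message text (wpStoreCart, file upload) also does
# not obviously match the seed_csp4 headline test - looks copied; confirm.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" "chain,t:none,t:normalizePath"
SecRule ARGS:option_page "@streq seed_csp4_settings_content" "chain,t:none"
SecRule ARGS:action "@streq update" "chain,t:none"
SecRule ARGS:seed_csp4_settings_content[headline] "@rx \<" "t:none,t:htmlEntityDecode"

# DEFA-3683
# Responsive Menu, CSRF heuristic: POST to admin-post.php whose action matches
# the phrase list and whose Referer does not contain the server name.
# NOTE(review): @pm matches substrings, and the second phrase `admin_post` is
# contained in the first, so any action value containing `admin_post` matches.
# A request with no Referer header gives the last link nothing to inspect, so
# the chain presumably does not fire for it - confirm on the engine in use.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316785,chain,block,log,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_responsive_menu',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:action "@pm admin_post_rmp_upload_theme_file admin_post" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-3942
# External Media upload: denies a POST to admin-ajax.php whose action contains
# wp_ajax_upload-remote-file when an uploaded file name contains `.htaccess`
# or ends in .pht/.phtml/.php with an optional digit.
# NOTE(review): the last link omits `t:none`, unlike the other links, so any
# transformations set through SecDefaultAction would presumably run before the
# two listed here. The pattern is case-sensitive and no lowercase step is
# listed.
SecRule REQUEST_METHOD "@rx POST" "id:77316826,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in External Media plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@contains wp_ajax_upload-remote-file" "chain,t:none"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-3973
# Fancy Product Designer, upload allowlist: denies a POST to either listed
# path with an action matching fpd_custom_uplod_file when an uploaded file name
# (lowercased) does not end in one of the listed image/PDF extensions.
# The operator is negated, so this is an allowlist: anything not listed is
# refused. The action regex is unanchored and matches anywhere in the value.
SecRule REQUEST_METHOD "@rx POST" "id:77316837,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx fpd_custom_uplod_file" "chain,t:none"
SecRule FILES "!@rx \.(?:jpeg|jpg|png|svg|pjpeg|pdf)$" "t:none,t:lowercase,t:normalizePath"

# DEFA-3973
# Fancy Product Designer, remote URL variant: same path and action tests, then
# denies when the `url` argument contains `<?php` or `base64,`.
# The final pattern is case-sensitive (t:none only).
SecRule REQUEST_METHOD "@rx POST" "id:77316838,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx fpd_custom_uplod_file" "chain,t:none"
SecRule ARGS:url "@rx <\?php|base64," "t:none"

# DEFA-4039
# WooCommerce Stock Manager, upload allowlist: denies a POST to admin-ajax.php
# with action=admin_menu and an `upload` argument when an uploaded file name
# does not end in .csv or .txt.
# NOTE(review): the last link has no action list at all, so it has no explicit
# `t:none`; which transformations run on the file name then depends on
# SecDefaultAction. The extension test is case-sensitive as written, so a
# legitimate `.CSV` upload would be refused unless a default lowercase applies.
SecRule REQUEST_METHOD "@rx POST" "id:77316847,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in WooCommerce Stock Manager for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin_woocommerce_stock_manager',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@streq admin_menu" "chain,t:none"
SecRule &ARGS:upload "@gt 0" "chain,t:none"
SecRule FILES "!@rx \.(csv|txt)$"

# DEFA-4039
# WooCommerce Stock Manager, CSRF heuristic: same path and action, denied when
# the Referer does not contain the server name.
# NOTE(review): same Referer caveats as the Responsive Menu rule in this block
# (an absent header is presumably not matched; substring test only).
SecRule REQUEST_METHOD "@rx POST" "id:77316848,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in WooCommerce Stock Manager for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin_woocommerce_stock_manager',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@streq admin_menu" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-4046
# Layout note: the directive below is cut by the page's line wrap and
# continues on the following line; it is left exactly as found.
SecRule REQUEST_METHOD "@rx POST" "id:77316849,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in Fluent Forms Fastest Contact Form Builder Plugin for 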
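WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
# Remaining links of the Fluent Forms CSRF chain whose action list ends on the
# line above: admin-ajax.php request, action starting with `fluentform`,
# Referer not containing the server name.
# NOTE(review): a request without a Referer header gives the last link nothing
# to inspect, so the chain presumably does not fire for it; @contains is also
# satisfied by the host name appearing anywhere in the header. Confirm on the
# engine in use and keep the plugin's nonce validation as the real control.
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx ^fluentform" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# Collabtive: admin.php with action=addpro and a `desc` argument containing a
# single quote, double quote or `<`. Denies with status 403.
SecRule REQUEST_BASENAME "@streq admin.php" "id:77220820,chain,msg:'IM360 WAF: XSS vulnerability in Collabtive 1.2 (CVE-2014-3247)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:action "@streq addpro" "chain,t:none,t:lowercase"
SecRule ARGS:desc "@rx (?:'|\x22|<)" "t:none"

# Nibbleblog: controller=post, action=view, a hexadecimal `hash`, and an
# author_name or content argument containing a double quote or `<`.
# No path is tested; the chain keys on argument names and values only.
SecRule ARGS:controller "@streq post" "id:77240570,chain,msg:'IM360 WAF: XSS vulnerabilities in Nibbleblog before 4.0.2 (CVE-2014-8996)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:action "@streq view" "chain,t:none,t:lowercase"
SecRule ARGS:hash "@rx ^[0-9a-f]+$" "chain,t:none"
SecRule ARGS:author_name|ARGS:content "@rx \x22|<" "t:none"

# Dolibarr: any path containing `card.php` with action=update and `<` in one
# of the listed contact fields.
# @contains on the file name is broad: it matches every script whose path
# includes card.php, in any application on the host.
SecRule REQUEST_FILENAME "@contains card.php" "id:77240800,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.8.3 (CVE-2016-1912)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:action "@streq update" "chain,t:none,t:lowercase"
SecRule ARGS:lastname|ARGS:firstname|ARGS:job|ARGS:email|ARGS:signature "@contains <" "t:none,t:urlDecodeUni"

# MyBB registration: member.php with action=do_register, the registration
# submit value (lowercased, whitespace removed) and a single quote in
# `question_id`.
SecRule REQUEST_FILENAME "@endsWith member.php" "id:77242430,chain,msg:'IM360 WAF: SQL injection vulnerability in the MyBB 1.8.1 (CVE-2014-9240)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:action "@streq do_register" "chain,t:none,t:lowercase"
SecRule ARGS:regsubmit "@streq submitregistration!" "chain,t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"
SecRule ARGS:question_id "@contains '" "t:none,t:urlDecodeUni"

# MyBB report form: report.php with my_post_key and pid present,
# action=do_report and `<` in `type` after URL and HTML-entity decoding.
SecRule REQUEST_FILENAME "@endsWith report.php" "id:77242440,chain,msg:'IM360 WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule &ARGS:my_post_key "@ge 1" "chain,t:none"
SecRule ARGS:action "@streq do_report" "chain,t:none,t:lowercase"
SecRule &ARGS:pid "@ge 1" "chain,t:none"
SecRule ARGS:type "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

# MyBB signature editor: usercp.php with my_post_key present,
# action=do_editsig and a single or double quote in `signature`.
# NOTE(review): any quote character in a signature completes the chain, so
# ordinary text containing an apostrophe is denied as well - expect false
# positives on MyBB sites and review before enforcing.
SecRule REQUEST_FILENAME "@endsWith usercp.php" "id:77242441,chain,msg:'IM360 WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule &ARGS:my_post_key "@ge 1" "chain,t:none"
SecRule ARGS:action "@streq do_editsig" "chain,t:none,t:lowercase"
SecRule ARGS:signature "@rx '|\x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

# EspoCRM installer: action containing `errors`, path ending in
# /install/index.php, and `<` in `desc` after URL and HTML-entity decoding.
SecRule ARGS:action "@contains errors" "id:77243170,chain,msg:'IM360 WAF: XSS vulnerability in EspoCRM before 2.6.0 (CVE-2014-7987)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith /install/index.php" "chain,t:none,t:normalizePath,t:lowercase"
SecRule ARGS:desc "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

# MODX Revolution: HTTP_MODAUTH argument and PHPSESSID cookie present, `<` in
# `extended` or `pagetitle`, plus an action test whose pattern is on the next
# physical line. The second CVE identifier in the message is spelled out in
# full so that log searches by CVE id find this rule.
# Layout note: the last directive below is cut by the page's line wrap and is
# left exactly as found.
SecRule &ARGS:HTTP_MODAUTH "@ge 1" "id:77247650,chain,msg:'IM360 WAF: XSS vulnerability in the MODX Revolution through v2.7.0-pl (CVE-2018-20756 CVE-2018-20757)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule ARGS:extended|ARGS:pagetitle "@contains <" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:action "@rx 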
^(security\/user|resource)\/(?:create|update)$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:id|ARGS:dir "@contains .." "id:77243590,chain,msg:'IM360 WAF: Directory traversal in MODX Revolution before 2.5.2-pl (CVE-2016-10037 & CVE-2016-10039)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'other_apps'" SecRule ARGS:action "@pm getfiles getlist" "chain,t:none,t:lowercase" SecRule &REQUEST_HEADERS:modauth|&REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none" SecRule REQUEST_FILENAME "@contains /connectors/" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:wpTextbox1 "@contains </style>" "id:77244320,chain,msg:'IM360 WAF: XSS vulnerability in MediaWiki before 1.23.15 1.26.x before 1.26.4 and 1.27.x before 1.27.1 (CVE-2016-6333)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'" SecRule &ARGS:wpEditToken "@ge 1" "chain,t:none" SecRule ARGS:action "@streq submit" "chain,t:none,t:lowercase" SecRule ARGS:title "@endsWith common.css" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@rx \/(?:index\.php)?$" "t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:controller "@streq post" "id:77240563,chain,msg:'IM360 WAF: CSRF vulnerability in Nibbleblog before 4.0.5 (CVE-2015-6966)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'" SecRule ARGS:action "@streq new_simple" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule &SESSION:nbblog "!@eq 1" "t:none" SecRule REQUEST_FILENAME "@endsWith mod/assign/adminmanageplugins.php" "id:77242991,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,severity:2,tag:'other_apps'" SecRule ARGS:action "!@pm hide show" "chain,t:none,t:lowercase" SecRule &ARGS:subtype "@ge 1" 
"setvar:'SESSION.moodle_assignsubmission_sh=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_assignsubmission_sh=300',t:none,t:lowercase" SecRule ARGS:subtype "@streq assignsubmission" "id:77242992,chain,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.6.11 2.7.x before 2.7.13 2.8.x before 2.8.11 2.9.x before 2.9.5 and 3.0.x before 3.0.3 (CVE-2016-2157)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'" SecRule &ARGS:action "@ge 1" "chain,t:none" SecRule &ARGS:plugin "@ge 1" "chain,t:none" SecRule &SESSION:moodle_assignsubmission_sh "!@eq 1" "t:none" # DEFA-2702 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142125,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Block WordPress registration flood||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'im360_req_post'" SecRule REQUEST_URI "@contains wp-login.php" "chain,t:none" SecRule ARGS:action "@contains register" "chain,t:none,setvar:tx.rbl_perf=1" SecRule TX:RBL_IP "@rbl web-spammers.v2.rbl.imunify.com." "chain,t:none" SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." 
"t:none" SecRule ARGS:module "@pm config-mycode user-groups forum-management tools-tasks user-titles" "id:77242402,chain,msg:'IM360 WAF: XSS vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 (CVE-2015-2149)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'" SecRule ARGS:action "@pm add edit" "chain,t:none,t:lowercase" SecRule ARGS:title|ARGS:description "@contains <" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule &ARGS:my_post_key "!@eq 0" # DEFA-4149 SecRule REQUEST_METHOD "@rx POST" "id:77316878,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule &ARGS:uploadsDir "@gt 0" "chain,t:none" SecRule &ARGS:uploadsDirURL "@gt 0" "chain,t:none" SecRule FILES "!@rx \.(?:jpe?g|png|svg)$" "t:urlDecodeUni,t:removeWhitespace" # DEFA-4190 SecRule REQUEST_METHOD "@rx POST" "id:77316882,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Authenticated Directory Traversal vulnerability in WordPress Download Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@streq editpost" "chain,t:none" SecRule ARGS:file[page_template] "@rx \.\.\/" "t:none" # DEFA-4141 SecRule REQUEST_URI "@rx (\/wp-json|rest_route=)\/wc\/" "id:77316858,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi vulnerability in WooCommerce plugin for WordPress||Req:%{REQUEST_URI}||T:APACHE||',tag:'wp_plugin'" SecRule REQUEST_URI "@rx calculate_attribute_counts.*20(?:select|update)%" 
"t:none,t:lowercase" # DEFA-4244 SecRule REQUEST_METHOD "@rx ^POST$" "id:77316898,chain,deny,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in Nested Pages < 3.1.15 (CVE-2021-38342)||T:APACHE||',tag:'wp_plugin_wp_nested_pages',tag:'im360_req_post'" SecRule ARGS:action "@pm npBulkActions npBulkEdit" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /admin-post.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule &ARGS:nonce "@eq 0" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77316883,chain,phase:2,deny,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77316884,chain,phase:2,deny,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "chain,t:none" SecRule ARGS:key|ARGS:exclude "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77316885,chain,phase:2,pass,log,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||key:%{ARGS.key}||T:APACHE||exclude:%{ARGS.exclude}||',tag:'wp_plugin',tag:'noshow'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "chain,t:none" SecRule &ARGS:key|&ARGS:exclude "@gt 0" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" 
"id:77316886,chain,phase:2,deny,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "chain,t:none,setvar:tx.rbl_perf=1" SecRule TX:RBL_IP "@rbl infectors.v2.rbl.imunify.com." "chain,t:none" SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none" # DEFA-4374 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77317955,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Unauthenticated File Upload in SUMO Affiliates Pro||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'" SecRule ARGS:action "@streq fs_affiliates_file_upload" "chain,t:none,t:lowercase" SecRule ARGS:key "@streq upload_file" "chain,t:none,t:lowercase" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:lowercase" SecRule REQUEST_URI "@contains /wp-content/uploads/fs-files/" "id:77317956,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: RCE in SUMO Affiliates Pro||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none" # DEFA-4390 SecRule REQUEST_METHOD "POST" "id:77317960,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Authenticated Stored Cross-Site Scripting in Brizy - Page Builder plugin for WordPress 
(CVE-2021-38344)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_update_item" "chain,t:none" SecRule ARGS:data "@pm <script" "t:none" SecRule REQUEST_METHOD "POST" "id:77317961,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload and Path Traversal in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule ARGS:id "@rx \.\.\/|\.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)" SecRule REQUEST_METHOD "POST" "id:77317962,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule ARGS:ibsf "@pm <script <?php" "t:none" SecRule REQUEST_METHOD "POST" "id:77317963,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule 
ARGS:ibsf "@pm <script <?php" "t:none,t:base64Decode" SecRule REQUEST_METHOD "POST" "id:77317964,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none" # DEFA-4414 SecRule REQUEST_METHOD "@rx ^POST$" "id:77317970,chain,deny,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in WP Fastest Cache Plugin < 0.9.5 (CVE-2021-24870)||T:APACHE||',tag:'wp_plugin_wp_fastest_cache',tag:'im360_req_post'" SecRule ARGS:action "@streq wpfc_save_cdn_integration" "chain,t:none,t:urlDecodeUni" SecRule &ARGS:nonce "@eq 0" "t:none" # DEFA-4426 SecRule REQUEST_METHOD "@streq POST" "id:77317972,chain,block,severity:2,t:none,msg:'IM360 WAF: Content deletion prevention in HashThemes Demo Importer <= 1.1.1 plugin for WordPress (CVE-2021-39333)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx (?:\/wp-admin\/admin-ajax|\/hashthemes-demo-importer)\.php$" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq wp_ajax_hdi_install_demo" "chain,t:none" SecRule ARGS:reset "@streq true" "t:none" # DEFA-4226 SecRule REQUEST_METHOD "@rx ^POST$" "id:77317982,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Code injection in Kaswara WordPress Plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME 
"@pm /wp-admin/admin-ajax.php /wp-content/plugins/kaswara/includes/handlers/ajax_handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq wp_ajax_kaswaraCustomCode" "chain,t:none" SecRule ARGS:customJS "!@rx ^$" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317983,chain,block,log,t:none,severity:2,msg:'IM360 WAF: SQL injection in Kaswara WordPress Plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-content/plugins/kaswara/includes/handlers/ajax_handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq wp_ajax_kaswaraCustomCode" "chain,t:none" SecRule ARGS "@contains '" # DEFA-4445 SecRule ARGS:action "@streq admin-dismiss-unsubscribe" "id:77317984,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Page Deletion in WP DSGVO Tools (GDPR) <= 3.1.23 Plugin for WordPress (CVE-2021-42359)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}',tag:'wp_plugin'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule &ARGS:id|&ARGS:postid "!@eq 0" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in_*/ "@eq 0" # DEFA-4537 SecRule REQUEST_METHOD "@rx POST" "id:77317991,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in User Registration Plugin for WordPress (CVE-2021-4073)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'noshow',tag:'im360_req_post'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq rm_login_social_user" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none" # DEFA-4636 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" 
"id:77318030,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Cross-Site Request Forgery in Login/Signup Popup & Waitlist Woocommerce & Side Cart Woocommerce plugins for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'" SecRule ARGS:action "@contains xoo_admin_settings_save" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@rx %{SERVER_NAME}" "t:none" # DEFA-4684 SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" "id:77318037,chain,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Path Traversal vulnerability in WordPress 5.0.0||File:%{FILES.meta_input[_wp_attached_file]}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'im360_req_post'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule ARGS:action "@rx edit" "chain,t:none" SecRule ARGS:meta_input[_wp_attached_file] "@rx \/\.\.\/\.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" "id:77318038,chain,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: RFI vulnerability in WordPress 5.0.0||File:%{FILES.meta_input[_wp_attached_file]}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'im360_req_post'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule ARGS:action "@rx edit" "chain,t:none" SecRule ARGS:meta_input[_wp_attached_file] "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none" # DEFA-4687 SecRule REQUEST_METHOD "@rx POST" "id:77318040,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: LFI & RCE Essential Addons for Elementor plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@rx 
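wp_ajax_(?:nopriv_eael|eael_product)_product_gallery" "chain,t:none"
# The line above completes the action pattern of rule 77318040 (Essential Addons for
# Elementor, product gallery handler), whose first links are on the preceding line.
# NOTE(review): the selector below opens with '/' but has no closing '/'. ModSecurity's
# pattern form is ARGS:/regex/, so confirm this is not read as a literal argument name.
# NOTE(review): in the operator pattern the dots of \/..?\/ are unescaped, so any one or
# two characters between slashes match, and <php has no '?'. Confirm both are intended.
SecRule ARGS:/template_info* "@rx \/..?\/|<php" "t:none"

# Essential Addons for Elementor LFI/RCE, load_more handler.
# POST to /wp-admin/admin-ajax.php with an action matching wp_ajax_(nopriv_)?load_more.
# The final link uses the same selector and pattern as rule 77318040 above; the same
# review questions apply.
SecRule REQUEST_METHOD "@rx POST" "id:77318041,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: LFI & RCE Essential Addons for Elementor plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx wp_ajax_(nopriv_)?load_more" "chain,t:none"
SecRule ARGS:/template_info* "@rx \/..?\/|<php" "t:none"

# DEFA-4706
# PHP Everywhere < 3.0.0 RCE (CVE-2022-24663): POST to admin-ajax.php whose action matches
# parse-media-shortcode and whose shortcode argument contains [php_everywhere].
SecRule REQUEST_METHOD "@rx POST" "id:77318042,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24663)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@rx parse-media-shortcode" "chain,t:none"
SecRule ARGS:shortcode "@contains [php_everywhere]" "t:none"

# PHP Everywhere < 3.0.0 RCE (CVE-2022-24664): POST to /wp-admin/post.php with an action
# containing "edit", a meta-box-loader argument present, and [php_everywhere] in any argument.
# NOTE(review): no link looks at who sends the request, so post saves that contain the
# shortcode are matched for every user. Expect hits on sites that still use the shortcode.
SecRule REQUEST_METHOD "@rx POST" "id:77318043,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24664)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@contains edit" "chain,t:none"
SecRule &ARGS:meta-box-loader "@gt 0" "chain,t:none"
SecRule ARGS "@contains [php_everywhere]" "t:none"

# PHP Everywhere < 3.0.0 RCE (CVE-2022-24665): as rule 77318043, but keyed on a "post"
# argument being present instead of meta-box-loader. The URI link has no t:lowercase here.
SecRule REQUEST_METHOD "@rx POST" "id:77318044,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24665)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@contains edit" "chain,t:none"
SecRule &ARGS:post "@gt 0" "chain,t:none"
SecRule ARGS "@contains [php_everywhere]" "t:none"

# DEFA-4586
# All in One SEO < 4.1.5.3 privilege escalation (CVE-2021-25036): the URI contains
# /wp-json/aioseo/v1/ and the matched value contains an uppercase ASCII letter.
# NOTE(review): presumably aimed at mixed-case route names. The second link tests the whole
# matched URI, so an uppercase letter anywhere in it also matches; watch for false positives.
SecRule REQUEST_URI "@contains /wp-json/aioseo/v1/" "id:77318019,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated Privilege Escalation in All in One SEO < 4.1.5.3 plugin for WordPress (CVE-2021-25036)||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule MATCHED_VAR "@rx [A-Z]" "t:none"

# DEFA-4708
# Single (unchained) rule: any request whose URI contains the core-engine plugin path.
SecRule REQUEST_URI "@contains /wp-content/plugins/core-engine/" "id:77350005,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Block malicious plugin for WordPress||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"

#DEFA-4729
# Single (unchained) rule: any request whose lower-cased URI contains the wp-breeze plugin path.
# The action list is closed with its double quote, so the directive ends on this line.
SecRule REQUEST_URI "@contains /wp-content/plugins/wp-breeze/" "id:77350009,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Fake WP-Breeze Plugin blocked||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# WordPress before 4.5.3 XSS (CVE-2016-5834): POST or GET to async-upload.php with action
# upload-attachment where an uploaded file's name contains '<'.
SecRule REQUEST_METHOD "@pm POST GET" "id:77225140,chain,msg:'IM360 WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_core'"
SecRule ARGS:action "@streq upload-attachment" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule FILES "@contains <" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq async-upload.php" "t:none,t:urlDecodeUni,t:lowercase"

# WordPress 4.9.7 unrestricted upload (CVE-2018-14028): update.php with action upload-plugin
# or upload-theme where an uploaded file's name does not end in .zip. The last link's
# action list continues on the next line.
SecRule REQUEST_METHOD "@pm POST GET" "id:77225210,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in WordPress 4.9.7 (CVE-2018-14028)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_core'"
SecRule REQUEST_BASENAME "@streq update.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:action "@rx ^upload-(?:plugin|theme)$" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule FILES "!@rx \.zip$" 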
"t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:fn "@contains .." "id:77225190,chain,msg:'IM360 WAF: Unauthenticated Directory traversal vulnerability in Javo Spot Premium Theme for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'service_wp_theme'" SecRule ARGS:action "@streq jvfrm_spot_get_json" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77229090,chain,msg:'IM360 WAF: XSS vulnerability in the WooCommerce plugin before 2.6.9 for WordPress (CVE-2016-10112)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_woocommerce'" SecRule ARGS:action "@streq woocommerce_tax_rates_save_changes" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:/postcode/ "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230820,chain,msg:'IM360 WAF: XSS vulnerability in Unite Gallery Lite plugin 1.7.43 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_unite_gallery_lite'" SecRule ARGS:action "@streq unitegallery_ajax_action" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:data[main][title]|ARGS:data[title] "@rx \x22|<" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77232100,chain,msg:'IM360 WAF: XSS vulnerability in Bookly - Online Booking and Scheduling Plugin 16.4 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_bookly_responsive_appointment_booking_tool'" SecRule ARGS:action "@streq bookly_update_service" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:title "@contains <" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77232721,chain,msg:'IM360 
WAF: XSS vulnerability in WP Fastest Cache 0.8.8.5 for WordPress (CVE-2018-17583 CVE-2018-17586)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_fastest_cache'" SecRule ARGS:action "@beginsWith wpfc_save_" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:/^rules\[\d+?]\[content]$/ "@contains <" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77232950,chain,msg:'IM360 WAF: XSS vulnerability in Ape Gallery plugin 1.6.14 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_gallery_images_ape'" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:action "@Within save-attachment save-attachment-compat" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:changes[title]|ARGS:/^attachments\[\d+\]\[wpape_gallery_effect\]$/ "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77232960,chain,msg:'IM360 WAF: XSS vulnerability WP Google Maps plugin 7.11.17 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_google_maps'" SecRule ARGS:action "@streq wpgmza_settings_page_post" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:wpgmza_gdpr_company_name|ARGS:wpgmza_gdpr_retention_purpose "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith client-assist.php" "id:77226200,chain,msg:'IM360 WAF: XSS vulnerability in the dsIDXpress IDX plugin before 2.1.1 and WordPress Edition plugin 1.0-beta10 and earlier for WordPress (CVE-2014-4521 / CVE-2014-4522)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_dssearchagent_wordpress_edition'" SecRule ARGS:action "@contains 
<" "t:none,t:urlDecodeUni" SecRule ARGS:action "@streq fw_send_email" "id:77230460,chain,msg:'IM360 WAF: XSS vulnerability in Multi Step Form plugin through 1.2.5 for WordPress (CVE-2018-14430)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_multi_step_form'" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:email|ARGS:/^fw_data\[/ "@contains <" "t:none,t:urlDecodeUni" SecRule ARGS:action "@streq revslider_show_image" "id:77222050,chain,msg:'IM360 WAF: Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress (CVE-2014-9734)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'service_wp_plugin'" SecRule ARGS:img "@contains .." "chain,t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:action "@contains ../" "id:77232730,chain,msg:'IM360 WAF: LFI and CSRF vulnerability in WebDorado Contact Form Builder plugin 10Web Form Maker plugin before 1.13.5 for WordPress (CVE-2019-11557 CVE-2019-11590 CVE-2019-11591)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_form_maker'" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77226632,chain,msg:'IM360 WAF: XSS vulnerability in the Welcart e-Commerce plugin 1.3.12 for WordPress (CVE-2014-10016)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_welcart'" SecRule ARGS:action "@contains shop_options_ajax" "chain,t:none,t:lowercase" SecRule ARGS:mode "@contains update_delivery_method" 
"chain,t:none,t:lowercase" SecRule ARGS:time|ARGS:nocod|ARGS:intl "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77226760,chain,msg:'IM360 WAF: SQL injection vulnerability in Survey and Poll plugin 1.1.7 for WordPress (CVE-2015-2090)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_survey_and_poll'" SecRule ARGS:action "@streq ajax_survey" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:survey_id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77232360,chain,msg:'IM360 WAF: SQL vulnerability in WordPress Booking Calendar Plugin v8.4.3 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_booking_calendar'" SecRule ARGS:action "@streq trash_restore" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:booking_id "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77226931,chain,msg:'IM360 WAF: SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress (CVE-2015-2824)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_simple_ads_manager'" SecRule ARGS:action "@streq load_users" "chain,t:none,t:lowercase" SecRule ARGS:subscriber|ARGS:contributor|ARGS:author|ARGS:editor|ARGS:admin "!@rx ^[a-z]+$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77226933,chain,msg:'IM360 WAF: SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress (CVE-2015-2824)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_simple_ads_manager'" SecRule ARGS:action "@streq load_posts" "chain,t:none,t:lowercase" SecRule ARGS:cstr "@rx \D" "t:none" SecRule &SESSION:wp_session 
"@ge 1" "id:77230151,chain,msg:'IM360 WAF: CSRF vulnerability in Acurax-social-media-widget plugin before 3.2.6 for WordPress (CVE-2018-6357)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_acurax_social_media_widget'" SecRule ARGS:action "@streq acx_asmw_saveorder" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:wp_acx_asmw "!@eq 1" "chain,t:none" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77230521,chain,msg:'IM360 WAF: CSRF vulnerability in ULike plugin version 2.8.1 3.1 for WordPress (CVE-2018-1000511)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_ulike'" SecRule ARGS:action "@streq ulikelogs" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:wp_ulike "!@eq 1" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77232130,chain,msg:'IM360 WAF: Open redirect vulnerability in Ninja Forms plugin before 3.3.19.1 for WordPress (CVE-2018-19796)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_ninja_forms'" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:action "@streq nf_download_all_subs" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:args[redirect] "@beginsWith http" "t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77232471,chain,msg:'IM360 WAF: CSRF vulnerability in Smart Forms plugin before 1.2.2 for WordPress (CVE-2019-5920)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_smart_forms'" SecRule ARGS:action "@streq formcraft_basic_form_save" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:smartforms "!@eq 1" "t:none" SecRule 
REQUEST_METHOD "@rx ^POST$" "id:77232570,chain,msg:'IM360 WAF: File upload and RCE vulnerabilities in Slider Revolution Plugin for WordPress (CVE-2014-9735)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,status:403,log,t:none,severity:2,tag:'service_wp_plugin',tag:'im360_req_post'" SecRule &ARGS:client_action "@ge 1" "chain,t:none" SecRule &ARGS:data "@gt 0" "chain,t:none" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77226910,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the Simple Ads Manager plugin before 2.5.96 for WordPress (CVE-2015-2825)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_simple_ads_manager'" SecRule ARGS:action "@streq upload_ad_image" "chain,t:none,t:lowercase" SecRule FILES "!@rx \.(?:jpe?g|gif|bmp|png)$" "t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:action "@pm miglaA_update_me wpgdprc_process_action" "id:77230970,chain,msg:'IM360 WAF: Arbitrary Code Execution vulnerability in WP GDPR Compliance plugin before 1.4.3 and Total Donations plugin through 2.0.5 for WordPress (CVE-2018-19207 CVE-2019-6703)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_wp_gdpr_compliance'" SecRule ARGS:data "@pm administrator editor users_can_register" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77233122,chain,msg:'IM360 WAF: XSS vulnerability in WordPress Download 
Manager Plugin 2.9.96 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_download_manager'" SecRule ARGS:action "@streq wpdm_settings" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS|!ARGS:wpdm_login_msg|!ARGS:wpdm_permission_msg|!ARGS:__wpdm_blocked_ips_msg "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77233420,chain,msg:'IM360 WAF: Unrestricted file upload Vulnerability in SupportCandy plugin through 2.0.0 for WordPress (CVE-2019-11223)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_supportcandy'" SecRule &ARGS:setting_action "@ge 1" "chain,t:none" SecRule ARGS:action "@streq wpsc_tickets" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule FILES "@rx \.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|p(?:l|y)|rb|sh|cgi|com|bat|aspx?)" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77233640,chain,msg:'IM360 WAF: SQLi Vulnerability in Adenion Blog2Social plugin through 5.5.0 for WordPress (CVE-2019-13572)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_blog2social'" SecRule ARGS:action "@streq b2s_sort_data" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:/^b2sSort/|ARGS:b2sSchedDate|ARGS:b2sUserLang "@rx \W" "t:none,t:urlDecodeUni" # DEFA-3987 SecRule &ARGS:page "@lt 1" "id:77316870,pass,phase:2,nolog,severity:5,skipAfter:MARKER_page,msg:'ARGS page optimization||T:APACHE||',tag:'noshow',tag:'service_gen'" # DEFA-1797 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-post.php" "id:77140853,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin MailPoet Newsletters 2.6.8 wysija-newsletters Arbitrary File Upload 
Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wysija_newsletters'" SecRule ARGS:page "@streq wysija_campaigns" "chain,t:none,t:lowercase" SecRule ARGS:action "@rx ^(?:themes|themeupload)$" "chain,t:none,t:lowercase" SecRule FILES "@rx (rock\.zip|\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace" # DEFA-2119 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-post.php" "id:77140984,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin MailPoet Newsletters 2.6.8 wysija-newsletters Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wysija_newsletters'" SecRule ARGS:page "@streq wysija_campaigns" "chain,t:none,t:lowercase" SecRule ARGS:action "@rx ^(?:themes|themeupload)$" "chain,t:none,t:lowercase" SecRule FILES "@rx ^(([a-zA-Z]{5}|XAttacker)\.zip)$" "t:none,t:urlDecodeUni,t:removeWhitespace" # DEFA-2335 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141019,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Participants Database < 1.9.5.6 Authenticated Time Based SQL Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_participants_database'" SecRule ARGS:page "@streq participants-database" "chain,t:none,t:lowercase" SecRule ARGS:action "@streq admin_list_filter" "chain,t:none,t:lowercase" SecRule ARGS:ascdesc "!@rx ^(desc|asc)$" "t:none,t:urlDecodeUni,t:lowercase" # DEFA-2335 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141020,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Participants Database < 1.9.5.6 Authenticated Time Based SQL Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_participants_database'" SecRule ARGS:page "@streq 
participants-database" "chain,t:none,t:lowercase"
    SecRule ARGS:action "@streq admin_list_filter" "chain,t:none,t:lowercase"
    # Final link of a chain whose starter sits before this line: it matches when
    # list_filter_count contains any non-digit character.
    SecRule ARGS:list_filter_count "@rx \D" "t:none,t:urlDecodeUni"

# DEFA-2341
# Rule 77141025 - request-origin check for the Htaccess (BestWebSoft) editor screen.
# Every link must match: the file name ends in /wp-admin/admin.php, page=htaccess.php,
# action=htaccess_editor, an htccss_customise argument is present, and the Referer header
# does not contain the server name.
# `block` takes its disruptive action from SecDefaultAction and no phase: is given here, so
# both come from configuration that is not part of this excerpt.
# NOTE(review): the Referer test is a substring heuristic, and a request that carries no
# Referer header presumably gives the last link nothing to test (confirm). Treat this rule as
# a stop-gap; the plugin's own nonce validation is the actual CSRF control.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141025,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Htaccess by BestWebSoft <= 1.8.1 CSRF to edit .htaccess||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_htaccess'"
    SecRule ARGS:page "@streq htaccess.php" "chain,t:none,t:lowercase"
    SecRule ARGS:action "@streq htaccess_editor" "chain,t:none,t:lowercase"
    SecRule &ARGS:htccss_customise "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2772
# Rule 77142182 - POST to admin-ajax.php or admin-post.php with
# page=wpsm_responsive_coming_soon and the settings-save action, blocked when
# rcsp_description or rcsp_headline contains the character "<".
# NOTE(review): msg names "WP Quick Booking Manager" while the tag and every matched
# parameter refer to the responsive coming soon plugin. When triaging alerts, key on the rule
# id and tag rather than on the msg text.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142182,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in WP Quick Booking Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_responsive_coming_soon',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:page "@streq wpsm_responsive_coming_soon" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:action_rcs "@streq action_rcs_page_setting_save_post" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:rcsp_description|ARGS:rcsp_headline "@contains <" "t:none,t:urlDecodeUni"

# DEFA-2772
# Rule 77142186 - settings save for WP Inventory Manager (page=wpim_manage_settings).
# The chain continues past the end of this line.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142186,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated settings update in WP Inventory Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_inventory_manager',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:page "@streq wpim_manage_settings" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:action
"@streq save" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni" # DEFA-3007 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142243,chain,phase:2,block,severity:2,log,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in Coming Soon Page, Under Construction & Maintenance Mode by SeedProd Plugin (CVE-2020-15038)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_coming_soon_page',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq seed_csp4" "chain,t:none" SecRule ARGS:option_page "@streq seed_csp4_settings_content" "chain,t:none" SecRule ARGS:action "@streq update" "chain,t:none" SecRule ARGS:seed_csp4_settings_content[headline] "@contains <" "t:none" SecRule REQUEST_METHOD "@streq post" "id:77222012,chain,msg:'IM360 WAF: CSRF vulnerability in the WordPress File Upload plugin before 2.4.2 for WordPress (CVE-2014-5199)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_wp_file_upload',tag:'im360_req_post'" SecRule ARGS:page "@streq wordpress_file_upload" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:action "@streq edit_settings" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:ref "!@eq 1" "chain" SecRule REQUEST_BASENAME "@streq options-general.php" "t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77226651,chain,msg:'IM360 WAF: CSRF vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress (CVE-2015-0895)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,severity:2,tag:'wp_plugin_all_in_one_wp_security_and_firewall'" SecRule REQUEST_FILENAME "@endsWith admin.php" "chain,t:none,t:lowercase" SecRule ARGS:page "@contains aiowpsec" "chain,t:none,t:lowercase" SecRule ARGS:tab "@streq tab6" "chain,t:none,t:lowercase" SecRule 
ARGS:action|ARGS:action2 "@contains delete" "chain,t:none,t:lowercase"
    SecRule &SESSION:wpsec "!@eq 1" "t:none"

# Rules 77210870 and 77210871 work as a pair built on a session marker.
# 77210870 (pass, nolog) sets SESSION.wp_crony=1 with a 300-second expiry when a request that
# already has SESSION:wp_session visits admin.php with page=crony and an action accepted by
# "@within add edit".
# NOTE(review): @within is true when the argument value occurs inside the string "add edit",
# which is looser than an exact match on either word. Where the SESSION collection is
# initialised is not visible in this excerpt.
SecRule &SESSION:wp_session "@ge 1" "id:77210870,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_crony'"
    SecRule ARGS:page "@streq crony" "chain,t:none,t:lowercase"
    SecRule ARGS:action "@within add edit" "chain,t:none,t:lowercase"
    SecRule REQUEST_BASENAME "@endsWith admin.php" "setvar:'SESSION.wp_crony=1',expirevar:'SESSION.wp_crony=300',t:none,t:lowercase"

# 77210871 denies (403) a request to admin.php with page=crony and a `name` argument when the
# SESSION.wp_crony marker count is not exactly 1, i.e. the form page was not seen first.
SecRule &SESSION:wp_session "@ge 1" "id:77210871,chain,msg:'IM360 WAF: CSRF vulnerability in Crony Cronjob Manager plugin before 0.4.7 for WordPress (CVE-2017-14530)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_crony'"
    SecRule &ARGS:name "@ge 1" "chain,t:none"
    SecRule ARGS:page "@streq crony" "chain,t:none,t:lowercase"
    SecRule REQUEST_BASENAME "@endsWith admin.php" "chain,t:none,t:lowercase"
    SecRule &SESSION:wp_crony "!@eq 1" "t:none"

# DEFA-4819
# Rule 77350027 - Elementor CVE-2022-1329: POST to /wp-admin/admin-ajax.php with
# action=admin_init.
# The link `&ARGS:_nonce "@ge 0"` is always true (a count cannot be negative); it appears to
# exist only to carry setvar:tx.rbl_perf=1.
# The deny additionally requires the address in TX:RBL_IP (populated outside this excerpt) to
# be listed by the infectors RBL zone. The negated lookup against the nxdomain zone is
# presumably a guard against resolvers that answer every name - confirm.
# NOTE(review): this makes the rule reputation-gated rather than a generic virtual patch, and
# @rbl performs DNS lookups while the request is processed. Sites still need the fixed
# Elementor release.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77350027,chain,phase:2,deny,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: RCE Vulnerability in Elementor WordPress Plugin (CVE-2022-1329)||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:action "@streq admin_init" "chain,t:none"
    SecRule &ARGS:_nonce "@ge 0" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl infectors.v2.rbl.imunify.com." "chain,t:none"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com."
"t:none" # DEFA-3987 SecMarker MARKER_action # DEFA-3987 SecRule &ARGS:page "@lt 1" "id:77316872,pass,phase:2,nolog,severity:5,skipAfter:MARKER_page,msg:'ARGS page optimization||T:APACHE||',tag:'noshow',tag:'service_gen'" # DEFA-1528 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77140799,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in Post SMTP plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:page "@streq postman_email_log" "t:none,chain" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@ge 1" "t:none,chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-1529 SecRule REQUEST_METHOD "@streq POST" "id:77140800,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS vulnerability in Maintenance plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "t:none,t:normalizePath,chain" SecRule ARGS:page "@streq maintenance" "t:none,chain" SecRule ARGS:lib_options[page_title] "@rx \x22" "t:none" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140906,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin pageline File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin_pagelines_plus',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx (?:wp-admin\/admin-post\.php|wp-admin\/admin-ajax\.php)$" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq pagelines" "chain,t:none,t:urlDecodeUni" SecRule ARGS:settings_upload "@streq settings" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:urlDecodeUni" # 
DEFA-2201 CSRF to RCE Vulnerability in Code Snippets Plugin SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77140998,chain,block,log,severity:2,t:none,t:normalizePath,t:urlDecodeUni,msg:'IM360 WAF: CSRF to RCE Vulnerability in Code Snippets Plugin for WordPress (CVE-2020-8417)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_snippets'" SecRule ARGS:page "@streq import-snippets" "t:none,chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-2336 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141022,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Registration Magic < 4.6.0.3 Authenticated SQL Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_wp_plugin'" SecRule ARGS:page "@streq rm_analytics_show_form" "chain,t:none,t:lowercase" SecRule ARGS:rm_form_id "@rx \D" "t:none,t:urlDecodeUni" # DEFA-2337 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141023,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Plugin Huge IT Slider 2.6.8 SQL Injection (CVE-2015-2062)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule ARGS:page "@streq sliders_huge_it_slider" "chain,t:none,t:lowercase" SecRule ARGS:task "@rx ^(popup_posts|edit_cat)$" "chain,t:none,t:lowercase" SecRule ARGS:removeslide "@rx ^.{12,}" "t:none,t:urlDecodeUni,t:lowercase" # DEFA-2363 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141032,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Ultimate Membership Pro < 8.7 CSRF allowing Arbitrary Account Deletion||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_member'" SecRule ARGS:page "@streq ihc_manage" "chain,t:none,t:lowercase" 
SecRule ARGS:tab "@streq users" "chain,t:none,t:lowercase" SecRule &ARGS:delete "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-2363 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141033,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Ultimate Membership Pro < 8.7 CSRF allowing Arbitrary Account Creation||T:APACHE||R:%{ARGS.role}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_member'" SecRule ARGS:page "@streq ihc_manage" "chain,t:none,t:lowercase" SecRule ARGS:tab "@streq users" "chain,t:none,t:lowercase" SecRule &ARGS:user_login "@gt 0" "chain,t:none" SecRule &ARGS:user_email "@gt 0" "chain,t:none" SecRule &ARGS:role "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-2454 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141061,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in RegistrationMagic Plugin for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule ARGS:page "@beginsWith rm_" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-2454 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141062,chain,pass,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: SQLi vulnerability in RegistrationMagic Plugin for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule ARGS:page "@streq rm_field_manage" "chain,t:none" SecRule ARGS:rm_form_id "@rx \D" "t:none" # DEFA-2476 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin.php" "id:77141068,chain,phase:2,pass,log,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress 
custom-searchable-data-entry-system SQL injection||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_custom_searchable_data_entry_system',tag:'noshow'"
    SecRule ARGS:page "@streq sds-edit-field" "chain,t:none,t:lowercase"
    # Final link of a chain whose starter sits before this line: it matches when
    # sds-edit-field-id contains any non-digit character.
    SecRule ARGS:sds-edit-field-id "@rx \D" "t:none,t:urlDecodeUni"

# DEFA-2501
# DEFA-2757
# Rule 77141075 - Social Metrics Tracker export page: admin-ajax.php or admin-post.php with
# page=social-metrics-tracker-export and smt_download_export_file=1, blocked when
# gapi_client_id contains a double quote or "<".
# `block` and the missing phase: both resolve through SecDefaultAction, which is not shown.
SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "id:77141075,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Vulnerability - Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_social_metrics_tracker'"
    SecRule ARGS:page "@streq social-metrics-tracker-export" "chain,t:none"
    SecRule ARGS:smt_download_export_file "@streq 1" "chain,t:none"
    SecRule ARGS:gapi_client_id "@rx [\x22<]" "t:none,t:urlDecodeUni"

# DFEA-2576
# Rules 77142156-77142158 cover the LiveChat settings page (page=livechat_settings) on
# /wp-admin/admin-ajax.php.
# 77142156: POST with reset=1 and no cookie whose name starts with wordpress_logged_in_.
# NOTE(review): the cookie link counts cookie names only and does not validate the cookie, so
# it separates anonymous traffic from the rest but does not establish authentication.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142156,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthorized reset settings in the LiveChat <= 3.7.2 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:page "@streq livechat_settings" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:reset "@streq 1" "chain,t:none,t:urlDecodeUni"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "t:none"

# DFEA-2576
# 77142157: same page, Referer containing livechat_settings, and no wordpress_logged_in_ cookie.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142157,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthorized update settings in the LiveChat <= 3.7.2 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:page "@streq livechat_settings" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "@contains livechat_settings" "chain,t:none,t:urlDecodeUni"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "t:none"

# DFEA-2576
# 77142158: same page and Referer condition, blocked when any argument contains ">".
# The last link inspects every argument (ARGS), not a named field.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142158,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS in the LiveChat <= 3.7.2 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:page "@streq livechat_settings" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "@contains livechat_settings" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS "@contains >" "t:none,t:urlDecodeUni"

# DEFA-2772
# Rule 77142181 - private content plus settings pages: POST to admin-ajax.php or
# admin-post.php with page equal to one of the two wppcp settings slugs, blocked when the
# Referer header does not contain the server name.
# The msg says "Persistent XSS" but the deciding link is a request-origin check, not a
# payload check.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142181,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in private content plus plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_private_content',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:page "@pm wppcp-security-settings-page wppcp-settings" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni"

# DEFA-2772
# Rule 77142185 - LiveChat licence form (licenseNumber and licenseEmail present).
# The chain's final link lies past the end of this line.
# NOTE(review): the page value "wpsm_responslivechat_settings" differs from the
# "livechat_settings" slug used by rules 77142156-77142158 and looks like two identifiers run
# together. If the plugin never sends that value this chain cannot match - verify against the
# plugin's settings URL.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142185,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: CSRF Vulnerability in LiveChat plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_live_chat_software_for_wordpress',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:page "@streq wpsm_responslivechat_settings" "chain,t:none,t:urlDecodeUni"
    SecRule &ARGS:licenseNumber "@gt 0" "chain,t:none"
    SecRule &ARGS:licenseEmail "@gt 0" "chain,t:none"
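SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni"
# The directive above is the final link of a chain whose starter sits before this line.

# DEFA-2985
# Rule 77142225 - detection only (pass, log, tag noshow): /wp-admin/admin.php with
# page=onesignal-push, a JSON content type, and a body containing both "portalId" and
# "<script".
# NOTE(review): msg interpolates %{REQUEST_BODY}, so every match copies the whole request
# body into the log entry. Handle and retain those logs as request data.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "chain,id:77142225,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (onesignal-push)||T:APACHE||ARGS.page:%{ARGS.page}||REQUEST_BODY:%{REQUEST_BODY}||',tag:'service_i360custom',tag:'noshow'"
    SecRule ARGS:page "@streq onesignal-push" "chain,t:none"
    SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "chain,t:none,t:lowercase"
    SecRule REQUEST_BODY "@rx (?:\x22portalId\x22)" "chain,t:none"
    SecRule REQUEST_BODY "@rx (?:<script)" "t:none"

# DEFA-3552
# Rule 77316770 - Limit Login Attempts Reloaded (CVE-2020-35590): options-general.php with
# page=limit-login-attempts, blocked when the tab argument contains a double quote.
SecRule REQUEST_FILENAME "@endsWith wp-admin/options-general.php" "id:77316770,chain,block,log,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: WordPress Plugin Limit Login Attempts Reloaded reflected XSS (CVE-2020-35590)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_limit_login_attempts_reloaded',tag:'service_i360custom'"
    SecRule ARGS:page "@streq limit-login-attempts" "chain,t:none,t:lowercase"
    SecRule ARGS:tab "@rx \x22" "t:none"

# DEFA-3580
# Rule 77316771 - Elementor: POST with page starting "elementor" and an uploaded file whose
# name ends in .svg.
# NOTE(review): the file-name link tests for "wp-admin.php". wp-admin is normally a directory
# and the neighbouring rules anchor on paths such as /wp-admin/admin.php. If that path was
# intended, this chain cannot match as written - confirm with the rule's maintainer before
# relying on it.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316771,chain,block,log,severity:2,t:none,msg:'IM360 WAF: SVG files upload allowed by default in Elementor < 3.0.14 WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith wp-admin.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:page "@rx ^elementor" "chain,t:none"
    SecRule FILES "@rx \.svg$" "t:none"

# DEFA-3683
# Rules 77316787 and 77316788 - Responsive Menu: POST to /wp-admin/edit.php with
# post_type=rmp_menu, a non-empty uploaded file name, and a Referer that does not contain the
# server name. They differ only in the page value (themes here, settings below).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316787,chain,block,log,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_responsive_menu',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none"
    SecRule ARGS:page "@streq themes" "chain,t:none"
    SecRule FILES "!@rx ^$" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-3683
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316788,chain,block,log,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_responsive_menu',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none"
    SecRule ARGS:page "@streq settings" "chain,t:none"
    SecRule FILES "!@rx ^$" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-3891
# Rule 77316823 - Store Locator Plus: /wp-admin/admin.php with page starting "slp_", denied
# when the start argument contains a single or double quote.
# The page link names no operator, so its pattern is evaluated as a regular expression.
SecRule REQUEST_URI "@contains /wp-admin/admin.php" "id:77316823,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: XSS vulnerability in Store Locator Plus plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'"
    SecRule ARGS:page "^slp_" "chain,t:none"
    SecRule ARGS:start "@rx \x22|'" "t:none"

# DEFA-3960
# Rule 77316829 - WP Statistics: POST to /wp-admin/admin.php with page=wps_pages_page, denied
# when ID or type contains a quote, slash, NUL, line feed or carriage return.
# The line-feed alternative must be written with the digit zero (\x0a); spelled with a
# capital letter O it is not a hex escape and a line feed in the value goes unmatched.
# NOTE(review): the method pattern is unanchored here, unlike the ^POST$ used by the
# neighbouring rules, and the last link lists t:urlDecode without t:none, so any default
# transformations presumably apply as well - confirm against SecDefaultAction.
SecRule REQUEST_METHOD "@rx POST" "id:77316829,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: SQL Injection in WP Statistics < 1.0.8 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_statistics',tag:'im360_req_post'"
    SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:page "@streq wps_pages_page" "chain,t:none"
    SecRule ARGS:ID|ARGS:type "@rx \x22|\x27|\x2f|\x00|\x0a|\x0d" "t:urlDecode"

SecRule REQUEST_METHOD "@pm POST GET" "id:77228110,chain,msg:'IM360 WAF: XSS vulnerabilities in Google Analyticator plugin before 6.4.9.6 for WordPress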
(CVE-2015-6238)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_google_analyticator'" SecRule ARGS:page "@streq google-analyticator" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:ga_admin_disable_DimentionIndex|ARGS:ga_adsense|ARGS:ga_downloads_prefix|ARGS:ga_downloads|ARGS:ga_outbound_prefix "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77228370,chain,msg:'IM360 WAF: XSS in the Collne Welcart e-Commerce plugin 1.8.2 for WordPress (CVE-2016-4827)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_welcart'" SecRule ARGS:page "@pm usces_itemnew usces_itemedit" "chain,t:none,t:lowercase" SecRule ARGS:post_title "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77228500,chain,msg:'IM360 WAF: XSS vulnerability in the Simple Sticky Footer plugin before 1.3.3 for WordPress (CVE-2014-9454)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_simple_sticky_footer'" SecRule ARGS:page "@streq simple-simple-sticky-footer" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:simple_sf_width|ARGS:simple_sf_style "@rx \'|<" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77228510,chain,msg:'IM360 WAF: XSS vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress (CVE-2014-2598)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_quick_pagepost_redirect_plugin'" SecRule ARGS:page "@streq redirect-updates" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:quickppr_redirects[request][]|ARGS:quickppr_redirects[destination][] "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77229500,chain,msg:'IM360 WAF: XSS vulnerability in the Photocrati NextGEN Gallery 
plugin 2.1.15 for WordPress (CVE-2015-9229)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_nextgen_gallery'" SecRule ARGS:page "@streq nggallery-manage-gallery" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule ARGS:/images\[\d*?\]\[alttext\]/ "@contains '" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77229920,chain,msg:'IM360 WAF: XSS vulnerability in Oturia Smart Google Code Inserter plugin before 3.5 for WordPress (CVE-2018-3810)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_smart_google_code_inserter'" SecRule ARGS:page "@streq smartcode" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq options-general.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:sgcgoogleanalytic|ARGS:sgcwebtools "@contains <" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230370,chain,msg:'IM360 WAF: XSS vulnerability in the User Profile & Membership plugin before 2.0.11 for WordPress (CVE-2018-10234)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_ultimate_member'" SecRule ARGS:page "@streq um_options" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:um_options[delete_account_text] "@contains <" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230610,chain,msg:'IM360 WAF: XSS vulnerability in WPtouch plugin 4.3.28 for WordPress (CVE-2018-17417)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wptouch'" SecRule ARGS:page "@streq wptouch-admin-general-settings" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule 
ARGS:wptouch__wptouch_pro__filtered_urls|ARGS:wptouch__wptouch_pro__force_locale|ARGS:wptouch__wptouch_pro__remove_shortcodes|ARGS:wptouch__wptouch_pro__custom_user_agents|ARGS:wptouch__wptouch_pro__site_title "@rx \x22|<" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230660,chain,msg:'IM360 WAF: XSS vulnerability in Affiliates Manager plugin through 2.6.0 for WordPress (CVE-2018-17579)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_affiliates_manager'" SecRule ARGS:page "@streq wpam-settings" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:txtMinimumPayout|ARGS:txtCookieExpire|ARGS:txtEmailName|ARGS:txtEmailAddress|ARGS:affBountyAmount|ARGS:affCurrencySymbol|ARGS:affCurrencyCode "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230690,chain,msg:'IM360 WAF: SQLi and XSS vulnerability in Slideshow Gallery 1.6.8 plugin for WordPress (CVE-2018-18017 CVE-2018-18018 and CVE-2018-18019)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_slideshow_gallery'" SecRule ARGS:page "@beginsWith slideshow-" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:Slide[title]|ARGS:Slide[image_url]|ARGS:Gallery[id]|ARGS:Gallery[title] "@rx (?:<|'|\x22)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230780,chain,msg:'IM360 WAF: XSS vulnerability in Ultimate Member - User Profile & Membership plugin 2.0.29 and before 2.0.28 for WordPress (CVE-2018-17866)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'wp_plugin_ultimate_member',tag:'noshow'" SecRule ARGS:page "@streq um_options" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS_NAMES "@beginsWith um_options" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule 
ARGS|!ARGS:/um_options\[/|!ARGS:um_options[checkmail_email] "@rx \x22|<" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230850,chain,msg:'IM360 WAF: XSS vulnerability in Appointments plugin 2.4.0 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_appointments'" SecRule ARGS:page "@streq app_settings" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS|!ARGS:additional_css|!ARGS:confirmation_message|!ARGS:reminder_message|!ARGS:removal_notification_message "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77232620,chain,msg:'IM360 WAF: XSS vulnerability in Responsive-coming-soon-page plugin 1.1.18 for WordPress (CVE-2018-5657 CVE-2018-5659 CVE-2018-5660 CVE-2018-5661 CVE-2018-5662 CVE-2018-5663 CVE-2018-5664 CVE-2018-5665 and CVE-2018-5666)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_responsive_coming_soon_page'" SecRule ARGS:page "@streq rcsm-weblizar" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS|!ARGS:coming-soon_message|!ARGS:subscriber_form_message "@rx \x22" "chain,t:none,t:urlDecodeUni" SecRule ARGS_NAMES "@rx ^weblizar_rcsm_settings_save_(?:appearance|social|subscriber|counter_clock|footer)_option$" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77232830,chain,msg:'IM360 WAF: XSS vulnerability exists in Calendar plugin on or before 1.3.10 for WordPress (CVE-2018-18872)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_calendar'" SecRule ARGS:page "@within calendar calendar-categories" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:category_name|ARGS:event_title "@contains <" "t:none,t:urlDecodeUni" SecRule &ARGS:page_id "@ge 1" "id:77221383,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Events Manager plugin before 5.3.5 and Events 
Manager Pro plugin before 2.2.9 for WordPress (CVE-2013-1407)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_events_manager'"
    # Final link of a chain whose starter sits before this line: it matches when the scope
    # argument contains a double quote.
    SecRule ARGS:scope "@rx \x22" "t:none,t:urlDecodeUni"

# Rule 77221510 - GarageSale (CVE-2014-4532): direct request to the plugin template file,
# denied when the page argument contains a double quote.
# NOTE(review): the starter compares against a mixed-case path while t:lowercase is in its
# transformation list. multiMatch makes the operator run on the intermediate values too,
# which is presumably what lets the mixed-case string match - confirm before removing it.
# NOTE(review): the chained link has no action list, unlike the other links in this file that
# spell out t:none. It presumably uses whatever transformations SecDefaultAction defines
# rather than the starter's list - confirm.
SecRule REQUEST_FILENAME "@contains wp-content/plugins/garagesale/templates/printAdminUsersList_Footer.tpl.php" "id:77221510,chain,msg:'IM360 WAF: XSS vulnerability in the GarageSale plugin before 1.2.3 for WordPress (CVE-2014-4532)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,multiMatch,severity:2,tag:'wp_plugin_garagesale'"
    SecRule ARGS:page "@rx \x22"

# Rule 77226550 - April Super Functions Pack (CVE-2014-100026): request to the plugin's
# readme.php, denied when the page argument contains a double quote.
SecRule REQUEST_FILENAME "@endsWith aprils-super-functions-pack/readme.php" "id:77226550,chain,msg:'IM360 WAF: XSS vulnerability in the April Super Functions Pack plugin before 1.4.8 for WordPress (CVE-2014-100026)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_aprils_super_functions_pack'"
    SecRule ARGS:page "@rx \x22" "t:none,t:urlDecodeUni"

# Rule 77228300 - dhtmlxSpreadsheet (CVE-2013-6281): request to /codebase/spreadsheet.php,
# denied when the page argument contains "<" after URL and HTML-entity decoding.
SecRule REQUEST_FILENAME "@endsWith /codebase/spreadsheet.php" "id:77228300,chain,msg:'IM360 WAF: XSS vulnerability in the Spreadsheet (dhtmlxSpreadsheet) plugin 2.0 for WordPress (CVE-2013-6281)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,severity:2,tag:'wp_plugin_dhtmlxspreadsheet'"
    SecRule ARGS:page "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 77230760 - WPML (CVE-2018-18069): requests carrying an icl_post_action argument.
# The chain continues past the end of this line.
SecRule &ARGS:icl_post_action "@ge 1" "id:77230760,chain,msg:'IM360 WAF: XSS vulnerability WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress (CVE-2018-18069)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_sitepress_multilingual_cms'"
    SecRule ARGS:page "@beginswith sitepress-multilingual-cms-"
"chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:/^locale_file_name_/ "@rx \x22" "t:none,t:urlDecodeUni" SecRule ARGS:file "@contains .." "id:77228720,chain,msg:'IM360 WAF: Directory traversal vulnerability in XCloner plugin 3.1.1 for WordPress (CVE-2014-8606)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_plugin_xcloner_backup_and_restore'" SecRule ARGS:task "@streq download" "chain,t:none,t:lowercase" SecRule ARGS:page|ARGS:option "@pm xcloner_show com_xcloner-backupandrestore" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /administrator/index.php" "t:none,t:lowercase,t:normalizePath" SecRule REQUEST_METHOD "@pm POST GET" "id:77221420,chain,msg:'IM360 WAF: XSS vulnerability in the Meta Slider plugin 2.5 for WordPress (CVE-2014-4846)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_metaslider'" SecRule ARGS:page "@streq metaslider" "chain,t:none,t:lowercase" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77227590,chain,msg:'IM360 WAF: SQL injection vulnerabilities in the Pie Register plugin before 2.0.19 for WordPress (CVE-2015-7682)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_pie_register'" SecRule ARGS:page "@streq pie-invitation-codes" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:select_invitaion_code_bulk_option|ARGS:invi_del_id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77229680,chain,msg:'IM360 WAF: SQL injection vulnerability in Responsive Image Gallery plugin before 1.2.1 for WordPress (CVE-2017-14125)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_responsive_image_gallery'" SecRule ARGS:page "@streq wpdevart_gallery_themes" "chain,t:none,t:urlDecodeUni,t:lowercase" 
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none"

# ---------------------------------------------------------------------------
# Session "page-visit" trackers and the CSRF deny rules that pair with them.
#
# A tracker is a pass,nolog chain ending in setvar/expirevar: when a request
# in an existing session loads a plugin settings page with GET, a flag is
# stored in the SESSION collection and expires after 300 seconds. A deny rule
# for the same plugin can then reject a state-changing request when that flag
# is missing, i.e. when the settings page was not opened first in the session.
#
# NOTE(review): the SESSION collection and SESSION.wp_session are not
# initialised in this part of the file - presumably an earlier rule does
# that; confirm before reusing any of these chains on their own.
# NOTE(review): this is a heuristic layered on top of the application. It does
# not replace the nonce checks added by the fixed plugin versions named in
# the msg strings.
# ---------------------------------------------------------------------------

# Tracker (tag wp_plugin_acurax_social_media_widget): GET admin.php with
# page=acurax-social-widget-settings sets SESSION.wp_acx_asmw.
# No rule in the nearby lines reads this flag; the counterpart is presumably
# elsewhere in the file.
SecRule &SESSION:wp_session "@ge 1" "id:77230150,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_acurax_social_media_widget',tag:'im360_req_get'"
SecRule ARGS:page "@streq acurax-social-widget-settings" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" "setvar:'SESSION.wp_acx_asmw=1',expirevar:'SESSION.wp_acx_asmw=300',t:none,t:lowercase"

# Tracker (tag wp_plugin_sharethis): GET with a page value containing
# "sharethis.php" sets SESSION.sharethis.
SecRule &SESSION:wp_session "@ge 1" "id:77220210,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_sharethis',tag:'im360_req_get'"
SecRule ARGS:page "@contains sharethis.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.sharethis=1',expirevar:'SESSION.sharethis=300',t:none,t:lowercase"

# Tracker (tag wp_plugin_cart66_lite): GET with page=cart66-products sets
# SESSION.cart66.
SecRule &SESSION:wp_session "@ge 1" "id:77220290,chain,phase:2,pass,nolog,severity:5,tag:'wp_plugin_cart66_lite',tag:'im360_req_get'"
SecRule ARGS:page "@streq cart66-products" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.cart66=1',expirevar:'SESSION.cart66=300',t:none,t:lowercase"

# Deny (403) for Cart66 Lite, CVE-2013-5977: session present, a cart66-action
# argument is sent, and page=cart66-products.
# NOTE(review): none of the three links tests SESSION.cart66, so as written
# the chain denies every such request whether or not tracker 77220290 fired.
# A flag test may have been lost from this copy; compare with the vendor file.
SecRule &SESSION:wp_session "@ge 1" "id:77220292,chain,msg:'IM360 WAF: CSRF vulnerability in the Cart66 Lite plugin before 1.5.1.15 for WordPress (CVE-2013-5977)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_cart66_lite'"
SecRule &ARGS:cart66-action "@ge 1" "chain,t:none"
SecRule ARGS:page "@streq cart66-products" "t:none,t:urlDecodeUni,t:lowercase"

# Tracker (tag wp_plugin_wp125): GET with page=wp125_addedit sets
# SESSION.wp_add.
SecRule &SESSION:wp_session "@ge 1" "id:77221170,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_wp125',tag:'im360_req_get'"
SecRule ARGS:page "@streq wp125_addedit" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_add=1',expirevar:'SESSION.wp_add=300',t:none,t:lowercase"

# Deny (403) for WP125, CVE-2013-2700: session present, exactly one each of
# adname, adtarget and adimage, and page=wp125_addedit.
# NOTE(review): SESSION.wp_add is not tested by any link here, so the deny
# does not depend on tracker 77221170 - same concern as 77220292.
# The first four links carry no t: action and so inherit whatever
# transformations SecDefaultAction sets (not visible here).
SecRule &SESSION:wp_session "@ge 1" "id:77221172,chain,msg:'IM360 WAF: CSRF vulnerability in the WP125 plugin before 1.5.0 for WordPress (CVE-2013-2700)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,severity:2,tag:'wp_plugin_wp125'"
SecRule &ARGS:adname "@eq 1" "chain"
SecRule &ARGS:adtarget "@eq 1" "chain"
SecRule &ARGS:adimage "@eq 1" "chain"
SecRule ARGS:page "@streq wp125_addedit" "t:none,t:urlDecodeUni,t:lowercase"

# Deny (403) for Search Everything, CVE-2014-3843: POST to options-general.php
# with page=extend_search while SESSION.wpse is not set.
# The rule that sets SESSION.wpse is not in this part of the file.
SecRule &SESSION:wp_session "@ge 1" "id:77221212,chain,msg:'IM360 WAF: CSRF vulnerability in the Search Everything plugin before 8.1.1 for WordPress (CVE-2014-3843)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_search_everything',tag:'im360_req_post'"
SecRule ARGS:page "@streq extend_search" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase"
SecRule &SESSION:wpse "@eq 0" "chain,t:none"
SecRule REQUEST_BASENAME "@streq options-general.php" "t:none,t:urlDecodeUni,t:lowercase"

# Tracker (tag wp_plugin_ab_google_map_travel): GET with page=ab_map_options
# sets SESSION.wp_ab_googlemaptravel. Unlike the other trackers, the first
# link uses "@eq 1" rather than "@ge 1". The msg is not logged (nolog).
SecRule &SESSION:wp_session "@eq 1" "id:77226390,chain,msg:'IM360 WAF: Start tracking AB Google Map Travel (AB-MAP) WordPress plugin||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,severity:5,tag:'wp_plugin_ab_google_map_travel',tag:'im360_req_get'"
SecRule ARGS:page "@streq ab_map_options" "chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_ab_googlemaptravel=1',expirevar:'SESSION.wp_ab_googlemaptravel=300',t:none,t:lowercase"

# Deny (403) for AB Google Map Travel, CVE-2015-2755: POST with
# page=ab_map_options. The last link of this chain, the test on
# SESSION.wp_ab_googlemaptravel, follows on the next line of the file.
SecRule ARGS:page "@streq ab_map_options" "id:77226391,chain,msg:'IM360 WAF: CSRF vulnerability in the AB Google Map Travel (AB-MAP) plugin before 4.0 for WordPress (CVE-2015-2755)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_ab_google_map_travel',tag:'im360_req_post'"
SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase"
SecRule
&SESSION:wp_ab_googlemaptravel "!@eq 1" "t:none" SecRule &SESSION:wp_session "@ge 1" "id:77226500,chain,msg:'IM360 WAF: CSRF vulnerability in the Contact Form DB plugin before 2.8.32 for WordPress (CVE-2015-1874)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,skip:1,severity:5,tag:'wp_plugin_contact_form_7_to_database_extension',tag:'im360_req_get'" SecRule REQUEST_FILENAME "@endsWith /admin.php" "chain,t:none,t:lowercase" SecRule ARGS:page "@contains cf7dbplugin" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_cfdb=1',expirevar:'SESSION.wp_cfdb=300',t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /admin.php" "id:77226501,chain,msg:'IM360 WAF: CSRF vulnerability in the Contact Form DB plugin before 2.8.32 for WordPress (CVE-2015-1874)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_contact_form_7_to_database_extension'" SecRule ARGS:page "@streq cf7dbpluginsubmissions" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &ARGS:delete "@ge 1" "chain" SecRule &SESSION:wp_cfdb "!@ge 1" SecRule &SESSION:wp_session "@ge 1" "id:77226650,chain,phase:2,pass,nolog,t:none,skip:1,severity:5,tag:'wp_plugin_all_in_one_wp_security_and_firewall'" SecRule REQUEST_FILENAME "@endsWith admin.php" "chain,t:none,t:lowercase" SecRule ARGS:page "@contains aiowpsec_firewall" "chain,t:none,t:lowercase" SecRule ARGS:tab "@streq tab6" "chain,t:none,t:lowercase" SecRule &ARGS "@eq 2" "setvar:'SESSION.wpsec=1',expirevar:'SESSION.wpsec=300',t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77226770,chain,msg:'IM360 WAF: SQL injection vulnerability in the NewStatPress plugin before 0.9.9 for WordPress (CVE-2015-4062)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_newstatpress'" SecRule ARGS:page "@streq nsp_search" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule 
ARGS:/where[1-3]/ "!@rx ^[a-z]+$" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77227350,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress (CVE-2014-5460)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_slideshow_gallery'" SecRule ARGS:page "@streq slideshow-slides" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:method "@streq save" "chain,t:none,t:lowercase" SecRule FILES "!@rx \.(?:jpe?g|gif|bmp|png)$" "t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77227720,chain,phase:2,pass,nolog,skip:1,severity:5,tag:'wp_plugin_wp_timed_popup',tag:'im360_req_get'" SecRule ARGS:page "@contains wp-popup" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_popup=1',expirevar:'SESSION.wp_popup=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77227721,chain,msg:'IM360 WAF: CSRF vulnerability in the Timed Popup (wp-timed-popup) plugin 1.3 for WordPress (CVE-2014-9525)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_timed_popup',tag:'im360_req_post'" SecRule ARGS:page "@contains wp-popup" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule &SESSION:wp_popup "!@eq 1" "t:none" SecRule &SESSION:wp_session "@ge 1" "id:77227820,chain,phase:2,pass,nolog,skip:1,severity:5,tag:'wp_plugin_cm_download_manager',tag:'im360_req_get'" SecRule ARGS:page "@streq cmdm_admin_settings" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase" SecRule &ARGS "@eq 1" "setvar:'SESSION.wp_cmdm_admin=1',expirevar:'SESSION.wp_cmdm_admin=300',t:none" SecRule &SESSION:wp_session "@ge 1" "id:77227821,chain,msg:'IM360 WAF: CSRF vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress 
(CVE-2014-9129)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_cm_download_manager',tag:'im360_req_post'" SecRule ARGS:page "@streq cmdm_admin_settings" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule &SESSION:wp_cmdm_admin "!@eq 1" "t:none" SecRule &SESSION:wp_session "@ge 1" "id:77229441,chain,msg:'IM360 WAF: CSRF vulnerability in Clean Login plugin before 1.8 for WordPress (CVE-2017-8875)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_clean_login',tag:'im360_req_post'" SecRule ARGS:page "@streq clean_login_menu" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule &SESSION:wp_cleanlog "!@eq 1" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/options-general.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77210950,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_responsive_coming_soon_page',tag:'im360_req_get'" SecRule ARGS:page "@streq rcsm-weblizar" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "setvar:'SESSION.wp_rcsm-weblizar=1',expirevar:'SESSION.wp_rcsm-weblizar=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77210952,chain,msg:'IM360 WAF: CSRF vulnerability in Responsive-coming-soon-page plugin 1.1.18 for WordPress (CVE-2018-5658)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_responsive_coming_soon_page'" SecRule ARGS:page "@streq rcsm-weblizar" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule &SESSION:wp_rcsm-weblizar "!@eq 1" "chain,t:none" SecRule ARGS_NAMES "@rx 
^weblizar\_rcsm\_settings\_save\_(?:appearance|social|subscriber|counter\_clock|footer)\_option$" "t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77229970,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_booking_calendar',tag:'im360_req_get'" SecRule ARGS:page "@beginsWith wpdevart-" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule MATCHED_VAR "@rx ^wpdevart-(?:forms|extras|themes)$" "chain" SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "setvar:'SESSION.wp_wpdevart=1',expirevar:'SESSION.wp_wpdevart=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77229971,chain,msg:'IM360 WAF: CSRF vulnerability in Booking-calendar plugin 2.1.7 for WordPress (CVE-2018-5673)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_booking_calendar',tag:'im360_req_post'" SecRule ARGS:page "@beginsWith wpdevart-" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule MATCHED_VAR "@rx ^wpdevart-(?:forms|extras|themes)$" "chain" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule &SESSION:wp_wpdevart "!@eq 1" "t:none" SecRule &SESSION:wp_session "@ge 1" "id:77230050,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_weblizar_pinterest_feeds',tag:'im360_req_get'" SecRule ARGS:page "@streq pffree-weblizar" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "setvar:'SESSION.wp_pffree-weblizar=1',expirevar:'SESSION.wp_pffree-weblizar=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77230310,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_add_social_share_buttons',tag:'im360_req_get'" SecRule ARGS:page "@streq add_social_share_buttons" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD 
"@streq get" "setvar:'SESSION.wp_social_share_buttons=1',expirevar:'SESSION.wp_social_share_buttons=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77230520,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_wp_ulike',tag:'im360_req_get'" SecRule ARGS:page "@streq wp-ulike-post-logs" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_ulike=1',expirevar:'SESSION.wp_ulike=300',t:none,t:lowercase" SecRule REQUEST_METHOD "@streq POST" "id:77230531,chain,msg:'IM360 WAF: CSRF vulnerability in Metronet Tag Manager plugin version 1.2.7 for WordPress (CVE-2018-1000506)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_metronet_tag_manager',tag:'im360_req_post'" SecRule ARGS:page "@streq metronet-tag-manager" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &ARGS:gtm-code-head|&ARGS:gtm-code "@ge 1" "chain,t:none" SecRule REQUEST_BASENAME "@streq options-general.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@rx %{SERVER_NAME}" "t:none" SecRule &SESSION:wp_session "@ge 1" "id:77230580,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_wp_file_manager',tag:'im360_req_get'" SecRule ARGS:page "@streq wp_file_manager_root" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_file_manager=1',expirevar:'SESSION.wp_file_manager=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77230581,chain,msg:'IM360 WAF: CSRF vulnerability in File Manager plugin 3.0 for WordPress (CVE-2018-16966)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_file_manager'" SecRule &SESSION:wp_file_manager "!@eq 1" "chain,t:none" SecRule &ARGS:public_path "@ge 1" "chain,t:none" SecRule ARGS:page "@streq wp_file_manager_root" "t:none,t:urlDecodeUni,t:lowercase" SecRule &SESSION:wp_session "@ge 1" 
"id:77230640,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_wp_fastest_cache',tag:'im360_req_get'" SecRule ARGS:page "@streq wpfastestcacheoptions" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_wpfastestcache=1',expirevar:'SESSION.wp_wpfastestcache=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77230641,chain,msg:'IM360 WAF: CSRF vulnerability in WP Fastest Cache 0.8.8.5 plugin for WordPress (CVE-2018-17584)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_fastest_cache'" SecRule &SESSION:wp_wpfastestcache "!@eq 1" "chain,t:none" SecRule &ARGS:wpFastestCachePage "@ge 1" "chain,t:none" SecRule ARGS:page "@streq wpfastestcacheoptions" "t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77230790,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_wp_slimstat_analytics',tag:'im360_req_get'" SecRule ARGS:page "@streq slimconfig" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.wp_slimconfig=1',expirevar:'SESSION.wp_slimconfig=300',t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77230791,chain,msg:'IM360 WAF: CSRF vulnerability in Slimstat Analytics 4.7.8.3 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_slimstat_analytics'" SecRule ARGS:page "@streq slimconfig" "chain,t:none,t:lowercase" SecRule &SESSION:wp_slimconfig "!@eq 1" "chain,t:none" SecRule REQUEST_METHOD "@streq post" "t:none,t:lowercase" SecRule &SESSION:wp_session "@ge 1" "id:77232181,chain,msg:'IM360 WAF: CSRF vulnerability in two-factor-authentication plugin before 1.3.13 for WordPress (CVE-2018-20231)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_two_factor_authentication'" SecRule &ARGS:tfa_enable_tfa "@ge 1" "chain,t:none" SecRule ARGS:page "@streq 
two-factor-auth-user" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule &SESSION:wp_session "@ge 1" "id:77232470,chain,phase:2,pass,nolog,t:none,severity:5,tag:'wp_plugin_smart_forms',tag:'im360_req_get'" SecRule ARGS:page "@streq formcraft_basic_dashboard" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.smartforms=1',expirevar:'SESSION.smartforms=300',t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77233121,chain,msg:'IM360 WAF: XSS vulnerability in WordPress Download Manager Plugin 2.9.96 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_download_manager'" SecRule ARGS:page "@streq templates" "chain,t:none,t:lowercase" SecRule ARGS:post_type "@streq wpdmpro" "chain,t:none,t:lowercase" SecRule ARGS|!ARGS:email_template[message] "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77233310,chain,msg:'IM360 WAF: XSS vulnerability in WP Nearby Places Basic plugin 1.3 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_wp_nearby_places_basic'" SecRule ARGS:page "@streq mynearbyplaces_settings" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77233470,chain,msg:'IM360 WAF: XSS exists in Share this Image Plugin of v1.19 or before for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'service_wp_plugin'" SecRule ARGS:page "@streq sti-options" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:selector "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77233620,chain,msg:'IM360 WAF: SQLi Vulnerability in 10Web Photo Gallery plugin before 1.5.31 for WordPress 
(CVE-2019-14313)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_photo_gallery'" SecRule ARGS:page "@within albums_bwg galleries_bwg" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:orderby|ARGS:order "@rx \W" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77233730,chain,msg:'IM360 WAF: SQL injection vulnerability in FV Flowplayer Video Player plugin 7.3.18.727 and below for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_fv_wordpress_flowplayer'" SecRule ARGS:page "@streq fv_player" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:orderby|ARGS:order "!@within player_name id date_created desc asc" "t:none,t:lowercase,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77234071,chain,msg:'IM360 WAF: CSRF vulnerability in visitors-traffic-real-time-statistics plugin before 1.13 for WordPress (CVE-2019-15832)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_visitors_traffic_real_time_statistics'" SecRule ARGS:page "@streq ahc_hits_counter_settings" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &ARGS:/^set_/ "@ge 1" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@rx %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77234090,chain,msg:'IM360 WAF: SQL vulnerability exists in AjdG AdRotate Plugin of v 5.2 or before for WordPress (CVE-2019-13570)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_adrotate'" SecRule ARGS:page "@streq adrotate-ads" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:ad "@rx \D" "t:none" SecRule ARGS:page "@streq owp_setup" "id:77234260,chain,msg:'IM360 WAF: Privilege escalation vulnerability in Ocean Extra plugin through 1.5.8 for WordPress 
(CVE-2019-16250)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_ocean_extra'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:page "@streq lolmi-settings" "id:77234320,chain,msg:'IM360 WAF: Privilege escalation vulnerability in login-or-logout-menu-item plugin before 1.2.0 for WordPress (CVE-2019-15820)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_login_or_logout_menu_item'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-general.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule &ARGS:Export_Submit "@ge 1" "id:77234680,chain,msg:'IM360 WAF: Privilege escalation vulnerability in ultimate-faqs plugin through 1.8.24 for WordPress (CVE-2019-17232)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_ultimate_faqs'" SecRule ARGS:page "@streq ewd-ufaq-options" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77229180,chain,msg:'IM360 WAF: SQL Injection Vulnerability in Multi Meta Box plugin v1.0 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_multi_meta_box'" SecRule ARGS:page "@streq multi_metabox_listing" "chain,t:none,t:lowercase" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77230750,chain,msg:'IM360 WAF: XSS vulnerability in Smart Slider3 plugin version 3.3.8 for WordPress (CVE-2018-18302 CVE-2018-18303 CVE-2018-18304 CVE-2018-18305)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_smart_slider_3'" SecRule ARGS:page "@beginsWith 
smart-slider" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:sliderTitle|ARGS:slider[title]|ARGS:slide[title] "@contains <" "t:none,t:urlDecodeUni"

# Restrict User Access 1.0.1 (XSS): deny (403) when page=wprua-edit and one of
# the listed arguments contains a non-digit character.
# NOTE(review): the last link lists ARGS:page as well as ARGS:duration[count].
# The previous link already requires page to equal "wprua-edit", which is not
# numeric, so "@rx \D" always matches and the chain denies every request for
# that page regardless of duration[count]. ARGS:page looks unintended in the
# target list; confirm against the vendor copy before changing it.
SecRule REQUEST_METHOD "@pm POST GET" "id:77230980,chain,msg:'IM360 WAF: XSS vulnerability in Restrict User Access WordPress Plugin 1.0.1||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'wp_plugin_restrict_user_access'"
SecRule ARGS:page "@streq wprua-edit" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:page|ARGS:duration[count] "@rx \D" "t:none,t:urlDecodeUni"

# Tracker (tag wp_plugin_clean_login): GET to wp-admin/options-general.php with
# page=clean_login_menu sets SESSION.wp_cleanlog for 300 seconds. The flag is
# read by deny rule 77229441, which appears earlier in the file.
SecRule &SESSION:wp_session "@ge 1" "id:77229440,chain,phase:2,pass,nolog,severity:5,tag:'wp_plugin_clean_login',tag:'im360_req_get'"
SecRule ARGS:page "@streq clean_login_menu" "chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith wp-admin/options-general.php" "setvar:'SESSION.wp_cleanlog=1',expirevar:'SESSION.wp_cleanlog=300',t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# DEFA-3987
# Named marker; presumably the target of a skipAfter earlier in the file (the
# referencing rule is not visible here).
SecMarker MARKER_page

# Heuristic: TwentyShell
# Deny requests for .php files under /wp-content/themes/twenty* when the
# Referer header does not contain the server name.
# NOTE(review): Referer is client-supplied, so this is a heuristic rather than
# an access control. A link that targets REQUEST_HEADERS:Referer has no value
# to test when the header is absent, so this chain presumably only evaluates
# requests that send a Referer. Rules 77142198 and 77142200 further down pair
# an explicit '&REQUEST_HEADERS:Referer "@eq 0"' rule with the "!@contains"
# rule; confirm whether the same pairing is wanted here.
SecRule REQUEST_URI "@rx \/wp-content\/themes\/twenty[^\.]{0,108}\.php" "chain,id:77140740,phase:2,severity:2,log,deny,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Twenty shell abuse attempt||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core',tag:'service_rbl_infectors'"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# Heuristic: SuspiciousAccess
# Phrase-matches the request URI against a fixed list of script paths.
# "block" (unlike the explicit "deny" used above) takes its disruptive action
# from SecDefaultAction, which is not visible in this part of the file.
SecRule REQUEST_URI "@pm /wp-content/uploads/2018/10/mod_config.php /wp-content/plugins/wp-to-twitter/tmhOAuth/sys.php.php /wp-content/themes/better-mag/footer.php /wp-content/plugins/sfn.php /wp-admin/yt.php /assets/images/accesson.php /wp-admin/maint/index.php /wp-admin/includes/index.php /wp-includes/css/login_wall.php /wp-logos.php /wp-icoud.php /wp-cahce.php /wp-content/indes.php /wp-includes/indes.php /wp-conde.php" "id:77140742,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block abusive scripts||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core'"

# Privilege Escalation Flaw In WP GDPR
# Deny admin-ajax.php requests where one argument value contains
# "wpgdprc_process_action" and another contains a JSON fragment that sets
# users_can_register to "1" or default_role to "administrator".
# The dots in the first pattern are unescaped, so they match any character.
SecRule REQUEST_URI "@rx (/wp-admin/admin-ajax.php)" "id:77140750,chain,phase:2,deny,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Privilege escalation flaw in WP GDPR Compliance plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_gdpr_compliance'"
SecRule ARGS "@rx (wpgdprc_process_action)" "t:none,chain"
SecRule ARGS "@rx (\"option\"\s*?:\s*?\"users_can_register\"\s*?,\s*?\"value\"\s*?:\s*?\"1\"|\"default_role\"\s*?,\s*?\"value\"\s*?:\s*?\"administrator\")" "t:none"

# DEFA-1965
# W3 Total Cache, CVE-2019-6715: PUT to pub/sns.php whose body declares
# Type "SubscriptionConfirmation" and a SubscribeURL starting with file://.
# The last link re-tests MATCHED_VAR, i.e. the body matched by the link before.
# The msg spellings "Arbitary" and "WordPres" are kept verbatim because log
# consumers may match on the exact string.
# NOTE(review): REQUEST_BODY is only populated when request-body access and a
# suitable body processor are enabled for the request; not verifiable here.
SecRule REQUEST_METHOD "@streq PUT" "id:77140949,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Arbitary file read in W3 Total Cache plugin before 0.9.4 for WordPres (CVE-2019-6715)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_w3_total_cache'"
SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/w3-total-cache/pub/sns.php" "chain,t:none,t:normalizePath"
SecRule REQUEST_BODY "@rx \x22Type\x22\s{0,100}:\s{0,100}\x22SubscriptionConfirmation\x22" "chain,t:none,t:urlDecode"
SecRule MATCHED_VAR "@rx \x22SubscribeURL\x22\s{0,100}:\s{0,100}\x22file\:\/\/" "t:none,t:urlDecode"

# DEFA-2541
# Log-only (pass, severity 5): POST to /wp-admin/admin-ajax.php that carries
# neither a Referer nor a User-Agent header. The msg mentions only the missing
# referrer, but both header counts must be zero for the chain to match.
# No phase is given, so the phase comes from SecDefaultAction.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77141092,chain,pass,log,t:none,severity:5,msg:'IM360 WAF: Suspicious access attempt to admin-ajax.php. No referrer header||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'wp_core',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain,t:none"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"

# DEFA-2653
# DEFA-2777
# Elementor custom-icon uploads directory: block any request there whose file
# name does not end in one of the listed static-asset extensions.
# The second link does not lowercase, so an upper-case extension is treated as
# not allowed (fails closed).
SecRule REQUEST_FILENAME "@contains /wp-content/uploads/elementor/custom-icon" "id:77142112,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate Addons||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'"
SecRule REQUEST_FILENAME "!@rx \.(css|eot|html|js|json|otf|svg|ttf|txt|woff|woff2)$" "t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2736
# Giribaz File Manager, CVE-2018-7204: block direct requests for the plugin's
# log file under the uploads directory.
SecRule REQUEST_FILENAME "@endsWith /wp-content/uploads/file-manager/log.txt" "id:77142131,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Giribaz File Manager plugin before 5.0.2 Information Disclosure (CVE-2018-7204)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_file_manager'"

# DEFA-2764
# WP Total Donations, CVE-2019-6703: a listed endpoint, an argument value
# containing "miglaA_" or "migla_getme", and no Referer header at all.
# The rule is tagged wp_core although it targets a plugin.
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/wp-total-donations/the-ajax-caller.php wp-cron.php" "id:77142178,chain,phase:2,block,log,severity:2,t:urlDecode,t:normalizePath,msg:'IM360 WAF: WP Total Donations Plugin vulnerability (CVE-2019-6703)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule ARGS "@pm miglaA_ migla_getme" "chain,t:none,t:urlDecode"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2833
# jQuery-File-Upload, CVE-2018-9206: request for the plugin's readme.txt.
# The chained no-Referer test follows on the next line of the file.
SecRule REQUEST_FILENAME "@endsWith /jquery-html5-file-upload/readme.txt" "id:77142196,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
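SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2833
# jQuery-File-Upload, CVE-2018-9206: the upload handler paths are covered by
# two rules with the same target list. 77142198 handles a missing Referer,
# 77142200 a Referer that does not contain the server name.
# None of the DEFA-2833, DEFA-2834 and DEFA-4145 rules sets a phase, so the
# phase comes from SecDefaultAction (not visible here).
SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142198,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-2833
SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142200,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-2834
# PW WooCommerce Bulk Edit: requests for the plugin's readme, results.js or
# license file with no Referer header. The msg labels this as reconnaissance.
SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/pw-bulk-edit\/(readme\.txt|results\.js|license\.txt)" "id:77142208,chain,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: XSS in PW WooCommerce Bulk Edit (Recon)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_pw_bulk_edit'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"

# DEFA-4145
# Same jQuery-File-Upload paths, keyed on the uploaded file name rather than
# on Referer: block when an uploaded file name ends in a PHP-type extension.
# NOTE(review): "php?\d?" makes the second "p" optional, so the pattern also
# matches ".ph" and ".ph<digit>". The sibling rules below use "php\d?".
# This only over-matches, so it is left unchanged.
SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77316860,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule FILES "@rx \.(?:pht|phtml|php?\d?)$" "t:none,t:lowercase,t:normalizePath"

# DEFA-4753
# dzs-zoomsounds savepng.php: block when the "location" argument ends in a
# script, executable or server-config extension.
# The tag reads wp_plugin_dnz_zoomsounds while the plugin path is
# dzs-zoomsounds, and the msg has no trailing "||" unlike its neighbours. Both
# are kept verbatim; tag-based filters and log parsers should allow for them.
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/dzs-zoomsounds/savepng.php" "id:77350016,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin dzs-zoomsounds - Unauthenticated Remote Code Execution||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_dnz_zoomsounds'"
SecRule ARGS:location "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# Piotnet form builders, upload through admin-ajax.php. "PF" is used for the
# piotnetforms action and "PAFE" for the pafe action. Both rules block when an
# uploaded file name ends in one of the listed extensions. The name is
# lowercased first, because the pattern is written in lower case only.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77316921,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PF File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'"
SecRule ARGS:action "@streq piotnetforms_ajax_form_builder" "chain,t:none,t:lowercase"
SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77316922,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PAFE File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'"
SecRule ARGS:action "@streq pafe_ajax_form_builder" "chain,t:none,t:lowercase"
SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:lowercase"

# Same extension list, keyed on the two Piotnet upload directories.
# Changed: the FILES links now apply t:lowercase, matching 77316921 and
# 77316922. With t:none alone, the lower-case-only pattern would not match an
# upper-case or mixed-case extension.
# NOTE(review): going by the labels above, the msg texts look swapped. The
# piotnet-addons-for-elementor path is labelled "PF RCE" and the piotnetforms
# path "PAFE RCE". The msg strings are left unchanged; confirm before using
# them for triage.
SecRule REQUEST_URI "@contains /wp-content/uploads/piotnet-addons-for-elementor/" "id:77316923,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: PF RCE||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'"
SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:lowercase"
SecRule REQUEST_URI "@contains /wp-content/uploads/piotnetforms/files/" "id:77316924,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: PAFE RCE||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'"
SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:lowercase"

# DEFA-4330
# WP Automatic process_form.php. 77316936 blocks a POST whose Referer does not
# contain the server name. 77316937 is log-only (pass, severity 5, tag noshow)
# and records selected request parameters for every POST that reaches it.
# Changed in 77316937: "default_role:{ARGS.default_role}" was missing the "%"
# that marks a macro, so the literal text was logged instead of the value. It
# now matches the other %{ARGS.*} fields in the same msg.
# NOTE(review): the msg interpolates client-supplied parameter values, so the
# resulting log field should be treated as untrusted text by whatever parses
# or displays it.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316936,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Data injection vulnerability in Automatic Plugin for WordPress||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /plugins/wp-automatic/process_form.php" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}"
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316937,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Data injection vulnerability in Automatic Plugin for WordPress||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||default_role:%{ARGS.default_role}||users_can_register:%{ARGS.users_can_register}||home:%{ARGS.home}||siteurl:%{ARGS.siteurl}||names:%{ARGS.names}||',tag:'wp_plugin',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /plugins/wp-automatic/process_form.php" "t:none"

# DEFA-4148
# Block POST uploads of PHP-type files to the super-forms upload handler path.
# NOTE(review): the msg names "dzs-videogallery" while the URI link matches
# the super-forms plugin directory. The msg is left unchanged; confirm which
# plugin this rule is meant to describe.
# Changed: the FILES link now applies t:lowercase, as 77316860 does for the
# same kind of extension check.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316863,chain,block,log,severity:2,phase:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in dzs-videogallery WordPress plugin||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-content/plugins/super-forms/uploads/php/" "chain,t:none,t:normalizePath"
SecRule FILES "@rx \.(?:pht|phtml|php\d?)$" "t:none,t:lowercase"

# Log-only (pass, severity 5, tag noshow): POST to a .htaccess or PHP-type
# file under wp-includes, wp-content or wp-admin with a Referer that does not
# contain the server name.
# The msg says "no referer", but the last link tests the header's value, not
# its absence.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316934,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Suspicious access attempt with no referer - (WP folders)!||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "chain,t:none"
SecRule REQUEST_FILENAME "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}"

# DEFA-4146
# SuperStoreFinder import.php: block POST uploads of PHP-type files.
# Changed: the FILES link now applies t:lowercase, as in 77316863 above.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316864,chain,block,log,severity:2,phase:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in SuperStoreFinder WordPress plugin||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/import.php" "chain,t:none,t:normalizePath"
SecRule FILES "@rx \.(?:pht|phtml|php\d?)$" "t:none,t:lowercase"

# DEFA-4361
# Avada theme (< 7.4.2) forum-search XSS: two detection-only rules (pass,
# severity 5, auditlog) that match markup characters in the request URI.
# Neither rule blocks the request.
SecRule REQUEST_URI "@rx \/forums\/search\/\w{1,20}\/?--><" "id:77317942,chain,phase:2,t:none,pass,severity:5,auditlog,msg:'IM360 WAF: Cross-Site Scripting in Avada < 7.4.2 theme for WordPress||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule REQUEST_URI "@rx >/?$" "t:none"
SecRule REQUEST_URI "@rx \/forums\/search\/" "id:77317943,chain,phase:2,t:none,pass,severity:5,auditlog,msg:'IM360 WAF: Cross-Site Scripting in Avada < 7.4.2 theme for WordPress||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule REQUEST_URI "@rx <[^\(]{0,200}.{0,30}[\x22'`][\)>]" "t:none"

#DEFA-4375
# MStore API (< 3.4.5) unauthenticated PHP upload: first link of a blocking
# chain. The remaining links follow on the next line of the file.
SecRule REQUEST_METHOD "@streq POST" "id:77317985,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: MStore API < 3.4.5 - Unauthenticated PHP File Upload||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'im360_req_post'"
SecRule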
REQUEST_FILENAME "@endsWith /wp-json/api/flutter_woo/config_file" "chain,t:lowercase" SecRule FILES_NAMES "@rx config\.json\.php$" "t:lowercase" # DEFA-4651 SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318032,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318033,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" # DEFA-4730 SecRule REQUEST_URI "@contains /wp-admin/admin-post.php/" "id:77350008,chain,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Sensitive data disclosure vulnerability in UpdraftPlus Backup plugin for WordPress (CVE-2022-0633)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule REQUEST_URI "@contains /wp-admin/options-general.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq updraftplus" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316935,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Login attempt to WordPress with empty referer||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'wp_core',tag:'noshow',tag:'im360_req_post'" SecRule REQUEST_URI "@contains /wp-login.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" # DEFA-4434 SecRule REQUEST_URI "@rx \/wp-json\/omapp\/v1\/(info|support)" "id:77317973,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress 
(CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_plugin'" SecRule REQUEST_METHOD "@rx ^OPTIONS$" "id:77317974,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_plugin'" SecRule REQUEST_URI "@contains omapp/v1" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:Referer "@contains https://wp.app.optinmonster.test" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317975,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_URI "@contains omapp/v1/api/regenerate" "chain,t:none,t:normalizePath" SecRule &ARGS:key "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317976,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_URI "@contains omapp/v1/api/regenerate" "chain,t:none,t:normalizePath" SecRule ARGS:key "@rx ^$" "t:none" #DEFA-4592 SecRule REQUEST_FILENAME "@endsWith /public/assets/jquery-file-upload/server/php/index.php" "id:77318020,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF:jQuery-File-Upload <=9.22.0 - Arbitrary File Upload(CVE-2018-9206)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin'" SecRule ARGS:file "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none,t:lowercase" # DEFA-4709 SecRule REQUEST_METHOD "@rx POST" "id:77316867,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Blind 
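SQL Injection in WP Statistics plugin for WordPress (CVE-2022-0513)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
# Remaining links of the chain whose first rule starts on the previous line.
SecRule REQUEST_URI "@contains /wp-json/wp-statistics/v2/hit" "chain,t:none,t:normalizePath"
# NOTE(review): the `$` sits inside the group, so only `true` is matched
# exactly; `yes` and `1` match as prefixes. Left unchanged because anchoring
# all three would narrow a blocking rule -- confirm the values the plugin accepts.
SecRule ARGS:exclusion_match|ARGS:wp_statistics_hit_rest "@rx ^(?:yes|1|true$)" "chain,t:none,t:lowercase"
SecRule ARGS:exclusion_reason "@rx '|\x22|\(" "t:none,t:htmlEntityDecode,t:urlDecode"
# DEFA-4774
# Blocks requests to wpcargo's barcode.php that carry a `text` argument and a
# `filepath` argument naming .htaccess or a PHP-family file.
SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wpcargo/includes/barcode.php" "id:77350018,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WPCargo < 6.9.0 - Unauthenticated RCE (CVE-2021-25003)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_wpcargo'"
SecRule &ARGS:text "@gt 0" "t:none,chain"
SecRule ARGS:filepath "@rx (\.htaccess|.+\.(pht|phtml|php\d?))" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"
# DEFA-4799
# The argument selector was written `ARGS:/query*`. A name selector is treated
# as a regular expression only when it is enclosed in slashes; without the
# closing slash it is a literal argument name, so the chain had nothing to
# inspect. Rewritten as /^query/ (assumed intent: argument names that start
# with "query" -- confirm against the requests this rule was written for).
# The same selector is corrected in rules 77350021 and 77350022 below.
# NOTE(review): tx.m_var receives MATCHED_VAR, i.e. the whole argument value;
# no `capture` action is set, so the final link does not look at the bracketed
# group only. Watch for false positives now that the selector is effective.
SecRule REQUEST_METHOD "POST" "id:77350019,chain,block,t:none,severity:2,msg:'IM360 WAF: SQLi vulnerability in WP_Query WordPress class before 5.8.3 (CVE-2022-21661)||T:APACHE||MVN:%{TX.m_name}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:/^query/ "@rx \x22terms\x22\:\[\x22([^\]\\\:]+)" "chain,t:none,setvar:tx.m_var=%{MATCHED_VAR},setvar:tx.m_name=%{MATCHED_VAR_NAME}"
SecRule TX:m_var "@rx \x27|\)|\/\*|#" "t:none"
# This chain never sets tx.m_name, so the msg now reports MATCHED_VAR_NAME
# (the argument matched by the last link) instead of an unset TX variable.
SecRule REQUEST_METHOD "POST" "id:77350020,chain,block,t:none,severity:2,msg:'IM360 WAF: Stored XSS vulnerability in WordPress before 5.8.3 (CVE-2022-21662)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:post_name "@rx \x22<" "t:none"
# Tracking rule (pass, severity 5) for the WP_Meta_Query variant; selector
# corrected as described above.
SecRule REQUEST_METHOD "POST" "id:77350021,chain,pass,t:none,severity:5,msg:'IM360 WAF: SQLi possible in WP_Meta_Query WordPress class before 5.8.3 (CVE-2022-21664)||T:APACHE||MVN:%{TX.m_name}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:/^query/ "@rx \x22alias\x22\:\[\x22([^\]\\\:]+)" "chain,t:none,setvar:tx.m_var=%{MATCHED_VAR},setvar:tx.m_name=%{MATCHED_VAR_NAME}"
SecRule TX:m_var "@rx \x27|\)|\/\*|#" "t:none"
# DEFA-4799
# Tracking rule (pass, severity 5): keyword list applied to the same arguments;
# selector corrected as described above.
SecRule REQUEST_METHOD "POST" "id:77350022,chain,pass,t:none,severity:5,msg:'IM360 WAF: Possiblle SQLi attack on WordPress||T:APACHE||MVN:%{TX.m_name}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:/^query/ "@pm sleep( alert( <script /**/ 1=1 2>1 ../../../ ' chr(" "t:none,t:lowercase,setvar:tx.m_var=%{MATCHED_VAR},setvar:tx.m_name=%{MATCHED_VAR_NAME}"
# DEFA-4808
# Two chains for the sgs2fa action on wp-login.php / wp-signup.php: the first
# blocks when the sgs_2fa_login_nonce cookie is absent, the second when the
# Referer does not contain the server name.
# NOTE(review): the Referer link is skipped when the header is absent and the
# header is client-supplied, so the cookie-count chain is the stronger of the two.
SecRule REQUEST_METHOD "POST" "id:77350023,chain,block,t:none,severity:2,msg:'IM360 WAF: Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule ARGS:action "sgs2fa" "chain,t:none"
SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath"
SecRule &REQUEST_COOKIES:sgs_2fa_login_nonce "@eq 0" "t:none"
SecRule REQUEST_METHOD "POST" "id:77350024,chain,block,t:none,severity:2,msg:'IM360 WAF: Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule ARGS:action "sgs2fa" "chain,t:none"
SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"
# DEFA-4873
SecRule ARGS:action "add_custom_font" "id:77350034,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF to RCE in Tatsu Plugin for WordPress 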
(CVE-2021-25094)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "POST" "id:77350035,chain,block,t:none,severity:2,msg:'IM360 WAF: Unauthenticated File Upload in Tatsu Plugin for WordPress (CVE-2021-25094)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule ARGS:action "add_custom_font" "chain,t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule FILES "^\." "t:none" SecRule REQUEST_URI "@contains /typehub/custom/" "id:77350036,chain,block,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated RCE in Tatsu Plugin for WordPress (CVE-2021-25094)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" SecRule REQUEST_BASENAME "\.php" "t:none" # DEFA-4878 SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php" "id:77350043,chain,block,t:none,severity:2,msg:'IM360 WAF: Authenticated Path Traversal and Local File Inclusion in JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1 for WordPress (CVE-2022-1657)||T:APACHE||MV:%{ARGS.slug}||',tag:'wp_plugin'" SecRule ARGS:action "(?:jupiterx|mka)_cp_load_pane_action" "chain,t:none" SecRule ARGS:slug "@rx \.\.\/\.\.\/" "t:none" # DEFA-4939 SecRule REQUEST_METHOD "@rx ^POST$" "id:77350044,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS in Elementor <3.1.4 plugin for WordPrfess (CVE-2021-24891)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@rx lightbox" "chain,t:none" SecRule ARGS:settings|ARGS:html "@rx <script" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350053,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS in 
Elementor <3.1.4 plugin for WordPrfess (CVE-2021-24891)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@rx lightbox" "chain,t:none" SecRule ARGS:settings|ARGS:html "@rx <script" "t:none,t:base64Decode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350048,chain,pass,t:none,severity:5,msg:'IM360 WAF: Monitor XSS in Elementor <3.1.4 plugin for WordPrfess (CVE-2021-24891)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'noshow',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@rx lightbox" "chain,t:none" SecRule ARGS:settings "@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350045,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Elementor Website Builder plugin <= 3.5.5 for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:videoType "@streq hosted" "chain,t:none" SecRule ARGS:videoParams|ARGS:onerror "@rx document\.|<script\)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350054,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Elementor Website Builder plugin <= 3.5.5 for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:videoType "@streq hosted" "chain,t:none" SecRule ARGS:videoParams|ARGS:onerror "@rx document\.|<script\)" "t:none,t:base64Decode" SecRule REQUEST_URI "@contains /wp-content/plugins/elementor/assets/js/frontend.min.js" 
"id:77350046,pass,t:none,t:normalizePath,severity:5,msg:'IM360 WAF: Track Version check of Elementor Website Builder for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'" # DEFA-4965 SecRule REQUEST_METHOD "POST" "id:77350055,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "POST" "id:77350056,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule ARGS:callback "!@rx ^$" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350057,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule &ARGS:option_key "@gt 0" "chain,t:none" SecRule ARGS:perpose "@streq update" "chain,t:none" SecRule ARGS:callback "@rx 
wp_(?:delete|upload)|phpinfo" "t:none" SecRule REQUEST_METHOD "POST" "id:77350058,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Track possible Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule &ARGS:option_key "@gt 0" "chain,t:none" SecRule ARGS:perpose "@streq update" "chain,t:none" SecRule ARGS:callback "!@rx ^$" "t:none" # DEFA-5003 SecRule REQUEST_METHOD "POST" "id:77350082,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in Kaswara Modern WPBakery Page Builder Addons plugin for WordPress (CVE-2021-24284)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains uploadFontIcon" "chain,t:none" SecRule FILES "@rx \.(?:zip|p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "t:none" # DEFA-5048 SecRule REQUEST_METHOD "POST" "id:77350091,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Deletion in Download Manager Plugin for WordPress (CVE-2022-2431)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule ARGS:action "@streq before_delete_post" "chain,t:none" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "t:none,t:normalizePath" SecRule REQUEST_METHOD "POST" "id:77350092,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Deletion in Download Manager Plugin for WordPress 
(CVE-2022-2431)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule ARGS:action "@streq edit" "chain,t:none" SecRule REQUEST_FILENAME "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:file[files][] "@rx ^\/|\.\.\/\.\.\/" "t:none,t:normalizePath,t:urlDecode" # DEFA-5050 SecRule REQUEST_METHOD "POST" "id:77350093,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Cross-Site Request Forgery in Ecwid Ecommerce Shopping Cart Plugin For WordPress (CVE-2022-2432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule &ARGS:ecwid_store_id|&ARGS:ecwid_store_page_id|&ARGS:ecwid_disable_dashboard|&ARGS:ecwid_disable_pb_url|&ARGS:ecwid_plugin_migration_since_version|&ARGS:ecwid_seo_links_enabled|&ARGS:ecwid_print_html_catalog|&ARGS:ecwid_api_status|&ARGS:ecwid_hide_canonical "@gt 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350094,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Cross-Site Request Forgery in Ecwid Ecommerce Shopping Cart Plugin For WordPress (CVE-2022-2432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule ARGS:wp-nonce "@rx ^$|null" "chain,t:none,t:lowercase" SecRule &ARGS:ecwid_store_id|&ARGS:ecwid_store_page_id|&ARGS:ecwid_disable_dashboard|&ARGS:ecwid_disable_pb_url|&ARGS:ecwid_plugin_migration_since_version|&ARGS:ecwid_seo_links_enabled|&ARGS:ecwid_print_html_catalog|&ARGS:ecwid_api_status|&ARGS:ecwid_hide_canonical "@gt 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350095,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Cross-Site Request Forgery in Ecwid Ecommerce Shopping Cart Plugin For WordPress (CVE-2022-2432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'" SecRule &ARGS:wp-nonce "@lt 1" "chain,t:none" SecRule 
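&ARGS:ecwid_store_id|&ARGS:ecwid_store_page_id|&ARGS:ecwid_disable_dashboard|&ARGS:ecwid_disable_pb_url|&ARGS:ecwid_plugin_migration_since_version|&ARGS:ecwid_seo_links_enabled|&ARGS:ecwid_print_html_catalog|&ARGS:ecwid_api_status|&ARGS:ecwid_hide_canonical "@gt 0" "t:none"
# The line above is the last link of a chain whose earlier rules are on the
# previous line: it matches when any of the listed ecwid_* arguments is present.
# DEFA-5102
# Blocks requests to page.php / index.php that carry a `page` or `limit`
# argument when limit, page, id or fid contains one of the listed markers.
SecRule REQUEST_FILENAME "@pm /page.php /index.php" "id:77350096,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection via WordPress Link functionality||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
SecRule &ARGS:page|&ARGS:limit "@gt 0" "chain,t:none"
SecRule ARGS:limit|ARGS:page|ARGS:id|ARGS:fid "@rx (?:<script>|\/\.\.\/etc\/passwd|exec xp_cmdshell|\/\*\*\/)" "t:none,t:lowercase"
# DEFA-5089
# Blocks an empty SQL comment in the id-style arguments of product_details.php.
SecRule REQUEST_FILENAME "@pm /product_details.php" "id:77350097,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection via id parameter||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
SecRule ARGS:p_id|ARGS:productId|ARGS:id|ARGS:categ-id|ARGS:product-id "@rx (\/\*\*\/)" "t:none,t:lowercase"
# DEFA-5124
# Blocks the BackupBuddy download arguments when they reference one of the
# listed sensitive paths.
SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /admin-post.php /cgi-sys/autodiscover.cgi /cgi-sys/autoconfig.cgi /cgi-sys/suspendedpage.cgi /index.php" "id:77350098,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Arbitrary File Download/Read in BackupBuddy Plugin For WordPress (CVE-2022-31474)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'"
SecRule ARGS:local-download|ARGS:local-destination-id "@pm /etc/passwd ../../ /wp-config.php .my.cnf .accesshash" "t:none,t:normalizePath"
# DEFA-5139
# Blocks requests to the WPGateway web-service script with wp_new_credentials=1.
SecRule REQUEST_FILENAME "@pm wp-content/plugins/wpgateway/wpgateway-webservice-new.php" "id:77350104,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation in WPGateway WordPress plugin (CVE-2022-3180)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'"
SecRule ARGS:wp_new_credentials "@eq 1" "t:none,t:lowercase"
# DEFA-5027
# MailPress: block an autosave POST whose subject contains `<`, and block the
# iview action when an id is supplied.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350129,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: RCE vulnerability in MailPress plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-content/plugins/mailpress/mp-includes/action.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@streq autosave" "chain,t:none"
SecRule ARGS:subject "@contains <" "t:none"
SecRule REQUEST_URI "@contains /wp-content/plugins/mailpress/mp-includes/action.php" "id:77350130,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Payload access attempt in MailPress plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule ARGS:action "@streq iview" "chain,t:none"
SecRule ARGS:id "!@rx ^$" "t:none"
# tagDiv Composer (CVE-2022-3477): two chains on the td_ajax_fb_login_user
# action with a user[email] argument.
# The user[email] link was written "!rx ^$". Without the `@` the text after `!`
# is taken as the pattern itself, so the link did not test for a non-empty value.
# Corrected to "!@rx ^$", the form rule 77350130 above already uses.
# NOTE(review): the last link of 77350139 applies @contains to
# &REQUEST_HEADERS:Referer, which is the header COUNT, not its value, so the
# negated test is effectively always true and the chain blocks every request
# that reaches it. Left unchanged on purpose: switching to the header value
# would narrow a blocking rule (and would skip requests without a Referer).
# Confirm the intended condition with the rule owner before changing it.
SecRule REQUEST_METHOD "@rx POST" "id:77350139,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@streq td_ajax_fb_login_user" "chain,t:none"
SecRule ARGS:user[email] "!@rx ^$" "chain,t:none"
SecRule &REQUEST_HEADERS:Referer "!@contains %{REQUEST_HEADERS.Host}"
# Second chain: same action, blocked when no cookie whose name matches
# wordpress_logged_in_ is present. Cookie presence is client-supplied, so this
# is a coarse filter, not proof of an authenticated session.
SecRule REQUEST_METHOD "@rx POST" "id:77350140,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@streq td_ajax_fb_login_user" "chain,t:none"
SecRule ARGS:user[email] "!@rx ^$" "chain,t:none"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
# DEFA-5442
SecRule REQUEST_METHOD "^POST$" "id:77350149,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Possible XMLRPC SSRF 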
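attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
# Remaining links of tracking rule 77350149 (first rule on the previous line):
# log a POST to an xmlrpc path whose server name or Host header contains
# `#`, `?`, `[` or `]`. The bracket characters also occur in IPv6 literal
# hosts, so expect those in this log-only rule.
SecRule REQUEST_FILENAME "@contains xmlrpc" "chain,t:none"
SecRule SERVER_NAME|REQUEST_HEADERS:Host "@rx [\#\?\[\]]" "t:none,t:htmlEntityDecode"
# Tracking rule (pass, severity 5): internal addresses in the URI or arguments.
# The 172.x alternative was `172\.[1-3]\d`, i.e. 172.10-172.39; narrowed to the
# private block 172.16-172.31.
# NOTE(review): the alternatives are unanchored (e.g. `10\.` also matches inside
# a longer first octet) and link-local / IPv6 loopback forms are not listed.
# NOTE(review): XML-RPC parameters travel in the XML request body; whether they
# appear in ARGS depends on the configured body processor -- confirm, otherwise
# this link and the one in 77350151 only see the URI and form arguments.
SecRule REQUEST_METHOD "^POST$" "id:77350150,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Possible XMLRPC SSRF attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@contains xmlrpc" "chain,t:none"
SecRule REQUEST_URI|ARGS "@rx (?:10|127)\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|localhost|fc00\:\:" "t:none,t:htmlEntityDecode"
# Blocking rule: non-HTTP URL schemes in the URI or arguments of an xmlrpc POST.
SecRule REQUEST_METHOD "^POST$" "id:77350151,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Possible XMLRPC SSRF attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@contains xmlrpc" "chain,t:none"
SecRule REQUEST_URI|ARGS "@rx (?:gopher|doc|glob|file|phar|zlib|ftp|ldap|dict|ogg|data):\/\/" "t:none,t:htmlEntityDecode"
# DEFA-5476
# Yith WooCommerce Gift Cards: block a POST to the plugin panel whose Referer
# does not contain the server name.
# NOTE(review): the Referer link is skipped when the header is absent, and the
# header is client-supplied; treat as a heuristic.
SecRule REQUEST_METHOD "@rx POST" "id:77350152,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: CSRF in Yith WooCommerce Gift Cards Premium plugin for WordPress||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none"
SecRule ARGS:page "@streq yith_woocommerce_gift_cards_panel" "chain,t:none"
SecRule REQUEST_HEADERS:referer "!@contains %{SERVER_NAME}" "t:none"
# Import upload check for the same panel; the chain continues on the next line.
SecRule REQUEST_METHOD "@rx POST" "id:77350153,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Yith WooCommerce Gift Cards Premium plugin for WordPress (CVE-2022-45359)||T:APACHE||File:%{FILES}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none"
SecRule ARGS:page "@streq 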
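yith_woocommerce_gift_cards_panel" "chain,t:none"
# Remaining links of rule 77350153 (first rules on the previous line): the
# import action is blocked when the uploaded file name does not end in .csv.
# No t:lowercase is applied, so an upper-case .CSV name is blocked as well.
SecRule ARGS:ywgc_safe_submit_field "@streq importing_gift_cards" "chain,t:none"
SecRule FILES:file_import_csv "!@rx \.csv$" "t:none"
# DEFA-5526
# Blocks member_detail.php requests whose id contains any non-digit character.
SecRule REQUEST_URI "@contains /members/member_detail.php" "id:77350154,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection Vulnerability in profile builder 3.0.5 plugin for WordPress||T:APACHE||',tag:'wp_plugin'"
SecRule ARGS:id "@rx \D" "t:none"
# DEFA-5573
# LearnPress: traversal marker in the template path arguments.
SecRule ARGS:template_pagination_path|ARGS:template_path|ARGS:template_path_item "@contains \/..\/.." "id:77350157,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Local File Inclusion in LearnPress plugin for WordPress (CVE-2022-47615)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'"
# NOTE(review): the msg says "Track" but the action is block.
SecRule ARGS:ORDER_BY|ARGS:GROUP_BY "@rx \x27|\x28|\x7c\x7c|--|=" "id:77350158,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Track Unauthenticated SQL Injection in LearnPress plugin for WordPress (CVE-2022-45808)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'"
# Two corrections in rule 77350159:
#  - The first link used @contains with two space-separated names; @contains
#    takes the whole text as one literal, so neither name could match on its
#    own. Changed to @pm, which matches any of the listed phrases.
#  - The second pattern began with a stray quote (`'\x27`), which required two
#    consecutive quotes; it now matches rule 77350158's pattern.
# NOTE(review): with ARGS_NAMES, MATCHED_VAR in the second link is the argument
# name, not its value -- confirm that the name is what should be inspected.
# The msg says "Track" but the action is block; this rule was inert before the
# correction, so review false positives after deployment.
SecRule ARGS_NAMES "@pm learn_press_recent_courses learn_press_featured_courses" "id:77350159,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Track Authenticated SQL Injection in LearnPress plugin for WordPress (CVE-2022-45820)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'"
SecRule MATCHED_VAR "@rx \x27|\x28|\x7c\x7c|--|=" "t:none"
# WPT-43
# Quick Restaurant Menu: block menu-item actions whose Referer does not contain
# the server name (the final link continues on the next line).
# The msg macro was written %{ARGS:action}; changed to %{ARGS.action}, the form
# the other rules in this file use (e.g. %{ARGS.callback}, %{ARGS.slug}).
SecRule REQUEST_METHOD "POST" "id:77350164,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF in Quick Restaurant Menu <= 2.0.2 plugin for WordPress (CVE-2023-0554)||T:APACHE||Action:%{ARGS.action}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@rx erm_(delete|create|update)_menu_item" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains 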
%{SERVER_NAME}" "t:none" # WPT-72 SecRule REQUEST_METHOD "@rx ^POST$" "id:77350170,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Insecure Deserialization in BuddyForms Plugin < 2.7.8 for WordPress (CVE-2023–26326)||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx upload_image_from_url" "chain,t:none" SecRule ARGS:url "@rx ^phar|\.phar$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350171,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Track suspicious upload in WordPress||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx upload" "chain,t:none" SecRule ARGS:url "!@rx ^http" "t:none" # WPT-86 SecRule REQUEST_COOKIES:/platform_checkout_session/ "!@rx ^$" "id:77350172,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress ||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'" SecRule RESPONSE_HEADERS:set-cookie "@rx platform_checkout_session" "id:77350173,phase:3,block,log,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress ||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'service_i360'" SecRule REQUEST_METHOD "@rx POST" "id:77350174,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'" SecRule ARGS:HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER "!@rx ^$" SecRule REQUEST_METHOD "@rx POST" "id:77350175,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Possible Authentication Bypass in WooCommerce Payments 
before plugin for WordPress 4.8.0-5.6.1||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'" SecRule REQUEST_HEADERS:Content-Length "!@rx ^([56789]\d{6,}|\d{8,})$" "chain,t:none" SecRule FILES "@rx ^$" "chain,t:none" SecRule REQUEST_BODY "@contains HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER" SecRule REQUEST_URI "@rx /wp-admin/" "id:77350176,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation in Elementor Pro < 3.11.7 (CWE-862)||MV:%{ARGS.wc-ajax}||T:APACHE||',tag:'service_i360'" SecRule ARGS:wc-ajax "@rx ^\d" "t:none" SecRule UNIQUE_ID "@rx fff$" "id:77350177,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Track ajax in WooCommwerce||MV:%{ARGS.wc-ajax}||T:APACHE||',tag:'service_i360'" SecRule ARGS:wc-ajax "!@rx ^$" "t:none"