# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2024 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity WordPress Ruleset

# Reading guide (review notes):
# - One directive per line; the conditions of a chained rule are indented under
#   the SecRule that carries the id. Every condition of a chain has to match
#   before the action of the first rule (block / pass) is applied.
# - "block" does not itself deny: it applies the disruptive action configured
#   by the surrounding SecDefaultAction, which is not part of this file excerpt.
# - FILES holds the client-supplied names of uploaded files, so the upload
#   rules below inspect file names, not file contents.
# - Rules with pass/auditlog only record the request; they do not stop it.
# - Rules that set no phase inherit it from the configured default action.

# DEFA-2590
# Fires only when the request carries both an argument named "WordPress" and
# one named "Database".
SecRule ARGS_NAMES "^WordPress$" "chain,id:77141091,block,severity:2,t:none,msg:'IM360 WAF: Obfuscated malware dropper request||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS_NAMES "^Database$" "t:none"

# DEFA-1815
# Upload virtual patch: POST to the named uploader plus an uploaded file name
# containing one of the listed server-side/script extensions. The extension is
# matched case-insensitively and only needs to be followed by a non-word
# character or the end of the name, so it need not be the final extension.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140865,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Theme Konzept Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /includes/uploadify/upload.php" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140867,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Simple Ads Manager Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1819
#WPT-26
# This variant of the extension list omit exe and js (compare the list above).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140870,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress FormCraft Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx \/wp-content\/plugins\/formcraft\/file-upload\/server\/(?:php|content)\/" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|ico|suspected|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140871,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Downloads Manager File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx \/wp-content\/plugins\/downloads-manager\/" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# Track WordPress ?author=1 usernames check
# Detection only (pass,auditlog): records requests whose "author" argument is
# numerically >= 1; the request is not blocked by this rule.
SecRule ARGS:author "@ge 1" "id:77140876,pass,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Track WordPress users enumeration||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'noshow'"

# DEFA-1819
# NOTE(review): the msg text names "Downloads Manager" while the path condition
# matches dzs-videogallery; the message looks copied from rule 77140871, which
# will mislabel this event in logs. Triage by id, not by message.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140907,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Downloads Manager File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx /wp-content/plugins/dzs-videogallery/admin/upload.php" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1819
# NOTE(review): msg names "Simple Ads Manager" but the path condition matches
# the social-networking-e-commerce-1 plugin. This chain also requires a
# config_path argument containing "../../" before the file-name check applies.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140908,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Simple Ads Manager File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/social-networking-e-commerce-1/classes/views/social-options/form_cat_add.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:config_path "@rx \.\.\/\.\.\/" "chain,t:none,t:urlDecodeUni"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140909,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Viral Optins Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/viral-optins/api/uploader/file-uploader.php" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140913,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Satoshi Theme File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /wp-content/themes/satoshi/functions/upload-handler.php" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140914,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress iThemes2 Theme File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /wp-content/themes/ithemes2/themify/themify-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:upload "@streq 1" "chain,t:none,t:urlDecodeUni"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1782
# Path traversal guard: GET to the download script with "../../" in the
# URL-decoded "file" argument.
SecRule REQUEST_METHOD "@rx ^GET$" "id:77140917,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin eShop Magic Arbitrary File Access||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/eshop-magic/download.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:file "@rx \.\.\/\.\.\/" "t:none,t:urlDecodeUni"

# DEFA-1783
# Negated match: blocks when "src" does NOT start with an http(s)/ftp(s) URL on
# this server's own name.
# NOTE(review): depends on %{SERVER_NAME} being expanded inside the @rx
# operand - confirm for the engine version in use.
SecRule REQUEST_METHOD "@rx ^GET$" "id:77140918,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Mobile Detector 3.5 file Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wp-mobile-detector/resize.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:src "!@rx ^(?:ht|f)tps?:\/\/%{SERVER_NAME}" "t:none,t:urlDecodeUni"

# DEFA-1787
#WPT-26
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140924,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Cherry-Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/cherry-plugin/admin/import-export/upload.php" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|ico|suspected|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module)(?:\W|$)" "t:none,t:urlDecodeUni"

# DEFA-1925
# Input-type check: "videoid" is blocked as soon as it contains any non-digit.
SecRule REQUEST_METHOD "@rx ^GET$" "id:77140934,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin WebPlayer SQL injection vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith hd-webplayer/playlist.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:videoid "@rx \D" "t:none"

# DEFA-1944
# The method pattern here is unanchored ("POST"), unlike "^POST$" used above.
# The file-name pattern matches only when the PHP-like extension ends the name
# (or the name contains ".htaccess"); the name is lowercased first.
SecRule REQUEST_METHOD "@rx POST" "id:77140937,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: WordPress JobManager Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx \/jm-ajax\/upload_file\/" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (?:\.htaccess|\.(pht|phtml|php\d?)$)" "t:lowercase"

# DEFA-1947
SecRule REQUEST_METHOD "@rx POST" "id:77140939,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: WordPress Category and Page Icons Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith category-page-icons/include/wpdev-flash-uploader.php" "chain,t:none,t:normalizePath"
    SecRule &ARGS:dir_icons "@gt 0" "chain,t:none"
    SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:lowercase"

# DEFA-2078
# Remote-inclusion guard: blocks when acf_abspath begins with an http(s)/ftp(s)
# URL scheme.
SecRule REQUEST_FILENAME "@endsWith advanced-custom-fields/core/actions/export.php" "id:77140968,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Advanced Custom Fields Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_advanced_custom_fields'"
    SecRule ARGS:acf_abspath "@rx ^(?:ht|f)tps?:\/\/" "t:none,t:urlDecodeUni"

# DEFA-2117
SecRule REQUEST_FILENAME "@endsWith inboundio-marketing/admin/partials/csv_uploader.php" "id:77140982,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin InBoundio Marketing Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_inboundio_marketing'"
    SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase"

# DEFA-2165
# One rule covers the same server/images.php uploader shipped in five
# differently named app-builder plugins.
SecRule REQUEST_FILENAME "@rx (mobile-friendly-app-builder-by-easytouch|mobile-app-builder-by-wappress|webapp-builder|zen-mobile-app-native|wp2android-turn-wp-site-into-android-app)/server/images\.php" "id:77140987,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Builder Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'service_wp_plugin'"
    SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase"

# DEFA-2298
# Blocks the REST route when the "sc" argument names wp_insert_user or
# array_pop (compared after lowercasing).
SecRule REQUEST_URI "@contains /wp-json/trx_addons/v2/get/sc_layout" "id:77141008,chain,block,log,severity:2,t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: WordPress ThemeREX Plugin RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||USR:%{ARGS.user_login}||',tag:'service_i360custom',tag:'service_wp_plugin'"
    SecRule ARGS:sc "@rx (wp_insert_user|array_pop)" "t:none,t:lowercase"

# DEFA-2310
# Blocks a PHP/XML open tag ("<?") in login_error on any URI containing /login/.
SecRule REQUEST_URI "@contains /login/" "id:77141010,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress AccessAlly plugin unauthenticated arbitrary PHP code execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'"
    SecRule ARGS:login_error "@rx <\?" "t:none,t:urlDecodeUni"

# DEFA-2320
# Not path-scoped: applies to any request with a "comment" argument that holds
# an HTML comment opening one of the listed cache-plugin directives.
SecRule ARGS:comment "@rx <!--\s{0,128}(?:dynamic-cached-content|mfunc|mclude)" "id:77141016,block,log,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: WordPress Caching plugins remote PHP code execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"

# DEFA-2281
# Whitespace is stripped from the file name before the extension test.
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/contact-form-7/modules/file.php" "id:77141031,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Contact-Form-7 5.1.6 plugin remote file upload||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_contact_form'"
    SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-1819
# Narrow signature: an elFinder-style connector upload whose file name contains
# ";echo" (shell metacharacter in the name, per the CVE in the message).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140916,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress connector.minimal.php File Upload Vulnerability (CVE-2019-9194)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /php/connector.minimal.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:cmd "@contains upload" "chain,t:none,t:urlDecodeUni"
    SecRule &ARGS:target "@gt 0" "chain,t:none"
    SecRule FILES "@rx ;echo" "t:none,t:urlDecodeUni"

# DEFA-2366
# Indicator-of-compromise rule: blocks access to a plugin directory name that
# the message identifies as a fake plugin hosting a web shell. A hit means the
# path was requested, so the site should also be checked for that directory.
SecRule REQUEST_FILENAME|PATH_INFO "@rx \/wp-content\/plugins\/blnmrpb\/(?:index\.php)?" "id:77141036,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WebShell in Fake Plugin blnmrpb||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'"

# DEFA-2473
SecRule REQUEST_FILENAME "@rx plugins/(wordpress-popup|hustle)/views/admin/dashboard" "id:77141074,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Hustle/wordpress-popup directory traversal||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wordpress_popup'"

# DEFA-2684
# Allow-list style check: "id" must be an optionally negative integer.
SecRule REQUEST_FILENAME "@endsWith chopslider/get_script/index.php" "id:77142119,phase:2,chain,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Chop Slider 3 - A blind SQL injection (CVE-2020-11530)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_lord_linus_chop_slider'"
    SecRule ARGS:id "!@rx ^-?\d+$" "t:none,t:urlDecodeUni"

# DEFA-2697
# Blocks any request into a 13-hex-character directory under the Elementor
# upload tmp folder.
SecRule REQUEST_FILENAME "@rx wp-content\/uploads\/elementor\/tmp\/[a-f0-9]{13}\/" "id:77142132,block,log,t:none,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: WordPress Plugin Elementor Block web shell access (CVE-2020-7055)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"

# DEFA-2746
# NOTE(review): the last condition applies t:normalizePath before looking for
# "../"; confirm that normalisation leaves the sequence this pattern expects.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142150,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Path traversal vulnerability in Gravity forms plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule ARGS:gf_page "@streq upload" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace"
    SecRule ARGS:gform_unique_id "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2772
# @pm is a phrase match, not a regex: the three phrases "/htm?", "/stm?" and
# ".js?" are searched for literally, question mark included.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142163,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Redirect from login page in WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:redirect_to "@pm /htm? /stm? .js?" "t:none,t:urlDecodeUni"

# DEFA-2772
# Every prefix in the pattern is optional, so it matches any tracking_code
# value that contains the substring "script". Not path-scoped.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142165,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS in the WP-Piwik plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:wp-piwik[track_mode] "@streq manually" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:wp-piwik[tracking_code] "@rx (?:(x-)?(?:java|vb|j|ecma)?script)" "t:none,t:urlDecode"

# DEFA-2749
# Runs in phase 1 (request headers), i.e. before the request body is parsed,
# so only a yp_remote_get argument in the query string is visible to it.
SecRule &ARGS:yp_remote_get "@gt 0" "id:77142168,phase:1,severity:2,block,log,t:none,msg:'IM360 WAF: WordPress YellowPencil Visual CSS Style Editor < 7.2.0 - Privilege Escalation||T:APACHE||',tag:'wp_plugin_yellow_pencil_visual_theme_customizer'"

# DEFA-2940
SecRule REQUEST_FILENAME "@endsWith reflex-gallery/admin/scripts/FileUploader/php.php" "id:77142217,chain,msg:'IM360 WAF: Arbitrary File Upload vulnerability in the ReFlex Gallery plugin before 3.1.4 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_reflex_gallery'"
    SecRule ARGS:Year|ARGS:Month "@ge 1" "t:none"

# DEFA-2972
# Detection only: sets tx.bl_file_flag=1 and audit-logs the request. The rule
# that consumes the flag is not in this excerpt.
SecRule REQUEST_FILENAME "@endsWith /wp-custom-pages/wp-download.php" "id:77142247,pass,nolog,auditlog,t:none,t:normalizePath,severity:5,msg:'IM360 WAF: Track WordPress WP Custom Pages 0.5.0.1 LFI||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',setvar:'tx.bl_file_flag=1',tag:'service_i360custom',tag:'wp_core'"

# DEFA-3165 DEFA-3436
# Unconditional: every request to a lib/ or elfinder/ connector.minimal.php is
# blocked, whatever the method or arguments (broader than rule 77140916).
SecRule REQUEST_FILENAME "@rx \/(?:lib|elfinder)\/php\/connector\.minimal\.php" "id:77316730,phase:2,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress plugin File Manager < 6.9 & Elfinder 2.1.47 - Remote Code Execution||T:APACHE||REQUEST_FILENAME:.../lib/php/connector.minimal.php||',tag:'service_i360custom'"

# DEFA-3285
SecRule REQUEST_URI "@rx \/wp-content\/plugins\/?[\w\d\-_]{0,50}assembly\/js\/js\.php" "id:77316740,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Attempt to exploit malicious WordPress plugin||URI:%{REQUEST_URI}||T:APACHE||',tag:'service_i360custom'"

# DEFA-3415
# Matches a rename request that turns a non-.php name into a .php name:
# eeFileOld does not end in .php, eeFileAction starts with "Rename|" and ends
# in .php. Comparisons are case-sensitive (t:none only).
SecRule REQUEST_FILENAME "@endsWith ee-file-engine.php" "chain,id:77316747,block,log,phase:2,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin Simple File List < 4.2.3||T:APACHE||ARGS.eeFileOld:%{ARGS.eeFileOld}||ARGS.eeFileAction:%{ARGS.eeFileAction}||',tag:'wp_core',tag:'service_i360custom'"
    SecRule ARGS:eeFileOld "!@endsWith .php" "chain,t:none"
    SecRule ARGS:eeFileAction "@beginsWith Rename|" "chain,t:none"
    SecRule ARGS:eeFileAction "@endsWith .php" "t:none"

# Not path-scoped: any POST carrying a wp_capabilities[administrator] argument
# is blocked.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316752,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Privilege Escalation Vulnerability in WordPress Ultimate Member < 2.1.12||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'"
    SecRule &ARGS:wp_capabilities[administrator] "@gt 0" "t:none"

# DEFA-3465
# Allow-list: aam-media is blocked unless it ends in one of the listed media or
# document extensions. The comparison is case-sensitive (no t:lowercase).
SecRule ARGS:aam-media "!@rx \.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$" "id:77316755,block,log,phase:2,severity:2,t:none,msg:'IM360 WAF: Data leak in WordPress plugin Advanced Access Manager < 5.9.9||T:APACHE||ARGS.aam-media:%{ARGS.aam-media}||',tag:'wp_core',tag:'service_i360custom'"

# DEFA-3434
# Two rules on the same cookie: the first blocks when the serialized class name
# is followed by both bookmark_name and on_destroy; the second, broader pattern
# (without on_destroy) is only audit-logged.
SecRule REQUEST_COOKIES:usces_cookie "@rx WP_HTML_Token[^}]+?bookmark_name[^}]+?on_destroy" "id:77316763,block,log,phase:2,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Unsafe deserialization leading to RCE in WordPress plugin Welcart e-Commerce < 1.9.36||T:APACHE||REQUEST_COOKIES.usces_cookie=%{REQUEST_COOKIES.usces_cookie}||',tag:'wp_core',tag:'service_im360'"
SecRule REQUEST_COOKIES:usces_cookie "@rx WP_HTML_Token[^}]+?bookmark_name" "id:77350311,pass,nolog,auditlog,phase:2,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Unsafe deserialization leading to RCE in WordPress plugin Welcart e-Commerce < 1.9.36||T:APACHE||REQUEST_COOKIES.usces_cookie=%{REQUEST_COOKIES.usces_cookie}||',tag:'wp_core',tag:'service_i360custom'"

# DEFA-3544
# Three file-name checks for the Contact Form 7 REST upload route:
#   77316768 - a php/phtml extension followed by a Unicode control or
#              separator character;
#   77350249 - any character in the range U+0000..U+001F in the name;
#   77350250 - a name ending in two dot-extensions separated by one whitespace.
SecRule REQUEST_FILENAME "@rx contact-form-7/v1/contact-forms/(?:\d+)/feedback$" "id:77316768,chain,block,log,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin The Contact Form 7 <= 5.3.1||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_core',tag:'service_i360custom'"
    SecRule FILES "@rx (?i:\.(?:php|phtml)\d?[\pC\pZ])" "t:none"
SecRule REQUEST_FILENAME "@contains contact-form-7/v1/contact-forms/" "id:77350249,chain,block,log,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin The Contact Form 7 <= 5.3.2||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_core',tag:'service_i360custom'"
    SecRule FILES "@rx [\x{0000}-\x{001F}]" "t:none"
SecRule REQUEST_FILENAME "@contains contact-form-7/v1/contact-forms/" "id:77350250,chain,block,log,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin The Contact Form 7 <= 5.3.2||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_core',tag:'service_i360custom'"
    SecRule FILES "@rx \.\w+\s\.\w+$" "t:none,t:urlDecodeUni"

# DEFA-3507
# Unconditional block of the connector path (no method or argument condition).
SecRule REQUEST_FILENAME "@endsWith /advanced_file_manager_5/php/connector.minimal.php" "id:77316774,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in Advanced File Manager WordPress plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-3647
SecRule REQUEST_URI "@contains /wp-content/plugins/super-forms/uploads/php/" "id:77316779,chain,block,log,severity:2,phase:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Arbitrary File Upload vulnerability in SuperForms 4.9 WordPress plugin||File:%{FILES}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_METHOD "@rx ^POST$" "chain,t:none"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none"

# DEFA-3647
# Companion to 77316779: blocks requests for PHP-like files inside the
# SuperForms upload directory, i.e. access to something already uploaded.
SecRule REQUEST_FILENAME "@contains /wp-content/uploads/superforms/" "id:77316780,chain,block,log,severity:2,phase:2,t:none,t:normalizePath,msg:'IM360 WAF: Suspicious file access attempt in SuperForms 4.9 WordPress plugin||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'"
    SecRule REQUEST_FILENAME "@rx \.(?:pht|phtml|php\d?)$" "t:none"

# Blocks a single quote in the "email" argument on the user-new, user-edit and
# profile admin pages.
SecRule REQUEST_METHOD "@pm POST GET" "id:77225150,chain,msg:'IM360 WAF: XSS vulnerability in WordPress before 4.3.1 (CVE-2015-7989)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_core'"
    SecRule ARGS:email "@contains '" "chain,t:none,t:urlDecodeUni"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:user\-(?:new|edit)|profile)\.php$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Pair for the same plugin folder: 77240020 inspects uploaded file names;
# 77240022 blocks requests for .php/.js/.pl files in the files/ subfolder.
# 77240020 has no "log" action, unlike 77240022.
SecRule REQUEST_FILENAME "@contains /wp-content/plugins/sexy-contact-form/includes/fileupload/" "id:77240020,chain,msg:'IM360 WAF: Protecting WordPress Creative Contact Form Files folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_sexy_contact_form'"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains /wp-content/plugins/sexy-contact-form/includes/fileupload/files/" "id:77240022,chain,msg:'IM360 WAF: Protecting WordPress Creative Contact Form Files folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_sexy_contact_form'"
    SecRule REQUEST_BASENAME "@rx \.(?:php|js|pl)(?:\.|$)" "t:none,t:urlDecodeUni,t:lowercase"

# Size check: t:length replaces the comment with its length, which is then
# compared with 65536.
# NOTE(review): "VE-2015-8834" in the msg looks like a typo for a CVE id.
SecRule ARGS:comment "@ge 65536" "id:77225010,chain,msg:'IM360 WAF: XSS vulnerability in WordPress before 4.2.1 (CVE-2015-3440 VE-2015-8834)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:length,severity:2,tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith wp-comments-post.php" "t:none,t:lowercase"

# For the two bundled SWF files, every argument value must consist only of
# digits, dots and the letters a/b; anything else is blocked.
SecRule REQUEST_FILENAME "@contains /wp-includes/js/" "id:77225080,chain,msg:'IM360 WAF: XSS vulnerability in Plupload before 2.1.9 or MediaElement.js before 2.21.0 as used in WordPress before 4.5.2 (CVE-2016-4566 & CVE-2016-4567)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_core'"
    SecRule REQUEST_BASENAME "@within flashmediaelement.swf plupload.flash.swf" "chain,t:none,t:lowercase"
    SecRule ARGS "!@rx ^[\d\.ab]+$" "t:none"

# Blocks a non-numeric "id" argument on REST paths containing wp/v2/posts.
SecRule REQUEST_FILENAME "@contains wp/v2/posts" "id:77225160,chain,msg:'IM360 WAF: Content injection vulnerability in WordPress 4.7.x before 4.7.2 (CVE-2017-1001000)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_core'"
    SecRule ARGS:id "@rx \D" "t:none"

#WPT-62 WPT-66
# Resource-exhaustion guard: blocks load[] values listing 100 or more
# comma-separated names.
SecRule REQUEST_URI "@rx \/wp-admin\/load-(styles|scripts)\.php" "id:77225200,chain,block,log,phase:2,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Unauthenticated attackers can cause a denial of service in WordPress through 4.9.2 (CVE-2018-6389)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:load[] "@rx (?:[\w-]+,){100,}" "t:none,t:urlDecode"

# Blocks the settings page request only when no wordpress_logged_in_* cookie
# is present. The check is for cookie presence, not validity.
SecRule ARGS:page|ARGS:option_page "@streq bt_bb_settings" "id:77234280,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: Privilege escalation vulnerability in bold-page-builder plugin before 2.3.2 for WordPress (CVE-2019-15821)||File:%{REQUEST_FILENAME}||T:APACHE||',tag:'wp_plugin_bold_page_builder'"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "chain,t:none"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/options(?:-general)?\.php$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Allow-list on four filter arguments: each must be empty or consist only of
# word characters, "/" and "-".
SecRule REQUEST_METHOD "@pm POST GET" "id:77234700,chain,msg:'IM360 WAF: SQLi vulnerability in ninja-forms plugin before 3.3.21.2 for WordPress (CVE-2019-15025)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_ninja_forms'"
    SecRule ARGS:post_type "@streq nf_sub" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:form_id|ARGS:nf_form_filter|ARGS:begin_date|ARGS:end_date "!@rx (?:^[\w\/\-]+$|^$)" "t:none,t:urlDecodeUni"

# The final condition of the next two chains has no action list of its own, so
# it sets no transformations itself (the other chains here spell out t:none).
SecRule REQUEST_FILENAME "@contains preview-shortcode-external.php" "id:77221460,chain,msg:'IM360 WAF: XSS vulnerability in the OMFG Mobile Pro plugin 1.1.26 and earlier for WordPress (CVE-2014-4541)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_omfg_mobile'"
    SecRule ARGS:shortcode "@contains >"
SecRule REQUEST_FILENAME "@contains main_page.php" "id:77221500,chain,msg:'IM360 WAF: XSS vulnerability in the Game tabs plugin 0.4.0 and earlier for WordPress (CVE-2014-4531)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_game_tabs'"
    SecRule ARGS:n "@contains >"

# \x22 is the double-quote character; the value is URL- and entity-decoded
# before the test.
SecRule REQUEST_FILENAME "@contains wp-restful/html_api_login.php" "id:77221770,chain,msg:'IM360 WAF: XSS vulnerabilities in the WP RESTful plugin 0.1 and earlier for WordPress (CVE-2014-4595)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_wp_restful'"
    SecRule ARGS:oauth_callback_temp|ARGS:oauth_token_temp "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains wp-restful/html_api_authorize.php" "id:77221771,chain,msg:'IM360 WAF: XSS vulnerabilities in the WP RESTful plugin 0.1 and earlier for WordPress (CVE-2014-4595)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_wp_restful'"
    SecRule ARGS:oauth_callback "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith /js/window.php" "id:77227130,chain,msg:'IM360 WAF: XSS vulnerability in the Navis DocumentCloud plugin before 0.1.1 for WordPress (CVE-2015-2807)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_navis_documentcloud'"
    SecRule ARGS:wpbase "@rx \x22" "t:none,t:urlDecodeUni"

# The path condition is broad (any file name containing "download"); the rule
# is effectively keyed on a za_file argument containing "..". Note that the
# value is tested without URL decoding here (t:none only).
SecRule REQUEST_FILENAME "@contains download" "id:77228010,chain,msg:'IM360 WAF: Directory traversal vulnerability in the Zip Attachments plugin before 1.5.1 for WordPress (CVE-2015-4694)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_zip_attachments'"
    SecRule ARGS:za_file "@contains .." "t:none"

# Any "/" in the "file" argument is blocked for this download script.
SecRule REQUEST_FILENAME "@contains /image-export/download.php" "id:77228150,chain,msg:'IM360 WAF: Remote file download vulnerability in WordPress Plugin Image-export v1.1.0 (CVE-2016-5609)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,t:urlDecodeUni,severity:2,tag:'wp_plugin_image_export'"
    SecRule ARGS:file "@contains /" "t:none,t:lowercase,t:urlDecodeUni"

# Applies to any script named download.php, not only the plugin in the msg.
SecRule REQUEST_FILENAME "@endsWith download.php" "id:77228160,chain,msg:'IM360 WAF: Remote file download vulnerability in download-zip-attachments v1.0 for WordPress (CVE-2015-4704)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_download_zip_attachments'"
    SecRule ARGS:za_file "@rx \.\.|^\/" "t:none,t:urlDecodeUni,t:normalizePath"

SecRule ARGS:url "@contains >" "id:77228200,chain,msg:'IM360 WAF: XSS vulnerabilities in the WordPress plugin Ooorl v3.1.1 (CVE-2014-4542)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_ooorl'"
    SecRule REQUEST_COOKIES_NAMES "@contains wordpress" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith redirect.php" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith page-layout-builder/includes/layout-settings.php" "id:77228760,chain,msg:'IM360 WAF: XSS vulnerability in the WordPress plugin page-layout-builder v1.9.3 (CVE-2016-1000141)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_page_layout_builder'"
    SecRule ARGS:layout_settings_id "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule ARGS:fileName "@contains .." "id:77228940,chain,msg:'IM360 WAF: Remote file download vulnerability in the candidate-application-form v1.0 for WordPress (CVE-2016-1000005)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_candidate_application_form'"
    SecRule REQUEST_FILENAME "@endsWith downloadpdffile.php" "t:none,t:lowercase"

# Blocks the php:// stream wrapper in the "query" argument of jsmol.php.
SecRule ARGS:query "@contains php://" "id:77232170,chain,msg:'IM360 WAF: Directory traversal vulnerability in JSmol2WP plugin 1.07 for WordPress (CVE-2018-20462)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_jsmol2wp'"
    SecRule REQUEST_FILENAME "@endsWith /php/jsmol.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith test-plugin.php" "id:77221710,chain,msg:'IM360 WAF: XSS vulnerability in the Swipe Checkout for Jigoshop plugin 3.1.0 and earlier for WordPress (CVE-2014-4557)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,severity:2,tag:'wp_plugin_swipe_hq_checkout_for_jigoshop'"
    SecRule ARGS:api_url "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Blocks every upload to this endpoint: the condition is simply that a
# non-empty uploaded file name exists.
SecRule REQUEST_FILENAME "@endsWith /valums_uploader/php.php" "chain,id:77316754,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin Valums Uploader - File Upload Vulnerability||T:APACHE||',tag:'service_im360'"
    SecRule FILES "!@rx ^$" "t:none"

# DEFA-3987
# Flow control, not detection: when the request has no "action" argument,
# processing jumps to MARKER_action. The marker is defined outside this
# excerpt; the rules between here and it are presumably the action-keyed ones
# that follow - confirm where the marker sits before reordering rules.
SecRule &ARGS:action "@lt 1" "id:77316862,pass,phase:2,nolog,severity:5,skipAfter:MARKER_action,msg:'IM360 WAF: ARGS action optimization||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'noshow',tag:'service_gen'"

# DEFA-4172
# \x27 is the single-quote character. The last condition has no action list.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316873,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Remote Code Execution in WP Super Cache 1.7.1 Plugin for WordPress||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:options-general|admin-ajax)\.php" "chain,t:none,t:htmlEntityDecode,t:normalizePath"
    SecRule ARGS:page "@streq wpsupercache" "chain,t:none"
    SecRule ARGS:action "@streq scupdates" "chain,t:none"
    SecRule ARGS:wp_cache_location "@rx \x27"

# DEFA-3743
# Registration requests that ask for the administrator or editor role are
# blocked. "POST" is written without an operator, so it is evaluated as an
# unanchored regular expression.
SecRule REQUEST_METHOD "POST" "chain,id:77316806,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:action "@endsWith theplus_ajax_register" "chain,t:none"
    SecRule &ARGS:user_login "@gt 0" "chain,t:none"
    SecRule &ARGS:email "@gt 0" "chain,t:none"
    SecRule &ARGS:password "@gt 0" "chain,t:none"
    SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none,t:lowercase"

# DEFA-3743
SecRule REQUEST_METHOD "POST" "chain,id:77316807,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:action "@endsWith theplus_google_ajax_register" "chain,t:none"
    SecRule &ARGS:email "@gt 0" "chain,t:none"
    SecRule &ARGS:name "@gt 0" "chain,t:none"
    SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none,t:lowercase"

# DEFA-1946
# admin-ajax.php serves many plugins, so these rules key on the "action" value.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140938,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress WooCommerce Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_woocommerce'"
    SecRule ARGS:action "@streq nm_personalizedproduct_upload_file" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:lowercase"

# DEFA-1993
# PrestaShop module rule kept in the WordPress ruleset.
SecRule REQUEST_FILENAME "@endsWith videostab/ajax_videostab.php" "id:77140951,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop videostab Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule ARGS:action "@contains submituploadvideo" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (?i)(\.htaccess|\.(pht|phtml|php\d?)$)" "t:none"

# DEFA-1995
SecRule REQUEST_FILENAME "@endsWith advancedslider/ajax_advancedsliderupload.php" "id:77140953,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop advancedslider Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule ARGS:action "@contains submituploadimage" "chain,t:none,t:lowercase"
    SecRule FILES "@rx (?i)(\.htaccess|\.(pht|phtml|php\d?)$)" "t:none"

# DEFA-2099
# NOTE(review): the msg uses %{TX:wp_user} (colon) where the other rules use
# %{TX.wp_user}; confirm the macro expands, otherwise the user field in the
# log entry will not be filled in.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140976,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Estatik Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||WPU:%{TX:wp_user}||MV:%{MATCHED_VAR}',tag:'wp_core',tag:'wp_plugin_estatik'"
    SecRule ARGS:action "@streq es_prop_media_images" "chain,t:none,t:lowercase"
    SecRule FILES "@rx \.(?:php\d?|js|p(?:l|y)|rb|sh|(?:p|s|x|d)?html?\d?|asp|exe|dll|com|htaccess)$" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2088
# Requires the nonce and allowedExtensions[] arguments to be present in
# addition to the action value before the file name is inspected.
SecRule REQUEST_METHOD "POST" "id:77140972,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: WordPress Plugin Accesspress Anonymous Post Pro Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq ap_file_upload_action" "chain,t:none"
    SecRule &ARGS:file_uploader_nonce "@gt 0" "chain,t:none"
    SecRule &ARGS:allowedExtensions[] "@gt 0" "chain,t:none"
    SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase"

# DEFA-2101
SecRule REQUEST_FILENAME "@endsWith 
wp-admin/admin-ajax.php" "id:77140978,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin FrontEnd File Manager Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_nmedia_user_file_uploader'" SecRule ARGS:action "@streq nm_filemanager_upload_file" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" # DEFA-2302 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141011,chain,msg:'IM360 WAF: WPCentral < 1.5.1 Auth Bypass & Privelege Escalation||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'service_i360custom'" SecRule ARGS:action "@streq my_wpc_signon" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &ARGS:auth_key "!@eq 0" "chain,t:none" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,192.200.108.100" "t:none" # DEFA-2319 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141015,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress KenBurner Slider plugin unauthenticated arbitrary file download||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'" SecRule ARGS:action "@streq kbslider_show_image" "t:none,t:lowercase,chain" SecRule ARGS:img "@rx \.\.\/" "t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath" # DEFA-2475 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141073,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:actions "@contains enable_safe_mode" 
"chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-2552 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141086,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:lowercase" # DEFA-2552 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141087,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "chain,t:none,t:urlDecodeUni" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" # DEFA-2475 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142103,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Elementor Page 
Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase" SecRule ARGS:actions "@contains enable_safe_mode" "chain,t:none" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" # DEFA-2680 SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77142110,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the Simple Ads Manager plugin before 2.5.96 for WordPress (CVE-2015-2825)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_core'" SecRule ARGS:action "@pm upload_ad_image na" "t:none,t:lowercase" # DEFA-2711 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142128,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:client_action "@streq get_captions_css" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-2711 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142129,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:client_action "@streq get_captions_css" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" # DEFA-2744 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" 
"id:77142139,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,msg:'IM360 WAF: Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 RCE (CVE-2020-12800)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_drag_and_drop_multiple_file_upload_contact_form_7'" SecRule ARGS:action "@streq dnd_codedropz_upload" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:supported_type|FILES "@rx \%$" "t:none,t:lowercase,t:urlDecodeUni" # DEFA-2737 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142142,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress MailerLite Sign Up Forms Plugin SQL Injection||A:%{ARGS.action}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@pm mailerlite_get_more_groups mailerlite_gutenberg_form_preview mailerlite_gutenberg_form_preview2 mailerlite_subscribe_form mailerlite_redirect_to_form_edit" "chain,t:none" SecRule ARGS:form_id "!@rx ^-?\d+$" "t:none,t:urlDecodeUni" # DEFA-2777 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142170,chain,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate Addons||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor',tag:'noshow'" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:actions "@contains pro_assets_manager_custom_icon_upload" "t:none,t:urlDecodeUni" # DEFA-3103 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142256,block,log,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Block nulled themes pingbacks||T:APACHE||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'service_im360'" SecRule ARGS:action "@streq rms_ping_from_the_universe" "t:none" # DEFA-3100 SecRule REQUEST_FILENAME "@endsWith 
/cgi-bin/mainfunction.cgi" "id:77142259,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule ARGS:action "@streq login" "chain,t:none" SecRule ARGS:keyPath "@rx [\s\+]?wget\shttps?:\/\/([^\s\+])" "t:none,t:compressWhitespace,t:htmlEntityDecode" # DEFA-3626 SecRule REQUEST_METHOD "@rx ^POST$" "id:77316778,chain,block,log,t:none,severity:2,msg:'IM360 WAF: WordPress Plugin 123contactform-for-wordpress Arbitrary File Upload||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule ARGS:action "@pm cfp-new-post cfp-new-post" "chain,t:none" SecRule &ARGS:post_content "@gt 0" "chain,t:none" SecRule &ARGS:post_status "@gt 0" "chain,t:none" SecRule &ARGS:post_author "@gt 0" "chain,t:none" SecRule ARGS:post_image_name|ARGS:post_image "@rx \.(?:phar|ph[p\d]|pl|py|cgi|asp|js|html|htm|phtml)$" "t:none" # DEFA-3755 SecRule REQUEST_FILENAME "@endsWith /data_debug.php" "id:77316808,chain,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: SQL Injection in Cacti 1.2.0 - 1.2.16 (CVE-2020-35701)||T:APACHE||',tag:'service_im360'" SecRule ARGS:action "@streq ajax_hosts" "chain,t:none" SecRule ARGS:site_id "@rx [\)\'\x22<]" "t:none" # DEFA-3873 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316821,chain,block,log,severity:2,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Arbitrary File Upload in Kaswara Modern WPBakery Page Builder Addons (CVE-2021-24284)||File:%{ARGS.fonticonzipfile}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq uploadFontIcon" "t:none" # DEFA-4099 WPT-106 SecRule REQUEST_METHOD "POST" "id:77316853,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Privilege Escalation in ProfilePress WordPress plugin 
(CVE-2021-34621)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq pp_ajax_signup" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:reg_password "@rx ^F0x" "t:none" # DEFA-4099 SecRule REQUEST_METHOD "POST" "id:77316854,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Arbitriary File Upload in WP User Avatar plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||FILES:%{FILES}||',tag:'wp_core'" SecRule ARGS:action "@streq update" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule FILES "!@rx \.(?:jpg|jpeg|png|gif)$" "t:none" # DEFA-1806 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140855,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin N-Media Website Contact Form with File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_BASENAME "@rx (?:upload_settings_image|admin-ajax)\.php" "chain,t:none,t:urlDecodeUni" SecRule ARGS:action "@streq nm_webcontact_upload_file" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" # DEFA-1817 SecRule ARGS:action "@pm upload-plugin update_plugin themes themeupload revslider_ajax_action" "id:77140866,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Malicious plugin upload attempt||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-admin\/(?:update|admin-(?:ajax|post))\.php" "t:none,t:lowercase,chain" SecRule REQUEST_HEADERS:Accept "@streq */*" "t:none,chain" SecRule FILES "@rx ^(?:[a-z]{7}|rock)\.zip$" "t:none,capture" # DEFA-1819 SecRule REQUEST_METHOD 
"@rx ^POST$" "id:77140868,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Revslider Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:urlDecodeUni" SecRule ARGS:client_action "@streq update_plugin" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140869,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Simple Ads Manager Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq upload_ad_image" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140910,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Slider Revolution 3.0.95 / Showbiz Pro 1.7.1 Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq showbiz_ajax_action" "chain,t:none,t:urlDecodeUni" SecRule ARGS:client_action "@streq update_plugin" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" # 
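# DEFA-1873
# The rules below sit between rule 77316862 (skipAfter:MARKER_action when the
# request has no `action` argument) and "SecMarker MARKER_action", so they are
# only evaluated for requests that carry at least one `action` argument.
#
# WP User Frontend upload: blocks when `action` contains wpuf_file_upload or
# wpuf_insert_image (@pm is a case-insensitive phrase match) and a
# client-supplied upload file name matches "pwn.gif".
# NOTE(review): the chain has no REQUEST_METHOD or REQUEST_FILENAME link, so it
# applies to any URL carrying that action. The pattern is unanchored and its
# dot is unescaped (any character). It keys on one file name rather than on
# the extension; presumably other names are covered elsewhere - confirm.
SecRule ARGS:action "@pm wpuf_file_upload wpuf_insert_image" \
    "id:77140928,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unrestricted Arbitrary File Upload in WP User Frontend plugin before 2.3.11 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin_wp_user_frontend'"
    SecRule FILES "@rx pwn.gif" "t:none"

# DEFA-2297
# Duplicator (CVE-2020-11738): blocks action=duplicator_download when the
# `file` argument contains "../" after t:urlDecodeUni.
# NOTE(review): no REQUEST_METHOD or REQUEST_FILENAME link; the chain matches
# on any URL that carries these two arguments.
SecRule ARGS:action "@streq duplicator_download" \
    "id:77141007,chain,msg:'IM360 WAF: WordPress Plugin Duplicator File Download Auth Bypass (CVE-2020-11738)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',phase:2,block,log,t:none,t:urlDecodeUni,severity:2,tag:'wp_core'"
    SecRule ARGS:file "@contains ../" "t:none,t:urlDecodeUni"

# DEFA-2772
# Smart Google Code Inserter (CVE-2018-3810): a POST whose path contains
# /wp-admin/admin-ajax.php, /wp-admin/admin-post.php or
# /wp-admin/options-general.php, with action=saveadwords, is blocked when any
# oId[] value contains a non-digit character.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:77142176,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in Smart Google Code Inserter before 3.5 plugin for WordPress (CVE-2018-3810)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-(?:ajax|post)|options-general)\.php" \
        "chain,t:none,t:urlDecodeUni,t:normalizePath"
    SecRule ARGS:action "@streq saveadwords" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:oId[] "@rx \D" "t:none,t:urlDecodeUni"

# DEFA-2979
# Adning Advertising: a multipart POST to /wp-admin/admin-ajax.php with
# action=_ning_upload_image is blocked when allowed_file_types contains "php"
# or "pht" anywhere in its value, case-insensitively (the phtml and php\d
# alternatives are already covered by those two).
# NOTE(review): only the allowed_file_types argument is inspected; this chain
# does not look at the uploaded file name (FILES).
SecRule REQUEST_METHOD "@rx ^POST$" \
    "chain,id:77142218,block,log,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin Adning Advertising - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||T:APACHE||ARGS:allowed_file_types=%{ARGS.allowed_file_types}||',tag:'wp_core'"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq _ning_upload_image" "chain,t:none"
    SecRule ARGS:allowed_file_types "@rx (?i:php|phtml|pht|php\d)" "t:none"

# DEFA-3074
# Divi theme: a multipart POST (method compared after t:lowercase) to
# /wp-admin/admin-ajax.php with action=et_core_portability_import is blocked
# when a client-supplied upload file name carries one of the listed
# script/executable extensions. Because the pattern ends in (?:\W|$), the
# extension also matches in the middle of a name (constructed example:
# report.php.txt).
# `capture` stores the regex match in TX.0; the msg logs it as REMOTE_FILENAME,
# so that field holds only the matched extension part, not the whole name.
SecRule REQUEST_METHOD "@streq post" \
    "chain,id:77142246,block,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Theme Divi - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq et_core_portability_import" "chain,t:none"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" \
        "t:none,capture"

# DEFA-3106
# Quiz and Survey Master: same request shape with
# action=qsm_upload_image_fd_question. Blocks upload names that start with
# "file", continue with 1 to 160 characters, and end in .pht, .phtml, .php or
# .php plus one digit (case-insensitive). The whole name is captured into TX.0.
# NOTE(review): REQUEST_METHOD "POST" has no explicit operator, so the default
# @rx applies and the method match is unanchored.
# NOTE(review): names that do not start with "file" are not matched here.
SecRule REQUEST_METHOD "POST" \
    "chain,id:77142253,block,log,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin Quiz and Survey Master - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'wp_core'"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq qsm_upload_image_fd_question" "chain,t:none"
    SecRule FILES "@rx (?i)^file.{1,160}\.(?:pht|phtml|php\d?)$" "t:none,capture"

# DEFA-3135
# Autoptimize < 2.7.7: a multipart POST to /wp-admin/admin-ajax.php with
# action=ao_ccss_import is blocked unless the upload file name ends in ".zip".
# NOTE(review): the final link runs with t:none only, so the comparison is
# case-sensitive (a name ending in ".ZIP" is blocked). It checks the
# client-supplied name only; archive contents are not inspected by this rule.
SecRule REQUEST_METHOD "@streq post" \
    "id:77316722,chain,block,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Plugin Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||T:APACHE||ARGS.action:%{ARGS.action}||FILES.file:%{FILES.file}||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq ao_ccss_import" "chain,t:none"
    SecRule FILES "!@endsWith .zip" "t:none"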
# DEFA-3058 SecRule REQUEST_METHOD "POST" "id:77316726,chain,block,log,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin wpStoreCart - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||T:APACHE||vulnerable_parameter:%{ARGS.seed_csp4_settings_content[headline]}||REMOTE_FILENAME:%{TX.1}||tx.0=%{TX.0}',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" "chain,t:none,t:normalizePath" SecRule ARGS:option_page "@streq seed_csp4_settings_content" "chain,t:none" SecRule ARGS:action "@streq update" "chain,t:none" SecRule ARGS:seed_csp4_settings_content[headline] "@rx \<" "t:none,t:htmlEntityDecode" # DEFA-3973 SecRule REQUEST_METHOD "@rx POST" "id:77316838,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||File:%{FILES}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@rx fpd_custom_uplod_file" "chain,t:none" SecRule ARGS:url "@rx <\?php|base64," "t:none" # DEFA-4046 SecRule REQUEST_METHOD "@rx POST" "id:77316849,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in Fluent Forms Fastest Contact Form Builder Plugin for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@rx ^fluentform" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-2702 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142125,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Block WordPress registration flood||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-login.php" "chain,t:none" SecRule ARGS:action "@contains register" "chain,t:none,setvar:tx.rbl_perf=1" 
SecRule TX:RBL_IP "@rbl web-spammers.v2.rbl.imunify.com." "chain,t:none" SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none" # DEFA-4426 SecRule REQUEST_METHOD "@streq POST" "id:77317972,chain,block,severity:2,t:none,msg:'IM360 WAF: Content deletion prevention in HashThemes Demo Importer <= 1.1.1 plugin for WordPress (CVE-2021-39333)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx (?:\/wp-admin\/admin-ajax|\/hashthemes-demo-importer)\.php$" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq hdi_install_demo" "chain,t:none" SecRule ARGS:reset "@streq true" "t:none" # DEFA-4226 SecRule REQUEST_METHOD "@rx ^POST$" "id:77317982,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Code injection in Kaswara WordPress Plugin||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-content/plugins/kaswara/includes/handlers/ajax_handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq kaswaraCustomCode" "chain,t:none" SecRule ARGS:customJS "!@rx ^$" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317983,chain,block,log,t:none,severity:2,msg:'IM360 WAF: SQL injection in Kaswara WordPress Plugin||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-content/plugins/kaswara/includes/handlers/ajax_handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq kaswaraCustomCode" "chain,t:none" SecRule ARGS "@contains '" # DEFA-4636 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77318030,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Cross-Site Request Forgery in Login/Signup Popup & Waitlist Woocommerce & Side Cart Woocommerce plugins for 
WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@contains xoo_admin_settings_save" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@rx %{SERVER_NAME}" "t:none" # DEFA-4687 SecRule REQUEST_METHOD "@rx POST" "id:77318040,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: LFI & RCE Essential Addons for Elementor plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@rx (?:eael|eael_product)_product_gallery" "chain,t:none" SecRule ARGS:/template_info/ "@rx \/..?\/|<php" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318041,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: LFI & RCE Essential Addons for Elementor plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@rx load_more" "chain,t:none" SecRule ARGS:/template_info/ "@rx \/..?\/|<php" "t:none" # DEFA-4706 SecRule REQUEST_METHOD "@rx POST" "id:77318042,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24663)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx parse-media-shortcode" "chain,t:none" SecRule ARGS:shortcode "@contains [php_everywhere]" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318043,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24664)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule 
REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@contains edit" "chain,t:none" SecRule &ARGS:meta-box-loader "@gt 0" "chain,t:none" SecRule ARGS "@contains [php_everywhere]" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318044,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24665)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains edit" "chain,t:none" SecRule &ARGS:post "@gt 0" "chain,t:none" SecRule ARGS "@contains [php_everywhere]" "t:none" # DEFA-4586 SecRule REQUEST_URI "@contains /wp-json/aioseo/v1/" "id:77318019,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated Privilege Escalation in All in One SEO < 4.1.5.3 plugin for WordPress (CVE-2021-25036)||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule MATCHED_VAR "@rx [A-Z]" "t:none" #DEFA-4729 SecRule REQUEST_URI "@contains /wp-content/plugins/wp-breeze/" "id:77350009,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Fake WP-Breeze Plugin blocked||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_METHOD "@pm POST GET" "id:77225140,chain,msg:'IM360 WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_core'" SecRule ARGS:action "@streq upload-attachment" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule FILES "@contains <" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_BASENAME "@streq async-upload.php" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77225210,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unrestricted file upload vulnerability in WordPress 
4.9.7 (CVE-2018-14028)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_BASENAME "@streq update.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:action "@rx ^upload-(?:plugin|theme)$" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule FILES "!@rx \.zip$" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77233420,chain,msg:'IM360 WAF: Unrestricted file upload Vulnerability in SupportCandy plugin through 2.0.0 for WordPress (CVE-2019-11223)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_supportcandy'" SecRule &ARGS:setting_action "@ge 1" "chain,t:none" SecRule ARGS:action "@streq wpsc_tickets" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77233640,chain,msg:'IM360 WAF: SQLi Vulnerability in Adenion Blog2Social plugin through 5.5.0 for WordPress (CVE-2019-13572)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_blog2social'" SecRule ARGS:action "@streq b2s_sort_data" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:/^b2sSort/|ARGS:b2sSchedDate|ARGS:b2sUserLang "@rx \W" "t:none,t:urlDecodeUni" # DEFA-3987 SecRule &ARGS:page "@lt 1" "id:77316870,pass,phase:2,nolog,severity:5,skipAfter:MARKER_page,msg:'IM360 WAF: ARGS page optimization||T:APACHE||',tag:'noshow',tag:'service_gen'" # DEFA-2119 SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-post.php" "id:77140984,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin MailPoet Newsletters 2.6.8 wysija-newsletters Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wysija_newsletters'" SecRule 
ARGS:page "@streq wysija_campaigns" "chain,t:none,t:lowercase" SecRule ARGS:action "@rx ^(?:themes|themeupload)$" "chain,t:none,t:lowercase" SecRule FILES "@rx ^(([a-zA-Z]{5}|XAttacker)\.zip)$" "t:none,t:urlDecodeUni,t:removeWhitespace" # DEFA-3987 SecMarker MARKER_action # DEFA-3987 SecRule &ARGS:page "@lt 1" "id:77316872,pass,phase:2,nolog,severity:5,skipAfter:MARKER_page,msg:'IM360 WAF: ARGS page optimization||T:APACHE||',tag:'noshow',tag:'service_gen'" # DEFA-1819 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140906,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin pageline File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'" SecRule REQUEST_FILENAME "@rx (?:wp-admin\/admin-post\.php|wp-admin\/admin-ajax\.php)$" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq pagelines" "chain,t:none" SecRule ARGS:settings_upload "@streq settings" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" # DEFA-3580 SecRule REQUEST_METHOD "@rx ^POST$" "id:77316771,chain,block,log,severity:2,t:none,msg:'IM360 WAF: SVG files upload allowed by default in Elementor < 3.0.14 WordPress plugin||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@rx ^elementor" "chain,t:none" SecRule FILES "@rx \.svg$" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77233620,chain,msg:'IM360 WAF: SQLi Vulnerability in 10Web Photo Gallery plugin before 1.5.31 for WordPress (CVE-2019-14313)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_photo_gallery'" SecRule ARGS:page "@within albums_bwg galleries_bwg" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:orderby|ARGS:order "@rx \W" 
"t:none,t:urlDecodeUni" SecRule ARGS:page "@streq lolmi-settings" "id:77234320,chain,msg:'IM360 WAF: Privilege escalation vulnerability in login-or-logout-menu-item plugin before 1.2.0 for WordPress (CVE-2019-15820)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_plugin_login_or_logout_menu_item'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-general.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77229180,chain,msg:'IM360 WAF: SQL Injection Vulnerability in Multi Meta Box plugin v1.0 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,severity:2,tag:'wp_plugin_multi_meta_box'" SecRule ARGS:page "@streq multi_metabox_listing" "chain,t:none,t:lowercase" SecRule ARGS:id "@rx \D" "t:none" # DEFA-3987 SecMarker MARKER_page # Heuristic: TwentyShell SecRule REQUEST_URI "@rx \/wp-content\/themes\/twenty[^\.]{0,108}\.php" "chain,id:77140740,phase:2,severity:2,log,block,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Twenty shell abuse attempt||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core',tag:'service_rbl_infectors'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # Heuristic: SuspiciousAccess SecRule REQUEST_URI "@pm /wp-content/uploads/2018/10/mod_config.php /wp-content/plugins/wp-to-twitter/tmhOAuth/sys.php.php /wp-content/themes/better-mag/footer.php /wp-content/plugins/sfn.php /wp-admin/yt.php /assets/images/accesson.php /wp-admin/maint/index.php /wp-admin/includes/index.php /wp-includes/css/login_wall.php /wp-logos.php /wp-icoud.php /wp-cahce.php /wp-content/indes.php /wp-includes/indes.php /wp-conde.php" "id:77140742,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block abusive 
scripts||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core'" # DEFA-2541 SecRule REQUEST_METHOD "@rx ^POST$" "id:77141092,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Suspicious access attempt to admin-ajax.php. No referrer header||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain,t:none" SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none" # DEFA-2653 # DEFA-2777 SecRule REQUEST_FILENAME "@contains /wp-content/uploads/elementor/custom-icon" "id:77142112,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate Addons||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'" SecRule REQUEST_FILENAME "!@rx \.(css|eot|html|js|json|otf|svg|ttf|txt|woff|woff2)$" "t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath" # DEFA-2736 SecRule REQUEST_FILENAME "@endsWith /wp-content/uploads/file-manager/log.txt" "id:77142131,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Giribaz File Manager plugin before 5.0.2 Information Disclosure (CVE-2018-7204)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_file_manager'" # DEFA-2833 SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142198,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" # DEFA-2833 SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php 
server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142200,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-4145 SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77316860,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" # DEFA-4753 SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/dzs-zoomsounds/savepng.php" "id:77350016,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Plugin dzs-zoomsounds < 6.05 for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'wp_core'" SecRule ARGS:location "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico|rb)\W" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77316921,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PF File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq piotnetforms_ajax_form_builder" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" 
"id:77316922,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PAFE File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq pafe_ajax_form_builder" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_URI "@contains /wp-content/uploads/piotnet-addons-for-elementor/" "id:77316923,chain,phase:2,block,log,severity:2,msg:'IM360 WAF: PF RCE||T:APACHE||',tag:'wp_core'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_URI "@contains /wp-content/uploads/piotnetforms/files/" "id:77316924,chain,phase:2,block,log,severity:2,t:normalizePath,msg:'IM360 WAF: PAFE RCE||T:APACHE||',tag:'wp_core'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" # DEFA-4330 SecRule REQUEST_METHOD "@rx ^POST$" "id:77316937,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Data injection vulnerability in Automatic Plugin for WordPress||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||T:APACHE||default_role:{ARGS.default_role}||users_can_register:%{ARGS.users_can_register}||home:%{ARGS.home}||siteurl:%{ARGS.siteurl}||names:%{ARGS.names}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /plugins/wp-automatic/process_form.php" "t:none,setvar:tx.rbl_infectors=1" # DEFA-4148 SecRule REQUEST_METHOD "@rx ^POST$" "id:77316863,chain,block,log,severity:2,phase:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in dzs-videogallery WordPress plugin||File:%{FILES}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/super-forms/uploads/php/" "chain,t:none,t:normalizePath" SecRule FILES 
"@rx \.(?:pht|phtml|php\d?)$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316934,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious access attempt with no referer - (WP folders)!||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "chain,t:none" SecRule REQUEST_URI "!@pm doing_wp_cron wffn_frontend_analytics guest.vary.php confirmation.php stripe" "chain,t:none" SecRule REQUEST_FILENAME "!@rx (?:guest\.vary|admin-ajax|wp-login|wp-load|post)\.php$" "chain,t:none" SecRule REQUEST_FILENAME "@rx (\.htaccess|\.(pht|phtml|php\d?|txt|md|js|shtml|xml)$)" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" # DEFA-4146 #WPT-26 SecRule REQUEST_METHOD "@rx ^POST$" "id:77316864,chain,block,log,severity:2,phase:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in SuperStoreFinder WordPress plugin||File:%{FILES}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/import.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" #DEFA-4375 SecRule REQUEST_METHOD "@streq POST" "id:77317985,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: MStore API < 3.4.5 - Unauthenticated PHP File Upload||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-json/api/flutter_woo/config_file" "chain,t:lowercase" SecRule FILES_NAMES "@rx (?:config|config\.tifa)\.json\.php" "t:lowercase" # DEFA-4651 SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318032,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress 
(CVE-2022-0218)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318033,chain,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" # DEFA-4434 SecRule REQUEST_URI "@rx \/wp-json\/omapp\/v1\/(?:info|support)" "id:77317973,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||WPU:%{TX.wp_user}||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^OPTIONS$" "id:77317974,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_URI "@contains omapp/v1" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:Referer "@contains https://wp.app.optinmonster.test" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317975,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_URI "@contains omapp/v1/api/regenerate" "chain,t:none,t:normalizePath" SecRule &ARGS:key "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317976,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_URI "@contains omapp/v1/api/regenerate" "chain,t:none,t:normalizePath" SecRule ARGS:key "@rx ^$" "t:none" # DEFA-4774 SecRule REQUEST_FILENAME "@endsWith 
wp-content/plugins/wpcargo/includes/barcode.php" "id:77350018,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WPCargo < 6.9.0 - Unauthenticated RCE (CVE-2021-25003)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_wpcargo'"
    # Chain link: at least one "text" argument is present (&ARGS:text counts occurrences).
    SecRule &ARGS:text "@gt 0" "t:none,chain"
    # Final link: the lowercased "filepath" argument names .htaccess or a PHP-type extension.
    SecRule ARGS:filepath "@rx (\.htaccess|\.(pht|phtml|php\d?))" "t:none,t:lowercase"

# DEFA-4808
# Two rules for the same advisory (CVE-2022-0992 per the msg text). Both require a request
# method matching POST, an "action" argument matching sgs2fa and a login/signup URI.
# 77350023 then fires when the sgs_2fa_login_nonce cookie is absent.
SecRule REQUEST_METHOD "POST" "id:77350023,chain,block,t:none,severity:2,msg:'IM360 WAF: Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "sgs2fa" "chain,t:none"
    SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath"
    SecRule &REQUEST_COOKIES:sgs_2fa_login_nonce "@eq 0" "t:none"

# 77350024 fires when the Referer header does not contain the server name.
# NOTE(review): Referer is supplied by the client and "@contains" is a substring test, so this
# link filters cross-site traffic rather than proving same-origin. Treat the rule as a virtual
# patch; updating the plugin is the durable fix.
SecRule REQUEST_METHOD "POST" "id:77350024,chain,block,t:none,severity:2,msg:'IM360 WAF: Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "sgs2fa" "chain,t:none"
    SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# DEFA-4873
# Blocks admin-ajax.php requests whose "action" argument matches add_custom_font when the
# Referer header does not contain the server name (CVE-2021-25094 per the msg text).
# NOTE(review): the Referer link is this rule's only origin check, and it presumably has nothing
# to evaluate when the header is absent. Rules 77142198/77142200 in this file pair the same test
# with an explicit '&REQUEST_HEADERS:Referer "@eq 0"' rule - confirm whether that pairing is
# wanted here too.
SecRule ARGS:action "add_custom_font" "id:77350034,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF to RCE in Tatsu Plugin for WordPress (CVE-2021-25094)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

SecRule REQUEST_METHOD "POST" "id:77350035,chain,block,t:none,severity:2,msg:'IM360 WAF: Unauthenticated File Upload in Tatsu Plugin for WordPress 
(CVE-2021-25094)||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "add_custom_font" "chain,t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule FILES "^\." "t:none" SecRule REQUEST_URI "@contains /typehub/custom/" "id:77350036,chain,block,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated RCE in Tatsu Plugin for WordPress (CVE-2021-25094)||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_BASENAME "\.php" "t:none" # DEFA-5139 SecRule REQUEST_FILENAME "@pm wp-content/plugins/wpgateway/wpgateway-webservice-new.php" "id:77350104,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation in WPGateway WordPress plugin (CVE-2022-3180)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule ARGS:wp_new_credentials "@eq 1" "t:none,t:lowercase" # DEFA-5476 SecRule REQUEST_METHOD "@rx POST" "id:77350152,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: CSRF in Yith WooCommerce Gift Cards Premium plugin for WordPress||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none" SecRule ARGS:page "@streq yith_woocommerce_gift_cards_panel" "chain,t:none" SecRule REQUEST_HEADERS:referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350153,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Yith WooCommerce Gift Cards Premium plugin for WordPress (CVE-2022-45359)||WPU:%{TX.wp_user}||T:APACHE||File:%{FILES}||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none" SecRule ARGS:page "@streq yith_woocommerce_gift_cards_panel" "chain,t:none" SecRule ARGS:ywgc_safe_submit_field "@streq importing_gift_cards" "chain,t:none" SecRule FILES:file_import_csv "!@rx \.csv$" "t:none" SecRule REQUEST_URI "@rx /wp-admin/" 
"id:77350176,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation in Elementor Pro < 3.11.7 (CWE-862)||MV:%{ARGS.wc-ajax}||T:APACHE||',tag:'service_i360'" SecRule ARGS:wc-ajax "@rx ^\d" "t:none" # WPT-103 SecRule REQUEST_HEADERS:x-forwarded-for|REQUEST_HEADERS:x-real-ip "@rx src=|href=|><|'\\'\\\x22\x22|'<\x22" "id:77350183,phase:1,block,log,severity:2,t:none,t:removeWhitespace,t:urlDecode,msg:'IM360 WAF: XSS in X-Forwarded-For request header||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'" SecRule REQUEST_HEADERS:x-forwarded-for|REQUEST_HEADERS:x-real-ip "@rx <[^\s.]+\s[^=.]+=[^(]+\([^)]+\)" "id:77350184,phase:1,block,log,severity:2,t:none,t:compressWhitespace,t:urlDecode,msg:'IM360 WAF: Unauthenticated Stored XSS in Limit Login Attempts <= 1.7.1 plugin for WordPress (CVE-2023-1912)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350190,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@rx (wlwmanifest\.xml|readme\.txt|changelog\.(md|txt)|lang_upload\.php|arm_widgets_js\.js|__\sUPDATES.txt|wpuef-configurator.js)" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350207,chain,phase:3,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule RESPONSE_STATUS "!@rx ^20" "chain,t:none" SecRule REQUEST_FILENAME "@rx (wlwmanifest\.xml|readme\.txt|changelog\.(md|txt)|lang_upload\.php|arm_widgets_js\.js|__\sUPDATES.txt|wpuef-configurator.js)" "t:none" # WPT-131 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77350193,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Privilege 
Escalation (CVE-2023-32243)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq login_or_register_user" "chain,t:none,t:lowercase" SecRule ARGS:eael-resetpassword-submit "@streq true" "chain,t:none,t:lowercase" SecRule &ARGS:eael-pass1 "@eq 1" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt" "id:77350194,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Vulnerable version discovery (CVE-2023-32243)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:htmlEntityDecode" # WPT-151 SecRule REQUEST_METHOD "@rx ^POST$" "id:77350198,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Stored XSS vulnerability in Beautiful Cookie Consent Banner <= 2.10.1 WordPress plugin||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:nsc_bar_content_href "@rx \x22" "t:none,t:urlDecode" # WPT-157 SecRule REQUEST_METHOD "@rx ^POST$" "id:77350201,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Privilege Escalation in ReviewX <= 1.6.13 for WooCommerce for WordPress (CVE-2023-2833)||MV:%{MATCHED_VAR}||Option:%{ARGS.wp_screen_options[option]}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule &ARGS:wp_screen_options[option] "@gt 0" "chain,t:none" SecRule ARGS:wp_screen_options[value] "\D" "t:none" # WPT-164 SecRule REQUEST_URI "@contains getwid/v1/get_remote_content" "id:77350203,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated SSRF in Getwid <= 1.8.3 plugin for WordPress (CVE-2023-1895)||T:APACHE||',tag:'wp_core'" SecRule ARGS:get_content_url 
"!@contains /wp-json/getwid-templates-server/v1/get_content" "t:none,t:normalizePath" SecRule REQUEST_FILENAME "\/[\.#]?wp-config[\.-][\w\._-]*(?:[#~]|(?:inc|txt|tar|xml|zip|bak|old|orig(?:inal)?|save|\d|sw(?:p|o)))$" "id:77350212,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "wp-config.php" "id:77350213,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via Advanced Access Manager < 5.9.9 plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule ARGS:aam-media "@rx \d+" "t:none" SecRule ARGS:aam-media "@contains wp-config.php" "id:77350214,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure via Advanced Access Manager < 5.9.9 plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-admin/edit.php /wp-content/force-download.php" "id:77350215,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress plugins||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule &ARGS:action "@gt 0" "chain,t:none" SecRule REQUEST_URI|ARGS:img|ARGS:file|ARGS:path|ARGS:f "@contains ../wp-config.php" "t:none" SecRule REQUEST_FILENAME "@contains /wp-content/cache/log/" "id:77350216,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress plugins||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .log" SecRule REQUEST_FILENAME "@contains /wp-content/themes/" "id:77350217,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: 
Information Disclosure Attempt via WordPress themes||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:arquivo "wp-config.php" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "id:77350218,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via WordPress plugins||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:download|ARGS:/path/|ARGS:cfg|ARGS:id|ARGS:wap|ARGS:var|ARGS:f|ARGS:info|ARGS:destinations "wp-config.php" "t:none" SecRule REQUEST_FILENAME "/wp-content/uploads/(?:file-manager\/)?(?:log|wp-config-backup)\.txt" "id:77350219,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure via File Manager plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-e-commerce/wpsc-includes/misc.functions.php" "id:77350220,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP-E-Commerce plugin < 3.8.9.5 for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule ARGS:image_name "wp-config.php" "t:none" SecRule ARGS:wpv-image "wp-config.php" "id:77350221,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP Vault 0.8.6.6 plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_URI "@pm /_wpeprivate/config.json " "id:77350222,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information disclosure in WPEngine plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule ARGS:aam-media 
"@contains wp-config.php" "id:77350230,block,log,t:none,t:base64Decode,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure via Advanced Access Manager < 5.9.9 plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-admin/edit.php /wp-content/force-download.php" "id:77350231,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress plugins||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule &ARGS:action "@gt 0" "chain,t:none" SecRule REQUEST_URI|ARGS:img|ARGS:file|ARGS:path|ARGS:f "@contains ../wp-config.php" "t:none,t:base64Decode" SecRule REQUEST_FILENAME "@contains /wp-content/themes/" "id:77350232,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via WordPress themes||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:arquivo "wp-config.php" "t:none,t:base64Decode" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "id:77350233,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via WordPress plugins||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:download|ARGS:/path/|ARGS:cfg|ARGS:id|ARGS:wap|ARGS:var|ARGS:f|ARGS:info|ARGS:destinations "wp-config.php" "t:none,t:base64Decode" SecRule REQUEST_FILENAME "@contains /wp-e-commerce/wpsc-includes/misc.functions.php" "id:77350234,chain,block,log,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP-E-Commerce plugin < 3.8.9.5 for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule 
ARGS:image_name "wp-config.php" "t:none,t:base64Decode" SecRule ARGS:wpv-image "wp-config.php" "id:77350235,block,log,t:none,t:base64Decode,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP Vault 0.8.6.6 plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" # WPT-217 SecRule REQUEST_METHOD "@rx ^POST$" "id:77350236,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress Plugin Stripe Payment <= 3.7.7 Authentication Bypass WooCommerce (CVE-2023-3162)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule &ARGS:createaccount "@gt 0 " "chain,t:none" SecRule ARGS:action|ARGS:wc-ajax "@rx eh_spg_stripe_cancel_order" "t:none" # WPT-138 SecRule REQUEST_METHOD "@rx ^POST$" "id:77350238,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Account Takeover in ARMember < 3.4.8 WordPress Plugin (CVE-2022-1903)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx arm_shortcode_form_ajax_action" "chain,t:none" SecRule ARGS:arm_action "@streq change-password" "chain,t:none" SecRule ARGS:action2 "@streq rp" "t:none" SecRule REQUEST_URI "@contains /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php" "chain,id:77350251,block,log,phase:2,severity:2,msg:'IM360 WAF: RCE in WordPress Media-Library plugin < 3.10 (CVE-2023-4634)||File:%{TX.0}||T:APACHE||',tag:'service_im360'" SecRule ARGS:mla_stream_file "@contains ://" "t:none,t:urlDecodeUni,capture" SecRule REQUEST_METHOD "POST" "id:77350252,chain,block,log,t:none,severity:2,msg:'IM360 WAF: WordPress malicious plugin install block||SC:%{SCRIPT_FILENAME}||Plugin:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||Theme:%{FILES.themezip}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule 
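REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-ajax|theme-editor|plugin-install|update)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
    # Chain link: the "action" argument matches one of the edit/update/activate/upload/install keywords.
    SecRule ARGS:action "@rx (?:edit-theme-plugin-file|update|activate|(?:upload|install-(?:plugin|theme)))" "chain,t:none"
    # Final link: any argument whose name contains plugin/theme/file carries a known fake-plugin name.
    # Fix: t:lowercase lowercases the value before matching and this pattern has no case-insensitive
    # flag, so the mixed-case alternative "WPRobot3" could never match; it is now "wprobot3".
    SecRule ARGS:/plugin/|ARGS:/theme/|ARGS:/file/ "@rx (wordpresscore|wp-zexit|wp-clearlineee|wp-resortpack|apikey|ioptimization|bqxtbuu|blnmrpb|wp-breeze|loftloader\.2\.4\.0|cve-2023-45124|root-file-manager|ph-file-manager|zer0day|file-manager-zeroday|phoenix_|wp-engine-module|wp-kernel-module|core-stab|task-controller|wp-json-api-disable|wp-security-enforcements|wordpress-theme-security|ai-seo-fix|wprobot3|wp-proportioning-cyberterrorism|wp-federally-sadi|wp-resonator-lockage|wp-state-basic)" "t:none,t:lowercase"

# Blocks any request whose URI addresses a directory under /plugins/ named after a known fake plugin.
# The input is not lowercased here; case handling is left to the inline (?i) flag in the pattern,
# so the mixed-case names stay as written.
# NOTE(review): this list carries "core-engine" and "TOPXOH", which the install-time list in the
# chain above does not - confirm whether the two lists are meant to stay in sync.
SecRule REQUEST_URI "@rx \/plugins\/((?i)wordpresscore|core-engine|TOPXOH|wp-zexit|wp-clearlineee|wp-resortpack|apikey|ioptimization|bqxtbuu|blnmrpb|wp-breeze|loftloader\.2\.4\.0|cve-2023-45124|root-file-manager|ph-file-manager|zer0day|file-manager-zeroday|phoenix_|wp-engine-module|wp-kernel-module|core-stab|task-controller|wp-json-api-disable|wp-security-enforcements|wordpress-theme-security|ai-seo-fix|WPRobot3|wp-proportioning-cyberterrorism|wp-federally-sadi|wp-resonator-lockage|wp-state-basic)\/" "id:77350295,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'"

# Same idea for a second set of fake-plugin directory names, including the suffix families
# "<word>-wp-core-plugin", "<word>-wp-base-plugin" and "wp-lazyload-<word>-module".
SecRule REQUEST_URI "@rx \/?plugins\/(minipiwertumin2|aplugin|hellowp|pwnd|se[o]{2,3}?x?|santuy|seslmfescg|fp|1122|\w+-wp-core-plugin|\w+-wp-base-plugin|wp-lazyload-\w+-module|wordpress-for)\/" "id:77350390,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'"

# Blocks requests for two specific PHP files under plugins/ paths.
SecRule REQUEST_URI "@rx \/?plugins\/(seoplugins\/db|instabuilder2\/cache\/plugins\/moon)\.php" "id:77350392,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: 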
Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'" # WPT-280 SecRule REQUEST_METHOD "POST" "id:77350253,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.78 Plugin For WordPress (CVE-2023-5360)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "wpr_addons_upload_file" "chain,t:none" SecRule ARGS:allowed_file_types "@rx \W" "t:none" # WPT-284 SecRule REQUEST_METHOD "@rx POST" "id:77350256,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Stored XSS in tagDiv Composer < 4.2 WordPress plugin (CVE-2023-3169)||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/tdw/save_css" "chain,t:none,t:normalizePath" SecRule ARGS:compiled_css "@rx ^<\/style" "t:none,t:htmlEntityDecode,t:removeWhitespace,t:urlDecode" # WPT-277 SecRule REQUEST_METHOD "POST" "id:77350259,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS in Navigation Links in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-json/wp/v2/" "chain,t:none" SecRule ARGS:content "@rx <!--wp:post-navigation-link[^-]+?arrow\x22:\x22([^←→]+)\x22" "t:none,t:compressWhitespace,t:urlDecodeUni" SecRule REQUEST_METHOD "POST" "id:77350260,chain,phase:2,block,log,severity:5,t:none,msg:'IM360 WAF: Stored XSS in Footnotes in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp/v2/" "chain,t:none" SecRule ARGS:content "@rx \x22footnotes\x22:\x22\[\{[^\}]*<script[^\}]*\}" SecRule REQUEST_URI "@contains /wp/v2/users" "id:77350262,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Sensitive Information 
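Exposure via User Search REST Endpoint in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    # NOTE(review): "(i:" looks like a typo for the inline-flag group "(?i:". As written, the
    # first alternative only matches the literal text "i:user_login". Left unchanged because this
    # link also sets tx.rbl_infectors and widening the match changes what gets flagged; confirm
    # the intended pattern with the rule author.
    SecRule ARGS:search "@rx ^(i:user_login|user_nicename|display_name|ID)$" "setvar:tx.rbl_infectors=1"

# Blocks POST requests whose reject_url or success_url argument contains "javascript:" or "data:".
SecRule REQUEST_METHOD "POST" "id:77350263,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Reflected XSS via Application Password Requests in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:reject_url|ARGS:success_url "@pm javascript: data:" "t:none"

# Blocks POST requests whose reject_url or success_url starts with http:// and does not point at
# this server's own name or address.
# Fix: the "(?:" group in the last link was never closed, which makes the expression invalid once
# the macros are expanded and the pattern is compiled, so the chain could not match. The group is
# now closed.
# NOTE(review): the host alternatives are not anchored after the name, and dots in the expanded
# server name act as regex wildcards, so the exemption is looser than an exact host comparison.
SecRule REQUEST_METHOD "POST" "id:77350264,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Reflected XSS via Application Password Requests in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:reject_url|ARGS:success_url "@rx ^http://" "chain,t:none"
    SecRule MATCHED_VAR "!@rx http://(?:%{SERVER_NAME}|%{SERVER_ADDR})" "t:none"

# NOTE(review): 77350265 and 77350266 repeat the conditions of 77350263 and 77350264 under new ids.
# Both are kept because other configuration may reference the ids; confirm whether the copies are needed.
SecRule REQUEST_METHOD "POST" "id:77350265,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Reflected XSS via Application Password Requests in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:reject_url|ARGS:success_url "@pm javascript: data:" "t:none"

# Same unbalanced-group fix as in 77350264.
SecRule REQUEST_METHOD "POST" "id:77350266,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Reflected XSS via Application Password Requests in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:reject_url|ARGS:success_url "@rx ^http://" "chain,t:none"
    SecRule MATCHED_VAR "!@rx http://(?:%{SERVER_NAME}|%{SERVER_ADDR})" "t:none"

# WPT-26
# Blocks direct requests for apikey.php inside a plugins/apikey directory (path is URL-decoded,
# normalised and lowercased before matching).
SecRule REQUEST_FILENAME|PATH_INFO "@rx (?:\/wp-content)\/plugins\/apikey\/apikey.php" "id:77350276,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WebShell in Fake Plugin 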
apikey||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'"
# (The line above closes rule 77350276, which starts on the previous line.)

# WPT-312
# 77350277: POST to the wp_live_chat_support remote_upload REST route with a
# Content-Type containing "image" and an uploaded file name ending in .pht, .phtml
# or .php plus an optional digit.
# NOTE(review): this extension list is much shorter than the one rule 77350298 uses
# later in this file. The FILES condition also lists no t:none before its
# transformations. Confirm both are intentional.
SecRule REQUEST_METHOD "@streq post" "chain,id:77350277,block,log,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload leading to RCE in WordPress plugin WP Live Chart Support Pro < 8.0.07 (CVE-2018-12426)||WPU:%{TX.wp_user}||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||',tag:'service_im360',tag:'wp_plugin_wp_live_chat_support'"
    SecRule REQUEST_HEADERS:Content-Type "@contains image" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith /wp-json/wp_live_chat_support/v1/remote_upload" "chain,t:none,t:normalizePath"
    SecRule FILES "@rx (\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# 77350278: phase-1 check of TX:wp_user, after URL decoding, for NUL, double quote,
# LF, CR, 0x1A or backslash.
# NOTE(review): TX:wp_user is set by a rule outside this part of the file. This rule
# only sees a value if that rule also runs in phase 1 and earlier - verify the order.
SecRule TX:wp_user "@rx [\x00\x22\x0A\x0D\x1A\x5C]" "id:77350278,phase:1,block,log,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Unauthenticated SQLi Vulnerability in WP Fastest Cache < 1.2.2 plugin for WordPress (CVE-2023-6063)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin_wp_fastest_cache'"

# 77350294: GET or POST to /wp-admin/plugins.php with action=activate and a plugin
# argument containing "wpress-security-wordpress".
# NOTE(review): the rule runs in phase:3 (response headers). By then the application
# has already handled the request, so `block` here can withhold the response but
# presumably cannot stop the activation itself. Treat a hit as a detection to
# follow up (audit installed plugins) and confirm whether phase:2 was intended.
SecRule REQUEST_METHOD "^GET|^POST" "chain,id:77350294,block,log,phase:3,severity:5,t:none,msg:'IM360 WAF: Fake WordPress plugin CVE-2023-45124 activation attempt||Plugin:%{MATCHED_VAR}||Time:%{TIME}||Addr:%{tx.remote_addr};login:%{IP.wp_logged_in};get:%{IP.wp_get_req};edit:%{TX.wp_theme_edit}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_i360'"
    SecRule REQUEST_URI "@contains /wp-admin/plugins.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq activate" "chain,t:none"
    SecRule ARGS:plugin "@contains wpress-security-wordpress" "t:none,t:lowercase"

# WPT-338
# 77350298: audit-only rule (pass,nolog,auditlog) for POSTs to admin-ajax.php.
# The rest of its chain continues on the next line.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350298,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File Upload in Elementor <= 3.18.1 plugin for WordPress (CVE-2023-48777)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" 
SecRule ARGS:action "@rx elementor_ajax" "chain,t:none" SecRule ARGS:actions "@rx import_template[^{]+{\x22fileName\x22:\x22([^\x22]+)\x22," "chain,t:none,capture" SecRule TX:1 "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)$" "t:none,setvar:'tx.rbl_infectors=1'" SecRule REQUEST_FILENAME "@rx wp-content\/uploads\/elementor\/tmp\/[\w]+\/[^\n]+\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)$" "id:77350299,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Suspicious File Access in Elementor <= 3.18.1 plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" # WPT-346 SecRule REQUEST_HEADERS:content-dir|REQUEST_HEADERS:content-abs "@gt 256" "id:77350301,phase:2,block,log,severity:2,t:none,t:length,msg:'IM360 WAF: RCE in Backup Migration <= 1.3.7 WordPress plugin (CVE-2023-6553)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:content-dir|REQUEST_HEADERS:content-abs "@pm php: |" "id:77350302,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: RCE in Backup Migration <= 1.3.7 WordPress plugin (CVE-2023-6553)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule &REQUEST_HEADERS:content-dir|&REQUEST_HEADERS:content-abs "@gt 0" "id:77350303,phase:2,pass,nolog,auditlog,severity:5,t:none,setvar:'tx.rbl_infectors=1',msg:'IM360 WAF: RCE in Backup Migration <= 1.3.7 WordPress plugin (CVE-2023-6553)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" # DEFA-2746 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142148,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Category Page Icons <= 0.9.1 - Arbitrary File Upload via Path Traversal||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_URI "@rx \/wp-content\/plugins\/category-page-icons\/include\/wpdev-flash-uploader\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace" SecRule 
ARGS:dir_icons "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath"
# (The line above is the last condition of rule 77142148, started on the previous
# line. t:normalizePath runs before the regex, so only back-references that climb
# above the start of the value are left for `\.\.\/` to match.)

# 77350307: request to wp-login.php whose `log` (username) argument, lower-cased,
# starts with one of the listed names. Recorded in the audit log only (nolog,auditlog).
# NOTE(review): "wpsupp‑user" and "wp‑configuser" are written with a non-ASCII hyphen
# (it looks like U+2011 NON-BREAKING HYPHEN), while "deleted-" and "wp_update-" use
# the ASCII "-". If the account names being matched use an ASCII hyphen, these two
# alternatives never match - confirm against the indicator source.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77350307,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Prohibited WordPress username login/registration||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:log "@rx ^(?:deleted-|wpsupp‑user|wp‑configuser\.|wp_update-|wadminw|greeceman)" "t:lowercase"

# 77350420: request to wp-login.php whose `log` argument is exactly PluginAUTH,
# PluginGuest or Options.
# NOTE(review): with t:none and no (?i) the comparison is case-sensitive, unlike
# 77350307 above which lower-cases first - confirm this is intended.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77350420,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Malicious WordPress user detected (CVE-2024-6297)||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:log "@rx ^(PluginAUTH|PluginGuest|Options)$" "t:none"

# WPT-375
# 77350308: POST to the post-smtp connect-app route whose `device` request header is
# empty or contains one of the listed device strings.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350308,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@contains post-smtp/v1/connect-app" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:device "@rx (?i)FakeDevice|pelerganteng|^$|iPhone_ktn" "t:none"

# 77350345: audit-only record (pass,nolog,auditlog) of any GET or POST to the
# connect-app route, regardless of headers.
SecRule REQUEST_METHOD "@rx (?i)(get|post)" "id:77350345,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@contains post-smtp/v1/connect-app" "t:none,t:normalizePath"

# 77350346: audit-only rule for GET requests. Its message and chain continue on the
# next line.
SecRule REQUEST_METHOD "@rx (?i)get" "id:77350346,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin 
(CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains post-smtp/v1/connect-app" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:device "!@eq 28" "t:none,t:length" SecRule REQUEST_METHOD "@rx (?i)get" "id:77350316,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-json/post-smtp/v1/get-logs" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350317,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress user password reset attempt||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-login.php" "chain,t:none" SecRule ARGS:action "@streq lostpassword" "t:none" SecRule REQUEST_METHOD "@rx (?i)get" "id:77350318,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain,t:none" SecRule &REQUEST_HEADERS:fcm_token "@gt 0" "chain,t:none" SecRule &ARGS:access_token "@gt 0" "chain,t:none" SecRule &ARGS:log_id "@gt 0" "chain,t:none" SecRule &ARGS:type "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:device "@rx (?i)FakeDevice|pelerganteng|iPhone_ktn" "t:none" SecRule REQUEST_METHOD "@rx (?i)get" "id:77350319,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Block Authentication Bypass 
Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx (\/wp-json\/post-smtp\/v1\/get-logs|\/wp-admin\/admin\.php)" "chain,t:none,t:normalizePath" SecRule &REQUEST_HEADERS:fcm_token "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:device "@rx (?i)FakeDevice|pelerganteng|iPhone_ktn" "t:none" SecRule REQUEST_FILENAME "@endsWith /fm_temp.php" "id:77350323,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Upload vulnerability in File Manager Pro <= 8.3.4 plugin for WordPress (CVE-2023-6846)||T:APACHE||',tag:'service_im360'" SecRule ARGS:action "@streq dzsap_download" "id:77350324,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Directory traversal vulnerability in Plugin DZS Zoomsounds < 6.50 for WordPress (CVE-2021-39316)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule ARGS:link "@rx \.\.\/" "t:none,t:urlDecodeUni" # WPT-416 SecRule REQUEST_METHOD "@rx (?i)post" "id:77350325,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Upload Vulnerability in Avada <= 7.11.1 Theme For WordPress (CVE-2023-39307)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule TX:wp_cookie "!@rx ^$" "chain,t:none" SecRule REQUEST_URI "@pm /wp-json/ wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx fusion_panel_import" "chain,t:none" SecRule ARGS:toUrl "!@rx ^http" "t:none" SecRule REQUEST_METHOD "POST" "id:77350328,chain,phase:2,log,deny,severity:2,t:none,msg:'IM360 WAF: LFI Vulnerability in Shield Security plugin for WordPress (CVE-2023-6989)||Data:%{ARGS.render_action_template}||T:APACHE||',tag:'service_im360'" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq shield_action" "chain,t:none" SecRule ARGS:ex 
"@streq generic_render" "chain,t:none" SecRule ARGS:render_action_template "@contains .php" "chain,t:none" SecRule ARGS:render_action_template "\.\.|^\/" "t:none" # WPT-376 SecRule REQUEST_METHOD "@rx (?i)post" "id:77350329,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-7027)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:device|REQUEST_HEADERS:device "@rx [\x27\x22<&]" "t:none" # WPT-476 SecRule REQUEST_METHOD "@rx (?i)post" "id:77350366,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Stored XSS In LiteSpeed Cache < 5.7.0.1 WordPress Plugin (CVE-2023-40000)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI|ARGS:rest_route "@contains /litespeed/v1/cdn_status" "chain,t:none,t:normalizePath" SecRule ARGS:result[nameservers]|ARGS:result[_msg] "@rx [<\(\x27]|(exec|passthru|proc_open|eval|shell_exec|fwrite|system|ob_start|assert|file_(?:put|get)_contents|thrownewexception)\(" "t:none" # WPT-435 SecRule REQUEST_METHOD "@rx (?i)post" "id:77350330,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: RCE WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI|ARGS:rest_route "@contains bricks/v1/render_element" "chain,t:none" SecRule ARGS:/queryEditor/|ARGS:/executeCode/ "@rx (?i)file_put_contents\('[^']+',file_get_contents\('http" "t:none,t:urlDecode,t:removeWhitespace" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350331,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: RCE WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI|ARGS:rest_route "@contains bricks/v1/render_element" "chain,t:none" SecRule ARGS:/queryEditor/|ARGS:/executeCode/ 
"@rx (?i)\x60\W|(exec|passthru|proc_open|eval|shell_exec|fwrite|system|ob_start|assert|file_(?:put|get)_contents|thrownewexception)\(" "t:none,t:urlDecode,t:removeWhitespace" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350337,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: RCE WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI|ARGS:rest_route "@contains bricks/v1/render_element" "chain,t:none" SecRule ARGS:/queryEditor/|ARGS:/executeCode/ "@rx (?i)file_put_contents\('[^']+',file_get_contents\('http" "t:none,t:urlDecode,t:removeWhitespace,t:base64Decode" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350338,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: RCE WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI|ARGS:rest_route "@contains bricks/v1/render_element" "chain,t:none" SecRule ARGS:/queryEditor/|ARGS:/executeCode/ "@rx (?i)\x60\W|(exec|passthru|proc_open|eval|shell_exec|fwrite|system|ob_start|assert|file_(?:put|get)_contents|thrownewexception)\(" "t:none,t:urlDecode,t:removeWhitespace,t:base64Decode" SecRule REQUEST_URI "@rx \/wp-content\/themes\/bricks\/includes\/elements\/\w+(?i)\.(?:h?php[\ds]{0,2}?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "id:77350350,block,log,severity:2,t:none,msg:'IM360 WAF: RCE in WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-content\/uploads\/2023\/0(?:3|5|6)\/\w+(?i)\.(?:h?php[\ds]{0,2}|pht[m]?|s?phtml?|swf|xap|phar|inc|ctp|pl$|pgif|cgi|htaccess|module|exe|suspected)(?:\W|$)" "id:77350352,block,log,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Dangerous files in uploads||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx 
\/wp-includes\/js\/jquery\/\w+(?i)\.(?:h?php[\ds]{0,2}|pht[m]?|s?phtml?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|suspected|ico)(?:\W|$)" "id:77350351,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Suspicious files in jQuery||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350354,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Suspicious PHP objects in reguest||MVN:%{tx.mvn}||MV:%{TX.1}||T:APACHE||',tag:'service_i360'" SecRule REQUEST_FILENAME "@rx \.ph[p\d]{1,2}$|json/" "chain,t:none" SecRule ARGS|REQUEST_COOKIES "@pmFromFile bl_chain" "chain,t:none,t:removeWhitespace,t:removeNulls,t:urlDecodeUni,setvar:tx.mvn=%{MATCHED_VAR_NAME}" SecRule MATCHED_VAR "@rx (.{0,100}\00|\x00|\x0a|\x0d.{0,300})" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350357,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Track suspicious PHP obect||MVN:%{tx.mvn}||MV:%{TX.1}||T:APACHE||',tag:'service_i360'" SecRule REQUEST_FILENAME "@rx \.ph[p\d]{1,2}$|json/" "chain,t:none" SecRule ARGS|REQUEST_COOKIES "@pmFromFile bl_chain" "chain,t:none,t:urlDecode,t:removeWhitespace,t:removeNulls,t:base64Decode,setvar:tx.mvn=%{MATCHED_VAR_NAME}" SecRule MATCHED_VAR "@rx (.{0,100}\00|\x00|\x0a|\x0d.{0,300})" "t:none,t:urlDecodeUni,t:base64Decode" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350353,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated SQLi Vulnerability in RSS Aggregator by Feedzy <= 4.4.2 WordPress Plugin (CVE-2024-1317)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:_action "@streq fetch_custom_fields" "chain,t:none" SecRule ARGS:search_key "@rx \x22|\x27|\x2f|\x00|\x0a|\x0d" "t:none,t:urlDecode" SecRule REQUEST_METHOD "^POST" "id:77350358,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Privilege escalation vulnerability in Academy LMS WordPress plugin 
(CVE-2024-1505)||Data:%{ARGS.wp_capabilities}||T:APACHE||WPU:%{TX.wp_user}||',tag:'service_im360'"
# Remaining conditions of rule 77350358, started on the previous line: admin-ajax.php
# with the academy/frontend/saved_user_info action and a POST parameter named exactly
# wp_capabilities.
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "^academy/frontend/saved_user_info$" "chain,t:none"
    SecRule ARGS_POST_NAMES "^wp_capabilities$" "t:none"

# 77350359: POST to admin-ajax.php with action=um_get_members, followed by a negated
# check on the `sorting` argument.
# NOTE(review): `[\w_-]|^$` matches any value that is empty or contains at least one
# word character or hyphen. Negated, the rule fires only on non-empty values with no
# such character at all. A whole-value allow-list (for example `^[\w-]*$`) was
# presumably intended - confirm and test before relying on this rule for
# CVE-2024-1071, and keep the plugin itself patched.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350359,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in Ultimate Member User Profile Registration Login Member Directory Content Restriction & Membership plugin 2.1.3-2.8.2 WordPress plugin (CVE-2024-1071)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq um_get_members" "chain,t:none"
    SecRule ARGS:sorting "!@rx [\w_-]|^$" "t:none"

# 77350364: POST to admin-ajax.php whose `target` argument has the form l1_<data>.
# The captured <data> (TX:1) is then tested against path-like prefixes and fragments.
# The action list of the last condition, including t:base64Decode, is on the next line.
# NOTE(review): the message reports %{tx.mvn}, but nothing in this chain sets tx.mvn
# (rules 77350354 and 77350357 earlier in the file do). The MVN field is presumably
# empty or left over from another rule - confirm.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350364,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Directory Traversal Vulnerability in File Manager And File Manager Pro < 7.2.2 (CVE-2023-6825)||MV:%{TX.1}||MVN:%{tx.mvn}||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:target "@rx ^l1_([^\n]+)$" "chain,t:none,capture"
    SecRule TX:1 "@rx ^(?:[\/\.]|wp-|\/\.|\.\.\/)|\/wp-|public_html\/|\/www|\w\/\." 
"t:none,t:base64Decode"
# (The line above is the action list of the last condition of rule 77350364. The
# captured value is base64-decoded before the pattern on the previous line is applied.)

# 77350365: audit-only companion (pass,nolog,auditlog) to 77350364. It records any
# POST to admin-ajax.php whose target or upload_path has the form l1_<data> with a
# non-empty decoded <data>.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350365,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible Directory Traversal Vulnerability in File Manager And File Manager Pro < 7.2.2 (CVE-2023-6825)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:target|ARGS:upload_path "@rx ^l1_([^\n]+)$" "chain,t:none,capture"
    SecRule TX:1 "!@rx ^$" "t:none,t:base64Decode"

# WPT-492
# 77350373: POST to a path containing ".php" with option=mo_wpns_change_password,
# both password arguments present and a non-empty username.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350373,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Malware Scanner <= 4.7.2 and Web Application Firewall <= 2.1.1 WordPress plugin (CVE-2024-1991)||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@rx \.php" "chain,t:none"
    SecRule ARGS:option "@streq mo_wpns_change_password" "chain,t:none"
    SecRule &ARGS:new_password "@gt 0" "chain,t:none"
    SecRule &ARGS:confirm_password "@gt 0" "chain,t:none"
    SecRule ARGS:username "!@rx ^$" "t:none"

# WPT-526
# 77350382: POST carrying a wpmem_reg_page argument, followed by a negated check of
# the X-Forwarded-For header.
# NOTE(review): the character class is anchored only at the end (`+$`), so the
# pattern is satisfied whenever the header merely ends in an allowed character. The
# `unknown` alternative is not anchored either. An allow-list of the whole value
# would need a leading `^` (i.e. `^[...]+$`) - presumably that was intended. The
# class also admits both quote characters (\x22, \x27). Confirm and test.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350382,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Stored XSS Vulnerability in WP-Members Membership WordPress Plugin <= 3.4.9.2 (CVE-2024-1852)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_core'"
    SecRule &ARGS:wpmem_reg_page "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:X-Forwarded-For "!@rx (?i)[\[\]\sa-f0-9,\.:\x22\x27]+$|unknown|^$" "t:none"

# 77350385: the same X-Forwarded-For check applied to every POST, without the
# wpmem_reg_page condition. The missing `^` anchor described for 77350382 applies
# here as well.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350385,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Suspicious input in XFF||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
    SecRule REQUEST_HEADERS:X-Forwarded-For "!@rx (?i)[\[\]\sa-f0-9,\.:\x22\x27]+$|unknown|^$" "t:none"

# 77350383: rule on requests to /wp-admin/admin-ajax.php. Its message and the rest of
# its chain continue on the next line.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77350383,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated SQL Injection in WordPress plugin 
LayerSlider 7.9.11-7.10.0 (CVE-2024-2879)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'" SecRule ARGS:action "@contains ls_get_popup_markup" "chain,t:none" SecRule ARGS:id[where] "\w\(|\x27" "t:none" # WPT-538 SecRule REQUEST_METHOD "(?i)post" "id:77350376,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in WEmanage App Worker WordPress Plugin (CVE-2024-1205)||MV:%{MATCHED_VAR}||T:APACHE||WPU:%{TX.wp_user}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wc/v3/upload-csv-file" "chain,t:none,t:normalizePath" SecRule FILES "!@rx \.csv$" "t:none" # WPT-541 SecRule REQUEST_METHOD "(?i)post" "id:77350387,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in MasterStudy LMS < 3.3.1 WordPress plugin (CVE-2024-2411)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains stm_lms_load_modal" "chain,t:none" SecRule ARGS:modal "@contains ../" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350388,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in MasterStudy LMS < 3.3.2 WordPress plugin (CVE-2024-2409)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains stm_lms_register" "chain,t:none" SecRule REQUEST_BODY "@rx wp_capabilities[^\}]+administrator" "t:none,t:compressWhitespace" SecRule REQUEST_METHOD "(?i)post" "id:77350389,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in MasterStudy LMS < 3.3.4 WordPress plugin (CVE-2024-3136)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule 
ARGS:action "@contains stm_lms_load_content" "chain,t:none" SecRule ARGS:template "@contains ../" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350393,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated SQLi WP Activity Log Premium < 4.6.5 WordPress Plugin (CVE-2024-2018)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq wsal_AjaxGenerateReport" "chain,t:none" SecRule ARGS:nextDate "@rx [^\d\w:.\/\-\s]" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350397,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in User Registration-Custom Registration Form, Login Form, and User Profile < 3.1.6 WordPress plugin (CVE-2024-2417)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains user_registration_form_save_actoin" "chain,t:none" SecRule ARGS:/data\[form_setting_data\]\[\d+\]\[name\]/ "@streq user_registration_form_setting_default_user_role" "chain,t:none" SecRule ARGS:/data\[form_setting_data\]\[\d+\]\[value\]/ "@contains administrator" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350398,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in User Registration-Custom Registration Form, Login Form, and User Profile < 3.1.6 WordPress plugin (CVE-2024-2417)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^user_registration_" "t:none,setvar:'tx.rbl_infectors=1'" SecRule &ARGS:wpbdp_view "@eq 1" "id:77350415,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in Business Directory Plugin for WP 
(CVE-2024-4443)||T:APACHE||Log:%{MATCHED_VAR}||',tag:'service_im360'" SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "!@eq 1" "chain,t:none" SecRule REQUEST_URI "@rx listingfields\[\S{1,100}]\[\d{1,100}\]" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350423,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Unauthenticated Stored XSS via Avatar Block in WordPress Core < 6.5.2 (CVE-2024-4439)||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-comments-post.php /wp-admin/profile.php" "chain,t:none,t:normalizePath" SecRule ARGS:author|ARGS:/_name$/ "@rx \x22|\W\w+\([^\)]+\);" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350425,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Unauthenticated Stored XSS via Avatar Block in WordPress Core < 6.5.2 (CVE-2024-4439)||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains rest_core_controller_create_item" "chain,t:none" SecRule ARGS:collection_name "@contains avatar" "chain,t:none" SecRule REQUEST_BODY "@rx onerror\x22:\x22(\w+\([^\)]+\))" "t:none,t:removeWhitespace,capture" SecRule REQUEST_METHOD "^POST" "id:77350426,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Authorization Bypass and Privilege Escalation in ProfileGrid User Profiles, Groups and Communities plugin for WordPress <= 5.8.9 (CVE-2024-6411)||WPU:%{TX:wp_cookie}||userID:%{tx.user_id}||user_meta:%{tx.user_meta}||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq pm_upload_image" "chain,t:none" SecRule ARGS:user_id "!@rx ^$" "chain,t:none,setvar:tx.user_id=%{MATCHED_VAR}" SecRule ARGS:user_meta "@pm administrator editor author" "t:none,setvar:tx.user_meta=%{MATCHED_VAR}"