Mini File Manager

Edit File

# ---------------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2021 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# Please see the enclosed IM360-LICENSE.txt file for full details.
# ---------------------------------------------------------------

# RBL whitelist DEFA-3987
SecRule REMOTE_ADDR "@ipMatchFromFile rbl_whitelist" "id:77316900,phase:2,pass,nolog,severity:5,t:none,skipAfter:RBL_WHITELIST"

# DEFA-4149
SecRule REQUEST_METHOD "@rx POST" "id:77316879,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule &ARGS:uploadsDir "@gt 0" "chain,t:none"
SecRule &ARGS:uploadsDirURL "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4149
SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "id:77316880,chain,phase:2,deny,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule &ARGS:url "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2752
SecRule REQUEST_METHOD "^POST$" "chain,id:77142152,phase:2,severity:7,log,pass,t:none,msg:'IM360 WAF: WordPress WP Private Content Plus plugin - unauthenticated options change (CVE-2019-15816)||T:APACHE||REMOTE_ADDR=%{REMOTE_ADDR}||page=%{ARGS.page}||class method=save_%{ARGS.wppcp_tab}',tag:'wp_plugin_wp_private_content_plus',tag:'im360_req_post'"
SecRule ARGS:page "@rx ^wppcp" "chain,t:none"
SecRule &ARGS:wppcp_tab "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3683
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316789,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: Authenticated settings update in Responsive Menu < 4.0.3 WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_responsive_menu',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none"
SecRule ARGS:page "@streq settings" "chain,t:none"
SecRule FILES "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3683
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316790,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_responsive_menu',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none"
SecRule ARGS:page "@streq themes" "chain,t:none"
SecRule FILES "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3977
SecRule REQUEST_METHOD "@rx POST" "id:77316835,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Unauthenticated Redirect Import/Export in Simple 301 Redirects by BetterLinks for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-admin/admin-post.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:page "@streq 301options" "chain,t:none"
SecRule &ARGS:import "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*$.*$" "id:77140164,chain,pass,log,phase:2,severity:7,t:none,capture,ctl:auditLogParts=+E,setvar:TX.php_inject=+1,msg:'IM360 WAF: Infectors: PHP Injection Low value||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_o',tag:'service_i360'"
SecRule REQUEST_URI "!@rx \/wc-api\/KCO_WC_Validation\/" "t:none,t:urlDecode,t:normalizePath"

SecRule REQUEST_URI "!@rx (?:\/(wp-spamfree|com_breezingforms|midway\/framework\/assets))" "chain,id:77140878,phase:request,log,pass,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Infectors: Suspicious access attempt (webshell)!||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom'"
SecRule REQUEST_URI "@rx (\/(images|img(s)?|pictures|upload(s)?)\/[^\.]{0,108}\.(pht|phtml|php\d?$))" "t:none,t:urlDecodeUni,t:normalizePath,setvar:'tx.rbl_infectors=1'"

# DirectoryBruteForce infectors
SecRule REQUEST_FILENAME "@pmFromFile userdata_dirb_URLs.data" "id:77142160,phase:request,pass,log,severity:7,t:urlDecode,t:removeWhitespace,t:lowercase,msg:'IM360 WAF: Infectors. Dirb like fuzzing||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# Infectors from COMODO
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:textarea|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" "id:77140880,msg:'IM360 WAF: Infectors: PHP Injection Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||SC:%{SCRIPT_FILENAME}',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:7,setvar:'tx.rbl_infectors=1'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*$.*$" "id:77134464,pass,log,phase:2,severity:7,t:none,capture,ctl:auditLogParts=+E,msg:'IM360 WAF: Infectors: PHP Injection High-Risk PHP Function||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_o',tag:'service_i360',setvar:'tx.rbl_infectors=1'"

#DEFA-5387 FP fix
SecRule REQUEST_URI "!@pm cpanel AdminTranslations /administrator/ post.php" "id:77140882,chain,msg:'IM360 WAF: Infectors: OS File Access Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||SC:%{SCRIPT_FILENAME}',phase:2,block,severity:2,log,t:none"
SecRule ARGS|REQUEST_COOKIES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:/post/|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:(?<!\w)(?:\.(?:ht(?:group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|^/etc/)" "t:none,capture,ctl:auditLogParts=+E,t:cmdLine,setvar:'tx.rbl_infectors=1'"

# Uploader
SecRule REQUEST_URI "!@rx \/stats\/(?:alive|success|failure)$" "id:77140883,chain,phase:2,log,pass,t:none,t:normalizePath,severity:7,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||ARGS.path:%{ARGS.path}||ARGS.url:%{ARGS.url}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'"
SecRule ARGS:url "!@rx ^$" "chain,t:none"
SecRule ARGS:path "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# S.A.P.
SecRule REQUEST_COOKIES:f_pp|ARGS:f_pp "!rx ^$" "id:77140885,phase:2,log,pass,severity:7,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# z0
SecRule ARGS:z0 "!rx ^$" "id:77140886,phase:2,log,pass,severity:7,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# DEFA-1964
SecRule REQUEST_METHOD "@pm GET POST" "id:77140942,chain,pass,auditlog,severity:7,phase:2,t:none,msg:'IM360 WAF: Block WordPress 5.3 User Enumeration attempts||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core'"
SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "t:none,t:normalizePath,setvar:'tx.rbl_infectors=1'"

# DEFA-2039
SecRule ARGS:up_auto_log "@streq true" "id:77140957,phase:2,pass,auditlog,t:none,severity:7,msg:'IM360 WAF: Block WordPress Userpro Authentication Bypass attempts||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_user_profiles',setvar:'tx.rbl_infectors=1'"

# DEFA-2298
SecRule &ARGS:sc "@gt 0" "id:77141009,chain,pass,log,severity:7,t:none,msg:'IM360 WAF: WordPress ThemeREX Plugin RCE remote check||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{ARGS.sc}||',tag:'service_i360custom',tag:'service_wp_plugin'"
SecRule REQUEST_URI "@contains /trx_addons/v2/" "t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-2338
SecRule REQUEST_FILENAME "@endsWith /adminer/inc/editor/index.php" "id:77141024,pass,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Adminer <= 1.4.5 Security Bypass||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_adminer',setvar:'tx.rbl_infectors=1'"

# DEFA-2358
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/indeed-membership-pro/export.xml" "id:77141028,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_member',setvar:'tx.rbl_infectors=1'"

# DEFA-2507
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/brizy/admin/site-settings.php" "id:77141078,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: PHPMailer < 5.2.20 - Remote Code Execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_brizy',setvar:'tx.rbl_infectors=1'"

# DEFA-2540
SecRule REQUEST_METHOD "@streq GET" "chain,id:77141084,pass,t:none,severity:7,msg:'IM360 WAF: Tracking suspicious file access||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'i360custom',tag:'im360_req_get'"
SecRule REQUEST_URI "@contains /wordpress/license.txt" "t:none,t:urlDecodeUni,t:normalizePath,setvar:'tx.rbl_infectors=1'"

# DEFA-2677
SecRule REQUEST_URI "@pm /wp-admin/post.php /wp-admin/admin-ajax.php" "id:77142107,chain,phase:2,pass,log,severity:7,t:urlDecode,t:removeWhitespace,t:normalizePath,msg:'IM360 WAF: File upload via plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule FILES "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-2676
SecRule REQUEST_URI "@pm /wp-admin/post.php /wp-admin/admin-ajax.php" "id:77142108,chain,phase:2,pass,log,severity:7,t:urlDecode,t:removeWhitespace,t:normalizePath,msg:'IM360 WAF: Directory traversal via plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule ARGS "@contains ../" "t:none,t:urlDecode,setvar:'tx.rbl_infectors=1'"

# DEFA-2855
SecRule ARGS:lang "@rx \W" "id:77142202,phase:2,severity:7,pass,log,t:none,t:urlDecodeUni,msg:'IM360 WAF: Track generic SQLi attack vector||T:APACHE||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# DEFA-2927
SecRule ARGS:cffaction "@pm test_db_connection test_db_query get_data_from_database get_post_types get_posts get_available_taxonomies get_taxonomies get_users" "id:77142220,pass,log,severity:7,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in Payment Form For Paypal Pro < 1.1.65||T:APACHE||ARGS.cffaction:%{ARGS.cffaction}||',tag:'wp_plugin_payment_form_for_paypal_pro',setvar:'tx.rbl_infectors=1'"

# DEFA-2972
SecRule REQUEST_FILENAME "@endsWith /bamegamenu/ajax_phpcode.php" "chain,id:77142250,phase:2,severity:7,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop Responsive Mega Menu module < 1.7.2.5 arbitrary code execution (CVE-2018-8823)||T:APACHE||ARGS.code:%{ARGS.code}||',tag:'service_i360custom'"
SecRule &ARGS:code "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3027
SecRule ARGS:es "@streq open" "id:77316723,chain,phase:2,pass,log,severity:7,msg:'IM360 WAF: SQL Injection in Plugin Email Subscribers & Newsletters 4.2.2 for WordPress (CVE-2019-20361)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_email_subscribers'"
SecRule &ARGS:hash "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3027
SecRule ARGS:a "@pm fetch display" "id:77316725,chain,phase:2,pass,log,severity:7,msg:'IM360 WAF: File Upload/RCE in ThinkCMF||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule &ARGS:templateFile "@gt 0" "chain,t:none"
SecRule ARGS:prefix "@contains '" "t:none,t:htmlEntityDecode,t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3100
SecRule ARGS|REQUEST_URI|XML:/* "@rx ;[\s\+]?wget\shttps?:\/\/([^\s\+])" "id:77142263,phase:2,pass,log,severity:7,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3100
SecRule ARGS|REQUEST_URI|XML:/* "@rx \$\{IFS\}" "id:77142266,pass,phase:2,log,severity:7,t:none,t:htmlEntityDecode,msg:'IM360 WAF: Special shell symbol in request||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# DEFA-3100
# DEFA-3564 added exception
SecRule REQUEST_URI "!@pm /wp-admin/admin-ajax.php /wp-json/wp/v2/media/ /configproducts.php" "id:77142267,chain,phase:2,pass,log,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: Special shell symbol in request||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule ARGS|REQUEST_URI|XML:/* "@rx \$\{(?!(?:(?:itemURL|innerHtml\[index\]\.link|eventId|city|term|api_itech|userSignature|href|name)\}|startDate\(|endDate\(|Prospects))" "t:none,t:htmlEntityDecode,setvar:'tx.rbl_infectors=1'"

# DEFA-3348
SecRule ARGS|REQUEST_LINE "@rx (?:wget https?\:\/\/pastebin\.com\/raw\/)" "id:77316744,phase:2,log,pass,severity:7,t:urlDecode,t:lowercase,t:htmlEntityDecode,t:hexDecode,multimatch,msg:'IM360 WAF: Suspicious url download attempt||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" "id:33341,pass,log,severity:7,phase:2,t:none,ctl:ruleEngine=On,msg:'IM360 WAF: Block file upload for Infectors||T:APACHE||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}||',tag:'service_i360',setvar:'tx.rbl_infectors=1'"

# DEFA-2643, DEFA-2764
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/wp-total-donations/the-ajax-caller.php wp-cron.php" "id:77140752,chain,phase:2,pass,log,severity:7,t:urlDecode,t:normalizePath,msg:'IM360 WAF: WP Total Donations Plugin vulnerability (CVE-2019-6703)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule ARGS "@pm miglaA_update_me miglaA_update_arr miglaA_update_barinfo" "t:none,t:urlDecode,setvar:'tx.rbl_infectors=1'"

SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:print|echo|eval|exec)\(" "id:77140881,msg:'IM360 WAF: Infectors: Arbitrary code execution vulnerability in Request URI||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||SC:%{SCRIPT_FILENAME}',phase:2,pass,log,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,severity:7,setvar:'tx.rbl_infectors=1'"

# WSO
SecRule ARGS:a "!rx ^$" "id:77140884,chain,phase:2,log,pass,severity:7,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom'"
SecRule ARGS:p1 "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2159
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin.php" "id:77140985,chain,phase:2,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin WP Database Reset Auth Bypass vulnerability||MVN:%{MATCHED_VAR_NAME}||DB:%{ARGS.db-reset-tables[]}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wordpress_database_reset'"
SecRule &ARGS:db-reset-tables[] "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2107
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140990,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: WordPress Plugin InfiniteWP Auth Bypass vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_iwp_client',tag:'im360_req_post'"
SecRule REQUEST_BODY "@rx (?:^_IWP_JSON_PREFIX_)(.{4,8192})" "chain,capture,t:none,t:urlDecodeUni"
SecRule TX:1 "@rx \x22iwp_action\x22\s{0,128}\:\s{0,128}\x22(?:add_site|readd_site)\x22" "chain,t:none,t:urlDecodeUni"
SecRule TX:1 "@rx \x22username\x22\s{0,128}\:\s{0,128}\x22\w{0,128}\x22" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2108
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140980,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: WordPress Plugin Time Capsule Auth Bypass vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_wp_time_capsule',tag:'im360_req_post'"
SecRule REQUEST_BODY "@rx IWP_JSON_PREFIX" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2454
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141060,chain,pass,t:none,log,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Authenticated Privilege Escalation in RegistrationMagic Plugin for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_wp_plugin'"
SecRule ARGS:page "@streq rm_submissions" "chain,t:none"
SecRule ARGS:rm_slug "@pm rm_user_edit rm_form_export" "setvar:'tx.rbl_infectors=1'"

# DEFA-2691
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142118,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: Logged suspicious request||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx ^$" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2706
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142138,chain,pass,t:none,severity:7,log,msg:'IM360 WAF: RCE vulnerability in Breezy - Page Builder plugin for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_breezy_page_builder',tag:'im360_req_post'"
SecRule ARGS:/^brizy-settings-ta/ "@streq code-injection" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:footer_code|ARGS:header_code "@contains String.fromCharCode(" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2754
SecRule ARGS:otw_pctl_action "@rx ^(manage_otw_pctl_custom_templates|delete_otw_pctl_custom_template|manage_otw_pctl_options)$" "id:77142169,phase:2,severity:7,pass,log,t:none,capture,msg:'IM360 WAF: WordPress Post Custom Templates Lite <= 1.6 - Persistent Cross-Site Scripting||T:APACHE||otw_pctl_action = %{TX.1}',tag:'wp_plugin_post_custom_templates_lite',setvar:'tx.rbl_infectors=1'"

# DEFA-2833
SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142199,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',setvar:'tx.rbl_infectors=1'"

# DEFA-2905
SecRule REQUEST_FILENAME "@endsWith index.php" "id:77142206,chain,phase:2,pass,log,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: Joomla Com_Fabrik Vulnerabilities (RBL)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_fabrik" "setvar:'tx.rbl_infectors=1'"

# DEFA-2834
SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/pw-bulk-edit\/(readme\.txt|results\.js|license\.txt)" "id:77142209,pass,log,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: XSS in PW WooCommerce Bulk Edit (Recon)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_pw_bulk_edit',setvar:'tx.rbl_infectors=1'"

# DEFA-2906
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142212,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Shell Upload in Joomla 3.x||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_core',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,t:none,t:normalizePath"
SecRule ARGS:option "@streq com_templates" "chain,t:none"
SecRule ARGS:view "@streq template" "chain,t:none"
SecRule &ARGS:id "@gt 0" "chain,t:none"
SecRule &ARGS:file "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2990
SecRule ARGS:tccj-update "@streq Update" "chain,id:77142228,phase:2,severity:7,pass,log,t:none,msg:'IM360 WAF: WordPress plugin TC Custom JavaScript - Unauthenticated Stored Cross-Site Scripting (CVE-2020-14063) - direct exploitation variation||T:APACHE||ARGS.tccj-update:%{ARGS.tccj-update}||ARGS.tccj-content:%{ARGS.tccj-content}||',tag:'service_i360custom'"
SecRule &ARGS:tccj-content "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3163
SecRule FILES "@rx ^\." "id:77316727,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Suspicious file upload detection||T:APACHE||FILES:%{FILES}||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# DEFA-3225
SecRule REQUEST_METHOD "POST" "id:77316731,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: File Upload in Front-end Editor plugin for WordPress||T:APACHE||Files:%{FILES}||',tag:'wp_plugin_front_end_editor',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@contains /wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/" "chain,t:none,t:htmlEntityDecode,t:normalizePath"
SecRule FILES "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-3223
SecRule REQUEST_METHOD "POST" "id:77316732,chain,phase:2,pass,severity:7,log,t:none,msg:'IM360 WAF: File Upload Vulnerability in Awesome Support plugin for WordPress||T:APACHE||Files:%{FILES}||',tag:'wp_plugin_awesome_support',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/awesome-support\/plugins\/jquery\.fineuploader-[^\/]\/server\/php\/" "chain,t:none,t:htmlEntityDecode,t:normalizePath"
SecRule FILES "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-3224
SecRule REQUEST_METHOD "POST" "id:77316733,chain,phase:2,pass,severity:7,log,t:none,msg:'IM360 WAF: File Upload Vulnerability in Fluid forms plugin for WordPress||T:APACHE||Files:%{FILES}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@contains /wp-content/plugins/fluid_forms/file-upload/server/php/" "chain,t:none,t:htmlEntityDecode,t:normalizePath"
SecRule FILES "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-3292
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simplepress/resources/jscript/sp-common.min.js" "id:77316735,pass,log,t:none,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Simple:Press - Broken Access Control||T:APACHE||',tag:'wp_plugin_simplepress',setvar:'tx.rbl_infectors=1'"

# DEFA-3398
SecRule REQUEST_METHOD "^POST$" "id:77316797,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: RCE in uri used by KashmirBlack||Request-URI:%{REQUEST_URI}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_URI "@pmFromFile rce_uri" "t:none,t:urlDecodeUni,t:normalizePath"

# DEFA-3699
SecRule REQUEST_METHOD "^POST$" "id:77316800,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: RCE in vBulletin (CVE-2019-16759)||Code:%{ARGS}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule ARGS:/subWidgets[\d][template]/ "@streq widget_php" "chain,t:none"
SecRule &ARGS:/subWidgets[\d][config][code]/ "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3779
SecRule REQUEST_METHOD "@rx POST" "id:77316812,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Unauthenticated file upload in multiple Thrive Themes for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-json/thrive/kraken" "chain,t:none,t:lowercase,t:normalizePath"
SecRule &ARGS:attachment_ID "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3951
SecRule REQUEST_METHOD "@rx POST" "id:77316832,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Suspicious Joomla plugin installation attempt||File:%{FILES}||T:APACHE||Install directory:%{ARGS.install_directory}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:option "@streq com_installer" "chain,t:none"
SecRule ARGS:task "@streq install.install" "setvar:'tx.rbl_infectors=1'"

# DEFA-3951
SecRule REQUEST_METHOD "@rx POST" "id:77316833,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Suspicious OpenCart plugin installation attempt||File:%{FILES}||T:APACHE||Install directory:%{ARGS.install_directory}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /admin/index.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:route "@streq marketplace/installer/upload" "chain,t:none"
SecRule &ARGS:user_token "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-4099
SecRule REQUEST_METHOD "POST" "id:77316856,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Privilege Escalation in WP User Avatar plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule ARGS:/wp_capabilities* "@streq administrator" "setvar:'tx.rbl_infectors=1'"

# DEFA-3593
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316773,chain,pass,log,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation vulnerability in Orbit Fox < 2.10.2 WordPress plugin||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule ARGS:actions "@rx save_builder" "chain,t:none,t:lowercase"
SecRule ARGS:actions "@rx user_role" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

SecRule REQUEST_METHOD "@pm GET POST" "id:77231170,chain,pass,status:403,log,phase:2,severity:7,t:none,msg:'IM360 WAF: XSS vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal (CVE-2015-5507)||MV:%{ARGS.instance[description]}||T:APACHE||',tag:'drupal_core'"
SecRule ARGS:instance[description] "@contains <" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:form_id "@contains field_ui_field_edit_form" "setvar:'tx.rbl_infectors=1'"

# DEFA-3987
SecRule &ARGS:action "@lt 1" "id:77316865,pass,phase:2,nolog,severity:5,skipAfter:MARKER_action_infectors,msg:'ARGS action optimization||T:APACHE||',tag:'noshow',tag:'service_gen'"

# DEFA-3891
SecRule REQUEST_METHOD "@rx POST" "id:77316822,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Privilege escalation in Store Locator Plus plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain,t:none,t:normalizePath"
SecRule ARGS:page "^slp_" "chain,t:none"
SecRule ARGS:action "@streq update" "setvar:'tx.rbl_infectors=1'"

# DEFA-2368
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141043,chain,pass,phase:2,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: XSS vulnerability in in Pricing Table by Supsystic Plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_pricing_table'"
SecRule ARGS:mod "@streq tables" "chain,t:none"
SecRule &ARGS:unique_id "@gt 0" "chain,t:none"
SecRule ARGS:action "@pm getJSONExportTable importJSONTable createFromTpl" "setvar:'tx.rbl_infectors=1'"

# DEFA-2760
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142189,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Possible WordPress site takeover||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule &ARGS:action "@gt 0" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule ARGS:/option/ "@rx (users_can_register|default_role)" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2912
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142216,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Rewriting configuration variables in PrestaShop from version 1.6.0.1 - 1.7.6.6||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath"
SecRule ARGS:controller "@streq AdminDashboard" "chain"
SecRule ARGS:action "@streq refreshDashboard" "setvar:'tx.rbl_infectors=1'"

# DEFA-3683
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316786,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: Authenticated file upload vulnerability in Responsive Menu < 4.0.3 WordPress plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_responsive_menu',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:action "@pm admin_post_rmp_upload_theme_file admin_post" "chain,t:none"
SecRule FILES "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-3837
SecRule REQUEST_METHOD "@rx POST" "id:77316818,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: XSS vulnerability in WP Page Builder plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'wp_plugin',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@pm wppb_page_save" "chain,t:none"
SecRule &ARGS:page_builder_data|&ARGS:wppb_page_css "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3951
SecRule REQUEST_METHOD "@rx POST" "id:77316831,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Suspicious WordPress plugin installation attempt||File:%{FILES}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith wp-admin/update.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@streq upload-plugin" "chain,t:none"
SecRule &ARGS:install-plugin-submit "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3977
SecRule REQUEST_METHOD "@rx POST" "id:77316834,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Unauthenticated Redirect Import/Export in Simple 301 Redirects by BetterLinks for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-admin/admin-post.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@pm admin_init" "setvar:'tx.rbl_infectors=1'"

# DEFA-3977
SecRule REQUEST_METHOD "@rx POST" "id:77316836,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Authenticated Arbitrary Plugin Installation/Activation in Simple 301 Redirects by BetterLinks for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx wp_ajax_simple301redirects/admin/(?:install|activate)_plugin" "chain,t:none"
SecRule &ARGS:slug|&ARGS:basename "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3973
SecRule REQUEST_METHOD "@rx POST" "id:77316839,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx fpd_custom_uplod_file" "setvar:'tx.rbl_infectors=1'"

# DEFA-4099
SecRule REQUEST_METHOD "POST" "id:77316855,chain,phase:2,pass,log,severity:7,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in WP User Avatar plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@streq update" "setvar:'tx.rbl_infectors=1'"

# DEFA-2034
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140965,chain,phase:2,pass,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Block authentication bypass in WordPress Ultimate Addons for Elementor < 1.20.1||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||E:%{ARGS.data[\'email\']}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_addons_for_elementor'"
SecRule ARGS:action "@rx (uael_login_form_google|uael_login_form_facebook)" "chain,t:none,t:lowercase"
SecRule ARGS:data['name'] "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-2034
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140966,chain,phase:2,pass,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Block authentication bypass in WordPress Ultimate Addons for Beaver Builder < 1.24.1||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||E:%{ARGS.email}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_addons_for_beaver_builder'"
SecRule ARGS:action "@rx (uabb-lf-google-submit|uabb-lf-facebook-submit)" "chain,t:none,t:lowercase"
SecRule ARGS:email "!@rx ^$" "chain,t:none"
SecRule ARGS:name "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-2179
SecRule SCRIPT_FILENAME|REQUEST_FILENAME "@endsWith wp-central/wpcentral.php" "id:77140996,chain,phase:2,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress wpCentral Plugin Auth Bypass vulnerability||A:%{ARGS.action}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom',tag:'wp_plugin_wp_central'"
SecRule ARGS:action "@rx wpc_fetch_authkey" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-2323
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141017,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress GDPR Cookie Consent < 1.8.3 Improper Access Controls||T:APACHE||PG:%{ARGS.page_id}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_cookie_law_info'"
SecRule ARGS:action "@streq cli_policy_generator" "chain,t:none,t:lowercase"
SecRule ARGS:cli_policy_generator_action "@streq save_contentdata" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-2358
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141027,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_member'"
SecRule ARGS:action "@streq ihc_make_export_file" "chain,t:none,t:lowercase"
SecRule ARGS:import_users|ARGS:import_settings|ARGS:import_postmeta "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2358
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141029,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities||T:APACHE||UN:%{ARGS.username}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_member'"
SecRule ARGS:action "@streq ihc_generate_direct_link" "chain,t:none,t:lowercase"
SecRule &ARGS:username "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2358
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141030,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities||T:APACHE||UID:%{ARGS.uid}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_ultimate_member'"
SecRule ARGS:action "@streq ihc_generate_direct_link_by_uid" "chain,t:none,t:lowercase"
SecRule &ARGS:uid "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2394
SecRule REQUEST_FILENAME "@endsWith admin-post.php" "id:77141049,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress popup-builder Authenticated Settings Modification||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_popup_builder'"
SecRule ARGS:action "@pm sgpbSaveSettings csv_file sgpb_system_info" "setvar:'tx.rbl_infectors=1'"

# DEFA-2422
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141052,chain,msg:'IM360 WAF: WordPress WPvivid Backup < 0.9.36 Auth Bypass||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,tag:'service_i360custom',tag:'wp_plugin_wpvivid_backuprestore'"
SecRule ARGS:action "@contains wpvivid_add_remote" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES:/^wordpress_logged_in_* "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-2431
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141055,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations CVE-2020-9514||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_idx_broker_platinum'"
SecRule ARGS:action "@streq create_dynamic_page" "chain,t:none,t:lowercase"
SecRule &ARGS:post_title "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2431
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141056,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations CVE-2020-9514||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_idx_broker_platinum'"
SecRule ARGS:action "@rx (create|delete)_dynamic_page" "chain,t:none,t:lowercase"
SecRule &ARGS:wrapper_page_id "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2458
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141067,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints (CVE-2020-12073)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_responsive_add_ons'"
SecRule ARGS:action "@rx (responsive-ready-sites-(import-set-site-data-free|import-xml|import-options|import-wpforms|import-widgets|import-customizer-settings|import-end|reset-customizer-data|reset-site-options|reset-widgets-data|delete-posts|delete-wp-forms|delete-terms|set-reset-data))|(admin_(init|notices|enqueue_scripts))" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2549 - privilege escalation
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141083,phase:2,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_klarna_checkout_for_woocommerce'"
SecRule ARGS:action "^change_klarna_addon_status$" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2552
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141088,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_poll_wp'"
SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2581 - RCE
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141090,phase:2,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Plugin MapPress Maps < 2.53.9 RCE (CVE-2020-12077)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_mappress'"
SecRule ARGS:action "^mapp_tpl_save$" "chain,t:none,t:urlDecodeUni"
SecRule &ARGS:name "@gt 0" "chain,t:none"
SecRule &ARGS:content "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2644
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142101,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:/wp_option/ "@rx (administrator|subscriber|users_can_register|1|0)" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2475
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142104,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'"
SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase"
SecRule ARGS:actions "@contains enable_safe_mode" "setvar:'tx.rbl_infectors=1'"

# DEFA-2642
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142106,phase:2,severity:7,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: WordPress GDPR Compliance plugin - Unauthorized option update (string variant)||TYPE=%{TX._WPGDPRC_TYPE}||OPTION=%{TX._WPGDPRC_OPTION}||VALUE=%{TX._WPGDPRC_VALUE}||T:APACHE||',tag:'wp_plugin_wp_gdpr_compliance'"
SecRule ARGS:action "@streq wpgdprc_process_action" "chain,t:none"
SecRule ARGS:data "@rx ^(?s:\{.*\})$" "chain,t:none,t:trim,capture,setvar:TX._WPGDPRC_DATA=%{TX.0}"
SecRule TX:_WPGDPRC_DATA "@rx (?s:\"type\".+?\"(.+?)\")" "chain,t:none,capture,setvar:TX._WPGDPRC_TYPE=%{TX.1}"
SecRule TX:_WPGDPRC_DATA "@rx (?s:\"option\".+?\"(.+?)\")" "chain,t:none,capture,setvar:TX._WPGDPRC_OPTION=%{TX.1}"
SecRule TX:_WPGDPRC_DATA "@rx (?s:\"value\".+?\"(.+?)\")" "chain,t:none,capture,setvar:TX._WPGDPRC_VALUE=%{TX.1}"
SecRule TX:_WPGDPRC_TYPE "@streq save_setting" "chain,t:none"
SecRule TX:_WPGDPRC_OPTION "!@rx ^wpgdprc" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-2711
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142130,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule ARGS:client_action "@streq get_captions_css" "t:none,t:lowercase,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2572
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142140,chain,pass,log,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin UpdraftPlus SSRF (CVE-2017-16870)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_updraftplus'"
SecRule ARGS:action "@streq updraft_ajax" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule ARGS:subaction "@streq httpget" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule &ARGS:curl "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2763
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142162,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none,t:urlDecodeUni"
SecRule &ARGS:wp_option[siteurl]|&ARGS:wp_option[home]|&ARGS:wp_option[users_can_register]|&ARGS:wp_option[default_role] "@ge 1" "setvar:'tx.rbl_infectors=1'"

# DEFA-2800
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142177,phase:2,severity:7,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: WordPress PageLayer <= 1.1.1 - Unprotected AJAX endpoints||T:APACHE||endpoint = %{TX.1}||',tag:'wp_plugin_pagelayer'"
SecRule ARGS:action "@rx (?s)^(pagelayer.*)$" "t:none,capture,setvar:'tx.rbl_infectors=1'"

# DEFA-2985
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142234,phase:2,severity:7,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (astra-sites-import-widgets v1)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.widgets_data:%{ARGS.widgets_data}||',tag:'service_i360custom'"
SecRule ARGS:action "@streq astra-sites-import-widgets" "chain,t:none"
SecRule &ARGS:widgets_data "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3266
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316734,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Unprotected AJAX Action in XCloner Backup and Restore Plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule ARGS:action "@rx wp_ajax_restore_backup" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-3478
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316753,chain,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
SecRule ARGS:action "@rx save_record" "setvar:'tx.rbl_infectors=1'"

# DEFA-3626
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316776,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: WordPress Plugin 123contactform-for-wordpress Validation Bypass||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'service_i360custom',tag:'im360_req_post'"
SecRule ARGS:action "@pm wp_ajax_cfp-connect wp_ajax_nopriv_cfp-connect" "chain,t:none"
SecRule &ARGS:pk "@gt 0" "chain,t:none"
SecRule &ARGS:signature "@gt 0" "chain,t:none"
SecRule &ARGS:message "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3626
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316777,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: WordPress Plugin 123contactform-for-wordpress Arbitrary Post Creation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'service_i360custom',tag:'im360_req_post'"
SecRule ARGS:action "@pm wp_ajax_cfp-new-post wp_ajax_nopriv_cfp-new-post" "chain,t:none"
SecRule &ARGS:post_content "@gt 0" "chain,t:none"
SecRule &ARGS:post_status "@gt 0" "chain,t:none"
SecRule &ARGS:post_author "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2702
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142124,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: Block WordPress registration flood||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains wp-login.php" "chain,t:none,t:urlDecode"
SecRule ARGS:action "@contains register" "setvar:'tx.rbl_infectors=1'"

# DEFA-4240
SecRule REQUEST_URI "@contains /my-account/" "chain,id:77316899,phase:2,pass,log,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in Booster for WooCommerce < 5.4.4 (CVE-2021-34646)||T:APACHE||',tag:'wp_plugin'"
SecRule &ARGS:wcj_verify_email "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-4468
SecRule REQUEST_METHOD "@rx ^POST$" "id:77317986,chain,pass,log,t:none,severity:5,msg:'IM360 WAF: Authenticated Block Import to Stored XSS in Starter Templates Plugin for WordPress (CVE-2021-42360)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'wp_core',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS:action "@streq astra-page-elementor-batch-process" "chain,t:none"
SecRule &ARGS:id "@gt 0" "chain,t:none"
SecRule &ARGS:url "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3987
SecMarker MARKER_action_infectors

# DEFA-4327
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316931,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: REST-API in the ninja-forms plugin for WordPress to Sensitive Information Disclosure (CVE-2021-34647)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core',tag:'wp_plugin_ninja_forms',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-json/ninja-forms-submissions/export" "chain,t:none,t:urlDecode"
SecRule &ARGS:form_ids "@gt 0" "chain,t:none"
SecRule &ARGS:start_date "@gt 0" "chain,t:none"
SecRule &ARGS:end_date "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

SecRule REQUEST_METHOD "@rx ^POST$" "id:77316932,chain,pass,log,t:none,severity:7,msg:'IM360 WAF: REST-API in the ninja-forms plugin for WordPress to Email Injection (CVE-2021-34647)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core',tag:'wp_plugin_ninja_forms',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-json/ninja-forms-submissions/email-action" "chain,t:none,t:urlDecode"
SecRule &ARGS:submission "@gt 0" "chain,t:none"
SecRule &ARGS:action_settings "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4370
SecRule REQUEST_METHOD "@rx ^POST$" "id:77317952,chain,pass,log,severity:5,phase:2,t:none,msg:'IM360 WAF: Authenticated File Upload vulnerability in Access Demo Importer WordPress plugin (CVE-2021-39317)||File:%{FILES}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule &ARGS:file_location "@gt 0" "chain"
SecRule &ARGS:file "@gt 0" "chain"
SecRule &ARGS:host_type "@gt 0" "chain"
SecRule &ARGS:class_name "@gt 0" "chain"
SecRule &ARGS:slug "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-4434
SecRule REQUEST_URI "@contains /wp-json/omapp/v1/" "id:77317977,pass,log,severity:5,t:none,t:normalizePath,t:lowercase,setvar:'tx.rbl_infectors=1',msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_plugin'"

# DEFA-4537
SecRule REQUEST_METHOD "@rx POST" "id:77317990,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in User Registration Plugin for WordPress (CVE-2021-4073)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@streq rm_login_social_user" "chain,t:none"
SecRule ARGS:email "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-4730
SecRule REQUEST_URI "@contains /wp-admin/options-general.php" "id:77350007,chain,pass,log,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Sensitive data disclosure vulnerability in UpdraftPlus Backup plugin for WordPress (CVE-2022-0633)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin'"
SecRule ARGS:action "@streq updraft_download_backup" "chain,t:none"
SecRule ARGS:page "@streq updraftplus" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4850
SecRule REQUEST_METHOD "POST" "id:77350028,chain,pass,t:none,severity:5,msg:'IM360 WAF: Possible PHP Object Injection Vulnerability in Booking Calendar Plugin <= 9.1 for WordPress (CVE-2022-1463)||T:APACHE||MV:%{ARGS.options}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@streq WPBC_FLEXTIMELINE_NAV" "chain,t:none"
SecRule &ARGS:options "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4873
SecRule REQUEST_METHOD "POST" "id:77350037,chain,pass,t:none,severity:5,msg:'IM360 WAF: Infectors File Upload in Tatsu Plugin for WordPress (CVE-2021-25094)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule ARGS:action "add_custom_font" "chain,t:none"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule FILES "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4878
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php" "id:77350041,chain,pass,t:none,severity:5,msg:'IM360 WAF: Possible Authenticated Privilege Escalation and Post deletion in Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 for WordPress (CVE-2022-1654)||T:APACHE||MV:%{ARGS}||',tag:'wp_plugin'"
SecRule ARGS:action "(?:abb|jupiterx_core_cp)_uninstall_template" "t:none,setvar:'tx.rbl_infectors=1'"

SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php" "id:77350042,chain,pass,t:none,severity:5,msg:'IM360 WAF: Possible Authenticated Path Traversal and Local File Inclusion in JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1 for WordPress (CVE-2022-1657)||T:APACHE||MV:%{ARGS.slug}||',tag:'wp_plugin'"
SecRule ARGS:action "(?:jupiterx|mka)_cp_load_pane_action" "chain,t:none"
SecRule &ARGS:slug "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4947
SecRule REQUEST_METHOD "POST" "id:77350123,chain,phase:2,pass,log,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Code Injection in Ninja Forms Contact Form for WordPress||Action:%{ARGS.action}||T:APACHE||',tag:'wp_plugin',tag:'noshow'"
SecRule ARGS:action "@rx kbj_test|ninja_forms_render_default_value|ninja_forms_merge_tags|ninja_forms_calc_setting|ninja_forms_save_sub|nf_get_form_id|^init$|^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-5028
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350131,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: RCE vulnerability in MailPress plugin for WordPress||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@streq _ning_upload_image" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4651
SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318031,pass,log,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin',setvar:'tx.rbl_infectors=1'"

# WPT-43
SecRule REQUEST_METHOD "POST" "id:77350165,chain,pass,t:none,severity:5,msg:'IM360 WAF: Infectors Arbitrary Post Deletion in Quick Restaurant Menu <= 2.0.2 plugin for WordPress (CVE-2023-0555)||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
SecRule ARGS:action "@rx erm_delete_menu_item" "t:none,setvar:'tx.rbl_infectors=1'"

# WPT-52
SecRule REQUEST_METHOD "@rx POST" "id:77350167,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: XSS vulnerability in Metform Elementor Contact Form Builder <= 3.1.2 plugin for WordPress||T:APACHE||',tag:'wp_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" 
SecRule ARGS:action "elementor_ajax" "chain,t:none"
SecRule &ARGS:actions "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3987
SecRule TX:rbl_infectors "!eq 0" "chain,id:77316861,block,log,severity:2,msg:'IM360 WAF: Block IP which is in the infectors RBL||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain,t:none,setvar:tx.rbl_perf=1"
SecRule TX:RBL_IP "@rbl infectors.v2.rbl.imunify.com." "chain,t:none"
SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:tx.rbl_perf=1"

# DEFA-4256
SecMarker RBL_WHITELIST