/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------ # Imunify360 ModSecurity Rules # Copyright (C) 2026 CloudLinux Inc All right reserved # The Imunify360 ModSecurity Rules is distributed under # IMUNIFY360 LICENSE AGREEMENT # ------------------------------------------------------ # Imunify360 ModSecurity Base Ruleset SecRule ARGS_NAMES "^WordPress$" "chain,id:77141091,block,severity:2,t:none,msg:'IM360 WAF: Obfuscated malware dropper request||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS_NAMES "^Database$" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77231698,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE via cron_interval injection in Total Upkeep before 1.16.7 (CVE-2024-9461)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_boldgrid_backup'" SecRule ARGS:cron_interval "!@rx ^[0-9a-z_\x2a\x2f,\x2d ]+$" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77154133,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Authenticated File Upload Vulnerability in Kadence WooCommerce Email Designer <= 1.5.14 WordPress plugin (CVE-2025-39557)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||kt-woomail-customize:%{ARGS.kt-woomail-customize}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains customize.php" "chain,t:none" SecRule FILES "!@rx ^$" "t:none" SecRule ARGS:post_type "@rx event|location" "id:77804199,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: SQLi vulnerability in Events Manager <= 7.0.3 (CVE-2025-6970||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:/orderby/ "@detectSQLi" "t:none" SecRule REQUEST_URI "@rx /wp-admin/edit.php|/wp-admin/admin-ajax.php|/events/" "id:77804200,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: SQLi vulnerability in Events Manager <= 7.0.3 (CVE-2025-6970||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:/post/ "@rx event|location" "chain,t:none" SecRule ARGS:/order/ "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77013587,chain,block,nolog,auditlog,t:none,severity:2,phase:2,msg:'IM360 WAF: Unauthenticated SQL Injection Vulnerability in Ultimate Member <=2.9.1 WordPress plugin (CVE-2025-0308)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:search "@rx \d=\(select\s|sleep\(|<\w+\/onload|\x27[><]|\(CHR\(|_PIPE\.|waitfor delay \x27\d" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77625155,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 RCE (CVE-2020-12800)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq dnd_codedropz_upload" "chain,t:none" SecRule ARGS|FILES "@rx \.(phar|php\d?|phar\.php)$" "t:none" SecRule ARGS|REQUEST_COOKIES "@rx ^file:///(C:/boot.ini|etc/passwd)$" "id:77625156,block,nolog,auditlog,severity:2,phase:2,t:none,msg:'IM360 WAF: Generic file inclusion block||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@rx /wp-content/uploads/wp_dndcf7_uploads/.{1,500}\.(phar|php\d?|phar\.php)$" "id:77625157,pass,nolog,auditlog,severity:5,phase:5,t:none,t:normalizePath,msg:'IM360 WAF: Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 RCE (CVE-2020-12800)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|FILES "@contains ABSPATH=php://filter/" "id:77625158,phase:2,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Object Injection in PHPMailer library in WordPress 3.7 to 5.7.1 (CVE-2020-36326)||RSV:8.02||T:APACHE||MVN:%{TX.mvn625157}||MV:%{MATCHED_VAR}||',setvar:tx.mvn625157=%{MATCHED_VAR_NAME},tag:'wp_core'" SecRule MATCHED_VAR "@contains convert.base64-decode|convert.base64-encode|convert.iconv." "chain,t:none" SecRule MATCHED_VAR "@rx (?i)(convert\.base64-decode/resource=php://|auto_prepend_file=php://|\x5c\x5cxadd allow_url_include=1 \x5c\x5cx|allow_url_include=on -d safe_mode=off|file:///etc/passwd)" "t:none" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "id:77569532,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload in Modern Events Calendar before 7.12.0 (CVE-2024-5441)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_modern_events_calendar_lite'" SecRule ARGS:action "@rx ^mec_(?:fes_form|save_event|submit_event|upload_image|featured_image)" "chain,t:none,t:lowercase" SecRule ARGS:featured_image|ARGS:image_url|ARGS:/mec\x5b[^\x5d]*image/ "@rx https?://[^\s\x22\x27]{1,500}\.(?:php[3-8]?|phtml|phar|inc|phps)(?:\?|\x22|\x27|$|\s)" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_URI "@rx /wp-(?:admin|json)/" "id:77625152,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Object Injection in PHPMailer library in WordPress 3.7 to 5.7.1 (CVE-2020-36326)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@rx upload|submit|attachment|form" "t:none,chain" SecRule ARGS:/name/|ARGS:/file/|ARGS:/path/|ARGS:/attachment/ "@rx (?i)phar://|\.(phar|php\d?|phar\.php)$" "t:none,t:urlDecode" SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|FILES "@pm php:// base64-decode allow_url_include safe_mode /etc/passwd" "id:77625153,chain,skip:1,pass,nolog,auditlog,t:none,t:lowercase,severity:5,phase:5,msg:'IM360 WAF:Object Injection in PHPMailer library in WordPress 3.7 to 5.7.1 (CVE-2020-36326)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule MATCHED_VAR "@rx (?i)(?:convert\.base64-decode/resource=php://|auto_prepend_file=php://|allow_url_include=(?:1|on)|safe_mode=off|file:///etc/passwd)" "t:none" SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|FILES "@pm :// phar php file zip ftp data" "id:77625154,chain,pass,nolog,auditlog,t:none,t:lowercase,severity:5,phase:5,msg:'IM360 WAF:Object Injection in PHPMailer library in WordPress 3.7 to 5.7.1 (CVE-2020-36326)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule MATCHED_VAR "@rx (?i)(?:phar|php\d?|file|zip|ftp|data)://" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77116537,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Local File Inclusion vulnerability in Graphina <= 3.0.4 WordPress plugin (CVE-2025-47533)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx ^graphina" "chain,t:none" SecRule ARGS:database_config "@rx ." "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77116538,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Local File Inclusion vulnerability in Graphina <= 3.0.4 WordPress plugin (CVE-2025-47533)||Action:%{ARGS.action}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx ^graphina" "chain,t:none" SecRule &ARGS:nonce|&REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77116539,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Local File Inclusion vulnerability in Graphina <= 3.0.4 WordPress plugin (CVE-2025-47533)||Action:%{ARGS.action}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx ^graphina" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77527444,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Authenticated RCE Vulnerability in Unlimited Elements for Elementor <= 1.5.89 WordPress plugin (CVE-2023-6743)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx unitecreator" "chain,t:none" SecRule ARGS:file|ARGS:template_data "@rx ." "t:none" SecRule REQUEST_METHOD "@rx ^POST|GET$" "id:77773778,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in CMSMasters Content Composer < 2.5.7 WordPress plugin (CVE-2025-4414)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS "@contains cmsmasters_" "chain,t:none" SecRule ARGS "@rx (\.\.\/\.\.\/|\w{2,6}:\/\/)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77457551,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Upload In Migration, Backup, Staging - WPvivid Backup & Migration <= 0.9.116 WordPress plugin (CVE-2025-5961)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains .php" "chain,t:none,t:normalizePath" SecRule ARGS "@rx (?i)wpvivid" "chain,t:none" SecRule FILES "!@rx ^$" "t:none" SecRule REQUEST_FILENAME "@rx \/(?:wp-)|\/(?:admin-(?:ajax|post)\.php)|\.php$" "id:77050939,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQL Injection in Email Subscribers by Icegram Express <= 5.7.20 (CVE-2024-4295)||MV:%{MATCHED_VAR}||Hash:%{ARGS.hash}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:hash "@rx sleep\(|<\w+\/onload|\x27[><]|\(CHR\(|_PIPE\." "t:none" SecRule REQUEST_FILENAME "@rx \/(?:wp-)|\/(?:admin-(?:ajax|post)\.php)|\.php$" "id:77050940,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQL Injection in Email Subscribers by Icegram Express <= 5.7.20 (CVE-2024-4295)||MV:%{MATCHED_VAR}||Hash:%{ARGS.hash}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:hash "@rx sleep\(|<\w+\/onload|\(CHR\(|_PIPE\." "t:none,t:base64Decode,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77093875,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Local File Inclusion vulnerability in The WP Travel Engine <6.5.2 WordPress plugin (CVE-2025-49308)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.php" "chain,t:none" SecRule ARGS:layout "@contains ../../../" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77093876,chain,pass,nolog,auditlog,t:none,severity:5,phase:5,msg:'IM360 WAF: Local File Inclusion vulnerability in The WP Travel Engine <6.5.2 WordPress plugin (CVE-2025-49308)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.php" "chain,t:none" SecRule ARGS "@rx layout\x22\:\x22\.\.\/\.\.\/\.\.\/" "t:none" SecRule REQUEST_METHOD "POST" "id:77140737,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress Duplicator - RCE||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@pm /installer-backup.php /installer.php" "chain,t:none,t:lowercase,t:urlDecode" SecRule ARGS "@rx ('\)\;)" "t:none,t:lowercase,t:urlDecode" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:post|ajax)\.php" "id:77140771,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Persistent XSS in WP Live Chat Support Plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:wplc_custom_js "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77680812,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Chaty Pro <= 3.3.3 WordPress plugin (CVE-2025-26776)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:cht_widget_img "@rx .*" "chain,t:none" SecRule FILES "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77680813,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Chaty Pro <= 3.3.3 WordPress plugin (CVE-2025-26776)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS "@rx (?:^charity_|cht_widget) " "chain,t:none" SecRule FILES "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77680814,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Chaty Pro <= 3.3.3 WordPress plugin (CVE-2025-26776)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule FILES "@rx ^cht_.*" "t:none" SecRule &ARGS:wp_statistics_hit "@gt 0" "id:77140786,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated blind SQLi vulnerability in WP Statistics plugin for WordPress (CVE-2022-25148)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &ARGS:wp_statistics_hit[track_all] "@gt 0" "t:none,chain" SecRule &ARGS:wp_statistics_hit[page_uri] "@gt 0" "t:none,chain" SecRule ARGS:wp_statistics_hit[search_query] "@rx \'" "t:none" SecRule REQUEST_URI "@contains wp-support-plus-responsive-ticket-system" "id:77140840,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Plugin WP Support Plus Responsive Ticket System 2.0 Directory Traversal||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wp_support_plus_responsive_ticket_system'" SecRule REQUEST_FILENAME "@endsWith downloadAttachment.php" "chain,t:none" SecRule ARGS:path "@rx \.\.\/" "t:none,t:urlDecodeUni,t:normalizePath" SecRule REQUEST_METHOD "POST" "id:77710103,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file deletion in Extensions For CF7 plugin for Wordpress <= 3.2.8 (CVE-2025-7645)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_contact_form_7'" SecRule ARGS:_wpcf7 ".{1,100}" "t:none,chain" SecRule FILES_NAMES|ARGS:/file/ "@rx \.\.\/" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77010012,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Deletion in Forminator plugin for WordPress before 1.44.3 (CVE-2025-6463)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_forminator'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "t:none,t:lowercase,chain" SecRule ARGS:action "@rx ^forminator_submit_form" "t:none,chain" SecRule ARGS_NAMES "@rx \[file\]\[file_path\]" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77679368,chain,phase:2,nolog,pass,severity:5,t:none,msg:'IM360 WAF: PaymentIntent usage in Contact Form 7 (CVE-2025-3247)||PI:%{TX.pi_id}||Hits:%{SESSION.hit_count}||RSV:8.02||T:APACHE||',tag:'wp_plugin_contact_form_7',tag:'noshow'" SecRule REQUEST_URI "@contains /wp-json/contact-form-7/v1/contact-forms/\d+/feedback" "chain,t:none" SecRule ARGS:_wpcf7_stripe_payment_intent "@rx ^(pi_[a-zA-Z0-9_]{24,999})" "t:none,capture,setvar:tx.pi_id=%{TX.1},initcol:session=%{TX.1},setvar:session.hit_count=+1,expirevar:session.hit_count=7200" SecRule TX:pi_id "@rx ." "id:77679369,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: BLOCKED - PaymentIntent replay attack in Contact Form 7 (CVE-2025-3247)||PI:%{TX.pi_id}||Hits:%{SESSION.hit_count}||RSV:8.02||T:APACHE||',tag:'wp_plugin_contact_form_7'" SecRule session:hit_count "@gt 1" "t:none" SecRule REQUEST_FILENAME "@endsWith ungallery/source_vuln.php" "id:77140841,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_ungallery'" SecRule ARGS:pic "@rx \.\.\/" "t:none,t:urlDecodeUni,t:normalizePath" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140865,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Theme Konzept Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /includes/uploadify/upload.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140867,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Simple Ads Manager Plugin File Upload Vulnerability (CVE-2015-2825)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140870,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress FormCraft Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-content\/plugins\/formcraft\/file-upload\/server\/(?:php|content)\/" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|ico|suspected|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module)(?:\W1323132|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140871,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Downloads Manager File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-content\/plugins\/downloads-manager\/" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule ARGS:author "@ge 1" "id:77140876,pass,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Track WordPress users enumeration||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140907,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Downloads Manager File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx /wp-content/plugins/dzs-videogallery/admin/upload.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140908,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Simple Ads Manager File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/social-networking-e-commerce-1/classes/views/social-options/form_cat_add.php" "chain,t:none,t:normalizePath" SecRule ARGS:config_path "@rx \.\.\/\.\.\/" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140909,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Viral Optins Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/viral-optins/api/uploader/file-uploader.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140913,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Satoshi Theme File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/themes/satoshi/functions/upload-handler.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140914,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress iThemes2 Theme File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/themes/ithemes2/themify/themify-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:upload "@streq 1" "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^GET$" "id:77140917,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin eShop Magic Arbitrary File Access||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/eshop-magic/download.php" "chain,t:none,t:normalizePath" SecRule ARGS:file "@rx \.\.\/\.\.\/" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^GET$" "id:77140918,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Mobile Detector 3.5 file Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wp-mobile-detector/resize.php" "chain,t:none,t:normalizePath" SecRule ARGS:src "!@rx ^(?:ht|f)tps?:\/\/%{SERVER_NAME}" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140924,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Cherry-Plugin File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/cherry-plugin/admin/import-export/upload.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|ico|suspected|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module)(?:\W|$)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^GET$" "id:77140934,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin WebPlayer SQL injection vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith hd-webplayer/playlist.php" "chain,t:none,t:normalizePath" SecRule ARGS:videoid "@rx \D" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140935,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Headway theme Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith visual-editor/lib/upload-header.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|phar|php\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77140937,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress JobManager Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/jm-ajax\/upload_file\/" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?:\.htaccess|\.(pht|phtml|php\d?)$)" "t:lowercase" SecRule REQUEST_METHOD "@rx POST" "id:77140939,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress Category and Page Icons Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith category-page-icons/include/wpdev-flash-uploader.php" "chain,t:none,t:normalizePath" SecRule &ARGS:dir_icons "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:lowercase" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140964,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Unauthenticated Content Injection vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{tx.1}||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-json/ wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:content|ARGS:shortcode "@rx (.{0,50}<[^\s.]+?\s[^=.]+?=['\x22][^:]+?:\/\/[^'\x22]+?['\x22]><\/script.{0,50})" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith advanced-custom-fields/core/actions/export.php" "id:77140968,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Advanced Custom Fields Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_advanced_custom_fields'" SecRule ARGS:acf_abspath "@rx ^(?:ht|f)tps?:\/\/" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith flickr-picture-backup/flickr-picture-download.php" "id:77140969,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Flickr Picture Backup Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_flickr'" SecRule ARGS:url "@rx (\.htaccess|.+\.(pht|phar|phtml|php\d?))" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith fast-image-adder/fast-image-adder-uploader.php" "id:77140970,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Fast Image Adder Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_fast_image_adder'" SecRule ARGS:url "@rx (\.htaccess|.+\.(pht|phtml|phar|php\d?))" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx POST" "id:77143713,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated (Subscriber+) Arbitrary File Upload in Greenshift 11.4-11.4.5 (CVE-2025-3616)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /proxy" "chain,t:none" SecRule FILES "@rx ." "t:none" SecRule REQUEST_FILENAME "@endsWith frontend/captcha/ajaxresponse.php" "id:77140971,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Gwolle Guestbook Remote File Inclusion vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_gwolle_gb'" SecRule ARGS:abspath "@rx ^(?:ht|f)tps?:\/\/" "t:none" SecRule REQUEST_FILENAME "@endsWith delete-all-comments/delete-all-comments.php" "id:77140974,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Delete-All-Comments Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_delete_all_comments'" SecRule ARGS:restorefromfileURL|ARGS:restorefromfileNAME "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith designfolio-plus/admin/upload-file.php" "id:77140975,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme DesignFolio Plus Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_design'" SecRule ARGS:upload_path "@rx \.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /evo/admin/upload-file.php" "id:77140977,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme Evo Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:upload_path "@rx \." "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith gallery-pro/admin/upload-file.php" "id:77140979,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme Gallery Pro Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_gallery_pro'" SecRule ARGS:upload_path "@rx \." "chain,t:none,t:urlDecodeUni" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith holding_pattern/admin/upload-file.php" "id:77140981,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress theme Holding Pattern Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith inboundio-marketing/admin/partials/csv_uploader.php" "id:77140982,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin InBoundio Marketing Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_inboundio_marketing'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith mailcwp/mailcwp-upload.php" "id:77140983,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin MailCWP Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||UD:%{ARGS.upload_dir}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_mailcwp'" SecRule &ARGS:message_id "@gt 0" "chain,t:none" SecRule &ARGS:upload_dir "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /micro/admin/upload-file.php" "id:77140986,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Micro Theme Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@rx (mobile-friendly-app-builder-by-easytouch|mobile-app-builder-by-wappress|webapp-builder|zen-mobile-app-native|wp2android-turn-wp-site-into-android-app)/server/images\.php" "id:77140987,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Builder Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /neosense/js/back-end/libraries/fileuploader/upload_handler.php" "id:77140988,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Neosense Theme Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140993,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress Plugin InfiniteWP Auth Bypass vulnerability (local)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_COOKIES:PHPSESSID "@eq 0" "chain,t:none" SecRule ARGS|REQUEST_BODY "@rx ^_IWP_JSON_PREFIX_" "chain,capture,t:none,t:urlDecodeUni" SecRule TX:0 "@rx \x22iwp_action\x22\s{0,128}\:\s{0,128}\x22(?:add_site|readd_site)\x22" "chain,t:none,t:urlDecodeUni" SecRule TX:0 "@rx \x22username\x22\s{0,128}\:\s{0,128}\x22\w{0,128}\x22" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin.php" "id:77140995,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Auth Bypass vulnerability in WP Database Reset WordPress plugin (CVE-2020-7048)||MVN:%{MATCHED_VAR_NAME}||DB:%{MATCHED_VAR}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_COOKIES:PHPSESSID "@eq 0" "chain,t:none" SecRule ARGS:db-reset-tables[] "@rx ." "t:none" SecRule REQUEST_URI "@contains /wp-json/trx_addons/v2/get/sc_layout" "id:77141008,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: WordPress ThemeREX Plugin RCE||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||USR:%{ARGS.user_login}||',tag:'wp_core'" SecRule ARGS:sc "@rx (wp_insert_user|array_pop)" "t:none,t:lowercase" SecRule REQUEST_URI "@contains /login/" "id:77141010,chain,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress AccessAlly plugin unauthenticated arbitrary PHP code execution||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:login_error "@rx <\?" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /abstract-class-front-action.php" "id:77141014,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress Forminator Plugin Remote File Upload Exploit (CVE-2024-28890)||RSV:8.02||T:APACHE ||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_forminator'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule ARGS:comment|ARGS:comment_post_ID "@rx (?i)<!--\s{0,999}(?:dynamic-cached-content|mfunc|mclude)" "id:77141016,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,msg:'IM360 WAF: RCE in W3 Total Cache WordPress plugin (CVE-2025-9501)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_METHOD "^POST$" "id:77217105,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE in W3 Total Cache WordPress plugin XML-RPC (CVE-2025-9501)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_w3_total_cache',chain" SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,chain" SecRule XML:/* "@rx wp\.newComment|metaWeblog\.newPost" "t:none,chain" SecRule XML:/* "@rx (?i)<!--\s{0,999}(?:dynamic-cached-content|mfunc|mclude)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "^POST$" "id:77217106,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE in W3 Total Cache WordPress plugin REST API (CVE-2025-9501)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_w3_total_cache',chain" SecRule REQUEST_URI "@endsWith /wp-json/wp/v2/comments" "t:none,t:urlDecode,chain" SecRule ARGS:comment|ARGS:comment_post_ID "@rx (?i)<!--\s{0,999}(?:dynamic-cached-content|mfunc|mclude)" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/contact-form-7/modules/file.php" "id:77141031,chain,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Contact-Form-7 5.1.6 plugin remote file upload||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_contact_form'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|phar|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140916,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress connector.minimal.php File Upload Vulnerability (CVE-2019-9194)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /php/connector.minimal.php" "chain,t:none,t:normalizePath" SecRule ARGS:cmd "@contains upload" "chain,t:none,t:urlDecodeUni" SecRule &ARGS:target "@gt 0" "chain,t:none" SecRule FILES "@rx ;echo" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME|PATH_INFO "@rx \/wp-content\/plugins\/blnmrpb\/(?:index\.php)?" "id:77141036,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WebShell in Fake Plugin blnmrpb||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME|PATH_INFO "@rx \/wp-content\/plugins\/wpdefault\/[^\.]+\.php" "id:77141044,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Backdoor plugin wpdefault for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /category-page-icons/include/wpdev-flash-uploader.php" "id:77141048,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Category and Page Icons Arbitrary File Deletion||RSV:8.02||T:APACHE||F:%{ARGS.file_name_org}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_category_page_icons'" SecRule ARGS:ajax_action "@streq delete-image" "chain,t:none,t:lowercase" SecRule ARGS:file_name_dir "@rx \.\.\/\.\.\/\.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /index.php" "id:77141069,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress StatTraq 1.3.0 SQL Injection||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wp_stattraq',tag:'noshow'" SecRule ARGS:view "@pm hit_counter ip_address page_views query_strings search_engine_stats referrer session sessions summary user_agent user_counter options" "chain,t:none,t:lowercase" SecRule ARGS:limitNumber "@rx \D" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /frameset.php" "id:77141070,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress Event-Registration Plugins 5.43 Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_event_registration',tag:'noshow'" SecRule ARGS:js "@streq mcFileManager.insertFileToForm" "chain,t:none" SecRule ARGS:initial_rootpath "@streq mce_clear" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/upload.php" "id:77141071,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress Event-Registration Plugins 5.43 Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_event_registration',tag:'noshow'" SecRule ARGS:path "@contains wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/files" "chain,t:none,t:normalizePath,t:urlDecodeUni" SecRule FILES "@rx (\.htaccess|.+\.(pht|p?html|php\d?)$)" "t:none,t:urlDecodeUni" SecRule REQUEST_URI "@rx wp-json\/rankmath\/v1\/updateMeta" "id:77141072,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: Privilege Escalation via Unprotected REST API Endpoint in Rank Math SEO Plugin for WordPress (CVE-2020-11514)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_seo_by_rank_math',tag:'noshow'" SecRule ARGS:objectType "@streq user" "chain,t:none" SecRule ARGS:meta[wp_user_level] "@rx (?:10|^$)" "chain,t:none" SecRule &ARGS:objectID "@gt 0" "chain,t:none" SecRule ARGS:meta[wp_capabilities][administrator] "@rx (?:10|^$)" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" SecRule REQUEST_FILENAME "@rx plugins/(wordpress-popup|hustle)/views/admin/dashboard" "id:77141074,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Hustle/wordpress-popup directory traversal||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wordpress_popup'" SecRule REQUEST_FILENAME "@endsWith chopslider/get_script/index.php" "id:77142119,phase:2,chain,block,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Chop Slider 3 - A blind SQL injection (CVE-2020-11530)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_lord_linus_chop_slider'" SecRule ARGS:id "!@rx ^-?\d+$" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142120,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin Simple File List < 4.2.3||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/simple-file-list/ee-upload-engine.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:eeSFL_FileUploadDir "@streq /wp-content/uploads/simple-file-list/" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142121,chain,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin Simple File List < 4.2.3||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_simple_file_list'" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/simple-file-list/ee-upload-engine.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:eeFileAction "@streq rename" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_FILENAME "@rx wp-content\/uploads\/elementor\/tmp\/[a-f0-9]{13}\/" "id:77142132,block,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: WordPress Plugin Elementor Block web shell access (CVE-2020-7055)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142150,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Path traversal vulnerability in Gravity forms plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:gf_page "@streq upload" "chain,t:none" SecRule ARGS:gform_unique_id "@rx \.\.\/\.\.\/\.\.\/" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77829155,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload in Gravity Forms before 2.9.21 (CVE-2025-12352)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:gform_submit "@rx ." "chain,t:none" SecRule ARGS:gform_uploaded_files "@rx https?:\x2f\x2f[^\s\x22\x27]{1,500}\.(?:php[3-8]?|phtml|phar|inc|phps)(?:\x22|\x27|\?|$|\s)" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:gform_uploaded_files "!@contains gf-download=" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142153,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Stored XSS vulnerability in the Visualizer plugin for WordPress (CVE-2019-16931)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx wp-json\/visualizer\/v\d\/update-chart" "chain,t:none,t:urlDecode,t:normalizePath" SecRule ARGS|REQUEST_BODY "@rx \x22\s*visualizer-chart-type\s*\x22\\s*:\s*\x22[^\x22]\x22\s*[><]" "t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142163,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Redirect from login page in WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:redirect_to "@pm /htm? /stm? .js?" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77142164,chain,phase:2,severity:2,block,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: WordPress bbPress < 2.6.5 - Privilege Escalation (CVE-2020-13693)||RSV:8.02||T:APACHE||BBP FORUMS ROLE %{ARGS.bbp-forums-role}||',tag:'wp_core'" SecRule &ARGS:bbp-forums-role "@gt 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142165,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS in the WP-Piwik plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:wp-piwik[track_mode] "@streq manually" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:wp-piwik[tracking_code] "@rx (?:(x-)?(?:java|vb|j|ecma)?script)" "t:none,t:urlDecode" SecRule &ARGS:yp_remote_get "@gt 0" "id:77142168,phase:1,severity:2,block,nolog,auditlog,t:none,msg:'IM360 WAF: WordPress YellowPencil Visual CSS Style Editor < 7.2.0 - Privilege Escalation||RSV:8.02||T:APACHE||',tag:'wp_plugin_yellow_pencil_visual_theme_customizer'" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142172,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: iThemes Sync settings update vulnerability for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule &ARGS:ithemes-sync-request "@gt 0" "chain,t:none,t:urlDecodeUni" SecRule ARGS:request "@rx \x22arguments\x22:{\x22update-options\x22:\[\[\x22" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "id:77142173,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation vulnerability in WordPress ND Shortcodes For Visual Composer plugin||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_nd_shortcodes'" SecRule &ARGS:nd_options_value_import_settings "@gt 0" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142174,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in DELUCKS SEO plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_delucks_seo'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:/^dpc\[basic_metadata\]/ "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142183,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in LiveChat plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_live_chat_software_for_wordpress'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule &ARGS:licenseNumber "@gt 0" "chain,t:none,t:urlDecodeUni" SecRule ARGS:licenseEmail "@rx [\x22<]" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142194,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress page-flip-image-gallery plugin remote file upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/page-flip-image-gallery/upload.php" "t:none,t:normalizePath" SecRule REQUEST_FILENAME "@endsWith reflex-gallery/admin/scripts/FileUploader/php.php" "id:77142217,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in the ReFlex Gallery plugin before 3.1.4 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_reflex_gallery'" SecRule ARGS:Year|ARGS:Month "@ge 1" "t:none" SecRule &ARGS:aiosp_edit "@gt 0" "chain,id:77142219,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin All in One SEO Pack - Authenticated Stored Cross-Site Scripting||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:/^aiosp_/ "@rx (?si)<script" "t:none" SecRule ARGS:tccj-update "@streq Update" "chain,id:77142229,phase:2,severity:2,block,nolog,auditlog,t:none,msg:'IM360 WAF: WordPress plugin TC Custom JavaScript - Unauthenticated Stored Cross-Site Scripting (CVE-2020-14063) - CSRF variation||RSV:8.02||T:APACHE||ARGS.tccj-update:%{ARGS.tccj-update}||ARGS.tccj-content:%{ARGS.tccj-content}||',tag:'wp_core'" SecRule &ARGS:tccj-content "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith download.php" "id:77142247,pass,nolog,auditlog,t:none,t:normalizePath,severity:5,msg:'IM360 WAF: Track WordPress WP Custom Pages 0.5.0.1 LFI||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',setvar:'tx.bl_file_flag=1',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /mac-dock-gallery/macdownload.php" "id:77142248,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: Track WordPress Mac Photo Gallery plugin arbitrary file disclosure vulnerability||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',setvar:'tx.bl_file_flag=1',tag:'wp_core'" SecRule REQUEST_METHOD "POST" "chain,id:77142255,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin wpStoreCart - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||REMOTE_FILENAME:%{TX.0}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /php/upload.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)^Filedata.{1,160}\.(?:pht|phtml|php\d?)$" "t:none,capture" SecRule REQUEST_METHOD "POST" "id:77316730,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE in File Manager < 6.9 & Elfinder 2.1.47 WordPress plugin (CVE-2019-9194)||WPU:%{TX.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/(?:lib|elfinder)\/php\/connector\.minimal\.php" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_URI "@rx \/wp-content\/plugins\/?[\w\d\-_]{0,50}assembly\/js\/js\.php" "id:77316740,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Attempt to exploit malicious WordPress plugin||URI:%{REQUEST_URI}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith ee-file-engine.php" "chain,id:77316747,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin Simple File List < 4.2.3||RSV:8.02||T:APACHE||ARGS.eeFileOld:%{ARGS.eeFileOld}||ARGS.eeFileAction:%{ARGS.eeFileAction}||',tag:'wp_core'" SecRule ARGS:eeFileOld "!@endsWith .php" "chain,t:none" SecRule ARGS:eeFileAction "@beginsWith Rename|" "chain,t:none" SecRule ARGS:eeFileAction "@endsWith .php" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316752,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Privilege Escalation Vulnerability in WordPress Ultimate Member < 2.1.12 (CVE-2020-36155)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:wp_capabilities[administrator] "@gt 0" "t:none" SecRule ARGS:aam-media "!@rx \.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$" "id:77316755,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: Data leak in WordPress plugin Advanced Access Manager < 5.9.9||RSV:8.02||T:APACHE||ARGS.aam-media:%{ARGS.aam-media}||',tag:'wp_core'" SecRule REQUEST_COOKIES:usces_cookie "@rx WP_HTML_Token[^}]+?bookmark_name[^}]+?on_destroy" "id:77316763,block,nolog,auditlog,phase:2,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Unsafe deserialization leading to RCE in WordPress plugin Welcart e-Commerce < 1.9.36||RSV:8.02||T:APACHE||REQUEST_COOKIES.usces_cookie=%{REQUEST_COOKIES.usces_cookie}||',tag:'wp_core'" SecRule REQUEST_COOKIES:usces_cookie "@rx WP_HTML_Token[^}]+?bookmark_name" "id:77350311,pass,nolog,auditlog,phase:2,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Unsafe deserialization leading to RCE in WordPress plugin Welcart e-Commerce < 1.9.36||RSV:8.02||T:APACHE||REQUEST_COOKIES.usces_cookie=%{REQUEST_COOKIES.usces_cookie}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/easy-wp-smtp\/[a-f0-9]{1,30}_debug_log" "id:77316767,phase:2,block,nolog,auditlog,severity:2,t:lowercase,t:normalizePath,msg:'IM360 WAF: Administrator account takeover in the Easy WP SMTP plugin for WordPress||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx contact-form-7/v1/contact-forms/(?:\d+)/feedback$" "id:77316768,chain,block,nolog,auditlog,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin The Contact Form 7 <= 5.3.1 (CVE-2020-35489)||RSV:8.02||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx (?i:\.(?:php|phtml)\d?[\pC\pZ])" "t:none" SecRule REQUEST_FILENAME "@contains contact-form-7/v1/contact-forms/" "id:77350249,chain,block,nolog,auditlog,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin The Contact Form 7 <= 5.3.2 (CVE-2020-35489)||RSV:8.02||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx [\x{0000}-\x{001F}]" "t:none" SecRule REQUEST_FILENAME "@contains contact-form-7/v1/contact-forms/" "id:77350250,chain,block,nolog,auditlog,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in the WordPress Plugin The Contact Form 7 <= 5.3.2 (CVE-2020-35489)||RSV:8.02||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx \.\w+\s\.\w+$" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316772,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Authenticated stored XSS in Orbit Fox < 2.10.2 WordPress plugin||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith post.php" "chain,t:none" SecRule &ARGS:post "@gt 0" "chain,t:none" SecRule ARGS:obfx-header-scripts_meta_nonce|ARGS:obfx-footer-scripts_meta_nonce "@contains <script>" "t:none,t:htmlEntityDecode" SecRule REQUEST_METHOD "@rx POST" "id:77316774,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in Advanced File Manager WordPress plugin||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /advanced_file_manager_5/php/connector.minimal.php" "chain,t:none" SecRule FILES "!@rx ^$" "t:none" SecRule REQUEST_URI "@contains /wp-content/plugins/super-forms/uploads/php/" "id:77316779,chain,block,nolog,auditlog,severity:2,phase:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Arbitrary File Upload vulnerability in SuperForms 4.9 WordPress plugin||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST$" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@contains /wp-content/uploads/superforms/" "id:77316780,chain,block,nolog,auditlog,severity:2,phase:2,t:none,t:normalizePath,msg:'IM360 WAF: Suspicious file access attempt in SuperForms 4.9 WordPress plugin||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.(?:pht|phtml|php\d?)$" "t:none" SecRule REQUEST_METHOD "^GET$" "id:77316783,chain,pass,auditlog,severity:5,phase:2,t:none,msg:'IM360 WAF: Monitoring WordPress 5.3 User Enumeration attempts||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77316796,chain,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress (CVE-2021-3120)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||File:%{FILES}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/yith-woocommerce-gift-cards-premium/" "chain,t:none,t:normalizePath" SecRule ARGS:ywgc-is-digital "@pm true 1" "chain,t:none" SecRule ARGS:gift_amounts "@rx \d" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316810,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated option update in multiple Thrive Themes for WordPress||MVN:hook_url||MV:%{ARGS.hook_url}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/td/v1/" "chain,t:none,t:normalizePath" SecRule &ARGS:hook_url "@gt 0" "chain,t:none" SecRule ARGS:api_key "@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316811,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated file upload in multiple Thrive Themes for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/thrive/kraken" "chain,t:none,t:normalizePath" SecRule &ARGS:attachment_ID "@gt 0" "chain,t:none" SecRule FILES "@rx \.(?:pht|phtml|php?\d?)$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/sexy-contact-form/includes/fileupload/" "id:77240020,chain,msg:'IM360 WAF: Protecting WordPress Creative Contact Form Files folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_sexy_contact_form'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/sexy-contact-form/includes/fileupload/files/" "id:77240022,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,msg:'IM360 WAF: Protecting WordPress Creative Contact Form Files folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_sexy_contact_form'" SecRule REQUEST_BASENAME "@rx \.(?:php|js|pl)(?:\.|$)" "t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:comment "@ge 65536" "id:77225010,chain,phase:2,block,nolog,auditlog,t:length,severity:2,msg:'IM360 WAF: XSS vulnerability in WordPress before 4.2.1 (CVE-2015-3440 VE-2015-8834)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-comments-post.php" "t:none,t:lowercase" SecRule ARGS:comment "@contains %u" "id:77225030,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in WordPress before 4.1.2 (CVE-2015-3438)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-comments-post.php" "chain,t:none,t:lowercase" SecRule ARGS:comment "@rx (\%u[a-f0-9]{5,8})" "chain,capture,t:none,t:utf8toUnicode" SecRule TX:1 "@beginsWith 0" "chain,t:none,t:urlDecodeUni,t:hexEncode" SecRule TX:1 "@eq 4" "t:none,t:urlDecodeUni,t:hexEncode,t:length" SecRule REQUEST_FILENAME "@contains wp/v2/posts" "id:77225160,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Content injection vulnerability in WordPress 4.7.x before 4.7.2 (CVE-2017-1001000)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77220720,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the CommentLuv plugin before 2.92.4 for WordPress (CVE-2013-1409)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_commentluv'" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:_ajax_nonce "@rx \x22" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77227800,chain,phase:2,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Custom Banners plugin 1.2.2.2 for WordPress (CVE-2014-4724)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_custom_banners'" SecRule ARGS:option_page "@streq custom-banners-settings-group" "chain,t:none,t:lowercase" SecRule ARGS:custom_banners_custom_css|ARGS:custom_banners_registered_name|ARGS:custom_banners_registered_url|ARGS:custom_banners_registered_key "@rx \x22|<" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77227890,chain,phase:2,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in BuddyPress plugin before 1.9.2 for WordPress (CVE-2014-1888)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_buddypress'" SecRule REQUEST_URI "@contains groups/create/step/group-details" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:group-name "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77226870,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress (CVE-2015-2321)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_job_manager'" SecRule &ARGS:jobman-apply "@ge 1" "chain,t:none" SecRule ARGS:/^jobman-field-/ "@contains '" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77232070,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Image Photo Gallery Final Tiles Grid 3.3.52 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_final_tiles_grid_gallery_lite'" SecRule &ARGS:_fs_blog_admin "@eq 1" "chain,t:none" SecRule ARGS:ftg_name|ARGS:ftg_width|ARGS:ftg_loadedDuration "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77232860,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Custom Field Suite plugin on or before 2.5.14 for WordPress (CVE-2019-11871)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_custom_field_suite'" SecRule ARGS:post_type "@streq cfs" "chain,t:none,t:lowercase" SecRule ARGS:/cfs\[fields\]\[\d+?\]\[label\]/|ARGS:/cfs\[fields\]\[\d+?\]\[name\]/ "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77232940,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: XSS vulnerability in Woocommerce plugin v3.5.3 for WordPress (CVE-2019-9168)||MV:%{MATCHED_VAR}||TX0:%{TX.0}||TX1:%{TX.0}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none" SecRule ARGS:changes[caption] "@pmFromFile bl_xss_input" "t:none,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@contains videowhisper-live-streaming-integration" "id:77220840,chain,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress (CVE-2014-1906)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_videowhisper_live_streaming_integration'" SecRule MATCHED_VAR "@rx integration\/ls\/(?:channel|htmlchat|lb_logout|lb_status|video|videotext|vc_chatlog|v_status)\.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:message|ARGS:n|ARGS:ct|ARGS:m|ARGS:msg "@contains <" "t:none,t:urlDecode,t:htmlEntityDecode" SecRule ARGS:EMAIL|ARGS:MESSAGE|ARGS:NAME "@rx \x22" "id:77221230,chain,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerabilities in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress (CVE-2014-4513)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_activehelper_livehelp'" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/activehelper-livehelp/server/offline.php" "t:none,t:urlDecodeUni,t:lowercase,t:normalizePath" SecRule ARGS:text "@rx \x22" "id:77221240,chain,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerability in the AnyFont plugin 2.2.3 and earlier for WordPress (CVE-2014-4515)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_anyfont'" SecRule REQUEST_FILENAME "@contains wp-content/plugins/anyfont/mce_anyfont/dialog.php" "t:none,t:lowercase,t:normalizePath" SecRule REQUEST_FILENAME "@endsWith admin/swarm-settings.php" "id:77221370,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerabilities in the Bugs Go Viral : Facebook Promotion Generator plugin 1.3.4 and earlier for WordPress (CVE-2014-4528)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_bugs_go_viral_facebook_promotion_generator_for_wordpress'" SecRule ARGS:fb_edit_action|ARGS:promo_id|ARGS:promo_type "@contains >" "t:htmlEntityDecode" SecRule &ARGS:event "@gt 0" "id:77221380,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecode,t:lowercase,t:htmlEntityDecode,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress (CVE-2013-1407)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_events_manager'" SecRule ARGS:dbem_phone|ARGS:user_email|ARGS:user_name "@contains >" "t:none,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@endsWith popup.php" "id:77221410,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Simple Popup Images plugin for WordPress (CVE-2014-3921)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_simple_popup_images'" SecRule ARGS:z "@rx \x22" "t:none" SecRule REQUEST_FILENAME "@contains captcha-secureimage/test/index.php" "id:77221950,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress (CVE-2014-5190)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_si_captcha_for_wordpress'" SecRule REQUEST_URI "@rx \x22" "t:none,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@contains custom-image/media.php" "id:77222080,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in WP Easy Post Types plugin before 1.4.4 for WordPress (CVE-2014-4524)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_easy_post_types'" SecRule ARGS:ref "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains paginas/vista-previa-form.php" "id:77222100,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the EnvialoSimple: Email Marketing and Newsletters plugin before 1.98 for WordPress (CVE-2014-4527)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_envialosimple_email_marketing_y_newsletters_gratis'" SecRule ARGS:AdministratorID|ARGS:FormID "@contains <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith includes/toadmin.php" "id:77226080,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in Contact Form 7 Integrations plugin 1.0 through 1.3.10 for WordPress (CVE-2014-6445)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_contact_form_7_integrations'" SecRule &ARGS:uC "@ge 1" "chain" SecRule &ARGS:uE "@ge 1" "chain" SecRule ARGS:uC|ARGS:uE "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@pm c_login.php vp/index.php" "id:77226100,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in the VideoWhisper Video Presentation plugin before 3.31 for WordPress (CVE-2014-4570)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_videowhisper_video_presentation'" SecRule ARGS:room_name|ARGS:room "@pm < >" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith vv_login.php" "id:77226110,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:lowercase,severity:2,msg:'IM360 WAF: XSS in the VideoWhisper Live Streaming Integration plugin 4.27.2 and earlier for WordPress (CVE-2014-4569)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_videowhisper_live_streaming_integration'" SecRule ARGS:room_name "@pm < >" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith services/diagnostics.php" "id:77226180,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the WordPress Social Login plugin 2.0.3 and earlier for WordPress (CVE-2014-4576)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wordpress_social_login'" SecRule ARGS:xhrurl "@contains <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith wp-photo-album-plus/wppa-ajax-front.php" "id:77226860,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress (CVE-2015-3647)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_photo_album_plus'" SecRule ARGS:wppa-action "@streq do-comment" "chain,t:none,t:lowercase" SecRule ARGS:comname|ARGS:comemail|ARGS:comment "@rx <" "t:none,t:urlDecodeUni,t:htmlEntitydecode" SecRule &ARGS:post-id "@ge 1" "id:77227110,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Contact Form Clean and Simple plugin 4.4.0 and earlier for WordPress (CVE-2014-8955)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_clean_and_simple_contact_form_by_meg_nicholas'" SecRule ARGS:cscf[name] "@rx \x22|<" "t:none,t:urlDecode,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@endsWith js/window.php" "id:77227280,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the sourceAFRICA plugin 0.1.3 for WordPress (CVE-2015-6920)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_sourceafrica'" SecRule ARGS:wpbase "@rx \x22" "t:none,t:urlDecode,t:htmlEntityDecode" SecRule ARGS:redirect_to "@contains <" "id:77227650,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,severity:2,msg:'IM360 WAF: XSS vulnerability in Nextend Facebook Connect plugin before 1.5.6 for WordPress (CVE-2015-4413)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_nextend_facebook_connect'" SecRule REQUEST_FILENAME "@endsWith wp-login.php" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@pm iframe-googlefont-preview iframe-font-preview" "id:77228040,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Titan Framework plugin before 1.6 for WordPress (CVE-2014-6444)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_titan_framework'" SecRule ARGS:t|ARGS:text "@contains <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains /views/notify.php" "id:77228240,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: XSS vulnerability in the Uploader Plugin 1.0.4 for WordPress (CVE-2013-2287)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_uploader'" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:notify "@within notif unnotif" "chain,t:none,t:lowercase" SecRule ARGS:blog "@contains <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith falha.php" "id:77228250,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Bradesco Gateway plugin 2.0 for WordPress (CVE-2013-5916)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_bradesco_gateway'" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "chain,t:none,t:lowercase,t:normalizePath" SecRule REQUEST_URI "@contains <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith raf_form.php" "id:77228260,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Recommend to a Friend plugin 1.0.2 for WordPress (CVE-2013-7276)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_recommend_a_friend'" SecRule ARGS:current_url "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77232450,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Arbitrary File Download vulnerability in Ad Manager Plugin v1.0.11 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ad_manager_wd'" SecRule ARGS:post_type "@streq wd_ads_ads" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:path "@contains .." "t:none,t:urlDecodeUni" SecRule REQUEST_URI "@contains includes/bookx_export.php" "id:77221540,chain,msg:'IM360 WAF: Directory traversal vulnerability in BookX plugin 1.7 for WordPress (CVE-2014-4937)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:urlDecode,t:normalizePath,severity:2,tag:'wp_plugin_bookx'" SecRule ARGS:file "@beginsWith ../" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wp-source-control/downloadfiles/download.php" "id:77222350,chain,msg:'IM360 WAF: Directory traversal in the WP Content Source Control plugin 3.0.0 and earlier for WordPress (CVE-2014-5368)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,severity:2,tag:'wp_plugin_wp_source_control'" SecRule ARGS:path "@contains ../" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains charts" "id:77226990,chain,msg:'IM360 WAF: Multiple Directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress (CVE-2014-4940)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',block,t:none,t:lowercase,severity:2,tag:'wp_plugin_tera_charts'" SecRule MATCHED_VAR "@pm treemap.php zoomabletreemap.php" "chain,t:none" SecRule ARGS:fn "@contains .." "t:none" SecRule REQUEST_FILENAME "@endsWith download_audio.php" "id:77227180,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Directory traversal vulnerability in the SE HTML5 Album Audio Player plugin 1.1.0 and earlier for WordPress (CVE-2015-4414)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_se_html5_album_audio_player'" SecRule ARGS:file "@contains .." "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith wechat/image.php" "id:77230630,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Local File Inclusion vulnerability in Wechat Broadcast 1.2.0 Plugin for WordPress (CVE-2018-16283)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wechat_broadcast'" SecRule MATCHED_VAR "@contains wp-content/plugins" "chain" SecRule ARGS:url "@contains .." "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77230990,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Custom Field Suite plugin 2.5.12 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_custom_field_suite'" SecRule ARGS:post_type "@streq cfs" "chain,t:none,t:lowercase" SecRule ARGS:cfs[extras][order] "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77222280,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the WebEngage plugin before 2.0.1 for WordPress (CVE-2014-4574)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_webengage'" SecRule REQUEST_BASENAME "@streq resize.php" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:height "@rx \x22" "t:none" SecRule REQUEST_FILENAME "@contains js/ta_loaded.js.php" "id:77220370,chain,msg:'IM360 WAF: XSS vulnerability in the Traffic Analyzer plugin 3.3.2 and earlier for WordPress (CVE-2013-3526)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,severity:2,tag:'wp_plugin_trafficanalyzer'" SecRule ARGS:aoid "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/formcraft/form.php" "id:77220390,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the FormCraft plugin 1.3.7 and earlier for WordPress (CVE-2013-7187)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_FILENAME "@contains contactme" "id:77221250,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Contact Form by ContactMe.com plugin 2.3 and earlier for WordPress (CVE-2014-4518)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_contactme'" SecRule MATCHED_VAR "@endsWith wp-content/plugins/contactme/xd_resize.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:height|ARGS:width "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-symposium/get_album_item.php" "id:77226960,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: SQL injection vulnerabilities in the WP Symposium plugin before 15.8 for WordPress (CVE-2015-6522)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_symposium'" SecRule ARGS:size "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith google-document-embedder/view.php" "id:77227040,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the Google Doc Embedder plugin before 2.5.15 for WordPress (CVE-2014-9173)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_google_document_embedder'" SecRule ARGS:embedded "@ge 1" "chain,t:none" SecRule ARGS:gpid "@rx \D" "t:none" SecRule ARGS:dex_reservations_calendar_load2 "@eq 1" "id:77227610,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: SQL Injection vulnerabilities in the plugin CP Reservation Calendar plugin before 1.1.7 for WordPress (CVE-2015-7235)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_cp_reservation_calendar'" SecRule ARGS:id "!@streq Rcalender1" "t:none" SecRule ARGS:cpmvc_do_action "@streq mvparse" "id:77227780,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress (CVE-2014-8586)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_cp_multi_view_calendar'" SecRule ARGS:calid "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith ss_handler.php" "id:77228350,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress (CVE-2014-8363)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_spreadsheets'" SecRule ARGS:ss_id "@rx \D" "t:none" SecRule ARGS:msg "@streq imported" "id:77243410,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in WordPress plugin enhanced-tooltipglossary v3.2.8 (CVE-2016-1000132)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_enhanced_tooltipglossary'" SecRule REQUEST_FILENAME "@endsWith backend/views/admin_importexport.php" "chain,t:none,t:normalizePath" SecRule ARGS:itemsnumber "@rx \D" "t:none" SecRule REQUEST_FILENAME "@contains include/user/download" "id:77228030,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Absolute path traversal vulnerability in the Swim Team plugin 1.44.10777 for WordPress (CVE-2015-5471)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_swimteam'" SecRule ARGS:file "@beginsWith /" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /includes/download.php" "id:77228140,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Remote file download vulnerability in WordPress plugin wp-ecommerce-shop-styling before v2.5 (CVE-2015-5468)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_ecommerce_shop_styling'" SecRule ARGS:filename "@contains /" "chain,t:none" SecRule ARGS:filename "!@endsWith .pdf" "t:none,t:lowercase" SecRule REQUEST_URI "@rx /wp-content/uploads/e2pdf/.{1,999}\.(?:php|phtml|php\d|pht|phps|phar|phpt|pgif|shtml|htaccess|inc|suspected)(?:\?|$)" "id:77105606,phase:2,block,nolog,auditlog,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Access to PHP file in E2Pdf uploads blocked (CVE-2023-6826)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_e2pdf'" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "id:77374303,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload via import_action in E2Pdf before 1.20.25 (CVE-2023-6826)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_e2pdf'" SecRule ARGS:page "@streq e2pdf-templates" "chain,t:none" SecRule ARGS:action "@streq import" "chain,t:none" SecRule REQUEST_BODY "@rx <name>[^<]{0,200}\.(?:php|phtml|php\d|pht|phps|phar|phpt|pgif|shtml|htaccess|inc|suspected)</name>" "t:none,t:lowercase" SecRule ARGS:filepath "@beginsWith /" "id:77228950,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Remote file download vulnerability in the simple-image-manipulator v1.0 for WordPress (CVE-2015-1000010)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_simple_image_manipulator'" SecRule REQUEST_FILENAME "@endsWith simple-image-manipulator/controller/download.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:file_link "@beginsWith /" "id:77228990,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Remote file download vulnerability in recent-backups v0.7 plugin for WordPress (CVE-2015-1000006)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_recent_backups'" SecRule REQUEST_FILENAME "@endsWith recent-backups/download-file.php" "t:none,t:normalizePath,t:lowercase" SecRule ARGS:url "@beginsWith /" "id:77229060,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Remote file download vulnerability in wptf-image-gallery v1.03 for WordPress (CVE-2016-1000007)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wptf_image_gallery'" SecRule REQUEST_FILENAME "@endsWith lib-mbox/ajax_load.php" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77220212,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in the ShareThis plugin before 7.0.6 for WordPress (CVE-2013-3479)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:st_widget "@ge 1" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77230051,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in Weblizar-pinterest-feeds plugin 1.1.1 for WordPress (CVE-2018-5656)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:weblizar_pffree_settings_save_get-users "@ge 1" "chain,t:none" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77230311,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress (CVE-2018-11632)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_add_social_share_buttons'" SecRule &ARGS:add_custom_service_style "@ge 1" "chain,t:none" SecRule REQUEST_BASENAME "@streq admin-post.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "id:77283492,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Local File Inclusion in Easy Social Share Buttons before 9.5 (CVE-2024-31300)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_easy_social_share_buttons3'" SecRule ARGS:action "@beginsWith essb" "chain,t:none,t:lowercase" SecRule ARGS "@rx (?:\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wp-easycart/inc/admin/phpinfo.php" "id:77222160,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Information disclosure vulnerability in The EasyCart plugin before 2.0.6 for WordPress (CVE-2014-4942)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_easycart'" SecRule REQUEST_FILENAME "@contains wp-content/plugins/wordpress-mobile-pack/export/content.php" "id:77222220,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Information disclosure vulnerability in the WordPress Mobile Pack plugin before 2.0.2 for WordPress (CVE-2014-5337)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wordpress_mobile_pack'" SecRule ARGS:content "@streq exportarticles" "chain,t:none,t:lowercase" SecRule &ARGS:callback "!@eq 0" "t:none" SecRule REQUEST_FILENAME "@contains /server/php/" "id:77226070,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Shell Upload Vulnerability WP Symposium plugin 14.11 for WordPress (CVE-2014-10021)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_symposium'" SecRule ARGS_NAMES "@rx uploader_(uid|url)" "chain,t:none,t:lowercase" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@contains wp-content/plugins/wp-social-invitations/test.php" "id:77226220,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in in the WP Social Invitations plugin before 1.4.4.3 for WordPress (CVE-2014-4597)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_social_invitations'" SecRule ARGS:xhrurl "!@streq http://www.example.com" "t:none" SecRule ARGS:icl_action "@streq reminder_popup" "id:77226280,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the WPML plugin before 3.1.9 for WordPress (CVE-2015-2315)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpml'" SecRule ARGS:target "@contains javascript" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith stageshow_redirect.php" "id:77226830,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Open redirect vulnerability in the Redirect function in the StageShow plugin before 5.0.9 for WordPress (CVE-2015-5461)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_stageshow'" SecRule &ARGS:url "@ge 1" "t:none" SecRule REQUEST_FILENAME "@endsWith reflex-gallery/admin/scripts/FileUploader/php.php" "id:77226980,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unrestricted file upload vulnerability in the ReFlex Gallery plugin before 3.1.4 for WordPress (CVE-2015-4133)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_reflex_gallery'" SecRule ARGS:Year|ARGS:Month "@ge 1" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith db-backup/download.php" "id:77227070,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:lowercase,severity:2,msg:'IM360 WAF: Directory traversal vulnerability in the DB Backup plugin 4.5 and earlier for WordPress (CVE-2014-9119)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_db_backup'" SecRule ARGS:file "@rx ^\/|\.\." "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith proxy.php" "id:77227190,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Absolute path traversal vulnerability in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress (CVE-2015-5065)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce'" SecRule ARGS:requrl "@rx ^(\.\.|\/)" "t:none" SecRule REQUEST_FILENAME "@endsWith twentyfifteen/genericons/example.html" "id:77227200,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: XSS vulnerability in Genericons before 3.3.1 as used in WordPress before 4.2.2 (CVE-2015-3429)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith lib/dp_image.php" "id:77227220,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Directory traversal vulnerability in the DukaPress plugin before 2.5.4 for WordPress (CVE-2014-8799)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_dukapress'" SecRule ARGS:src "@rx ^\/|\.\." "t:none" SecRule REQUEST_FILENAME "@endsWith library/clicktracker.php" "id:77227500,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress (CVE-2014-1854)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_adrotate'" SecRule ARGS:track "!@rx ^\d*," "t:none" SecRule REQUEST_FILENAME "@contains inc/amfphp/administration/banneruploaderscript" "id:77227830,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Unrestricted file upload vulnerability in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 for WordPress (CVE-2014-9308)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_easycart'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule &FILES "@ge 1" "id:77228070,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Shell upload vulnerability in Gravity Forms (CVE-2025-12974)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_gravityforms'" SecRule ARGS:gf_page "@streq upload" "chain,t:none" SecRule &ARGS:form_id "@ge 1" "chain,t:none" SecRule &ARGS:field_id "@ge 1" "chain,t:none" SecRule ARGS:name "@rx \.(?:php\d?|phar|js|p(?:l|y)|rb|sh|(?:p|s|x|d)?html?\d?|asp|exe|dll|com|htaccess)$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith infusionsoft/utilities/code_generator.php" "id:77228080,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Arbitrary File Upload and Arbitrary PHP Code Execution in the Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress (CVE-2014-6446)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_infusionsoft'" SecRule &ARGS:swp_url "@ge 1" "id:77232920,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: RFI vulnerability in social warfare plugin before 3.5.3 for WordPress (CVE-2019-9978)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_social_warfare'" SecRule &ARGS:swp_debug "@ge 1" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@pm POST GET" "id:77233220,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XSS vulnerability in Modern Events Calendar Lite plugin 4.2.1 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_modern_events_calendar_lite'" SecRule ARGS:taxonomy "@rx ^(?:mec_label|mec_organizer|mec_location)$" "chain,t:none" SecRule ARGS|!ARGS:description "@rx \x22" "t:none" SecRule &ARGS:cp_appbooking_id "@ge 1" "id:77233270,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability exists in Appointment Hour Booking Plugin v 1.1.35 or possibly below for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_appointment_hour_booking'" SecRule &ARGS:cp_appbooking_pform_process "@ge 1" "chain,t:none" SecRule ARGS:/^fieldname\d/ "@rx \x22" "t:none,t:urlDecode" SecRule ARGS:RelayState "@streq testvalidate" "id:77233280,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress (CVE-2019-12346)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_miniorange_saml_20_single_sign_on'" SecRule ARGS:SAMLResponse "@contains <" "t:none,t:urlDecode" SecRule ARGS:page|ARGS:option_page "@streq bt_bb_settings" "id:77234280,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Privilege escalation vulnerability in bold-page-builder plugin before 2.3.2 for WordPress (CVE-2019-15821)||File:%{REQUEST_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_bold_page_builder'" SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "chain,t:none" SecRule REQUEST_FILENAME "@rx \/wp-admin\/options(?:-general)?\.php$" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77234700,chain,phase:2,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQLi vulnerability in ninja-forms plugin before 3.3.21.2 for WordPress (CVE-2019-15025)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_forms'" SecRule ARGS:post_type "@streq nf_sub" "chain,t:none,t:lowercase" SecRule ARGS:form_id|ARGS:nf_form_filter|ARGS:begin_date|ARGS:end_date "!@rx (?:^[\w\/\-]+$|^$)" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains preview-shortcode-external.php" "id:77221460,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the OMFG Mobile Pro plugin 1.1.26 and earlier for WordPress (CVE-2014-4541)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_omfg_mobile'" SecRule ARGS:shortcode "@contains >" "t:none" SecRule REQUEST_FILENAME "@contains main_page.php" "id:77221500,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Game tabs plugin 0.4.0 and earlier for WordPress (CVE-2014-4531)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_game_tabs'" SecRule ARGS:n "@contains >" "t:none" SecRule REQUEST_FILENAME "@contains wp-restful/html_api_login.php" "id:77221770,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerabilities in the WP RESTful plugin 0.1 and earlier for WordPress (CVE-2014-4595)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_restful'" SecRule ARGS:oauth_callback_temp|ARGS:oauth_token_temp "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains wp-restful/html_api_authorize.php" "id:77221771,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:2,msg:'IM360 WAF: XSS vulnerabilities in the WP RESTful plugin 0.1 and earlier for WordPress (CVE-2014-4595)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_restful'" SecRule ARGS:oauth_callback "@contains >" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /js/window.php" "id:77227130,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Navis DocumentCloud plugin before 0.1.1 for WordPress (CVE-2015-2807)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_navis_documentcloud'" SecRule ARGS:wpbase "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains download" "id:77228010,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Directory traversal vulnerability in the Zip Attachments plugin before 1.5.1 for WordPress (CVE-2015-4694)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_zip_attachments'" SecRule ARGS:za_file "@contains .." "t:none" SecRule REQUEST_FILENAME "@contains /image-export/download.php" "id:77228150,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Remote file download vulnerability in WordPress Plugin Image-export v1.1.0 (CVE-2016-5609)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_image_export'" SecRule ARGS:file "@contains /" "t:none,t:lowercase,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith download.php" "id:77228160,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Remote file download vulnerability in download-zip-attachments v1.0 for WordPress (CVE-2015-4704)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_download_zip_attachments'" SecRule ARGS:za_file "@rx \.\.|^\/" "t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:url "@contains >" "id:77228200,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerabilities in the WordPress plugin Ooorl v3.1.1 (CVE-2014-4542)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ooorl'" SecRule REQUEST_COOKIES:/wordpress/ "@rx ." "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith redirect.php" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith page-layout-builder/includes/layout-settings.php" "id:77228760,chain,phase:2,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerability in the WordPress plugin page-layout-builder v1.9.3 (CVE-2016-1000141)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_page_layout_builder'" SecRule ARGS:layout_settings_id "@rx \x22" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77228760" SecRule ARGS:fileName "@contains .." "id:77228940,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Remote file download vulnerability in the candidate-application-form v1.0 for WordPress (CVE-2016-1000005)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_candidate_application_form'" SecRule REQUEST_FILENAME "@endsWith downloadpdffile.php" "t:none,t:lowercase" SecRule ARGS:query "@contains php://" "id:77232170,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecode,t:lowercase,severity:2,msg:'IM360 WAF: Directory traversal vulnerability in JSmol2WP plugin 1.07 for WordPress (CVE-2018-20462)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_jsmol2wp'" SecRule REQUEST_FILENAME "@endsWith /php/jsmol.php" "t:none,t:normalizePath,t:lowercase" SecRule &ARGS:cp_contactformpp_pform_process "@ge 1" "id:77233110,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: SQL Injection vulnerability in CP Contact Form with PayPal plugin 1.1.5 for WordPress (CVE-2015-9234)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_cp_contact_form_with_paypal'" SecRule ARGS:cp_contactformpp_id "@rx \D" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77233110" SecRule REQUEST_FILENAME "@endsWith test-plugin.php" "id:77221710,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Swipe Checkout for Jigoshop plugin 3.1.0 and earlier for WordPress (CVE-2014-4557)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_swipe_hq_checkout_for_jigoshop'" SecRule ARGS:api_url "@contains >" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /valums_uploader/php.php" "chain,id:77316754,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin Valums Uploader - File Upload Vulnerability||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$) " "t:none" SecRule &ARGS:action "@lt 1" "id:77316862,pass,phase:2,nolog,severity:5,skipAfter:MARKER_action,msg:'IM360 WAF: ARGS action optimization||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'noshow',tag:'wp_core'" SecRule REQUEST_METHOD "@rx POST" "id:77316881,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated File Upload vulnerability in WordPress Download Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq editpost" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php?\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316873,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Remote Code Execution in WP Super Cache 1.7.1 Plugin for WordPress||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:options-general|admin-ajax)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq wpsupercache" "chain,t:none" SecRule ARGS:action "@streq scupdates" "chain,t:none" SecRule ARGS:wp_cache_location "@rx \x27" "t:none" SecRule REQUEST_METHOD "POST" "chain,id:77316806,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@endsWith theplus_ajax_register" "chain,t:none" SecRule &ARGS:user_login "@gt 0" "chain,t:none" SecRule &ARGS:email "@gt 0" "chain,t:none" SecRule &ARGS:password "@gt 0" "chain,t:none" SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "chain,id:77316807,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Privilege escalation in The Plus Addons for Elementor (CVE-2021-24175)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@endsWith theplus_google_ajax_register" "chain,t:none" SecRule &ARGS:email "@gt 0" "chain,t:none" SecRule &ARGS:name "@gt 0" "chain,t:none" SecRule ARGS:tp_user_reg_role "@pm administrator editor" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77741313,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection in Unlimited Elements For Elementor plugin for WordPress < 1.5.108 (CVE-2024-4779)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq unlimitedelements_ajax_action" "chain,t:none" SecRule ARGS:client_action "@streq get_select2_post_titles" "chain,t:none" SecRule ARGS:/data\[post_ids\]/ "@rx \s+(?:and|or|union|select|sleep|benchmark|waitfor|delay|concat|group_concat|version|user|database|table|information_schema|load_file|into\s+outfile)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140767,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Local file inclusion vulnerability in Contact Form Builder plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_contact_form_builder'" SecRule ARGS:action "@pm CFMShortcode ContactFormMakerPreview ContactFormmakerwdcaptcha ContactFormmakerwdcaptcha" "t:none,chain" SecRule ARGS:action "@rx \.\.\/\.\.\/" "t:none,t:lowercase,t:urlDecode" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "id:77140768,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: File upload vulnerability in WooCommerce plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||order_id:%{ARGS.order_id}||name:%{ARGS.name}||',tag:'wp_core',tag:'wp_plugin_woocommerce'" SecRule ARGS:action "@contains wccs_upload_file_func" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140775,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Stored XSS vulnerability in Live Chat with Facebook Messenger plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@rx update_zb_fbc_code" "t:none,chain" SecRule ARGS:domain "@rx <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140776,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Convert Plus WordPress plugin flaw allows hackers to create Admin accounts||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq cp_add_subscriber" "t:none,chain" SecRule ARGS:cp_set_user "@streq administrator" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77140779,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS vulnerability in FB Messenger Live Chat For||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq update_zb_fbc_code" "chain,t:none" SecRule ARGS:domain "@rx <\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77140780,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: New user account role escalation in many plugins for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq fs_set_db_option" "t:none,chain" SecRule ARGS:option_name "@streq users_can_register" "t:none,chain" SecRule ARGS:option_value "@gt 0" "t:none" SecRule REQUEST_URI "@rx \/wp-admin\/admin-(?:post|ajax)\.php" "id:77140823,chain,phase:2,block,nolog,auditlog,severity:2,t:urlDecode,msg:'IM360 WAF: Privilege escalation in WordPress ND Donations plugin||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action|ARGS:action_rcs "@rx (nd_learning_import_settings_php_function|nd_travel_import_settings_php_function|nd_stats_import_settings_php_function|nd_donations_import_settings_php_function|action_rcs_page_setting_save_post|hc_ajax_save_option|nd_options_import_settings_php_function|nd_booking_import_settings_php_function)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140838,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: WordPress Plugin WP User Frontend < 2.3.11 - Unrestricted Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wp_user_frontend'" SecRule ARGS:action "@streq wpuf_file_upload" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140839,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in Adblock Blocker||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq getcountryuser" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140938,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress WooCommerce Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_woocommerce'" SecRule ARGS:action "@streq nm_personalizedproduct_upload_file" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:lowercase" SecRule REQUEST_FILENAME "@endsWith videostab/ajax_videostab.php" "id:77140951,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop videostab Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@contains submituploadvideo" "chain,t:none,t:lowercase" SecRule FILES "@rx (?i)(\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_FILENAME "@endsWith advancedslider/ajax_advancedsliderupload.php" "id:77140953,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop advancedslider Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@contains submituploadimage" "chain,t:none,t:lowercase" SecRule FILES "@rx (?i)(\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140976,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Estatik Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||WPU:%{TX.wp_user}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_estatik'" SecRule ARGS:action "@streq es_prop_media_images" "chain,t:none,t:lowercase" SecRule FILES "@rx \.(?:php\d?|js|p(?:l|y)|rb|sh|(?:p|s|x|d)?html?\d?|asp|exe|dll|com|htaccess)$" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77140972,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress Plugin Accesspress Anonymous Post Pro Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq ap_file_upload_action" "chain,t:none" SecRule &ARGS:file_uploader_nonce "@gt 0" "chain,t:none" SecRule &ARGS:allowedExtensions[] "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140978,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin FrontEnd File Manager Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_nmedia_user_file_uploader'" SecRule ARGS:action "@streq nm_filemanager_upload_file" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140989,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Ninja Forms Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_ninjaforms'" SecRule ARGS:action "@streq nf_async_upload" "chain,t:none,t:lowercase" SecRule &ARGS:security "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141011,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WPCentral < 1.5.1 Auth Bypass & Privelege Escalation||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq my_wpc_signon" "chain,t:none,t:urlDecodeUni,t:lowercase" SecRule &ARGS:auth_key "!@eq 0" "chain,t:none" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,192.200.108.100" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141012,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Popup Builder plugin SQL injection via PHP deserialization||RSV:8.02||T:APACHE||URL:%{ARGS.attachmentUrl}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_popup_builder'" SecRule ARGS:action "@streq import_popups" "t:none,t:lowercase,chain" SecRule &ARGS:attachmentUrl "@gt 0" "t:none,chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141015,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress KenBurner Slider plugin unauthenticated arbitrary file download||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq kbslider_show_image" "t:none,t:lowercase,chain" SecRule ARGS:img "@rx \.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141018,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress GDPR Cookie Consent < 1.8.3 Improper Access Controls||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_cookie_law_info'" SecRule ARGS:action "@streq cli_policy_generator" "t:none,t:lowercase,chain" SecRule ARGS:cli_policy_generator_action "@streq save_contentdata" "t:none,t:lowercase,chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141034,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Ultimate Membership Pro < 8.6.2 CSRF for Delete an Arbitrary User||RSV:8.02||T:APACHE||ID:%{ARGS.id}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_ultimate_member'" SecRule ARGS:action "@streq ihc_delete_user_via_ajax" "chain,t:none,t:lowercase" SecRule &ARGS:id "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141035,chain,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Tutor LMS 1.5.3 CSRF to add user||RSV:8.02||T:APACHE||Action:%{ARGS.action}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_tutor'" SecRule ARGS:action "@rx ^(add_new_instructor|tutor_add_instructor)$" "chain,t:none,t:lowercase" SecRule &ARGS:user_login "@gt 0" "chain,t:none" SecRule &ARGS:password "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141040,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Merge Minify Refresh before 1.10.7 Authenticated Arbitrary File Delete||RSV:8.02||T:APACHE||F:%{MATCHED_VAR}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_merge_minify_refresh'" SecRule ARGS:action "@streq mmr_files" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule ARGS:purge "@rx \.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141041,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress WP Fastest Cache < 0.9.0.3 CSRF Arbitrary File Deletion||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wp_fastest_cache'" SecRule ARGS:action "@streq wpfc_delete_current_page_cache" "chain,t:none,t:lowercase" SecRule ARGS:path "@rx \.\.\/" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141046,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress File Upload < 4.13.0 - Directory Traversal to RCE||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wp_file_upload'" SecRule ARGS:action "@streq wfu_ajax_action_ask_server" "chain,t:none,t:lowercase" SecRule &ARGS:filesizes "@gt 0" "chain,t:none" SecRule ARGS:filenames "@rx \.\.\/" "t:none,t:hexDecode" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141047,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WPML < 4.3.7 - Authenticated CSRF leading to RCE||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wpml'" SecRule ARGS:action "@streq installer_download_plugin" "chain,t:none,t:lowercase" SecRule ARGS:data "@rx \x22slug\x22\s{0,128}\:\s{0,128}\x22woocommerce-multilingual\x22" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141051,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: WordPress WPvivid Backup < 0.9.36 CSRF attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'wp_plugin_wpvivid_backuprestore'" SecRule ARGS:action "@contains wpvivid_add_remote" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77094795,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in WPvivid Backup before 0.9.124 (CVE-2026-1357)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpvivid_backuprestore'" SecRule ARGS:wpvivid_action "@pm send_to_site" "chain,t:none" SecRule &ARGS:wpvivid_content "@gt 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141053,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: CSRF vlnerability in Data Tables Generator WordPress plugin||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||Action:%{ARGS.action}||',tag:'wp_core',tag:'wp_plugin_data_tables_generator_by_supsystic'" SecRule ARGS:action "@rx ^(getListForTbl|updateRows|updateMeta|saveSettings|remove|create|render|getSettings|getMeta|getCountRows|getRows|clone|rename)$" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141057,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations (CVE-2020-9514)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_idx_broker_platinum'" SecRule ARGS:action "@streq create_dynamic_page" "chain,t:none,t:lowercase" SecRule &ARGS:post_title "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141058,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations (CVE-2020-9514)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_idx_broker_platinum'" SecRule ARGS:action "@rx (create|delete)_dynamic_page" "chain,t:none,t:lowercase" SecRule &ARGS:wrapper_page_id "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141066,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints (CVE-2020-12073)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_responsive_add_ons'" SecRule ARGS:action "@rx (responsive-ready-sites-(import-set-site-data-free|import-xml|import-options|import-wpforms|import-widgets|import-customizer-settings|import-end|reset-customizer-data|reset-site-options|reset-widgets-data|delete-posts|delete-wp-forms|delete-terms|set-reset-data))|(admin_(init|notices|enqueue_scripts))" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141073,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none" SecRule ARGS:actions "@contains enable_safe_mode" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith contact_form.php" "id:77141076,chain,pass,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: PHPMailer < 5.2.20 - Remote Code Execution (CVE-2016-10045)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'im360_service'" SecRule ARGS:action "@streq send" "chain,t:none,t:lowercase" SecRule ARGS:email|ARGS:msg "@rx <\?|\/.{1,8}\/.{1,10}\/" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "id:77141077,chain,pass,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wp_advanced_search',tag:'noshow'" SecRule ARGS:action "@streq db_import" "chain,t:none" SecRule REQUEST_HEADERS:Upgrade-Insecure-Requests "@streq 1" "chain,t:none" SecRule REQUEST_HEADERS:Content-Type "@rx \x0d\x0a" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141079,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress WP Lead Plus X <= 0.99 - Multiple CSRF||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@pm core37_lp_save_page core37_lp_delete_page core37_lp_form_admin_save_settings core37_lp_save_popup_option core37_lp_delete_popup_option core37_lp_save_widget_option core37_lp_delete_widget_option core37_lp_export_template core37_lp_load_local_templates c37_lp_use_wp_template_file core37_lp_delete_template" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141081,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress LifterLMS < 3.37.15 Arbitrary File Writing||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_lifterlms'" SecRule ARGS:action "@streq export_admin_table" "chain,t:none,t:urlDecodeUni" SecRule ARGS:filename "@rx \.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141082,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation - CSRF||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_klarna_checkout_for_woocommerce'" SecRule ARGS:action "@streq change_klarna_addon_status" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141086,chain,pass,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,chain" SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141086" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141087,chain,pass,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "chain,t:none" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain" SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141087" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141089,phase:2,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Plugin MapPress Maps < 2.53.9 RCE (CVE-2020-12077)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@rx (mapp_tpl_get|mapp_tpl_save|mapp_tpl_delete)" "chain,t:none,t:urlDecodeUni" SecRule ARGS:name "@rx \.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142099,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none" SecRule ARGS:/wp_option/ "@rx (administrator|subscriber|users_can_register|1|0)" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142100,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none" SecRule ARGS:/wp_option/ "@rx (administrator|subscriber|users_can_register|1|0)" "chain,t:none" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142103,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase" SecRule ARGS:actions "@contains enable_safe_mode" "chain,t:none" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77142110,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Unrestricted file upload vulnerability in the Simple Ads Manager plugin before 2.5.96 for WordPress (CVE-2015-2825)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@pm upload_ad_image na" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142128,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase" SecRule ARGS:client_action "@streq get_captions_css" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142129,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase" SecRule ARGS:client_action "@streq get_captions_css" "chain,t:none,t:lowercase" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142139,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 RCE (CVE-2020-12800)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_drag_and_drop_multiple_file_upload_contact_form_7'" SecRule ARGS:action "@streq dnd_codedropz_upload" "chain,t:none,t:lowercase" SecRule ARGS:supported_type|FILES "@rx \%$" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142141,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin UpdraftPlus RCE (CVE-2017-16871)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_updraftplus'" SecRule ARGS:action "@streq plupload_action" "chain,t:none,t:lowercase" SecRule ARGS:name "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142142,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress MailerLite Sign Up Forms Plugin SQL Injection||A:%{ARGS.action}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@pm mailerlite_get_more_groups mailerlite_gutenberg_form_preview mailerlite_gutenberg_form_preview2 mailerlite_subscribe_form mailerlite_redirect_to_form_edit" "chain,t:none" SecRule ARGS:form_id "!@rx ^-?\d+$" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142143,block,severity:2,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Easy2Map Persistent Cross-Site Scripting (XSS) Vulnerability||ARGS:action=%{ARGS.action}||ARGS:mapID=%{ARGS.mapID}||ARGS:mapName=%{ARGS.mapName}||RSV:8.02||T:APACHE||',tag:'wp_plugin_easy2map'" SecRule ARGS:action "@streq save_map_name" "chain,t:none" SecRule &ARGS:mapID "@gt 0" "chain,t:none" SecRule ARGS:mapName "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142151,phase:2,severity:2,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: WordPress GDPR Compliance plugin - Unauthorized option update (array variant)||TYPE=%{TX._WPGDPRC_TYPE}||OPTION=%{TX._WPGDPRC_OPTION}||VALUE=%{TX._WPGDPRC_VALUE}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_gdpr_compliance'" SecRule ARGS:action "@streq wpgdprc_process_action" "chain,t:none" SecRule ARGS:data[type] "@rx ." "chain,t:none,capture,setvar:TX._WPGDPRC_TYPE=%{TX.0}" SecRule ARGS:data[option] "@rx ." "chain,t:none,capture,setvar:TX._WPGDPRC_OPTION=%{TX.0}" SecRule ARGS:data[value] "@rx ." "chain,t:none,capture,setvar:TX._WPGDPRC_VALUE=%{TX.0}" SecRule TX:_WPGDPRC_TYPE "@streq save_setting" "chain,t:none" SecRule TX:_WPGDPRC_OPTION "!@rx ^wpgdprc" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142161,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none,t:urlDecodeUni" SecRule &ARGS:wp_option[siteurl]|&ARGS:wp_option[home]|&ARGS:wp_option[users_can_register]|&ARGS:wp_option[default_role] "@ge 1" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142170,chain,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate Addons||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor',tag:'noshow'" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule ARGS:actions "@contains pro_assets_manager_custom_icon_upload" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142171,chain,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate Addons||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor',tag:'noshow'" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase" SecRule ARGS:actions "@contains pro_assets_manager_custom_icon_upload" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142171" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142195,chain,phase:2,severity:2,block,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: OneTone 3.0.6 Unauthenticated Stored Cross-Site Scripting (CVE-2019-17230)(CVE-2019-17231)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@rx onetone_options_import" "chain,t:none" SecRule ARGS:options "@rx (?si)<script" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142205,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin wpDiscuz before 5.3.6 SQL injection (CVE-2020-13640)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@rx ^(wpdloadmorecomments|wpdsorting)$" "chain,t:none,t:lowercase" SecRule ARGS:order|ARGS:orderBy "!@rx ^(comment_date_gmt|by_vote|asc|desc)$" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142210,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS in PW WooCommerce Bulk Edit||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_pw_bulk_edit'" SecRule ARGS:action "@streq pwbe_save_products" "chain,t:none" SecRule ARGS|REQUEST_BODY "@rx \x22\s?\x3E\s?\x3C\s?script" "t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142223,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (ebor framework v2)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.optionName:%{ARGS.optionName}||ARGS.optionValue:%{ARGS.optionValue}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq ebor_framework_update_option" "chain,t:none" SecRule ARGS:optionName "@streq siteurl" "chain,t:none" SecRule &ARGS:optionValue "@gt 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142224,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (efbl_save_access_token)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.efbl_access_token:%{ARGS.efbl_access_token}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq efbl_save_access_token" "chain,t:none" SecRule ARGS:efbl_access_token "@contains <script" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142226,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (setsetting)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.yog_google_maps_api_key:%{ARGS.yog_google_maps_api_key}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq setsetting" "chain,t:none" SecRule ARGS:yog_google_maps_api_key "@contains <script" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142227,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (of_ajax_post_action)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.data:%{ARGS.data}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq of_ajax_post_action" "chain,t:none" SecRule ARGS:data "@rx (?:s(?:\x3a)4(?:\x3a)\x22home\x22|s(?:\x3a)7(?:\x3a)\x22siteurl\x22)" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142230,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (fs_set_db_option)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.option_name:%{ARGS.option_name}||ARGS.option_value:%{ARGS.option_value}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq fs_set_db_option" "chain,t:none" SecRule ARGS:option_name "@streq siteurl" "chain,t:none" SecRule &ARGS:option_value "@gt 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142231,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (td_ajax_update_panel)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.wp_option:%{ARGS.wp_option}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none" SecRule ARGS:wp_option "@rx (?:s(?:\x3a)7(?:\x3a)\x22siteurl\x22)" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142232,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (ect_dashboard_switch)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.option_name:%{ARGS.option_name}||ARGS.value:%{ARGS.value}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq ect_dashboard_switch" "chain,t:none" SecRule ARGS:option_name "@streq siteurl" "chain,t:none" SecRule &ARGS:value "@gt 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142233,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (arm_update_feature_settings)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.arm_features_options:%{ARGS.arm_features_options}||ARGS.arm_features_status:%{ARGS.arm_features_status}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq arm_update_feature_settings" "chain,t:none" SecRule ARGS:arm_features_options "@streq siteurl" "chain,t:none" SecRule &ARGS:arm_features_status "@gt 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142235,phase:2,severity:2,block,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (astra-sites-import-widgets - v2)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.widgets_data:%{ARGS.widgets_data}||',tag:'wp_core'" SecRule ARGS:action "@streq astra-sites-import-widgets" "chain,t:none" SecRule &ARGS:widgets_data "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142256,block,nolog,auditlog,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Block nulled themes pingbacks||RSV:8.02||T:APACHE||%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq rms_ping_from_the_universe" "t:none" SecRule REQUEST_FILENAME "@endsWith /cgi-bin/mainfunction.cgi" "id:77142259,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq login" "chain,t:none" SecRule ARGS:keyPath "@rx [\s\+]?wget\shttps?:\/\/([^\s\+])" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77316738,block,nolog,auditlog,phase:2,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin Post Grid < 2.0.73/Team Showcase < 1.22.16 - Stored Cross-Site Scripting||ARGS.action:%{ARGS.action}||ARGS.source:%{ARGS.source}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@rx ^(?:post_grid_import_xml_layouts|team_import_xml_layouts)$" "chain,t:none" SecRule ARGS:source "@contains ://" "chain,t:none" SecRule ARGS:source "!@beginsWith file://" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77316778,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: WordPress Plugin 123contactform-for-wordpress Arbitrary File Upload||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@pm cfp-new-post cfp-new-post" "chain,t:none" SecRule &ARGS:post_content "@gt 0" "chain,t:none" SecRule &ARGS:post_status "@gt 0" "chain,t:none" SecRule &ARGS:post_author "@gt 0" "chain,t:none" SecRule ARGS:post_image_name|ARGS:post_image "@rx \.(?:phar|ph[p\d]|pl|py|cgi|asp|js|html|htm|phtml)$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316782,chain,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in NextGEN Gallery < 3.5.0 (CVE-2020-35943)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@pm upload_image" "chain,t:none,t:urlDecodeUni" SecRule &ARGS:gallery_name "@gt 0" "chain,t:none" SecRule &ARGS:nonce "@eq 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /data_debug.php" "id:77316808,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection in Cacti 1.2.0 - 1.2.16 (CVE-2020-35701)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq ajax_hosts" "chain,t:none" SecRule ARGS:site_id "@rx [\)\'\x22<]" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316813,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: PHP Object Injection vulnerability in Facebook plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-post.php" "chain,t:normalizePath" SecRule ARGS:action "@pm admin_post send_server_events" "chain,t:none" SecRule ARGS|REQUEST_BODY "@rx \x22GuzzleHttp\x5CCookie\x5CFileCookieJar[^\w]+filename\x22;s\:\d{1,3}\:\x22[^\.]{7,160}\.(?:pht|phtml|php?\d?)\x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx POST" "id:77316814,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in Facebook plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@pm save_fbe_settings delete_fbe_settings" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316820,chain,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin Contact Form 7 Authenticated PHP Object Injection in Redirection (CVE-2021-24280)||Data:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq import_from_debug" "chain,t:none" SecRule ARGS:data[debug_info] "@rx ." "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316821,chain,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Arbitrary File Upload in Kaswara Modern WPBakery Page Builder Addons (CVE-2021-24284)||File:%{ARGS.fonticonzipfile}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq uploadFontIcon" "t:none" SecRule REQUEST_METHOD "POST" "id:77316853,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Privilege Escalation in ProfilePress WordPress plugin (CVE-2021-34621)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq pp_ajax_signup" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:reg_password "@rx ^F0x" "t:none,t:urlDecode" SecRule REQUEST_METHOD "POST" "id:77316854,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitriary File Upload in WP User Avatar plugin for WordPress (CVE-2021-34623)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||FILES:%{FILES}||',tag:'wp_core'" SecRule ARGS:action "@streq update" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140855,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress Plugin N-Media Website Contact Form with File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@rx (?:upload_settings_image|admin-ajax)\.php" "chain,t:none" SecRule ARGS:action "@streq nm_webcontact_upload_file" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule ARGS:action "@pm upload-plugin update_plugin themes themeupload revslider_ajax_action" "id:77140866,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Malicious plugin upload attempt||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-admin\/(?:update|admin-(?:ajax|post))\.php" "t:none,chain" SecRule REQUEST_HEADERS:Accept "@streq */*" "t:none,chain" SecRule FILES "@rx ^(?:[a-z]{7}|rock)\.zip$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140868,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress Revslider Plugin File Upload Vulnerability (CVE-2023-2359)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none" SecRule ARGS:client_action "@streq update_plugin" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77140869,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress Simple Ads Manager Plugin File Upload Vulnerability (CVE-2015-2825)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq upload_ad_image" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140869" SecRule REQUEST_METHOD "@rx ^POST" "id:77140903,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: FCKEditor Core 2.x 2.4.3 File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:param "@streq upload_slide" "chain,t:none" SecRule ARGS:action "@streq load_library" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77140910,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress Slider Revolution 3.0.95 / Showbiz Pro 1.7.1 Plugin File Upload Vulnerability (CVE-2014-9734)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq showbiz_ajax_action" "chain,t:none" SecRule ARGS:client_action "@streq update_plugin" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule ARGS:action "@pm wpuf_file_upload wpuf_insert_image" "id:77140928,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unrestricted Arbitrary File Upload in WP User Frontend plugin before 2.3.11 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'wp_plugin_wp_user_frontend'" SecRule FILES "@rx pwn.gif" "t:none" SecRule REQUEST_FILENAME "@endsWith server/php/index.php" "id:77140973,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin ACF Frontend Display Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_acf_frontend_display'" SecRule REQUEST_FILENAME "@rx acf-frontend-display" "chain,t:none,t:lowercase" SecRule ARGS:action "@streq upload" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule ARGS:action "@streq output csv" "id:77140991,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Plugin Participants Database SQL Injection vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_participants_database'" SecRule ARGS:CSV_type "@streq participant list" "chain,t:none,t:lowercase" SecRule ARGS:subsource "@streq participants-database" "chain,t:none,t:lowercase" SecRule ARGS:query "!@rx ^$" "t:none" SecRule ARGS:action "@streq duplicator_download" "id:77141007,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: WordPress Plugin Duplicator File Download Auth Bypass (CVE-2020-11738)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:file "@contains ../" "t:none" SecRule ARGS:action "@streq register" "id:77141013,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Profile Builder Plugin Unauthenticated Administrator Registration||RSV:8.02||T:APACHE||USR:%{ARGS.username}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_profile_builder'" SecRule ARGS:custom_field_user_role "@streq administrator" "chain,t:none,t:lowercase" SecRule &ARGS:username "@gt 0" "chain,t:none" SecRule &ARGS:email "@gt 0" "chain,t:none" SecRule &ARGS:passw1 "@gt 0" "chain,t:none" SecRule &ARGS:passw2 "@gt 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141039,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Import Export Users < 1.3.9 Authenticated Arbitrary User Creation||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:import_page "@streq wordpress_hf_user_csv" "chain,t:none,t:lowercase" SecRule ARGS:step "@streq 3" "chain,t:none" SecRule ARGS:action "@streq user_csv_import_request" "chain,t:none,t:lowercase" SecRule ARGS:file "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141042,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in Pricing Table by Supsystic plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_pricing_table'" SecRule ARGS:mod "@streq tables" "chain,t:none" SecRule ARGS:action "@pm getListForTbl remove removeGroup clear save exportForDb updateLabel changeTpl saveAsCopy getJSONExportTable createFromTpl" "chain,t:none" SecRule &ARGS:id "@gt 0" "chain,t:none" SecRule ARGS:reqType "@streq ajax" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:lowercase" SecRule ARGS:action "@streq duplicator_pro_download" "id:77142126,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: WordPress Plugin Duplicator Pro File Download Auth Bypass (CVE-2020-11738)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:file "@rx \.\.\/" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142155,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQLi vulnerability in the Ajax Load More 5.3.1 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_ajax_load_more'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq alm_update_repeater" "chain,t:none" SecRule ARGS:value|ARGS:repeater "@pm ' <" "t:none,t:urlDecode" SecRule ARGS:action_rcs "@streq action_rcs_page_setting_save_post" "id:77142159,chain,severity:2,block,nolog,auditlog,t:none,msg:'IM360 WAF: WordPress Coming Soon Page & Maintenance Mode plugin - Unauthenticated stored XSS||RSV:8.02||T:APACHE||HOOK:%{ARGS.hook}||PAYLOAD_IN:%{MATCHED_VAR_NAME}||PAYLOAD:%{MATCHED_VAR}||',tag:'wp_plugin_responsive_coming_soon_page'" SecRule &ARGS:hook "@gt 0" "t:none,chain" SecRule ARGS|!ARGS:action_rcs|!ARGS:hook "@rx (?si)<script" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST" "id:77142175,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in Smart Google Code Inserter before 3.5 plugin for WordPress (CVE-2018-3810)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_delucks_seo'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-(?:ajax|post)|options-general)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq savegooglecode" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST" "id:77142176,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi in Smart Google Code Inserter before 3.5 plugin for WordPress (CVE-2018-3810)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-(?:ajax|post)|options-general)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq saveadwords" "chain,t:none" SecRule ARGS:oId[] "@rx \D" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77142179,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in Travelpayouts plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_travelpayouts'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq import_csv" "chain,t:none" SecRule ARGS:value[][] "@rx [\x22<]" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST" "id:77142180,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in thim_update_theme_mods||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq thim_update_theme_mods" "chain,t:none" SecRule ARGS:thim_key "@pm thim_google_analytics siteurl" "chain,t:none" SecRule ARGS:thim_value "@rx ([\x22<]|http)" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST" "id:77142184,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in WP Quick Booking Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_quick_booking_manager'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq gen_save_cssfixfront" "chain,t:none" SecRule ARGS:css "@rx ^<\/style>" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST" "chain,id:77142218,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin Adning Advertising - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||RSV:8.02||T:APACHE||ARGS:allowed_file_types=%{ARGS.allowed_file_types}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq _ning_upload_image" "chain,t:none" SecRule ARGS:allowed_file_types "@rx (?i:php|phtml|pht|php\d)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "chain,id:77142241,pass,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin wpDiscuz - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq wmuUploadFiles" "chain,t:none" SecRule FILES "@rx (?i)^wmu_files.{1,160}\.(?:pht|phtml|php\d?)$" "t:none,capture" SecRule REQUEST_METHOD "POST" "id:77140772,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated stored XSS in FV Flowplayer Video Player plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:action "@contains fv_wp_flowplayer_email_signup" "chain,t:none,t:urlDecodeUni" SecRule ARGS:email "<" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq post" "chain,id:77142246,block,nolog,auditlog,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Theme Divi - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq et_core_portability_import" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "POST" "chain,id:77142253,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress plugin Quiz and Survey Master - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||REMOTE_FILENAME:%{TX.0}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qsm_upload_image_fd_question" "chain,t:none" SecRule FILES "@rx (?i)^file.{1,160}\.(?:pht|phtml|php\d?)$" "t:none,capture" SecRule REQUEST_METHOD "@streq post" "chain,id:77142254,block,nolog,auditlog,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Plugin Quiz and Survey Master - Unauthenticated Arbitrary File Deletion||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.file_url:%{ARGS.file_url}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qsm_remove_file_fd_question" "chain,t:none" SecRule ARGS:file_url "@rx (?i)(?:pht|phtml|php\d?)$" "t:none" SecRule REQUEST_METHOD "@streq post" "id:77316722,chain,block,nolog,auditlog,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Plugin Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||FILES.file:%{FILES.file}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq ao_ccss_import" "chain,t:none" SecRule FILES "!@endsWith .zip" "t:none" SecRule REQUEST_METHOD "POST" "id:77316726,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: WordPress plugin wpStoreCart - Unauthenticated Arbitrary File Upload leading to Remote Code Execution||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" "chain,t:none,t:normalizePath" SecRule ARGS:option_page "@streq seed_csp4_settings_content" "chain,t:none" SecRule ARGS:action "@streq update" "chain,t:none" SecRule ARGS:seed_csp4_settings_content[headline] "@rx \<" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316785,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@pm admin_post_rmp_upload_theme_file admin_post" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316826,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in External Media plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains upload-remote-file" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316837,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx fpd_custom_uplod_file" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx POST" "id:77316838,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||File:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx fpd_custom_uplod_file" "chain,t:none" SecRule ARGS:url "@rx <\?php|<script" "t:none,t:base64Decode" SecRule REQUEST_METHOD "@rx POST" "id:77316847,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in WooCommerce Stock Manager for WordPress||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq admin_menu" "chain,t:none" SecRule &ARGS:upload "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316848,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in WooCommerce Stock Manager for WordPress||File:%{FILES}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@streq admin_menu" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316849,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF vulnerability in Fluent Forms Fastest Contact Form Builder Plugin for WordPress||File:%{FILES}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^fluentform" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_BASENAME "@streq admin.php" "id:77220820,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in Collabtive 1.2 (CVE-2014-3247)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq addpro" "chain,t:none,t:lowercase" SecRule ARGS:desc "@rx (?:'|\x22|<)" "t:none" SecRule ARGS:controller "@rx POST" "id:77240570,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerabilities in Nibbleblog before 4.0.2 (CVE-2014-8996)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq view" "chain,t:none,t:lowercase" SecRule ARGS:hash "@rx ^[0-9a-f]+$" "chain,t:none" SecRule ARGS:author_name|ARGS:content "@rx \x22|<" "t:none" SecRule REQUEST_FILENAME "@contains card.php" "id:77240800,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.8.3 (CVE-2016-1912)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq update" "chain,t:none,t:lowercase" SecRule ARGS:lastname|ARGS:firstname|ARGS:job|ARGS:email|ARGS:signature "@contains <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith member.php" "id:77242430,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the MyBB 1.8.1 (CVE-2014-9240)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq do_register" "chain,t:none,t:lowercase" SecRule ARGS:regsubmit "@rx submit\s*registration\s*!" "chain,t:none,t:lowercase" SecRule ARGS:question_id "@contains '" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith report.php" "id:77242440,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:my_post_key "@ge 1" "chain,t:none" SecRule ARGS:action "@streq do_report" "chain,t:none,t:lowercase" SecRule &ARGS:pid "@ge 1" "chain,t:none" SecRule ARGS:type "@contains <" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith usercp.php" "id:77242441,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:my_post_key "@ge 1" "chain,t:none" SecRule ARGS:action "@streq do_editsig" "chain,t:none,t:lowercase" SecRule ARGS:signature "@rx <script" "t:none,t:urlDecode,t:urlDecode" SecRule ARGS:action "@contains errors" "id:77243170,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in EspoCRM before 2.6.0 (CVE-2014-7987)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /install/index.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:desc "@contains <" "t:none,t:urlDecode" SecRule &ARGS:/MODAUTH/ "@ge 1" "id:77247650,chain,phase:2,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the MODX Revolution through v2.7.0-pl (CVE-2018-20756 VE-2018-20757)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none" SecRule ARGS:action "@rx ^(security\/user|resource)\/(?:create|update)$" "chain,t:none,t:normalizePath" SecRule ARGS:extended|ARGS:pagetitle "@contains <" "t:none,t:urlDecode" SecRule ARGS:id|ARGS:dir "@contains .." "id:77243590,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Directory traversal in MODX Revolution before 2.5.2-pl (CVE-2016-10037 & CVE-2016-10039)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@pm getfiles getlist" "chain,t:none,t:lowercase" SecRule &REQUEST_HEADERS:modauth|&REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none" SecRule REQUEST_FILENAME "@contains /connectors/" "t:none,t:lowercase" SecRule ARGS:wpTextbox1 "@contains </style>" "id:77244320,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerability in MediaWiki before 1.23.15 1.26.x before 1.26.4 and 1.27.x before 1.27.1 (CVE-2016-6333)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:wpEditToken "@ge 1" "chain,t:none" SecRule ARGS:action "@streq submit" "chain,t:none,t:lowercase" SecRule ARGS:title "@endsWith common.css" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@rx \/(?:index\.php)?$" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77240563,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in Nibbleblog before 4.0.5 (CVE-2015-6966)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq new_simple" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule ARGS:subtype "@streq assignsubmission" "id:77242992,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.6.11 2.7.x before 2.7.13 2.8.x before 2.8.11 2.9.x before 2.9.5 and 3.0.x before 3.0.3 (CVE-2016-2157)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:action "@ge 1" "chain,t:none" SecRule &ARGS:plugin "@ge 1" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule ARGS:module "@pm config-mycode user-groups forum-management tools-tasks user-titles" "id:77242402,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 (CVE-2015-2149)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@pm add edit" "chain,t:none,t:lowercase" SecRule ARGS:title|ARGS:description "@contains <script" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx POST" "id:77316878,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule &ARGS:uploadsDir "@gt 0" "chain,t:none" SecRule &ARGS:uploadsDirURL "@gt 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316882,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Directory Traversal vulnerability in WordPress Download Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq editpost" "chain,t:none" SecRule ARGS:file[page_template] "@rx \.\.\/" "t:none" SecRule REQUEST_URI "@rx (\/wp-json|rest_route=)\/wc\/" "id:77316858,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi vulnerability in WooCommerce plugin for WordPress (CVE-2021-32790)||Req:%{REQUEST_URI}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx calculate_attribute_counts.{0,500}20(?:select|update)\%" "t:none,t:lowercase,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316898,chain,block,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in Nested Pages < 3.1.15 (CVE-2021-38342)||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_nested_pages'" SecRule ARGS:action "@pm npBulkActions npBulkEdit" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /admin-post.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule &ARGS:nonce "@eq 0" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77316883,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "chain,t:none" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77316884,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "chain,t:none" SecRule ARGS:key|ARGS:exclude "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77316885,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||key:%{ARGS.key}||RSV:8.02||T:APACHE||exclude:%{ARGS.exclude}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "chain,t:none" SecRule &ARGS:key|&ARGS:exclude "@gt 0" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77316886,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File Upload vulnerability in Publisher theme for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq deferred_loading" "chain,t:none" SecRule ARGS:reqID "@streq ajax_field" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infector_rule}r77316886" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77317955,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated File Upload in SUMO Affiliates Pro||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq fs_affiliates_file_upload" "chain,t:none,t:lowercase" SecRule ARGS:key "@streq upload_file" "chain,t:none,t:lowercase" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_URI "@contains /wp-content/uploads/fs-files/" "id:77317956,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: RCE in SUMO Affiliates Pro||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "POST" "id:77317961,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload and Path Traversal in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule ARGS:id "@rx \.\.\/|(?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "POST" "id:77317962,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule ARGS:ibsf "@pm <script <?php" "t:none" SecRule REQUEST_METHOD "POST" "id:77317963,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule ARGS:ibsf "@pm <script <?php" "t:none,t:base64Decode" SecRule REQUEST_METHOD "POST" "id:77317964,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Authenticated File Upload in Brizy - Page Builder plugin for WordPress (CVE-2021-38346)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_brizy'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "brizy_create_block_screenshot" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317970,chain,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in WP Fastest Cache Plugin < 0.9.5 (CVE-2021-24870)||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_fastest_cache'" SecRule ARGS:action "@streq wpfc_save_cdn_integration" "chain,t:none,t:urlDecodeUni" SecRule &ARGS:nonce "@eq 0" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77317972,chain,block,severity:2,t:none,msg:'IM360 WAF: Content deletion prevention in HashThemes Demo Importer <= 1.1.1 plugin for WordPress (CVE-2021-39333)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx (?:\/wp-admin\/admin-ajax|\/hashthemes-demo-importer)\.php$" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq hdi_install_demo" "chain,t:none" SecRule ARGS:reset "@streq true" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317982,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Code injection in Kaswara WordPress Plugin||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-content/plugins/kaswara/includes/handlers/ajax_handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq kaswaraCustomCode" "chain,t:none" SecRule ARGS:customJS "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317983,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQL injection in Kaswara WordPress Plugin||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-content/plugins/kaswara/includes/handlers/ajax_handler.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq kaswaraCustomCode" "chain,t:none" SecRule ARGS "@contains '" "t:none" SecRule ARGS:action "@streq admin-dismiss-unsubscribe" "id:77317984,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Page Deletion in WP DSGVO Tools (GDPR) <= 3.1.23 Plugin for WordPress (CVE-2021-42359)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule &ARGS:id|&ARGS:postid "!@eq 0" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77317991,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in User Registration Plugin for WordPress (CVE-2021-4073)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq rm_login_social_user" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77318030,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Cross-Site Request Forgery in Login/Signup Popup & Waitlist Woocommerce & Side Cart Woocommerce plugins for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@contains xoo_admin_settings_save" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" "id:77318037,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Path Traversal vulnerability in WordPress 5.0.0||File:%{FILES.meta_input[_wp_attached_file]}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule ARGS:action "@rx edit" "chain,t:none" SecRule ARGS:meta_input[_wp_attached_file] "@rx \/\.\.\/\.\.\/" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" "id:77318038,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: RFI vulnerability in WordPress 5.0.0||File:%{FILES.meta_input[_wp_attached_file]}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule ARGS:action "@rx edit" "chain,t:none" SecRule ARGS:meta_input[_wp_attached_file] "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico|rb)\W" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318040,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: LFI & RCE Essential Addons for Elementor plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx (?:eael|eael_product)_product_gallery" "chain,t:none" SecRule ARGS:/template_info/ "@rx \/..?\/|<php" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318041,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: LFI & RCE Essential Addons for Elementor plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx load_more" "chain,t:none" SecRule ARGS:/template_info/ "@rx \/..?\/|<php" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318042,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24663)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx parse-media-shortcode" "chain,t:none" SecRule ARGS:shortcode "@contains [php_everywhere]" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318043,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24664)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains edit" "chain,t:none" SecRule &ARGS:meta-box-loader "@gt 0" "chain,t:none" SecRule ARGS "@contains [php_everywhere]" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77318044,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution in PHP Everywhere < 3.0.0 plugin for WordPress (CVE-2022-24665)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains edit" "chain,t:none" SecRule &ARGS:post "@gt 0" "chain,t:none" SecRule ARGS "@contains [php_everywhere]" "t:none" SecRule REQUEST_URI "@contains /wp-json/aioseo/v1/" "id:77318019,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated Privilege Escalation in All in One SEO < 4.1.5.3 plugin for WordPress (CVE-2021-25036)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule MATCHED_VAR "@rx [A-Z]" "t:none" SecRule REQUEST_URI "@contains /wp-content/plugins/wp-breeze/" "id:77350009,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: WordPress Fake WP-Breeze Plugin blocked||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_METHOD "@pm POST GET" "id:77225140,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq upload-attachment" "chain,t:none,t:lowercase" SecRule FILES "@contains <" "chain,t:none,t:urlDecode" SecRule REQUEST_BASENAME "@streq async-upload.php" "t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77225210,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unrestricted file upload vulnerability in WordPress 4.9.7 (CVE-2018-14028)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_BASENAME "@streq update.php" "chain,t:none,t:lowercase" SecRule ARGS:action "@rx ^upload-(?:plugin|theme)$" "chain,t:none,t:lowercase" SecRule FILES "!@rx \.zip$" "t:none,t:lowercase" SecRule ARGS:fn "@contains .." "id:77225190,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Directory traversal vulnerability in Javo Spot Premium Theme for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq jvfrm_spot_get_json" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77229090,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the WooCommerce plugin before 2.6.9 for WordPress (CVE-2016-10112)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce'" SecRule ARGS:action "@streq woocommerce_tax_rates_save_changes" "chain,t:none,t:lowercase" SecRule ARGS:/postcode/ "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77230820,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Unite Gallery Lite plugin 1.7.43 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_unite_gallery_lite'" SecRule ARGS:action "@streq unitegallery_ajax_action" "chain,t:none,t:lowercase" SecRule ARGS:data[main][title]|ARGS:data[title] "@rx \x22|<" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77232100,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Bookly - Online Booking and Scheduling Plugin 16.4 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_bookly_responsive_appointment_booking_tool'" SecRule ARGS:action "@streq bookly_update_service" "chain,t:none,t:lowercase" SecRule ARGS:title "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77232721,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: XSS vulnerability in WP Fastest Cache 0.8.8.5 for WordPress (CVE-2018-17583 CVE-2018-17586)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_fastest_cache'" SecRule ARGS:action "@beginsWith wpfc_save_" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:lowercase" SecRule ARGS:/^rules\[\d+?]\[content]$/ "@contains <" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77232721" SecRule REQUEST_METHOD "@pm POST GET" "id:77232960,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability WP Google Maps plugin 7.11.17 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_google_maps'" SecRule ARGS:action "@streq wpgmza_settings_page_post" "chain,t:none,t:lowercase" SecRule ARGS:wpgmza_gdpr_company_name|ARGS:wpgmza_gdpr_retention_purpose "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith client-assist.php" "id:77226200,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the dsIDXpress IDX plugin before 2.1.1 and WordPress Edition plugin 1.0-beta10 and earlier for WordPress (CVE-2014-4521 / CVE-2014-4522)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_dssearchagent_wordpress_edition'" SecRule ARGS:action "@contains <" "t:none,t:urlDecode" SecRule ARGS:action "@streq fw_send_email" "id:77230460,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in Multi Step Form plugin through 1.2.5 for WordPress (CVE-2018-14430)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_multi_step_form'" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:email|ARGS:/^fw_data\[/ "@contains <" "t:none,t:urlDecode" SecRule ARGS:action "@streq revslider_show_image" "id:77222050,chain,msg:'IM360 WAF: Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress (CVE-2014-9734)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'wp_core'" SecRule ARGS:img "@contains .." "chain,t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:action "@contains ../" "id:77232730,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: LFI and CSRF vulnerability in WebDorado Contact Form Builder plugin 10Web Form Maker plugin before 1.13.5 for WordPress (CVE-2019-11557 CVE-2019-11590 CVE-2019-11591)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_form_maker'" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77226632,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Welcart e-Commerce plugin 1.3.12 for WordPress (CVE-2014-10016)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_welcart'" SecRule ARGS:action "@contains shop_options_ajax" "chain,t:none,t:lowercase" SecRule ARGS:mode "@contains update_delivery_method" "chain,t:none,t:lowercase" SecRule ARGS:time|ARGS:nocod|ARGS:intl "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77226760,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQL injection vulnerability in Survey and Poll plugin 1.1.7 for WordPress (CVE-2015-2090)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_survey_and_poll'" SecRule ARGS:action "@streq ajax_survey" "chain,t:none,t:lowercase" SecRule ARGS:survey_id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77232360,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQL vulnerability in WordPress Booking Calendar Plugin v8.4.3 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_booking_calendar'" SecRule ARGS:action "@streq trash_restore" "chain,t:none,t:lowercase" SecRule ARGS:booking_id "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77226931,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress (CVE-2015-2824)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_simple_ads_manager'" SecRule ARGS:action "@streq load_users" "chain,t:none,t:lowercase" SecRule ARGS:subscriber|ARGS:contributor|ARGS:author|ARGS:editor|ARGS:admin "!@rx ^[a-z]+$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77226933,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress (CVE-2015-2824)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_simple_ads_manager'" SecRule ARGS:action "@streq load_posts" "chain,t:none,t:lowercase" SecRule ARGS:cstr "@rx \D" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77230151,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in Acurax-social-media-widget plugin before 3.2.6 for WordPress (CVE-2018-6357)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_acurax_social_media_widget'" SecRule ARGS:action "@streq acx_asmw_saveorder" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "t:none,t:lowercase" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77230521,chain,msg:'IM360 WAF: CSRF vulnerability in ULike plugin version 2.8.1 3.1 for WordPress (CVE-2018-1000511)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_wp_ulike'" SecRule ARGS:action "@streq ulikelogs" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77232130,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Open redirect vulnerability in Ninja Forms plugin before 3.3.19.1 for WordPress (CVE-2018-19796)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_forms'" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none,t:lowercase" SecRule ARGS:action "@streq nf_download_all_subs" "chain,t:none,t:lowercase" SecRule ARGS:args[redirect] "@beginsWith http" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77232471,chain,msg:'IM360 WAF: CSRF vulnerability in Smart Forms plugin before 1.2.2 for WordPress (CVE-2019-5920)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_core'" SecRule ARGS:action "@streq formcraft_basic_form_save" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77232570,chain,msg:'IM360 WAF: File upload and RCE vulnerabilities in Slider Revolution Plugin for WordPress (CVE-2014-9735)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:2,tag:'wp_core'" SecRule &ARGS:client_action "@ge 1" "chain,t:none" SecRule &ARGS:data "@gt 0" "chain,t:none" SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@endsWith simple-ads-manager/sam-ajax-admin.php" "id:77226910,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the Simple Ads Manager plugin before 2.5.96 for WordPress (CVE-2015-2825)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'wp_plugin_simple_ads_manager'" SecRule ARGS:action "@streq upload_ad_image" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule ARGS:action "@pm miglaA_update_me wpgdprc_process_action" "id:77230970,chain,msg:'IM360 WAF: Arbitrary Code Execution vulnerability in WP GDPR Compliance plugin before 1.4.3 and Total Donations plugin through 2.0.5 for WordPress (CVE-2018-19207 CVE-2019-6703)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_wp_gdpr_compliance'" SecRule ARGS:data "@pm administrator editor users_can_register" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77233122,chain,msg:'IM360 WAF: XSS vulnerability in WordPress Download Manager Plugin 2.9.96 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_download_manager'" SecRule ARGS:action "@streq wpdm_settings" "chain,t:none,t:lowercase" SecRule ARGS|!ARGS:wpdm_login_msg|!ARGS:wpdm_permission_msg|!ARGS:__wpdm_blocked_ips_msg "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77233420,chain,msg:'IM360 WAF: Unrestricted file upload Vulnerability in SupportCandy plugin through 2.0.0 for WordPress (CVE-2019-11223)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_supportcandy'" SecRule &ARGS:setting_action "@ge 1" "chain,t:none" SecRule ARGS:action "@streq wpsc_tickets" "chain,t:none,t:lowercase" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77233640,chain,msg:'IM360 WAF: SQLi Vulnerability in Adenion Blog2Social plugin through 5.5.0 for WordPress (CVE-2019-13572)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_blog2social'" SecRule ARGS:action "@streq b2s_sort_data" "chain,t:none,t:lowercase" SecRule ARGS:/^b2sSort/|ARGS:b2sSchedDate|ARGS:b2sUserLang "@rx \W" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-post.php" "id:77140853,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin MailPoet Newsletters 2.6.8 wysija-newsletters Arbitrary File Upload Vulnerability (CVE-2014-4725)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wysija_newsletters'" SecRule ARGS:page "@streq wysija_campaigns" "chain,t:none,t:lowercase" SecRule ARGS:action "@rx ^(?:themes|themeupload)$" "chain,t:none,t:lowercase" SecRule FILES "@rx (rock\.zip|\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-post.php" "id:77140984,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress Plugin MailPoet Newsletters 2.6.8 wysija-newsletters Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wysija_newsletters'" SecRule ARGS:page "@streq wysija_campaigns" "chain,t:none,t:lowercase" SecRule ARGS:action "@rx ^(?:themes|themeupload)$" "chain,t:none,t:lowercase" SecRule FILES "@rx ^(([a-zA-Z]{5}|XAttacker)\.zip)$" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141019,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Participants Database < 1.9.5.6 Authenticated Time Based SQL Injection||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_participants_database'" SecRule ARGS:page "@streq participants-database" "chain,t:none,t:lowercase" SecRule ARGS:action "@streq admin_list_filter" "chain,t:none,t:lowercase" SecRule ARGS:ascdesc "!@rx ^(desc|asc)$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141020,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Participants Database < 1.9.5.6 Authenticated Time Based SQL Injection||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_participants_database'" SecRule ARGS:page "@streq participants-database" "chain,t:none,t:lowercase" SecRule ARGS:action "@streq admin_list_filter" "chain,t:none,t:lowercase" SecRule ARGS:list_filter_count "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141025,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Htaccess by BestWebSoft <= 1.8.1 CSRF to edit .htaccess||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_htaccess'" SecRule ARGS:page "@streq htaccess.php" "chain,t:none,t:lowercase" SecRule ARGS:action "@streq htaccess_editor" "chain,t:none,t:lowercase" SecRule &ARGS:htccss_customise "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77142182,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in WP Quick Booking Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_responsive_coming_soon'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq wpsm_responsive_coming_soon" "chain,t:none" SecRule ARGS:action_rcs "@streq action_rcs_page_setting_save_post" "chain,t:none" SecRule ARGS:rcsp_description|ARGS:rcsp_headline "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142186,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated settings update in WP Inventory Manager plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq wpim_manage_settings" "chain,t:none" SecRule ARGS:action "@streq save" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142243,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in Coming Soon Page, Under Construction & Maintenance Mode by SeedProd Plugin (CVE-2020-15038)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_coming_soon_page'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq seed_csp4" "chain,t:none" SecRule ARGS:option_page "@streq seed_csp4_settings_content" "chain,t:none" SecRule ARGS:action "@streq update" "chain,t:none" SecRule ARGS:seed_csp4_settings_content[headline] "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@streq post" "id:77222012,chain,msg:'IM360 WAF: CSRF vulnerability in the WordPress File Upload plugin before 2.4.2 for WordPress (CVE-2014-5199)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'wp_core'" SecRule ARGS:page "@streq wordpress_file_upload" "chain,t:none" SecRule ARGS:action "@streq edit_settings" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule REQUEST_BASENAME "@streq options-general.php" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77226651,chain,msg:'IM360 WAF: CSRF vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress (CVE-2015-0895)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith admin.php" "chain,t:none,t:lowercase" SecRule ARGS:page "@contains aiowpsec" "chain,t:none,t:lowercase" SecRule ARGS:tab "@streq tab6" "chain,t:none,t:lowercase" SecRule ARGS:action|ARGS:action2 "@contains delete" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77210871,chain,msg:'IM360 WAF: CSRF vulnerability in Crony Cronjob Manager plugin before 0.4.7 for WordPress (CVE-2017-14530)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_crony'" SecRule &ARGS:name "@ge 1" "chain,t:none" SecRule ARGS:page "@streq crony" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@endsWith admin.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77350027,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: RCE Vulnerability in Elementor WordPress Plugin (CVE-2022-1329)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "^POST$" "t:none,chain" SecRule ARGS:action "@rx admin|init" "chain,t:none" SecRule &ARGS:_nonce "@ge 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350027" SecMarker MARKER_action SecRule &ARGS:page "@lt 1" "id:77316872,pass,phase:2,nolog,severity:5,skipAfter:MARKER_page,msg:'IM360 WAF: ARGS page optimization||RSV:8.02||T:APACHE||',tag:'noshow',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77140799,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: CSRF vulnerability in Post SMTP plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:page "@streq postman_email_log" "t:none,chain" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@ge 1" "t:none,chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77140800,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS vulnerability in Maintenance plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "t:none,t:normalizePath,chain" SecRule ARGS:page "@streq maintenance" "t:none,chain" SecRule ARGS:lib_options[page_title] "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140906,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WordPress plugin pageline File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx (?:wp-admin\/admin-post\.php|wp-admin\/admin-ajax\.php)$" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq pagelines" "chain,t:none" SecRule ARGS:settings_upload "@streq settings" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77140998,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: CSRF to RCE Vulnerability in Code Snippets Plugin for WordPress (CVE-2020-8417)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_snippets'" SecRule ARGS:page "@streq import-snippets" "t:none,chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141022,chain,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Registration Magic < 4.6.0.3 Authenticated SQL Injection||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:page "@streq rm_analytics_show_form" "chain,t:none,t:lowercase" SecRule ARGS:rm_form_id "@rx \D" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141023,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Plugin Huge IT Slider 2.6.8 SQL Injection (CVE-2015-2062)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:page "@streq sliders_huge_it_slider" "chain,t:none,t:lowercase" SecRule ARGS:task "@rx ^(popup_posts|edit_cat)$" "chain,t:none,t:lowercase" SecRule ARGS:removeslide "@rx ^.{12,999}" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "id:77729974,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in File Manager Advanced plugin for WordPress < 5.2.14 (CVE-2024-13333)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq fma_load_action" "t:none,chain" SecRule ARGS:cmd "@streq upload" "t:none,chain" SecRule FILES "@rx \.htaccess$" "t:none" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "id:77729975,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in File Manager Advanced plugin for WordPress < 5.2.14 (CVE-2024-13333)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq fma_load_action" "t:none,chain" SecRule ARGS:cmd "@streq upload" "t:none,chain" SecRule REQUEST_BODY "@contains AddType" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141032,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Ultimate Membership Pro < 8.7 CSRF allowing Arbitrary Account Deletion||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_ultimate_member'" SecRule ARGS:page "@streq ihc_manage" "chain,t:none,t:lowercase" SecRule ARGS:tab "@streq users" "chain,t:none,t:lowercase" SecRule &ARGS:delete "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141033,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Ultimate Membership Pro < 8.7 CSRF allowing Arbitrary Account Creation||RSV:8.02||T:APACHE||R:%{ARGS.role}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_ultimate_member'" SecRule ARGS:page "@streq ihc_manage" "chain,t:none,t:lowercase" SecRule ARGS:tab "@streq users" "chain,t:none,t:lowercase" SecRule &ARGS:user_login "@gt 0" "chain,t:none" SecRule &ARGS:user_email "@gt 0" "chain,t:none" SecRule &ARGS:role "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141061,chain,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in RegistrationMagic Plugin for WordPress||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:page "@beginsWith rm_" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141062,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: SQLi vulnerability in RegistrationMagic Plugin for WordPress||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:page "@streq rm_field_manage" "chain,t:none" SecRule ARGS:rm_form_id "@rx \D" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin.php" "id:77141068,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,severity:5,msg:'IM360 WAF: WordPress custom-searchable-data-entry-system SQL injection||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_custom_searchable_data_entry_system',tag:'noshow'" SecRule ARGS:page "@streq sds-edit-field" "chain,t:none,t:lowercase" SecRule ARGS:sds-edit-field-id "@rx \D" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "id:77141075,chain,block,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: WordPress Vulnerability - Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_social_metrics_tracker'" SecRule ARGS:page "@streq social-metrics-tracker-export" "chain,t:none" SecRule ARGS:smt_download_export_file "@streq 1" "chain,t:none" SecRule ARGS:gapi_client_id "@rx [\x22<]" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST" "id:77142156,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthorized reset settings in the LiveChat <= 3.7.2 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq livechat_settings" "chain,t:none" SecRule ARGS:reset "@streq 1" "chain,t:none" SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77142157,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthorized update settings in the LiveChat <= 3.7.2 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq livechat_settings" "chain,t:none" SecRule REQUEST_HEADERS:Referer "@contains livechat_settings" "chain,t:none" SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77142158,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XSS in the LiveChat <= 3.7.2 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq livechat_settings" "chain,t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:Referer "@contains livechat_settings" "chain,t:none" SecRule ARGS "@contains >" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142181,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Persistent XSS Vulnerability in private content plus plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_private_content'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@pm wppcp-security-settings-page wppcp-settings" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142185,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: CSRF Vulnerability in LiveChat plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_live_chat_software_for_wordpress'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin-(?:ajax|post)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq wpsm_responslivechat_settings" "chain,t:none" SecRule &ARGS:licenseNumber "@gt 0" "chain,t:none" SecRule &ARGS:licenseEmail "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/options-general.php" "id:77316770,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: WordPress Plugin Limit Login Attempts Reloaded reflected XSS (CVE-2020-35590)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_limit_login_attempts_reloaded',tag:'wp_core'" SecRule ARGS:page "@streq limit-login-attempts" "chain,t:none,t:lowercase" SecRule ARGS:tab "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316771,chain,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SVG files upload allowed by default in Elementor < 3.0.14 WordPress plugin||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@rx ^elementor" "chain,t:none" SecRule FILES "@rx \.svg$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316787,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin||RSV:8.02||T:APACHE||Rfr:%{REQUEST_HEADERS.Referer}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_responsive_menu'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:normalizePath" SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none" SecRule ARGS:page "@streq themes" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316788,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin||RSV:8.02||T:APACHE||Rfr:%{REQUEST_HEADERS.Referer}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_responsive_menu'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:normalizePath" SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none" SecRule ARGS:page "@streq settings" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "id:77316823,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XSS vulnerability in Store Locator Plus plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:page "^slp_" "chain,t:none" SecRule ARGS:start "@rx \x22|'" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx POST" "id:77316829,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQL Injection in WP Statistics < 1.0.8 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_statistics'" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq wps_pages_page" "chain,t:none" SecRule ARGS:ID|ARGS:type "@rx \x22|\x27|\x2f|\x00|\x0a|\x0d" "t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77228110,chain,msg:'IM360 WAF: XSS vulnerabilities in Google Analyticator plugin before 6.4.9.6 for WordPress (CVE-2015-6238)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_google_analyticator'" SecRule ARGS:page "@streq google-analyticator" "chain,t:none,t:lowercase" SecRule ARGS:ga_admin_disable_DimentionIndex|ARGS:ga_adsense|ARGS:ga_downloads_prefix|ARGS:ga_downloads|ARGS:ga_outbound_prefix "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77228370,chain,msg:'IM360 WAF: XSS in the Collne Welcart e-Commerce plugin 1.8.2 for WordPress (CVE-2016-4827)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_welcart'" SecRule ARGS:page "@pm usces_itemnew usces_itemedit" "chain,t:none,t:lowercase" SecRule ARGS:post_title "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77228500,chain,msg:'IM360 WAF: XSS vulnerability in the Simple Sticky Footer plugin before 1.3.3 for WordPress (CVE-2014-9454)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_simple_sticky_footer'" SecRule ARGS:page "@streq simple-simple-sticky-footer" "chain,t:none,t:lowercase" SecRule ARGS:simple_sf_width|ARGS:simple_sf_style "@rx \'|<" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77228510,chain,msg:'IM360 WAF: XSS vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress (CVE-2014-2598)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_quick_pagepost_redirect_plugin'" SecRule ARGS:page "@streq redirect-updates" "chain,t:none,t:lowercase" SecRule ARGS:quickppr_redirects[request][]|ARGS:quickppr_redirects[destination][] "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77229500,chain,msg:'IM360 WAF: XSS vulnerability in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress (CVE-2015-9229)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_nextgen_gallery'" SecRule ARGS:page "@streq nggallery-manage-gallery" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule ARGS:/images\[\d*?\]\[alttext\]/ "@contains </script>" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77229920,chain,msg:'IM360 WAF: XSS vulnerability in Oturia Smart Google Code Inserter plugin before 3.5 for WordPress (CVE-2018-3810)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_smart_google_code_inserter'" SecRule ARGS:page "@streq smartcode" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq options-general.php" "chain,t:none,t:lowercase" SecRule ARGS:sgcgoogleanalytic|ARGS:sgcwebtools "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77230370,chain,msg:'IM360 WAF: XSS vulnerability in the User Profile & Membership plugin before 2.0.11 for WordPress (CVE-2018-10234)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_ultimate_member'" SecRule ARGS:page "@streq um_options" "chain,t:none,t:lowercase" SecRule ARGS:um_options[delete_account_text] "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77230610,chain,msg:'IM360 WAF: XSS vulnerability in WPtouch plugin 4.3.28 for WordPress (CVE-2018-17417)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_wptouch'" SecRule ARGS:page "@streq wptouch-admin-general-settings" "chain,t:none,t:lowercase" SecRule ARGS:wptouch__wptouch_pro__filtered_urls|ARGS:wptouch__wptouch_pro__force_locale|ARGS:wptouch__wptouch_pro__remove_shortcodes|ARGS:wptouch__wptouch_pro__custom_user_agents|ARGS:wptouch__wptouch_pro__site_title "@rx \x22|<" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77230660,chain,msg:'IM360 WAF: XSS vulnerability in Affiliates Manager plugin through 2.6.0 for WordPress (CVE-2018-17579)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_affiliates_manager'" SecRule ARGS:page "@streq wpam-settings" "chain,t:none,t:lowercase" SecRule ARGS:txtMinimumPayout|ARGS:txtCookieExpire|ARGS:txtEmailName|ARGS:txtEmailAddress|ARGS:affBountyAmount|ARGS:affCurrencySymbol|ARGS:affCurrencyCode "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77230690,chain,msg:'IM360 WAF: SQLi and XSS vulnerability in Slideshow Gallery 1.6.8 plugin for WordPress (CVE-2018-18017 CVE-2018-18018 and CVE-2018-18019)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_slideshow_gallery'" SecRule ARGS:page "@beginsWith slideshow-" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule ARGS:Slide[title]|ARGS:Slide[image_url]|ARGS:Gallery[id]|ARGS:Gallery[title] "@detectSQLi" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77230780,chain,msg:'IM360 WAF: XSS vulnerability in Ultimate Member - User Profile & Membership plugin 2.0.29 and before 2.0.28 for WordPress (CVE-2018-17866)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_ultimate_member',tag:'noshow'" SecRule ARGS:page "@streq um_options" "chain,t:none,t:lowercase" SecRule ARGS_NAMES "@beginsWith um_options" "chain,t:none,t:lowercase" SecRule ARGS|!ARGS:/um_options/ "@rx \x22|<" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@pm POST GET" "id:77230850,chain,msg:'IM360 WAF: XSS vulnerability in Appointments plugin 2.4.0 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_appointments'" SecRule ARGS:page "@streq app_settings" "chain,t:none,t:lowercase" SecRule ARGS|!ARGS:additional_css|!ARGS:confirmation_message|!ARGS:reminder_message|!ARGS:removal_notification_message "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77232620,chain,msg:'IM360 WAF: XSS vulnerability in Responsive-coming-soon-page plugin 1.1.18 for WordPress (CVE-2018-5657 CVE-2018-5659 CVE-2018-5660 CVE-2018-5661 CVE-2018-5662 CVE-2018-5663 CVE-2018-5664 CVE-2018-5665 and CVE-2018-5666)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_responsive_coming_soon_page'" SecRule ARGS:page "@streq rcsm-weblizar" "chain,t:none,t:lowercase" SecRule ARGS|!ARGS:coming-soon_message|!ARGS:subscriber_form_message "@rx \x22" "chain,t:none,t:urlDecode" SecRule ARGS_NAMES "@rx ^weblizar_rcsm_settings_save_(?:appearance|social|subscriber|counter_clock|footer)_option$" "t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77232830,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XSS vulnerability in Calendar plugin <= 1.3.10 (CVE-2018-18872)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_calendar'" SecRule ARGS:page "@within calendar calendar-categories" "chain,t:none,t:lowercase" SecRule ARGS:category_name|ARGS:event_title "@contains <" "t:none,t:urlDecode" SecRule &ARGS:page_id "@ge 1" "id:77221383,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress (CVE-2013-1407)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_events_manager'" SecRule ARGS:scope "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains wp-content/plugins/garagesale/templates/printAdminUsersList_Footer.tpl.php" "id:77221510,chain,msg:'IM360 WAF: XSS vulnerability in the GarageSale plugin before 1.2.3 for WordPress (CVE-2014-4532)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'wp_plugin_garagesale'" SecRule ARGS:page "@rx \x22" "t:urlDecode" SecRule REQUEST_FILENAME "@endsWith aprils-super-functions-pack/readme.php" "id:77226550,chain,msg:'IM360 WAF: XSS vulnerability in the April Super Functions Pack plugin before 1.4.8 for WordPress (CVE-2014-100026)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,tag:'wp_plugin_aprils_super_functions_pack'" SecRule ARGS:page "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith /codebase/spreadsheet.php" "id:77228300,chain,msg:'IM360 WAF: XSS vulnerability in the Spreadsheet (dhtmlxSpreadsheet) plugin 2.0 for WordPress (CVE-2013-6281)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:2,tag:'wp_plugin_dhtmlxspreadsheet'" SecRule ARGS:page "@contains <" "t:none,t:urlDecode" SecRule &ARGS:icl_post_action "@ge 1" "id:77230760,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XSS vulnerability WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 (CVE-2018-18069)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpml'" SecRule ARGS:page "@beginsWith sitepress-multilingual-cms-" "chain,t:none,t:lowercase" SecRule ARGS:/^locale_file_name_/ "@rx \x22" "t:none,t:urlDecode" SecRule ARGS:file "@contains .." "id:77228720,chain,msg:'IM360 WAF: Directory traversal vulnerability in XCloner plugin 3.1.1 for WordPress (CVE-2014-8606)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_xcloner_backup_and_restore'" SecRule ARGS:task "@streq download" "chain,t:none,t:lowercase" SecRule ARGS:page|ARGS:option "@pm xcloner_show com_xcloner-backupandrestore" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /administrator/index.php" "t:none,t:lowercase,t:normalizePath" SecRule REQUEST_METHOD "@pm POST GET" "id:77221420,chain,msg:'IM360 WAF: XSS vulnerability in the Meta Slider plugin 2.5 for WordPress (CVE-2014-4846)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_metaslider'" SecRule ARGS:page "@streq metaslider" "chain,t:none,t:lowercase" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77227590,chain,msg:'IM360 WAF: SQL injection vulnerabilities in the Pie Register plugin before 2.0.19 for WordPress (CVE-2015-7682)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_pie_register'" SecRule ARGS:page "@streq pie-invitation-codes" "chain,t:none,t:lowercase" SecRule ARGS:select_invitaion_code_bulk_option|ARGS:invi_del_id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77229680,chain,msg:'IM360 WAF: SQL injection vulnerability in Responsive Image Gallery plugin before 1.2.1 for WordPress (CVE-2017-14125)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_responsive_image_gallery'" SecRule ARGS:page "@streq wpdevart_gallery_themes" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77220292,chain,msg:'IM360 WAF: CSRF vulnerability in the Cart66 Lite plugin before 1.5.1.15 for WordPress (CVE-2013-5977)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_cart66_lite'" SecRule &ARGS:cart66-action "@ge 1" "chain,t:none" SecRule ARGS:page "@streq cart66-products" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77221172,chain,msg:'IM360 WAF: CSRF vulnerability in the WP125 plugin before 1.5.0 for WordPress (CVE-2013-2700)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,severity:5,tag:'wp_plugin_wp125'" SecRule &ARGS:adname "@eq 1" "chain" SecRule &ARGS:adtarget "@eq 1" "chain" SecRule &ARGS:adimage "@eq 1" "chain" SecRule ARGS:page "@streq wp125_addedit" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77221212,chain,msg:'IM360 WAF: CSRF vulnerability in the Search Everything plugin before 8.1.1 for WordPress (CVE-2014-3843)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_search_everything'" SecRule ARGS:page "@streq extend_search" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq options-general.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule ARGS:page "@streq ab_map_options" "id:77226391,chain,msg:'IM360 WAF: CSRF vulnerability in the AB Google Map Travel (AB-MAP) plugin before 4.0 for WordPress (CVE-2015-2755)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'wp_core'" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /admin.php" "id:77226501,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in the Contact Form DB plugin before 2.8.32 for WordPress (CVE-2015-1874)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:page "@streq cf7dbpluginsubmissions" "chain,t:none,t:lowercase" SecRule &ARGS:delete "@ge 1" "chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77226770,chain,msg:'IM360 WAF: SQL injection vulnerability in the NewStatPress plugin before 0.9.9 for WordPress (CVE-2015-4062)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_newstatpress'" SecRule ARGS:page "@streq nsp_search" "chain,t:none,t:lowercase" SecRule ARGS:/where[1-3]/ "!@rx ^[a-z]+$" "t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77227350,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress (CVE-2014-5460)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_slideshow_gallery'" SecRule ARGS:page "@streq slideshow-slides" "chain,t:none,t:lowercase" SecRule ARGS:method "@streq save" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx POST" "id:77227721,chain,msg:'IM360 WAF: CSRF vulnerability in the Timed Popup (wp-timed-popup) plugin 1.3 for WordPress (CVE-2014-9525)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_core'" SecRule ARGS:page "@contains wp-popup" "chain,t:none,t:lowercase" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77227821,chain,msg:'IM360 WAF: CSRF vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress (CVE-2014-9129)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_core'" SecRule ARGS:page "@streq cmdm_admin_settings" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@rx POST" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77229441,chain,msg:'IM360 WAF: CSRF vulnerability in Clean Login plugin before 1.8 for WordPress (CVE-2017-8875)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_core'" SecRule ARGS:page "@streq clean_login_menu" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@rx POST" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/options-general.php" "t:none,t:normalizePath" SecRule &TX:wp_user "@ge 1" "id:77210952,chain,msg:'IM360 WAF: CSRF vulnerability in Responsive-coming-soon-page plugin 1.1.18 for WordPress (CVE-2018-5658)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_core'" SecRule ARGS:page "@streq rcsm-weblizar" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule ARGS_NAMES "@rx ^weblizar\_rcsm\_settings\_save\_(?:appearance|social|subscriber|counter\_clock|footer)\_option$" "t:none,t:lowercase" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77229971,chain,msg:'IM360 WAF: CSRF vulnerability in Booking-calendar plugin 2.1.7 for WordPress (CVE-2018-5673)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_booking_calendar'" SecRule ARGS:page "@beginsWith wpdevart-" "chain,t:none,t:lowercase" SecRule MATCHED_VAR "@rx ^wpdevart-(?:forms|extras|themes)$" "chain" SecRule REQUEST_METHOD "@rx POST" "chain,t:none" SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77230531,chain,msg:'IM360 WAF: CSRF vulnerability in Metronet Tag Manager plugin version 1.2.7 for WordPress (CVE-2018-1000506)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_metronet_tag_manager'" SecRule ARGS:page "@streq metronet-tag-manager" "chain,t:none,t:lowercase" SecRule &ARGS:gtm-code-head|&ARGS:gtm-code "@ge 1" "chain,t:none" SecRule REQUEST_BASENAME "@streq options-general.php" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77230581,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF vulnerability in File Manager plugin 3.0 for WordPress (CVE-2018-16966)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule &ARGS:public_path "@ge 1" "chain,t:none" SecRule ARGS:page "@streq wp_file_manager_root" "t:none,t:lowercase" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77230641,chain,msg:'IM360 WAF: CSRF vulnerability in WP Fastest Cache 0.8.8.5 plugin for WordPress (CVE-2018-17584)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule &ARGS:wpFastestCachePage "@ge 1" "chain,t:none" SecRule ARGS:page "@streq wpfastestcacheoptions" "t:none,t:lowercase" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "id:77230791,chain,msg:'IM360 WAF: CSRF vulnerability in Slimstat Analytics 4.7.8.3 plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_core'" SecRule ARGS:page "@streq slimconfig" "chain,t:none,t:lowercase" SecRule REQUEST_METHOD "@streq POST" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule &ARGS:tfa_enable_tfa "@ge 1" "id:77232181,chain,msg:'IM360 WAF: CSRF vulnerability in two-factor-authentication plugin before 1.3.13 for WordPress (CVE-2018-20231)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_two_factor_authentication'" SecRule REQUEST_COOKIES:/^wordpress_sec/|REQUEST_COOKIES:/^wordpress_logged_in/ "@rx ([0-9a-fA-f]{32})$" "chain,t:none" SecRule ARGS:page "@streq two-factor-auth-user" "chain,t:none,t:lowercase" SecRule ARGS:two-factor-authentication "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77233121,chain,msg:'IM360 WAF: XSS vulnerability in WordPress Download Manager Plugin 2.9.96 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_download_manager'" SecRule ARGS:page "@streq templates" "chain,t:none,t:lowercase" SecRule ARGS:post_type "@streq wpdmpro" "chain,t:none,t:lowercase" SecRule ARGS|!ARGS:email_template[message] "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77233310,chain,msg:'IM360 WAF: XSS vulnerability in WP Nearby Places Basic plugin 1.3 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_wp_nearby_places_basic'" SecRule ARGS:page "@streq mynearbyplaces_settings" "chain,t:none,t:lowercase" SecRule ARGS "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77233470,chain,msg:'IM360 WAF: XSS exists in Share this Image Plugin of v1.19 or before for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_core'" SecRule ARGS:page "@streq sti-options" "chain,t:none,t:lowercase" SecRule ARGS:selector "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77233620,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi Vulnerability in 10Web Photo Gallery plugin < 1.5.31 (CVE-2019-14313)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_photo_gallery'" SecRule ARGS:page "@within albums_bwg galleries_bwg" "chain,t:none,t:lowercase" SecRule ARGS:orderby|ARGS:order "@rx \W" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm POST GET" "id:77233730,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQL injection vulnerability in FV Flowplayer Video Player plugin < 7.3.18.727||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_fv_wordpress_flowplayer'" SecRule ARGS:page "@streq fv_player" "chain,t:none,t:lowercase" SecRule ARGS:orderby|ARGS:order "!@within player_name id date_created desc asc" "t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77234071,chain,msg:'IM360 WAF: CSRF vulnerability in visitors-traffic-real-time-statistics plugin before 1.13 for WordPress (CVE-2019-15832)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_visitors_traffic_real_time_statistics'" SecRule ARGS:page "@streq ahc_hits_counter_settings" "chain,t:none,t:lowercase" SecRule &ARGS:/^set_/ "@ge 1" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77234090,chain,msg:'IM360 WAF: SQL vulnerability exists in AjdG AdRotate Plugin of v 5.2 or before for WordPress (CVE-2019-13570)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_adrotate'" SecRule ARGS:page "@streq adrotate-ads" "chain,t:none,t:lowercase" SecRule ARGS:ad "@rx \D" "t:none" SecRule ARGS:page "@streq owp_setup" "id:77234260,chain,msg:'IM360 WAF: Privilege escalation vulnerability in Ocean Extra plugin through 1.5.8 for WordPress (CVE-2019-16250)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'wp_plugin_ocean_extra'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "t:none,t:normalizePath,t:lowercase" SecRule ARGS:page "@streq lolmi-settings" "id:77234320,chain,msg:'IM360 WAF: Privilege escalation vulnerability in login-or-logout-menu-item plugin before 1.2.0 for WordPress (CVE-2019-15820)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'wp_plugin_login_or_logout_menu_item'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-general.php" "t:none,t:normalizePath" SecRule &ARGS:Export_Submit "@ge 1" "id:77234680,chain,msg:'IM360 WAF: Privilege escalation vulnerability in ultimate-faqs plugin through 1.8.24 for WordPress (CVE-2019-17232)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_core'" SecRule ARGS:page "@streq ewd-ufaq-options" "chain,t:none,t:lowercase" SecRule REQUEST_BASENAME "@streq admin.php" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77229180,chain,msg:'IM360 WAF: SQL Injection Vulnerability in Multi Meta Box plugin v1.0 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_multi_meta_box'" SecRule ARGS:page "@streq multi_metabox_listing" "chain,t:none,t:lowercase" SecRule ARGS:id "@rx \D" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77230750,chain,msg:'IM360 WAF: XSS vulnerability in Smart Slider3 plugin version 3.3.8 for WordPress (CVE-2018-18302 CVE-2018-18303 CVE-2018-18304 CVE-2018-18305)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'wp_plugin_smart_slider_3'" SecRule ARGS:page "@beginsWith smart-slider" "chain,t:none,t:lowercase" SecRule ARGS:sliderTitle|ARGS:slider[title]|ARGS:slide[title] "@contains <" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@streq POST" "id:77987061,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file read in Smart Slider 3 before 3.5.1.34 (CVE-2026-3098)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_smart_slider_3'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq smart-slider3" "chain,t:none,t:lowercase" SecRule ARGS:nextendcontroller "@streq slider" "chain,t:none,t:lowercase" SecRule ARGS:nextendaction "@rx ^export" "t:none,t:lowercase" SecRule REQUEST_METHOD "@pm POST GET" "id:77230980,chain,msg:'IM360 WAF: XSS vulnerability in Restrict User Access WordPress Plugin 1.0.1||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:5,tag:'wp_plugin_restrict_user_access'" SecRule ARGS:page "@streq wprua-edit" "chain,t:none,t:lowercase" SecRule ARGS:page|ARGS:duration[count] "@rx \D" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@streq POST" "id:77416292,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF in Restrict File Access plugin for WordPress <= 1.1.2 (CVE-2025-7667)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:page "@streq restrict-file-access" "t:none,chain" SecRule REQUEST_URI "@contains /wp-admin/upload.php" "t:none,chain" SecRule ARGS:deleteFile "!@rx ^$" "t:none,setvar:tx.rbl_infectors=1" SecMarker MARKER_page SecRule REQUEST_URI "@rx \/wp-content\/themes\/twenty[^\.]{0,108}\.php" "chain,id:77140740,phase:2,severity:2,nolog,auditlog,block,msg:'IM360 WAF: Twenty shell abuse attempt||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_URI "@pm /wp-content/uploads/2018/10/mod_config.php /wp-content/plugins/wp-to-twitter/tmhOAuth/sys.php.php /wp-content/themes/better-mag/footer.php /wp-content/plugins/sfn.php /wp-admin/yt.php /assets/images/accesson.php /wp-admin/maint/index.php /wp-admin/includes/index.php /wp-includes/css/login_wall.php /wp-logos.php /wp-icoud.php /wp-cahce.php /wp-content/indes.php /wp-includes/indes.php /wp-conde.php" "id:77140742,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Block abusive scripts||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx /admin-ajax.php" "id:77140750,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Privilege escalation flaw in WP GDPR Compliance plugin (CVE-2023-6700)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_gdpr_compliance'" SecRule ARGS "@rx (wpgdprc_process_action)" "t:none,chain" SecRule ARGS "@rx (\"option\"\s*?:\s*?\"users_can_register\"\s*?,\s*?\"value\"\s*?:\s*?\"1\"|\"default_role\"\s*?,\s*?\"value\"\s*?:\s*?\"administrator\")" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@streq PUT" "id:77140949,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitary file read in W3 Total Cache plugin before 0.9.4 for WordPres (CVE-2019-6715)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_w3_total_cache'" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/w3-total-cache/pub/sns.php" "chain,t:none,t:normalizePath" SecRule ARGS "@rx \x22Type\x22\s{0,100}:\s{0,100}\x22SubscriptionConfirmation\x22" "chain,t:none,t:urlDecode" SecRule MATCHED_VAR "@rx \x22SubscribeURL\x22\s{0,100}:\s{0,100}\x22file\:\/\/" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77141092,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Suspicious access attempt to admin-ajax.php. No referrer header||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain,t:none" SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none" SecRule REQUEST_FILENAME "@contains /wp-content/uploads/elementor/custom-icon" "id:77142112,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Combined Attack on Elementor Pro and Ultimate Addons||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'" SecRule REQUEST_FILENAME "!@rx \.(css|eot|html|js|json|otf|svg|ttf|txt|woff|woff2)$" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-content/uploads/file-manager/log.txt" "id:77142131,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Giribaz File Manager plugin before 5.0.2 Information Disclosure (CVE-2018-7204)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_file_manager'" SecRule REQUEST_METHOD "@streq POST" "id:77412181,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in AI Engine plugin for WordPress < 2.9.5 (CVE-2025-7847)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ai_engine'" SecRule REQUEST_URI "@contains /wp-json/ai-engine/v1/simpleFileUpload" "t:none,chain" SecRule REQUEST_HEADERS:Cookie "@contains wordpress_logged_in_" "t:none,chain" SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "t:none,chain" SecRule ARGS:filename "@rx (?i)\.(?:php|pht|phtml|phps|php3|php4|php5|php7|php8)$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77412181" SecRule REQUEST_METHOD "@streq POST" "id:77412182,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in AI Engine plugin for WordPress < 2.9.5 (CVE-2025-7847)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ai_engine'" SecRule REQUEST_URI "@contains /wp-json/ai-engine/v1/simpleFileUpload" "t:none,chain" SecRule REQUEST_HEADERS:Cookie "@contains wordpress_logged_in_" "t:none,chain" SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "t:none,chain" SecRule FILES_NAMES "@rx (?i)\.(?:php|pht|phtml|phps|php3|php4|php5|php7|php8)$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77412182" SecRule REQUEST_METHOD "@streq POST" "id:77294546,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in AI Engine plugin for WordPress before 3.3.3 (CVE-2026-1400)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ai_engine'" SecRule REQUEST_URI "@contains /wp-json/mwai/v1/helpers/update_media_metadata" "t:none,t:lowercase,chain" SecRule REQUEST_BODY "@rx \x22filename\x22\s{0,10}:\s{0,10}\x22[^\x22]{1,256}\.(?:ph(?:p\d?|ar|tml)|htaccess|shtml)" "t:none,t:lowercase" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/wp-total-donations/the-ajax-caller.php wp-cron.php" "id:77142178,chain,phase:2,block,nolog,auditlog,severity:2,t:normalizePath,msg:'IM360 WAF: WP Total Donations Plugin vulnerability (CVE-2019-6703)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS "@pm miglaA_ migla_getme" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /jquery-html5-file-upload/readme.txt" "id:77142196,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77142198,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "chain,t:none" SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142200,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/pw-bulk-edit\/(readme\.txt|results\.js|license\.txt)" "id:77142208,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: XSS in PW WooCommerce Bulk Edit (Recon)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_pw_bulk_edit'" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77316860,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/dzs-zoomsounds/savepng.php" "id:77350016,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Plugin dzs-zoomsounds < 6.05 for WordPress||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:location "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico|rb)\W" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77316921,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PF File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq piotnetforms_ajax_form_builder" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77316922,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: PAFE File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq pafe_ajax_form_builder" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_URI "@contains /wp-content/uploads/piotnet-addons-for-elementor/" "id:77316923,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: PF RCE||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_URI "@contains /wp-content/uploads/piotnetforms/files/" "id:77316924,chain,phase:2,block,nolog,auditlog,severity:2,t:normalizePath,msg:'IM360 WAF: PAFE RCE||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316937,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Data injection vulnerability in Automatic Plugin for WordPress||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||default_role:{ARGS.default_role}||users_can_register:%{ARGS.users_can_register}||home:%{ARGS.home}||siteurl:%{ARGS.siteurl}||names:%{ARGS.names}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /plugins/wp-automatic/process_form.php" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316937" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316863,chain,block,nolog,auditlog,severity:2,phase:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in dzs-videogallery WordPress plugin||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/super-forms/uploads/php/" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.(?:pht|phtml|php\d?)$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316934,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious access attempt with no referer - (WP folders)!||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "chain,t:none" SecRule REQUEST_URI "!@pm doing_wp_cron wffn_frontend_analytics guest.vary.php confirmation.php stripe" "chain,t:none" SecRule REQUEST_FILENAME "!@rx (?:guest\.vary|admin-ajax|wp-login|wp-load|post)\.php$" "chain,t:none" SecRule REQUEST_FILENAME "@rx (\.htaccess|\.(pht|phtml|php\d?|txt|md|js|shtml|xml)$)" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316864,chain,block,nolog,auditlog,severity:2,phase:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in SuperStoreFinder WordPress plugin||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/import.php" "chain,t:none,t:normalizePath" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_URI "@rx \/forums\/search\/\w{1,20}\/?--><" "id:77317942,chain,phase:2,t:none,pass,severity:5,auditlog,msg:'IM360 WAF: Cross-Site Scripting in Avada < 7.4.2 theme for WordPress||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx >/?$" "t:none" SecRule REQUEST_URI "@rx \/forums\/search\/" "id:77317943,chain,phase:2,t:none,pass,severity:5,auditlog,msg:'IM360 WAF: Cross-Site Scripting in Avada < 7.4.2 theme for WordPress||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx <[^\(]{0,200}.{0,30}[\x22'\x60][\)>]" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77317985,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: MStore API < 3.4.5 - Unauthenticated PHP File Upload||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-json/api/flutter_woo/config_file" "chain,t:lowercase" SecRule FILES_NAMES "@rx (?:config|config\.tifa)\.json\.php" "t:lowercase" SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318032,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318033,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-post.php/" "id:77350008,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Sensitive data disclosure vulnerability in UpdraftPlus Backup plugin for WordPress (CVE-2022-0633)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_updraftplus'" SecRule REQUEST_URI "@contains /wp-admin/options-general.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq updraftplus" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77243863,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Reflected XSS in UpdraftPlus plugin for WordPress < 1.25.1 (CVE-2025-0215)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_updraftplus'" SecRule ARGS:page "@streq updraftplus" "chain,t:none" SecRule ARGS:udaction "@streq initiate_restore" "chain,t:none" SecRule ARGS:showdata "@detectXSS" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316935,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Login attempt to WordPress with incorrect referer||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||SN:%{SERVER_NAME}||Rf:%{REQUEST_HEADERS.Referer}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /wp-login.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_URI "@rx \/wp-json\/omapp\/v1\/(?:info|support)" "id:77317973,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^OPTIONS$" "id:77317974,chain,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||RSV:8.02||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_URI "@contains omapp/v1" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:Referer "@contains https://wp.app.optinmonster.test" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317975,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||RSV:8.02||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_URI "@contains omapp/v1/api/regenerate" "chain,t:none,t:normalizePath" SecRule &ARGS:key "@eq 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77317975" SecRule REQUEST_METHOD "@rx ^POST$" "id:77317976,chain,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||RSV:8.02||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'" SecRule REQUEST_URI "@contains omapp/v1/api/regenerate" "chain,t:none,t:normalizePath" SecRule ARGS:key "@rx ^$" "t:none" SecRule REQUEST_FILENAME "@endsWith /public/assets/jquery-file-upload/server/php/index.php" "id:77318020,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF:jQuery-File-Upload <=9.22.0 - Arbitrary File Upload(CVE-2018-9206)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:file "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico|rb)\W" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77316867,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Blind SQL Injection in WP Statistics plugin for WordPress (CVE-2022-0513)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/wp-statistics/v2/hit" "chain,t:none,t:normalizePath" SecRule ARGS:exclusion_match|ARGS:wp_statistics_hit_rest "@rx ^(?:yes|1|true)" "chain,t:none,t:lowercase" SecRule ARGS:exclusion_reason "@rx '|\x22|\(" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith wp-content/plugins/wpcargo/includes/barcode.php" "id:77350018,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WPCargo < 6.9.0 - Unauthenticated RCE (CVE-2021-25003)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wpcargo'" SecRule &ARGS:text "@gt 0" "t:none,chain" SecRule ARGS:filepath "@rx (\.htaccess|\.(pht|phtml|php\d?))" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77350020,chain,block,t:none,severity:2,msg:'IM360 WAF: Stored XSS vulnerability in WordPress before 5.8.3 (CVE-2022-21662)||RSV:8.02||T:APACHE||MVN:%{TX.m_name}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:post_name "@rx \x22<" "t:none" SecRule REQUEST_METHOD "POST" "id:77350021,chain,pass,t:none,severity:5,msg:'IM360 WAF: SQLi possible in WP_Meta_Query WordPress class before 5.8.3 (CVE-2022-21664)||RSV:8.02||T:APACHE||MVN:%{TX.m_name}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:/query/ "@rx \x22alias\x22\:\[\x22([^\]\\\:]+)" "chain,t:none,setvar:tx.m_var=%{MATCHED_VAR},setvar:tx.m_name=%{MATCHED_VAR_NAME}" SecRule TX:m_var "@rx \x27|\)|\/\*|#" "t:none" SecRule REQUEST_METHOD "POST" "id:77350022,chain,pass,t:none,severity:5,msg:'IM360 WAF: Possiblle SQLi attack on WordPress||RSV:8.02||T:APACHE||MVN:%{TX.m_name}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:/query/ "@pm sleep( alert( <script /**/ 1=1 2>1 ../../../ ' chr(" "t:none,t:lowercase,setvar:tx.m_var=%{MATCHED_VAR},setvar:tx.m_name=%{MATCHED_VAR_NAME}" SecRule REQUEST_METHOD "POST" "id:77350023,chain,block,t:none,severity:2,msg:'IM360 WAF: Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "sgs2fa" "chain,t:none" SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath" SecRule &REQUEST_COOKIES:sgs_2fa_login_nonce "@eq 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350024,chain,block,t:none,severity:2,msg:'IM360 WAF: Authentication Bypass in SiteGround Security plugin WP_Query WordPress (CVE-2022-0992)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "sgs2fa" "chain,t:none" SecRule REQUEST_URI "@pm /wp-login.php /wp-signup.php" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule ARGS:action "add_custom_font" "id:77350034,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF to RCE in Tatsu Plugin for WordPress (CVE-2021-25094)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "POST" "id:77350035,chain,block,t:none,severity:2,msg:'IM360 WAF: Unauthenticated File Upload in Tatsu Plugin for WordPress (CVE-2021-25094)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "add_custom_font" "chain,t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule FILES "^\." "t:none" SecRule REQUEST_URI "@contains /typehub/custom/" "id:77350036,chain,block,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated RCE in Tatsu Plugin for WordPress (CVE-2021-25094)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_BASENAME "\.php" "t:none" SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php" "id:77350043,chain,block,t:none,severity:2,msg:'IM360 WAF: Authenticated Path Traversal and Local File Inclusion in JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1 for WordPress (CVE-2022-1657)||RSV:8.02||T:APACHE||MV:%{ARGS.slug}||',tag:'wp_core'" SecRule ARGS:action "(?:jupiterx|mka)_cp_load_pane_action" "chain,t:none" SecRule ARGS:slug "@rx \.\.\/\.\.\/" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350044,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS in Elementor <3.1.4 plugin for WordPrfess (CVE-2021-24891)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains #elementor-action:action=lightbox" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:settings|ARGS:html "@rx <script|\x22onerror\x22:" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350053,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS in Elementor <3.1.4 plugin for WordPrfess (CVE-2021-24891)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains #elementor-action:action=lightbox" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:settings|ARGS:html "@rx <script|\x22onerror\x22:" "t:none,t:base64Decode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350048,chain,pass,t:none,severity:5,msg:'IM360 WAF: Monitor XSS in Elementor <3.1.4 plugin for WordPrfess (CVE-2021-24891)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains #elementor-action:action=lightbox" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:settings "@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350045,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Elementor Website Builder plugin <= 3.5.5 for WordPress||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:videoType "@streq hosted" "chain,t:none" SecRule ARGS:videoParams|ARGS:onerror "@rx document\.|<script\)" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350054,chain,block,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Elementor Website Builder plugin <= 3.5.5 for WordPress||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS:videoType "@streq hosted" "chain,t:none" SecRule ARGS:videoParams|ARGS:onerror "@rx document\.|<script\)" "t:none,t:base64Decode" SecRule REQUEST_METHOD "POST" "id:77350055,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "POST" "id:77350056,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule ARGS:callback "!@rx ^$" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350057,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule &ARGS:option_key "@gt 0" "chain,t:none" SecRule ARGS:perpose "@streq update" "chain,t:none" SecRule ARGS:callback "@rx wp_(?:delete|upload)|phpinfo" "t:none" SecRule REQUEST_METHOD "POST" "id:77350058,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Track possible Unauthenticated Arbitrary Function Call in Woo Product Table < 3.1.2 for WordPress (CVE-2022-1020)||Callback:%{ARGS.callback}||opt_value:%{ARGS.option_value}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx wpt_admin_update_notice_option" "chain,t:none" SecRule &ARGS:option_key "@gt 0" "chain,t:none" SecRule ARGS:perpose "@streq update" "chain,t:none" SecRule ARGS:callback "!@rx ^$" "t:none" SecRule REQUEST_METHOD "POST" "id:77350082,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in Kaswara Modern WPBakery Page Builder Addons plugin for WordPress (CVE-2021-24284)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains uploadFontIcon" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "POST" "id:77350091,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Deletion in Download Manager Plugin for WordPress (CVE-2022-2431)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq before_delete_post" "chain,t:none" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "t:none,t:normalizePath" SecRule REQUEST_METHOD "POST" "id:77350092,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Deletion in Download Manager Plugin for WordPress (CVE-2022-2431)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq edit" "chain,t:none" SecRule REQUEST_FILENAME "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:file[files][] "@rx ^\/|\.\.\/\.\.\/" "t:none,t:normalizePath,t:urlDecode" SecRule REQUEST_METHOD "POST" "id:77350093,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Cross-Site Request Forgery in Ecwid Ecommerce Shopping Cart Plugin For WordPress (CVE-2022-2432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule &ARGS:ecwid_store_id|&ARGS:ecwid_store_page_id|&ARGS:ecwid_disable_dashboard|&ARGS:ecwid_disable_pb_url|&ARGS:ecwid_plugin_migration_since_version|&ARGS:ecwid_seo_links_enabled|&ARGS:ecwid_print_html_catalog|&ARGS:ecwid_api_status|&ARGS:ecwid_hide_canonical "@gt 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350094,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Cross-Site Request Forgery in Ecwid Ecommerce Shopping Cart Plugin For WordPress (CVE-2022-2432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:wp-nonce "@rx ^$|null" "chain,t:none,t:lowercase" SecRule &ARGS:ecwid_store_id|&ARGS:ecwid_store_page_id|&ARGS:ecwid_disable_dashboard|&ARGS:ecwid_disable_pb_url|&ARGS:ecwid_plugin_migration_since_version|&ARGS:ecwid_seo_links_enabled|&ARGS:ecwid_print_html_catalog|&ARGS:ecwid_api_status|&ARGS:ecwid_hide_canonical "@gt 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350095,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Cross-Site Request Forgery in Ecwid Ecommerce Shopping Cart Plugin For WordPress (CVE-2022-2432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:wp-nonce "@lt 1" "chain,t:none" SecRule &ARGS:ecwid_store_id|&ARGS:ecwid_store_page_id|&ARGS:ecwid_disable_dashboard|&ARGS:ecwid_disable_pb_url|&ARGS:ecwid_plugin_migration_since_version|&ARGS:ecwid_seo_links_enabled|&ARGS:ecwid_print_html_catalog|&ARGS:ecwid_api_status|&ARGS:ecwid_hide_canonical "@gt 0" "t:none" SecRule REQUEST_FILENAME "@pm /page.php /index.php" "id:77350096,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQL Injection via WordPress Link functionality||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:page|&ARGS:limit "@gt 0" "chain,t:none" SecRule ARGS:limit|ARGS:page|ARGS:id|ARGS:fid "@rx (?:<script>|\/\.\.\/etc\/passwd|exec xp_cmdshell|\/\*\*\/)" "t:none" SecRule REQUEST_FILENAME "@pm /product_details.php" "id:77350097,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQL Injection via id parameter||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:p_id|ARGS:productId|ARGS:id|ARGS:categ-id|ARGS:product-id "@rx (\/\*\*\/)" "t:none" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /admin-post.php /cgi-sys/autodiscover.cgi /cgi-sys/autoconfig.cgi /cgi-sys/suspendedpage.cgi /index.php" "id:77350098,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Arbitrary File Download/Read in BackupBuddy Plugin For WordPress (CVE-2022-31474)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:local-download|ARGS:local-destination-id "@pm /etc/passwd ../../ /wp-config.php .my.cnf .accesshash" "t:none" SecRule REQUEST_FILENAME "@pm wp-content/plugins/wpgateway/wpgateway-webservice-new.php" "id:77350104,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation in WPGateway WordPress plugin (CVE-2022-3180)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:wp_new_credentials "@eq 1" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350129,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE vulnerability in MailPress plugin for WordPress||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/mailpress/mp-includes/action.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq autosave" "chain,t:none" SecRule ARGS:subject "@contains <" "t:none,t:urlDecode" SecRule REQUEST_URI "@contains /wp-content/plugins/mailpress/mp-includes/action.php" "id:77350130,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Payload access attempt in MailPress plugin for WordPress||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq iview" "chain,t:none" SecRule ARGS:id "!@rx ^$" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx POST" "id:77350139,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@streq td_ajax_fb_login_user" "chain,t:none" SecRule ARGS:user[email] "!@rx ^$" "chain,t:none" SecRule &REQUEST_HEADERS:Referer "!@contains %{REQUEST_HEADERS.Host}" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350140,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq td_ajax_fb_login_user" "chain,t:none" SecRule ARGS:user[email] "!@rx ^$" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350141,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated account takeover in WordPress tagDiv Composer < 3.5 (CVE-2022-3477)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@streq td_ajax_fb_login_user" "chain,t:none" SecRule ARGS:user[email] "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350141'" SecRule REQUEST_METHOD "^POST$" "id:77350149,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible XMLRPC SSRF attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains xmlrpc" "chain,t:none" SecRule SERVER_NAME|REQUEST_HEADERS:Host "@rx [\#\?\[\]]" "t:none,t:htmlEntityDecode" SecRule REQUEST_METHOD "^POST$" "id:77350150,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible XMLRPC SSRF attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains xmlrpc" "chain,t:none" SecRule REQUEST_URI|ARGS "@rx (?:10|127)\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.[1-3]\d\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|localhost|fc00\:\:" "t:none,t:htmlEntityDecode" SecRule REQUEST_METHOD "^POST$" "id:77350151,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Possible XMLRPC SSRF attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains xmlrpc" "chain,t:none" SecRule REQUEST_URI|ARGS "@rx (?:gopher|doc|glob|file|phar|zlib|ftp|ldap|dict|ogg|data):\/\/" "t:none,t:htmlEntityDecode" SecRule REQUEST_METHOD "@rx ^GET$" "id:77162787,phase:5,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary Shortcode Execution in WordPress Popular Posts plugin for WordPress <= 7.1.0 (CVE-2024-11733)||MV:%{ARGS.time_quantity}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wordpress_popular_posts'" SecRule REQUEST_URI "@contains /wordpress-popular-posts/" "t:none,t:normalizePath,chain" SecRule ARGS:range "@streq custom" "t:none,chain" SecRule ARGS:time_quantity "@rx [^\d]" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350152,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: CSRF in Yith WooCommerce Gift Cards Premium plugin for WordPress||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none" SecRule ARGS:page "@streq yith_woocommerce_gift_cards_panel" "chain,t:none" SecRule REQUEST_HEADERS:referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350153,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Yith WooCommerce Gift Cards Premium plugin for WordPress (CVE-2022-45359)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||File:%{FILES}||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-admin/admin-post.php" "chain,t:none" SecRule ARGS:page "@streq yith_woocommerce_gift_cards_panel" "chain,t:none" SecRule ARGS:ywgc_safe_submit_field "@streq importing_gift_cards" "chain,t:none" SecRule FILES:file_import_csv "!@rx \.csv$" "t:none" SecRule REQUEST_URI "@contains /members/member_detail.php" "id:77350154,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection Vulnerability in profile builder 3.0.5 plugin for WordPress||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:id "@rx \D" "t:none" SecRule ARGS:template_pagination_path|ARGS:template_path|ARGS:template_path_item "@contains \/..\/.." "id:77350157,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Local File Inclusion in LearnPress plugin for WordPress (CVE-2022-47615)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:ORDER_BY|ARGS:GROUP_BY "@rx (?:^[^{])\x27|\x28|\x7c\x7c|--|=" "id:77350158,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Track Unauthenticated SQL Injection in LearnPress plugin for WordPress (CVE-2022-45808)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS_NAMES "@contains learn_press_recent_courses learn_press_featured_courses" "id:77350159,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Track Authenticated SQL Injection in LearnPress plugin for WordPress (CVE-2022-45820)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule MATCHED_VAR "@rx (?:^[^{])\x27|\x28|\x7c\x7c|--|=" "t:none" SecRule REQUEST_METHOD "POST" "id:77350164,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF in Quick Restaurant Menu <= 2.0.2 plugin for WordPress (CVE-2023-0554)||RSV:8.02||T:APACHE||Action:%{ARGS.action}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx erm_(?:delete|create|update)_menu_item" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350170,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Insecure Deserialization in BuddyForms Plugin < 2.7.8 for WordPress (CVE-2023-26326)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx upload_image_from_url" "chain,t:none" SecRule ARGS:url "@rx ^phar|\.phar$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350171,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track suspicious upload in WordPress||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx upload" "chain,t:none" SecRule ARGS:url "!@rx ^http" "t:none" SecRule REQUEST_COOKIES:/platform_checkout_session/ "!@rx ^$" "id:77350172,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule RESPONSE_HEADERS:set-cookie "@rx platform_checkout_session" "id:77350173,phase:3,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx POST" "id:77350174,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:X_WCPAY_PLATFORM_CHECKOUT_USER "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350175,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:Content-Length "!@rx ^([56789]\d{6,999}|\d{8,999})$" "chain,t:none" SecRule FILES "@rx ^$" "chain,t:none" SecRule ARGS|REQUEST_BODY "@contains X_WCPAY_PLATFORM_CHECKOUT_USER" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350188,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:/X_WCPAY_PLATFORM_CHECKOUT_USER/ "@rx \d" "chain,t:none" SecRule ARGS:roles[] "@rx administrator|contributor" "t:none,t:lowercase" SecRule REQUEST_URI "@rx /wp-admin/" "id:77350176,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation in Elementor Pro < 3.11.7 (CWE-862)||MV:%{ARGS.wc-ajax}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:wc-ajax "@rx ^\d" "t:none" SecRule REQUEST_HEADERS:x-forwarded-for|REQUEST_HEADERS:x-real-ip "@rx src=|href=|>\s*<|'\\'\\\x22\x22|'<\s*\x22" "id:77350183,phase:1,block,nolog,auditlog,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: XSS in X-Forwarded-For request header||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:x-forwarded-for|REQUEST_HEADERS:x-real-ip "@rx <[^\s.]+\s+[^=.]+=[^(]+\([^)]+\)" "id:77350184,phase:1,block,nolog,auditlog,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Unauthenticated Stored XSS in Limit Login Attempts <= 1.7.1 plugin for WordPress (CVE-2023-1912)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350189,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Stored Cross-Site Scripting in Shield Security <= 17.0.17 (CVE-2023-0992)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:User-Agent "@rx <script" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350190,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@rx (wlwmanifest\.xml|readme\.txt|changelog\.(md|txt)|lang_upload\.php|arm_widgets_js\.js|__\sUPDATES.txt|wpuef-configurator.js)" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350207,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule RESPONSE_STATUS "!@rx ^20" "chain,t:none" SecRule REQUEST_FILENAME "@rx (wlwmanifest\.xml|readme\.txt|changelog\.(md|txt)|lang_upload\.php|arm_widgets_js\.js|__\sUPDATES.txt|wpuef-configurator.js)" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350588,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration using wlwmanifest.xml||MV:%{MATCHED_VAR}||User:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains wlwmanifest.xml" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350589,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration using readme.txt||MV:%{MATCHED_VAR}||User:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains readme.txt" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350590,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration using changelog||MV:%{MATCHED_VAR}||User:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@rx changelog\.(?:md|txt)" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350591,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration using lang_upload||MV:%{MATCHED_VAR}||User:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains lang_upload.php" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350592,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration using arm_widgets_js||MV:%{MATCHED_VAR}||User:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains arm_widgets_js.js" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350593,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration using UPDATES.txt||MV:%{MATCHED_VAR}||User:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@rx __\s?UPDATES\.txt" "t:none" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "id:77350594,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: WordPress plugins/themes version enumeration using wpuef-configurator||MV:%{MATCHED_VAR}||User:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains wpuef-configurator.js" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77350193,chain,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Privilege Escalation (CVE-2023-32243)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@streq login_or_register_user" "chain,t:none,t:lowercase" SecRule ARGS:eael-resetpassword-submit "@streq true" "chain,t:none,t:lowercase" SecRule &ARGS:eael-pass1 "@eq 1" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt" "id:77350194,chain,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Vulnerable version discovery (CVE-2023-32243)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350198,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Stored XSS vulnerability in Beautiful Cookie Consent Banner <= 2.10.1 WordPress plugin||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:nsc_bar_content_href "@rx \x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350201,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege Escalation in ReviewX <= 1.6.13 for WooCommerce for WordPress (CVE-2023-2833)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_reviewx'" SecRule ARGS:wp_screen_options[value] "\D" "t:none" SecRule REQUEST_URI "@contains getwid/v1/get_remote_content" "id:77350203,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated SSRF in Getwid <= 1.8.3 plugin for WordPress (CVE-2023-1895)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:get_content_url "!@contains /wp-json/getwid-templates-server/v1/get_content" "t:none,t:normalizePath" SecRule REQUEST_FILENAME "\/[\.#]?wp-config[\.-][\w\._-]*(?:[#~]|(?:inc|txt|tar|xml|zip|bak|old|orig(?:inal)?|save|\d|sw(?:p|o)))$" "id:77350212,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "wp-config.php" "id:77350213,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via Advanced Access Manager < 5.9.9 plugin for WordPress (CVE-2019-25213)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_plugin_advanced_access_manager'" SecRule ARGS:aam-media "@rx \d+" "t:none" SecRule ARGS:aam-media "@contains wp-config.php" "id:77350214,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure via Advanced Access Manager < 5.9.9 plugin for WordPress (CVE-2019-25213)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_plugin_advanced_access_manager'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-admin/edit.php /wp-content/force-download.php" "id:77350215,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress plugins||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:action "@gt 0" "chain,t:none" SecRule REQUEST_URI|ARGS:img|ARGS:file|ARGS:path|ARGS:f "@contains ../wp-config.php" "t:none" SecRule REQUEST_FILENAME "@contains /wp-content/cache/log/" "id:77350216,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress plugins||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .log" "t:none" SecRule REQUEST_FILENAME "@contains /wp-content/themes/" "id:77350217,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via WordPress themes||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:arquivo "wp-config.php" "t:none" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "id:77350218,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via WordPress plugins||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:download|ARGS:/path/|ARGS:cfg|ARGS:id|ARGS:wap|ARGS:var|ARGS:f|ARGS:info|ARGS:destinations "wp-config.php" "t:none" SecRule REQUEST_FILENAME "/wp-content/uploads/(?:file-manager\/)?(?:log|wp-config-backup)\.txt" "id:77350219,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure via File Manager plugin for WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-e-commerce/wpsc-includes/misc.functions.php" "id:77350220,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP-E-Commerce plugin < 3.8.9.5 for WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule ARGS:image_name "wp-config.php" "t:none" SecRule ARGS:wpv-image "wp-config.php" "id:77350221,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP Vault 0.8.6.6 plugin for WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_URI "@pm /_wpeprivate/config.json " "id:77350222,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information disclosure in WPEngine plugin for WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule ARGS:aam-media "@contains wp-config.php" "id:77350230,block,nolog,auditlog,t:none,t:base64Decode,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure via Advanced Access Manager < 5.9.9 plugin for WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-admin/admin-ajax.php /wp-admin/edit.php /wp-content/force-download.php" "id:77350231,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt in WordPress plugins||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:action "@gt 0" "chain,t:none" SecRule REQUEST_URI|ARGS:img|ARGS:file|ARGS:path|ARGS:f "@contains ../wp-config.php" "t:none,t:base64Decode" SecRule REQUEST_FILENAME "@contains /wp-content/themes/" "id:77350232,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via WordPress themes||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:arquivo "wp-config.php" "t:none,t:base64Decode" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/" "id:77350233,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: Information Disclosure Attempt via WordPress plugins||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_BASENAME "@endsWith .php" "chain,t:none" SecRule ARGS:/file/|ARGS:/url/|ARGS:/img/|ARGS:download|ARGS:/path/|ARGS:cfg|ARGS:id|ARGS:wap|ARGS:var|ARGS:f|ARGS:info|ARGS:destinations "wp-config.php" "t:none,t:base64Decode" SecRule REQUEST_FILENAME "@contains /wp-e-commerce/wpsc-includes/misc.functions.php" "id:77350234,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP-E-Commerce plugin < 3.8.9.5 for WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule ARGS:image_name "wp-config.php" "t:none,t:base64Decode" SecRule ARGS:wpv-image "wp-config.php" "id:77350235,block,nolog,auditlog,t:none,t:base64Decode,severity:2,t:htmlEntityDecode,msg:'IM360 WAF: LFI in WP Vault 0.8.6.6 plugin for WordPress||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350236,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress Plugin Stripe Payment <= 3.7.7 Authentication Bypass WooCommerce (CVE-2023-3162)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule &ARGS:createaccount "@gt 0 " "chain,t:none" SecRule ARGS:action|ARGS:wc-ajax "@rx eh_spg_stripe_cancel_order" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350227,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx (?:save|user_registration_update)_profile_details" "chain,t:none" SecRule ARGS:profile_pic_url|ARGS:url "@rx \.(pht|phtml|php\d?)$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350228,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Possible Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx (?:save|user_registration_update)_profile_details" "chain,t:none" SecRule ARGS:profile_pic_url|ARGS:url "!@rx ^$" "t:none" SecRule REQUEST_FILENAME "@contains wp-content/uploads/user_registration_uploads/temp-uploads/" "id:77350229,chain,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "!@rx \.(?:jpeg|jpg|gif|png)$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350238,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Account Takeover in ARMember < 3.4.8 WordPress Plugin (CVE-2022-1903)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx arm_shortcode_form_ajax_action" "chain,t:none" SecRule ARGS:arm_action "@streq change-password" "chain,t:none" SecRule ARGS:action2 "@streq rp" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350244,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Donation Forms by Charitable <= 1.7.0.12 Plugin for WordPress (CVE-2023-4404)||MV:%{ARGS.role}||RSV:8.02||T:APACHE||',tag:'wp_plugin_charitable'" SecRule ARGS:charitable_action "@streq save_registration" "chain,t:none" SecRule &ARGS:role "@gt 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350246,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Blind authenticated SQLi vulnerability in Slimstat Analytics <= 5.0.9 Plugin For WordPress (CVE-2023-4598)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-json/ /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:shortcode|ARGS:content "@rx \[slimstat" "chain,t:none" SecRule ARGS:shortcode|ARGS:content "!@rx wp:\[slimstat\s[^\]]+(w='\w{2,20}(?:'\]|'\s))" "t:none" SecRule REQUEST_URI "@contains /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php" "chain,id:77350251,block,nolog,auditlog,phase:2,severity:2,msg:'IM360 WAF: RCE in WordPress Media-Library plugin < 3.10 (CVE-2023-4634)||File:%{TX.0}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:mla_stream_file "@contains ://" "t:none" SecRule REQUEST_METHOD "POST" "id:77350252,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: WordPress malicious plugin install block||SC:%{SCRIPT_FILENAME}||Action:%{ARGS.action}||Plugin:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||Theme:%{FILES.themezip}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-ajax|theme-editor|plugin-install|plugin-editor|update)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^(?:update|activate|upload|install)-(?:plugin|theme)$|^edit-theme-plugin-file$" "chain,t:none" SecRule ARGS:/plugin/|ARGS:/theme/|ARGS:/file/ "@rx \b(wordpresscore|wp-zexit|wp-clearlineee|wp-resortpack|ioptimization|bqxtbuu|blnmrpb|wp-breeze|loftloader\.2\.4\.0|cve-2023-45124|root-file-manager|ph-file-manager|zer0day|file-manager-zeroday|phoenix_|wp-engine-module|wp-kernel-module|core-stab|task-controller|wp-json-api-disable|wp-security-enforcements|wordpress-theme-security|ai-seo-fix|WPRobot3|wp-proportioning-cyberterrorism|wp-federally-sadi|wp-resonator-lockage|wp-state-basic|wp-security-prime|wp-engine-fast-action|wpcs|hellos|wppf|foxiplugin|handsome_toaster|Goodwin|one_images_user|wp-content-optimizer|xkrfp|toolkit-service|wp-performance-tools)\b" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77216767,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: WordPress malicious plugin install block||Action:%{ARGS.action}||Plugin:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||Theme:%{FILES.themezip}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-ajax|theme-editor|plugin-install|plugin-editor|update)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^(?:update|activate|upload|install)-(?:plugin|theme)$|^edit-theme-plugin-file$" "chain,t:none" SecRule ARGS:/plugin/|ARGS:/theme/|ARGS:/file/ "@rx \bwpboost\b|\bwp-security-helper\b|\bdummy-plugin\b" "t:none,t:lowercase" SecRule REQUEST_URI "@rx \/plugins\/((?i)wordpresscore|core-engine|TOPXOH|wp-zexit|wp-clearlineee|wp-resortpack|apikey|ioptimization|bqxtbuu|blnmrpb|wp-breeze|loftloader\.2\.4\.0|cve-2023-45124|root-file-manager|ph-file-manager|zer0day|file-manager-zeroday|phoenix_|wp-engine-module|wp-kernel-module|core-stab|task-controller|wp-json-api-disable|wp-security-enforcements|wordpress-theme-security|ai-seo-fix|WPRobot3|wp-proportioning-cyberterrorism|wp-federally-sadi|wp-resonator-lockage|wp-state-basic|hellos|wp-security-prime|wp-engine-fast-action|wpcs|wppf|foxiplugin|handsome_toaster|Goodwin|google-gdpr|one_images_user|wp-content-optimizer|xkrfp|toolkit-service|wp-performance-tools)\/" "id:77350295,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/?plugins\/(minipiwertumin2|aplugin|hellowp|pwnd|se[o]{2,3}?x?|santuy|seslmfescg|1122|wp-lazyload-\w+-module|wordpress-for|hellos)\/" "id:77350390,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/?plugins\/(seoplugins\/db|instabuilder2\/cache\/plugins\/moon)\.php" "id:77350392,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "POST" "id:77350558,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: WordPress malicious plugin install block||SC:%{SCRIPT_FILENAME}||Plugin:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||Theme:%{FILES.themezip}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/(?:admin-ajax|theme-editor|plugin-install|plugin-editor|update)\.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx (?:edit-theme-plugin-file|update|activate|(?:upload|install-(?:plugin|theme)))" "chain,t:none" SecRule ARGS:/plugin/|ARGS:/theme/|ARGS:/file/ "@rx ^(custom-css-injector|quick-cache-cleaner|universal-popup-plugin-v\d+|litespeed-cache-classic|monsterinsights-classic|custom-footer-generator|wordfence-security-classic|custom-login-styler|search-rank-enhancer|dynamic-sidebar-manager|seo-booster-pro|easy-themes-manager|google-seo-enhancer|form-builder-pro|rank-booster-pro|quick-cache-cleaner|admin-bar-customizer|responsive-menu-builder|advanced-user-manager|seo-optimizer-pro|advanced-widget-manage|simple-post-enhancer|content-blocker|social-media-integrator)" "t:none,t:lowercase" SecRule REQUEST_URI "@rx \/plugins\/(custom-css-injector|quick-cache-cleaner|universal-popup-plugin-v\d+|litespeed-cache-classic|monsterinsights-classic|custom-footer-generator|wordfence-security-classic|custom-login-styler|search-rank-enhancer|dynamic-sidebar-manager|seo-booster-pro|easy-themes-manager|google-seo-enhancer|form-builder-pro|rank-booster-pro|quick-cache-cleaner|admin-bar-customizer|responsive-menu-builder|advanced-user-manager|seo-optimizer-pro|advanced-widget-manage|simple-post-enhancer|content-blocker|social-media-integrator|wp-security-helper|dummy-plugin|wpboost)\/" "id:77350559,pass,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "POST" "id:77350253,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.78 Plugin For WordPress (CVE-2023-5360)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "wpr_addons_upload_file" "chain,t:none" SecRule ARGS:allowed_file_types "@rx \W" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350256,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Stored XSS in tagDiv Composer < 4.2 WordPress plugin (CVE-2023-3169)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/tdw/save_css" "chain,t:none,t:normalizePath" SecRule ARGS:compiled_css "@rx ^<\/style" "t:none,t:urlDecode" SecRule REQUEST_METHOD "POST" "id:77350257,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Subscriber and Arbitrary Shortcode Execution in WordPress < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm /wp-json/ /admin-ajax.php" "chain,t:none" SecRule ARGS:content|ARGS:shortcode "@pm [embed [sql" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350257'" SecRule REQUEST_METHOD "POST" "id:77350259,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS in Navigation Links in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-json/wp/v2/" "chain,t:none" SecRule ARGS:content "@rx <!--wp:post-navigation-link[^-]+?arrow\x22:\x22([^←→]+)\x22" "t:none,t:urlDecode" SecRule REQUEST_METHOD "POST" "id:77350260,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Stored XSS in Footnotes in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp/v2/" "chain,t:none" SecRule ARGS:content "@rx \x22footnotes\x22:\x22\[\{[^\}]*<script[^\}]*\}" "t:none" SecRule REQUEST_URI "@contains /wp/v2/users" "id:77350262,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Sensitive Information Exposure via User Search REST Endpoint in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:search "@rx ^(i:user_login|user_nicename|display_name|ID)$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350262" SecRule REQUEST_METHOD "POST" "id:77350263,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Reflected XSS via Application Password Requests in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:reject_url|ARGS:success_url "@pm javascript: data:" "t:none" SecRule REQUEST_METHOD "POST" "id:77350264,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Reflected XSS via Application Password Requests in WordPress Core < 6.3.2||reject_url:%{ARGS.reject_url}||success_url:%{ARGS.success_url}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/" "chain,t:none,t:normalizePath" SecRule ARGS:reject_url|ARGS:success_url "@rx ^https?://" "chain,t:none" SecRule MATCHED_VAR "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "POST" "id:77350267,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQL Injection in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5204)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_chatbot'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq wpbo_search_site" "chain,t:none" SecRule ARGS:strid "@pm union case sleep()" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77350268,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: CSRF vulnerability in AI ChatBot Plugin < 4.9.1 for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_chatbot'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qcld_openai_delete_training_file" "chain,t:none" SecRule &ARGS:file "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "POST" "id:77350269,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Deletion in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5212)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_chatbot'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx qcld_openai_(delete_training|upload_pagetraining)_file" "chain,t:none" SecRule ARGS:file|ARGS:filename "@contains ../" "t:none" SecRule REQUEST_FILENAME|PATH_INFO "@rx (?:\/wp-content)\/plugins\/apikey\/apikey.php" "id:77350276,block,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress WebShell in Fake Plugin apikey||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_METHOD "@streq post" "chain,id:77350277,block,nolog,auditlog,phase:2,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload leading to RCE in WordPress plugin WP Live Chart Support Pro < 8.0.07 (CVE-2018-12426)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||REQUEST_FILENAME:%{REQUEST_FILENAME}||',tag:'wp_core',tag:'wp_plugin_wp_live_chat_support'" SecRule REQUEST_HEADERS:Content-Type "@contains image" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-json/wp_live_chat_support/v1/remote_upload" "chain,t:none,t:normalizePath" SecRule FILES "@rx (\.(pht|phtml|php\d?)$)" "t:none" SecRule TX:wp_user "@rx [\x00\x0A\x0D\x1A]" "id:77350278,phase:1,pass,nolog,auditlog,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Unauthenticated SQLi Vulnerability in WP Fastest Cache < 1.2.2 plugin for WordPress (CVE-2023-6063)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_fastest_cache'" SecRule REQUEST_METHOD "@rx POST" "id:77350284,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Information Disclosure in UserPro <= 5.1.1 plugin for WordPress (CVE-2023-2446)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx userpro_shortcode_template" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350284" SecRule REQUEST_METHOD "@rx POST" "id:77350285,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass in UserPro <= 5.1.1 plugin for WordPress (CVE-2023-2437)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@contains userpro_fbconnect" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350285" SecRule REQUEST_METHOD "@rx POST" "id:77350292,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible Authenticated Privilage Escalation and Information Disclosure in UserPro <= 5.1.1 plugin for WordPress (CVE-2023-6009, CVE-2023-2446)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq userpro_process_form" "chain,t:none" SecRule ARGS:template "@pm change edit" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350292" SecRule REQUEST_METHOD "@rx POST" "id:77350290,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File Upload in MW WP Form plugin for WordPress (CVE-2023-6316)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &REQUEST_COOKIES:/mw-wp-form/ "@gt 0" "chain,t:none" SecRule &ARGS:mw-wp-form-form-id "@gt 0" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "^GET|^POST" "chain,id:77350294,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: Fake WordPress plugin CVE-2023-45124 activation attempt||Plugin:%{MATCHED_VAR}||Time:%{TIME}||Addr:%{tx.remote_addr};login:%{IP.wp_logged_in};get:%{IP.wp_get_req};edit:%{TX.wp_theme_edit}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/plugins.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq activate" "chain,t:none" SecRule ARGS:plugin "@contains wpress-security-wordpress" "t:none,t:lowercase" SecRule REQUEST_METHOD "^GET|^POST" "chain,id:77375043,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress fake plugin activation attempt||Plugin:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/plugins.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq activate" "chain,t:none" SecRule ARGS:plugin "@pm wordpresscore/ wp-zexit/ wp-clearlineee/ wp-resortpack/ ioptimization/ bqxtbuu/ blnmrpb/ wp-breeze/ cve-2023-45124/ root-file-manager/ ph-file-manager/ zer0day/ file-manager-zeroday/ wp-engine-module/ wp-kernel-module/ core-stab/ task-controller/ wp-json-api-disable/ wp-security-enforcements/ wordpress-theme-security/ ai-seo-fix/ wprobot3/ wp-proportioning-cyberterrorism/ wp-federally-sadi/ wp-resonator-lockage/ wp-state-basic/ wp-security-prime/ wp-engine-fast-action/ wpcs/ hellos/ wppf/ foxiplugin/ handsome_toaster/ goodwin/ core-engine/ topxoh/ apikey/ google-gdpr/ wpboost/ wp-security-helper/ dummy-plugin/ wpress-security-wordpress/ custom-css-injector/ quick-cache-cleaner/ litespeed-cache-classic/ monsterinsights-classic/ custom-footer-generator/ wordfence-security-classic/ custom-login-styler/ search-rank-enhancer/ dynamic-sidebar-manager/ seo-booster-pro/ easy-themes-manager/ google-seo-enhancer/ form-builder-pro/ rank-booster-pro/ admin-bar-customizer/ responsive-menu-builder/ advanced-user-manager/ seo-optimizer-pro/ advanced-widget-manage/ simple-post-enhancer/ content-blocker/ social-media-integrator/ minipiwertumin2/ aplugin/ hellowp/ pwnd/ santuy/ seslmfescg/ 1122/ one_images_user/ wp-content-optimizer/ xkrfp/ toolkit-service/ wp-performance-tools/" "t:none,t:lowercase" SecRule REQUEST_METHOD "^GET|^POST" "chain,id:77185818,block,nolog,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: WordPress fake plugin activation attempt||Plugin:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/plugins.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq activate" "chain,t:none" SecRule ARGS:plugin "@rx (?:loftloader\.2\.4\.0|phoenix_|universal-popup-plugin-v\d+|se[o]{2,3}?x?|\w+-wp-core-plugin|\w+-wp-base-plugin|wp-lazyload-\w+-module|wordpress-for)\/" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350298,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File Upload in Elementor <= 3.18.1 plugin for WordPress (CVE-2023-48777)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx elementor_ajax" "chain,t:none" SecRule ARGS:actions "@rx import_template[^{]+{\x22fileName\x22:\x22([^\x22]+)\x22," "chain,t:none,capture" SecRule TX:1 "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350298'" SecRule REQUEST_FILENAME "@rx wp-content\/uploads\/elementor\/tmp\/[\w]+\/[^\n]+\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)$" "id:77350299,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Suspicious File Access in Elementor <= 3.18.1 plugin for WordPress (CVE-2023-48777)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@streq POST" "id:77851271,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in Elementor before 3.18.2 (CVE-2023-48777)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_elementor'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq elementor_library_direct_actions" "chain,t:none" SecRule ARGS:library_action "@streq import_template" "chain,t:none" SecRule ARGS:fileName "@rx (?i)(?:\x2e\x2e[\x2f\x5c]|\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)$)" "t:none,t:urlDecodeUni" SecRule REQUEST_HEADERS:content-dir|REQUEST_HEADERS:content-abs "@gt 256" "id:77350301,phase:2,block,nolog,auditlog,severity:2,t:none,t:length,msg:'IM360 WAF: RCE in Backup Migration <= 1.3.7 WordPress plugin (CVE-2023-6553)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_backup_backup'" SecRule REQUEST_HEADERS:content-dir|REQUEST_HEADERS:content-abs "@pm php: |" "id:77350302,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE in Backup Migration <= 1.3.7 WordPress plugin (CVE-2023-6553)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_backup_backup'" SecRule &REQUEST_HEADERS:content-dir|&REQUEST_HEADERS:content-abs "@gt 0" "id:77350303,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE in Backup Migration <= 1.3.7 WordPress plugin (CVE-2023-6553)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350303',tag:'wp_plugin_backup_backup'" SecRule REQUEST_METHOD "@streq POST" "id:77589758,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: OS Command Injection in Backup Migration plugin for WordPress < 1.4.0 (CVE-2023-7002)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_backup_backup'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@contains backup_migration_ajax" "chain,t:none" SecRule ARGS:f "@streq download-backup" "chain,t:none" SecRule ARGS:url "@rx (?:\$\(|\$\{|\x60|;[\s]{0,32}(whoami|id|cat|ls|wget|curl|bash|sh|nc|netcat|python|perl|php|ruby)|[\|&]{1,2}[\s]{0,32}(whoami|id|cat|ls|wget|curl|bash|sh|nc)|[\$\x60\x3b|&<>(){}])" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142148,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Category Page Icons <= 0.9.1 - Arbitrary File Upload via Path Traversal||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-content\/plugins\/category-page-icons\/include\/wpdev-flash-uploader\.php" "chain,t:none,t:normalizePath" SecRule ARGS:dir_icons "@rx \.\.\/" "t:none" SecRule REQUEST_URI "@contains /batch/v1" "id:77350261,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: DoS via Cache Poisoning in WordPress Core < 6.3.2||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &REQUEST_HEADERS:HTTP_X_HTTP_METHOD_OVERRIDE "@gt 0" "chain,t:none" SecRule RESPONSE_STATUS "@rx ^4" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77350307,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Prohibited WordPress username login/registration||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:log "@rx ^(?:usr_[a-f0-9]{8}$|deleted-|wpsupp-user|wp-configuser\.|wp_update-|wadminw|yanz\@123457|greeceman|adm1nlxg1n|wordpresupport@|admnlxgxn|95191841|martin_smith|adminbockup|trumpweiss|admmubee|adm1aae5o)" "t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77350420,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Malicious WordPress user detected (CVE-2024-6297)||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:log "@rx ^(PluginAUTH|PluginGuest|Options)$" "t:none" SecRule REQUEST_METHOD "!@streq GET" "id:77657465,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass in ZM Ajax Login & Register plugin for WordPress < 2.0.3 (CVE-2023-2027)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq facebook_login" "t:none,chain" SecRule &REQUEST_COOKIES:/wordpress_[a-f0-9]+/ "@eq 0" "t:none,chain" SecRule REQUEST_FILENAME "@rx /wp-content/plugins/zm-ajax-login-register/|/wp-admin/admin-ajax\.php" "t:none" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350308,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains post-smtp/v1/connect-app" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:device "@rx (?i)FakeDevice|pelerganteng|^$|iPhone_ktn" "t:none" SecRule REQUEST_METHOD "@rx (?i)(get|post)" "id:77350345,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains post-smtp/v1/connect-app" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@rx (?i)get" "id:77350346,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains post-smtp/v1/connect-app" "chain,t:none,t:normalizePath" SecRule REQUEST_HEADERS:device "!@eq 28" "t:none,t:length" SecRule REQUEST_METHOD "@rx (?i)get" "id:77350316,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-json/post-smtp/v1/get-logs" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350317,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress user password reset attempt||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-login.php" "chain,t:none" SecRule ARGS:action "@streq lostpassword" "t:none" SecRule REQUEST_METHOD "@rx (?i)get" "id:77350318,chain,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain,t:none" SecRule &REQUEST_HEADERS:fcm_token "@gt 0" "chain,t:none" SecRule &ARGS:access_token "@gt 0" "chain,t:none" SecRule &ARGS:log_id "@gt 0" "chain,t:none" SecRule &ARGS:type "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:device "@rx (?i)FakeDevice|pelerganteng|iPhone_ktn" "t:none" SecRule REQUEST_METHOD "@rx (?i)get" "id:77350319,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Block Authentication Bypass Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-6875)||MV1:%{REQUEST_HEADERS.fcm_token}||MV2:%{REQUEST_HEADERS.auth_key}||MV3:%{REQUEST_HEADERS.device}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx (\/wp-json\/post-smtp\/v1\/get-logs|\/wp-admin\/admin\.php)" "chain,t:none,t:normalizePath" SecRule &REQUEST_HEADERS:fcm_token "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:device "@rx (?i)FakeDevice|pelerganteng|iPhone_ktn" "t:none" SecRule REQUEST_FILENAME "@endsWith /fm_temp.php" "id:77350323,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Upload vulnerability in File Manager Pro <= 8.3.4 plugin for WordPress (CVE-2023-6846)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq dzsap_download" "id:77350324,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Directory traversal vulnerability in Plugin DZS Zoomsounds < 6.50 for WordPress (CVE-2021-39316)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:link "@rx \.\.\/" "t:none" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350325,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Upload Vulnerability in Avada <= 7.11.1 Theme For WordPress (CVE-2023-39307)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule TX:wp_cookie "!@rx ^$" "chain,t:none" SecRule REQUEST_URI "@pm /wp-json/ wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx fusion_panel_import" "chain,t:none" SecRule ARGS:toUrl "!@rx ^http" "t:none" SecRule REQUEST_METHOD "POST" "id:77350328,chain,phase:2,nolog,auditlog,block,severity:2,t:none,msg:'IM360 WAF: LFI Vulnerability in Shield Security plugin for WordPress (CVE-2023-6989)||Data:%{ARGS.render_action_template}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq shield_action" "chain,t:none" SecRule ARGS:ex "@streq generic_render" "chain,t:none" SecRule ARGS:render_action_template "@contains .php" "chain,t:none" SecRule ARGS:render_action_template "\.\.|^\/" "t:none" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350329,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Stored XSS Vulnerability in POST SMTP Mailer <= 2.8.7 WordPress Plugin (CVE-2023-7027)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:device|REQUEST_HEADERS:device "@rx [\x27\x22<&]" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350366,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS In LiteSpeed Cache < 5.7.0.1 WordPress Plugin (CVE-2023-40000)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI|ARGS:rest_route "@contains /litespeed/v1/cdn_status" "chain,t:none,t:normalizePath" SecRule ARGS:result[nameservers]|ARGS:result[_msg] "@rx [<\(\x27]|(exec|passthru|proc_open|eval|shell_exec|fwrite|system|ob_start|assert|file_(?:put|get)_contents|thrownewexception)\(" "t:none,t:urlDecode,capture,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350366" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350330,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI|ARGS:rest_route "@contains bricks/v1/render_element" "chain,t:none" SecRule ARGS:/queryEditor/|ARGS:/executeCode/ "@rx (?i)file_put_contents\s*\('[^']+',file_get_contents\s*\('http" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350331,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI|ARGS:rest_route "@contains bricks/v1/render_element" "chain,t:none" SecRule ARGS:/queryEditor/|ARGS:/executeCode/ "@rx (?i)\x60\W|(exec|passthru|proc_open|eval|shell_exec|fwrite|system|ob_start|assert|file_(?:put|get)_contents|thrownewexception)\s*\(" "t:none,t:urlDecode" SecRule REQUEST_URI "@rx \/wp-content\/themes\/bricks\/includes\/elements\/\w+(?i)\.(?:h?php[\ds]{0,2}?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "id:77350350,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE in WordPress Bricks Builder Theme <= 1.9.6 (CVE-2024-25600)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "POST" "id:77683218,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Remote Code Execution in Widget Options <= 4.1.0 plugin for WordPress (CVE-2025-22630)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq widgetopts_ajax_settings" "chain,t:none" SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "@rx ." "chain,t:none" SecRule ARGS "@rx (?i)(system\s*\(|exec\s*\(|shell_exec\s*\(|passthru\s*\(|proc_open\s*\(|popen\s*\(|`|file_put_contents\s*\(|file_get_contents\s*\(|eval\s*\()" "t:none,t:urlDecode,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77683218'" SecRule REQUEST_METHOD "POST" "id:77683219,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Command Injection bypass attempt in Widget Options <= 4.1.0 plugin for WordPress (CVE-2025-22630)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq widgetopts_ajax_settings" "chain,t:none" SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "@rx ." "chain,t:none" SecRule ARGS "@rx (?i)(\$\w+\s*=\s*['\"][\w]+['\"]\s*\.\s*['\"][\w]+['\"]\s*;\s*\$\w+\s*\(|chr\s*\(\s*\d+\s*\)\s*\.\s*chr\s*\(|\$[a-zA-Z_]\w*\s*\(\s*['\"])" "t:none,t:urlDecode,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77683219'" SecRule REQUEST_METHOD "POST" "id:77683220,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Logic parameter command injection in Widget Options <= 4.1.0 plugin for WordPress (CVE-2025-22630)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq widgetopts_ajax_settings" "chain,t:none" SecRule ARGS:method "@streq save" "chain,t:none" SecRule ARGS "@contains logic[logic]=" "t:none,t:urlDecode,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77683220'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77350347,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi Vulnerability in WordPress Booking Calendar Plugin < 9.9.1 (CVE-2024-1207)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule ARGS:calendar_request_params|ARGS:calendar_request_params[dates_ddmmyy_csv] "!@rx ^((\d{2}\.\d{2}\.\d{4})|(\d{4}-\d{2}-\d{2}))(,(\s)?((\d{2}\.\d{2}\.\d{4})|(\d{4}-\d{2}-\d{2}))){0,500}$" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^GET" "chain,id:77350349,pass,nolog,auditlog,phase:3,severity:5,t:none,msg:'IM360 WAF: Tracking manual actions in WordPress||Time:%{TIME}||Addr:%{tx.remote_addr};login:%{IP.wp_logged_in};get:%{IP.wp_get_req}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@rx \/wp-admin\/load-(?:styles|scripts)\.php" "t:none,t:normalizePath" SecRule REQUEST_URI "@rx \/wp-content\/uploads\/2023\/0(?:3|5|6)\/\w+(?i)\.(?:h?php[\ds]{0,2}|pht[m]?|s?phtml?|swf|xap|phar|inc|ctp|pl$|pgif|cgi|htaccess|module|exe|suspected)(?:\W|$)" "id:77350352,block,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Dangerous files in uploads||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-includes\/js\/jquery\/\w+(?i)\.(?:h?php[\ds]{0,2}|pht[m]?|s?phtml?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|suspected|ico)(?:\W|$)" "id:77350351,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Suspicious files in jQuery||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350356,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: PMA data leak||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /scripts/setup.php" "chain,t:none,t:normalizePath" SecRule ARGS:configuration "@rx O:10:[\\\x22]+PMA_Config[\\\x22]+:1:\{s:6:[\\\x22]+source[\\\x22]+,s:11:[\\\x22]+\/etc\/passwd[\\\x22]+;\}" "t:none,t:urlDecode" SecRule REQUEST_URI "@rx \/wp-includes\/(?:sodium_compat|SimplePie)\/.{1,999}\.(?:h?php[\ds]{0,2}|pht[m]?|phar)(?:\W|$)" "id:77350586,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Suspicious access to wp-includes library directory||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/wp-includes\/.{1,999}\.min\.(?:h?php[\ds]{0,2}|pht[m]?|phar)(?:\W|$)" "id:77350600,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Suspicious .min.php file in wp-includes||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "streq POST" "chain,id:77350602,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Access to suspicious endpoint (botnet?)||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_FILENAME "@pmFromFile bl_wpboost_uri" "chain,t:none,t:normalizePath,t:lowercase" SecRule REQUEST_FILENAME "@rx ^\/\S+\.(?:php[\ds]{0,2})$" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350353,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated SQLi Vulnerability in RSS Aggregator by Feedzy <= 4.4.2 WordPress Plugin (CVE-2024-1317)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:_action "@streq fetch_custom_fields" "chain,t:none" SecRule ARGS:search_key "@rx ^[^{<]\x22|\x27|\x2f|\x00|\x0a|\x0d" "t:none,t:urlDecode" SecRule REQUEST_METHOD "^POST" "id:77350358,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Privilege escalation vulnerability in Academy LMS WordPress plugin (CVE-2024-1505)||Data:%{ARGS.wp_capabilities}||RSV:8.02||T:APACHE||WPU:%{TX.wp_user}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "^academy/frontend/saved_user_info$" "chain,t:none" SecRule ARGS_POST_NAMES "^wp_capabilities$" "t:none" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350359,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in Ultimate Member User Profile Registration Login Member Directory Content Restriction & Membership plugin 2.1.3-2.8.2 WordPress plugin (CVE-2024-1071)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq um_get_members" "chain,t:none" SecRule ARGS:sorting "!@rx [\w_-]|^$" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350364,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Directory Traversal vulnerability in File Manager and File Manager Pro < 7.2.2 (CVE-2023-6825)||MV:%{TX.1}||MVN:%{tx.mvn}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:target "@rx ^l1_([^\n]+)$" "chain,t:none,capture" SecRule TX:1 "@rx ^(?:[\/\.].{5}|\/\.|\.\.\/)|\/wp-|public_html\/|\/www|\w\/\." "t:none,t:base64Decode" SecRule REQUEST_METHOD "^POST" "id:77350365,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track Directory Traversal vulnerability in File Manager and File Manager Pro < 7.2.2 (CVE-2023-6825)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:target|ARGS:upload_path "@rx ^l1_([^\n]+)$" "chain,t:none,capture" SecRule TX:1 "!@rx ^$" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350367,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unathenticated Stored XSS Vulnerability in Ultimate Member plugin for WordPress (CVE-2024-2123) - edit profile||Data:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "account\/general\/$" "chain,t:none,t:normalizePath" SecRule ARGS:updated "account" "chain,t:none" SecRule ARGS:um_request "!@rx ^$" "chain,t:none" SecRule ARGS:/username(-\d+)?/|ARGS:/nickname(-\d+)?/|ARGS:/user_login(-\d+)?/|ARGS:/last_name(-\d+)?/|ARGS:/first_name(-\d+)?/ "[<>\[\]\{\}=\\;]+|\/{2,999}|:\/" "t:none,t:urlDecode" SecRule REQUEST_METHOD "^POST" "id:77350368,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unathenticated Stored XSS Vulnerability in Ultimate Member plugin for WordPress (CVE-2024-2123) - register||Data:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "register\/$" "chain,t:none,t:normalizePath" SecRule ARGS:um_request "!@rx ^$" "chain,t:none" SecRule ARGS:/username(-\d+)?/|ARGS:/nickname(-\d+)?/|ARGS:/user_login(-\d+)?/|ARGS:/last_name(-\d+)?/|ARGS:/first_name(-\d+)?/ "[<>\[\]\{\}=\\;]+|\/{2,999}|:\/" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350373,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Malware Scanner <= 4.7.2 and Web Application Firewall <= 2.1.1 WordPress plugin (CVE-2024-1991)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.php" "chain,t:none" SecRule ARGS:option "@streq mo_wpns_change_password" "chain,t:none" SecRule &ARGS:new_password "@gt 0" "chain,t:none" SecRule &ARGS:confirm_password "@gt 0" "chain,t:none" SecRule ARGS:username "!@rx ^$" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350375,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login <= 5.3.0.0 WordPress Plugin (CVE-2024-1991)||Data:%{ARGS.role}||RSV:8.02||T:APACHE||WPU:%{TX.wp_user}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx rm_update_users_role" "chain,t:none" SecRule ARGS:user_ids "!@rx ^$" "chain,t:none" SecRule ARGS:role "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350375'" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350382,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Stored XSS Vulnerability in WP-Members Membership WordPress Plugin <= 3.4.9.2 (CVE-2024-1852)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:wpmem_reg_page "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:X-Forwarded-For "!@rx (?i)[\[\]\sa-f0-9,\.:\x22\x27]+$|unknown|^$" "t:none" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350385,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Suspicious input in XFF||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:X-Forwarded-For "!@rx (?i)[\[\]\sa-f0-9,\.:\x22\x27]+$|unknown|^$" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77350383,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated SQL Injection in WordPress plugin LayerSlider 7.9.11-7.10.0 (CVE-2024-2879)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@contains ls_get_popup_markup" "chain,t:none" SecRule ARGS:id[where] "\w\(|\x27" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350376,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload vulnerability in WEmanage App Worker WordPress Plugin (CVE-2024-1205)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||WPU:%{TX.wp_user}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wc/v3/upload-csv-file" "chain,t:none,t:normalizePath" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350387,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in MasterStudy LMS < 3.3.1 WordPress plugin (CVE-2024-2411)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains stm_lms_load_modal" "chain,t:none" SecRule ARGS:modal "@contains ../" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350388,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in MasterStudy LMS < 3.3.2 WordPress plugin (CVE-2024-2409)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains stm_lms_register" "chain,t:none" SecRule REQUEST_BODY "@rx wp_capabilities[^\}]+administrator" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350389,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in MasterStudy LMS < 3.3.4 WordPress plugin (CVE-2024-3136)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains stm_lms_load_content" "chain,t:none" SecRule ARGS:template "@contains ../" "t:none" SecRule ARGS:rest_route "@streq /lms/stm-lms/order/items" "id:77220058,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: SQLi in The MasterStudy LMS WordPress Plugin (CVE-2024-1512)||PAYLOAD:%{TX.0}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:author_id "@gt 0" "chain,t:none" SecRule ARGS:user "@rx (\D)" "t:none,capture" SecRule REQUEST_METHOD "(?i)post" "id:77350393,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated SQLi WP Activity Log Premium < 4.6.5 WordPress Plugin (CVE-2024-2018)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq wsal_AjaxGenerateReport" "chain,t:none" SecRule ARGS:nextDate "@rx [^\d\w:.\/\-\s]" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350397,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in User Registration-Custom Registration Form, Login Form, and User Profile < 3.1.6 WordPress plugin (CVE-2024-2417)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains user_registration_form_save_actoin" "chain,t:none" SecRule ARGS:/data\[form_setting_data\]\[\d+\]\[name\]/ "@streq user_registration_form_setting_default_user_role" "chain,t:none" SecRule ARGS:/data\[form_setting_data\]\[\d+\]\[value\]/ "@contains administrator" "t:none" SecRule REQUEST_METHOD "(?i)post" "id:77350398,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in User Registration-Custom Registration Form, Login Form, and User Profile < 3.1.6 WordPress plugin (CVE-2024-2417)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^user_registration_" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350398'" SecRule REQUEST_METHOD "^POST" "id:77350400,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary Options Update Vulnerability in WP Datepicker for WordPress (CVE-2024-3895)||Data:%{ARGS.wpdp_form_data}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_BASENAME "@streq admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq wpdp_add_new_datepicker_ajax" "chain,t:none" SecRule ARGS:wpdp_form_data "." "t:none" SecRule REQUEST_METHOD "^GET" "id:77350404,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Attempted Response Filter Denial of Service in OWASP CRS||Data:%{ARGS.s}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:s "@rx ^jet database engine$|^access database engine$|^ora-1234\d?$|^oracle error$|^oracle[ _-]*driver$|^cli driver[ _-]*db2$|^db2 sql error$|^dynamic sql error$|^an illegal character has been found in the statement$|^exception[ _-]*informix$|^ingres sqlstate$|^unexpected end of command in statement$|^sql error[ _-]*pos\d+$|^warning[ _-]*maxdb$|^unclosed quotation mark after the character string$|^microsoft ole db provider for odbc drivers$|^microsoft ole db provider for sql server$|^incorrect syntax near$|^sintaxis incorrecta cerca de$|^syntax error in string in query expression$|^procedure or function .{0,999} expects parameter$|^unclosed quotation mark before the character string$|^syntax error .{0,999} in query expression$|^the used select statements have different number of columns$|^ole db[ _-]*sql server$|^driver.{0,999}sql[ _-]*server$|^sql server.{0,999}driver$|^sql server.{0,999}[0-9a-f]{8}$|^supplied argument is not a valid mysql$|^on mysql result index$|^you have an error in your sql syntax near$|^mysql server version for the right syntax to use$|^sql syntax.{0,999}mysql$|^valid mysql result$|^postgresql.{0,999}error$|^valid postgresql result$|^supplied argument is not a valid postgresql .{0,999}? resource$|^unable to connect to postgresql server$|^warning.{0,999}sybase$|^sybase.{0,999}server message$|^an error has occurred$" "t:lowercase" SecRule REQUEST_METHOD "^POST" "id:77350410,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated privilege escalation in Fluent Forms plugin for WordPress (CVE-2024-2771)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "chain,t:none" SecRule REQUEST_FILENAME "@rx \/wp-json\/fluentform\/v1\/managers" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_METHOD "^POST" "id:77350411,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Missing Authorization to Setting Manipulation in Fluent Forms plugin for WordPress (CVE-2024-2782)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "chain,t:none" SecRule REQUEST_FILENAME "@rx \/wp-json\/fluentform\/v1\/global-settings" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule &ARGS:wpbdp_view "@eq 1" "id:77350415,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in Business Directory Plugin for WP (CVE-2024-4443)||RSV:8.02||T:APACHE||Log:%{MATCHED_VAR}||',tag:'wp_core'" SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "!@eq 1" "chain,t:none" SecRule REQUEST_URI "@rx listingfields\[\S{1,100}]\[\d{1,100}\]" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350423,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Stored XSS via Avatar Block in WordPress Core < 6.5.2 (CVE-2024-4439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-comments-post.php /wp-admin/profile.php" "chain,t:none,t:normalizePath" SecRule ARGS:author|ARGS:/_name$/ "@rx \x22\s{0,10}(?:>|on\w{1,20}\s{0,5}=)|<\w{1,20}[\s/>]|\W\w{1,128}\([^\)]{1,64}\);" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350425,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Stored XSS via Avatar Block in WordPress Core < 6.5.2 (CVE-2024-4439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@contains _create_item" "chain,t:none" SecRule ARGS:collection_name "@contains avatar" "chain,t:none" SecRule ARGS "@rx onerror\x22:\x22(\w{1,200}\([^\)]{1,128}\))|\W\w{1,128}\([^\)]{1,128}\);|waitfordelay'" "t:none,t:lowercase" SecRule REQUEST_METHOD "^POST" "id:77350441,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Unauthenticated Stored XSS via Avatar track in WordPress Core < 6.5.2 (CVE-2024-4439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm /wp-comments-post.php /wp-admin/profile.php" "chain,t:none,t:normalizePath" SecRule ARGS:author|ARGS:/_name$/ "@rx [\x27\<\>\)\n]|(?i)(on(error|load)=|<script|script>|javascript:|data:text\/html|vbscript:|expression\()" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350426,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Authorization Bypass and Privilege Escalation in ProfileGrid User Profiles, Groups and Communities plugin for WordPress <= 5.8.9 (CVE-2024-6411)||WPU:%{TX.wp_cookie}||userID:%{tx.user_id}||user_meta:%{tx.user_meta}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq pm_upload_image" "chain,t:none" SecRule ARGS:user_id "!@rx ^$" "chain,t:none,setvar:tx.user_id=%{MATCHED_VAR}" SecRule ARGS:user_meta "@pm administrator editor author" "t:none,setvar:tx.user_meta=%{MATCHED_VAR}" SecRule REQUEST_METHOD "^POST" "id:77350429,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Profile-Builder <=3.11.8 WordPress plugin (CVE-2024-6695)||username:%{tx.username}||email:%{tx.email}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq register" "chain,t:none" SecRule ARGS:username "!@rx ^$" "chain,t:none,setvar:tx.username=%{MATCHED_VAR}" SecRule ARGS:email "@rx ^[\00\t\n\x0b\r\s]|[\00\t\n\x0b\r\s]$" "t:none,setvar:tx.email=%{MATCHED_VAR}" SecRule REQUEST_METHOD "GET|POST" "id:77350430,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF in WordPress Core < 6.0.3||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-trackback.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{REQUEST_HEADERS.Host}" "t:none" SecRule REQUEST_METHOD "GET|POST" "id:77350431,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: CSRF in WordPress Core < 6.0.3||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-trackback.php" "chain,t:none" SecRule TX:wp_cookie "!@rx ^$" "t:none" SecRule REQUEST_METHOD "GET|POST" "id:77350432,chain,phase:2,pass,block,auditlog,severity:2,t:none,msg:'IM360 WAF: CSRF in WordPress Core < 6.0.3||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-trackback.php" "chain,t:none" SecRule REQUEST_HEADERS:Referer "@rx ^(\s*|www.google.com|https?://|https?://(facebook|binance)\.com)$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77350433,phase:2,chain,severity:5,pass,nolog,auditlog,t:none,msg:'IM360 WAF: SEO Plugin by Squirrly SEO <= 12.3.19 - Authenticated (Contributor+) SQL Injection via url Parameter (CVE-2024-6497)||MV:%{MATCHED_VAR}||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||RSV:8.02||T:APACHE||',tag:'wp_plugin_squirrly_seo',tag:'noshow',tag:'wp_core'" SecRule ARGS:action "sq_seosettings_save" "t:none,chain" SecRule ARGS:/socials\[\S+_url\]$/|ARGS:/^socials\[\S+_site\]$/|ARGS:/^sq_jsonld\[\S+\]\[url\]$/ "@rx .{10,999}" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77787844,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload in AIT CSV Import/Export <=3.0.3 (CVE‑2020‑36849)||MV:%{TX.ait_csv_ext}||FILES:%{FILES}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx ait-csv-import-export/admin/upload-handler\.php" "t:none,chain" SecRule FILES:file "@rx (?:\.php\d{0,2}|\.phtml)$" "capture,setvar:tx.ait_csv_ext=%{TX.0},t:none" SecRule REQUEST_METHOD "^POST$" "id:77787845,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload in AIT CSV Import/Export <=3.0.3 (CVE-2020-36849)||MV:%{TX.ait_csv_ext}||FILES:%{FILES}||FILES_NAMES:%{FILES_NAMES}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx ait-csv-import-export/admin/upload-handler\.php" "t:none,chain" SecRule FILES_NAMES|FILES "!@rx ^(.{1,512}\.csv)$" "capture,setvar:tx.ait_csv_ext=%{TX.0},t:none,t:lowercase" SecRule REQUEST_URI "@rx admin/upload-handler\.php" "id:77787846,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload in AIT CSV Import/Export <=3.0.3 (CVE‑2020‑36849)||MV:%{TX.ait_csv_ext}||FILES:%{FILES}||FILES_NAMES:%{FILES_NAMES}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule FILES_NAMES|FILES "!@rx ^(.{1,512}\.csv)$" "capture,setvar:tx.ait_csv_ext=%{TX.0},t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77756301,phase:2,block,severity:2,nolog,auditlog,msg:'IM360 WAF: Arbitrary file uploads in WPBookit plugin for WordPress <= 1.0.4 (CVE-2025-6058)||FILES:%{FILES}||Nonce:%{ARGS._ajax_nonce}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpbookit'" SecRule REQUEST_METHOD "@streq POST" "chain" SecRule ARGS:route_name "@rx ^(?:add_booking_type|edit_booking_type|clone_booking_type)$" "chain" SecRule ARGS:action "@streq wpb_ajax_post" "chain" SecRule &ARGS:_ajax_nonce "@eq 0" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77756302,phase:2,block,severity:2,nolog,auditlog,msg:'IM360 WAF: Arbitrary file uploads in WPBookit plugin for WordPress <= 1.0.4 (CVE-2025-6058)||FILES:%{FILES}||Nonce:%{ARGS._ajax_nonce}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpbookit'" SecRule ARGS:route_name "@streq add_booking_type" "chain" SecRule ARGS:action "@streq wpb_ajax_post" "chain" SecRule FILES_NAMES "!@rx \.(?:jpe?g|jpg|png|gif|webp)$" "t:lowercase" SecRule REQUEST_METHOD "^POST" "id:77350434,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in HUSKY - Products Filter Professional for WooCommerce <=1.3.6 (CVE-2024-6457)||MVN1:%{tx.mvn1}||MVN2:%{tx.mvn2}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS "@rx product_query" "chain,t:none,setvar:tx.mvn1=%{MATCHED_VAR_NAME}" SecRule ARGS "@rx woof_author" "t:none,setvar:tx.mvn2=%{MATCHED_VAR_NAME}" SecRule REQUEST_METHOD "^POST" "id:77350435,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in HUSKY - Products Filter Professional for WooCommerce <=1.3.6 (CVE-2024-6457)||action:%{ARGS.action}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:woof_author "!@rx ^$" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350436,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in HUSKY - Products Filter Professional for WooCommerce <=1.3.6 (CVE-2024-6457)||MV:%{MATCHED_VAR}||username:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:product_query "!@rx ^$" "chain,t:none" SecRule ARGS:woof_author "!@rx ^$" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350437,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in HUSKY - Products Filter Professional for WooCommerce <=1.3.6 (CVE-2024-6457)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx .php$" "chain,t:none" SecRule ARGS:/query/ "(\[woof_.{3,99})name=\s?\x22[^\x22]+" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350438,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi in HUSKY - Products Filter Professional for WooCommerce <=1.3.6 (CVE-2024-6457)||MV:%{MATCHED_VAR}||Action:%{ARGS.action}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.php$" "chain,t:none" SecRule ARGS:/query/ "@rx waitfordelay\s*\x27|sleep\s*\(" "t:none" SecRule REQUEST_COOKIES:litespeed_role "!@rx ^$" "id:77350481,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Privilege Escalation in LiteSpeed Cache Plugin <= 6.3.0.1 plugin for WordPress (CVE-2024-28000)||MV:%{MATCHED_VAR}||WPU:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/debug.log" "id:77350492,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Suspicious access attempt to WordPress debug.log (CVE-2024-44000)||MV:%{MATCHED_VAR}||WPU:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/litespeed-cache/readme.txt" "id:77350639,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious access attempt to WordPress debug.log (CVE-2024-44000)||MV:%{MATCHED_VAR}||WPU:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-content\/litespeed\/debug\/.+\.log$" "id:77350511,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Suspicious access attempt to LiteSepeed Cache Plugin debug folder (CVE-2024-44000)||MV:%{MATCHED_VAR}||WPU:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "^POST" "id:77350482,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: PHP Object Injection in GiveWP <= 3.14.1 WordPress Plugin (CVE-2024-5932)||MV:%{MATCHED_VAR}||Action:%{ARGS.action}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.php$" "chain,t:none,t:normalizePath" SecRule ARGS:give-form-title|ARGS:give_title "@rx O:\d+:\x22(?:Stripe\x5c{1,2}StripeObject|TCPDF|Give\x5c(?:PaymentGateways|Vendors))" "t:none,t:urlDecode" SecRule REQUEST_METHOD "^POST" "id:77350483,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SPHP Object Injection in GiveWP <= 3.14.1 WordPress Plugin (CVE-2024-5932)||MV:%{MATCHED_VAR}||Action:%{ARGS.action}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.php$" "chain,t:none" SecRule ARGS:give-form-title|ARGS:give_title "@rx [\x00\x60\n\r\x5c]" "t:none,t:urlDecode" SecRule REQUEST_METHOD "^POST" "id:77350484,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SPHP Object Injection in GiveWP <= 3.14.1 WordPress Plugin (CVE-2024-5932)||MV:%{MATCHED_VAR}||Action:%{ARGS.action}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \.php$" "chain,t:none" SecRule ARGS:give-form-title|ARGS:give_title "@rx (?:shell_exec|exec|system|passthru|popen|proc_open|pcntl_exec|fopen|fwrite|unlink|file_get_contents|file_put_contents|copy|rename|move_uploaded_file|rmdir|mkdir|chmod|chown|chgrp|extract|eval|assert)\(" "t:none,t:urlDecode" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77763167,chain,phase:2,block,severity:2,msg:'IM360 WAF: CSRF in for GiveWP PayPal disconnect (CVE-2024-47315)||RSV:8.02||T:APACHE||',tag:'wp_plugin_give'" SecRule ARGS:action "@streq give_paypal_commerce_disconnect_account" "chain,t:none" SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350494,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated RCE in WPML Multilingual CMS <= 4.6.12 WordPress Plugin (CVE-2024-6386)||MV:%{tx.wpml}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:actions|REQUEST_BODY "@contains [wpml_language_switcher]" "chain,t:none" SecRule MATCHED_VAR "@rx \[wpml_language_switcher\](.{2,999}})wpml_language_switcher\]" "chain,t:none,setvar:tx.wpml=%{tx.1}" SecRule TX:wpml "@rx \{[%\{\d]|~\w" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77970443,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated (Contributor+) Local File Inclusion Vulnerability in Hotel Booking <= 3.7 WordPress plugin (CVE-2025-53259)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_yaysmtp'" SecRule &ARGS:/layout/ "@gt 0" "t:none,chain" SecRule ARGS:layout|ARGS:group[layout]|ARGS:creativecontactform_fields[layout]|ARGS:settings[layout_type] "@rx ../../../../../..//?(?:wp-config\.php|\$\{prefix\}/|etc/|usr/)" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350495,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE in JS Help Desk <= 2.8.6 WordPress Plugin (CVE-2024-7094)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx \/wp-admin\/admin(?:\.php|-ajax\.php)" "chain,t:none" SecRule ARGS:page "themes" "chain,t:none" SecRule ARGS:task "savetheme" "chain,t:none,t:lowercase" SecRule ARGS:/color/ "!@rx ^#[a-z0-9x]{6}$" "capture,t:none" SecRule REQUEST_METHOD "^POST" "id:77350497,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi in Woocommerce <= 8.2.3 WordPress Plugin||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /product/" "chain,t:none" SecRule ARGS:is-descendent-of-single-product-block "@rx \x22|\x27|;|\)" "t:none,t:urlDecode" SecRule REQUEST_URI|ARGS:rest_route "@contains /wp-json/wc/v3/products" "id:77350499,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible CSRF Vulnerability in WooCommerce < 8.2.3 WordPress Plugin (CVE-2023-52222)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:status "@streq publish" "chain,t:none" SecRule ARGS:user_id "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350499'" SecRule REQUEST_METHOD "^POST" "id:77350500,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE vulnerability in Bit File Manager 6.0-6.5.5 plugin for WordPress (CVE-2024-7627)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq bit_fm_connector_front" "chain,t:none" SecRule ARGS:content "@rx <\?php|\W\w{1,100}?\([^)]{0,300}?\);" "t:none" SecRule REQUEST_FILENAME "@contains /wp-content/uploads/file-managertemp.php" "id:77350501,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE vulnerability in Bit File Manager 6.0-6.5.5 plugin for WordPress (CVE-2024-7627)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77350502,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Broken Access Control in WordPress LearnPress Plugin <= 4.2.3 (CVE-2023-36515)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@pm search-users reset-user-courses reset-user-item" "chain,t:none,t:lowercase" SecRule &ARGS:nonce "@eq 0" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350502'" SecRule ARGS:action "@rx (?:removeTempFiles|reset_shortcode)" "id:77879328,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Missing authorization in Sonaar Music MP3 Audio Player for Music, Radio & Podcast <= v.5.8 (CVE-2024-56266)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_mp3_music_player_by_sonaar',tag:'wp_core'" SecRule REQUEST_METHOD "@rx POST|GET" "id:77350509,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Missing Authorization in Ninja Forms Form Builder for WordPress (CVE-2023-38393)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:post_type "@streq nf_sub" "chain,t:none" SecRule ARGS:action "@streq nf_download_all_subs" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350509'" SecRule REQUEST_METHOD "@rx POST|GET" "id:77350510,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Missing Authorization in Ninja Forms Form Builder for WordPress (CVE-2023-38393)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains edit.php" "chain,t:none" SecRule ARGS:action "@streq export" "chain,t:none" SecRule ARGS:download_file "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350510'" SecRule REQUEST_METHOD "@rx POST" "id:77350512,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Privilege Escalation Vulnerability in Essential Addons for Elementor WordPress Plugin (CVE-2023-41955)||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:actions "@rx (?i)register_user_role\x22\x3A\x22(administrator|editor|author)" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77350524,phase:2,chain,severity:2,block,nolog,auditlog,t:none,msg:'IM360 WAF: Improper Privilege Management vulnerability in HasThemes HT Mega <= 2.2.0 (CVE-2023-37999)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx ^/wp-admin/admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq htmega_ajax_register" "chain,t:none" SecRule ARGS:reg_role "@rx ." "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350523,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File upload bypass via Plugin installer (CVE-2024-31210)||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith wp-admin/update.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq upload-plugin" "chain,t:none" SecRule FILES "!@rx \.zip$" "t:lowercase" SecRule ARGS:form_id "@rx \D" "id:77350530,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQL Injection attempt in GiveWP <= 2.4.0 (CVE-2023-0224)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq give_get_donor_comments" "t:none,t:urlDecodeUni,chain" SecRule ARGS:nonce "@rx ." "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77350532,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in WordPress plugin Dokan Pro up to 3.10.3 (CVE-2024-2879)||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:webhook "@streq dokan-moip" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350532" SecRule REQUEST_METHOD "^GET$" "id:77350526,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: SQL Injection in LearnPress LMS Plugin <= 4.2.7 plugin for WordPress (CVE-2024-8522)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_learnpress'" SecRule REQUEST_FILENAME "wp-json/learnpress/v1/courses$" "chain,t:lowercase" SecRule ARGS:c_only_fields "(?i)[^,\w\-]+" "t:none" SecRule REQUEST_METHOD "^GET$" "id:77350539,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: SQL Injection vulnerability in WordPress LearnPress LMS Plugin <= 4.2.7 (CVE-2024-8529)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "wp-json/lp/v1/courses/archive-course$" "chain,t:none,t:lowercase" SecRule ARGS:c_fields "(?i)[^,\w\-]+" "t:none" SecRule ARGS:/ays_questions/ "sleep" "id:77350540,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Time-based SQL Injection in Quiz Maker plugin for WordPress (CVE-2024-6028)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_quiz_maker'" SecRule REQUEST_METHOD "^POST$" "id:77350544,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in WP Photo Album Plus < 8.7.01.002 plugin for WordPress (CVE-2024-31377)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||wppa:%{TX.wppa}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:/wppa/ "@rx ." "chain,t:none,setvar:tx.wppa=%{MATCHED_VAR}" SecRule FILES "@rx \.(?:ph[p][3-8]?|phtml|htaccess)$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77350545,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in WP Photo Album Plus < 8.7.01.002 plugin for WordPress (CVE-2024-31377)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||wppa:%{TX.wppa}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "wppa" "chain,t:none,setvar:tx.wppa=%{MATCHED_VAR}" SecRule FILES "@rx \.(?:ph[p][3-8]?|phtml|htaccess)$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77350546,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in ChatGPT Chatbot <= 1.9.98 plugin for WordPress (CVE-2023-51409)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME|ARGS:rest_roure "mwai-ui\/v1\/files\/upload" "chain,t:lowercase" SecRule FILES "@rx \.(?:php[3-8]?|phtml|htaccess)$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77350547,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in ChatGPT Chatbot <= 1.9.98 plugin for WordPress (CVE-2023-51409)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME|ARGS:rest_roure "mwai-ui\/v1\/files\/upload" "chain,t:lowercase" SecRule &REQUEST_HEADERS:WP-Nonce "@eq 0" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77350549,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi vulnerability in NotificationX <= 2.8.2 plugin for WordPress (CVE-2024-1698)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME|ARGS:rest_roure "@contains /notificationx/v1/analytics" "chain,t:lowercase" SecRule ARGS:type|ARGS:nx_id "@rx \x27|--|\(" "t:none" SecRule REQUEST_METHOD "^POST" "id:77350551,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi Vulnerability in WP Hotel Booking <= 2.1.0 plugin for WordPress (CVE-2024-3605)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME|ARGS:rest_route "@contains /wphb/v1/rooms/search-rooms" "chain,t:lowercase" SecRule ARGS:room_type "@detectSQLi" "t:none" SecRule ARGS:utm_id "@rx (\x27\x3e|\x22\x3e|<script)" "id:77350552,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:urlDecode,msg:'IM360 WAF: Stored XSS in WP Statistics plugin for WordPress before ver 14.5 (CVE-2024-2194)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_statistics'" SecRule REQUEST_METHOD "@rx POST" "id:77350555,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible LFI in LearnPress-WordPress LMS Plugin for WordPress (CVE-2024-6589)||MV:%{TX.1}||WPU:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:content "@contains learnpress/" "chain,t:none,t:urlDecode" SecRule ARGS:content "@rx :\x22((?:\/|\.\.\/)[^\x22]{1,99}\x22)" "t:none,t:urlDecode" SecRule ARGS:template "@rx (?:\.\.|%2e%2e)[\\/]" "id:77389053,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible LFI in LearnPress-WordPress LMS Plugin for WordPress (CVE-2024-6589)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_learnpress'" SecRule ARGS "@rx ^(?:[a-z]:\d{1,3}:\{[a-z]:\d{1,3};)?[A-Z]:\d{1,3}:[\{\"](\w+\\?){1,99}[\{\"]:\d{1,5}:\{" "id:77350521,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Capture PHP Object inject||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "@contains /wp-json/lp/v1/courses/archive-course" "id:77350562,chain,phase:2,block,nolog,auditlog,severity:2,t:lowercase,t:normalizePath,msg:'IM360 WAF: Unauthenticated Time-Based SQL Injection vulnerability in LearnPress LMS <= 4.2.6.5 (CVE-2024-4434)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_learnpress',tag:'wp_core'" SecRule ARGS:term_id "[^\d,\-a-z]|-{2}" "t:none" SecRule REQUEST_URI "@rx \/index.php\/register\/\?\d\." "id:77350566,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Ultimate Member < 2.6.7 (CVE-2023-3460)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ultimate_member'" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350567,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Ultimate Member < 2.6.7 (CVE-2023-3460)||WPU:%{TX.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ultimate_member'" SecRule ARGS:/user_login-/ "!@rx ^$" "chain,t:none" SecRule ARGS:/user_password-/ "!@rx ^$" "chain,t:none" SecRule ARGS:/confirm_user_password-/ "!@rx ^$" "chain,t:none" SecRule ARGS:/wp_capabilities/ "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350574,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Possible SQL injection in WordPress WPCargo Plugin <= 7.0.6 (CVE-2024-44004)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpcargo'" SecRule REQUEST_URI "@contains /wp-content/plugins/wpcargo/includes/" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350585,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Possible SQL injection in WordPress Email Subscribers by Icegram Express Plugin <= 5.7.14 (CVE-2024-44004, CVE-2024-2876)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_email_subscribers'" SecRule REQUEST_URI "@rx /wp-admin/admin-post\.php$" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:/^advanced_filter/|ARGS:/^list_id/|ARGS:/^lists/|ARGS:/^order/|ARGS:/^date_query/ "@detectSQLi" "t:none,chain" SecRule ARGS:/^advanced_filter/|ARGS:/^list_id/|ARGS:/^lists/|ARGS:/^order/|ARGS:/^date_query/ "@rx ." "t:none,capture" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350578,chain,phase:2,pass,nolog,auditlog,severity:6,t:none,msg:'IM360 WAF: Improper Privilege Management in XTemos Woodmart Core < 1.0.36 (CVE-2023-32244)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/woodmart-core/vendor/opauth" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@rx POST" "id:77350579,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Authentication Bypass in Really Simple Security 9.0.0-9.1.1.1 Plugin for WordPress (CVE-2024-10924)||WPU:%{tx.wp_user}||rssn:%{ARGS.login_nonce}||redirect_to:%{ARGS.redirect_to}||user_id:%{ARGS.user_id}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /reallysimplessl/v1/two_fa/skip_onboarding" "chain,t:none,t:normalizePath" SecRule ARGS:user_id "@rx \d" "chain,t:none" SecRule ARGS:login_nonce "@rx ." "chain,t:none" SecRule ARGS:redirect_to "@rx ^\/?$" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350581,chain,phase:2,pass,nolog,auditlog,severity:2,msg:'IM360 WAF: Authentication Bypass in Really Simple Security 9.0.0-9.1.1.1 Plugin for WordPress (CVE-2024-10924)||WPU:%{tx.wp_user}||rssn:%{ARGS.login_nonce}||redirect_to:%{ARGS.redirect_to}||user_id:%{ARGS.user_id}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /reallysimplessl/v1/two_fa/skip_onboarding" "chain,t:none,t:normalizePath" SecRule ARGS:login_nonce "@rx ." "chain,t:none" SecRule &TX:wp_user "@eq 0" "chain,t:none" SecRule ARGS:user_id "@rx ^\d+$" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350580,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Authentication Bypass in Really Simple Security 9.0.0-9.1.1.1 Plugin for WordPress (CVE-2024-10924)||WPU:%{tx.wp_user}||rssn:%{ARGS.login_nonce}||redirect_to:%{ARGS.redirect_to}||user_id:%{ARGS.user_id}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /reallysimplessl/v1/two_fa/skip_onboarding" "chain,t:none,t:normalizePath" SecRule ARGS:login_nonce "@rx ." "chain,t:none" SecRule ARGS:user_id "@rx ^\d+$" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350597,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible SQL injection in WordPress Email Subscribers by Icegram Express Plugin <= 5.7.14 (CVE-2024-44004)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_email_subscribers'" SecRule REQUEST_URI "@rx /wp-admin/admin-post\.php$" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:/^advanced_filter/|ARGS:/^list_id/|ARGS:/^lists/|ARGS:/^order/|ARGS:/^date_query/ "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350595,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQLi Vulnerability In Ninja Forms Contact Form <= 3.7.1 WordPress Plugin (CVE-2024-0685)||WPU:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm admin.php post.php admin-ajax.php data.php" "chain,t:none" SecRule ARGS:action "@rx (add_export|data_request)" "chain,t:none" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350596,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQLi Vulnerability In Cost Calculator Builder <= 3.2.15 WordPress Plugin (CVE-2024-43144)||WPU:%{tx.wp_user}||action:%{ARGS.action}||MVN:%{tx.calc_mvn}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm admin-ajax.php post.php admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:content|ARGS:data "@rx (discount|calc|promocode)_id" "chain,t:none,setvar:tx.calc_mvn=%{MATCHED_VAR_NAME}" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350598,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQLi Vulnerability In Cost Calculator Builder <= 3.2.15 WordPress Plugin (CVE-2024-43144)||WPU:%{tx.wp_user}||action:%{ARGS.action}||MVN:%{tx.calc_mvn}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@pm admin-ajax.php post.php admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@contains cost_calculator" "chain,t:none" SecRule ARGS:content|ARGS:data "@pm _id" "chain,t:none,setvar:tx.calc_mvn=%{MATCHED_VAR_NAME}" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_URI "@contains /admin-ajax.php" "id:77350601,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: SQLi Vulnerability In Easy Digital Downloads < 3.3.1 WordPress Plugin (CVE-2024-5057)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@contains edd_download_search" "chain,t:none" SecRule ARGS:s "@rx \x27|\x28" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77873579,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated (Instructor+) SQLi Vulnerability in Tutor LMS <= 2.7.0 WordPress plugin (CVE-2024-4318)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx /admin-(?:ajax|post)\.php$" "chain,t:none" SecRule ARGS:action "@streq destroy-sessions" "chain,t:none" SecRule ARGS:user_id "@detectSQLi" "t:none" SecRule REQUEST_METHOD "POST" "id:77350606,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Missing Authorization in WordPress plugin WPForms prior v.1.9.2.1 (CVE-2024-11205)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:page "@rx ^wpforms-" "chain,t:none,t:lowercase" SecRule ARGS:action "@rx (wpforms_stripe_payments_refund|wpforms_stripe_payments_cancel|wpforms_payments_cancel_subscription|wpforms_payments_refund)" "t:none,t:normalizePath,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350606" SecRule REQUEST_METHOD "POST" "id:77350607,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Missing Authorization in WordPress plugin WPForms prior v.1.9.2.1 (CVE-2024-11205)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx (wpforms_stripe_payments_refund|wpforms_stripe_payments_cancel|wpforms_payments_cancel_subscription|wpforms_payments_refund)" "t:none,t:normalizePath,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350607" SecRule REQUEST_FILENAME "@rx /post-smtp/v[12]/get-logs" "id:77350604,chain,phase:2,pass,nolog,auditlog,severity:5,t:normalizePath,msg:'IM360 WAF: SQLi in Post SMTP < 2.9.10 WordPress Plugin (CVE-2024-52436)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_URI "@contains admin-ajax.php" "id:77350605,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQLi in Post SMTP < 2.9.10 WordPress Plugin (CVE-2024-52436)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq ps-get-email-logs" "chain,t:none" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350608,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQLi Vulnerability in ShortPixel Image Optimizer <= 5.6.3 WorPress plugin (CVE-2024-48043)||WPU:%{tx.wp_user}||action:%{ARGS.action}||MVN:%{MATCHED_VAR}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:/action/ "@rx CustomFolder" "chain,t:none" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350609,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQLi Vulnerability in ShortPixel Image Optimizer <= 5.6.3 WorPress plugin (CVE-2024-48043)||WPU:%{tx.wp_user}||action:%{ARGS.action}||MVN:%{MATCHED_VAR}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx shortpixel" "chain,t:none" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@pm POST GET" "id:77209027,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Generic RCE attempt via wp-file-upload||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_plugin_wp_file_upload'" SecRule REQUEST_URI "@contains /plugins/wp-file-upload/wfu_file_downloader.php" "chain,t:none,t:normalizePath" SecRule ARGS "@rx (file_put_contents|eval|system|shell_exec|passthru|popen|proc_open|assert|base64_decode|php:\/\/|data:|phar:|zip:|expect:)" "t:none,t:urlDecode,t:lowercase,capture" SecRule REQUEST_URI "@contains /plugins/wp-file-upload/wfu_file_downloader.php" "id:77209028,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Path Traversal attempt via wp-file-upload 4.24.14-4.24.15 (CVE-2024-11613)||RSV:8.02||T:APACHE||MV:%{ARGS.source}||',tag:'wp_plugin_wp_file_upload'" SecRule ARGS:source "@rx \.\.\/" "t:none,t:urlDecode,t:lowercase" SecRule ARGS:handler "@streq dboption" "id:77209029,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: RCE attempt via wp-file-upload <= 4.24.12 (CVE-2024-11635)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||FullCookie:%{REQUEST_COOKIES.wfu_ABSPATH}||',tag:'wp_plugin_wp_file_upload'" SecRule ARGS:dboption_base "@streq cookies" "chain,t:none,t:lowercase" SecRule REQUEST_URI "@contains /wp-content/plugins/wp-file-upload/wfu_file_downloader.php" "chain,t:none,t:normalizePath" SecRule REQUEST_COOKIES:wfu_ABSPATH "@rx (\.\.\/|php:\/\/|data:|phar:|zip:|expect:)" "t:none,t:urlDecode,t:lowercase" SecRule ARGS:sord "@rx \x27|\(" "id:77350610,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: SQLi vulnerability in Product Filter by WBW <= 2.7.0 WordPress plugin (CVE-2024-49691)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woo_product_filter'" SecRule REQUEST_URI "@contains /wp-json/cf7mls/v1/cf7mls_validation" "id:77350611,chain,pass,nolog,auditlog,severity:5,phase:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: SQL Injection vulnerability in NinjaTeam Multi Step for Contact Form <=2.7.7 (CVE-2024-47331)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_cf7_multi_step',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST$" "chain,t:none" SecRule ARGS:/[\'\"\x22\x27\x60]/ ".{0,99}" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350614,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Authenticated SQLi Vulnerability in Registrations for the Events Calendar - Event Registration Plugin <= 2.12.2 WordPress plugin (CVE-2024-39638)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx rtec_" "chain,t:none" SecRule ARGS:edit_action "delete" "chain,t:none" SecRule ARGS:registrations_to_be_deleted "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350615,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Authenticated SQLi Vulnerability in Registrations for the Events Calendar - Event Registration Plugin <= 2.12.2 WordPress plugin (CVE-2024-39638)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx rtec_" "chain,t:none" SecRule ARGS:edit_action "delete|all" "chain,t:none" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77350616,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Authenticated SQLi Vulnerability in Registrations for the Events Calendar - Event Registration Plugin <= 2.12.2 WordPress plugin (CVE-2024-39638)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx rtec_" "chain,t:none" SecRule ARGS:edit_action "@rx delete" "chain,t:none" SecRule ARGS "@rx \x22|\x27|:|\(" "t:none" SecRule REQUEST_METHOD "POST" "id:77350617,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Command Injection vulnerability in Supsystic Popup <= 1.10.29 (CVE-2024-52434)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_popup_by_supsystic'" SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule ARGS:pl "@streq pps" "chain,t:none" SecRule ARGS:reqType "@streq ajax" "chain,t:none" SecRule ARGS ".{0,50}[\{\}%\$\*].{0,50}" "t:none" SecRule REQUEST_METHOD "@rx POST|GET" "id:77350620,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection in the Backup and Staging plugin by WP Time Capsule <= 1.22.21 (CVE-2024-48020)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'wp_plugin_wp_time_capsule'" SecRule ARGS:action "@streq lazy_load_activity_log_wptc" "chain,t:none" SecRule ARGS:action_id "!^\d+$" "t:none,capture" SecRule REQUEST_METHOD "@rx POST|GET" "id:77350621,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection in the Backup and Staging plugin by WP Time Capsule <= 1.22.21 (CVE-2024-48020)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'wp_plugin_wp_time_capsule'" SecRule ARGS:action "@streq lazy_load_activity_log_wptc" "chain,t:none" SecRule ARGS:data[action_id] "!^\d+$" "t:none,capture" SecRule ARGS:action "@streq unlimitedelements_ajax_action" "id:77350622,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: Command Injection vulnerability in Unlimited Elements For Elementor <= 1.5.121 (CVE-2024-49271)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:client_action "@streq update_addon" "chain,t:none,t:lowercase" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none" SecRule ARGS:bwfan-track-id "@rx .{0,99}[^\w\- \x0d\x0a_,]+.{0,99}" "id:77350623,phase:2,block,nolog,auditlog,severity:5,t:utf8toUnicode,t:lowercase,msg:'IM360 WAF: SQL Injection vulnerability in FunnelKit Automation <= 3.1.2 (CVE-2024-47328)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_marketing_automations',tag:'wp_core'" SecRule REQUEST_METHOD "@rx POST" "id:77350627,chain,pass,severity:2,t:none,msg:'IM360 WAF: CSRF in WP-buy WP Content Copy Protection (CVE-2024-49306)||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_content_copy_protector'" SecRule ARGS:page "@streq wccpoptionspro" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule &ARGS:Restore_defaults "@gt 0" "chain,t:none" SecRule &ARGS:_Restore_defaults "@eq 0" "chain,t:none" SecRule &ARGS:_Save_settings "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350628,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:utf8toUnicode,msg:'IM360 WAF: Code Injection vulnerability in Smackcoders WP Ultimate Exporter <=2.9.1 (CVE-2024-56278)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_ultimate_exporter',tag:'wp_core'" SecRule ARGS:action "parse_data" "chain,t:none" SecRule ARGS:exp_type "[^a-zA-Z0-9]" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350629,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible SQL injection attack in WPGrim Classic Editor and Classic Widgets (CVE-2024-47312)||term:%{ARGS.term}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:term "@detectSQLi" "chain,t:none" SecRule ARGS:term "@rx .{9,999}" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350631,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in Michael Tran Table of Contents Plus plugin < v.2408 (CVE-2024-49250)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_table_of_contents_plus'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-general.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@pm toc" "chain,t:none" SecRule ARGS:toc-admin-options "@rx [\x5C\x2F]" "t:none,t:urlDecode" SecRule ARGS:company|ARGS:give_first|ARGS:give_last|ARGS:give_email|ARGS:/give_/ "@rx (?:O:\d+:|a:\d+:\{).{0,50}(?:s:\d+:|i:\d+;)|[\x00-\x1f].{0,20}(?:O:\d+:|a:\d+:\{)" "id:77350632,chain,phase:2,pass,nolog,auditlog,severity:5,t:urlDecode,msg:'IM360 WAF: PHP Object Injection vulnerability in GiveWP <= 3.19.3 (CVE-2025-22777)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^give" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350633,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Potential Unauthorized User Creation||WPU:%{TX.wp_user}||User:%{ARGS.user}||Pubkey:%{ARGS.pubkey}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule TX:rbl_infectors "!@eq 0" "chain,t:none" SecRule REQUEST_URI "@rx \/wp-admin\/admin-ajax\.php$" "chain,t:none,t:normalizePath" SecRule TX:wp_user "!@rx admin" "chain,t:none,t:lowercase" SecRule ARGS:user "@streq admin" "chain,t:none" SecRule ARGS:function "@streq register" "chain,t:none" SecRule ARGS:pubkey "!@rx ^$" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77896900,chain,phase:2,pass,severity:5,nolog,auditlog,t:none,msg:'IM360 WAF: Prohibited WordPress username login/registration||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:log|ARGS:user_login "@rx ^(admin\d?backup|wpadminerlzp)$" "t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77896900" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77896901,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Prohibited WordPress email login/registration||WPU:%{ARGS.log}||Email:%{ARGS.user_email}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:log|ARGS:user_login|ARGS:user_email "@rx ^(admin\d?backup@wordpress\.org|wpadmin@volovmart\.ru)$" "t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77896901" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77261537,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Prohibited WordPress email login/registration||WPU:%{ARGS.log}||Email:%{ARGS.user_email}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:log|ARGS:user_login|ARGS:user_email "@rx ^(wordpresupport@)" "t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77261537" SecRule REQUEST_HEADERS:Cookie "@rx wordpress_logged_in_[^=]+=((?:admin\d?backup|wpadminerlzp|deleted-|usr_[a-f0-9]{8}))" "id:77896902,phase:2,pass,severity:5,nolog,auditlog,t:none,capture,msg:'IM360 WAF: Prohibited WordPress user cookie||MV:%{tx.wp_user}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77896902" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77896904,chain,phase:2,pass,severity:5,nolog,auditlog,t:none,msg:'IM360 WAF: Tracking Prohibited WordPress username registration attempt||WPU:%{ARGS.user_login}||Action:%{ARGS.action}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq register" "t:lowercase,chain" SecRule ARGS:user_login|ARGS:username "@rx ^(admin\d?backup|wpadminerlzp|usr_[a-f0-9]{8})$" "t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77896904" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "id:77896903,chain,phase:2,pass,severity:5,nolog,auditlog,t:none,msg:'IM360 WAF: Suspicious WordPress email login/registration||WPU:%{ARGS.log}||Email:%{ARGS.user_email}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:log|ARGS:user_login|ARGS:user_email "@rx @wordpress\.org$" "t:lowercase" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350634,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:utf8toUnicode,msg:'IM360 WAF: SQLi vulnerability in WP Post Author <= 3.8.2 WordPress plugin (CVE-2024-8757) ||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS "@rx awpa" "chain,t:none" SecRule ARGS:/_id/ "@detectSQLi" "t:none" SecRule ARGS:booking_id "@rx \D" "id:77350640,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection attempt in WordPress Booking Calendar plugin <= 9.4.3 (CVE-2023-23991)||RSV:8.02||T:APACHE||MV:%{ARGS.booking_id}||',tag:'wp_core'" SecRule ARGS:formdata "@detectSQLi" "id:77350641,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: SQL Injection attempt in WordPress Booking Calendar plugin <= 9.4.3 (CVE-2023-23991)||RSV:8.02||T:APACHE||MV:%{ARGS.formdata}||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST" "id:77033832,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: PHP Code Injection All-in-One WP Migration and Backup <= 7.86 WordPress plugin (CVE-2024-9162) ||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_all_in_one_wp_migration'" SecRule &ARGS:ai1wm_manual_export "@gt 0" "chain,t:none" SecRule ARGS:options[replace][new_value][] "@rx \x22|\x27|\x5b|\(" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77350644,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in User Role Editor <= 4.64.3 (CVE-2024-12293)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_user_role_editor'" SecRule ARGS:action "@rx ure_ajax" "chain,t:none" SecRule ARGS:/ure_add_role/ "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350644'" SecRule REQUEST_METHOD "@rx ^POST" "id:77350637,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in User Role Editor <= 4.64.3 (CVE-2024-12293)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_user_role_editor'" SecRule ARGS:action "@rx ure_ajax" "chain,t:none" SecRule ARGS:/ure_revoke_role/ "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350637'" SecRule REQUEST_METHOD "@rx ^POST" "id:77350638,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in User Role Editor <= 4.64.3 (CVE-2024-12293)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_user_role_editor'" SecRule ARGS:users "!@rx ^$" "chain,t:none" SecRule ARGS:/ure_revoke_role/ "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350637'" SecRule REQUEST_METHOD "@rx ^POST$" "id:77347639,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion in EmbedPress <= 4.0.9 WordPress plugin (CVE-2024-43328)||MV:%{MATCHED_VAR}||page:%{TX.arg_p}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:page "@rx ." "chain,t:none,setvar:tx.arg_p=%{MATCHED_VAR}" SecRule ARGS:page_type "@rx \/|\." "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350643,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Data injection vulnerability in WP Automatic Plugin for WordPress before 3.92.1 (CVE-2024-27956)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_automatic',tag:'wp_core'" SecRule REQUEST_URI "@rx /wp-content/plugins/wp-automatic/inc/csv[^a-zA-Z0-9_]{0,99}\.php" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350643" SecRule REQUEST_METHOD "@rx ^GET$" "id:77350645,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Plugin Page Content Update in Website Builder by SeedProd before 6.15.22 (CVE-2024-1072)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_coming_soon'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "chain,t:none" SecRule ARGS:page "@streq seedprod_lite_template" "chain,t:none" SecRule &ARGS:id "@gt 0" "chain,t:none" SecRule ARGS:type "@rx (mm|p404|cs|loginp)" "t:none" SecRule REQUEST_METHOD "@rx ^GET$" "id:77333133,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Path traversal in Automatic plugin for WordPress before 3.92.0(CVE-2024-27954)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'wp_plugin_wp_automatic'" SecRule ARGS:wp_automatic "@streq download" "chain,t:none" SecRule ARGS:link "@rx file:\/" "t:none" SecRule ARGS:action "wc_ev_send_guest_verification_email" "id:77493677,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi vulnerability in WPFactory Email Verification for WooCommerce <= 2.8.10 (CVE-2024-49305)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{ARGS.alg_wc_ev_email}||',tag:'wp_plugin_emails_verification_for_woocommerce',tag:'wp_core'" SecRule &ARGS:alg_wc_ev_email "@gt 0" "t:none" SecRule ARGS:q "@rx .{10,999}" "id:77935323,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:utf8toUnicode,msg:'IM360 WAF: Possible SQL injection attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule ARGS:q "[^\d\w\x2d\x2e\x2c\x5c\x3f\x2f\x29\x28\x27\x22]" "chain,t:utf8toUnicode" SecRule ARGS:q "@detectSQLi" "t:none" SecRule ARGS:categoryId "@rx .{10,999}" "id:77931027,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible SQL injection attack||MVN:ARGS.categoryId||MV:%{ARGS.categoryId}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:categoryId "[^\d\w-]" "chain,t:none" SecRule ARGS:categoryid "@detectSQLi" "t:none" SecRule ARGS:author "@rx .{10,999}" "id:77350624,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible SQL injection attack||MVN:ARGS.submit||MV:%{ARGS.author}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:author "@detectSQLi" "t:none,t:utf8toUnicode,chain" SecRule ARGS:author "[^a-zA-Z0-9\-()\s\._]+" "t:none" SecRule ARGS:action "@rx .{10,999}" "id:77350625,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible SQL injection attack||MVN:ARGS.submit||MV:%{ARGS.action}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@detectSQLi" "t:none,t:utf8toUnicode,chain" SecRule ARGS:action "[^a-zA-Z0-9\-()\s\._]+" "t:none" SecRule ARGS:submit "@rx .{10,999}" "id:77350626,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:utf8toUnicode,msg:'IM360 WAF: Possible SQL injection attack||MVN:ARGS.submit||MV:%{ARGS.submit}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:submit "@detectSQLi" "t:none,t:utf8toUnicode,chain" SecRule ARGS:submit "[^a-zA-Z0-9\-()\s\._]+" "t:none" SecRule ARGS:action "@contains qi_addons_for_elementor" "id:77666028,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Local File Inclusion vulnerability in QODE Interactive Qi Addons For Elementor <= 1.6.3 (CVE-2023-47679)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||Args:%{tx.all_args}||',tag:'wp_plugin_qi_addons_for_elementor',tag:'wp_core'" SecRule &TX:trapped "@eq 0" "t:none,chain" SecRuleScript trap.lua "t:none,chain" SecRule &ARGS "@ge 0" "t:none" SecRule REQUEST_URI "@contains /wp-admin/" "id:77289174,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Manual email check trigger in Post By Email plugin for WordPress <= 1.0.4b (CVE-2025-9762)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_post_by_email'" SecRule ARGS:check_mail "@rx ." "t:none" SecRule REQUEST_URI "@rx /wp-content/uploads/\d{4}/\d{2}/.+\.(?:php|phtml|php\d|phps|phar)$" "id:77100125,phase:2,chain,pass,nolog,auditlog,severity:5,t:lowercase,t:normalizePath,msg:'IM360 WAF: Access to executable file in uploads directory - Post By Email exploit attempt (CVE-2025-9762)||SC:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_post_by_email'" SecRuleScript trap.lua "t:none,chain" SecRule &ARGS "@ge 0" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77350531,phase:2,chain,severity:5,pass,nolog,auditlog,t:none,msg:'IM360 WAF: WPDeveloper Essential Addons for Elementor <= 5.8.8 - Privilege Escalation (CVE-2023-41955)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||',tag:'noshow',tag:'wp_core'" SecRule &ARGS:/eael-register/ "@gt 0" "chain" SecRule ARGS:/role/ "." "t:none" SecRule ARGS:page "@pm nf-import-export nf-submissions nf-settings" "id:77350518,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Reflected XSS vulnerability in the Ninja Forms WordPress plugin (CVE-2024-7354)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS_NAMES "@rx (?i)(?:\b(?:(?:s(?:tyle|rc|cript)|href|lowsrc|on(?:(?:mous|mot|key|load|click|error|unload|change|submit|reset|blur|focus|scroll)(?:over|out|up|down|move)?|abort|beforeunload|stop|start|finish|bounce|dblclick|dragdrop|resize|select|touchstart|touchmove|touchend))\s{0,999}=\s{0,999}(?:\x22[^\x22]{0,999}\x22|\'[^\']{0,999}\'|\S+))|(?:<(?:\/\s{0,999})?(?:(?:script|iframe|object|embed|applet|link|style|layer|ilayer|base|meta)\b|a\s+[^>]{0,999}\bhref\s{0,999}=))|(?:(?:--[^\n]{0,999}$)|(?:\/\*.{0,999}?\*\/)|(?:(?:#|--|{)\s{0,999}$))|(?:\\[^0-9A-Za-z])|(?:!--)|\]>)" "t:none,t:urlDecode,t:lowercase" SecRule REQUEST_METHOD "@streq POST" "id:77119646,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in Ninja Forms File Uploads before 3.3.27 (CVE-2026-0740)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_forms_file_uploads'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "t:none,chain" SecRule ARGS:action "@streq nf_fu_upload" "t:none,chain" SecRule ARGS "@rx \x2e\x2e[\x2f\x5c]" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77916725,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Upload in Ninja Forms File Uploads before 3.3.27 (CVE-2026-0740)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_forms_file_uploads'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "t:none,chain" SecRule ARGS:action "@streq nf_fu_upload" "t:none,chain" SecRule ARGS "@rx \x2e(?:php[0-9s]?|phtml|phar|pht)$" "t:none,t:lowercase,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77175368,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in Ninja Forms File Uploads before 3.3.27 (CVE-2026-0740)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_forms_file_uploads'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "t:none,chain" SecRule ARGS:action "@streq nf_fu_upload" "t:none,chain" SecRule FILES_NAMES "@rx \x2e(?:php[0-9s]?|phtml|phar|pht)$" "t:none,t:lowercase" SecRule REQUEST_METHOD "^POST$" "id:77350525,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated SQLi in Blog2Social: Social Media Auto Post & Scheduler <= 7.4.1 Plugin For WordPress (CVE-2024-3549)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_blog2social',tag:'noshow'" SecRule REQUEST_FILENAME "^/wp-admin/admin-ajax.php" "chain,t:urlDecode" SecRule ARGS:action "@streq b2s_sort_data" "chain,t:none" SecRule ARGS:b2sSortPostType "@rx [^\w\-_]+|-{2,999}" "t:none" SecRule REQUEST_FILENAME "@contains /wp-json/wishlist/v1/" "id:77350554,chain,phase:1,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: SQL injection in TemplateInvaders TI WooCommerce Wishlist < 2.8.2 (CVE-2024-43917)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ti_woocommerce_wishlist',tag:'wp_core',tag:'noshow'" SecRule REQUEST_FILENAME "/get_products" "chain,t:normalizePath" SecRule ARGS:order "\W+" "t:none" SecRule REQUEST_METHOD "^GET|POST$" "id:77350599,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection vulnerability in Email Subscribers <= 5.7.25 (CVE-2024-37252)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'wp_plugin_email_subscribers'" SecRule &ARGS:es "@gt 0" "chain,t:none" SecRule ARGS:hash "@detectSQLi" "t:none,t:base64Decode" SecRule ARGS:action "@streq rank-math-options-titles" "id:77065773,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Code Injection vulnerability in Rank Math SEO <= 1.0.231 (CVE-2024-11620)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'wp_plugin_seo_by_rank_math'" SecRule ARGS:htaccess_content "." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77949106,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: LFI in Rank Math SEO plugin for WordPress before 1.0.107.3 (CVE-2023-23888)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_seo_by_rank_math'" SecRule REQUEST_URI "@rx /wp-json/rankmath/v1/updateSchemas" "t:none,t:normalizePath,chain" SecRule REQUEST_BODY|ARGS "@rx @type[\x22\x27]?\s{0,10}:\s{0,10}[\x22\x27][^\x22\x27]{0,50}(?:\.\./|%2e%2e%2f)" "t:none,t:urlDecodeUni,t:lowercase" SecRule ARGS:action "@streq woof_sd_get_options" "id:77155358,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Path Traversal and Code Injection vulnerabilities in PluginUS HUSKY – Products Filter for WooCommerce <= 1.3.5.2 (CVE-2024-32680)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce_products_filter',tag:'wp_core'" SecRule &ARGS:sd_nonce "@gt 0" "chain" SecRule ARGS:type "\.\.|\/" "t:urlDecode" SecRule ARGS:action "@streq woof_sd_get_options" "id:77155359,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Path Traversal and Code Injection vulnerabilities in PluginUS HUSKY – Products Filter for WooCommerce <= 1.3.5.2 (CVE-2024-32680)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce_products_filter',tag:'wp_core'" SecRule &ARGS:sd_nonce "@gt 0" "chain" SecRule ARGS:type "@validateByteRange 1-255" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77639054,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: Local File Inclusion in HUSKY Products Filter Professional plugin for WordPress < 1.3.7.1 (CVE-2025-52708)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce_products_filter'" SecRule ARGS:action "@streq woof_form_builder_get_section_options" "chain,t:none" SecRule ARGS:section_key "@rx (?:\.\.\/|%2e%2e/|%252e%252e|/etc/|/var/|/proc/|wp-config|%00|\\x00)" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_URI "@contains block-renderer/core/latest-comments" "id:77592377,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Remote Code Execution vulnerability in The Widget Options <=4.0.7 (CVE-2024-8672)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||URI:{REQUEST_URI}||RSV:8.02||T:APACHE||',tag:'wp_plugin_widget_options'" SecRule ARGS:/extended_widget_opts/ "(?i)(\binsert\b|\bupdate\b|\bdelete\b|\breplace\b|\bselect\b|\bdrop\b|\balter\b|\bwp_insert_post\b|\bwp_update_post\b|\bwp_delete_post\b|\bwp_insert_user\b|\bwp_update_user\b|\bwp_delete_user\b|\badd_option\b|\bupdate_option\b|\bdelete_option\b|\bwpdb\b|<script\b[^>]*>(.+?)<\/script>|<style\b[^>]*>(.+?)<\/style>|\bfile_put_contents\b|\bfile_get_contents\b|\bfopen\b|\bfwrite\b|\bunlink\b|\brename\b|\bchmod\b|\bchown\b|\bcopy\b|\bscandir\b|\bwp_remote_get\b|\bwp_remote_post\b|\bcurl_init\b|\bstream_context_create\b|\bReflectionClass\b|\bReflectionMethod\b|\bReflectionProperty\b|\bcall_user_func\b|\bcall_user_func_array\b|\bextract\b|\bparse_str\b|\beval\b|\bsystem\b|\bshell_exec\b|\bpassthru\b|\bexec\b|\bpopen\b)" "t:none" SecRule REQUEST_METHOD "^POST" "id:77472934,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated SQLi in Blog2Social: SQLi vulnerabity in Media Library Folders <=8.2.2 WordPress plugin (CVE-2024-7857)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_media_library_plus'" SecRule REQUEST_FILENAME "@rx admin-ajax.php" "chain,t:urlDecode" SecRule ARGS:action "@rx ^mlf_" "chain,t:none" SecRule ARGS:sort_type "@rx \W" "t:none" SecRule REQUEST_FILENAME "@contains .php" "id:77923014,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated SQLi vulnerability in WP User Frontend <= 4.0.7 WordPress plugin (CVE-2024-38693)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS "@rx ^wpuf_" "chain,t:none" SecRule ARGS:orderby "@rx ." "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77837062,phase:2,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQL injection vulnerability in WordPress <=5.8.3 (CVE-2022-21661)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{TX.1}||',tag:'wp_core'" SecRule ARGS:query_vars "@rx \bterm_taxonomy_id\b" "t:none,chain" SecRule ARGS:query_vars "@rx (\bterms\b.{0,200})" "t:none,chain,capture" SecRule ARGS:query_vars "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77458362,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: SQL injection vulnerability in WordPress <=5.8.3 (CVE-2022-21661)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{TX.1}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:query_vars "@rx (\bterms\b.{0,200})" "t:none,capture" SecRule REQUEST_METHOD "@rx ^GET$" "id:77037727,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Cross-Site Scripting vulnerability in Essential Addons for Elementor < 6.0.15 (CVE-2025-24752)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'" SecRule ARGS:eael-lostpassword "@streq 1" "t:none,chain" SecRule ARGS:popup-selector "[<>=]" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77678931,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS via dangerous file upload in Drag and Drop Multiple File Upload plugin for WordPress < 1.1.1 (CVE-2023-4821)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq dnd_codedropz_upload_wc" "t:none,chain" SecRule FILES "@rx \.(?:svg|shtml|php\d?\.)$" "t:none,t:lowercase,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77678931'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77678932,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS/RCE via dangerous file upload in Drag and Drop Multiple File Upload plugin for WordPress < 1.1.1 (CVE-2023-4821)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq dnd_codedropz_upload_wc" "t:none,chain" SecRule ARGS:supported_type "@rx ^\.$" "t:none,t:lowercase,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77678932'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77678933,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS/File include via dangerous file upload in Drag and Drop Multiple File Upload plugin for WordPress < 1.1.1 (CVE-2023-4821)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:dnd-wc-upload-file "@rx \.(?:svg|shtml|php\d?\.)$" "t:none, t:lowercase,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77678933'" SecRule REQUEST_FILENAME "@rx \/wp-content\/uploads\/wc_drag-n-drop_uploads\/\S+\.(?:svg|shtml|php\d?\.)$" "id:77678934,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Access to suspicious file in Drag and Drop Multiple File Upload plugin uploads directory for WordPress < 1.1.1 (CVE-2023-4821)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core',setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77678934'" SecRule REQUEST_METHOD "POST" "id:77730904,phase:2,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Local PHP File Inclusion in Swift Performance Lite <= 2.3.7.1 WordpressPlugin (CVE-2024-10516)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "swift_performance_ajaxify" "chain,t:none" SecRule ARGS:data "@rx ^\[\x22template-part" "chain,t:none,t:base64Decode" SecRule ARGS:data "@rx \.\./\.\./\.\./" "t:none,t:base64Decode" SecRule REQUEST_METHOD "POST" "id:77730905,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Unauthenticated Local PHP File Inclusion in Swift Performance Lite <= 2.3.7.1 WordpressPlugin (CVE-2024-10516)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "swift_performance_ajaxify" "chain,t:none" SecRule ARGS:data "@rx ^\[\x22template-part" "chain,t:none,t:base64Decode" SecRule ARGS:data "@rx [?[\]\/\\=<>:;,'\"&$#*()|~\x60!{}%+\x00]" "t:none,t:base64Decode" SecRule REQUEST_URI "@contains /admin-ajax.php" "id:77170635,phase:5,pass,chain,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Unrestricted Upload of File with Dangerous Type vulnerability in Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress <= 1.3.8.9 (CVE-2025-3515)||MV:%{FILES.upload-file}||RSV:8.02||T:APACHE||',tag:'wp_plugin_drag_and_drop_multiple_file_upload_contact_form_7'" SecRule ARGS:action "@streq dnd_codedropz_upload" "t:none,chain" SecRule ARGS:form_id "." "t:none,chain" SecRule FILES:upload-file "@rx \.(php|phtml|php3|php4|php5|pht|phar|phps|jsp|asp|aspx|sh|pl|py|rb|exe|scr|bat|cmd|com|pif|vbs|js|jar|class|htaccess)$" "t:none" SecRule REQUEST_METHOD "@rx ^(?:POST|PUT)$" "id:77674904,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in Contact Form 7 plugin for WordPress before 5.8.4 (CVE-2023-6449)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_contact_form_7'" SecRule REQUEST_URI "@rx /wp-json/contact-form-7/v[0-9]/contact-forms/[0-9]{1,10}/feedback" "t:none,t:lowercase,chain" SecRule FILES_NAMES "@rx \.(?:ph(?:p|tml)|p[ly]|rb|cgi)\d{0,2}(?:[\x3f\x3b\x3a\x5b\x5d\x5c\x3d\x3c\x3e\x26\x24\x23\x7c\x21\x7b\x7d\x25\x2b\x27\x22\x28\x29]|\.(?:jpe?g|png|gif|webp|svg|pdf|docx?|zip))" "t:none,t:urlDecode,t:lowercase" SecRule ARGS:action "@streq wppa" "id:77199428,phase:2,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unrestricted Upload of File with Dangerous Type vulnerability in WP Photo Album Plus < 8.6.03.005 (CVE-2024-31286)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||File:%{FILES}||',tag:'wp_core',tag:'noshow'" SecRule FILES "@rx (\.(pht|phtml|php\d?|s?p?html?|phar)$)" "t:none,t:lowercase" SecRule ARGS:page "@streq wppa_upload_photos" "id:77028648,phase:2,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unrestricted Upload of File with Dangerous Type vulnerability in WP Photo Album Plus < 8.6.03.005 (CVE-2024-31286)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||File:%{FILES}||',tag:'wp_core',tag:'noshow'" SecRule FILES "@rx (\.(pht|phtml|php\d?|s?p?html?|phar)$)" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77222206,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection vulnerability in StoreApps Smart Manager <=8.52.0 (CVE-2025-22710)||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq sm_beta_include_file" "chain,t:none" SecRule ARGS:advanced_search_query "\x22value\x22:\x22(.{2,200}?)\x22" "chain,t:none,capture" SecRule TX:1 "@detectSQLi" "t:none" SecRule REQUEST_FILENAME "@contains /wp-admin/" "id:77451816,phase:2,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Unauthenticated Local File Inclusion in Premmerce Permalink Manager for WooCommerce <= 2.3.10 WordPress plugin (CVE-2024-27971)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_woo_permalink_manager'" SecRule ARGS:tab "@rx (?i)<\/script|\)&\x60'|'\);|^\/\w+\/\w+$|-q=cname|\.gethostbyname\(|\);$\w+='|convert\(varchar,|php:\/\/|file:\/\/|expect:\/\/|zip:\/\/|data:\/\/|\.\.\/|\.\.\\|phar:\/\/|\(document\.domain\)|DBMS_PIPE.RECEIVE_MESSAGE" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@rx /(newlogin|core|lib|storage|writer|modules|views|comments|ajax-call|ghost-(?:login|admin))/" "id:77899261,skip:1,phase:2,chain,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: LFI vulnerability in the WP Ghost plugin (CVE-2025-26909)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_hide_my_wp'" SecRule REQUEST_URI "@rx php:\/\/|file:\/\/|expect:\/\/|zip:\/\/|\Wdata:\/\/|\/\.\.\/\.\.\/\.\.\/\.\.|\\\/\/\\\.\.\\|phar:\/\/|alert\(document\.domain\)|DBMS_PIPE.RECEIVE_MESSAGE" "t:none" SecRule REQUEST_URI "@rx php:\/\/|file:\/\/|expect:\/\/|zip:\/\/|\Wdata:\/\/|\/\.\.\/\.\.\/\.\.\/\.\.|\\\/\/\\\.\.\\|phar:\/\/|alert\(document\.domain\)|DBMS_PIPE.RECEIVE_MESSAGE" "id:77899262,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Suspicious input in URI tracking||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "id:77567308,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection vulnerability in StoreApps Smart Manager <=8.52.0 (CVE-2025-22710)||MV:%{TX.0}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:page "@streq ts-poll" "chain,t:none" SecRule ARGS:orderby "@rx \W" "t:none" SecRule REQUEST_METHOD "POST" "id:77960685,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in WP Time Capsule <= 1.22.21 WordPress plugin (CVE-2024-8856)||MV:%{TX.0}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/index.php" "chain,t:none" SecRule FILES "!@rx \.(sql|gz|crypt)$|^$" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77514033,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in WP Time Capsule <= 1.22.21 WordPress plugin (CVE-2024-8856)||MV:%{TX.0}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/index.php" "chain,t:none" SecRule FILES "!@rx ^$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77722346,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: [RBL] CSRF in Royal Elementor Addons and Templates plugin for WordPress (CVE-2025-1441)||WPU:%{tx.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_royal_elementor_addons'" SecRule ARGS:action "@rx ^(wpr_filter_woo_products|wpr_get_woo_filtered_count)$" "chain,t:none,t:lowercase,t:urlDecode,t:normalizePath" SecRule &ARGS:nonce "@eq 0" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77722346'" SecRule REQUEST_METHOD "POST" "id:77748422,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in The Slider and Carousel slider by Depicter <= 3.1.1 plugin for WordPress (CVE-2024-4389)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "depicter-media-upload" "chain,t:none" SecRule FILES "!@rx \.(jpg|jpeg|png|gif|webp|ico|svg|pdf|doc|docx|ppt|pptx|xls|xlsx|odt|zip|gz|gzip|mp3|m4a|ogg|wav|mp4|m4v|mov|wmv|avi|txt|csv|tsv|rtf)$" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77748423,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in The Slider and Carousel slider by Depicter <= 3.1.1 plugin for WordPress (CVE-2024-4389)||action:%{ARGS.action}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx .php$" "chain,t:none" SecRule ARGS:action "depicter" "chain,t:none" SecRule FILES "@rx \.(php\d*|phtml|phar)" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77418405,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Code Injection vulnerability in The The NitroPack <= 1.67 WordPress plugin (CVE-2024-43922)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{TX.1}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx nitro_shortcode_ajax" "chain,t:none" SecRule ARGS:tags|ARGS:data "@rx (?i)(.{0,30}(?:<\?php|(eval|system|passthru|shell_exec|base64_decode|alert|confirm|prompt|onerror|onload)\s*\x28|\x60|<\s*(?:script|iframe|object|embed|img|svg|base|form|input|body|link|meta|audio|video)).{8,300})" "t:none,capture" SecRule REQUEST_METHOD "POST" "id:77418406,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Code Injection vulnerability in The The NitroPack <= 1.67 WordPress plugin (CVE-2024-43922)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{TX.1}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx nitro_shortcode_ajax" "chain,t:none" SecRule ARGS:tags|ARGS:data "@rx (?i)\x5b([^\x5d]{0,100}(?:<\?php|(eval|system|passthru|shell_exec|base64_decode|alert|confirm|prompt|onerror|onload)\s*\x28|\x60|<\s*(?:script|iframe|object|embed|img|svg|base|form|input|body|link|meta|audio|video)\s)[^\x5d]{8,300})" "t:none,t:base64Decode,capture" SecRule ARGS:mla_stream_file "@rx -->\x27\\\x22\x22<|^(?:php|phar|file|data|ftps?|https?):\/\/" "id:77890475,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Remote Code Execution in The Media Library Assistant plugin for WordPress (CVE-2024-51661)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_media_library_assistant'" SecRule ARGS:mla_download_file "@rx ^(../../../|/etc/)" "id:77890476,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Authenticated (Administrator+) Remote Code Execution in The Media Library Assistant plugin for WordPress (CVE-2024-51661)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_media_library_assistant'" SecRule ARGS:action "@streq proxy_image" "id:77623484,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Read in Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress < 4.0.27 (CVE-2025-3419)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_event_solution'" SecRule ARGS_GET:url "@rx \.\.\/|wp-config\.php" "t:none" SecRule &ARGS:hash "@gt 0" "id:77845934,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: SQLi vulnerability in Icegram Express <= 5.7.23 plugin for WordPress & WooCommerce(CVE-2024-5756)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_email_subscribers'" SecRule ARGS:es "@detectSQLi" "t:none" SecRule &ARGS:es "@gt 0" "id:77845935,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: SQLi vulnerability in Icegram Express <= 5.7.23 plugin for WordPress & WooCommerce(CVE-2024-5756)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_email_subscribers'" SecRule ARGS:hash "@detectSQLi" "t:none,t:base64Decode" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77643956,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Object Injection in All-in-One WP Migration plugin (File Upload) for WordPress < 7.90 (CVE-2024-10942)||RSV:8.02||T:APACHE||',tag:'wp_plugin_all_in_one_wp_migration'" SecRule ARGS:action "@streq ai1wm_import" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77643956" SecRule REQUEST_METHOD "@streq POST" "id:77352312,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in Events Manager plugin for WordPress < 6.6.4 (CVE-2024-11260)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_events_manager'" SecRule ARGS:action "@streq em_search_events" "t:none,chain" SecRule REQUEST_FILENAME "@rx /wp-json/em/v2/events|/wp-admin/admin-ajax\.php" "t:none,chain" SecRule ARGS:active_status "@rx [^0-9,\s-]" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77352312" SecRule REQUEST_URI "@rx /wp-admin/admin\.php" "id:77406198,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: SQL Injection in Paid Memberships Pro plugin < 3.0.6 (CVE-2024-37486)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_paid_memberships_pro'" SecRule ARGS:page "@rx ^(?:pmpro-orders|pmpro-discountcodes)$" "t:none,chain" SecRule ARGS:order "@detectSQLi" "t:none,t:urlDecodeUni,t:utf8toUnicode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77406198" SecRule REQUEST_METHOD "@rx ^POST$" "id:77106703,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated (Instructor+) SQLi Vulnerability in Tutor LMS <= 2.7.0 WordPress plugin (CVE-2024-4318)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx /admin-(?:ajax|post)\.php" "chain,t:none" SecRule ARGS:action "@streq destroy-sessions" "chain,t:none" SecRule ARGS:user_id "@detectSQLi" "t:none" SecRule ARGS_NAMES "@rx ^billing_|^shipping_" "id:77864032,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecode,t:htmlEntityDecode,msg:'IM360 WAF: Stored XSS in WooCommerce plugin for WordPress < 9.7.1 (CVE-2025-26762)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_accounting_for_woocommerce'" SecRule REQUEST_HEADERS:Content-Type "!@contains application/json" "t:none,chain" SecRule ARGS "!@rx <!DOCTYPE\s" "t:none,chain" SecRule REQUEST_URI "@rx /wp-json/wc/v[123]/checkout|/checkout/\?" "t:none,chain" SecRule ARGS "@rx (?i)(<[^>]*>|data:|script:|on\w+=['\"])" "t:none" SecRule REQUEST_METHOD "POST" "id:77515592,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Directory Traversal in Unlimited Elements For Elementor plugin for WordPress < 1.5.67 (CVE-2023-33930)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/" "chain,t:none" SecRule ARGS:action "@pm unlimitedelements_ajax_action import_addon_file" "chain,t:none,t:lowercase" SecRule FILES "@endsWith .zip" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77515593,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Zip upload with path traversal in Unlimited Elements For Elementor plugin for WordPress < 1.5.67 (CVE-2023-33930)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains unlimitedelements" "chain,t:none" SecRule FILES_NAMES "@rx \.\.\/" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "POST" "id:77515594,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious access to Unlimited Elements For Elementor plugin for WordPress < 1.5.67 (CVE-2023-33930)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@pm unlimited-elements-for-elementor unitecreator_exporter" "t:none,t:urlDecodeUni,t:normalizePath" SecRule REQUEST_METHOD "@rx ^POST$" "id:77842027,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Upload in CMP-Coming Soon & Maintenance <= 4.1.13 WordPress plugin (CVE-2025-32118)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_cmp_coming_soon_maintenance'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq cmp-settings" "chain,t:none" SecRule ARGS:submit_theme "@streq Install Theme" "chain,t:none" SecRule FILES:fileToUpload "@rx \.(php|phtml|php3|php4|php5|php7|phar|inc|htaccess|htpasswd|config|log|sql|asp|aspx|jsp|jspx|exe|dll|bat|cmd|sh|bash|pl|py|rb|js)$" "t:none" SecRule ARGS:addonID|ARGS:addons_order|ARGS:/widget\sid/|ARGS:/Widget\sID/ "@detectSQLi" "id:77842648,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated (Contributor+) Blind SQLi Vulnerability in Unlimited Elements For Elementor <= 1.5.109 (CVE-2024-5329)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_unlimited_elements_for_elementor'" SecRule REQUEST_METHOD "@rx POST" "id:77500238,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated Local File Inclusion Vulnerability in The Post Grid <= 7.7.17 WordPress plugin (CVE-2025-30814)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx /wp-admin/" "chain,t:none" SecRule ARGS:card_address "@rx eval\(base64_decode\(\$|;if\(md5\(\$_COOKIE\[\x22" "t:none,t:base64Decode" SecRule REQUEST_METHOD "@rx POST" "id:77500239,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated (Contributor+) Local File Inclusion Vulnerability in The Post Grid <= 7.7.17 WordPress plugin (CVE-2025-30814)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_the_post_grid'" SecRule REQUEST_URI "@rx /wp-admin/" "chain,t:none" SecRule ARGS:/params/|ARGS:/layout/ "@rx (\.<>\./\.<>\./\.<>\./\.<>\./\.<>\./\.<>\./\.<>\./\.<>\.|\.\./\.\./\.\./\.\./\.\./\.\./\.\.)/{1.3}(?:opt/alt|tmp|usr/local|etc)/\w" "t:none,t:base64Decode" SecRule REQUEST_METHOD "@rx POST" "id:77500240,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated (Contributor+) Local File Inclusion Vulnerability in The Post Grid <= 7.7.17 WordPress plugin (CVE-2025-30814)||MVN:%{tx.mvn}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx /wp-admin/" "chain,t:none" SecRule ARGS "@rx (\.<>\./\.<>\./\.<>\./\.<>\./\.<>\./\.<>\./\.<>\./\.<>\.|\.\./\.\./\.\./\.\./\.\./\.\./\.\.)/{1.3}" "chain,t:none,t:none,t:urlDecode,setvar:tx.mvn=%{MATCHED_VAR_NAME}" SecRule MATCHED_VAR "@contains /php/pearcmd" SecRule REQUEST_METHOD "@rx ^POST$" "id:77830603,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated (Contributor+) SQLi vulnerability in Quiz And Survey Master - Best Quiz, Exam and Survey <= 9.0.1 Plugin for WordPress <= 9.0.1 (CVE-2024-3592)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@rx get_question|qsm_bulk_delete_question_from_database" "chain,t:none" SecRule ARGS:question_id "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77110078,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege Escalation via MCP token disclosure in AI Engine plugin for WordPress before 3.1.4 (CVE-2025-11749)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ai_engine'" SecRule REQUEST_URI "@rx /wp-json/mcp/v1/[^/]+/sse" "t:none,t:lowercase,chain" SecRule REQUEST_BODY "@rx wp_create_user" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77836476,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege Escalation vulnerability in Brainstorm Force SureTriggers plugin for Wordpress <= 1.0.82 (CVE-2025-27007)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_suretriggers'" SecRule REQUEST_FILENAME "@contains /wp-json/sure-triggers/v1/automation/action" "t:none,chain" SecRule REQUEST_HEADERS:St-Authorization "@rx ^$" "t:none,chain" SecRule ARGS:type_event "@pm create_user_if_not_exists" "t:none,chain" SecRule ARGS:selected_options[role] "." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77026115,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege Escalation in Flynax Bridge plugin for WordPress < 2.2.1 (CVE-2025-3604)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_flynax_bridge'" SecRule REQUEST_URI "@contains /flynax-bridge/request.php" "t:none,t:lowercase,chain" SecRule ARGS:route "@rx ^(?:update-user|update-password|register-user|delete-user)$" "t:none,t:lowercase,chain" SecRule &ARGS:ID "@ge 1" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77119613,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege Escalation in REST API Custom API Generator plugin for WordPress before 2.0.4 (CVE-2025-5288)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_import_export_with_custom_rest_api'" SecRule ARGS:import_api "@rx ^https?://" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@rx /everest_forms_uploads/" "id:77842649,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Everest Forms <= 3.0.9.4 WordPress plugin (CVE-2025-1128)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_everest_forms'" SecRule REQUEST_BASENAME "\.(phar|ph[\dp]|js)" "t:none" SecRule ARGS:action "@rx everest_forms_remove_file" "id:77842650,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Everest Forms <= 3.0.9.4 WordPress plugin (CVE-2025-1128)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_everest_forms'" SecRule ARGS:file "@rx ../../../|^/" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77842651,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Everest Forms <= 3.0.9.4 WordPress plugin (CVE-2025-1128)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_everest_forms'" SecRule ARGS:action "@rx everest_forms_upload_file" "chain,t:none" SecRule FILES "\.(php|phtml|php3|php4|php5|php7|phar|inc|htaccess|htpasswd|config|log|sql|asp|aspx|jsp|jspx|sh|bash|pl|py|rb|js)" "t:none" SecRule ARGS:name|ARGS:template|ARGS:data|ARGS:content "@rx \.\./(?:wp-config.php|/etc/passwd|/proc/self/environ)|php://filter/(?:read|write|resource|convert|zlib)[^=]*?=(?:http|/|\.|convert|string)|\.\./(?:usr|bin)/|file://etc/group" "id:77789664,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated (Contributor+) LFI Vulnerability in Download Monitor <= 5.0.22 WordPress plugin (CVE-2025-47439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:name|ARGS:template|ARGS:data|ARGS:content "@rx add_action|do_action|wp-config.php|/(?:usr|bin|opt|tmp|etc|proc)/|//filter/|(?:eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|assert)\s*?\(" "id:77065534,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated (Contributor+) LFI Vulnerability in Download Monitor <= 5.0.22 WordPress plugin (CVE-2025-47439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx POST" "id:77065535,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated suspicious date insert attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx admin-ajax.php|/wp-admin/" "chain,t:none" SecRule ARGS:newcontent "@contains if die('WP ADMIN USER EXISTS'))" "chain,t:none" SecRule ARGS:newcontent "@rx 'user_login'\s=>\s'admin2backup|wpadminerlzp'" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77065536,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated suspicious date insert attempt||MVN:%{TX.matched_name}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx admin-ajax.php|/wp-admin/|wp-json|post.php" "chain,t:none,t:normalizePath" SecRule ARGS "@rx function_exists\('(?:wp_enqueue_async_script|add_action|wp_die|get_user_by|is_wp_error|get_current_user_id|get_option|add_action|add_filter|wp_insert_user|update_option)'\)" "chain,t:none,setvar:tx.matched_name=%{MATCHED_VAR_NAME}" SecRule MATCHED_VAR "@rx 'role'\s? =>\s?'administrator'" "t:none" SecRule ARGS:/name/|ARGS:/template/|ARGS:/data/|ARGS:/content/|ARGS:/options/|ARGS:/post/ "@rx (?i)\.\./\.\./\.\./\.\./|\.\./wp-config|/etc/passwd|/proc/self/environ|php://|filter//?(?:read|write|resource|convert|zlib)|/(?:usr|bin|opt|tmp|etc|proc)/|\$CONFIG\b|error_reporting[:=\s\x22\x27]+?false|add_action|do_action|//filter/" "id:77789665,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated (Contributor+) LFI Vulnerability in Download Monitor <= 5.0.22 WordPress plugin (CVE-2025-47439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &REQUEST_HEADERS:Mwp-Action "@eq 0" "id:77764168,phase:1,pass,nolog,noauditlog,severity:5,t:none,msg:'IM360 WAF: check for skip ManageWP rules',tag:'wp_core',skip:1" SecRule REQUEST_HEADERS:Content-Type "application/json" "id:77764167,phase:1,pass,nolog,noauditlog,severity:5,t:none,t:lowercase,ctl:requestBodyProcessor=JSON,msg:'IM360 WAF: set JSON body processor',tag:'wp_core'" SecRule &REQUEST_HEADERS:Mwp-Action "@eq 0" "id:77764173,phase:2,pass,skipAfter:ManageWP_Marker,nolog,noauditlog,severity:5,t:none,msg:'IM360 WAF: skip ManageWP rules',tag:'wp_core'" SecRule REQUEST_METHOD "POST" "id:77764169,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Found ManageWP PHP code execution payload||REQ_BODY_SIZE:%{REQUEST_BODY_LENGTH}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_HEADERS:Mwp-Action "@streq execute_php_code" "t:none,chain" SecRule ARGS:params.code64 "^.{2}(.{0,9999})$" "t:none,chain,capture" SecRule TX:1 "." "t:base64DecodeExt,setvar:'tx.managewp_code=%{MATCHED_VAR}',chain" SecRuleScript detectlua.lua "t:none,chain" SecRule &ARGS "@ge 0" "t:none" SecRule tx:managewp_code "@pm administrator" "id:77764170,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: ManageWP PHP payload matched a key word||CODE:%{TX.1}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule tx:managewp_code "(.{1,9999})" "t:none,t:base64Encode,capture" SecRule &TX:lua_present "@eq 1" "id:77764178,nolog,auditlog,pass,chain,severity:5,phase:2,t:none,msg:'IM360 WAF: Attempt to execute malicious PHP with ManageWP||Action:%{ARGS.action}||Scan duration:%{TX.lua_scan_duration}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||CODE:%{TX.1}||',tag:'wp_core',setvar:'tx.managewp_code_raw=raw_code:%{tx.managewp_code}'" SecRule tx:managewp_code_raw "@inspectFile inspectfile.lua" "t:none,chain" SecRule tx:managewp_code "(.{1,9999})" "t:none,t:base64Encode,capture" SecMarker ManageWP_Marker SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77401493,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated (Limited) Remote Code Execution in Time Clock <= 1.2.2 WordPress plugin (CVE-2024-9593)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||func:%{ARGS.function}',tag:'wp_core'" SecRule ARGS:action "@streq etimeclockwp_load_function" "chain,t:none" SecRule ARGS "@rx (?:\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|pcntl_exec|base64_decode|gzinflate|gzuncompress|str_rot13|strrev|urldecode|rawurldecode|\$)\s*\(|[o]:\d+:\x22|;|&&|backticks|\.\./|\x2e\x2e\x2f|etc/passwd|boot\.ini|wp-config\.php)" SecRule REQUEST_METHOD "^POST$" "id:77249011,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated (Contributor+) Arbitrary File Upload Vulnerability in Brizy - Page Builder <= 2.6.4 WordPress plugin (CVE-2024-10960)||ACTION:%{ARGS.action}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx admin-ajax\.php" "chain,t:none" SecRule ARGS:action "@rx ^brizy_" "chain,t:none" SecRule FILES "@rx \.(php|phtml|php3|php4|php5|php7|phar|inc|htaccess|htpasswd|config|log|sql|asp|aspx|jsp|jspx|sh|bash|pl|py|rb|js)$" "t:none" SecRule ARGS:option "@streq oauthredirect" "id:77044418,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion Vulnerability in WordPress Social Login and Register <= 7.6.10 WordPress plugin (CVE-2025-47670)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:app_name "@rx \.<>\./\.<>\./|\.\./\.\./" "t:none" SecRule ARGS:option "@streq oauthredirect" "id:77044419,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion Vulnerability in WordPress Social Login and Register <= 7.6.10 WordPress plugin (CVE-2025-47670)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:app_name "@rx ^/|/(etc|usr|opt|etc|s?bin|proc)/" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77828522,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated (Contributor+) SQLi Vulnerability in LearnPress-WordPress LMS Plugin <= 4.2.6.9.3 (CVE-2024-7548)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_BODY "@rx (?i)shortcode learn_press" "chain,t:none" SecRule REQUEST_BODY "@rx (?i)order=([^\x22\x27]+)" "chain,t:none,capture,setvar:tx.lp_order=%{TX.1}" SecRule TX:lp_order "@detectSQLi" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77828523,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Unauthenticated SQLi In Cost Calculator Builder <= 3.2.65 (CVE-2025-39587)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx admin-ajax\.php" "chain,t:none" SecRule ARGS:action "@rx ^update_order_status$" "chain,t:none" SecRule ARGS:data "@detectSQLi" "t:none,t:base64Decode" SecRule REQUEST_METHOD "^POST$" "id:77376057,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Local File Inclusion Vulnerability in HUSKY - Products Filter Professional for WooCommerce <= 1.3.6.4 (CVE-2025-26890)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq woof_form_builder_get_section_options" "chain,t:none" SecRule ARGS:data "@rx [^a-z0-9_\-]" "t:none" SecRule REQUEST_METHOD "@rx GET" "id:77116464,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Local File Inclusion in Funnel Builder plugin for Wordpress <= 3.11.1 (CVE-2025-54750)||MV:%{ARGS.log_selected}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/funnelkit-app/funnels/tools/view-log-file" "chain,t:none,t:normalizePath" SecRule &ARGS:log_selected "@gt 0" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77546626,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation in RomethemeKit For Elementor <= 1.5.4 Wordpress plugin (CVE-2025-30911)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq install_requirements" "chain,t:none" SecRule ARGS:plugin "@rx ." "t:none" SecRule REQUEST_FILENAME "@contains /members/" "id:77708668,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: SQLi in wpForo Forum plugin for WordPress <= 2.4.8 (CVE-2025-4203)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpforo'" SecRule ARGS:offset|ARGS:row_count|ARGS:wpfpaged "PROCEDURE ANALYSE" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77797884,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection Vulnerability in WP Sessions Time Monitoring Full Automatic <= 1.0.9 (CVE-2024-49681)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@rx admin-ajax.php|activitytime/v1/action" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx activitytime_action" "chain,t:none" SecRule REQUEST_URI|REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "@detectSQLi" "t:none" SecRule REQUEST_METHOD "POST" "id:77205657,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection vulnerability in quadlayers Perfect Brands for WooCommerce <= 3.6.0 (CVE-2025-58686)||WPU:%{tx.wp_user}||MV:%{TX.1}||MVN:%{tx.mvn1}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:content|ARGS:post_content|ARGS:shortcode "@rx \[products.{0,300}brands=['\"](.{0,999})['\"]" "t:none,t:utf8toUnicode,t:lowercase,capture,chain,setvar:tx.mvn1=%{MATCHED_VAR_NAME}" SecRule TX:1 "@detectSQLi" "t:none" SecRule REQUEST_URI "@rx /wp-admin/admin-ajax\.php$" "id:77771664,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in Jupiter X Core <= 4.6.5 WordPress plugin (CVE-2024-7772)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@rx raven.form.frontend" "chain,t:lowercase" SecRule FILES "@rx \.(php|phtml|php3|php4|php5|pht|phar|phps|jsp|asp|aspx|sh|pl|py|rb|exe|scr|bat|cmd|com|pif|vbs|js|jar|class|war|zip|rar|7z|tar|gz)$" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77980114,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Arbitrary File Upload Vulnerability in LearnPress - WordPress LMS Plugin <= 4.2.6.5 WordPress plugin (CVE-2024-4397)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx /wp-json/learnpress/v1/materials/" "chain,t:none" SecRule FILES "@rx \.(php|phtml|php3|php4|php5|pht|phar|phps|jsp|asp|aspx|sh|pl|py|rb|exe|scr|bat|cmd|com|pif|vbs|js|jar|class|war|zip|rar|7z|tar|gz)$" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77110928,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file deletion in Contact Form 7 plugin for WordPress <= 3.2.4 (CVE-2025-8141)||MV:%{ARGS.wpcf7-redirect}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:wpcf7-redirect[] "@rx \.\.\/\.\.\/\.\.\/|^\/" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77793724,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Local File Inclusion and Remote Code Execution in Jupiter X Core plugin for WordPress (CVE-2025-0366)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx raven_form_frontend" "chain,t:none" SecRule ARGS:/fields/ "@rx \.\./(?:wp-config.php|/etc/passwd|/proc/self/environ)|php://filter/(?:read|write|resource|convert|zlib)[^=]*?=(?:http|/|\.|convert|string)|\.\./(?:usr|bin)/|file://etc/group|(/etc/passwd|/proc/self/environ|php://|data://|input://|zip://|phar://|file://|/usr/|/bin/)|\b(__wakeup|__destruct|exec|passthru|system|unserialize|eval)\(" "t:none" SecRule REQUEST_METHOD "@rx POST" "id:77793725,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Local File Inclusion and Remote Code Execution in Jupiter X Core plugin for WordPress (CVE-2025-0366)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq elementor_ajax" "chain,t:none" SecRule ARGS:device_frame|ARGS:settings "@rx \.\./(?:wp-config.php|/etc/passwd|/proc/self/environ)|php://filter/(?:read|write|resource|convert|zlib)[^=]*?=(?:http|/|\.|convert|string)|\.\./(?:usr|bin)/|file://etc/group|(/etc/passwd|/proc/self/environ|php://|data://|input://|zip://|phar://|file://|/usr/|/bin/)|\b(__wakeup|__destruct|exec|passthru|system|unserialize|eval)\(" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77280957,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: PHP Object Injection via unsafe deserialization in Redirection for Contact Form 7 plugin for WordPress <= 3.2.4 (CVE-2025-8289)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpcf7_redirect'" SecRule REQUEST_URI "@rx /wp-json/contact-form-7/v1/contact-forms/\d+/feedback" "chain,t:none,t:normalizePath" SecRule ARGS "@rx (?:O:\d+:|a:\d+:\{).{1,999}(?:s:\d+:\"(?:path|file)|\.\.\/)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77280958,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Serialized PHP object detected in Contact Form 7 file upload (CVE-2025-8289)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpcf7_redirect'" SecRule REQUEST_URI "@rx /wp-json/contact-form-7/v1/contact-forms/\d+/feedback" "chain,t:none,t:normalizePath" SecRule ARGS:/file/|ARGS:/upload/|ARGS:/attachment/ "@rx ^(?:O:\d+:|a:\d+:\{)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77280959,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Path traversal in serialized file metadata in Redirection for Contact Form 7 plugin (CVE-2025-8289)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpcf7_redirect'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS "@rx (?:O:\d+:|a:\d+:\{).{1,999}(?:\.\.\/|\/etc\/|wp-config)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77821451,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Object Injection in Redirection for Contact Form 7 plugin for WordPress before 3.2.5 (CVE-2025-8145)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpcf7_redirect'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "t:none,chain" SecRule ARGS:action "@streq wpcf7_submit" "t:none,chain" SecRule REQUEST_BODY|ARGS "@rx (?:O:\d+:\x22[^\x22\s]{1,100}\x22:\d+:\x7b|a:\d+:\x7b.{0,100}(?:s:\d+:\x22|i:\d+;))" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77821452,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Object Injection in Redirection for Contact Form 7 plugin for WordPress before 3.2.5 (CVE-2025-8145)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpcf7_redirect'" SecRule REQUEST_URI "@rx /wp-json/contact-form-7/v1/contact-forms/\d{1,10}/feedback" "t:none,t:normalizePath,chain" SecRule REQUEST_BODY|ARGS "@rx (?:O:\d+:\x22[^\x22\s]{1,100}\x22:\d+:\x7b|a:\d+:\x7b.{0,100}(?:s:\d+:\x22|i:\d+;))" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "GET" "id:77010197,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass in Melapress Login Security plugin for WordPress (CVE-2025-6895)||MV:%{ARGS.mls_temp_user_token}||RSV:8.02||T:APACHE||',tag:'wp_plugin_melapress_login_security'" SecRule ARGS:mls_temp_user_token "@rx [^_\-a-f0-9]" "t:none" SecRule REQUEST_METHOD "POST" "id:77461933,phase:2,nolog,auditlog,pass,severity:2,t:none,msg:'IM360 WAF: LFI/path traversal attempt in Devnex Addons For Elementor <= 1.0.9 (CVE-2025-53339)||MV:%{TX.body_parsing_lfi}||RSV:8.02||T:APACHE||',tag:'wp_core',chain" SecRule ARGS:action "@rx ^devnex" "chain,t:none" SecRule FILES_NAMES|FILES_TMPNAMES "\.json$" "chain,t:lowercase" SecRule ARGS|REQUEST_BODY "@rx .{0,99}(?:\.\./|etc/passwd|wp\-config).{0,99}" "capture,setvar:tx.body_parsing_lfi=%{TX.0},chain,t:none" SecRule TX:body_parsing_lfi "!(/fonts/|/css/|/js/|/assets/)" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77987058,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS in Elementor Website Builder plugin for WordPress < 3.27.5 (CVE-2024-13445)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_elementor',tag:'noshow'" SecRule REQUEST_URI "@contains /admin-ajax.php" "t:none,chain" SecRule ARGS:action "@streq elementor_ajax" "t:none,chain" SecRule ARGS:actions "@rx _(?:margin|border|padding|gap)_placeholder[\"']\s{0,128}:\s{0,128}[\"']{0,128}(?:<(?:script|img|iframe|svg|object)|javascript:|on(?:load|error|click|mouse)\s{0,128}=)" "t:none,capture,setvar:'tx.elementor_xss_payload=%{TX.0}'" SecRule &TX:elementor_xss_payload "@eq 1" "id:77987059,nolog,auditlog,pass,phase:2,severity:5,t:none,msg:'IM360 WAF: Stored XSS in Elementor Website Builder plugin for WordPress < 3.27.5 (CVE-2024-13445)||PayloadB64:%{TX.0}||RSV:8.02||T:APACHE||',tag:'wp_plugin_elementor',chain" SecRule TX:elementor_xss_payload "@rx .{1,999}" "t:none,capture" SecRule REQUEST_METHOD "POST" "id:77085763,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Stored XSS in Houzez Theme Functionality plugin for WordPress < 4.2.0 (CVE-2025-62057)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_houzez_theme_functionality',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77085763" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "t:none,t:normalizePath,chain" SecRule ARGS:action "@rx ^houzez_(ele_)?contact_form$" "t:none,chain" SecRule ARGS:first_name|ARGS:last_name|ARGS:message "@detectXSS" "t:none,t:urlDecode,t:htmlEntityDecode" SecRule REQUEST_METHOD "POST" "id:77085764,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: reCAPTCHA bypass attempt in Houzez Theme Functionality plugin for WordPress (CVE-2025-62057)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_houzez_theme_functionality'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "t:none,t:normalizePath,chain" SecRule ARGS:action "@rx ^houzez_(ele_)?contact_form$" "t:none,chain" SecRule ARGS:google_recaptcha "@streq false" "t:none,t:lowercase" SecRule ARGS:page "@rx (?i)(?:\.{2}[\\/]|[\\/]\.{2}|\.{2}\\|\\\.{2}|(?:etc|usr|var|tmp|boot|root)[\\/]|[\\/](?:etc|usr|var|tmp|boot|root)[\\/]|\.{2}(?:%2f|%5c|%2e)|(?:%2e){2}(?:%2f|%5c)|[\\/]\.{2}[\\/]|(?:proc|sys|dev)[\\/]|php:[\\/]{2}|(?:file|zlib|data|glob|phar|ssh2|rar|ogg|expect):[\\/]{2})" "id:77905388,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Local File Inclusion in School Management System for Wordpress plugin < 1.93.1 (CVE-2025-3740)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_school_management_system_for_wordpress',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77905388" SecRule REQUEST_URI "@contains /wp-content/plugins/joomsport-sports-league-results-management/" "id:77729907,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Local File Inclusion in JoomSport plugin for WordPress < 5.7.4 (CVE-2025-7721)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_joomsport_sports_league_results_management'" SecRule ARGS:task "@rx \.\.\/" "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77729907" SecRule REQUEST_METHOD "@streq POST" "id:77742668,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Local File Inclusion in ShopLentor plugin for WordPress < 3.2.6 (CVE-2025-12493)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woolentor_addons'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq woolentor_load_more_products" "chain,t:none" SecRule ARGS:settings "@rx (?:\.\./|%(?:2e){2}%2f|(?:style|template)[\"\x27\s]*:[\"\x27\s]*(?:/|\.\.)|\/etc\/|wp-config|\/passwd|\.htaccess|\.\.%|%00)" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77640713,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection vulnerability in LifterLMS <= 8.0.6 (CVE-2025-52717) ||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_lifterlms'" SecRule REQUEST_FILENAME "@rx myaccount/redeem-voucher" "chain,t:normalizePath" SecRule ARGS:llms_voucher_code|ARGS:llms_voucher "@detectSQLi" "t:none" SecRule REQUEST_METHOD "POST" "id:77640714,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection vulnerability in LifterLMS <= 8.0.6 (CVE-2025-52717) ||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_lifterlms'" SecRule ARGS:llms_voucher_code|ARGS:llms_voucher "@detectSQLi" "t:none" SecRule REQUEST_URI "@contains /wp-json/jalw/v1/archive" "id:77683072,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection in JS Archive List plugin for WordPress <= 6.1.5 (CVE-2025-7670)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:type|ARGS:onlycats|ARGS:cats "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77902078,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection in Product Filter by WBW plugin for Wordpress <= 2.9.7 (CVE-2025-8416)||RSV:8.02||T:APACHE||MV:%{TX.wpf_settings}||',tag:'wp_plugin_woo_product_filter'" SecRule ARGS:action "filtersFrontend" "t:none,chain" SecRule ARGS:filterSettings "@rx filtering_by_variations" "t:none,chain" SecRule ARGS:filtersDataBackend "@rx ['\x22]logic['\x22]:['\x22]not['\x22]" "t:none,chain" SecRule ARGS:filtersDataBackend "@rx ['\x22]settings['\x22]:(.{1,999})[,\x7d]" "capture,t:none,setvar:tx.wpf_settings=%{TX.1}" SecRule REQUEST_METHOD "^POST$" "id:77942163,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image plugin for Wordpress <= 1.2.2 (CVE-2025-58819)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq bfi_form_action" "chain,t:none" SecRule ARGS:/bfi_upload_file/|FILES|FILES_NAMES "@rx \.(php\d?|7z|asp|aspx|bash|bat|class|cmd|com|config|dll|exe|gz|htaccess|htpasswd|inc|jar|js|jsp|jspx|log|phar|phps|pht|phtml|pif|pl|py|rar|rb|scr|sh|sql|tar|vbs|war|zip)$" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77183007,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication bypass in LatePoint plugin for WordPress < 5.1.95 (CVE-2025-7038)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_latepoint'" SecRule REQUEST_URI "@rx /wp-admin/admin-(ajax|post)\.php" "chain,t:none" SecRule ARGS:action "@streq latepoint_route_call" "chain,t:none" SecRule ARGS:route_name "@streq steps__load_step" "chain,t:none" SecRule &REQUEST_COOKIES:/wordpress_logged_in/ "@eq 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77183007" SecRule ARGS:action "@streq jay_login_register_switch_back" "id:77975524,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass in JAY Login & Register plugin for WordPress before 2.4.02 (CVE-2025-14440)||MV:%{MATCHED_VAR}||TargetUserID:%{REQUEST_COOKIES.jay_login_register_switched_from_user}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_COOKIES:jay_login_register_switched_from_user "@rx ^\d" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "id:77725447,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Server-Side Request Forgery in Ninja Tables Wordpress plugin <= 5.0.18 (CVE-2025-2940)||MV:%{ARGS.url}||MV1:%{ARGS.method}||MV2:%{ARGS.callback}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_tables'" SecRule ARGS:action "^wpf-async-request-" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "id:77725448,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Server-Side Request Forgery in Ninja Tables Wordpress plugin <= 5.0.18 (CVE-2025-2940)||MV:%{ARGS.url}||MV1:%{ARGS.method}||MV2:%{ARGS.callback}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_tables'" SecRule ARGS:action "^wpf-async-request-" "chain,t:none" SecRule ARGS:url "!@contains %{SERVER_ADDR}" "chain,t:none" SecRule ARGS:url "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "id:77725449,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Server-Side Request Forgery in Ninja Tables Wordpress plugin <= 5.0.18 (CVE-2025-2940)||MV:%{ARGS.url}||MV1:%{ARGS.method}||MV2:%{ARGS.callback}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ninja_tables'" SecRule ARGS:action "^wpf-async-request-" "chain,t:none" SecRule &TX:wp_user "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^(?:GET|POST)$" "id:77640187,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Blind SQLi via distance filter in GeoDirectory <= 2.8.97 (CVE-2024-13507)||WPU:%{TX.wp_user}||Payload:%{ARGS.dist}||SearchDist:%{ARGS.sdistance}||RSV:8.02||T:APACHE||',tag:'wp_plugin_geodirectory'" SecRule &ARGS:geodir_search "@gt 0" "chain,t:none" SecRule &ARGS:dist "@gt 0" "chain,t:none" SecRule ARGS:dist "!@rx ^$" "chain,t:none" SecRule ARGS:dist "!@rx ^[+]?([0-9]{0,99}[\.\,])?[0-9]{0,99}$" "t:none" SecRule REQUEST_METHOD "@rx ^(?:GET|POST)$" "id:77320586,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in WordPress MDTF Plugin <= 1.3.3.7 (CVE-2025-54707)||WPU:%{TX.wp_user}||Payload:%{ARGS.mdf_search_by_author}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_meta_data_filter_and_taxonomy_filter'" SecRule ARGS:mdf_search_by_author "!@rx ^[0-9]{1,99}$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77385892,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated SQL Injection vulnerability in YayCommerce YaySMTP <= 2.6.5 (CVE-2025-53256)||MV:%{ARGS.from}||MV1:%{ARGS.to}||MV2:%{ARGS.searchKey}||MV3:%{ARGS.searchValue}||RSV:8.02||T:APACHE||',tag:'wp_plugin_yaysmtp'" SecRule ARGS:action "yaysmtp_export_email_log" "chain,t:none" SecRule ARGS:params[from]|ARGS:params[to]|ARGS:params[searchKey]|ARGS:params[searchValue] "@detectSQLi" "t:none" SecRule REQUEST_METHOD "POST" "id:77743376,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file uploads in Booster for WooCommerce plugin for WordPress >= 7.2.4 (CVE-2024-13342)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule &ARGS:add-to-cart|&ARGS:/attribute_pa_/ "@gt 0" "chain,t:none" SecRule ARGS:/wcj_product_input_fields_/ "(.{1,100}\..{1,100}\..{1,100})" "t:none" SecRule REQUEST_METHOD "POST" "id:77743377,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file uploads in Booster for WooCommerce plugin for WordPress >= 7.2.4 (CVE-2024-13342)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "/product/.{1,300}/" "chain,t:none" SecRule ARGS:/wcj_product_input_fields_/ "(.{1,100}\..{1,100}\..{1,100})" "t:none" SecRule REQUEST_METHOD "POST" "id:77743378,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file uploads in Booster for WooCommerce plugin for WordPress >= 7.2.4 (CVE-2024-13342)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq woocommerce_add_to_cart" "chain,t:none" SecRule FILES_NAMES|FILES "(.{1,100}\..{1,100}\..{1,100})" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350720,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection vulnerability in ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes Plugin <= 1.4.9 (CVE-2025-47645)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:product_title_text|ARGS:product_title_select|ARGS:product_filter_data "@detectSQLi" "t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_METHOD "^POST$" "id:77839622,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XML-RPC Suspicious blog attempt||Username:%{TX.xml_username}.%{REQUEST_HEADERS.host}||ServerName:%{SERVER_NAME}||Method:%{TX.xml_method}||BlogID:%{TX.xml_blogid}||TitleSHA:%{TX.xml_title_sha}||Title:%{TX.xml_title}||RSV:8.02||T:APACHE||',tag:'wp_core',chain" SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,chain" SecRule XML://methodName/text() "@rx ^(?:wp\.getUsersBlogs|wp\.(?:newPost|editPost|newComment|editComment|editTerm)|metaWeblog\.(?:newPost|editPost)|blogger\.getUsersBlogs)$" "t:none,chain,capture,setvar:tx.xml_method=%{MATCHED_VAR}" SecRule XML://params/param[1]/value/*/text() "@rx ^(\d{1})$" "t:none,chain,capture,setvar:tx.xml_blogid=%{TX.1}" SecRule XML://params/param[2]/value/*/text() "!@rx ^$" "t:none,chain,capture,setvar:tx.xml_username=%{MATCHED_VAR}" SecRule XML://params/param[4]/value/struct/member[name='title']/value/*/text() "@rx (?s)(.{1,99})" "t:trim,chain,capture,setvar:tx.xml_title=%{MATCHED_VAR}" SecRule TX:xml_title "!@rx ^$" "t:sha1,t:hexEncode,capture,setvar:tx.xml_title_sha=%{MATCHED_VAR}" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350722,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQL Injection in product filter - ELEX WooCommerce Advanced Bulk Edit Plugin <= 1.4.9 (CVE-2025-47645)||WPU:%{tx.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq eh_bep_filter_products" "chain,t:none" SecRule ARGS:product_title_text|ARGS:product_title_select "@detectSQLi" "t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350723,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Missing CSRF nonce in ELEX WooCommerce Advanced Bulk Edit Plugin CVE-2025-47645||WPU:%{tx.wp_user}||action:%{ARGS.action}||title_text:%{ARGS.product_title_text}||title_select:%{ARGS.product_title_select}||filter_data:%{ARGS.product_filter_data}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx ^eh_bep_(filter_products|update_products|all_products|count_products)$" "chain,t:none" SecRule &ARGS:_ajax_eh_bep_nonce "@eq 0" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77082018,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF in LatePoint plugin for WordPress < 5.2.0 (CVE-2025-7052)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_latepoint'" SecRule REQUEST_URI "@contains /wp-admin/admin-post.php" "chain,t:none" SecRule ARGS:action "@streq latepoint_route_call" "chain,t:none" SecRule ARGS:route_name "@streq customer_cabinet__change_password" "chain,t:none" SecRule &ARGS:password "@ge 1" "chain,t:none" SecRule &ARGS:change_password_nonce "@eq 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77082018" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "id:77273133,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF vulnerability in LoginPress plugin for WordPress < 4.0.0 (CVE-2025-1764)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_loginpress'" SecRule ARGS:page "@streq wpb-debug-mode" "t:none,chain" SecRule &ARGS:_wpnonce "@eq 0" "t:none,chain" SecRule ARGS:set_option_name "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77016264,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in Customer Reviews for WooCommerce <= 5.38.9 (CVE-2023-6979)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||action:%{ARGS.action}T:APACHE||',tag:'wp_plugin_customer_reviews_woocommerce'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq ivole_import_upload" "chain,t:none" SecRule FILES "@rx ." "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77552667,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF to Arbitrary File Upload in Newscrunch theme for WordPress before 1.8.4.1 (CVE-2025-1306)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_theme_newscrunch'" SecRule ARGS:action "@streq newscrunch_install_activate_plugin" "t:none,chain" SecRule ARGS:plugin_url "@rx ^https?://" "t:none,chain" SecRule &ARGS:_ajax_nonce "@eq 0" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77839621,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XML-RPC Authentication attempt with prohibited username||Username:%{TX.xml_username}.%{REQUEST_HEADERS.host}||Method:%{TX.xml_method}||FaulCount:%{SESSION.xmlrpc_faultcode_limit}||RSV:8.02||T:APACHE||',tag:'wp_core',chain" SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,chain" SecRule XML://methodName/text() "@rx ^(?:wp\.getUsersBlogs|wp\.(?:newPost|editPost|newComment|editComment|editTerm)|metaWeblog\.(?:newPost|editPost)|blogger\.getUsersBlogs)$" "t:none,chain,capture,setvar:tx.xml_method=%{MATCHED_VAR}" SecRule XML://params/param[position()=1]/value/string/text() "@rx (?i)^(?:admin\d?backup|backdoor\d?admin|wpadminerlzp|deleted-|-deleted|wpadmin@volovmart\.ru|.{1,99}@wordpress\.org)$" "t:none,capture,setvar:tx.xml_username=%{MATCHED_VAR}" SecRule REQUEST_METHOD "@streq GET" "id:77617987,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious request to WooCommerce endpoint||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule &TX:rbl_whitelist_check "@eq 0" "chain,t:none" SecRule REQUEST_HEADERS:User-Agent "!@rx (?:openai|developers\.facebook\.com|blexbot|MJ12bot|SeekportBot|AliyunSecBot|Googlebot|amazonproductbot|Linguee|Applebot|serpstatbot|YandexBot|ComparorBot|GoogleOther)" "chain,t:none" SecRule ARGS:_wpnonce "!@rx ^$" "chain,t:none" SecRule ARGS:add_to_wishlist "!@rx ^$" "chain,t:none" SecRule ARGS:add-to-cart "!@rx ^$" "t:none" SecRule REQUEST_METHOD "@rx POST|PUT" "id:77247770,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Dangerous file upload in Bit File Manager <= 6.5.5 (CVE-2024-7770)||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_file_manager'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^bit_fm_connector" "chain,t:none" SecRule FILES "@rx (?i)(?:\.htaccess|\.htpasswd|\.user\.ini|web\.config|\.phar|php\.ini)$" "t:none" SecRule REQUEST_METHOD "@rx POST|PUT" "id:77247771,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in Bit File Manager <= 6.5.5 (CVE-2024-7770) - MIME bypass||Action:%{ARGS.action}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_file_manager'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx ^bit_fm_connector" "chain,t:none" SecRule FILES "@rx ." "t:none" SecRule REQUEST_METHOD "@streq GET" "id:77617988,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious request to eShop endpoint||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule &TX:rbl_whitelist_check "@eq 0" "chain,t:none" SecRule REQUEST_HEADERS:User-Agent "!@rx (?:openai|developers\.facebook\.com|blexbot|MJ12bot|SeekportBot|AliyunSecBot|Googlebot|amazonproductbot|Linguee|Applebot|serpstatbot|YandexBot|ComparorBot|GoogleOther)" "chain,t:none" SecRule REQUEST_FILENAME "@streq /shop" "chain,t:none" SecRule ARGS:filter_brand "!@rx ^$" "chain,t:none" SecRule ARGS:/filter_cat/ "!@rx ^$" "t:none" SecRule REQUEST_METHOD "POST" "id:77545828,chain,phase:5,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Object Injection in Quiz And Survey Master plugin for Wordpress <= 10.2.5 (CVE-2025-49401)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qmn_process_quiz" "t:none,chain" SecRule ARGS "@pmFromFile bl_chains" "t:none" SecRule REQUEST_METHOD "POST" "id:77545829,chain,phase:5,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Object Injection in Quiz And Survey Master plugin for Wordpress <= 10.2.5 (CVE-2025-49401)||RSV:8.02||T:APACHE||MV:%{ARGS.quiz_answer_random_ids}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qmn_process_quiz" "t:none,chain" SecRule ARGS:quiz_answer_random_ids "@rx [^0-9ai{};:]" "t:none" SecRule REQUEST_METHOD "POST" "id:77545830,chain,phase:5,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Object Injection in Quiz And Survey Master plugin for Wordpress <= 10.2.5 (CVE-2025-49401)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq qmn_process_quiz" "t:none,chain" SecRule ARGS:quiz_answer_random_ids "@rx (.{0,100}[\00\x00\x0a\x0d].{0,300})" "t:none,t:urlDecode" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77481717,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Password reset brute force in Material Dashboard plugin for WordPress < 1.4.7 (CVE-2025-32486)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq public_amd_ajax_handler" "t:none,chain" SecRule ARGS:reset_password[vcode] "@rx ^[0-9]{6}$" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:77604295,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Password reset initiation in Material Dashboard plugin for WordPress < 1.4.7 (CVE-2025-32486)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule ARGS:action "@streq public_amd_ajax_handler" "t:none,chain" SecRule &ARGS:reset_password[email] "@eq 1" "t:none,chain" SecRule &ARGS:reset_password[vcode] "@eq 0" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77623486,phase:2,block,chain,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Remote Code Execution via Code Injection in Ultimate CSV XML Importer for WordPress plugin for WordPress <= 7.28 (CVE-2025-10057)||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_ultimate_csv_importer'" SecRule REQUEST_URI "@contains /admin-ajax.php" "t:none,t:normalizePath,chain" SecRule ARGS:action "@streq saveMappedFields" "t:none,chain" SecRule ARGS:MappedFields "@rx [^'\x22]+->cus2['\x22]:['\x22](.{1,999})" "capture,t:none" SecRule ARGS:__wpdmxp "@rx [\[\]]" "id:77719311,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary Shortcode Execution in Download Manager plugin for WordPress < 3.3.04 (CVE-2024-11740)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_download_manager'" SecRule REQUEST_URI "@contains admin-ajax.php" "id:77211092,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Arbitrary Shortcode Execution in kk Star Ratings plugin for WordPress < 5.4.10.2 (CVE-2024-11977)||MVN:%{MATCHED_VAR_NAME}|||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_kk_star_ratings'" SecRule ARGS:action "@streq kk-star-ratings" "chain,t:none" SecRule ARGS "@rx \[\w{1,999}\]" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77579694,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unrestricted file upload in TI WooCommerce Wishlist plugin for WordPress < 2.10.0 (CVE-2025-47577)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx (?:\?wc-ajax=tinvwl|/product/)" "t:none,chain" SecRule ARGS "@rx (?:tinvwl|add_to_wishlist)" "t:none,chain" SecRule FILES_NAMES "@rx ^wcc[pv]f_" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77225181,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unrestricted file upload in TI WooCommerce Wishlist plugin for WordPress < 2.10.0 (CVE-2025-47577)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "t:none,chain" SecRule ARGS:action "@contains tinvwl" "t:none,chain" SecRule FILES_NAMES "@rx ^wcc[pv]f_" "t:none" SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" "id:77447665,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload in WPBookit <=1.0.6 (CVE-2025-7852)||Route:%{ARGS.route_name}||Action:%{ARGS.action}||File:%{FILES.add-image.name}||CT:%{FILES.add-image.content_type}||FILES:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpbookit'" SecRule REQUEST_METHOD "@streq POST" "chain,t:none" SecRule ARGS:action "@streq wpb_ajax_post" "chain,t:none" SecRule ARGS:route_name "@streq add_newdata_customer" "chain,t:none" SecRule FILES:add-image.name "!@rx \.(?:jpe?g|png|gif|webp)$" "t:none" SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" "id:77447667,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file upload in WPBookit <=1.0.6 (CVE-2025-7852)||Route:%{ARGS.route_name}||Action:%{ARGS.action}||File:%{FILES.add-image.name}||CT:%{FILES.add-image.content_type}||FILES:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpbookit'" SecRule REQUEST_METHOD "@streq POST" "chain,t:none" SecRule ARGS:action "@streq wpb_ajax_post" "chain,t:none" SecRule ARGS:route_name "@streq add_newdata_customer" "chain,t:none" SecRule FILES:add-image.content_type "!@rx ^image/(?:jpeg|png|gif|webp)$" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77084284,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in CleverReach WP <=1.5.20 (CVE-2025-7036)||Title:%{ARGS.title}||URI:%{REQUEST_URI}||Ctrl:%{ARGS.cleverreach_wp_controller}||Get:%{ARGS.get}||ID:%{ARGS.id}||',tag:'wp_plugin_cleverreach_wc'" SecRule &ARGS:/cleverreach/ "@gt 0" "chain,t:none" SecRule ARGS:title "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77839624,phase:2,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: WordPress application-password creation by prohibited user||WPU:%{TX.wp_user}||Name:%{ARGS.name}||RSV:8.02||T:APACHE||',tag:'wp_core',t:none,setvar:tx.wp_ap_compromised=1,chain" SecRule REQUEST_URI "@rx /wp/v2/users/\\d+/application-passwords" "chain,t:none" SecRule ARGS:name "!@rx ^$" "chain,t:none" SecRule TX:wp_user "@rx ^(?:deleted-|wpsupp.?user|wp.?configuser\\.|wp_update-|wadminw|yanz\\@123457|greeceman|adm1nlxg1n|admnlxgxn|wordpresupport@|admin\\d?backup|wpadminerlzp|@wordpress\\.org|95191841|martin_smith|wpadmin@volovmart\\.ru)$" "t:lowercase" SecRule REQUEST_METHOD "@streq POST" "id:77839625,phase:2,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: WP application-password creation by compomised user||WPU:%{TX.wp_user}||Name:%{ARGS.name}||RSV:8.02||T:APACHE||',tag:'wp_core',t:none,setvar:tx.wp_ap_compromised=1,chain" SecRule REQUEST_URI "@rx /wp/v2/users/\\d+/application-passwords" "chain,t:none" SecRule ARGS:name "!@rx ^$" "chain,t:none,setvar:tx.rbl_perf=1" SecRule TX:wp_user "!@rx ^$" "chain,t:none,t:urlDecode,capture,t:sha1,t:hexEncode,setvar:tx.wp_compromised_user=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}" SecRule TX:wp_compromised_user "@rbl wp-compromised.v2.rbl.imunify.com." "chain,t:none" SecRule TX:wp_compromised_user "!@rbl nxdomain.v2.rbl.imunify.com." "t:none" SecRule ARGS:action "@streq woof_text_autocomplete" "id:77258992,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Blind SQLi in Products Filter Professional for WooCommerce plugin for WordPress <= 1.3.7.1 (CVE-2025-11735)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce_products_filter'" SecRule ARGS:woof_text|ARGS:phrase|ARGS:s "@detectSQLi" "t:none" SecRule TX:wp_ap_compromised "@eq 1" "id:77839629,phase:4,pass,severity:5,nolog,auditlog,t:none,chain,msg:'IM360 WAF: WordPress application-password created||WPU:%{TX.wp_user}||Name:%{ARGS.name}||UUID:%{TX.wp_uuid}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule RESPONSE_STATUS "@streq 201" "chain,t:none" SecRule RESPONSE_HEADERS:Location "@rx /application-passwords/([0-9a-fA-F-]{36})(?:$|[?#])" "t:none,capture,setvar:'tx.wp_uuid=%{TX.1}'" SecRule REQUEST_METHOD "@rx ^POST" "id:77332953,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi Vulnerability in HUSKY - Products Filter for WooCommerce Professional <= 1.3.5.2 plugin for WordPress (CVE-2024-1795)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce_products_filter'" SecRule REQUEST_URI "@rx /wp-json/wp/v2/posts|/wp-admin/post.php" "chain,t:none,t:normalizePath" SecRule ARGS:/content/ "@contains woof_front_builder" "chain,t:none" SecRule ARGS:/content/ "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77332954,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi Vulnerability in HUSKY - Products Filter for WooCommerce Professional <= 1.3.5.2 plugin for WordPress (CVE-2024-1795)||WPU:%{tx.wp_user}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce_products_filter'" SecRule REQUEST_URI "@rx /xmlrpc.php" "chain,t:none,t:normalizePath" SecRule XML:/* "@contains woof_front_builder" "chain,t:none" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77517931,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Malicious file upload attempt in WooCommerce Designer Pro theme for WordPress < 1.9.29 (CVE-2025-10897)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wc_designer_pro'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq wcdp_save_canvas_design_ajax" "chain,t:none" SecRule &ARGS:params "@gt 0" "chain,t:none" SecRule FILES "@rx \.(?:php|phtml|php\d|pht|phps|phar|phpt|pgif|shtml|htaccess|inc|suspected)$" "t:none,t:lowercase" SecRule REQUEST_METHOD "@streq POST" "id:77517932,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Monitor file upload attempt in WooCommerce Designer Pro theme for WordPress < 1.9.29 (CVE-2025-10897)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wc_designer_pro'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq wcdp_save_canvas_design_ajax" "chain,t:none" SecRule ARGS:params "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77517933,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Malicious file upload attempt in WooCommerce Designer Pro theme for WordPress < 1.9.29 (CVE-2025-10897)||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wc_designer_pro'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq wcdp_save_canvas_design_ajax" "chain,t:none" SecRule FILES "@rx \.(?:php|phtml|php\d|pht|phps|phar|phpt|pgif|shtml|htaccess|inc|suspected)$" "t:none,t:lowercase" SecRule ARGS:wpf "." "id:77216094,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in Themify WooCommerce Product Filter plugin for WordPress before 1.5.0 (CVE-2024-6027)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_themify_wc_product_filter'" SecRule ARGS:/^pa_/ "@rx (?:[\"\x27]\s{0,10}\)|[\"\x27]\s{0,10},|(?:SLEEP|BENCHMARK|UNION\s{1,20}SELECT)\s{0,10}\(|--\s{0,10}$|#\s{0,10}$)" "t:none,t:urlDecodeUni" SecRule ARGS:wpf "." "id:77216095,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in Themify WooCommerce Product Filter plugin for WordPress before 1.5.0 (CVE-2024-6027)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_themify_wc_product_filter'" SecRule ARGS:wpf_cat|ARGS:wpf_tag "@rx (?:[\"\x27]\s{0,10}\)|[\"\x27]\s{0,10},|(?:SLEEP|BENCHMARK|UNION\s{1,20}SELECT)\s{0,10}\(|--\s{0,10}$|#\s{0,10}$)" "t:none,t:urlDecodeUni" SecRule REQUEST_URI "@rx /wp-content/uploads/wcdp-uploads/.{1,999}\.(?:php|phtml|php\d|pht|phps|phar|phpt|pgif|shtml|htaccess|inc|suspected)(?:\?|$)" "id:77191096,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Access to PHP file in WCDP uploads blocked (CVE-2025-6440)||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx /wp-content/uploads/wcdp-uploads/.{1,999}\.(?:php|phtml|php\d|pht|phps|phar|phpt|pgif|shtml|htaccess|inc|suspected)(?:\?|$)" "id:77517934,phase:1,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Access to PHP file in WCDP uploads blocked (CVE-2025-6440)||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wc_designer_pro'" SecRule REQUEST_METHOD "POST" "id:77785878,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated File Upload Vulnerability in Advanced File Manager <= 5.2.8 plugin for WordPress (CVE-2024-8126)||MV:%{MATCHED_VAR}||FILES:%{FILES}||RSV:8.02||T:APACHE||',tag:'wp_plugin_file_manager_advanced'" SecRule REQUEST_URI "@rx /file-manager-advanced/application/.{1,500}\.php$" "t:none" SecRule REQUEST_METHOD "POST" "id:77435789,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated File Upload Vulnerability in Advanced File Manager <= 5.2.8 plugin for WordPress (CVE-2024-8126)||MV:%{MATCHED_VAR}||FILES:%{FILES}||RSV:8.02||T:APACHE||',tag:'wp_plugin_file_manager_advanced'" SecRule ARGS:cmd "@streq upload" "chain,t:none" SecRule ARGS:action "@rx ^fma_load_(?:action|fma_ui)$" "chain,t:none" SecRule FILES "@rx (?i)(?:\.htaccess|\.htpasswd|\.user\.ini|web\.config|php\.ini|\.phtml|\.phar)$" "t:none" SecRule REQUEST_METHOD "POST" "id:77435790,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authenticated File Upload Vulnerability in Advanced File Manager <= 5.2.8 plugin for WordPress (CVE-2024-8126)||MV:%{MATCHED_VAR}||FILES:%{FILES}||RSV:8.02||T:APACHE||',tag:'wp_plugin_file_manager_advanced'" SecRule REQUEST_URI "@endsWith /admin-ajax.php" "t:none,chain,t:normalizePath" SecRule ARGS:action "@streq fma_load_fma_ui" "t:none,chain" SecRule FILES "@rx (?i)(?:\.htaccess|\.(?:php|phtml|phar))$" "t:none" SecRule REQUEST_URI "!@rx (?i)/file-manager-advanced/application/(?:class_fma_|library/(?:php/elFinder|php-parser/vendor|codemirror|exec-with-fallback|themes)|svg-sanitizer/(?:includes/(?:phpunit|sebastian|doctrine|myclabs|phar-io)|src/(?:data/AllowedTags|Exceptions/[A-Za-z]+Exception))\.php|pages/(?:main|buy_shortcode)\.php)" "id:77435791,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,chain,msg:'IM360 WAF: Webshell access in Advanced File Manager plugin directory (CVE-2024-8126)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_file_manager_advanced'" SecRule REQUEST_URI "@rx (?i)/file-manager-advanced/application/.{1,500}\.(?:php[3-8]?|phtml|phar)$" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@streq POST" "id:77839626,phase:2,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: WP application-password revoke||WPU:%{TX.wp_user}||UUID:%{TX.1}||RSV:8.02||T:APACHE||',tag:'wp_core',t:none,chain" SecRule REQUEST_URI "@rx /wp/v2/users/\\d+/application-passwords/([0-9a-fA-F-]{36})" "chain,t:none,capture" SecRule REQUEST_HEADERS:X-Http-Method-Override "@streq DELETE" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77773665,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated PHP Object Injection Vulnerability in Slider, Gallery, and Carousel by MetaSlider- Image Slider, Video Slider <= 3.94.0 (CVE-2025-26763)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||log:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx /wp-admin/|/admin-ajax\.php" "chain,t:none" SecRule ARGS:action|ARGS:page "@rx ^ms_|metaslider" "chain,t:none" SecRule ARGS|FILES "@rx O:\d+:\x22|\x00.{1,50}(?:O:|a:|s:)|\xc0[\xa7\xa2]|\%25(?:00|22).{0,20}(?:O:|a:)|(?i)(?:phar|php\d?|file|data)://" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77773666,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated PHP Object Injection Vulnerability in Slider, Gallery, and Carousel by MetaSlider- Image Slider, Video Slider <= 3.94.0 (CVE-2025-26763)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||log:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /metaslider/v1/" "chain,t:none" SecRule ARGS|FILES "@rx O:\d+:\x22|\x00.{1,50}(?:O:|a:|s:)|\xc0[\xa7\xa2]|\%25(?:00|22).{0,20}(?:O:|a:)|(?i)(?:phar|php\d?|file|data)://" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77839627,phase:2,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: WP application-password revoke all||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',t:none,chain" SecRule REQUEST_URI "@rx /wp/v2/users/\\d+/application-passwords(?:$|[?&#])" "chain,t:none" SecRule REQUEST_HEADERS:X-Http-Method-Override "@streq DELETE" "chain,t:none" SecRule REQUEST_URI "!@rx /wp/v2/users/\\d+/application-passwords/[0-9a-fA-F-]{36}" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77079578,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in Vibes plugin for WordPress < 2.2.1 (CVE-2025-9172)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/vibes/v1/beacon" "t:none,chain" SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "t:none,chain" SecRule REQUEST_BODY "@contains \x22type\x22:\x22resource\x22" "t:none,chain" SecRule REQUEST_BODY "@rx \x22resource\x22:[^\x22]*'[^\x22]*(?:sleep|benchmark|waitfor|union|select)" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77788525,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated SQLi in POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP <= 2.9.3 WordPress plugin (CVE-2024-5207)||MV:%{MATCHED_VAR}||log:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_post_smtp'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx ^ps-" "chain,t:none" SecRule ARGS "@detectSQLi" "t:none" SecRule REQUEST_URI "@contains /wp-admin/admin.php" "id:77446048,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi vulnerability in SEO Plugin by Squirrly SEO <= 12.4.03 plugin for WordPress (CVE-2025-22783)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||log:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_squirrly_seo'" SecRule ARGS:page "@rx ^sq_" "chain,t:none" SecRule ARGS:/keyword/|ARGS:/params/ "@detectSQLi" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77344336,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary file write in Ebook Store <= 5.8012 (CVE-2025-7437)||Payload:%{ARGS.md5_nonce}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ebook_store'" SecRule ARGS:action "@streq ebook_store_save_form" "chain,t:none,t:lowercase" SecRule ARGS:md5_nonce "!@rx (?i)^[a-f0-9]{32}$" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule &ARGS:gmedia_module "@gt 0" "id:77435788,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Remote File Inclusion vulnerability in Gmedia Photo Gallery <= 1.23.0 (CVE-2025-53257)||MV:%{ARGS.gmedia_module}||MV1:%{ARGS.gmedia}||MV2:%{ARGS.t}||RSV:8.02||T:APACHE||',tag:'wp_plugin_grand_media'" SecRule &ARGS:t "@gt 0" "chain,t:none" SecRule &ARGS:gmedia "@gt 0" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77240145,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in Custom Field Suite plugin for WordPress before version 2.6.7 (CVE-2024-3561)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_custom_field_suite'" SecRule REQUEST_URI "@contains /wp-admin/post.php" "t:none,chain" SecRule ARGS:/cfs\[/ "@detectSQLi" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@rx ^/wp-config.php.backup$" "id:77487778,phase:1,block,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Information Disclosure Vulnerability in WordPress plugin||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^(?:GET|POST)$" "id:77605023,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Modular Connector routing telemetry (CVE-2026-23550)||WPU:%{tx.wp_user}||type_h:%{REQUEST_HEADERS.X-Mo-Type}||type_a:%{ARGS.type}||origin:%{ARGS.origin}||mrid_h:%{REQUEST_HEADERS.X-Mo-Mrid}||mrid_a:%{ARGS.mrid}||RSV:8.02||T:APACHE||',tag:'wp_plugin_modular_connector'" SecRule REQUEST_URI "@rx ^/(?:wp-login\.php/+.|api/modular-connector/)" "t:none,t:normalizePath,t:lowercase,chain" SecRule ARGS:type|REQUEST_HEADERS:X-Mo-Type|ARGS:origin "@rx ." "t:none" SecRule REQUEST_URI "@rx ^/api/modular-connector/" "id:77605025,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Modular Connector API auth bypass (CVE-2026-23550)||WPU:%{tx.wp_user}||type_a:%{ARGS.type}||origin:%{ARGS.origin}||RSV:8.02||T:APACHE||',tag:'wp_plugin_modular_connector'" SecRule ARGS:origin "@streq mo" "t:none,t:lowercase,chain" SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0" "t:none" SecRule REQUEST_URI "@rx /wpquads/v1" "id:77444517,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF:SQLi vulnerability in The Ads by WPQuads plugin for WordPress (CVE-2025-30876)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||log:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_quick_adsense_reloaded'" SecRule ARGS:refId "@detectSQLi" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77674284,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Shell upload attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-load.php" "chain,t:none" SecRule ARGS:/code/|ARGS:/params/|ARGS:/act/|ARGS:a "@rx eval\s*\(\s*gzinflate\s*\(\s*base64_decode\(" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "^POST$" "id:77674285,chain,phase:2,pass,nolog,auditlog,skip:1,t:none,severity:5,msg:'IM360 WAF: Track upload attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx /(wp-load|functions|admin-ajax|xmlrpc)\.php" "chain,t:none" SecRule ARGS "@rx (?i)(?:eval|assert|create_function|passthru|exec|system|shell_exec|base64_decode|gzinflate|str_rot13|hex2bin)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "^POST$" "id:77674286,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Internal file access attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@rx /(wp-load|functions)\.php" "chain,t:none" SecRule ARGS "@rx [^\x2f\x5c\x2e\w\:\-]" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77830643,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in Blubrry PowerPress <= 11.15.2 (CVE-2025-13536)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_powerpress'" SecRule &ARGS:/owerpress/ "@gt 0" "chain,t:none" SecRule ARGS:/images/ "@rx ." "t:none" SecRule REQUEST_METHOD "@rx ^POST" "id:77607606,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.94 plugin for WordPress (CVE-2024-1567)||WPU:%{tx.wp_user}||uploaded_file:%{ARGS.uploaded_file}||allowed_file_types:%{ARGS.allowed_file_types}||RSV:8.02||T:APACHE||',tag:'wp_plugin_royal_elementor_addons'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq wpr_addons_upload_file" "chain,t:none" SecRule ARGS:uploaded_file "@rx ." "chain,t:none" SecRule ARGS:allowed_file_types "@rx (?i)(?:php|php\d|htaccess|phtml|ph\$p|p\$hp)$|\$|~%|\x7b|\x5b|\+|\x00" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@rx ^POST" "id:77607607,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.94 plugin for WordPress (CVE-2024-1567)||WPU:%{tx.wp_user}||uploaded_file:%{ARGS.uploaded_file}||allowed_file_types:%{ARGS.allowed_file_types}||RSV:8.02||T:APACHE||',tag:'wp_plugin_royal_elementor_addons'" SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq wpr_addons_upload_file" "chain,t:none" SecRule ARGS:allowed_file_types "@rx ." "chain,t:none" SecRule ARGS:uploaded_file "@rx (?i)\.(?:php|php\d|htaccess|phtml|ph\$p|p\$hp)$|\$|~%|\x7b|\x5b|\+|\x00" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77126926,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Arbitrary File Upload in Metform Elementor Contact Form Builder before 3.3.0 (CVE-2023-0714)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_metform'" SecRule REQUEST_URI "@rx /wp-json/metform/v1/entries/insert/\d{1,10}" "t:none,t:lowercase,chain" SecRule FILES "@rx \.(?:ph(?:p|tml|ar|t)|p[ly]|rb|cgi|asp|aspx?|jsp|sh)\d{0,2}\.(?:jpe?g|png|gif|webp|svg|pdf|docx?|txt|zip)" "t:none,t:urlDecode,t:lowercase" SecRule REQUEST_METHOD "@rx POST" "id:77722723,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi Vulnerability in Booking Calendar <= 10.14.8 plugin for WordPress (CVE-2025-14383)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||log:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_plugin_booking'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none" SecRule ARGS:action "@rx (?i)wpbc_ajx_calendar_load" "chain,t:none" SecRule ARGS:/calendar_request_params/ "@detectSQLi" "t:none" SecRule REQUEST_URI "@rx /api/modular-connector/(?:login|users)/" "id:77196360,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Modular DS before 2.5.2 (CVE-2026-23550)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_modular_connector'" SecRule ARGS:origin "@streq mo" "t:none,t:lowercase" SecRule REQUEST_URI "@rx /api/modular-connector/(?:login|users)/" "id:77196361,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Unauthenticated Privilege Escalation in Modular DS before 2.5.2 (CVE-2026-23550)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_modular_connector'" SecRule REQUEST_HEADERS:User-Agent "@rx ^ModularConnector/" "t:none" SecRule REQUEST_URI "@contains /api/modular-connector/" "id:77196362,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Suspicious request to Modular DS API with direct request params (CVE-2026-23550)||MV:%{MATCHED_VAR}||Origin:%{ARGS.origin}||Type:%{ARGS.type}||RSV:8.02||T:APACHE||',tag:'wp_plugin_modular_connector'" SecRule ARGS:origin "@streq mo" "chain,t:none,t:lowercase" SecRule &ARGS:type "@gt 0" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77169345,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Missing Authorization in Social Icons Widget by WPZOOM plugin for WordPress before 4.2.16 (CVE-2024-30464)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_social_icons_widget_by_wpzoom'" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "t:none,chain" SecRule ARGS:action "@streq zoom_ajax_set_pointer_transient" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77393689,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Backdoor in LA-Studio Element Kit before 1.6.0 (CVE-2026-0920)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_lastudio_element_kit'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none" SecRule ARGS:lakit_bkrole "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77093225,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Privilege Escalation in User Registration & Membership before 5.1.3 (CVE-2026-1492)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_user_registration'" SecRule REQUEST_FILENAME "@endsWith /admin-ajax.php" "chain,t:none" SecRule ARGS:action "@streq user_registration_membership_register_member" "chain,t:none" SecRule ARGS:members_data "@rx (?i)[\x22\x5C']+role[\x22\x5C']+\s*:\s*[\x22\x5C']+(?:administrator|editor|author)" "t:none,t:urlDecodeUni" SecRule REQUEST_METHOD "@streq POST" "id:77433249,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track WordPress admin user creation||WPU:%{TX.wp_user}||NewUser:%{ARGS.user_login}||Email:%{ARGS.email}||Role:%{ARGS.role}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /user-new.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq createuser" "chain,t:none" SecRule ARGS:user_login "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77433250,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track WordPress user self-registration||NewUser:%{ARGS.user_login}||Email:%{ARGS.user_email}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq register" "chain,t:none" SecRule ARGS:user_login "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77433251,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track WordPress REST API user creation||WPU:%{TX.wp_user}||NewUser:%{ARGS.username}||Email:%{ARGS.email}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/wp/v2/users" "chain,t:none,t:normalizePath" SecRule ARGS:username "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77433252,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track WordPress Multisite user signup||NewUser:%{ARGS.user_name}||Email:%{ARGS.user_email}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-signup.php" "chain,t:none,t:normalizePath" SecRule ARGS:stage "@streq validate-user-signup" "chain,t:none" SecRule ARGS:user_name "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77433253,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track WooCommerce user registration||NewUser:%{ARGS.username}||Email:%{ARGS.email}||RSV:8.02||T:APACHE||',tag:'wp_plugin_woocommerce'" SecRule ARGS:register "@rx ." "chain,t:none" SecRule ARGS:woocommerce-register-nonce "@rx ." "chain,t:none" SecRule ARGS:email "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77433254,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track Ultimate Member user registration||NewUser:%{ARGS.user_login}||Email:%{ARGS.user_email}||RSV:8.02||T:APACHE||',tag:'wp_plugin_ultimate_member'" SecRule ARGS:um_request "@rx ." "chain,t:none" SecRule ARGS:user_email "@rx ." "chain,t:none" SecRule ARGS:user_password "@rx ." "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77433255,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track User Registration plugin user registration||NewUser:%{ARGS.user_login}||Email:%{ARGS.user_email}||RSV:8.02||T:APACHE||',tag:'wp_plugin_user_registration'" SecRule ARGS:ur_frontend_form_nonce "@rx ." "chain,t:none" SecRule ARGS:ur-user-form-id "@rx ." "t:none" SecRule REQUEST_URI "@rx \/wp-content\/mu-plugins\/wp-[a-f0-9]{4,8}-(?:loader|helper|cache|core|init)\.php" "id:77433256,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Suspicious mu-plugin access (possible malware dropper)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@streq POST" "id:77433257,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress REST API backdoor user creation attempt||NewUser:%{ARGS.username}||Email:%{ARGS.email}||Roles:%{ARGS.roles}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/wp/v2/users" "chain,t:none,t:normalizePath" SecRule ARGS:username "@rx ^usr_[a-f0-9]{6,10}$" "t:none,t:lowercase" SecRule REQUEST_METHOD "@streq POST" "id:77433258,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress backdoor user creation attempt||NewUser:%{ARGS.user_login}||Email:%{ARGS.email}||Role:%{ARGS.role}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /user-new.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq createuser" "chain,t:none" SecRule ARGS:user_login "@rx ^usr_[a-f0-9]{6,10}$" "t:none,t:lowercase" SecRule REQUEST_METHOD "^GET|^POST" "chain,id:77433260,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Imunify Security plugin deactivation detected||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@contains /wp-admin/plugins.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq deactivate" "chain,t:none" SecRule ARGS:plugin "@contains imunify-security" "t:none,t:lowercase" SecRule REQUEST_METHOD "@streq POST" "chain,id:77433261,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Imunify Security plugin bulk deactivation detected||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@contains /wp-admin/plugins.php" "chain,t:none,t:normalizePath" SecRule ARGS:action2|ARGS:action "@streq deactivate-selected" "chain,t:none" SecRule ARGS:checked[] "@contains imunify-security" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx ^(?:POST|PUT)$" "chain,id:77433262,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Imunify Security plugin REST API deactivation detected||Status:%{ARGS.status}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx /wp-json/wp/v2/plugins/imunify-security" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:status "@streq inactive" "t:none" SecRule REQUEST_METHOD "@streq POST" "id:77352390,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Unauthenticated unserialize RCE via wpos-analytics REST endpoint in WP Online Support plugins||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||UA:%{REQUEST_HEADERS.User-Agent}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wpos_analytics'" SecRule REQUEST_URI|ARGS:rest_route "@rx (?:popup-anything-on-click|wp-logo-showcase-responsive-slider|countdown-timer-ultimate|wprps-post-slider|wp-news-and-scrolling-widgets|wp-slick-slider-and-image-carousel|album-and-image-gallery-plus-lightbox|wp-testimonials-with-rotator-widget|wp-blog-and-widget|blog-designer-post-and-widget|meta-slider-and-carousel-with-lightbox|post-grid-and-filter-ultimate|timeline-and-history-slider|wp-responsive-faq-with-category-plugin|wp-team-showcase-and-slider|accordion-and-accordion-slider|wp-trending-post-slider-and-widget|featured-post-creative|portfolio-and-projects|ticker-ultimate|video-gallery-and-player|wp-featured-content-and-slider)/v1/analytics" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_FILENAME "@rx (?:/wp-comments-post\.php$|/wp-json/wp/v2/comments(?:/|$))" "id:77113439,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Arbitrary File Upload via Gravatar fetcher in Breeze Cache <= 2.4.4 (CVE-2026-3844)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_breeze'" SecRule REQUEST_METHOD "@rx ^(?:POST|PUT)$" "chain,t:none" SecRule ARGS:author|ARGS:email|ARGS:url|ARGS:author_name|ARGS:author_email|ARGS:author_url "@rx (?i)\bsrc(?:set)?\s*=\s*[\x22\x27]?\s*https?://[^\s\x22\x27<>]{1,500}\.(?:php[3-8s]?|phtml|phar|pht|inc|phps|jsp|aspx?|cgi|pl|py|rb|sh|exe|htaccess)(?:[?#/\s\x22\x27&]|$)" "t:none,t:urlDecodeUni,t:htmlEntityDecode" SecRule REQUEST_FILENAME "@rx (?i)/wp-content/cache/breeze-extra/gravatars/[^/]+\.(?:php[3-8s]?|phtml|phar|pht|inc|phps|jsp|aspx?|cgi|pl|py|rb|sh|exe|htaccess)(?:$|/|\?)" "id:77414537,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Access to executable in Breeze Cache gravatar dir (CVE-2026-3844 post-exploit)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_breeze'"
.
Edit
..
Edit
000_i360_init.conf
Edit
001_i360_pass.conf
Edit
002_i360_basic.conf
Edit
003_i360_wp_logic.conf
Edit
004_i360_vectors.conf
Edit
005_i360_bruteforce.conf
Edit
006_i360_malware.conf
Edit
007_i360_custom.conf
Edit
008_i360_wordpress.conf
Edit
009_i360_joomla.conf
Edit
010_i360_drupal.conf
Edit
011_i360_otherapps.conf
Edit
012_i360_spam.conf
Edit
013_i360_generic.conf
Edit
014_i360_infectors.conf
Edit
015_i360_filescan.conf
Edit
016_i360_monitor.conf
Edit
017_i360_weak_pass.conf
Edit
018_Disable_WP_Redirect.conf
Edit
IM360-LICENSE.txt
Edit
RELEASE
Edit
VERSION
Edit
bl_agents
Edit
bl_chains
Edit
bl_db_list
Edit
bl_db_list_ext
Edit
bl_ips
Edit
bl_os_files
Edit
bl_path_files
Edit
bl_scanners
Edit
bl_uri
Edit
bl_web_files
Edit
bl_wpboost_uri
Edit
bl_xss_input
Edit
changelog.json
Edit
changelog.txt
Edit
cloudav_list
Edit
crawlers-google-iplist.data
Edit
crawlers-iplist.data
Edit
crawlers-ualist.data
Edit
danme_top100
Edit
detectlua.lua
Edit
inspectfile.lua
Edit
ip-record.db
Edit
java_data
Edit
malware_found.list
Edit
malware_found_b64.list
Edit
malware_standalone.list
Edit
malware_standalone_b64.list
Edit
path_traversal
Edit
php_data
Edit
rbl_whitelist
Edit
rce_uri
Edit
risky-actions.list
Edit
trap.lua
Edit
trap_cookie.lua
Edit
userdata_dirb_URLs.data
Edit