/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Reading guide for this part of the file (one directive per line; chained
# rules are indented under their chain starter):
#   * Almost every rule is `pass` + `auditlog`: it does not stop the request.
#     On a match it appends "r<rule id>" to tx.rbl_infectors_rule. The consumer
#     of that variable is not part of this excerpt.
#   * Two rules (77316879, 77316880) use `block`; what `block` does is decided
#     by the SecDefaultAction in force, which is not shown here.
#   * Rules without an explicit `phase:` inherit it from SecDefaultAction.
#   * `&ARGS:name "@gt 0"` tests that the parameter is present, not its value.
#   * A pattern with no @operator (e.g. "^GET$") is evaluated with @rx.

# 77316879 - CVE-2021-24370 (Fancy Product Designer): POST to custom-image-handler.php
# carrying both uploadsDir and uploadsDirURL parameters.
# NOTE(review): "@rx POST" is unanchored; other rules in this file use "^POST$".
SecRule REQUEST_METHOD "@rx POST" "id:77316879,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress (CVE-2021-24370)||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule &ARGS:uploadsDir "@gt 0" "chain,t:none"
    SecRule &ARGS:uploadsDirURL "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316879"

# 77142133 - tracks POSTs to the Contact Form 7 REST feedback endpoint (tagged 'noshow').
# No phase is given, so it runs in the SecDefaultAction phase.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142133,pass,nolog,auditlog,chain,t:none,severity:5,msg:'IM360 WAF: Track Spam via Contact Form for WordPress||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_URI "@rx \/wp-json\/contact-form-7\/v\d\/contact-forms\/\d{1,3}\/feedback" "t:none,t:normalizePath,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142133"

# 77350241 - CVE-2023-3636 (WP Project Manager): POST to pm/v2/save_users_map_name
# where any argument contains "github" or "bitbucket".
SecRule REQUEST_METHOD "@rx POST" "id:77350241,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege Escalation Vulnerability in WP Project Manager <= 2.6.4 plugin for WordPress (CVE-2023-3636)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains pm/v2/save_users_map_name" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS "@pm github bitbucket" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350241"

# 77350225 - CVE-2023-3342 (User Registration): admin-ajax.php POST with the profile
# picture upload action. The action pattern has no operator, so it is an unanchored @rx.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350225,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "user_registration_profile_pic_upload" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350225"

# 77350226 - same CVE, second half: the profile-details save actions.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350226,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx (?:save|user_registration_update)_profile_details" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350226"

# 77350211 - CVE-2023-2982 (Social Login and Register): GET carrying app_name, wp_nonce
# and option together. There is no URI condition; the parameter triple is the whole signature.
SecRule REQUEST_METHOD "^GET$" "chain,id:77350211,phase:2,severity:7,nolog,auditlog,pass,t:none,msg:'IM360 WAF: Possible Authentication Bypass in WordPress Social Login and Register <= 7.6.4 plugin for WordPress (CVE-2023-2982)||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule &ARGS:app_name "@gt 0" "chain,t:none"
    SecRule &ARGS:wp_nonce "@gt 0" "chain,t:none"
    SecRule &ARGS:option "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350211"

# 77350210 - CVE-2023-3105 (LearnDash LMS): POST carrying the reset-password form nonce
# together with user_login.
SecRule REQUEST_METHOD "^POST$" "chain,id:77350210,phase:2,severity:5,nolog,auditlog,pass,t:none,msg:'IM360 WAF: Possible Authenticated Insecure Password Change in LearnDash LMS <= 4.6.0 plugin for WordPress (CVE-2023-3105)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule &ARGS:learndash-reset-password-form-nonce "@gt 0" "chain,t:none"
    SecRule &ARGS:user_login "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350210"

# 77316880 - CVE-2021-24370, second signature: any method, same handler, `url` parameter present.
SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "id:77316880,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress (CVE-2021-24370)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule &ARGS:url "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316880"

# 77142152 - CVE-2019-15816 (WP Private Content Plus): POST with page=wppcp* and a
# wppcp_tab parameter; the tab value is echoed into the audit message.
SecRule REQUEST_METHOD "^POST$" "chain,id:77142152,phase:2,severity:7,nolog,auditlog,pass,t:none,msg:'IM360 WAF: WordPress WP Private Content Plus plugin - unauthenticated options change (CVE-2019-15816)||RSV:8.02||T:APACHE||REMOTE_ADDR=%{tx.remote_addr}||class method=save_%{ARGS.wppcp_tab}||',tag:'wp_plugin_wp_private_content_plus'"
    SecRule ARGS:page "@rx ^wppcp" "chain,t:none"
    SecRule &ARGS:wppcp_tab "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142152"

# 77316789 - CVE-2021-24161 (Responsive Menu): POST to wp-admin/edit.php with
# post_type=rmp_menu, page=settings and a non-empty uploaded file name.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316789,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: Authenticated settings update in Responsive Menu < 4.0.3 WordPress plugin (CVE-2021-24161)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none"
    SecRule ARGS:page "@streq settings" "chain,t:none"
    SecRule FILES "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316789"

# 77316790 - same plugin and CVE, page=themes variant.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316790,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: CSRF vulnerability in Responsive Menu < 4.0.3 WordPress plugin (CVE-2021-24161)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_responsive_menu'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule ARGS:post_type "@streq rmp_menu" "chain,t:none"
    SecRule ARGS:page "@streq themes" "chain,t:none"
    SecRule FILES "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316790"

# 77316835 - Simple 301 Redirects: POST to admin-ajax.php/admin-post.php with
# page=301options and an `import` parameter.
SecRule REQUEST_METHOD "@rx POST" "id:77316835,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated Redirect Import/Export in Simple 301 Redirects by BetterLinks for WordPress||File:%{FILES}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-admin/admin-post.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:page "@streq 301options" "chain,t:none"
    SecRule &ARGS:import "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316835"

# 77140878 - PHP-type files requested from image/upload directories. The chain starter is
# a negated match that exempts a fixed list of paths; the second rule is the detection.
# NOTE(review): `$` anchors only the `php\d?` alternative, and REQUEST_URI includes the
# query string - confirm this is the intended coverage; REQUEST_FILENAME would not
# depend on the query string.
SecRule REQUEST_URI "!@rx (?:\/(wp-spamfree|com_breezingforms|midway\/framework\/assets|wp-defender\/index\.php)|(\/wp-content\/uploads\/code-execution\.php))" "chain,id:77140878,phase:request,nolog,auditlog,pass,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Infectors: Suspicious access attempt (webshell)!||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx (\/(images|img(s)?|pictures|upload(s)?)\/[^\.]{0,108}\.(pht|phtml|php\d?$))" "t:none,t:urlDecodeUni,t:normalizePath,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140878"

# 77140880 - PHP function names in parameters. Rule 1 exempts two webhook User-Agents,
# rule 2 is a cheap @pm prefilter (free-text fields such as body/content/message are
# excluded from inspection), rule 3 confirms with a word-bounded regex.
# NOTE(review): the setvar sits on the chain starter. Per the ModSecurity reference,
# non-disruptive actions run when the rule that carries them matches, not when the whole
# chain matches - verify that marking on the User-Agent test alone is intended; most
# chains in this file put the setvar on the last rule.
# This rule also has no nolog/auditlog, so logging follows SecDefaultAction.
SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "id:77140880,chain,msg:'IM360 WAF: Infectors: PHP Injection Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',phase:2,capture,pass,t:none,severity:7,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140880"
    SecRule ARGS|ARGS_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:textarea|!ARGS:wpcode_snippet_code|!ARGS:code|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm ftp_ fget fgets fgetc fscanf fwrite fopen fread gzencode gzwrite gzcompress gzopen gzread session_start( scandir readfile readgzfile readdir move_uploaded_file proc_open bzopen call_user_func $_get $_post $_session" "chain,t:none,t:lowercase"
    SecRule MATCHED_VAR "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get[sc]?s?|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" "t:none"

# 77134464 - high-risk PHP function *calls* (name followed by a parenthesised argument
# list) in cookies, file name and parameters. Same prefilter-then-regex shape as above;
# the quantifiers in the regex are bounded ({0,999}, {0,1000}, {0,100}).
# NOTE(review): the setvar is again on the chain starter, and the @pm list contains "("
# as a phrase, so the prefilter alone matches any inspected value containing a
# parenthesis - verify when the marker is meant to be set.
SecRule !REQUEST_COOKIES:/__utm/|REQUEST_HEADERS:Cookie|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pm ( session_ sqlite_ stream_ preg_ proc_ posix_ runkit_ array_ curl_ create_function eval exec passthru system popen fopen fwrite fread file_ unserialize base64_ assert phpinfo shell_" "id:77134464,chain,pass,nolog,auditlog,phase:2,severity:7,t:none,t:lowercase,capture,msg:'IM360 WAF: Infectors: PHP Injection High-Risk PHP Function||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77134464"
    SecRule MATCHED_VAR "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*[^\*]*\*/|//|#){0,999}\([^\)]*\)|\bsystem\s{0,100}\(\s{0,100}.{0,1000}(?:;|&&|\||\$_(?:GET|POST)).{0,1000}\)" "t:none"

# 77140882 - references to sensitive server files (.htpasswd, .htgroup, httpd.conf,
# boot.ini, global.asa, values starting with /etc/) in parameters and cookies. The chain
# starter exempts admin/editor URIs; free-text fields are excluded from inspection.
# t:cmdLine normalises the value before the regex runs.
SecRule REQUEST_URI "!@pm cpanel AdminTranslations /administrator/ post.php /wp-admin/admin.php" "id:77140882,chain,phase:2,pass,severity:2,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Infectors: OS File Access Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'"
    SecRule ARGS|REQUEST_COOKIES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:/post/|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:\W(?:\.(?:ht(?:group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|^/etc/)" "t:none,capture,t:cmdLine,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140882"

# 77140883 - "known shell" parameter pair: non-empty `url` and `path` together, except on
# /stats/{alive,success,failure}. The url value is stashed in tx.140883_url so the audit
# message can report both values.
SecRule REQUEST_URI "!@rx \/stats\/(?:alive|success|failure)$" "id:77140883,chain,phase:2,pass,nolog,auditlog,t:none,t:normalizePath,severity:7,msg:'IM360 WAF: RBL track known shells||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||ARGS.path:%{MATCHED_VAR}||ARGS.url:%{tx.140883_url}||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'"
    SecRule ARGS:url "!@rx ^$" "chain,t:none,setvar:tx.140883_url=%{MATCHED_VAR}"
    SecRule ARGS:path "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140883"

# 77140885 - "known shell" marker: non-empty f_pp cookie or parameter.
SecRule REQUEST_COOKIES:f_pp|ARGS:f_pp "!@rx ^$" "id:77140885,phase:2,nolog,auditlog,pass,severity:7,msg:'IM360 WAF: RBL track known shells||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140885"
SecRule ARGS:z0 "!@rx ^$" "id:77140886,phase:2,nolog,auditlog,pass,severity:7,msg:'IM360 WAF: RBL track known shells||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140886" SecRule REQUEST_METHOD "@pm GET POST" "id:77140942,chain,pass,nolog,auditlog,severity:5,phase:2,t:none,msg:'IM360 WAF: Possible WordPress Dashboard access for infectors||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "t:none,t:normalizePath,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140942" SecRule ARGS:up_auto_log "@streq true" "id:77140957,phase:2,pass,auditlog,t:none,severity:5,msg:'IM360 WAF: Track WordPress (CVE-2017-16562)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_user_profiles',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140957" SecRule &ARGS:sc "@gt 0" "id:77141009,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress ThemeREX Plugin RCE remote check (CVE-2020-10257)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{ARGS.sc}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /trx_addons/v2/" "t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141009" SecRule REQUEST_FILENAME "@endsWith /adminer/inc/editor/index.php" "id:77141024,pass,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Adminer <= 1.4.5 Security Bypass (CVE-2017-20066)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_adminer',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141024" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/indeed-membership-pro/export.xml" "id:77141028,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple 
Critical Vulnerabilities||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_ultimate_member',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141028" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/brizy/admin/site-settings.php" "id:77141078,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: PHPMailer < 5.2.20 - Remote Code Execution||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_brizy',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141078" SecRule REQUEST_METHOD "@streq GET" "chain,id:77141084,pass,t:none,severity:7,msg:'IM360 WAF: Tracking suspicious file access||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wordpress/license.txt" "t:none,t:urlDecodeUni,t:normalizePath,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141084" SecRule REQUEST_URI "@pm /wp-admin/post.php /wp-admin/admin-ajax.php" "id:77142108,chain,phase:2,pass,nolog,auditlog,severity:5,t:normalizePath,msg:'IM360 WAF: Directory traversal via plugin for WordPress||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS "@contains ../" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142108" SecRule ARGS:lang "@rx \W" "id:77142202,phase:2,severity:5,pass,nolog,auditlog,t:none,t:urlDecodeUni,msg:'IM360 WAF: Track generic SQLi attack vector||RSV:8.02||T:APACHE||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142202" SecRule ARGS:cffaction "@pm test_db_connection test_db_query get_data_from_database get_post_types get_posts get_available_taxonomies get_taxonomies get_users" "id:77142220,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in Payment Form For Paypal Pro < 1.1.65 
(CVE-2020-14092)||RSV:8.02||T:APACHE||ARGS.cffaction:%{ARGS.cffaction}||',tag:'wp_plugin_payment_form_for_paypal_pro',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142220" SecRule REQUEST_FILENAME "@endsWith /bamegamenu/ajax_phpcode.php" "chain,id:77142250,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop Responsive Mega Menu module < 1.7.2.5 arbitrary code execution (CVE-2018-8823)||RSV:8.02||T:APACHE||ARGS.code:%{ARGS.code}||',tag:'service_im360'" SecRule &ARGS:code "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142250" SecRule ARGS:es "@streq open" "id:77316723,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQL Injection in Plugin Email Subscribers & Newsletters 4.2.2 for WordPress (CVE-2019-20361)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_email_subscribers'" SecRule &ARGS:hash "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316723" SecRule ARGS:a "@pm fetch display" "id:77316725,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: File Upload/RCE in ThinkCMF||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule &ARGS:templateFile "@gt 0" "chain,t:none" SecRule ARGS:prefix "@contains '" "t:none,t:htmlEntityDecode,t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316725" SecRule ARGS|REQUEST_URI|XML:/* "@rx ;[\s\+]*wget\s+https?:\/\/([^\s\+])" "id:77142263,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecode,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360',t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142263" SecRule ARGS|REQUEST_URI|XML:/* "@rx \$\{IFS\}" "id:77142266,pass,phase:2,nolog,auditlog,severity:7,t:none,t:htmlEntityDecode,msg:'IM360 WAF: Special shell symbol in 
request||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142266" SecRule REQUEST_URI "!@pm /wp-admin/admin-ajax.php /wp-json/wp/v2/media/ /configproducts.php /api/webhooks/update/product /mollie/checkout/webhook/" "id:77142267,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Special shell symbol in request||MV:%{MATCHED_VAR}||MVN:%{TX.mvn}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "chain,t:none" SecRule ARGS|REQUEST_URI|XML:/* "@rx \$\{([^\}\)]+[\}\)])" "chain,t:none,t:htmlEntityDecode,capture,setvar:tx.mvn=%{MATCHED_VAR_NAME}" SecRule TX:1 "!@pm itemURL} innerHtml[index].link} eventId} city} term} api_itech} userSignature} href} name} endDate( startDate( Prospects" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142267" SecRule ARGS|REQUEST_LINE "@rx (?:wget https?\:\/\/pastebin\.com\/raw\/)" "id:77316744,phase:2,nolog,auditlog,pass,severity:7,t:urlDecode,t:lowercase,t:htmlEntityDecode,msg:'IM360 WAF: Suspicious url download attempt||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316744" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "id:33341,pass,nolog,auditlog,severity:5,phase:2,t:none,ctl:ruleEngine=On,msg:'IM360 WAF: Track file upload for Infectors||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r33341" SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/wp-total-donations/the-ajax-caller.php wp-cron.php" "id:77140752,chain,phase:2,pass,nolog,auditlog,severity:7,t:urlDecode,t:normalizePath,msg:'IM360 WAF: WP Total 
Donations abandoned Plugin vulnerability (CVE-2019-6703)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:action "@pm miglaA_update_me miglaA_update_arr miglaA_update_barinfo miglaA_stripe_addPlan miglaA_syncPlan miglaA_stripe_deletePlan miglaA_mailchimp_getlists miglaA_retrieve_cc_lists miglaA_test_email" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140752" SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm print( echo( eval( exec(" "id:77140881,chain,msg:'IM360 WAF: Infectors: Arbitrary code execution vulnerability in Request URI||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140881" SecRule MATCHED_VAR "@rx (?:print|echo|eval|exec)\s*\(" "t:none" SecRule ARGS:a "!@rx ^$" "id:77140884,chain,phase:2,pass,nolog,auditlog,severity:7,msg:'IM360 WAF: RBL track known shells||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'" SecRule ARGS:p1 "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140884" SecRule REQUEST_FILENAME "@endsWith wp-admin/admin.php" "id:77140985,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress Plugin WP Database Reset Auth Bypass vulnerability (CVE-2020-7048)||MVN:%{MATCHED_VAR_NAME}||DB:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wordpress_database_reset'" SecRule ARGS:db-reset-tables[] "@rx ." 
"t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140985" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140990,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: WordPress Plugin InfiniteWP Auth Bypass vulnerability||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_iwp_client'" SecRule ARGS|REQUEST_BODY "@rx ^_IWP_JSON_PREFIX_" "chain,capture,t:none,t:urlDecodeUni" SecRule TX:0 "@rx \x22iwp_action\x22\s{0,128}\:\s{0,128}\x22(?:add_site|readd_site)\x22" "chain,t:none,t:urlDecodeUni" SecRule TX:0 "@rx \x22username\x22\s{0,128}\:\s{0,128}\x22\w{0,128}\x22" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140990" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140980,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: WordPress Plugin Time Capsule Auth Bypass vulnerability||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS|REQUEST_BODY "@rx IWP_JSON_PREFIX" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140980" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77141060,chain,pass,t:none,nolog,auditlog,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Authenticated Privilege Escalation in RegistrationMagic Plugin for WordPress (CVE-2021-24862)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule ARGS:page "@streq rm_submissions" "chain,t:none" SecRule ARGS:rm_slug "@pm rm_user_edit rm_form_export" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141060" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142118,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: Logged suspicious request||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142118" SecRule REQUEST_METHOD "@rx ^POST$" 
"id:77142138,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: RCE vulnerability in Breezy - Page Builder plugin for WordPress||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule ARGS:/^brizy-settings-ta/ "@streq code-injection" "chain,t:none" SecRule ARGS:footer_code|ARGS:header_code "@contains String.fromCharCode" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142138" SecRule ARGS:otw_pctl_action "@rx ^(manage_otw_pctl_custom_templates|delete_otw_pctl_custom_template|manage_otw_pctl_options)$" "id:77142169,phase:2,severity:7,pass,nolog,auditlog,t:none,capture,msg:'IM360 WAF: WordPress Post Custom Templates Lite <= 1.6 - Persistent Cross-Site Scripting (CVE-2017-0001)||RSV:8.02||T:APACHE||otw_pctl_action = %{TX.1}||',tag:'wp_plugin_post_custom_templates_lite',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142169" SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142199,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142199" SecRule REQUEST_FILENAME "@endsWith index.php" "id:77142206,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: Joomla Com_Fabrik Vulnerabilities (RBL)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'joomla_plugin'" SecRule ARGS:option "@streq com_fabrik" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142206" SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/pw-bulk-edit\/(readme\.txt|results\.js|license\.txt)" "id:77142209,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: XSS in PW WooCommerce Bulk Edit 
(CVE-2019-14796)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_pw_bulk_edit',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142209" SecRule REQUEST_METHOD "@rx ^POST$" "id:77142212,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Shell Upload in Joomla 3.x (CVE-2016-9836)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_core'" SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,t:none,t:normalizePath" SecRule ARGS:option "@streq com_templates" "chain,t:none" SecRule ARGS:view "@streq template" "chain,t:none" SecRule &ARGS:id "@gt 0" "chain,t:none" SecRule &ARGS:file "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142212" SecRule ARGS:tccj-update "@streq Update" "chain,id:77142228,phase:2,severity:7,pass,nolog,auditlog,t:none,msg:'IM360 WAF: WordPress plugin TC Custom JavaScript - Unauthenticated Stored Cross-Site Scripting (CVE-2020-14063) - direct exploitation variation||RSV:8.02||T:APACHE||ARGS.tccj-update:%{ARGS.tccj-update}||ARGS.tccj-content:%{ARGS.tccj-content}||',tag:'service_im360'" SecRule &ARGS:tccj-content "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142228" SecRule FILES "@rx ^\." 
"id:77316727,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious file upload detection||RSV:8.02||T:APACHE||FILES:%{FILES}||',tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316727" SecRule REQUEST_METHOD "POST" "id:77316731,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: File Upload in Front-end Editor plugin for WordPress||RSV:8.02||T:APACHE||Files:%{FILES}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/" "chain,t:none,t:normalizePath" SecRule FILES "!@rx ^$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316731" SecRule REQUEST_METHOD "POST" "id:77316732,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: File Upload Vulnerability in Awesome Support plugin for WordPress||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||Files:%{FILES}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/awesome-support\/plugins\/jquery\.fineuploader-[^\/]\/server\/php\/" "chain,t:none,t:htmlEntityDecode,t:normalizePath" SecRule FILES "!@rx ^$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316732" SecRule REQUEST_METHOD "POST" "id:77316733,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: File Upload Vulnerability in Fluid forms plugin for WordPress||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||Files:%{FILES}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@contains /wp-content/plugins/fluid_forms/file-upload/server/php/" "chain,t:none,t:normalizePath" SecRule FILES "!@rx ^$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316733" SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/simplepress/resources/jscript/sp-common.min.js" "id:77316735,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Simple:Press - Broken Access 
Control||RSV:8.02||T:APACHE||',tag:'wp_plugin_simplepress',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316735" SecRule REQUEST_METHOD "^POST$" "id:77316797,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: RCE in uri used by KashmirBlack||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_URI "!@rx (?:/sam-ajax|/login/keep-alive$|magmi_saveprofile)" "chain,t:none" SecRule REQUEST_URI "@pmFromFile rce_uri" "t:none,t:urlDecodeUni,t:normalizePath,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316797" SecRule REQUEST_METHOD "^POST$" "id:77316800,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: RCE in vBulletin (CVE-2019-16759)||Code:%{ARGS}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:/subWidgets[\d][template]/ "@streq widget_php" "chain,t:none" SecRule &ARGS:/subWidgets[\d][config][code]/ "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316800" SecRule REQUEST_METHOD "@rx POST" "id:77316812,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Unauthenticated file upload in multiple Thrive Themes for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@contains /wp-json/thrive/kraken" "chain,t:none,t:normalizePath" SecRule &ARGS:attachment_ID "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316812" SecRule REQUEST_METHOD "@rx POST" "id:77316832,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious Joomla plugin installation attempt||File:%{FILES}||RSV:8.02||T:APACHE||Install directory:%{ARGS.install_directory}||',tag:'joomla_plugin'" SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:option "@streq com_installer" "chain,t:none" SecRule ARGS:task "@streq install.install" 
"setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316832" SecRule REQUEST_METHOD "@rx POST" "id:77316833,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious OpenCart plugin installation attempt||File:%{FILES}||RSV:8.02||T:APACHE||Install directory:%{ARGS.install_directory}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@endsWith /admin/index.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:route "@streq marketplace/installer/upload" "chain,t:none" SecRule &ARGS:user_token "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316833" SecRule REQUEST_METHOD "POST" "id:77316856,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Privilege Escalation in WP User Avatar plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule ARGS:/wp_capabilities/ "@streq administrator" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316856" SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316773,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation vulnerability in Orbit Fox < 2.10.2 WordPress plugin||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:action "@streq save_builder" "chain,t:none,t:lowercase" SecRule ARGS:user_role "@rx ." 
"t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316773"

# 77231170 (pass, audit log only): GET or POST whose form_id contains
# field_ui_field_edit_form and whose instance[description] contains "<"
# (Drupal Inline Entity Form, CVE-2015-5507).
SecRule REQUEST_METHOD "@pm GET POST" "id:77231170,chain,pass,nolog,auditlog,phase:2,severity:7,t:none,msg:'IM360 WAF: XSS vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal (CVE-2015-5507)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule ARGS:form_id "@contains field_ui_field_edit_form" "chain,t:none"
    SecRule ARGS:instance[description] "@contains <" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77231170"

# 77316865 (optimization, not a detection): when the request has no `action` argument,
# skipAfter jumps over the following rules up to SecMarker MARKER_action_infectors.
# Every rule placed between this line and that marker is therefore only evaluated for
# requests that carry an `action` argument; a chain in that range that does not test
# ARGS:action is skipped as well, so new rules must be placed with that in mind.
SecRule &ARGS:action "@lt 1" "id:77316865,pass,phase:2,nolog,severity:5,skipAfter:MARKER_action_infectors,msg:'IM360 WAF: ARGS action optimization||RSV:8.02||T:APACHE||',tag:'noshow',tag:'service_im360'"

# 77316822 (pass, audit log only): POST to a URI containing /wp-admin/admin.php with a page
# value starting with slp_ and action=update (Store Locator Plus).
SecRule REQUEST_METHOD "@rx POST" "id:77316822,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege escalation in Store Locator Plus plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:page "^slp_" "chain,t:none"
    SecRule ARGS:action "@streq update" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316822"

# 77141043 (pass, audit log only): admin-ajax.php request with mod=tables, a unique_id
# argument and an action containing one of three table import/export phrases
# (Pricing Table by Supsystic). @pm matches phrases case-insensitively anywhere in the value.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141043,chain,pass,nolog,auditlog,phase:2,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: XSS vulnerability in Pricing Table by Supsystic Plugin||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360',tag:'wp_plugin_pricing_table'"
    SecRule ARGS:mod "@streq tables" "chain,t:none"
    SecRule &ARGS:unique_id "@gt 0" "chain,t:none"
    SecRule ARGS:action "@pm getJSONExportTable importJSONTable createFromTpl" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141043"

# 77142189 (pass, audit log only): admin-ajax.php request with an action argument and an
# argument whose name contains "option" and whose value contains users_can_register or
# default_role. The starter's action list continues on the next line of this listing.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php"
"id:77142189,chain,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Possible WordPress site takeover||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule &ARGS:action "@gt 0" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:/option/ "@rx (users_can_register|default_role)" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142189"

# 77142216 (pass, audit log only): POST to a path ending in /index.php with
# controller=AdminDashboard and action=refreshDashboard (PrestaShop).
# NOTE(review): the last two links set no t:none, so SecDefaultAction transformations
# (not visible here) would apply to them - confirm.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142216,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Rewriting configuration variables in PrestaShop from version 1.6.0.1 - 1.7.6.6||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:controller "@streq AdminDashboard" "chain"
    SecRule ARGS:action "@streq refreshDashboard" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142216"

# 77316786 (pass, audit log only): POST to /wp-admin/admin-post.php with an uploaded file
# and an action containing admin_post (Responsive Menu, CVE-2021-24161).
# @pm matches a phrase anywhere in the value, so the phrase admin_post already covers
# admin_post_rmp_upload_theme_file and any other action containing admin_post.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316786,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: Authenticated file upload vulnerability in Responsive Menu < 4.0.3 WordPress plugin (CVE-2021-24161)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-post.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
    SecRule ARGS:action "@pm admin_post_rmp_upload_theme_file admin_post" "chain,t:none"
    SecRule FILES "!@rx ^$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316786"

# 77316818 (pass, audit log only): POST to admin-ajax.php with an action containing
# wppb_page_save and a page_builder_data or wppb_page_css argument (WP Page Builder).
# The chain continues on the next line of this listing.
SecRule REQUEST_METHOD "@rx POST" "id:77316818,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XSS vulnerability in WP Page Builder plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@pm wppb_page_save"
"chain,t:none"
    SecRule &ARGS:page_builder_data|&ARGS:wppb_page_css "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316818"

# 77316831 (pass, audit log only): POST to wp-admin/update.php with action=upload-plugin and
# an install-plugin-submit argument (WordPress plugin upload form).
SecRule REQUEST_METHOD "@rx POST" "id:77316831,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious WordPress plugin installation attempt||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith wp-admin/update.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@streq upload-plugin" "chain,t:none"
    SecRule &ARGS:install-plugin-submit "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316831"

# 77316834 (pass, audit log only): POST to admin-ajax.php or admin-post.php with an action
# containing admin_init (Simple 301 Redirects by BetterLinks).
# @pm matches the phrase anywhere in the value, not only the exact action name.
SecRule REQUEST_METHOD "@rx POST" "id:77316834,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Unauthenticated Redirect Import/Export in Simple 301 Redirects by BetterLinks for WordPress||File:%{FILES}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-admin/admin-post.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@pm admin_init" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316834"

# 77316836 (pass, audit log only): POST to a URI containing /wp-admin/admin.php with an
# action matching simple301redirects/admin/install_plugin or .../activate_plugin and a
# slug or basename argument.
SecRule REQUEST_METHOD "@rx POST" "id:77316836,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Authenticated Arbitrary Plugin Installation/Activation in Simple 301 Redirects by BetterLinks for WordPress||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@pm /wp-admin/admin.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@rx simple301redirects/admin/(?:install|activate)_plugin" "chain,t:none"
    SecRule &ARGS:slug|&ARGS:basename "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316836"

# 77316839 (pass, audit log only): POST to admin-ajax.php or the Fancy Product Designer
# custom-image-handler.php with an action matching fpd_custom_uplod_file.
# The @pm phrase list of the second link continues on the next line of this listing.
SecRule REQUEST_METHOD "@rx POST" "id:77316839,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php
/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@rx fpd_custom_uplod_file" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316839"

# 77316855 (pass, audit log only): POST to /wp-admin/profile.php with action=update
# (WP User Avatar). As written this matches every profile save on that page.
SecRule REQUEST_METHOD "POST" "id:77316855,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in WP User Avatar plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@streq update" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316855"

# 77140965 (pass): admin-ajax.php request with an action matching one of the two
# uael_login_form_* names and a non-empty data[name] argument (Ultimate Addons for Elementor).
# NOTE(review): unlike the sibling rule 77140966 below, the last link has no setvar, so this
# chain never appends to tx.rbl_infectors_rule - confirm that is intended.
# NOTE(review): auditlog is set without nolog, so error-log output follows SecDefaultAction.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140965,chain,phase:2,pass,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Track authentication bypass in WordPress Ultimate Addons for Elementor < 1.20.1||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@rx (uael_login_form_google|uael_login_form_facebook)" "chain,t:none,t:lowercase"
    SecRule ARGS:data[name] "!@rx ^$" "t:none"

# 77140966 (pass): admin-ajax.php request with an action matching one of the two
# uabb-lf-*-submit names and non-empty email and name arguments
# (Ultimate Addons for Beaver Builder).
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77140966,chain,phase:2,pass,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Track authentication bypass in WordPress Ultimate Addons for Beaver Builder < 1.24.1||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||E:%{ARGS.email}||',tag:'wp_plugin_ultimate_addons_for_beaver_builder'"
    SecRule ARGS:action "@rx (uabb-lf-google-submit|uabb-lf-facebook-submit)" "chain,t:none,t:lowercase"
    SecRule ARGS:email "!@rx ^$" "chain,t:none"
    SecRule ARGS:name "!@rx ^$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140966"

# 77140996 (pass, audit log only): request resolving to wp-central/wpcentral.php with an
# action matching wpc_fetch_authkey. The starter's action list continues on the next line.
SecRule SCRIPT_FILENAME|REQUEST_FILENAME "@endsWith wp-central/wpcentral.php"
"id:77140996,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: WordPress wpCentral Plugin Auth Bypass vulnerability||A:%{ARGS.action}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_central'"
    SecRule ARGS:action "@rx wpc_fetch_authkey" "t:none,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140996"

# 77141017 (pass, audit log only): admin-ajax.php request with action=cli_policy_generator
# and cli_policy_generator_action=save_contentdata (GDPR Cookie Consent). Both values are
# lowercased before comparison.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141017,chain,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress GDPR Cookie Consent < 1.8.3 Improper Access Controls||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_wp_cookie_law_info'"
    SecRule ARGS:action "@streq cli_policy_generator" "chain,t:none,t:lowercase"
    SecRule ARGS:cli_policy_generator_action "@streq save_contentdata" "t:none,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141017"

# 77141027 (pass, audit log only): admin-ajax.php request with action=ihc_make_export_file
# and a non-empty import_users, import_settings or import_postmeta argument
# (Ultimate Membership Pro).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141027,chain,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_ultimate_member'"
    SecRule ARGS:action "@streq ihc_make_export_file" "chain,t:none,t:lowercase"
    SecRule ARGS:import_users|ARGS:import_settings|ARGS:import_postmeta "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141027"

# 77141029 (pass, audit log only): admin-ajax.php request with
# action=ihc_generate_direct_link and a username argument (Ultimate Membership Pro).
# The @streq operand of the second link continues on the next line of this listing.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141029,chain,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities||RSV:8.02||T:APACHE||UN:%{ARGS.username}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_ultimate_member'"
    SecRule ARGS:action "@streq
ihc_generate_direct_link" "chain,t:none,t:lowercase"
    SecRule &ARGS:username "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141029"

# 77141030 (pass, audit log only): admin-ajax.php request with
# action=ihc_generate_direct_link_by_uid and a uid argument (Ultimate Membership Pro).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141030,chain,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities||RSV:8.02||T:APACHE||UID:%{ARGS.uid}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_ultimate_member'"
    SecRule ARGS:action "@streq ihc_generate_direct_link_by_uid" "chain,t:none,t:lowercase"
    SecRule &ARGS:uid "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141030"

# 77141049 (pass, audit log only): request to a path ending in admin-post.php with an action
# containing sgpbSaveSettings, csv_file or sgpb_system_info (Popup Builder).
# NOTE(review): the chained link sets no t:none, so SecDefaultAction transformations
# (not visible here) would apply to it - confirm.
SecRule REQUEST_FILENAME "@endsWith admin-post.php" "id:77141049,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress popup-builder Authenticated Settings Modification||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_popup_builder'"
    SecRule ARGS:action "@pm sgpbSaveSettings csv_file sgpb_system_info" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141049"

# 77141052 (pass, audit log only): admin-ajax.php request with an action containing
# wpvivid_add_remote and a non-empty cookie whose name contains wordpress_logged_in_
# (WPvivid Backup).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141052,chain,msg:'IM360 WAF: WordPress WPvivid Backup < 0.9.36 Auth Bypass||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,tag:'wp_core',tag:'wp_plugin_wpvivid_backuprestore'"
    SecRule ARGS:action "@contains wpvivid_add_remote" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "!@rx ^$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141052"

# 77141055 (pass, audit log only): admin-ajax.php request with action=create_dynamic_page
# and a post_title argument (IMPress for IDX Broker, CVE-2020-9514).
# The msg string of the starter continues on the next line of this listing.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141055,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations
CVE-2020-9514||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_idx_broker_platinum'"
    SecRule ARGS:action "@streq create_dynamic_page" "chain,t:none,t:lowercase"
    SecRule &ARGS:post_title "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141055"

# 77141056 (pass, audit log only): admin-ajax.php request with an action matching
# create_dynamic_page or delete_dynamic_page and a wrapper_page_id argument
# (IMPress for IDX Broker, CVE-2020-9514).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141056,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: IMPress for IDX Broker < 2.6.2 - Authenticated Post manipulations CVE-2020-9514||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_idx_broker_platinum'"
    SecRule ARGS:action "@rx (create|delete)_dynamic_page" "chain,t:none,t:lowercase"
    SecRule &ARGS:wrapper_page_id "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141056"

# 77141067 (pass, audit log only): admin-ajax.php request with an action matching one of the
# listed responsive-ready-sites-* endpoints or admin_init / admin_notices /
# admin_enqueue_scripts (Responsive Add-Ons importer, CVE-2020-12073).
# The pattern is unanchored, so it matches these names anywhere in the action value.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141067,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints (CVE-2020-12073)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_responsive_add_ons'"
    SecRule ARGS:action "@rx (responsive-ready-sites-(import-set-site-data-free|import-xml|import-options|import-wpforms|import-widgets|import-customizer-settings|import-end|reset-customizer-data|reset-site-options|reset-widgets-data|delete-posts|delete-wp-forms|delete-terms|set-reset-data))|(admin_(init|notices|enqueue_scripts))" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141067"

# 77141083 (pass, audit log only): admin-ajax.php request whose action is exactly
# change_klarna_addon_status (Klarna Checkout for WooCommerce).
# The msg string of the starter continues on the next line of this listing.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141083,phase:2,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and
Installation||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_klarna_checkout_for_woocommerce'"
    SecRule ARGS:action "^change_klarna_addon_status$" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141083"

# 77141088 (pass, audit log only): admin-ajax.php request with an action containing one of
# the listed TotalSoftPoll_* / TS_* phrases (Responsive Poll, CVE-2020-11673).
# @pm compares phrases case-insensitively.
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141088,chain,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_poll_wp'"
    SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141088"

# 77141090 (pass, audit log only): admin-ajax.php request with action=mapp_tpl_save plus
# name and content arguments (MapPress Maps, CVE-2020-12077).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141090,phase:2,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Plugin MapPress Maps < 2.53.9 RCE (CVE-2020-12077)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_mappress'"
    SecRule ARGS:action "@streq mapp_tpl_save" "chain,t:none,t:urlDecodeUni"
    SecRule &ARGS:name "@gt 0" "chain,t:none"
    SecRule &ARGS:content "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77141090"

# 77142101 (pass, audit log only): admin-ajax.php request with action=td_ajax_update_panel
# and a wp_option argument matching the value pattern on the next line of this listing
# (Newspaper theme, CVE-2016-10972). The @streq operand continues on that next line.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142101,chain,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq
td_ajax_update_panel" "chain,t:none,t:urlDecodeUni"
    # NOTE(review): the alternation includes the bare digits 1 and 0 and is unanchored, so any
    # wp_option value containing either digit matches - broad for a tracking rule; confirm.
    SecRule ARGS:/wp_option/ "@rx (administrator|subscriber|users_can_register|1|0)" "t:none,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142101"

# 77142104 (pass, audit log only): admin-ajax.php request with action=elementor_ajax and an
# actions argument containing enable_safe_mode (Elementor Page Builder).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142104,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'"
    SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase"
    SecRule ARGS:actions "@contains enable_safe_mode" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142104"

# 77142106 (pass, audit log only): admin-ajax.php request with action=wpgdprc_process_action
# whose data argument is a brace-delimited string (WP GDPR Compliance).
# The chain copies the trimmed data into TX._WPGDPRC_DATA, extracts the quoted values that
# follow "type", "option" and "value" into TX._WPGDPRC_TYPE/_OPTION/_VALUE using capture,
# and matches when type is save_setting and the lowercased option does not start with wpgdprc.
# The setvar actions on the middle links are intentional: they run as each link matches
# and feed the later links and the msg macros.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142106,phase:2,severity:7,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: WordPress GDPR Compliance plugin - Unauthorized option update (string variant)||TYPE=%{TX._WPGDPRC_TYPE}||OPTION=%{TX._WPGDPRC_OPTION}||VALUE=%{TX._WPGDPRC_VALUE}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp_gdpr_compliance'"
    SecRule ARGS:action "@streq wpgdprc_process_action" "chain,t:none"
    SecRule ARGS:data "@rx ^(?s:\{.{0,999}\})$" "chain,t:none,t:trim,capture,setvar:TX._WPGDPRC_DATA=%{TX.0}"
    SecRule TX:_WPGDPRC_DATA "@rx (?s:\"type\".+?\"(.+?)\")" "chain,t:none,capture,setvar:TX._WPGDPRC_TYPE=%{TX.1}"
    SecRule TX:_WPGDPRC_DATA "@rx (?s:\"option\".+?\"(.+?)\")" "chain,t:none,capture,setvar:TX._WPGDPRC_OPTION=%{TX.1}"
    SecRule TX:_WPGDPRC_DATA "@rx (?s:\"value\".+?\"(.+?)\")" "chain,t:none,capture,setvar:TX._WPGDPRC_VALUE=%{TX.1}"
    SecRule TX:_WPGDPRC_TYPE "@streq save_setting" "chain,t:none"
    SecRule TX:_WPGDPRC_OPTION "!@rx ^wpgdprc" "t:none,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142106"

# 77142130 (pass, audit log only): admin-ajax.php request with action=revslider_ajax_action
# and client_action=get_captions_css (Revslider). The msg string of the starter continues
# on the next line of this listing.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142130,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress
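Revslider Revolution UpdatedCaptionsCSS Content Injection||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:client_action "@streq get_captions_css" "t:none,t:lowercase,t:urlDecodeUni,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142130"

# 77142140 (pass, audit log only): admin-ajax.php request with action=updraft_ajax,
# subaction=httpget and a curl argument (UpdraftPlus, CVE-2017-16870).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142140,chain,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin UpdraftPlus SSRF (CVE-2017-16870)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_updraftplus'"
    SecRule ARGS:action "@streq updraft_ajax" "chain,t:none,t:lowercase"
    SecRule ARGS:subaction "@streq httpget" "chain,t:none,t:lowercase"
    SecRule &ARGS:curl "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142140"

# 77142162 (pass, audit log only): admin-ajax.php request with action=td_ajax_update_panel
# and at least one of wp_option[siteurl], wp_option[home], wp_option[users_can_register] or
# wp_option[default_role] (Newspaper theme, CVE-2016-10972). These selectors are literal
# argument names, not regular expressions, so the brackets need no escaping.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142162,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Newspaper WordPress Theme - Privilege Escalation (CVE-2016-10972)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq td_ajax_update_panel" "chain,t:none"
    SecRule &ARGS:wp_option[siteurl]|&ARGS:wp_option[home]|&ARGS:wp_option[users_can_register]|&ARGS:wp_option[default_role] "@ge 1" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142162"

# 77142177 (pass, audit log only): admin-ajax.php request whose action starts with pagelayer.
# The msg reports the endpoint through %{TX.1}, which is only populated by a capturing
# match. The action link therefore captures the whole action value; without `capture` and a
# group, TX.1 was empty or left over from an earlier capturing rule in the same transaction.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142177,phase:2,severity:7,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: WordPress PageLayer <= 1.1.1 - Unprotected AJAX endpoints||RSV:8.02||T:APACHE||endpoint = %{TX.1}||',tag:'wp_plugin_pagelayer'"
    SecRule ARGS:action "@rx (?s)^(pagelayer.*)" "t:none,capture,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142177"

# 77142234 (pass, audit log only): admin-ajax.php request with
# action=astra-sites-import-widgets and a widgets_data argument. The starter's action list
# continues on the next line of this listing.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php"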
"chain,id:77142234,phase:2,severity:7,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (astra-sites-import-widgets v1)||RSV:8.02||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.widgets_data:%{ARGS.widgets_data}||',tag:'service_im360'"
    SecRule ARGS:action "@streq astra-sites-import-widgets" "chain,t:none"
    SecRule &ARGS:widgets_data "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142234"

# 77316734 (pass, audit log only): admin-ajax.php request with an action containing
# restore_backup (XCloner). The pattern is unanchored.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316734,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Unprotected AJAX Action in XCloner Backup and Restore Plugin||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@rx restore_backup" "t:none,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316734"

# 77316753 (pass, audit log only): admin-ajax.php request with an action containing
# save_record (Audio Record plugin). The pattern is unanchored.
# NOTE(review): the chained link sets no t:none, so SecDefaultAction transformations
# (not visible here) would apply to it - confirm.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316753,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@rx save_record" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316753"

# 77316776 (pass, audit log only): POST with an action containing cfp-connect plus pk,
# signature and message arguments (123contactform-for-wordpress). No path condition.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316776,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: WordPress Plugin 123contactform-for-wordpress Validation Bypass||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@pm cfp-connect" "chain,t:none"
    SecRule &ARGS:pk "@gt 0" "chain,t:none"
    SecRule &ARGS:signature "@gt 0" "chain,t:none"
    SecRule &ARGS:message "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316776"

# 77316777 (pass, audit log only): POST with an action containing cfp-new-post plus
# post_content, post_status and post_author arguments (123contactform-for-wordpress).
# The msg string of the starter continues on the next line of this listing.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316777,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: WordPress Plugin 123contactform-for-wordpress Arbitrary Post
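Creation||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    # The phrase cfp-new-post is listed twice; the duplicate is redundant but harmless.
    SecRule ARGS:action "@pm cfp-new-post cfp-new-post" "chain,t:none"
    SecRule &ARGS:post_content "@gt 0" "chain,t:none"
    SecRule &ARGS:post_status "@gt 0" "chain,t:none"
    SecRule &ARGS:post_author "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316777"

# 77142124 (pass, audit log only): POST to a URI containing wp-login.php with an action
# containing register (registration-flood tracking).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142124,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: Track WordPress registration flood||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains wp-login.php" "chain,t:none,t:urlDecode"
    SecRule ARGS:action "@contains register" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77142124"

# 77317986 (pass, audit log only): POST to admin-ajax.php with
# action=astra-page-elementor-batch-process plus id and url arguments
# (Starter Templates, CVE-2021-42360).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77317986,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Authenticated track Import to Stored XSS in Starter Templates Plugin for WordPress (CVE-2021-42360)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq astra-page-elementor-batch-process" "chain,t:none"
    SecRule &ARGS:id "@gt 0" "chain,t:none"
    SecRule &ARGS:url "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77317986"

# End of the range that rule 77316865 skips when a request carries no `action` argument.
SecMarker MARKER_action_infectors

# 77316899 (pass, audit log only, severity 2): URI containing /my-account/ together with a
# wcj_verify_email argument (Booster for WooCommerce, CVE-2021-34646).
# Kept after MARKER_action_infectors on purpose: this chain does not test ARGS:action, and
# rule 77316865 skips every rule before the marker when the request has no `action`
# argument, so inside that range the rule was not evaluated for such requests.
SecRule REQUEST_URI "@contains /my-account/" "chain,id:77316899,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Authentication Bypass in Booster for WooCommerce < 5.4.4 (CVE-2021-34646)||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule &ARGS:wcj_verify_email "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316899"

# 77316931 (pass, audit log only): POST to the ninja-forms-submissions export REST route
# with form_ids, start_date and end_date arguments (CVE-2021-34647).
# The msg string of the starter continues on the next line of this listing.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316931,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: REST-API in the ninja-forms plugin for WordPress to Sensitive Information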
Disclosure (CVE-2021-34647)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-json/ninja-forms-submissions/export" "chain,t:none,t:urlDecode"
    SecRule &ARGS:form_ids "@gt 0" "chain,t:none"
    SecRule &ARGS:start_date "@gt 0" "chain,t:none"
    SecRule &ARGS:end_date "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316931"

# 77316932 (pass, audit log only): POST to the ninja-forms-submissions email-action REST
# route with submission and action_settings arguments (CVE-2021-34647).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316932,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: REST-API in the ninja-forms plugin for WordPress to Email Injection (CVE-2021-34647)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-json/ninja-forms-submissions/email-action" "chain,t:none,t:urlDecode"
    SecRule &ARGS:submission "@gt 0" "chain,t:none"
    SecRule &ARGS:action_settings "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77316932"

# 77317952 (pass, audit log only): POST carrying all of file_location, file, host_type,
# class_name and slug (Access Demo Importer, CVE-2021-39317). The chain has no path
# condition; it keys only on the presence of the five arguments.
# NOTE(review): the chained links set no t:none; irrelevant for & counts, noted for
# consistency with neighbouring rules.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77317952,chain,pass,nolog,auditlog,severity:5,phase:2,t:none,msg:'IM360 WAF: Authenticated File Upload vulnerability in Access Demo Importer WordPress plugin (CVE-2021-39317)||File:%{FILES}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule &ARGS:file_location "@gt 0" "chain"
    SecRule &ARGS:file "@gt 0" "chain"
    SecRule &ARGS:host_type "@gt 0" "chain"
    SecRule &ARGS:class_name "@gt 0" "chain"
    SecRule &ARGS:slug "@gt 0" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77317952"

# 77317977 (pass, audit log only, single rule): any request whose normalized, lowercased URI
# contains /wp-json/omapp/v1/ (OptinMonster, CVE-2021-39341). No method or argument
# condition, so all traffic to that REST namespace is tagged.
SecRule REQUEST_URI "@contains /wp-json/omapp/v1/" "id:77317977,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77317977,msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||RSV:8.02||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'"

# 77317990 (pass, audit log only): POST to admin-ajax.php with action=rm_login_social_user
# and a non-empty email argument (CVE-2021-4073).
# The msg string of the starter continues on the next line of this listing.
SecRule REQUEST_METHOD "@rx POST" "id:77317990,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in
User Registration Plugin for WordPress (CVE-2021-4073)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq rm_login_social_user" "chain,t:none"
    SecRule ARGS:email "!@rx ^$" "setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77317990"

# 77350007 (pass, audit log only): request to /wp-admin/options-general.php with
# action=updraft_download_backup and page=updraftplus (UpdraftPlus, CVE-2022-0633).
SecRule REQUEST_URI "@contains /wp-admin/options-general.php" "id:77350007,chain,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Sensitive data disclosure vulnerability in UpdraftPlus Backup plugin for WordPress (CVE-2022-0633)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq updraft_download_backup" "chain,t:none"
    SecRule ARGS:page "@streq updraftplus" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350007"

# 77350028 (pass, audit log only): POST to admin-ajax.php with action=wpbc_flextimeline_nav
# whose URL-decoded options value contains a PHP serialized object (O:<n>:) or array
# (a:<n>:{) marker (Booking Calendar, CVE-2022-1463).
SecRule REQUEST_METHOD "POST" "id:77350028,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Possible PHP Object Injection Vulnerability in Booking Calendar Plugin <= 9.1 for WordPress (CVE-2022-1463)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{ARGS.options}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq wpbc_flextimeline_nav" "chain,t:none,t:lowercase"
    SecRule ARGS:options "@rx O:\d+:|a:\d+:\x7b" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350028"

# 77350037 (pass): POST to admin-ajax.php with an action matching add_custom_font and an
# uploaded file (Tatsu, CVE-2021-25094). The last link's action list continues on the next
# line of this listing.
# NOTE(review): unlike neighbouring rules, the starter sets neither phase, nolog nor
# auditlog, so phase and logging follow SecDefaultAction - confirm that is intended.
SecRule REQUEST_METHOD "POST" "id:77350037,chain,pass,t:none,severity:5,msg:'IM360 WAF: Infectors File Upload in Tatsu Plugin for WordPress (CVE-2021-25094)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "add_custom_font" "chain,t:none"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule FILES "!@rx ^$"
"t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350037"

# 77350041 (pass): request to admin-ajax.php with an action matching
# abb_uninstall_template or jupiterx_core_cp_uninstall_template (Jupiter / JupiterX Core,
# CVE-2022-1654).
# NOTE(review): the URI pattern is a regular expression with unescaped dots and no
# normalizePath, where sibling rules use @contains/@endsWith with t:normalizePath; the
# starter also sets neither nolog nor auditlog - confirm both are intended.
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php" "id:77350041,chain,pass,t:none,severity:5,msg:'IM360 WAF: Possible Authenticated Privilege Escalation and Post deletion in Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 for WordPress (CVE-2022-1654)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "(?:abb|jupiterx_core_cp)_uninstall_template" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350041"

# 77350042 (pass): request to admin-ajax.php with an action matching
# jupiterx_cp_load_pane_action or mka_cp_load_pane_action and a slug argument
# (JupiterX / Jupiter, CVE-2022-1657). Same review notes as 77350041 apply.
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php" "id:77350042,chain,pass,t:none,severity:5,msg:'IM360 WAF: Possible Authenticated Path Traversal and Local File Inclusion in JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1 for WordPress (CVE-2022-1657)||RSV:8.02||T:APACHE||MV:%{ARGS.slug}||',tag:'wp_core'"
    SecRule ARGS:action "(?:jupiterx|mka)_cp_load_pane_action" "chain,t:none"
    SecRule &ARGS:slug "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350042"

# 77350123 (pass, audit log only): POST with an action matching one of the listed Ninja
# Forms names, exactly "init", or the empty string. No path condition.
# NOTE(review): t:normalizePath on the starter applies to REQUEST_METHOD, where it has no
# evident effect; and the ^$ alternative matches any POST with an empty action - confirm.
SecRule REQUEST_METHOD "POST" "id:77350123,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Code Injection in Ninja Forms Contact Form for WordPress||Action:%{ARGS.action}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'"
    SecRule ARGS:action "@rx kbj_test|ninja_forms_render_default_value|ninja_forms_merge_tags|ninja_forms_calc_setting|ninja_forms_save_sub|nf_get_form_id|^init$|^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350123"

# 77350131 (block, severity 2): POST to admin-ajax.php with action=_ning_upload_image.
# This is one of the few rules here whose disruptive action is `block` rather than `pass`;
# what `block` does is decided by SecDefaultAction, which is not visible in this listing.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350131,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE vulnerability in MailPress plugin for WordPress||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq _ning_upload_image" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350131"

# 77318031 (pass, audit log only, single rule): any request whose URI contains the
# /wp-json/whm/v3/themesettings route (HTML Email Template Designer, CVE-2022-0218).
# The @contains operand continues on the next line of this listing.
SecRule REQUEST_URI "@contains
/wp-json/whm/v3/themesettings" "id:77318031,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77318031"

# 77350165 (pass): POST to admin-ajax.php with an action containing erm_delete_menu_item
# (Quick Restaurant Menu, CVE-2023-0555).
# NOTE(review): the starter sets neither phase, nolog nor auditlog, so phase and logging
# follow SecDefaultAction - confirm that is intended.
SecRule REQUEST_METHOD "POST" "id:77350165,chain,pass,t:none,severity:5,msg:'IM360 WAF: Infectors Arbitrary Post Deletion in Quick Restaurant Menu <= 2.0.2 plugin for WordPress (CVE-2023-0555)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@rx erm_delete_menu_item" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350165"

# 77350167 (pass, audit log only): POST to admin-ajax.php with action=elementor_ajax whose
# actions argument is flagged by @detectXSS (Metform, CVE-2023-0084).
SecRule REQUEST_METHOD "@rx POST" "id:77350167,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XSS vulnerability in Metform Elementor Contact Form Builder <= 3.1.2 plugin for WordPress (CVE-2023-0084)||WPU:%{TX.wp_user}||MV:%{MATCHED_VAR}||AC:%{ARGS.actions}||RSV:8.02||T:APACHE||',tag:'wp_plugin_metform'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq elementor_ajax" "chain,t:none"
    SecRule ARGS:actions "@detectXSS" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350167"

# 77350406 (pass, audit log only): POST to a URI containing metform/v1/entries/ where any
# argument whose name starts with mf- contains a double quote, single quote or "<" after URL
# and HTML-entity decoding (Metform, CVE-2023-0084).
SecRule REQUEST_METHOD "@rx POST" "id:77350406,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XSS vulnerability in Metform Elementor Contact Form Builder <= 3.1.2 plugin for WordPress (CVE-2023-0084)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains metform/v1/entries/" "chain,t:none,t:normalizePath"
    SecRule ARGS:/^mf-/ "@rx [\x22\x27\x3c]" "t:none,t:urlDecode,t:htmlEntityDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350406"

# 77350187 (pass, audit log only): POST to admin-ajax.php with an action containing
# profile_update and a non-empty argument whose name contains wpda_role
# (WP Data Access, CVE-2023-1874). The starter's action list continues on the next line.
SecRule REQUEST_METHOD "@rx ^POST$"
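"id:77350187,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege Escalation in WP Data Access <= 5.3.7 plugin for WordPress (CVE-2023-1874)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    # The setvar belongs on the last link. ModSecurity runs the non-disruptive actions of a
    # chained rule as soon as that individual link matches, so with setvar on the ARGS:action
    # link the r77350187 marker was appended for every matching profile_update request,
    # even when no wpda_role argument was present and the chain as a whole did not match.
    SecRule ARGS:action "@rx profile_update" "chain,t:none"
    SecRule ARGS:/wpda_role/ "@rx ." "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350187"

# 77140992 (pass, audit log only): POST to a file under wp-includes, wp-content or wp-admin
# whose URI contains none of the listed allow phrases, whose filename does not match the
# exclusion pattern, and whose filename contains .htaccess or ends in one of the listed
# extensions (pht, phtml, php with an optional digit, txt, md, shtml, xml).
SecRule REQUEST_METHOD "@rx POST" "id:77140992,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track access attempt (WP folders)!||SC:%{SCRIPT_FILENAME}||MV:%{MATCHED_VAR}||ARGS.action:%{ARGS.action}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_FILENAME "@rx wp-(?:includes|content|admin)" "chain,t:none"
    SecRule REQUEST_URI "!@pm doing_wp_cron wffn_frontend_analytics guest.vary.php confirmation.php stripe ajax" "chain,t:none"
    SecRule REQUEST_FILENAME "!@rx (?:(guest\.vary|ajax|wp-login|wp-load|post|confirmation)\.php$|stripe)" "chain,t:none"
    SecRule REQUEST_FILENAME "@rx (?:\.htaccess|\.(pht|phtml|php\d?|txt|md|shtml|xml)$)" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140992"

# 77350196 (block, severity 2): admin-ajax.php request with action=login_or_register_user,
# eael-resetpassword-submit=true and exactly one eael-pass1 argument
# (Essential Addons for Elementor, CVE-2023-32243). What `block` does is decided by
# SecDefaultAction, which is not visible in this listing.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77350196,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Privilege Escalation (CVE-2023-32243)||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:action "@streq login_or_register_user" "chain,t:none,t:lowercase"
    SecRule ARGS:eael-resetpassword-submit "@streq true" "chain,t:none,t:lowercase"
    SecRule &ARGS:eael-pass1 "@eq 1" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350196"

# 77350197 (pass, audit log only, single rule): request for the plugin's readme.txt, logged
# as version discovery for CVE-2023-32243. The action list continues on the next line.
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt"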
"id:77350197,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Vulnerable version discovery (CVE-2023-32243)||RSV:8.02||T:APACHE||',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350197,tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-json/getwid/" "id:77350204,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated SSRF in Getwid <= 1.8.3 plugin for WordPress (CVE-2023-1895)||RSV:8.02||T:APACHE||',tag:'wp_plugin_getwid'" SecRule REQUEST_URI "@pm /get_remote_templates /get_remote_content /taxonomies /terms /templates" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350204" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350205,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Authenticated Privilege Escalation in Directorist <= 7.5.4 WordPress plugin (CVE-2023-1888)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||argsUser:%{ARGS.user}||argsEmail:%{ARGS.email}||',tag:'wp_core'" SecRule REQUEST_URI "@rx \/login" "chain,t:none,t:normalizePath" SecRule ARGS:directorist_reset_password "!@rx ^$" "chain,t:none" SecRule ARGS:password_1 "!@rx ^$" "chain,t:none" SecRule ARGS:password_2 "!@rx ^$" "chain,t:none" SecRule ARGS:user "!@rx ^$" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350205" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350206,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Authenticated Arbitrary Post Deletion in Directorist <= 7.5.4 WordPress plugin (CVE-2023-1889)||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@rx directorist_dashboard_listing_tab" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350206" SecRule &ARGS:wcal_action "@gt 0" "id:77350208,chain,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Possible Authentication 
Bypass in Abandoned Cart Lite <= 5.14.2 for WooCommerce WordPress Plugin (CVE-2023-2986)||MV:%{ARGS.validate}||MV:%{ARGS.wcal_action}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule &ARGS:validate "@gt 0" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350208" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350209,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible Authentication Bypass in BookIt <= 2.3.7 WordPress Plugin (CVE-2023-2834)||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath" SecRule ARGS:action "@streq bookit_day_appointments" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350209" SecRule &TX:rbl_whitelist_check "@eq 0" "id:77316900,phase:2,pass,nolog,severity:5,t:none,skipAfter:RBL_WHITELIST" SecRule &TX:rbl_infectors_rule "!@eq 0" "chain,id:77316861,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Block IP which is in the infectors RBL||Rules:%{tx.rbl_infectors_rule}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule &REQUEST_HEADERS:Referer|&REQUEST_HEADERS:Content-Type|&REQUEST_COOKIES "@eq 0" "chain,t:none,setvar:tx.rbl_perf=1" SecRule TX:RBL_IP "@rbl infectors.v2.rbl.imunify.com." "chain,t:none" SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none" SecRule &TX:rbl_www_brute_rule "!@eq 0" "chain,id:77641943,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Block IP which is in the www-brute RBL||Rules:%{tx.rbl_www_brute_rule}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule &REQUEST_HEADERS:Referer|&REQUEST_HEADERS:Content-Type|&REQUEST_COOKIES "@eq 0" "chain,t:none,setvar:tx.rbl_perf=1" SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain" SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." 
"t:none,initcol:ip=%{tx.remote_addr},setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300" SecMarker RBL_WHITELIST