=1.1.0"}, "RULE-CAMPAIGN-LEARNPRESS-C-ONLY-FIELDS-SQLI-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/learnpress/v1/(courses|profile/course-tab)([/?&]|$)~i"}, {"name": "ARGS:c_only_fields", "type": "detectSQLi"}], "cve": "CAMPAIGN-2026-W18-LEARNPRESS-CFIELDS-SQLI", "description": "LearnPress \\u2014 block SQL injection attempts via the \'c_only_fields\' query\\nparameter on the REST endpoints /wp-json/learnpress/v1/courses and\\n/wp-json/learnpress/v1/profile/course-tab. The parameter is a column-name\\nprojection list; legitimate values are bare identifiers. SQL keywords or\\nfunction-call syntax in the value indicates injection.\\n", "mode": "block", "severity": 8.5, "slug": "learnpress", "tags": ["sql-injection", "rest-api", "unauthenticated"], "target": "plugin", "versions": ">=0"}, "RULE-CAMPAIGN-TRIBE-V1-EVENTS-STATUS-SQLI-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/tribe/events/v1/events([/?&]|$)~i"}, {"name": "ARGS:status", "type": "detectSQLi"}], "cve": "CAMPAIGN-2026-W18-TRIBE-STATUS-SQLI", "description": "The Events Calendar \\u2014 block SQL injection attempts via the \'status\' query\\nparameter on the REST endpoint /wp-json/tribe/events/v1/events. Complements\\nexisting coverage for the documented \'s\' parameter SQLi (CVE-2025-9807,\\nCVE-2025-12197) and \'order\' parameter SQLi (CVE-2024-8275).\\n", "mode": "block", "severity": 8.5, "slug": "the-events-calendar", "tags": ["sql-injection", "rest-api", "unauthenticated"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2015-10133-01": {"action": "init", "conditions": [{"name": "ARGS:wp-subscription-manager", "type": "equals", "value": "1"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2015-10133", "method": "GET", "mode": "block", "severity": 7.2, "slug": "subscribe-to-comments", "target": "plugin", "versions": "<=2.1.2"}, "RULE-CVE-2016-15033-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/wp-content/plugins/delete-all-comments/delete-all-comments\\\\.php~"}, {"name": "ARGS:restorefromfileNAME", "type": "exists"}, {"name": "ARGS:restorefromfileNAME", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)$|[\\\\\\\\/]\\\\.htaccess$|[\\\\\\\\/]\\\\.htpasswd$~i"}], "cve": "CVE-2016-15033", "description": "Delete All Comments <=2.0 unauthenticated arbitrary file upload via restorefromfileNAME", "mode": "block", "severity": 9.8, "slug": "delete-all-comments", "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2017-20192-01": {"ajax_action": "frm_forms_preview", "conditions": [{"name": "ARGS:after_html", "type": "regex", "value": "~(?:<\\\\s*script[\\\\s/>]|<\\\\s*(?:iframe|svg|img|body|object|embed|video|audio|source|link|meta|form|input|details|marquee)\\\\b[^>]*\\\\bon[a-z]+\\\\s*=|on(?:load|error|click|mouseover|focus|blur|submit|change|input|keydown|keyup|keypress|abort|toggle|animationstart|animationend)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*[a-z0-9.+-]*\\\\s*[;,]?\\\\s*(?:base64|charset)|expression\\\\s*\\\\(|<\\\\s*style[^>]*>[^<]*expression|?0*(?:6[ad]|4[ad]|3c|2f);?|%3[Cc]\\\\s*script)~i"}], "cve": "CVE-2017-20192", "description": "Formidable Form Builder <2.05.03 unauthenticated stored XSS via after_html parameter in frm_forms_preview AJAX action", "mode": "block", "severity": 6.1, "slug": "formidable", "target": "plugin", "versions": "<2.05.03"}, "RULE-CVE-2017-20192-02": {"ajax_action": "frm_forms_preview", "conditions": [{"name": "ARGS:before_html", "type": "regex", "value": "~(?:<\\\\s*script[\\\\s/>]|<\\\\s*(?:iframe|svg|img|body|object|embed|video|audio|source|link|meta|form|input|details|marquee)\\\\b[^>]*\\\\bon[a-z]+\\\\s*=|on(?:load|error|click|mouseover|focus|blur|submit|change|input|keydown|keyup|keypress|abort|toggle|animationstart|animationend)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*[a-z0-9.+-]*\\\\s*[;,]?\\\\s*(?:base64|charset)|expression\\\\s*\\\\(|<\\\\s*style[^>]*>[^<]*expression|?0*(?:6[ad]|4[ad]|3c|2f);?|%3[Cc]\\\\s*script)~i"}], "cve": "CVE-2017-20192", "description": "Formidable Form Builder <2.05.03 unauthenticated stored XSS via before_html parameter in frm_forms_preview AJAX action", "mode": "block", "severity": 6.1, "slug": "formidable", "target": "plugin", "versions": "<2.05.03"}, "RULE-CVE-2019-25214-01": {"ajax_action": "run_table_migration", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "run_table_migration"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2019-25214", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpshopify", "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2019-25214-02": {"ajax_action": "run_table_migration", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "run_table_migration"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2019-25214", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wpshopify", "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2019-25217-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/siteground-optimizer/v1/switch-php(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2019-25217", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25217", "description": "SG Optimizer <=5.0.12 unauthenticated PHP version switch via REST API", "method": "POST", "mode": "block", "severity": 9.8, "slug": "sg-cachepress", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=5.0.12"}, "RULE-CVE-2019-25221-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:media_type", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "POST", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:id", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-04": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:search_term", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-05": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:order_pos", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-06": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:order_by", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2020-36730-01": {"ajax_action": "cmp_get_post_detail", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36730", "description": "CMP Coming Soon and Maintenance <=3.8.1 missing authorization on cmp_get_post_detail AJAX handler", "mode": "block", "severity": 9.3, "slug": "cmp-coming-soon-maintenance", "target": "plugin", "versions": "<=3.8.1"}, "RULE-CVE-2020-36730-02": {"ajax_action": "niteo_export_csv", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36730", "description": "CMP Coming Soon and Maintenance <=3.8.1 missing authorization on niteo_export_csv AJAX handler", "mode": "block", "severity": 9.3, "slug": "cmp-coming-soon-maintenance", "target": "plugin", "versions": "<=3.8.1"}, "RULE-CVE-2020-36730-03": {"ajax_action": "cmp_disable_comingsoon_ajax", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36730", "description": "CMP Coming Soon and Maintenance <=3.8.1 missing authorization on cmp_disable_comingsoon_ajax AJAX handler", "mode": "block", "severity": 9.3, "slug": "cmp-coming-soon-maintenance", "target": "plugin", "versions": "<=3.8.1"}, "RULE-CVE-2020-36769-01": {"ajax_action": "import_widget_data", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "import_widget_data"}, {"name": "ARGS:import_file", "type": "regex", "value": "~^https?://~i"}], "cve": "CVE-2020-36769", "method": "POST", "mode": "block", "severity": 5.4, "slug": "widget-settings-importexport", "target": "plugin", "versions": "<=1.5.3"}, "RULE-CVE-2020-36769-02": {"ajax_action": "import_widget_data", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "import_widget_data"}, {"name": "ARGS:widgets", "type": "regex", "value": "~(?i)(<\\\\s*script\\\\b|javascript\\\\s*:|on\\\\w+\\\\s*=)~"}], "cve": "CVE-2020-36769", "method": "POST", "mode": "block", "severity": 5.4, "slug": "widget-settings-importexport", "target": "plugin", "versions": "<=1.5.3"}, "RULE-CVE-2020-36837-01": {"action": "admin_init", "conditions": [{"name": "ARGS:do_reset_wordpress", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36837", "method": "GET", "mode": "block", "severity": 9.9, "slug": "themegrill-demo-importer", "target": "plugin", "versions": ">=1.3.4 <=1.6.1"}, "RULE-CVE-2020-36838-01": {"ajax_action": "update_options", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "update_options"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36838", "method": "POST", "mode": "block", "severity": 7.4, "slug": "facebook-messenger-customer-chat", "target": "plugin", "versions": "<1.6"}, "RULE-CVE-2020-36842-01": {"ajax_action": "wpvivid_upload_import_files", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpvivid_upload_import_files"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36842", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36842", "description": "WPvivid Backup/Restore <=0.9.35 missing capability check on wpvivid_upload_import_files AJAX action allows low-privilege authenticated arbitrary ZIP upload and extraction.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "tags": ["auth-arbitrary-file-upload", "missing-capability-check", "ajax"], "target": "plugin", "versions": "<=0.9.35"}, "RULE-CVE-2020-36842-02": {"ajax_action": "wpvivid_upload_files", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpvivid_upload_files"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36842", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36842", "description": "WPvivid Backup/Restore <=0.9.35 missing capability check on wpvivid_upload_files AJAX action allows low-privilege authenticated arbitrary ZIP upload and extraction.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "tags": ["auth-arbitrary-file-upload", "missing-capability-check", "ajax"], "target": "plugin", "versions": "<=0.9.35"}, "RULE-CVE-2021-24584-01": {"ajax_action": "route_url", "conditions": [{"name": "ARGS:controller", "type": "equals", "value": "events"}, {"name": "ARGS:mptt_action", "type": "equals", "value": "update_event_data"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24584", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mp-timetable", "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2021-24585-01": {"ajax_action": "route_url", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:controller", "type": "equals", "value": "events"}, {"name": "ARGS:mptt_action", "type": "equals", "value": "get_event_data"}], "cve": "CVE-2021-24585", "mode": "block", "severity": 6.5, "slug": "mp-timetable", "target": "plugin", "versions": "<=2.3.19"}, "RULE-CVE-2021-24994-01": {"ajax_action": "wpvivid_add_remote", "conditions": [{"name": "ARGS:remote", "type": "regex", "value": "~<(?:script|img|svg|iframe|embed|object|video|audio|body|input|details|math|marquee|a|div|p|table|form|base|link|meta|style|isindex|textarea|button|select|keygen)[^>a-zA-Z]|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|reset|select|abort|beforeunload|hashchange|unload|resize|scroll|copy|cut|paste|drag|drop|play|seeking|toggle|wheel|pointer|animation|transition)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*text/html~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24994", "description": "WPvivid Backup & Migration <0.9.69 unauthenticated stored XSS via wpvivid_add_remote AJAX action (remote parameter)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "tags": ["xss", "stored-xss", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<0.9.69"}, "RULE-CVE-2021-24994-02": {"ajax_action": "wpvivid_edit_remote", "conditions": [{"name": "ARGS:remote", "type": "regex", "value": "~<(?:script|img|svg|iframe|embed|object|video|audio|body|input|details|math|marquee|a|div|p|table|form|base|link|meta|style|isindex|textarea|button|select|keygen)[^>a-zA-Z]|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|reset|select|abort|beforeunload|hashchange|unload|resize|scroll|copy|cut|paste|drag|drop|play|seeking|toggle|wheel|pointer|animation|transition)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*text/html~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24994", "description": "WPvivid Backup & Migration <0.9.69 unauthenticated stored XSS via wpvivid_edit_remote AJAX action (remote parameter)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "tags": ["xss", "stored-xss", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<0.9.69"}, "RULE-CVE-2021-24994-03": {"ajax_action": "wpvivid_edit_remote", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~<(?:script|img|svg|iframe|embed|object|video|audio|body|input|details|math|marquee|a|div|p|table|form|base|link|meta|style|isindex|textarea|button|select|keygen)[^>a-zA-Z]|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|reset|select|abort|beforeunload|hashchange|unload|resize|scroll|copy|cut|paste|drag|drop|play|seeking|toggle|wheel|pointer|animation|transition)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*text/html~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24994", "description": "WPvivid Backup & Migration <0.9.69 unauthenticated stored XSS via wpvivid_edit_remote AJAX action (id parameter)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "tags": ["xss", "stored-xss", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<0.9.69"}, "RULE-CVE-2021-4444-01": {"ajax_action": "woofilters_save", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "woofilters"}, {"name": "ARGS:filter_name", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-4444", "method": "POST", "mode": "block", "severity": 7.3, "slug": "woo-product-filter", "target": "plugin", "versions": "<=1.4.9"}, "RULE-CVE-2021-4444-02": {"ajax_action": "woofilters_update", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "woofilters"}, {"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-4444", "method": "POST", "mode": "block", "severity": 7.3, "slug": "woo-product-filter", "target": "plugin", "versions": "<=1.4.9"}, "RULE-CVE-2021-4444-03": {"ajax_action": "woofilters_delete", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "woofilters"}, {"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-4444", "method": "POST", "mode": "block", "severity": 7.3, "slug": "woo-product-filter", "target": "plugin", "versions": "<=1.4.9"}, "RULE-CVE-2021-4446-01": {"ajax_action": "wpdeveloper_install_plugin", "conditions": [{"name": "ARGS:slug", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2021-4446", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4446", "description": "Essential Addons for Elementor Lite <= 4.6.4 missing authorization on AJAX plugin installation via wpdeveloper_install_plugin, allowing low-privilege users to install arbitrary plugins.", "method": "POST", "mode": "block", "severity": 6.3, "slug": "essential-addons-for-elementor-lite", "tags": ["authz-bypass", "missing-capability-check", "wordpress-ajax"], "target": "plugin", "versions": "<=4.6.4"}, "RULE-CVE-2021-4446-02": {"ajax_action": "wpdeveloper_activate_plugin", "conditions": [{"name": "ARGS:basename", "type": "exists"}, {"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2021-4446", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4446", "description": "Essential Addons for Elementor Lite <= 4.6.4 missing authorization on AJAX plugin activation via wpdeveloper_activate_plugin, enabling low-privilege users to activate installed plugins.", "method": "POST", "mode": "block", "severity": 6.3, "slug": "essential-addons-for-elementor-lite", "tags": ["authz-bypass", "missing-capability-check", "wordpress-ajax"], "target": "plugin", "versions": "<=4.6.4"}, "RULE-CVE-2021-4446-03": {"ajax_action": "wpdeveloper_upgrade_plugin", "conditions": [{"name": "ARGS:basename", "type": "exists"}, {"type": "missing_capability", "value": "update_plugins"}], "cve": "CVE-2021-4446", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4446", "description": "Essential Addons for Elementor Lite <= 4.6.4 missing authorization on AJAX plugin upgrade via wpdeveloper_upgrade_plugin, enabling low-privilege users to trigger plugin upgrades.", "method": "POST", "mode": "block", "severity": 6.3, "slug": "essential-addons-for-elementor-lite", "tags": ["authz-bypass", "missing-capability-check", "wordpress-ajax"], "target": "plugin", "versions": "<=4.6.4"}, "RULE-CVE-2021-4450-01A": {"ajax_action": "post_grid_ajax_fetch_block_hub_by_id", "conditions": [{"name": "ARGS:meta_key", "type": "exists"}, {"name": "ARGS:meta_value", "type": "exists"}, {"name": "ARGS:meta_key", "type": "detectSQLi"}], "cve": "CVE-2021-4450", "method": "POST", "mode": "block", "severity": 8.8, "slug": "post-grid", "target": "plugin", "versions": "<=2.1.12"}, "RULE-CVE-2021-4450-01B": {"ajax_action": "post_grid_ajax_fetch_block_hub_by_id", "conditions": [{"name": "ARGS:meta_key", "type": "exists"}, {"name": "ARGS:meta_value", "type": "exists"}, {"name": "ARGS:meta_value", "type": "detectSQLi"}], "cve": "CVE-2021-4450", "method": "POST", "mode": "block", "severity": 8.8, "slug": "post-grid", "target": "plugin", "versions": "<=2.1.12"}, "RULE-CVE-2022-0320-01": {"ajax_action": "load_more", "conditions": [{"name": "ARGS:template_info[file_name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via load_more templateInfo[file_name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-02": {"ajax_action": "load_more", "conditions": [{"name": "ARGS:template_info[name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via load_more template_info[name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-03": {"ajax_action": "woo_product_pagination_product", "conditions": [{"name": "ARGS:templateInfo[file_name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination_product templateInfo[file_name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-04": {"ajax_action": "woo_product_pagination_product", "conditions": [{"name": "ARGS:templateInfo[name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination_product templateInfo[name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-05": {"ajax_action": "woo_product_pagination", "conditions": [{"name": "ARGS:template_info[file_name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination template_info[file_name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-06": {"ajax_action": "woo_product_pagination", "conditions": [{"name": "ARGS:template_info[name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination template_info[name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0531-01A": {"action": "admin_menu", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^(?i)wpvivid$~"}, {"name": "ARGS:sub_page", "type": "regex", "value": "~[\\"\'<>]~"}], "cve": "CVE-2022-0531", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.69"}, "RULE-CVE-2022-0531-01B": {"action": "admin_menu", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^(?i)wpvivid$~"}, {"name": "ARGS:sub_tab", "type": "regex", "value": "~[\\"\'<>]~"}], "cve": "CVE-2022-0531", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.69"}, "RULE-CVE-2022-1707-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]s=~"}, {"name": "ARGS:s", "type": "regex", "value": "~<(?:script|img|object|iframe|embed|svg)[^>]*>|javascript:|on(?:error|load|click|mouseover)\\\\s*=~i"}], "cve": "CVE-2022-1707", "description": "Google Tag Manager for WordPress <=1.15 reflected XSS via s parameter", "mode": "block", "severity": 6.1, "slug": "duracelltomi-google-tag-manager", "target": "plugin", "versions": "<=1.15"}, "RULE-CVE-2022-1768-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/rsvpmaker/v1/stripesuccess(?:/[^/?]*)?(?:[/?&]|$)~"}, {"name": "ARGS:rsvp_id", "type": "regex", "value": "~(?i)(?:\'\\\\s*(?:OR|AND)\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|UNION(?:\\\\s+ALL)?\\\\s+SELECT|SELECT(?:\\\\s|\\\\()|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|pg_sleep\\\\s*\\\\(|WAITFOR\\\\s+DELAY|information_schema|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE|--\\\\s*$|/\\\\*|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE)\\\\b)~"}], "cve": "CVE-2022-1768", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1768", "description": "RSVPMaker <=9.3.2 unauthenticated time-based blind SQL injection via rsvp_id parameter in REST route /wp-json/rsvpmaker/v1/stripesuccess/ (confirmed in production, 190/200 proactive_queue samples targeted this endpoint with SLEEP() payloads)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "rsvpmaker", "tags": ["sql-injection", "unauthenticated", "rest-api", "time-based-blind", "prod-evidence"], "target": "plugin", "versions": "<=9.3.2"}, "RULE-CVE-2022-1768-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/rsvpmaker/v1/stripesuccess(?:/[^/?]*)?(?:[/?&]|$)~"}, {"name": "ARGS:rsvp_id", "type": "regex", "value": "~(?i)(?:\'\\\\s*(?:OR|AND)\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|UNION(?:\\\\s+ALL)?\\\\s+SELECT|SELECT(?:\\\\s|\\\\()|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|pg_sleep\\\\s*\\\\(|WAITFOR\\\\s+DELAY|information_schema|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE|--\\\\s*$|/\\\\*|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE)\\\\b)~"}], "cve": "CVE-2022-1768", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1768", "description": "RSVPMaker <=9.3.2 unauthenticated time-based blind SQL injection via rsvp_id parameter in REST route /wp-json/rsvpmaker/v1/stripesuccess/ (GET variant)", "method": "GET", "mode": "block", "severity": 9.8, "slug": "rsvpmaker", "tags": ["sql-injection", "unauthenticated", "rest-api", "time-based-blind", "prod-evidence"], "target": "plugin", "versions": "<=9.3.2"}, "RULE-CVE-2022-1768-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/rsvpmaker/v1/sked(?:/[^/?]*)?(?:[/?&]|$)~"}, {"name": "ARGS:post_id", "type": "regex", "value": "~(?i)(?:\'\\\\s*(?:OR|AND)\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|UNION(?:\\\\s+ALL)?\\\\s+SELECT|SELECT(?:\\\\s|\\\\()|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|pg_sleep\\\\s*\\\\(|WAITFOR\\\\s+DELAY|information_schema|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE|--\\\\s*$|/\\\\*|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE)\\\\b)~"}], "cve": "CVE-2022-1768", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1768", "description": "RSVPMaker <=9.3.2 unauthenticated time-based blind SQL injection via post_id parameter in REST route /wp-json/rsvpmaker/v1/sked/{id} (secondary sink from reference digest, Week 15 2026)", "mode": "block", "severity": 9.8, "slug": "rsvpmaker", "tags": ["sql-injection", "unauthenticated", "rest-api", "time-based-blind"], "target": "plugin", "versions": "<=9.3.2"}, "RULE-CVE-2022-1985-01": {"action": "init", "conditions": [{"name": "ARGS:frameid", "type": "regex", "value": "~(?:]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2022-1985", "description": "Download Manager <=3.2.42 reflected XSS via frameid parameter in shortcode-iframe.php", "mode": "block", "severity": 6.1, "slug": "download-manager", "target": "plugin", "versions": "<=3.2.42"}, "RULE-CVE-2022-2439-01": {"ajax_action": "ime_test_im_path", "conditions": [{"name": "ARGS:cli_path", "type": "regex", "value": "~[;|&`$(){}\\\\n\\\\r<>]|\\\\$\\\\(~"}], "cve": "CVE-2022-2439", "method": "POST", "mode": "block", "severity": 7.2, "slug": "imagemagick-engine", "target": "plugin", "versions": "<1.7.5"}, "RULE-CVE-2022-2446-01": {"ajax_action": "wpeditor_browse_theme_root", "conditions": [{"name": "ARGS:current_theme_root", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-2446-02": {"ajax_action": "wpeditor_get_file", "conditions": [{"name": "ARGS:file_path", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-2446-03": {"ajax_action": "wpeditor_upload", "conditions": [{"name": "ARGS:complete_directory", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-2446-04": {"ajax_action": "wpeditor_save_file", "conditions": [{"name": "ARGS:real_file", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-33965-01": {"ajax_action": "liveStats", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via liveStats AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-02": {"ajax_action": "refDetails", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via refDetails AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-03": {"ajax_action": "getDateWiseLocationDetail", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via getDateWiseLocationDetail AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-04": {"ajax_action": "getContentUrlDayView", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via getContentUrlDayView AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-05": {"ajax_action": "getReferralOSDetails", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via getReferralOSDetails AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-06": {"ajax_action": "refUrlDetails", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via refUrlDetails AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-07": {"ajax_action": "uoSummary", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via uoSummary AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-08": {"ajax_action": "deleteIpAddress", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via deleteIpAddress AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-09": {"ajax_action": "updateIpAddress", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via updateIpAddress AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-10": {"ajax_action": "save_ipadress", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via save_ipadress AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-3805-02": {"ajax_action": "jkit_create_element", "conditions": [{"type": "missing_capability", "value": "edit_theme_options"}], "cve": "CVE-2022-3805", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3805", "description": "Jeg Elementor Kit <=2.5.6 unauthorized element creation via jkit_create_element AJAX handler", "mode": "block", "severity": 7.5, "slug": "jeg-elementor-kit", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=2.5.6"}, "RULE-CVE-2022-41786-01": {"ajax_action": "wpjobportal_ajax", "conditions": [{"name": "ARGS:task", "type": "exists"}, {"name": "ARGS:task", "type": "regex", "value": "~^(deletecompanylogo|deleteUserPhoto|deleteResumeLogo|removeResumeFileById|deleteResumeSectionAjax)$~i"}], "cve": "CVE-2022-41786", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-job-portal", "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2022-4290-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/edit-tags\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:tag-name", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/\\\\*.*\\\\*/|\\\\b(?:SLEEP|BENCHMARK)\\\\s*\\\\(|\\\\binformation_schema\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|--\\\\s|0x[0-9a-fA-F]{4,})~i"}], "cve": "CVE-2022-4290", "description": "Cyr to Lat <=3.5 authenticated SQL injection via tag/term name in ctl_sanitize_title (edit-tags.php)", "mode": "block", "severity": 8.8, "slug": "cyr3lat", "target": "plugin", "versions": "<=3.5"}, "RULE-CVE-2022-4290-02": {"ajax_action": "add-tag", "conditions": [{"name": "ARGS:tag-name", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/\\\\*.*\\\\*/|\\\\b(?:SLEEP|BENCHMARK)\\\\s*\\\\(|\\\\binformation_schema\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|--\\\\s|0x[0-9a-fA-F]{4,})~i"}], "cve": "CVE-2022-4290", "description": "Cyr to Lat <=3.5 authenticated SQL injection via add-tag AJAX tag-name", "mode": "block", "severity": 8.8, "slug": "cyr3lat", "target": "plugin", "versions": "<=3.5"}, "RULE-CVE-2022-43453-01": {"ajax_action": "wptools_get_ajax_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-03": {"ajax_action": "wptools_get_speed_info", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-04": {"ajax_action": "wptools_dismissible_notice", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-05": {"ajax_action": "wptools_dismissible_notice2", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-06": {"ajax_action": "wptools_bill_go_pro_hide", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-4501-01": {"ajax_action": "vc_save_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4501", "description": "Mega Addons For WPBakery Page Builder <=4.3.0 missing authorization on vc_save_data AJAX action allows subscriber+ to overwrite plugin settings", "mode": "block", "severity": 6.5, "slug": "mega-addons-for-visual-composer", "target": "plugin", "versions": "<=4.3.0"}, "RULE-CVE-2022-45354-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/download-monitor/v1/(?:download_reports|user_reports|user_data))(?:/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-45354", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.60"}, "RULE-CVE-2022-45354-02": {"action": "init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~^/download-monitor/v1/(?:download_reports|user_reports|user_data)(?:/|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-45354", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.60"}, "RULE-CVE-2022-45830-01": {"action": "admin_init", "conditions": [{"name": "ARGS:wp_analytify_log_out", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-45830", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-analytify", "target": "plugin", "versions": "<=4.2.3"}, "RULE-CVE-2022-4972-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/download_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/download_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_data(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_data(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-07": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/templates(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-08": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/templates(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2023-0084-02": {"ajax_action": "mf_admin_action", "conditions": [{"name": "ARGS:form_data", "type": "regex", "value": "~(?:]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|svg\\\\s+onload=)~i"}], "cve": "CVE-2023-0084", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0084", "description": "MetForm <=3.1.2 stored XSS via admin submissions list view", "mode": "block", "severity": 6.1, "slug": "metform", "tags": ["xss", "stored"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2023-0579-01": {"ajax_action": "yarpp_display", "conditions": [{"name": "ARGS:ID", "type": "regex", "value": "~(?:UNION(?:/\\\\*.*?\\\\*/|\\\\s)+(?:ALL(?:/\\\\*.*?\\\\*/|\\\\s)+)?SELECT\\\\b|/\\\\*.*?\\\\*/|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\b|\\\\b(?:OR|AND)\\\\b(?:/\\\\*.*?\\\\*/|\\\\s)+[0-9]+\\\\s*=\\\\s*[0-9]+|(?:--|#)(?:\\\\s|$)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|WAITFOR(?:/\\\\*.*?\\\\*/|\\\\s)+DELAY)~i"}], "cve": "CVE-2023-0579", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0579", "description": "YARPP <=5.30.2 authenticated SQL injection via yarpp_display AJAX handler ID parameter", "mode": "block", "severity": 8.8, "slug": "yet-another-related-posts-plugin", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=5.30.2"}, "RULE-CVE-2023-0579-02": {"ajax_action": "yarpp_display_preview", "conditions": [{"name": "ARGS:ID", "type": "regex", "value": "~(?:UNION(?:/\\\\*.*?\\\\*/|\\\\s)+(?:ALL(?:/\\\\*.*?\\\\*/|\\\\s)+)?SELECT\\\\b|/\\\\*.*?\\\\*/|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\b|\\\\b(?:OR|AND)\\\\b(?:/\\\\*.*?\\\\*/|\\\\s)+[0-9]+\\\\s*=\\\\s*[0-9]+|(?:--|#)(?:\\\\s|$)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|WAITFOR(?:/\\\\*.*?\\\\*/|\\\\s)+DELAY)~i"}], "cve": "CVE-2023-0579", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0579", "description": "YARPP <=5.30.2 authenticated SQL injection via yarpp_display_preview AJAX handler ID parameter", "mode": "block", "severity": 8.8, "slug": "yet-another-related-posts-plugin", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=5.30.2"}, "RULE-CVE-2023-23715-01": {"ajax_action": "jb-delete-job", "conditions": [{"name": "ARGS:jb-delete-job", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23715", "method": "POST", "mode": "block", "severity": 8.8, "slug": "jobboardwp", "target": "plugin", "versions": "<=1.2.2"}, "RULE-CVE-2023-23730-01": {"ajax_action": "uagb_process_forms", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:form_data", "type": "regex", "value": "~(?:^|&)g-recaptcha-response=[^&]{0,80}(?:&|$)~"}], "cve": "CVE-2023-23730", "method": "POST", "mode": "block", "severity": 5.3, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23735-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "uagb_process_forms"}, {"name": "ARGS:email", "type": "detectXSS"}], "cve": "CVE-2023-23735", "description": "Unauthenticated email HTML injection (XSS) via Spectra form processing allows HTML/script injection in email field", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23738-01": {"ajax_action": "uagb_process_forms", "conditions": [{"name": "ARGS", "type": "regex", "value": "~%0[dD]%0[aA].*(Bcc|Cc|From|Reply-To|Content-Type|Subject)~i"}], "cve": "CVE-2023-23738", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23738", "description": "Spectra (Ultimate Addons for Gutenberg) <=2.3.0 unauthenticated email header injection via CRLF in form submission", "method": "POST", "mode": "block", "severity": 5.3, "slug": "ultimate-addons-for-gutenberg", "tags": ["email-header-injection", "content-spoofing", "unauthenticated", "crlf-injection"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23825-01": {"ajax_action": "ast_block_templates_import_wpforms", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ast_block_templates_import_wpforms"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23825", "description": "Spectra (Ultimate Addons for Gutenberg) <= 2.3.0 missing authorization/CSRF protection on AJAX WPForms import action ast_block_templates_import_wpforms, allowing low-privilege or CSRF-triggered imports.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-addons-for-gutenberg", "tags": ["wordpress", "plugin", "spectra", "ultimate-addons-for-gutenberg", "missing-authorization", "csrf"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23825-02": {"ajax_action": "ast_block_templates_import_block", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ast_block_templates_import_block"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23825", "description": "Spectra (Ultimate Addons for Gutenberg) <= 2.3.0 missing authorization/CSRF protection on AJAX block template import action ast_block_templates_import_block, allowing low-privilege or CSRF-triggered imports.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-addons-for-gutenberg", "tags": ["wordpress", "plugin", "spectra", "ultimate-addons-for-gutenberg", "missing-authorization", "csrf"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23834-01": {"ajax_action": "ast_block_templates_activate_plugin", "conditions": [{"name": "ARGS:ast_block_templates_activate_plugin", "type": "exists"}, {"name": "ARGS:ast_block_templates_activate_plugin", "type": "regex", "value": "~\\\\.php($|\\\\?)~i"}, {"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2023-23834", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2023-23990-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/profile.php"}, {"name": "ARGS:wp_capabilities", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-23990-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/profile.php"}, {"name": "ARGS:wp_user_level", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-23990-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/user-edit.php"}, {"name": "ARGS:wp_capabilities", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-23990-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/user-edit.php"}, {"name": "ARGS:wp_user_level", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-24407-01": {"ajax_action": "wpdevart_export", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_export"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-02": {"ajax_action": "wpdevart_ajax", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_ajax"}, {"name": "ARGS:task", "type": "regex", "value": "~^wpdevart_(quick_update|add_field|payment(_ajax)?|export)$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-03": {"ajax_action": "wpdevart_add_field", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_add_field"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-04": {"ajax_action": "wpdevart_payment", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_payment"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-05": {"ajax_action": "wpdevart_payment_ajax", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_payment_ajax"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-25988-01": {"ajax_action": "TotalSoftGallery_Video_Del", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-02": {"ajax_action": "TotalSoftGallery_Video_Clone", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-03": {"ajax_action": "TotalSoftGallery_Video_Edit", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-04": {"ajax_action": "TotalSoftGallery_Video_Edit_Videos", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-05": {"ajax_action": "TSoft_Vimeo_Video_Image", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-06": {"ajax_action": "TSoft_Wistia_Video_Image", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-07": {"ajax_action": "TotalSoftGallery_VideoOpt_Del", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-08": {"ajax_action": "TotalSoftGallery_VideoOpt_Edit", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-09": {"ajax_action": "TotalSoftGallery_VideoOpt_Edit1", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-10": {"ajax_action": "TotalSoftGalleryV_Clone_Option", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-11": {"ajax_action": "TotalSoftGallery_Video_Page", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-12": {"ajax_action": "TotalSoftGallery_Video_PageGO", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-13": {"ajax_action": "TotalSoftGallery_Video_CP_Popup", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-14": {"ajax_action": "TotalSoftGallery_Video_CP_Popup_Left", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-15": {"ajax_action": "TotalSoftGallery_Video_CP_Popup_Right", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-16": {"ajax_action": "TS_PTable_New_MTable_DisMiss_VG", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-17": {"ajax_action": "TS_VG_Question_DisMiss", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-18": {"ajax_action": "Total_Soft_GV_Prev", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-19": {"ajax_action": "TotalSoftGallery_Video_Post", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-20": {"ajax_action": "TotalSoftGallery_Page_Post", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-2732-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/listings(/|\\\\?|$)~"}, {"name": "ARGS:user_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2023-2732", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2732", "description": "mstore-api <=3.9.2 authentication bypass via user_id parameter in listings REST API", "method": "POST", "mode": "block", "severity": 9.8, "slug": "mstore-api", "tags": ["authentication-bypass", "privilege-escalation", "rest-api"], "target": "plugin", "versions": "<=3.9.2"}, "RULE-CVE-2023-27460-01": {"ajax_action": "cpcfwpp_feedback", "conditions": [{"name": "ARGS:answer", "type": "exists"}, {"name": "ARGS:oinfo", "type": "exists"}, {"name": "ARGS:opinfo", "type": "exists"}, {"name": "ARGS:anonymous", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-27460", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27460", "description": "CP Contact Form with Paypal <= 1.3.34 missing authorization on AJAX feedback submission (cpcfwpp_feedback) allows low-privileged users to misuse internal feedback functionality.", "method": "POST", "mode": "block", "severity": 4.3, "slug": "cp-contact-form-with-paypal", "tags": ["missing-authorization", "broken-access-control", "ajax", "feedback"], "target": "plugin", "versions": "<=1.3.34"}, "RULE-CVE-2023-2877-01": {"ajax_action": "frm_install_addon", "conditions": [{"name": "ARGS:file_url", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2023-2877", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "target": "plugin", "versions": "<=6.3"}, "RULE-CVE-2023-2877-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/frm-admin/v1/install-addon(/|\\\\?|$)~"}, {"name": "ARGS:file_url", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2023-2877", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "target": "plugin", "versions": "<=6.3"}, "RULE-CVE-2023-30873-01": {"ajax_action": "wpdocs_create_folder", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdocs_create_folder"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-30873", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2023-30873-02": {"ajax_action": "wpdocs_update_folder", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdocs_update_folder"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-30873", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2023-30873-03": {"ajax_action": "wpdocs_delete_folder", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdocs_delete_folder"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-30873", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2023-3197-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mstore/v1/products(?:[/?]|$)~"}, {"name": "ARGS:id", "type": "regex", "value": "~(?:union\\\\s+(?:all\\\\s+)?select|;\\\\s*(?:drop|delete|insert|update)\\\\s|or\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|and\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|\\\\banalyze\\\\b|\\\\bbenchmark\\\\b|\\\\bsleep\\\\s*\\\\()~i"}], "cve": "CVE-2023-3197", "description": "mstore-api <=4.0.1 unauthenticated SQL injection via id parameter in vendor-wcfm.php REST endpoint", "mode": "block", "severity": 9.8, "slug": "mstore-api", "target": "plugin", "versions": "<=4.0.1"}, "RULE-CVE-2023-32117-01": {"ajax_action": "igd_download_zip", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-02": {"ajax_action": "igd_download", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-03": {"ajax_action": "igd_stream", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-04": {"ajax_action": "igd_preview", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-05": {"ajax_action": "igd_get_share_link", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-06": {"ajax_action": "igd_get_preview_thumbnail", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-07": {"ajax_action": "igd_get_shortcodes", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-08": {"ajax_action": "igd_get_upload_url", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-09": {"ajax_action": "igd_file_uploaded", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-10": {"ajax_action": "igd_delete_shortcode", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-11": {"ajax_action": "igd_download_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-3277-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/flutter-user/login-with-apple(?:[/?]|$)~"}], "cve": "CVE-2023-3277", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3277", "description": "MStore API <=4.10.7 unauthenticated privilege escalation via Apple login token", "mode": "block", "severity": 9.8, "slug": "mstore-api", "tags": ["privilege-escalation", "authentication-bypass", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.10.7"}, "RULE-CVE-2023-35051-01": {"ajax_action": "accua-save-form-settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua-save-form-settings action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-02": {"ajax_action": "accua_form_save_form_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua_form_save_form_settings action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-03": {"ajax_action": "accua-save-form-field", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua-save-form-field action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-04": {"ajax_action": "accua_forms_preview", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua_forms_preview action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-05": {"ajax_action": "accua_forms_submission_page_save_excel", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua_forms_submission_page_save_excel action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-36516-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/learnpress/v1/profile/\\\\d+~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36516", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.3"}, "RULE-CVE-2023-36679-01": {"ajax_action": "ast_block_templates_importer", "conditions": [{"name": "ARGS:api_uri", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36679", "mode": "block", "severity": 6.5, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.6.6"}, "RULE-CVE-2023-36679-02": {"ajax_action": "ast_block_templates_import_wpforms", "conditions": [{"name": "ARGS:wpforms_url", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36679", "mode": "block", "severity": 6.5, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.6.6"}, "RULE-CVE-2023-36681-01": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ccpw_get_coins_list"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36681", "mode": "block", "severity": 9.8, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": "<=2.6.2"}, "RULE-CVE-2023-36681-02": {"ajax_action": "ccpw_delete_transient", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ccpw_delete_transient"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36681", "mode": "block", "severity": 9.8, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": "<=2.6.2"}, "RULE-CVE-2023-37389-01": {"ajax_action": "package_app_action", "conditions": [{"name": "ARGS:mode", "type": "regex", "value": "~^(?:updateUser|createUser|updateRolesOfUser|updateRolesOfPlugin)$~i"}], "cve": "CVE-2023-37389", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37389", "description": "Booking Package <=1.5.98 unauthenticated privilege escalation via user modification modes", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-package", "tags": ["privilege-escalation", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=1.5.98"}, "RULE-CVE-2023-37866-01": {"ajax_action": "jfb_addon_activate_action", "conditions": [{"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2023-37866", "mode": "block", "severity": 7.2, "slug": "jetformbuilder", "target": "plugin", "versions": "<=3.0.8"}, "RULE-CVE-2023-37967-01": {"ajax_action": "directorypress_fields_delete", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-37967", "method": "POST", "mode": "block", "severity": 9.8, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2023-37967-02": {"ajax_action": "directorypress_fields_group_delete", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-37967", "method": "POST", "mode": "block", "severity": 9.8, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2023-37967-03": {"ajax_action": "directorypress_fields_config", "conditions": [{"name": "ARGS:field_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-37967", "method": "POST", "mode": "block", "severity": 9.8, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2023-37999-01": {"ajax_action": "htmega_ajax_register", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "htmega_ajax_register"}, {"name": "ARGS:reg_role", "type": "regex", "value": "~(?:administrator|editor|author|contributor)~i"}, {"type": "missing_capability", "value": "create_users"}], "cve": "CVE-2023-37999", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37999", "description": "HT Mega Absolute Addons for Elementor <=2.2.0 unauthenticated privilege escalation via reg_role parameter in htmega_ajax_register", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ht-mega-for-elementor", "tags": ["privilege-escalation", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=2.2.0"}, "RULE-CVE-2023-38386-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/ninja-forms-submissions/v1/export(?:[/?]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-38386", "method": "GET", "mode": "block", "severity": 9.8, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.6.25"}, "RULE-CVE-2023-38386-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/ninja-forms-submissions/v1/export(?:[/?]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-38386", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.6.25"}, "RULE-CVE-2023-38393-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/ninja-forms-submissions/v1/(download-all|export)(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-38393", "mode": "block", "severity": 8.8, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.6.25"}, "RULE-CVE-2023-39920-01": {"action": "admin_init", "conditions": [{"name": "ARGS:export_leads", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39920", "method": "GET", "mode": "block", "severity": 7.5, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.9.2"}, "RULE-CVE-2023-39920-02": {"ajax_action": "send_debug_info", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39920", "mode": "block", "severity": 7.5, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.9.2"}, "RULE-CVE-2023-39990-01": {"ajax_action": "pmpro_courses_update_course", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pmpro_courses_update_course"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39990", "method": "POST", "mode": "block", "severity": 8.8, "slug": "pmpro-courses", "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2023-39990-02": {"ajax_action": "pmpro_courses_remove_course", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pmpro_courses_remove_course"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39990", "method": "POST", "mode": "block", "severity": 8.8, "slug": "pmpro-courses", "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2023-39997-01": {"action": "init", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "subscribe"}, {"name": "ARGS:action", "type": "equals", "value": "getWpCsvList"}, {"name": "ARGS:pl", "type": "equals", "value": "pps"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39997", "mode": "block", "severity": 9.8, "slug": "popup-by-supsystic", "target": "plugin", "versions": "<=1.10.19"}, "RULE-CVE-2023-40203-01": {"ajax_action": "delete_widget", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "delete_widget"}, {"name": "ARGS:widget_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-40203", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mailchimp-forms-by-mailmunch", "target": "plugin", "versions": "<=3.1.4"}, "RULE-CVE-2023-40203-02": {"ajax_action": "change_email_status", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "change_email_status"}, {"name": "ARGS:email_id", "type": "exists"}, {"name": "ARGS:email_status", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-40203", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mailchimp-forms-by-mailmunch", "target": "plugin", "versions": "<=3.1.4"}, "RULE-CVE-2023-40203-03": {"ajax_action": "delete_email", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "delete_email"}, {"name": "ARGS:email_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-40203", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mailchimp-forms-by-mailmunch", "target": "plugin", "versions": "<=3.1.4"}, "RULE-CVE-2023-41243-01": {"ajax_action": "wpvivid_get_import_list_page", "conditions": [{"name": "ARGS:wpvivid_upload_import_files", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-41243", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.90"}, "RULE-CVE-2023-41243-02": {"ajax_action": "wpvivid_get_import_list_page", "conditions": [{"name": "ARGS:wpvivid_start_import", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-41243", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.90"}, "RULE-CVE-2023-41243-03": {"ajax_action": "wpvivid_get_import_list_page", "conditions": [{"name": "ARGS:wpvivid_delete_export_list", "type": "exists"}, {"name": "ARGS:export_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-41243", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.90"}, "RULE-CVE-2023-48777-01": {"ajax_action": "elementor_upload_kit", "conditions": [{"name": "FILES:e_import_file:name", "type": "regex", "value": "~\\\\.(?:php[0-9]*|phtml|phar|cgi|exe|sh|bash)$~i"}], "cve": "CVE-2023-48777", "method": "POST", "mode": "block", "severity": 8.8, "slug": "elementor", "target": "plugin", "versions": "3.3.0 - 3.18.1"}, "RULE-CVE-2023-5070-01": {"ajax_action": "sfsi_save_export", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-5070", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5070", "description": "Ultimate Social Media Icons <=2.8.5 unauthorized settings export via sfsi_save_export exposes social media tokens and app passwords", "mode": "block", "severity": 6.5, "slug": "ultimate-social-media-icons", "tags": ["missing-authorization", "information-disclosure", "authenticated"], "target": "plugin", "versions": "<=2.8.5"}, "RULE-CVE-2023-51409-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/upload(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2023-51409", "description": "AI Engine <= 1.9.98 \\u2013 Arbitrary file upload via mwai-ui REST endpoint (unauthorized users)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=1.9.98"}, "RULE-CVE-2023-51409-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/delete(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2023-51409", "description": "AI Engine <= 1.9.98 \\u2013 Arbitrary file delete via mwai-ui REST endpoint (unauthorized users)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=1.9.98"}, "RULE-CVE-2023-51409-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/upload(/|\\\\?|$)~"}, {"name": "FILES:filename", "type": "regex", "value": "~\\\\.ph(?:p\\\\d?|tml|ar|ps?)$~i"}], "cve": "CVE-2023-51409", "description": "AI Engine <= 1.9.98 \\u2013 PHP file upload via mwai-ui REST endpoint (block .ph* extensions)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=1.9.98"}, "RULE-CVE-2023-51682-01": {"action": "init", "conditions": [{"name": "ARGS:mc4wp_preview_form", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2023-51682", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51682", "description": "MC4WP Mailchimp for WordPress <=4.9.9 broken access control on form preview via mc4wp_preview_form", "method": "GET", "mode": "block", "severity": 6.5, "slug": "mailchimp-for-wp", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=4.9.9"}, "RULE-CVE-2023-5527-01-01": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_title", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_title on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-02": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:short_description", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via short_description on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-03": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_contact_name", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_contact_name on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-04": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_contact_email", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_contact_email on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-05": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_phone", "type": "regex", "value": "~^[\\t=\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_phone on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-06": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_address", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_address on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-6558-01": {"ajax_action": "upload_import_file", "conditions": [{"name": "FILES:import_file:name", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|tml?|ar|t)|jsp|asp|aspx|cgi|fcgi|pl|py|rb|sh|exe|dll|bat|cmd|com)(?:\\\\.|$)~i"}], "cve": "CVE-2023-6558", "description": "Users/Customers Import Export <=2.4.8 arbitrary file upload via upload_import_file \\u2014 dangerous extension block", "method": "POST", "mode": "block", "severity": 7.2, "slug": "users-customers-import-export-for-wp-woocommerce", "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2023-6558-02": {"ajax_action": "upload_import_file", "conditions": [{"name": "FILES:import_file:name", "type": "regex", "value": "~\\\\.(?!csv$)[a-z0-9]{1,5}$~i"}], "cve": "CVE-2023-6558", "description": "Users/Customers Import Export <=2.4.8 arbitrary file upload via upload_import_file \\u2014 non-CSV extension block", "method": "POST", "mode": "block", "severity": 7.2, "slug": "users-customers-import-export-for-wp-woocommerce", "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2023-6600-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "omgf-update"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6600", "method": "POST", "mode": "block", "severity": 5.4, "slug": "host-webfonts-local", "target": "plugin", "versions": "<=5.7.9"}, "RULE-CVE-2023-6600-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "omgf-update"}, {"name": "ARGS:omgf_cache_keys", "type": "regex", "value": "~\\\\.\\\\.[/\\\\\\\\]~"}], "cve": "CVE-2023-6600", "method": "POST", "mode": "block", "severity": 5.4, "slug": "host-webfonts-local", "target": "plugin", "versions": "<=5.7.9"}, "RULE-CVE-2023-6634-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/lp/v1/load_content_via_ajax(?:/|\\\\?|$)|[?&]rest_route=/lp/v1/load_content_via_ajax(?:/|\\\\?|&|$))~i"}, {"name": "ARGS:callback", "type": "exists"}, {"name": "ARGS:callback", "type": "regex", "value": "~(?i)^(?!render_courses$).+~"}], "cve": "CVE-2023-6634", "description": "LearnPress <= 4.2.5.7 \\u2013 Arbitrary callback method invocation via load_content_via_ajax REST endpoint", "mode": "block", "severity": 9.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.5.7"}, "RULE-CVE-2023-6635-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/(?:.*/)?wp-json/gutenberghub-styles/v1/.*~"}, {"name": "REQUEST_HEADERS:Content-Type", "type": "regex", "value": "~(?i)^multipart/form-data;~"}], "cve": "CVE-2023-6635", "method": "POST", "mode": "block", "severity": 7.2, "slug": "block-options", "target": "plugin", "versions": "<=1.40.3"}, "RULE-CVE-2023-6697-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "wpgmza_map_editor"}, {"name": "ARGS:action", "type": "equals", "value": "edit"}, {"name": "ARGS:map_id", "type": "regex", "value": "~(?:]|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2023-6697", "description": "WP Google Maps <=9.0.28 reflected XSS via map_id in Atlas Novus map editor page", "mode": "block", "severity": 6.1, "slug": "wp-google-maps", "target": "plugin", "versions": ">=9.0.0 <=9.0.28"}, "RULE-CVE-2023-6751-01": {"ajax_action": "hostinger_publish_website", "conditions": [{"name": "ARGS:maintenance", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6751", "method": "POST", "mode": "block", "severity": 6.5, "slug": "hostinger", "target": "plugin", "versions": "<=1.9.7"}, "RULE-CVE-2023-6827-01": {"ajax_action": "gsf_upload_fonts", "conditions": [{"name": "FILES:file_font", "type": "exists"}], "cve": "CVE-2023-6827", "method": "POST", "mode": "block", "severity": 8.8, "slug": "essential-real-estate", "target": "plugin", "versions": "<=4.3.5"}, "RULE-CVE-2023-6877-01": {"ajax_action": "feedzy_categories", "conditions": [{"name": "ARGS:feedzy_category_feed", "type": "regex", "value": "~(?:]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2023-6877", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6877", "description": "Feedzy RSS Feeds <=4.3.3 stored XSS via feedzy_category_feed AJAX handler", "mode": "block", "severity": 5.4, "slug": "feedzy-rss-feeds", "tags": ["xss", "stored", "authenticated"], "target": "plugin", "versions": "<=4.3.3"}, "RULE-CVE-2023-6877-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/edit\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "feedzy_imports"}, {"name": "ARGS:column", "type": "regex", "value": "~(?:]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2023-6877", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6877", "description": "Feedzy RSS Feeds <=4.3.3 stored XSS via admin column display in feedzy_imports post type", "method": "GET", "mode": "block", "severity": 5.4, "slug": "feedzy-rss-feeds", "tags": ["xss", "stored", "authenticated"], "target": "plugin", "versions": "<=4.3.3"}, "RULE-CVE-2023-6878-01": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6878", "description": "Slick Social Share Buttons <= 2.4.11 dcssb_ajax_update missing capability check allows authenticated subscriber+ users to arbitrarily modify site options, enabling unauthorized configuration changes via admin-ajax.php as described by Wordfence and NVD.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "privilege-escalation"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6878-02": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:users_can_register", "type": "exists"}], "cve": "CVE-2023-6878", "description": "Block low-privilege abuse of dcssb_ajax_update to toggle users_can_register via arbitrary option updates in Slick Social Share Buttons <= 2.4.11, as the handler lacks a capability check and permits subscriber-level attackers to change site options.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "privilege-escalation"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6878-03": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:default_role", "type": "exists"}, {"name": "ARGS:default_role", "type": "regex", "value": "~^(administrator|editor|author)$~i"}], "cve": "CVE-2023-6878", "description": "Block low-privilege abuse of dcssb_ajax_update to change the default_role option (e.g., to administrator/editor/author) via the arbitrary option update vulnerability in Slick Social Share Buttons <= 2.4.11.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "privilege-escalation"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6878-04": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:admin_email", "type": "exists"}], "cve": "CVE-2023-6878", "description": "Block low-privilege abuse of dcssb_ajax_update to modify the admin_email option through the arbitrary option update vulnerability in Slick Social Share Buttons <= 2.4.11, which allows subscriber-level users to change site options.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "integrity"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6964-01": {"ajax_action": "kadence_import_get_new_connection_data", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~^(?!https?://(?:api\\\\.kadenceblocks\\\\.com|cdn\\\\.kadenceblocks\\\\.com)/)~i"}, {"name": "ARGS:url", "type": "regex", "value": "~(?:127\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|localhost|(?:10|172\\\\.(?:1[6-9]|2\\\\d|3[01])|192\\\\.168)\\\\.\\\\d+\\\\.\\\\d+|0\\\\.0\\\\.0\\\\.0|/etc/passwd|file://|gopher://|dict://|ftp://)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6964", "description": "Kadence Blocks <=3.1.26 authenticated SSRF via url parameter in kadence_import_get_new_connection_data AJAX handler", "mode": "block", "severity": 6.4, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.1.26"}, "RULE-CVE-2023-6966-04": {"ajax_action": "get_ads_txt", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_get_ads_txt missing capability/nonce checks allow subscriber+ or CSRF to read/alter ads.txt, lazy-loading, stats visibility, and tag configuration via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-05": {"ajax_action": "do_generate_tag", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_do_generate_tag missing capability/nonce checks allow subscriber+ or CSRF to generate/modify Moneytizer tags and formats via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-06": {"ajax_action": "update_bank_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_update_bank_data missing capability/nonce checks allow subscriber+ or CSRF to update billing/bank details via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-07": {"ajax_action": "do_reactivate_tag", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_do_reactivate_tag missing capability/nonce checks allow subscriber+ or CSRF to reactivate tags via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-08": {"ajax_action": "apply_conf", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_apply_conf missing capability/nonce checks allow subscriber+ or CSRF to apply configuration via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6983-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php$~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "POST", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6983-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/posts(?:/\\\\d+)?/?(?:\\\\?.*)?|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/posts(?:/\\\\d+)?/?(?:&[^#]*)?)$~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "POST", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6983-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/posts(?:/\\\\d+)?/?(?:\\\\?.*)?|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/posts(?:/\\\\d+)?/?(?:&[^#]*)?)$~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "PUT", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6983-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/posts(?:/\\\\d+)?/?(?:\\\\?.*)?|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/posts(?:/\\\\d+)?/?(?:&[^#]*)?)$~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "PATCH", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6996-01": {"action": "the_content", "conditions": [{"name": "BODY", "type": "regex", "value": "~\\\\[vg_display_data[^\\\\]]*wp_filter\\\\s*=\\\\s*[\'\\\\\\"][^\'\\\\\\"]+[\'\\\\\\"]~i"}], "cve": "CVE-2023-6996", "mode": "block", "severity": 8.8, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6996-02": {"action": "the_content", "conditions": [{"name": "BODY", "type": "regex", "value": "~\\\\[vg_display_data[^\\\\]]*sanitization\\\\s*=\\\\s*[\'\\\\\\"][^\'\\\\\\"]+[\'\\\\\\"]~i"}], "cve": "CVE-2023-6996", "mode": "block", "severity": 8.8, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6996-03": {"action": "the_content", "conditions": [{"name": "BODY", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*\\\\b(user_id|field)\\\\s*=~i"}], "cve": "CVE-2023-6996", "mode": "block", "severity": 8.8, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-7002-01": {"ajax_action": "backup-migration-ajax", "conditions": [{"name": "ARGS:f", "type": "equals", "value": "download-backup"}, {"name": "ARGS:url", "type": "regex", "value": "~(%3[Bb]|%7[Cc]|%26%26|%7[Cc]%7[Cc]|%60|%24%5C%28|%3[Ee]|%3[Cc]|%0[Aa]|%0[Dd]|[;|`$><])~"}], "cve": "CVE-2023-7002", "method": "POST", "mode": "block", "severity": 7.2, "slug": "backup-backup", "target": "plugin", "versions": "<=1.3.9"}, "RULE-CVE-2023-7291-01": {"ajax_action": "paytium_mollie_create_account", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-02": {"ajax_action": "paytium_mollie_create_profile", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-03": {"ajax_action": "pt_save_profile_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-04": {"ajax_action": "pt_get_mollie_profiles", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-05": {"ajax_action": "paytium_sw_save_api_keys", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2024-0221-01": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_new_name", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_new_name in addImages rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-02": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-03": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "remove_items"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages remove_items", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-deletion"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-04": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "copy"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages copy", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-copy"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-05": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "move"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages move", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-move"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-06": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_new_name", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_new_name in addMusic rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-07": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-08": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "remove_items"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic remove_items", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-deletion"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-09": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "copy"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic copy", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-copy"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-10": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "move"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic move", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-move"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0608-01": {"ajax_action": "erp_crm_track_email_opened", "conditions": [{"name": "ARGS:email", "type": "detectSQLi"}], "cve": "CVE-2024-0608", "mode": "block", "severity": 8.8, "slug": "erp", "target": "plugin", "versions": "<=1.13.1"}, "RULE-CVE-2024-0659-01": {"action": "admin_init", "conditions": [{"name": "ARGS:edd-action", "type": "equals", "value": "tools_tab_debug_log"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-0659", "description": "Easy Digital Downloads <=3.1.5 unauthorized access to debug log tools action", "method": "POST", "mode": "block", "severity": 4.3, "slug": "easy-digital-downloads", "tags": ["broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=3.2.6"}, "RULE-CVE-2024-0660-01A": {"ajax_action": "frm_save_form", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-ajax.php"}, {"name": "ARGS:action", "type": "equals", "value": "frm_save_form"}, {"name": "ARGS:success_msg", "type": "detectXSS"}], "cve": "CVE-2024-0660", "description": "Formidable Forms <=6.7.2 CSRF-to-stored-XSS via admin-ajax frm_save_form (missing nonce validation)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "tags": ["xss", "csrf", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.7.2"}, "RULE-CVE-2024-0660-01B": {"ajax_action": "frm_save_form", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-ajax.php"}, {"name": "ARGS:action", "type": "equals", "value": "frm_save_form"}, {"name": "ARGS:custom_html", "type": "detectXSS"}], "cve": "CVE-2024-0660", "description": "Formidable Forms <=6.7.2 CSRF-to-stored-XSS via admin-ajax frm_save_form (missing nonce validation)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "tags": ["xss", "csrf", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.7.2"}, "RULE-CVE-2024-0668-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^advanced_db_cleaner~"}, {"name": "ARGS:aDBc_cron_elements", "type": "regex", "value": "~(?:^|%[0-9A-Fa-f]{2}|[&=\\\\[\\\\]\\"\'])[OCa]\\\\s*(?::|%3[Aa])\\\\s*[0-9]+\\\\s*(?::|%3[Aa])~"}], "cve": "CVE-2024-0668", "description": "Advanced Database Cleaner <=3.1.3 authenticated PHP object injection via process_bulk_action unserialize of aDBc_cron_elements on plugin admin page", "mode": "block", "severity": 7.2, "slug": "advanced-database-cleaner", "target": "plugin", "versions": "<=3.1.3"}, "RULE-CVE-2024-0668-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^advanced_db_cleaner~"}, {"name": "ARGS", "type": "regex", "value": "~[OCa]:[0-9]+:\\"[A-Za-z_\\\\\\\\][A-Za-z0-9_\\\\\\\\]*\\":[0-9]+:\\\\{~"}], "cve": "CVE-2024-0668", "description": "Advanced Database Cleaner <=3.1.3 PHP object injection payload in any plugin admin POST parameter via bulk action serialized object marker", "mode": "block", "severity": 7.2, "slug": "advanced-database-cleaner", "target": "plugin", "versions": "<=3.1.3"}, "RULE-CVE-2024-0699-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/~i"}, {"name": "ARGS:url", "type": "regex", "value": "~\\\\.(?:php(?:[0-9s]?|t|tm)?|pht|phtml|phar|shtml|asp|aspx|jsp|cgi)(?:[?#]|$)~i"}], "cve": "CVE-2024-0699", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.1.4"}, "RULE-CVE-2024-0699-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/~i"}, {"name": "ARGS:url", "type": "regex", "value": "~^https?://169\\\\.254\\\\.169\\\\.254(?:[/:?#]|$)~i"}], "cve": "CVE-2024-0699", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.1.4"}, "RULE-CVE-2024-0709-01A": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:coinslist", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2024-0709", "mode": "block", "severity": 7.5, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": ">=2.0 <=2.6.5"}, "RULE-CVE-2024-0709-01B0": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:coinslist[0]", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2024-0709", "mode": "block", "severity": 7.5, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": ">=2.0 <=2.6.5"}, "RULE-CVE-2024-0709-01B1": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:coinslist[1]", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2024-0709", "mode": "block", "severity": 7.5, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": ">=2.0 <=2.6.5"}, "RULE-CVE-2024-0786-01": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:conditionData", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via conditionData in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-02": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:valueData", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via valueData in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-03": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:exclude", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via exclude in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-04": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:include", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via include in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-05": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:productArray", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via productArray in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0825-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/vimeography/v1/galleries/\\\\d+/duplicate(/|\\\\?|$)~"}, {"name": "ARGS:vimeography_duplicate_gallery_serialized", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-0825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0825", "description": "Vimeography <=2.3.2 PHP Object Injection via deserialization of untrusted input in duplicate gallery REST endpoint", "method": "POST", "mode": "block", "severity": 8.8, "slug": "vimeography", "tags": ["object-injection", "deserialization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.3.2"}, "RULE-CVE-2024-10002-01": {"ajax_action": "rover_idx_refresh_social", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10002", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10002", "description": "Rover IDX <=3.0.0.2905 authentication bypass to administrator via rover_idx_refresh_social AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "rover-idx", "tags": ["authentication-bypass", "missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=3.0.0.2905"}, "RULE-CVE-2024-10002-02": {"ajax_action": "rover_idx_social", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10002", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10002", "description": "Rover IDX <=3.0.0.2905 unauthorized social settings manipulation via rover_idx_social AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "rover-idx", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=3.0.0.2905"}, "RULE-CVE-2024-10079-01": {"ajax_action": "import_content", "conditions": [{"name": "ARGS:text", "type": "regex", "value": "~(^|[;{])\\\\s*(O|C):[0-9]+:\\"~"}], "cve": "CVE-2024-10079", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10079", "description": "WP Easy Post Types <=1.4.4 PHP Object Injection via unserialize of text parameter in import_content AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "easy-post-types", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.4.4"}, "RULE-CVE-2024-10124-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ai/v1/vayu-site-builder(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10124", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10124", "description": "Vayu Blocks <=1.1.1 unauthenticated arbitrary plugin/theme installation via REST API /ai/v1/vayu-site-builder", "method": "POST", "mode": "block", "severity": 9.8, "slug": "vayu-blocks", "tags": ["missing-authorization", "arbitrary-plugin-install", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2024-10247-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "video-gallery"}, {"name": "ARGS:orderby", "type": "detectSQLi"}], "cve": "CVE-2024-10247", "method": "GET", "mode": "block", "severity": 4.9, "slug": "gallery-videos", "target": "plugin", "versions": "<=2.4.2"}, "RULE-CVE-2024-10247-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "video-gallery"}, {"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2024-10247", "method": "GET", "mode": "block", "severity": 4.9, "slug": "gallery-videos", "target": "plugin", "versions": "<=2.4.2"}, "RULE-CVE-2024-10453-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~global_typography_title.*?(?:]|on(?:error|load|mouseover|click|focus|blur|mouseenter|toggle|animationstart)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:img|svg|iframe|object|embed|video|audio|body|input|details|marquee)[\\\\s>])~i"}], "cve": "CVE-2024-1070", "description": "SiteOrigin Widgets Bundle <=1.58.2 contributor+ stored XSS via Features widget instance fields on so_widgets_setting_save", "mode": "block", "severity": 5.4, "slug": "so-widgets-bundle", "target": "plugin", "versions": "<=1.58.2"}, "RULE-CVE-2024-1070-02": {"ajax_action": "so_widgets_preview", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur|mouseenter|toggle|animationstart)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:img|svg|iframe|object|embed|video|audio|body|input|details|marquee)[\\\\s>])~i"}], "cve": "CVE-2024-1070", "description": "SiteOrigin Widgets Bundle <=1.58.2 contributor+ stored XSS via Features widget rendered through so_widgets_preview AJAX", "mode": "block", "severity": 5.4, "slug": "so-widgets-bundle", "target": "plugin", "versions": "<=1.58.2"}, "RULE-CVE-2024-1071-01": {"ajax_action": "um_get_members", "conditions": [{"name": "ARGS:sorting", "type": "detectSQLi"}], "cve": "CVE-2024-1071", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1071", "description": "Ultimate Member >=2.1.3 <=2.8.2 unauthenticated SQL injection via sorting parameter in um_get_members AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ultimate-member", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": ">=2.1.3 <=2.8.2"}, "RULE-CVE-2024-10711-02": {"action": "admin_post_itwr_activation_plugin", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-post.php"}, {"name": "ARGS:action", "type": "equals", "value": "itwr_activation_plugin"}, {"name": "ARGS:default_role", "type": "exists"}], "cve": "CVE-2024-10711", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ithemelandco-woo-report", "target": "plugin", "versions": "<=1.5.1"}, "RULE-CVE-2024-1072-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "seedprod_lite_template"}, {"name": "ARGS:id", "type": "equals", "value": "0"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2024-1072", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1072", "description": "SeedProd (Coming Soon) <=6.15.21 missing authorization on seedprod_lite_new_lpage via admin_init", "mode": "block", "severity": 8.2, "slug": "coming-soon", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=6.15.21"}, "RULE-CVE-2024-10728-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "install_required_plugin"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2024-10728", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10728", "description": "PostX \\u2013 Post Grid Gutenberg Blocks <=4.1.16 missing authorization on install_required_plugin AJAX action allows Subscriber+ arbitrary plugin installation/activation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-post", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-plugin-install"], "target": "plugin", "versions": "<=4.1.16"}, "RULE-CVE-2024-10871-01A": {"ajax_action": "get_filter_posts", "conditions": [{"name": "ARGS:params[caf-post-layout]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2024-10871", "method": "POST", "mode": "block", "severity": 9.8, "slug": "category-ajax-filter", "target": "plugin", "versions": "<=2.8.2"}, "RULE-CVE-2024-10871-01B": {"ajax_action": "get_filter_posts", "conditions": [{"name": "ARGS:params[caf-post-layout]", "type": "regex", "value": "~(?i)^(?:php|data|zip|phar)://~"}], "cve": "CVE-2024-10871", "method": "POST", "mode": "block", "severity": 9.8, "slug": "category-ajax-filter", "target": "plugin", "versions": "<=2.8.2"}, "RULE-CVE-2024-10871-01C": {"ajax_action": "get_filter_posts", "conditions": [{"name": "ARGS:params[caf-post-layout]", "type": "regex", "value": "~^(?:/|[A-Za-z]:\\\\\\\\)~"}], "cve": "CVE-2024-10871", "method": "POST", "mode": "block", "severity": 9.8, "slug": "category-ajax-filter", "target": "plugin", "versions": "<=2.8.2"}, "RULE-CVE-2024-10913-01": {"ajax_action": "wpclone-search-n-replace", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 unauthenticated PHP Object Injection - capability gate on search-n-replace AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "missing-authorization", "deserialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10913-02": {"ajax_action": "wpclone-search-n-replace", "conditions": [{"name": "ARGS:search", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 PHP Object Injection via serialized payload in search parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "deserialization", "php-serialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10913-03": {"ajax_action": "wpclone-search-n-replace", "conditions": [{"name": "ARGS:replace", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 PHP Object Injection via serialized payload in replace parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "deserialization", "php-serialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10913-04": {"ajax_action": "wpclone-install_new", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 unauthenticated PHP Object Injection - capability gate on install_new AJAX action (indirect vector via backup restore)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "missing-authorization", "deserialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10932-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~O:[0-9]+:\\"[^\\"]+\\":[0-9]+:\\\\{|s:[0-9]+:\\"O:[0-9]+:\\\\\\\\\\"[^\\"]+\\\\\\\\\\":[0-9]+:\\\\{~"}], "cve": "CVE-2024-10932", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10932", "description": "Backup Migration <=1.4.6 PHP object injection payload planting via comment content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "backup-backup", "tags": ["object-injection", "deserialization", "comments", "unauthenticated"], "target": "plugin", "versions": "<=1.4.6"}, "RULE-CVE-2024-10932-02": {"ajax_action": "backup_migration", "conditions": [{"name": "ARGS:f", "type": "equals", "value": "startLocalStagingCreation"}, {"name": "ARGS", "type": "regex", "value": "~O:[0-9]+:\\"[^\\"]+\\":[0-9]+:\\\\{|s:[0-9]+:\\"O:[0-9]+:\\\\\\\\\\"[^\\"]+\\\\\\\\\\":[0-9]+:\\\\{~"}], "cve": "CVE-2024-10932", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10932", "description": "Backup Migration <=1.4.6 PHP object injection via backup_migration staging request payloads", "method": "POST", "mode": "block", "severity": 8.8, "slug": "backup-backup", "tags": ["object-injection", "deserialization", "ajax", "staging"], "target": "plugin", "versions": "<=1.4.6"}, "RULE-CVE-2024-10936-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-comments-post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:comment", "type": "regex", "value": "~(?:O|C):\\\\d+:\\\\\\"~"}], "cve": "CVE-2024-10936", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10936", "description": "String Locator <=2.6.6 unauthenticated PHP Object Injection via comment content planting", "method": "POST", "mode": "block", "severity": 8.8, "slug": "string-locator", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=2.6.6"}, "RULE-CVE-2024-10942-01": {"ajax_action": "ai1wm_import", "conditions": [{"name": "FILES:import:content", "type": "regex", "value": "~[OCa]:[0-9]+:~"}], "cve": "CVE-2024-10942", "description": "All in One WP Migration <=7.89 unauthenticated PHP object injection via backup file import", "mode": "block", "severity": 7.5, "slug": "all-in-one-wp-migration", "target": "plugin", "versions": "<=7.89"}, "RULE-CVE-2024-10960-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^brizy[-_]upload[-_]blocks$~i"}, {"name": "FILES:files", "type": "exists"}], "cve": "CVE-2024-10960", "method": "POST", "mode": "block", "severity": 8.8, "slug": "brizy", "target": "plugin", "versions": "<=2.6.4"}, "RULE-CVE-2024-10960-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^brizy[-_]upload[-_]layouts$~i"}, {"name": "FILES:files", "type": "exists"}], "cve": "CVE-2024-10960", "method": "POST", "mode": "block", "severity": 8.8, "slug": "brizy", "target": "plugin", "versions": "<=2.6.4"}, "RULE-CVE-2024-11103-01": {"ajax_action": "post_cg_login", "conditions": [{"name": "ARGS:user_id", "type": "regex", "value": "~^\\\\d+$~"}, {"name": "ARGS:pass1", "type": "exists"}], "cve": "CVE-2024-11103", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11103", "description": "Contest Gallery <=24.0.7 unauthenticated arbitrary password reset via post_cg_login AJAX handler (user_id + pass1)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "contest-gallery", "tags": ["authentication-bypass", "privilege-escalation", "account-takeover", "unauthenticated"], "target": "plugin", "versions": "<=24.0.7"}, "RULE-CVE-2024-11103-02": {"ajax_action": "post_cg_login", "conditions": [{"name": "ARGS:cgLostPasswordSiteUrl", "type": "exists"}], "cve": "CVE-2024-11103", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11103", "description": "Contest Gallery <=24.0.7 unauthenticated URL injection in password reset email via cgLostPasswordSiteUrl", "method": "POST", "mode": "block", "severity": 9.8, "slug": "contest-gallery", "tags": ["phishing", "url-injection", "unauthenticated", "weak-password-recovery"], "target": "plugin", "versions": "<=24.0.7"}, "RULE-CVE-2024-11188-01": {"ajax_action": "frm_forms_preview", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "frm_forms_preview"}, {"name": "ARGS:frm_action", "type": "equals", "value": "preview"}, {"name": "ARGS", "type": "regex", "value": "~]~i"}], "cve": "CVE-2024-11188", "description": "Formidable Forms <=6.16.1.2 stored XSS via form item parameters in preview", "method": "POST", "mode": "block", "severity": 6.5, "slug": "formidable", "tags": ["xss", "stored-xss", "form-builder"], "target": "plugin", "versions": "<=6.16.1.2"}, "RULE-CVE-2024-11270-01": {"ajax_action": "sync-import-imgs", "conditions": [{"type": "missing_capability", "value": "_wswebinar_createwebinars"}], "cve": "CVE-2024-11270", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11270", "description": "WebinarPress <=1.33.24 missing authorization on sync-import-imgs AJAX allowing subscriber+ arbitrary file creation (RCE)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-webinarsystem", "tags": ["missing-authorization", "arbitrary-file-upload", "remote-code-execution"], "target": "plugin", "versions": "<=1.33.24"}, "RULE-CVE-2024-11270-02": {"ajax_action": "sync-import-imgs", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)|[\\\\\\\\/]\\\\.htaccess$|[\\\\\\\\/]\\\\.htpasswd$)~i"}], "cve": "CVE-2024-11270", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11270", "description": "WebinarPress <=1.33.24 arbitrary file upload via sync-import-imgs with executable file extension", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-webinarsystem", "tags": ["arbitrary-file-upload", "remote-code-execution", "file-extension-bypass"], "target": "plugin", "versions": "<=1.33.24"}, "RULE-CVE-2024-11323-01": {"ajax_action": "ai_quiz_update_style", "conditions": [{"name": "ARGS:colors", "type": "exists"}, {"name": "ARGS:colors", "type": "regex", "value": "~[\\"\'](?:default_role|users_can_register|siteurl|home|admin_email|blogname|blogdescription|template|stylesheet|active_plugins|permalink_structure|mailserver_url|hack_file|db_version)[\\"\']\\\\s*:~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11323", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11323", "description": "AI Quiz <=1.1 authenticated arbitrary options update via ai_quiz_update_style AJAX handler - dangerous option names in colors JSON", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-quiz", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-options-update"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2024-11323-02": {"ajax_action": "ai_quiz_update_style", "conditions": [{"name": "ARGS:colors", "type": "regex", "value": "~<\\\\s*/\\\\s*style|<\\\\s*script|on(?:error|load|click|mouseover)\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11323", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11323", "description": "AI Quiz <=1.1 authenticated stored XSS via ai_quiz_update_style colors parameter - style tag breakout", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-quiz", "tags": ["missing-authorization", "stored-xss"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2024-11323-03": {"ajax_action": "ai_quiz_update_style", "conditions": [{"name": "ARGS:phrase", "type": "regex", "value": "~<\\\\s*/\\\\s*style|<\\\\s*script|on(?:error|load|click|mouseover)\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11323", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11323", "description": "AI Quiz <=1.1 authenticated stored XSS via ai_quiz_update_style phrase parameter - style tag breakout", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-quiz", "tags": ["missing-authorization", "stored-xss"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2024-11415-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-orphanage-extended"}, {"name": "ARGS:action", "type": "equals", "value": "update"}, {"name": "ARGS:wporphanageex_role", "type": "regex", "value": "~^(?:administrator|editor|author)$~i"}], "cve": "CVE-2024-11415", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11415", "description": "WP-Orphanage Extended <=1.2 CSRF to orphan account privilege escalation via settings page role parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-orphanage-extended", "tags": ["csrf", "privilege-escalation", "settings-update"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2024-11429-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:stars[_-]testimonials(?:-with-slider-and-masonry-grid)?|testimonial[_-]stars)[^\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|phar://|data://)~i"}], "cve": "CVE-2024-11429", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11429", "description": "Stars Testimonials <=3.3.3 Local File Inclusion via shortcode attribute in post_content (post.php)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "stars-testimonials-with-slider-and-masonry-grid", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.3.3"}, "RULE-CVE-2024-11429-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:stars[_-]testimonials(?:-with-slider-and-masonry-grid)?|testimonial[_-]stars)[^\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|phar://|data://)~i"}], "cve": "CVE-2024-11429", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11429", "description": "Stars Testimonials <=3.3.3 Local File Inclusion via shortcode attribute in REST API post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "stars-testimonials-with-slider-and-masonry-grid", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.3.3"}, "RULE-CVE-2024-11642-01": {"ajax_action": "asr_filter_posts", "conditions": [{"name": "ARGS:argsArray[grid_style]", "type": "regex", "value": "~(?:\\\\.{2,}[\\\\\\\\/]{1,}){2,}~"}], "cve": "CVE-2024-11642", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ajax-filter-posts", "target": "plugin", "versions": "<=3.4.11"}, "RULE-CVE-2024-11642-02": {"ajax_action": "asr_filter_posts", "conditions": [{"name": "ARGS:argsArray[filter_style]", "type": "regex", "value": "~(?:\\\\.{2,}[\\\\\\\\/]{1,}){2,}~"}], "cve": "CVE-2024-11642", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ajax-filter-posts", "target": "plugin", "versions": "<=3.4.11"}, "RULE-CVE-2024-11643-01": {"ajax_action": "AllAccessible_save_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11643", "method": "POST", "mode": "block", "severity": 8.8, "slug": "allaccessible", "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2024-1166-01": {"ajax_action": "eihe_top_notice", "conditions": [{"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2024-1166", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1166", "description": "Image Hover Effects Addon for Elementor <=1.4.1 missing authorization on eihe_top_notice AJAX handler", "mode": "block", "severity": 6.4, "slug": "image-hover-effects-addon-for-elementor", "tags": ["missing-authorization", "csrf"], "target": "plugin", "versions": "<=1.4.1"}, "RULE-CVE-2024-1171-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~eael-filterable-gallery[\\\\s\\\\S]*?(?:]*>|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|%3Cscript|%3E%3Cscript~i"}], "cve": "CVE-2025-12402", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12402", "description": "LinkedIn Resume <=2.00 Reflected XSS via unsanitized REQUEST_URI in admin page form action", "mode": "block", "severity": 6.1, "slug": "linkedin-resume", "tags": ["csrf", "xss", "reflected-xss"], "target": "plugin", "versions": "<=2.00"}, "RULE-CVE-2025-12406-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:access_key", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via access_key parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:honey_pot1", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via honey_pot1 parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:honey_pot2", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via honey_pot2 parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:output_to_all", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via output_to_all parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-05": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "REQUEST_URI", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=|%3c[a-z/!]|%6a%61%76%61%73%63%72%69%70%74~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 Reflected XSS via REQUEST_URI in settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "reflected-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12408-01": {"action": "init", "conditions": [{"name": "ARGS:em_ajax_action", "type": "equals", "value": "get_location"}, {"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-12408", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12408", "description": "Events Manager <=7.2.2.2 unauthenticated information exposure via get_location custom AJAX dispatcher", "mode": "block", "severity": 5.3, "slug": "events-manager", "tags": ["information-exposure", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=7.2.2.2"}, "RULE-CVE-2025-12449-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/get_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on get_settings AJAX action exposes sensitive API keys to Subscriber+", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-02": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/save_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on save_settings AJAX action allows Subscriber+ to modify plugin settings and API keys", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-03": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/save_block_visibility"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on save_block_visibility AJAX action allows Subscriber+ to toggle block visibility", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-04": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/get_blocks_visibility"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on get_blocks_visibility AJAX action exposes block configuration to Subscriber+", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-05": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/fetch_posts"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on fetch_posts AJAX action allows Subscriber+ to enumerate posts", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12450-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^litespeed~i"}, {"name": "ARGS", "type": "regex", "value": "~(?:])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5929", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5929", "description": "The Countdown <=2.0.1 Stored XSS via clientId block attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-countdown", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-5950-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~indieblocks/facepile-content\\\\s[^>]*\\"type\\"\\\\s*:\\\\s*\\\\[\\\\s*\\"(?!(?:bookmark|like|repost)\\"\\\\s*[\\\\],])~i"}], "cve": "CVE-2025-5950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5950", "description": "IndieBlocks <=0.13.2 Stored XSS via Facepile Content block kind parameter on REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "indieblocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.13.2"}, "RULE-CVE-2025-5950-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~indieblocks/facepile-content\\\\s[^>]*\\"type\\"\\\\s*:\\\\s*\\\\[\\\\s*\\"(?!(?:bookmark|like|repost)\\"\\\\s*[\\\\],])~i"}], "cve": "CVE-2025-5950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5950", "description": "IndieBlocks <=0.13.2 Stored XSS via Facepile Content block kind parameter on REST API post update", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "indieblocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.13.2"}, "RULE-CVE-2025-5950-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~indieblocks/facepile-content\\\\s[^>]*\\"type\\"\\\\s*:\\\\s*\\\\[\\\\s*\\"(?!(?:bookmark|like|repost)\\"\\\\s*[\\\\],])~i"}], "cve": "CVE-2025-5950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5950", "description": "IndieBlocks <=0.13.2 Stored XSS via Facepile Content block kind parameter on classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "indieblocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.13.2"}, "RULE-CVE-2025-5953-01": {"ajax_action": "hrm_insert_employee", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~^(administrator|editor|author|contributor)$~i"}, {"type": "missing_capability", "value": "promote_users"}], "cve": "CVE-2025-5953", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5953", "description": "WP Human Resource Management <=2.2.17 missing authorization on hrm_insert_employee allows authenticated privilege escalation via role parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "hrm", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=2.2.17"}, "RULE-CVE-2025-5957-01": {"ajax_action": "guest_support_handler", "conditions": [{"name": "ARGS:request", "type": "equals", "value": "delete_tickets"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5957", "description": "Guest Support <=1.2.2 missing authorization on mass ticket deletion via guest_support_handler AJAX endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "guest-support", "tags": ["missing-authorization", "unauthenticated", "data-loss"], "target": "plugin", "versions": "<=1.2.2"}, "RULE-CVE-2025-5961-01": {"ajax_action": "wpvivid_upload_import_files", "conditions": [{"name": "ARGS:name", "type": "regex", "value": "~\\\\.(?:php\\\\d*|phtml|phar|shtml|cgi|asp|aspx|jsp|jspx)(?:\\\\x00|%00|$)~i"}], "cve": "CVE-2025-5961", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.116"}, "RULE-CVE-2025-5983-01": {"action": "admin_init", "conditions": [{"name": "ARGS:mtm_meta[type]", "type": "equals", "value": "http-equiv"}, {"name": "ARGS:mtm_meta[value]", "type": "equals", "value": "refresh"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5983", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5983", "description": "Meta Tag Manager <3.3 Contributor+ open redirect via http-equiv refresh meta tag injection on post save", "method": "POST", "mode": "block", "severity": 6.5, "slug": "meta-tag-manager", "tags": ["open-redirect", "missing-authorization", "meta-refresh"], "target": "plugin", "versions": "<3.3"}, "RULE-CVE-2025-60041-01": {"ajax_action": "secas_navigate_to_page", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-60041", "mode": "block", "severity": 8.8, "slug": "emails-catch-all", "target": "plugin", "versions": "<=3.5.3"}, "RULE-CVE-2025-60042-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60042", "description": "chinchilla theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "chinchilla", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-60042-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60042", "description": "chinchilla theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "chinchilla", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-60043-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60043", "description": "wanderic theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wanderic", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60043-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60043", "description": "wanderic theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wanderic", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60044-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60044", "description": "fribbo theme <= 1.1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fribbo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2025-60044-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60044", "description": "fribbo theme <= 1.1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fribbo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2025-60046-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60046", "description": "heartstar theme <= 1.0.14 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "heartstar", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60046-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60046", "description": "heartstar theme <= 1.0.14 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "heartstar", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60047-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60047", "description": "ipharm theme <= 1.2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "ipharm", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60047-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60047", "description": "ipharm theme <= 1.2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "ipharm", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60048-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60048", "description": "tripster theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tripster", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60048-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60048", "description": "tripster theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tripster", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60049-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60049", "description": "soleil theme <= 1.17 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "soleil", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-60049-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60049", "description": "soleil theme <= 1.17 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "soleil", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-60050-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60050", "description": "panda theme <= 1.21 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "panda", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.21"}, "RULE-CVE-2025-60050-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60050", "description": "panda theme <= 1.21 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "panda", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.21"}, "RULE-CVE-2025-60051-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60051", "description": "rareradio theme <= 1.0.15.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rareradio", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.15.1"}, "RULE-CVE-2025-60051-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60051", "description": "rareradio theme <= 1.0.15.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rareradio", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.15.1"}, "RULE-CVE-2025-60052-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60052", "description": "wd theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wd", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2025-60052-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60052", "description": "wd theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wd", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2025-60053-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60053", "description": "maxcube theme <= 1.3.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "maxcube", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2025-60053-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60053", "description": "maxcube theme <= 1.3.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "maxcube", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2025-60054-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60054", "description": "onleash theme <= 1.5.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "onleash", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.5.2"}, "RULE-CVE-2025-60054-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60054", "description": "onleash theme <= 1.5.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "onleash", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5.2"}, "RULE-CVE-2025-60055-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60055", "description": "fabrica theme <= 1.8.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fabrica", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.8.1"}, "RULE-CVE-2025-60055-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60055", "description": "fabrica theme <= 1.8.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fabrica", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.8.1"}, "RULE-CVE-2025-60056-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60056", "description": "winger theme <= 1.0.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "winger", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.16"}, "RULE-CVE-2025-60056-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60056", "description": "winger theme <= 1.0.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "winger", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.16"}, "RULE-CVE-2025-60057-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60057", "description": "dj-rainflow theme <= 1.3.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "dj-rainflow", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.13"}, "RULE-CVE-2025-60057-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60057", "description": "dj-rainflow theme <= 1.3.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "dj-rainflow", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.13"}, "RULE-CVE-2025-60058-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60058", "description": "detailx theme <= 1.10.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "detailx", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.10.0"}, "RULE-CVE-2025-60058-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60058", "description": "detailx theme <= 1.10.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "detailx", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.10.0"}, "RULE-CVE-2025-60060-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60060", "description": "pubzinne theme <= 1.0.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pubzinne", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.12"}, "RULE-CVE-2025-60060-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60060", "description": "pubzinne theme <= 1.0.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pubzinne", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.12"}, "RULE-CVE-2025-60061-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60061", "description": "kicker theme <= 2.2.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "kicker", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.2.0"}, "RULE-CVE-2025-60061-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60061", "description": "kicker theme <= 2.2.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "kicker", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.2.0"}, "RULE-CVE-2025-60063-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60063", "description": "rosalinda theme <= 1.2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rosalinda", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60063-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60063", "description": "rosalinda theme <= 1.2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rosalinda", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60064-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60064", "description": "renewal theme <= 1.2.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "renewal", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2025-60064-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60064", "description": "renewal theme <= 1.2.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "renewal", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2025-60065-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60065", "description": "pinevale theme <= 1.0.14 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pinevale", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60065-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60065", "description": "pinevale theme <= 1.0.14 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pinevale", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60066-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60066", "description": "katelyn theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "katelyn", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60066-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60066", "description": "katelyn theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "katelyn", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60067-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60067", "description": "giardino theme <= 1.1.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "giardino", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.10"}, "RULE-CVE-2025-60067-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60067", "description": "giardino theme <= 1.1.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "giardino", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.10"}, "RULE-CVE-2025-60195-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpf_create_account"}, {"name": "ARGS:role", "type": "regex", "value": "~^\\\\s*(?:administrator|editor|author)\\\\s*$~i"}], "cve": "CVE-2025-60195", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-60195", "description": "Atarim Visual Collaboration <=4.2.1 unauthenticated privilege escalation via wpf_create_account AJAX action with attacker-supplied role parameter", "method": "POST", "mode": "block", "severity": 9.8, "slug": "atarim-visual-collaboration", "tags": ["privilege-escalation", "incorrect-privilege-assignment", "unauthenticated"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-6025-01": {"ajax_action": "apply_tip", "conditions": [{"name": "ARGS:tip", "type": "regex", "value": "~^\\\\s*-~"}], "cve": "CVE-2025-6025", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6025", "description": "Order Tip for WooCommerce <=1.5.4 unauthenticated negative tip manipulation via apply_tip AJAX action", "method": "POST", "mode": "block", "severity": 7.5, "slug": "order-tip-woo", "tags": ["improper-input-validation", "business-logic", "unauthenticated"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2025-6184-01": {"action": "init", "conditions": [{"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2025-6184", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6184", "description": "Tutor LMS Pro <=3.7.0 authenticated SQL injection via order parameter in assignment listing", "method": "GET", "mode": "block", "severity": 8.8, "slug": "tutor", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=3.7.0"}, "RULE-CVE-2025-62007-01": {"ajax_action": "bplvf_save_global", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_save_global"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-62007-02": {"ajax_action": "bplvf_delete_user_feedback", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_delete_user_feedback"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-62007-03": {"ajax_action": "bplvf_toggle_resolved", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_toggle_resolved"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-62007-04": {"ajax_action": "bplvf_get_global", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_get_global"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-6201-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[conversion-pixel[^\\\\]]*(?:<[a-z/!]|on[a-z]+\\\\s*=|javascript\\\\s*:|)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6201", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6201", "description": "Pixel Manager for WooCommerce <=1.49.0 Stored XSS via conversion-pixel shortcode attributes in classic editor (REST API JSON body vector not interceptable due to engine limitation)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "woocommerce-google-adwords-conversion-tracking-tag", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.49.0"}, "RULE-CVE-2025-62022-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/buddypress/v1/signups/activate(/|\\\\?|$)~"}, {"name": "ARGS:activation_key", "type": "regex", "value": "~^0*[0-9]{1,20}$~"}], "cve": "CVE-2025-62022", "method": "POST", "mode": "block", "severity": 7.5, "slug": "buddypress", "target": "plugin", "versions": "<=14.3.4"}, "RULE-CVE-2025-62022-02": {"action": "init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~^/buddypress/v1/signups/activate(/|$)~"}, {"name": "ARGS:activation_key", "type": "regex", "value": "~^0*[0-9]{1,20}$~"}], "cve": "CVE-2025-62022", "method": "POST", "mode": "block", "severity": 7.5, "slug": "buddypress", "target": "plugin", "versions": "<=14.3.4"}, "RULE-CVE-2025-62065-01": {"ajax_action": "rtm_handle_upload_template", "conditions": [{"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-62065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-62065", "description": "RomethemeKit <=1.6.5 authenticated arbitrary file upload via rtm_handle_upload_template AJAX handler", "method": "POST", "mode": "block", "severity": 9.9, "slug": "rometheme-for-elementor", "tags": ["arbitrary-file-upload", "remote-code-execution", "authenticated"], "target": "plugin", "versions": "<=1.6.5"}, "RULE-CVE-2025-6207-01": {"ajax_action": "wpie_tempalte_import", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6207", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6207", "description": "WP Import Export Lite <=3.9.28 authenticated arbitrary file upload via wpie_tempalte_import AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-import-export-lite", "tags": ["arbitrary-file-upload", "dangerous-file-type", "authenticated"], "target": "plugin", "versions": "<=3.9.28"}, "RULE-CVE-2025-6221-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24526", "cve_link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24526", "description": "Stored XSS via unescaped Gutenberg block attributes (textAlign/width) in product-inquiry-button block render callback", "method": "POST", "mode": "block", "severity": 6.5, "slug": "woocommerce-email-inquiry-cart-options", "tags": ["xss", "stored-xss", "gutenberg-block", "woocommerce"], "target": "plugin", "versions": "<=3.4.3"}, "RULE-CVE-2026-24529-01": {"ajax_action": "cancel", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on cancel AJAX action allows authenticated users to cancel bookings", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24529-02": {"ajax_action": "confirm_email", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on confirm_email AJAX action allows authenticated users to confirm bookings", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24529-03": {"ajax_action": "pending_email", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on pending_email AJAX action allows authenticated users to set bookings to pending", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24529-04": {"ajax_action": "reject_email", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on reject_email AJAX action allows authenticated users to reject bookings", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24532-01": {"ajax_action": "sitelock_scan", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24532", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24532", "description": "SiteLock Security <=5.0.2 missing authorization on sitelock_scan AJAX handler allows subscribers to trigger scans", "method": "POST", "mode": "block", "severity": 4.3, "slug": "sitelock", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2026-24532-02": {"ajax_action": "sitelock_dismiss_notice", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24532", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24532", "description": "SiteLock Security <=5.0.2 missing authorization on sitelock_dismiss_notice AJAX handler allows subscribers to dismiss admin notices", "method": "POST", "mode": "block", "severity": 4.3, "slug": "sitelock", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2026-24565-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=bab_Dashboard~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24565", "mode": "block", "severity": 6.5, "slug": "b-accordion", "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-24572-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nelio-content/v1/posts(/|\\\\?|$)~"}, {"name": "ARGS:searchTerm", "type": "regex", "value": "~(?:\'[ \\\\t]*(?:OR|AND)[ \\\\t]+[0-9]|UNION[ \\\\t]+(?:ALL[ \\\\t]+)?SELECT|\'[ \\\\t]*(?:--|#)|SLEEP[ \\\\t]*\\\\(|BENCHMARK[ \\\\t]*\\\\()~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-24572", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24572", "description": "Nelio Content <=4.2.0 authenticated (Contributor+) SQL injection via searchTerm in REST posts endpoint", "method": "GET", "mode": "block", "severity": 8.8, "slug": "nelio-content", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2026-24616-01": {"ajax_action": "wppopups_settings_provider_add", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24616", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24616", "description": "WP Popups <=2.2.0.5 missing authorization on wppopups_settings_provider_add AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-popups-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.2.0.5"}, "RULE-CVE-2026-24616-02": {"ajax_action": "wppopups_settings_provider_disconnect", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24616", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24616", "description": "WP Popups <=2.2.0.5 missing authorization on wppopups_settings_provider_disconnect AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-popups-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.2.0.5"}, "RULE-CVE-2026-24623-01": {"action": "init", "conditions": [{"name": "ARGS:forum", "type": "regex", "value": "~(?:]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-24623", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24623", "description": "NeoForum <=1.0 unauthenticated reflected XSS via forum parameter in shortcode rendering", "mode": "block", "severity": 6.5, "slug": "neoforum", "tags": ["xss", "reflected", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24623-02": {"action": "init", "conditions": [{"name": "ARGS:topic", "type": "regex", "value": "~(?:]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-24623", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24623", "description": "NeoForum <=1.0 unauthenticated reflected XSS via topic parameter in shortcode rendering", "mode": "block", "severity": 6.5, "slug": "neoforum", "tags": ["xss", "reflected", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24623-03": {"ajax_action": "neoforum_get_new_topic_form", "conditions": [{"name": "ARGS:forumid", "type": "regex", "value": "~(?:]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-24623", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24623", "description": "NeoForum <=1.0 authenticated reflected XSS via forumid parameter in neoforum_get_new_topic_form AJAX handler", "mode": "block", "severity": 6.5, "slug": "neoforum", "tags": ["xss", "reflected", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-01": {"ajax_action": "neoforum_close_forum", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in close_forum AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-02": {"ajax_action": "neoforum_restrict_forum", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in restrict_forum AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-03": {"ajax_action": "neoforum_delete_forum", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in delete_forum AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-04": {"ajax_action": "neoforum_edit_forum_title", "conditions": [{"name": "ARGS:data", "type": "regex", "value": "~(?:SLEEP\\\\s*[(]|BENCHMARK\\\\s*[(]|UNION\\\\s+(?:ALL\\\\s+)?SELECT|(?:^|[^a-zA-Z0-9_])(?:OR|AND)\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+)~i"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via data in edit_forum_title AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-05": {"ajax_action": "neoforum_edit_forum_descr", "conditions": [{"name": "ARGS:data", "type": "regex", "value": "~(?:SLEEP\\\\s*[(]|BENCHMARK\\\\s*[(]|UNION\\\\s+(?:ALL\\\\s+)?SELECT|(?:^|[^a-zA-Z0-9_])(?:OR|AND)\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+)~i"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via data in edit_forum_descr AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-06": {"ajax_action": "neoforum_delete_moderators", "conditions": [{"name": "ARGS:type", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via type in delete_moderators AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-07": {"ajax_action": "neoforum_add_moderators", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in add_moderators AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-08": {"ajax_action": "neoforum_topic_restore", "conditions": [{"name": "ARGS:topicid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via topicid in topic_restore AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-09": {"ajax_action": "neoforum_topic_eradicate", "conditions": [{"name": "ARGS:topicid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via topicid in topic_eradicate AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-10": {"ajax_action": "neoforum_post_restore", "conditions": [{"name": "ARGS:postid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via postid in post_restore AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-11": {"ajax_action": "neoforum_post_eradicate", "conditions": [{"name": "ARGS:postid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via postid in post_eradicate AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-12": {"ajax_action": "neoforum_report_leave_post", "conditions": [{"name": "ARGS:reportid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via reportid in report_leave_post AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-13": {"ajax_action": "neoforum_report_delete_post", "conditions": [{"name": "ARGS:reportid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via reportid in report_delete_post AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-14": {"ajax_action": "neoforum_ban_user", "conditions": [{"name": "ARGS:ban", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via ban in ban_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-15": {"ajax_action": "neoforum_unban_user", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in unban_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-16": {"ajax_action": "neoforum_make_admin", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in make_admin AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-17": {"ajax_action": "neoforum_remove_admin", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in remove_admin AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-18": {"ajax_action": "neoforum_delete_topic", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in delete_topic AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-19": {"ajax_action": "neoforum_theme_descr", "conditions": [{"name": "ARGS:theme", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\/\\\\\\\\]){2,}|[\\\\/\\\\\\\\]etc[\\\\/\\\\\\\\]|wp-config\\\\.php)~i"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated local file inclusion via theme in theme_descr AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["local-file-inclusion", "path-traversal", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-2471-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OC]:\\\\d+:\\"[^\\"]*\\":\\\\d+:\\\\{~"}], "cve": "CVE-2026-2471", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2471", "description": "WP Mail Logging <=1.15.0 unauthenticated PHP Object Injection via serialized object payload in form fields logged by wp_mail hook", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-mail-logging", "tags": ["object-injection", "deserialization", "unauthenticated", "stored-payload"], "target": "plugin", "versions": "<=1.15.0"}, "RULE-CVE-2026-2479-01": {"ajax_action": "rl_upload_image", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2479", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2479", "description": "Responsive Lightbox & Gallery <=2.7.1 SSRF via strpos()-based hostname bypass in rl_upload_image AJAX handler", "method": "POST", "mode": "block", "severity": 5.0, "slug": "responsive-lightbox", "tags": ["ssrf", "hostname-bypass", "authenticated"], "target": "plugin", "versions": "<=2.7.1"}, "RULE-CVE-2026-2486-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~ma_el_bh_table_btn_text[\\\\\\"\']\\\\s*:\\\\s*[\\\\\\"\'][^\\\\\\"\']*(?:<[^>]+\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|