scores.sqli = 100 scores.xss = 100 scores.rce = 100 blacklistParam(url='/\/wp\-admin[\/]+admin\-ajax\.php/i', param=request.queryString['action']) blacklistParam(url='/\/wp\-admin[\/]+admin\-ajax\.php/i', param=request.queryString['img']) blacklistParam(url='/\/wp\-admin[\/]+admin\-ajax\.php/i', param=request.body['action']) blacklistParam(url='/\/wp\-admin[\/]+admin\-ajax\.php/i', param=request.body['img']) blacklistParam(url='/.*/', param=request.body['nsextt']) blacklistParam(url='/\/uploadify\.php$/i', param=request.fileNames['Filedata']) blacklistParam(url='/.*/', param=request.fileNames['yiw_contact']) blacklistParam(url='/\/license\.php$/i', param=request.fileNames['filename']) blacklistParam(url='/\/wp\-admin[\/]+admin\-ajax\.php$/i', param=request.fileNames['update_file']) blacklistParam(url='/tiny_mce[\/]+plugins[\/]+tinybrowser[\/]+upload_file\.php$/i', param=request.fileNames['Filedata']) blacklistParam(url='/elfinder[\/]+php[\/]+connector\.minimal\.php$/i', param=request.fileNames['upload']) whitelistParam(url='/.*/', param=request.body['excerpt']) whitelistParam(url='/wp-comments-post\.php$/i', param=request.body['comment'], rules=[3, 12, 146]) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['content']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['data'], rules=[9], conditional=(((notMatch('/^(?:nopriv_)?wpgdprc_process_action$/i', request.body.action) and notMatch('/^(?:nopriv_)?wpgdprc_process_action$/i', request.queryString.action) and notEquals('elementor_js_log', request.body.action) and notEquals('elementor_js_log', request.queryString.action))))) whitelistParam(url='/\/wp\-load\.php$/i', param=request.body['params']['files'], rules=[9]) whitelistParam(url='/\/wp-admin\/(?:network\/)?(?:plugin(?:s|-install)|edit)\.php$/i', param=request.queryString['s'], rules=[3, 9, 12, 13]) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['whitelistedPath']) 
whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['whitelistedParam']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['oldWhitelistedPath']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['oldWhitelistedParam']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['newWhitelistedPath']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['newWhitelistedParam']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['bannedURLs']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['scan_include_extra']) whitelistParam(url='/\/wp-admin\/(?:network\/)?(?:(?:plugin|theme)-editor|admin-ajax)\.php$/i', param=request.body['newcontent']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['widget-text']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['widget-custom_html']) whitelistParam(url='/.{0,1}/', param=request.queryString['_wp_http_referer']) whitelistParam(url='#wp\-json\/wp\/v2\/posts\/#', param=request.body['content'], rules=[9]) whitelistParam(url='#wp\-json\/wp\/v2\/pages\/#', param=request.body['content'], rules=[9]) whitelistParam(url='/.*/', param=request.body['_wp_http_referer'], rules=[13]) whitelistParam(url='/\/wp-admin\/(?:network\/)?plugins\.php$/i', param=request.queryString['plugin']) whitelistParam(url='/\/wp-admin\/(?:network\/)?plugins\.php$/i', param=request.queryString['action']) whitelistParam(url='/\/wp-admin\/(?:network\/)?plugins\.php$/i', param=request.queryString['checked']) whitelistParam(url='/\/wp-admin\/(?:network\/)?plugins\.php$/i', param=request.body['action']) whitelistParam(url='/\/wp-admin\/(?:network\/)?plugins\.php$/i', param=request.body['checked']) whitelistParam(url='/\/wp-admin\/(?:network\/)?plugins\.php$/i', param=request.body['submit']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['blogname']) 
whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['blogdescription']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['siteurl']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['home']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['admin_email']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['moderation_keys']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['blacklist_keys']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['permalink_structure']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['category_base']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['tag_base']) whitelistParam(url='/\/wp-admin\/edit-comments\.php$/i', param=request.queryString['s']) whitelistParam(url='/\/wp-login\.php$/i', param=request.body['pwd']) whitelistParam(url='/\/wp-login\.php$/i', param=request.body['redirect_to']) whitelistParam(url='/\/wp-admin\/network\/(?:user|site)s\.php$/i', param=request.queryString['s']) whitelistParam(url='/\/wp-admin\/network\/site-new\.php$/i', param=request.body['blog']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['deletedWhitelistedPath']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['deletedWhitelistedParam']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['itsec_global']['log_location']) whitelistParam(url='/\/wp-admin\/options\.php$/i', param=request.body['itsec_backup']['location']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['dir']) whitelistParam(url='/(?:lint|import)\.php$/i', param=request.body['sql_query']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['divi_integration_body']) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['divi_integration_head']) 
whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['modules'], rules=[3, 9], conditional=(((equals('et_fb_get_shortcode_from_fb_object', request.body.action) or equals('et_fb_ajax_save', request.body.action)) and (currentUserIs('administrator', server.empty) or currentUserIs('editor', server.empty))))) whitelistParam(url='/.*/', param=request.body['fl_builder_data']['settings']['html'], rules=[9], conditional=((currentUserIs('administrator', server.empty) or currentUserIs('editor', server.empty)))) whitelistParam(url='/.*/', param=request.body['partials'], rules=[9], conditional=((currentUserIs('administrator', server.empty)))) whitelistParam(url='/\/wp\-load\.php$/i', param=request.body['code'], rules=[3], conditional=(((equals('ZXhlYw', request.queryString.action)) and (match('#^define\(\s*\'DONOTCACHEDB\',\s*true\s*\);\s*if\s*\(\s*function_exists\(\s*\'vp_ai_ping_get\'\s*\)\s*\)\s*return\s*vp_ai_ping_get\(\);\s*else\s*return\s*\$this->ai_ping_get\(\);$#', request.body.code))))) whitelistParam(url='/\/vp\-restore\-helper\-[a-zA-Z0-9]+\.php$/i', param=request.body['files'], rules=[3, 9]) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['actions'], rules=[3, 9], conditional=((equals('elementor_ajax', request.body.action) and (currentUserIs('administrator', server.empty) or currentUserIs('editor', server.empty))))) whitelistParam(url='#wp\-admin/+options\-general\.php$#i', param=request.body['ihaf_insert_header'], rules=[9]) whitelistParam(url='#wp\-admin/+options\-general\.php$#i', param=request.body['ihaf_insert_body'], rules=[9]) whitelistParam(url='#wp\-admin/+options\-general\.php$#i', param=request.body['ihaf_insert_footer'], rules=[9]) whitelistParam(url='#wp\-admin/+admin\.php#i', param=request.body['media-placeholder_resp_svg'], rules=[9]) whitelistParam(url='#.*#', param=request.body['customized'], rules=[9], conditional=((currentUserIs('administrator', server.empty)))) whitelistParam(url='/.*/', 
param=request.body['live_editor_panels_data'], rules=[9], conditional=(((currentUserIs('administrator', server.empty) or currentUserIs('editor', server.empty))))) whitelistParam(url='/.*/', param=request.queryString['xwp-content-rel-to-we-plugin-dir'], rules=[12]) whitelistParam(url='/\/wp-admin\/admin-ajax\.php$/i', param=request.body['tree'], rules=[9], conditional=((equals('breakdance_save', request.body.action) and (currentUserIs('administrator', server.empty) or currentUserIs('editor', server.empty))))) whitelistParam(url='/.*/', param=request.body['bbp_media_gif'], rules=[9], conditional=((equals('true', request.queryString['bbp-ajax'])))) whitelistParam(url='#wp\-admin/+options\-general.php$#i', param=request.body['options']['modules']['ga_code'], rules=[9]) whitelistParam(url='#importbuddy\.php$#i', param=request.fileNames, rules=[76]) sqliRegex = '/(?:[^\w<]|\/\*\![0-9]*|^)(?: @@HOSTNAME| ALTER|ANALYZE|ASENSITIVE| BEFORE|BENCHMARK|BETWEEN|BIGINT|BINARY|BLOB| CALL|CASE|CHANGE|CHAR|CHARACTER|CHAR_LENGTH|COLLATE|COLUMN|CONCAT|CONDITION|CONSTRAINT|CONTINUE|CONVERT|CREATE|CROSS|CURRENT_DATE|CURRENT_TIME|CURRENT_TIMESTAMP|CURRENT_USER|CURSOR| DATABASE|DATABASES|DAY_HOUR|DAY_MICROSECOND|DAY_MINUTE|DAY_SECOND|DECIMAL|DECLARE|DEFAULT|DELAYED|DELETE|DESCRIBE|DETERMINISTIC|DISTINCT|DISTINCTROW|DOUBLE|DROP|DUAL|DUMPFILE| EACH|ELSE|ELSEIF|ELT|ENCLOSED|ESCAPED|EXISTS|EXIT|EXPLAIN|EXTRACTVALUE| FETCH|FLOAT|FLOAT4|FLOAT8|FORCE|FOREIGN|FROM|FULLTEXT| GRANT|GROUP|HAVING|HEX|HIGH_PRIORITY|HOUR_MICROSECOND|HOUR_MINUTE|HOUR_SECOND| IFNULL|IGNORE|INDEX|INFILE|INNER|INOUT|INSENSITIVE|INSERT|INTERVAL|ISNULL|ITERATE| JOIN|KILL|LEADING|LEAVE|LIMIT|LINEAR|LINES|LOAD|LOAD_FILE|LOCALTIME|LOCALTIMESTAMP|LOCK|LONG|LONGBLOB|LONGTEXT|LOOP|LOW_PRIORITY| MASTER_SSL_VERIFY_SERVER_CERT|MATCH|MAXVALUE|MEDIUMBLOB|MEDIUMINT|MEDIUMTEXT|MID|MIDDLEINT|MINUTE_MICROSECOND|MINUTE_SECOND|MODIFIES| NATURAL|NO_WRITE_TO_BINLOG|NULL|NUMERIC|OPTION|ORD|ORDER|OUTER|OUTFILE| 
PRECISION|PRIMARY|PRIVILEGES|PROCEDURE|PROCESSLIST|PURGE| RANGE|READ_WRITE|REGEXP|RELEASE|REPEAT|REQUIRE|RESIGNAL|RESTRICT|RETURN|REVOKE|RLIKE|ROLLBACK| SCHEMA|SCHEMAS|SECOND_MICROSECOND|SELECT|SENSITIVE|SEPARATOR|SHOW|SIGNAL|SLEEP|SMALLINT|SPATIAL|SPECIFIC|SQLEXCEPTION|SQLSTATE|SQLWARNING|SQL_BIG_RESULT|SQL_CALC_FOUND_ROWS|SQL_SMALL_RESULT|STARTING|STRAIGHT_JOIN|SUBSTR| TABLE|TERMINATED|TINYBLOB|TINYINT|TINYTEXT|TRAILING|TRANSACTION|TRIGGER| UNDO|UNHEX|UNION|UNLOCK|UNSIGNED|UPDATE|UPDATEXML|USAGE|USING|UTC_DATE|UTC_TIME|UTC_TIMESTAMP| VALUES|VARBINARY|VARCHAR|VARCHARACTER|VARYING|WHEN|WHERE|WHILE|WRITE|YEAR_MONTH|ZEROFILL)(?=[^\w]|$)/ix' xssRegex = '/(?: #tags (?:\<|\+ADw\-|\xC2\xBC)\/?(script|iframe|svg|object|embed|applet|link|style|meta|base|\/\/|\?xml\-stylesheet)(?:[^\w]|\xC2\xBE)| #protocols (?:^|[^\w])(?:(?:(?:\s|(?:&\#(?:x0*(?:[0-9a-f]{1,2})|0*(?:[0-9]{1,2}));?|	?|
?))*(?:&\#(?:x0*(?:6a|4a)|0*(?:106|74));?|j)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:76|56)|0*(?:118|86));?|v)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)|(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:76|56)|0*(?:118|86));?|v)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:62|42)|0*(?:98|66));?|b)|(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:65|45)|0*(?:101|69));?|e)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:63|43)|0*(?:99|67));?|c)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:6d|4d)|0*(?:109|77));?|m)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)|(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:6c|4c)|0*(?:108|76));?|l)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:69|49)|0*(?:105|73));?|i)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:76|56)|0*(?:118|86));?|v)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:65|45)|0*(?:101|69));?|e))(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:73|53)|0*(?:115|83));?|s)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:63|43)|0*(?:99|67));?|c)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:72|52)|0*(?:114|82));?|r)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:69|49)|0*(?:105|73));?|i)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:70|50)|0*(?:112|80));?|p)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:74|54)|0*(?:116|84));?|t)|(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:6d|4d)|0*(?:109|77));?|m)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:68|48)|0*(?:104|72));?|h)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:74|54)|0*(?:116|84));?|t)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:6d|4d)|0*(?:109|77));?|m)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:6c|4c)|0*(?:108|76));?|l)|(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:6d|4d)|0*(?:109|77));?|m)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:6f|4f)|0*(?:111|79));?|o)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:63|43)|0*(?:99|67));?|c)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:68|48)|0*(?:104|72));?|h)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)|(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:64|44)|0*(?:100|68));?|d)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:74|54)|0*(?:116|84));?|t)(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)(?!(?:&\#(?:x0*3a|0*58);?|:?|\:)(?:&\#(?:x0*(?:69|49)|0*(?:105|73));?|i)(?:&\#(?:x0*(?:6d|4d)|0*(?:109|77));?|m)(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)(?:&\#(?:x0*(?:67|47)|0*(?:103|71));?|g)(?:&\#(?:x0*(?:65|45)|0*(?:101|69));?|e)(?:&\#(?:x0*2f|0*47);?|\/)(?:(?:&\#(?:x0*(?:70|50)|0*(?:112|80));?|p)(?:&\#(?:x0*(?:6e|4e)|0*(?:110|78));?|n)(?:&\#(?:x0*(?:67|47)|0*(?:103|71));?|g)|(?:&\#(?:x0*(?:62|42)|0*(?:98|66));?|b)(?:&\#(?:x0*(?:6d|4d)|0*(?:109|77));?|m)(?:&\#(?:x0*(?:70|50)|0*(?:112|80));?|p)|(?:&\#(?:x0*(?:67|47)|0*(?:103|71));?|g)(?:&\#(?:x0*(?:69|49)|0*(?:105|73));?|i)(?:&\#(?:x0*(?:66|46)|0*(?:102|70));?|f)|(?:&\#(?:x0*(?:70|50)|0*(?:112|80));?|p)?(?:&\#(?:x0*(?:6a|4a)|0*(?:106|74));?|j)(?:&\#(?:x0*(?:70|50)|0*(?:112|80));?|p)(?:&\#(?:x0*(?:65|45)|0*(?:101|69));?|e)(?:&\#(?:x0*(?:67|47)|0*(?:103|71));?|g)|(?:&\#(?:x0*(?:74|54)|0*(?:116|84));?|t)(?:&\#(?:x0*(?:69|49)|0*(?:105|73));?|i)(?:&\#(?:x0*(?:66|46)|0*(?:102|70));?|f)(?:&\#(?:x0*(?:66|46)|0*(?:102|70));?|f)|(?:&\#(?:x0*(?:73|53)|0*(?:115|83));?|s)(?:&\#(?:x0*(?:76|56)|0*(?:118|86));?|v)(?:&\#(?:x0*(?:67|47)|0*(?:103|71));?|g)(?:&\#(?:x0*2b|0*43);?|\+)(?:&\#(?:x0*(?:78|58)|0*(?:120|88));?|x)(?:&\#(?:x0*(?:6d|4d)|0*(?:109|77));?|m)(?:&\#(?:x0*(?:6c|4c)|0*(?:108|76));?|l))(?:(?:&\#(?:x0*3b|0*59);?|;)(?:&\#(?:x0*(?:63|43)|0*(?:99|67));?|c)(?:&\#(?:x0*(?:68|48)|0*(?:104|72));?|h)(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)(?:&\#(?:x0*(?:72|52)|0*(?:114|82));?|r)(?:&\#(?:x0*(?:73|53)|0*(?:115|83));?|s)(?:&\#(?:x0*(?:65|45)|0*(?:101|69));?|e)(?:&\#(?:x0*(?:74|54)|0*(?:116|84));?|t)(?:&\#(?:x0*3d|0*61);?|=)[\-a-z0-9]+)?(?:(?:&\#(?:x0*3b|0*59);?|;)(?:&\#(?:x0*(?:62|42)|0*(?:98|66));?|b)(?:&\#(?:x0*(?:61|41)|0*(?:97|65));?|a)(?:&\#(?:x0*(?:73|53)|0*(?:115|83));?|s)(?:&\#(?:x0*(?:65|45)|0*(?:101|69));?|e)(?:&\#(?:x0*36|0*54);?|6)(?:&\#(?:x0*34|0*52);?|4))?(?:&\#(?:x0*2c|0*44);?|,)))(?:\s|(?:&\#(?:x0*(?:9|a|d)|0*(?:9|10|13));?|	?|
?))*(?:&\#(?:x0*3a|0*58);?|&colon|\:)| #css expression (?:^|[^\w])(?:(?:\\0*65|\\0*45|e)(?:\/\*.*?\*\/)*(?:\\0*78|\\0*58|x)(?:\/\*.*?\*\/)*(?:\\0*70|\\0*50|p)(?:\/\*.*?\*\/)*(?:\\0*72|\\0*52|r)(?:\/\*.*?\*\/)*(?:\\0*65|\\0*45|e)(?:\/\*.*?\*\/)*(?:\\0*73|\\0*53|s)(?:\/\*.*?\*\/)*(?:\\0*73|\\0*53|s)(?:\/\*.*?\*\/)*(?:\\0*69|\\0*49|i)(?:\/\*.*?\*\/)*(?:\\0*6f|\\0*4f|o)(?:\/\*.*?\*\/)*(?:\\0*6e|\\0*4e|n))[^\w]*?(?:\\0*28|\()| #css properties (?:^|[^\w])(?:(?:(?:\\0*62|\\0*42|b)(?:\/\*.*?\*\/)*(?:\\0*65|\\0*45|e)(?:\/\*.*?\*\/)*(?:\\0*68|\\0*48|h)(?:\/\*.*?\*\/)*(?:\\0*61|\\0*41|a)(?:\/\*.*?\*\/)*(?:\\0*76|\\0*56|v)(?:\/\*.*?\*\/)*(?:\\0*69|\\0*49|i)(?:\/\*.*?\*\/)*(?:\\0*6f|\\0*4f|o)(?:\/\*.*?\*\/)*(?:\\0*72|\\0*52|r)(?:\/\*.*?\*\/)*)|(?:(?:\\0*2d|\\0*2d|-)(?:\/\*.*?\*\/)*(?:\\0*6d|\\0*4d|m)(?:\/\*.*?\*\/)*(?:\\0*6f|\\0*4f|o)(?:\/\*.*?\*\/)*(?:\\0*7a|\\0*5a|z)(?:\/\*.*?\*\/)*(?:\\0*2d|\\0*2d|-)(?:\/\*.*?\*\/)*(?:\\0*62|\\0*42|b)(?:\/\*.*?\*\/)*(?:\\0*69|\\0*49|i)(?:\/\*.*?\*\/)*(?:\\0*6e|\\0*4e|n)(?:\/\*.*?\*\/)*(?:\\0*64|\\0*44|d)(?:\/\*.*?\*\/)*(?:\\0*69|\\0*49|i)(?:\/\*.*?\*\/)*(?:\\0*6e|\\0*4e|n)(?:\/\*.*?\*\/)*(?:\\0*67|\\0*47|g)(?:\/\*.*?\*\/)*))[^\w]*(?:\\0*3a|\\0*3a|:)[^\w]*(?:\\0*75|\\0*55|u)(?:\\0*72|\\0*52|r)(?:\\0*6c|\\0*4c|l)| #properties 
(?:^|[^\w])(?:on(?:abort|activate|active|addsourcebuffer|addstream|addtrack|afterprint|afterscriptexecute|afterupdate|alerting|animationcancel|animationend|animationiteration|animationstart|antennaavailablechange|appinstalled|audioend|audioprocess|audiostart|autocomplete|autocompleteerror|auxclick|beforeactivate|beforecopy|beforecut|beforedeactivate|beforeeditfocus|beforeinput|beforeinstallprompt|beforematch|beforepaste|beforeprint|beforescriptexecute|beforetoggle|beforeunload|beforeupdate|beforexrselect|begin|beginevent|blocked|blur|bounce|boundary|broadcast|busy|cached|callschanged|cancel|canplay|canplaythrough|cardstatechange|cellchange|cfstatechange|change|chargingchange|chargingtimechange|checkboxstatechange|checking|click|close|command|commandupdate|compassneedscalibration|complete|compositionend|compositionstart|compositionupdate|connect|connected|connecting|connectioninfoupdate|contactchange|contentvisibilityautostatechange|contextlost|contextmenu|contextrestored|controllerchange|controlselect|copy|cuechange|currentchannelchanged|currentsourcechanged|cut|data|dataavailable|datachange|datachannel|dataerror|datasetchanged|datasetcomplete|dblclick|deactivate|delivered|deliveryerror|deliverysuccess|devicechange|devicelight|devicemotion|deviceorientation|deviceproximity|dialing|disabled|dischargingtimechange|disconnected|disconnecting|domattrmodified|domcharacterdatamodified|domcontentloaded|dommenuitemactive|dommenuiteminactive|dommousescroll|domnodeinserted|domnodeinsertedintodocument|domnoderemoved|domnoderemovedfromdocument|domsubtreemodified|downloading|drag|dragdrop|dragend|dragenter|dragexit|dragleave|dragover|dragstart|drain|drop|durationchange|eitbroadcasted|emptied|enabled|encrypted|end|ended|endevent|enter|enterpictureinpicture|error|errorupdate|exit|failed|fetch|filterchange|finish|focus|focusin|focusout|formchange|formdata|forminput|frequencychange|fullscreenchange|fullscreenerror|gamepadconnected|gamepaddisconnected|gesturechange|gestureend|gestures
tart|gotpointercapture|hashchange|headphoneschange|held|help|holding|icccardlockerror|iccinfochange|icecandidate|iceconnectionstatechange|icegatheringstatechange|identityresult|idpassertionerror|idpvalidationerror|inactive|incoming|input|install|invalid|isolationchange|keydown|keypress|keystatuschange|keyup|languagechange|layoutcomplete|leavepictureinpicture|levelchange|load|loaded|loadeddata|loadedmetadata|loadend|loading|loadingdone|loadingerror|loadstart|localized|losecapture|lostpointercapture|mark|mediacomplete|mediaerror|message|messageerror|midimessage|mousedown|mouseenter|mouseleave|mousemove|mouseout|mouseover|mouseup|mousewheel|move|moveend|movestart|mozaudioavailable|mozbrowseractivitydone|mozbrowserasyncscroll|mozbrowseraudioplaybackchange|mozbrowsercaretstatechanged|mozbrowserclose|mozbrowsercontextmenu|mozbrowserdocumentfirstpaint|mozbrowsererror|mozbrowserfindchange|mozbrowserfirstpaint|mozbrowsericonchange|mozbrowserloadend|mozbrowserloadstart|mozbrowserlocationchange|mozbrowsermanifestchange|mozbrowsermetachange|mozbrowseropensearch|mozbrowseropentab|mozbrowseropenwindow|mozbrowserresize|mozbrowserscroll|mozbrowserscrollareachanged|mozbrowserscrollviewchange|mozbrowsersecuritychange|mozbrowserselectionstatechanged|mozbrowsershowmodalprompt|mozbrowsertitlechange|mozbrowserusernameandpasswordrequired|mozbrowservisibilitychange|mozfullscreenchange|mozfullscreenerror|mozgamepadbuttondown|mozgamepadbuttonup|mozinterruptbegin|mozinterruptend|mozmousepixelscroll|mozorientation|mozpointerlockchange|mozpointerlockerror|mozscrolledareachanged|moztimechange|mscontentzoom|msgesturechange|msgesturedoubletap|msgestureend|msgesturehold|msgesturerestart|msgesturestart|msgesturetap|msgotpointercapture|msinertiastart|mslostpointercapture|msmanipulationstatechanged|msneedkey|mspointercancel|mspointerdown|mspointerenter|mspointerhover|mspointerleave|mspointermove|mspointerout|mspointerover|mspointerup|mute|negotiationneeded|nodecreate|nomatch|notificationclick|noupdate
|obsolete|offline|online|open|orientationchange|outofsync|overconstrained|overflow|page|pagehide|pagereveal|pageshow|pageswap|paste|pause|peeridentity|peerinfoupdat|play|playing|pointercancel|pointerdown|pointerenter|pointerleave|pointerlockchange|pointerlockerror|pointermove|pointerout|pointerover|pointerrawupdate|pointerup|popstate|popuphidden|popuphiding|popupshowing|popupshown|progress|propertychange|push|pushsubscriptionchange|radiostatechange|ratechange|readystatechange|received|rejectionhandled|removesourcebuffer|removestream|removetrack|repeat|repeatevent|reset|resize|resizeend|resizestart|resourcetimingbufferfull|result|resume|resuming|retrieving|reverse|rowdelete|rowenter|rowexit|rowinserted|rowsdelete|rowsinserted|scanningstatechanged|scroll|scrollend|scrollsnapchange|scrollsnapchanging|search|securitypolicyviolation|seek|seeked|seeking|select|selectionchange|selectstart|sending|sent|sessionavailable|sessionconnect|settingchange|shippingaddresschange|shippingoptionchange|show|signalingstatechange|slotchange|smartcard|sort|soundend|soundstart|sourceclose|sourceended|sourceopen|speakerforcedchange|speechend|speechstart|stalled|start|started|statechange|statuschange|stkcommand|stksessionend|stop|storage|submit|success|suspend|svgabort|svgerror|svgload|svgresize|svgscroll|svgunload|svgzoom|synchrestored|timeerror|timeout|timer|timeupdate|toggle|tonechange|touchcancel|touchend|touchenter|touchleave|touchmove|touchstart|trackchange|transitioncancel|transitionend|transitionrun|transitionstart|underflow|unhandledrejection|unload|unmute|update|updateend|updatefound|updateready|updatestart|upgradeneeded|urlflip|userproximity|ussdreceived|valuechange|versionchange|visibilitychange|voicechange|voiceschanged|volumechange|vrdisplayactivate|vrdisplayblur|vrdisplayconnect|vrdisplayconnected|vrdisplaydeactivate|vrdisplaydisconnect|vrdisplaydisconnected|vrdisplayfocus|vrdisplaypresentchange|waiting|waitingforkey|webglcontextcreationerror|webglcontextlost|webglcontextrestor
ed|webkitanimationend|webkitanimationiteration|webkitanimationstart|webkitfullscreenchange|webkitfullscreenerror|webkitmouseforcechanged|webkitmouseforcedown|webkitmouseforceup|webkitmouseforcewillbegin|webkitplaybacktargetavailabilitychanged|webkitpresentationmodechanged|webkittransitionend|webkitwillrevealbottom|wheel|writeend|zoom)|formaction|data\-bind|ev:event)[^\w] )/ix' if (equals('cyberscan.io', request.headers['User-Agent']) or equals('UT-Dorkbot/1.0', request.headers['User-Agent']) or equals('Nuclei - Open-source project (github.com/projectdiscovery/nuclei)', request.headers['User-Agent']) or match('#OpenVAS#', request.headers['User-Agent']) or match('#WhiteHat Security#', request.headers['User-Agent']) or match('#^Punkspider#', request.headers['User-Agent']) or match('#Greenbone OS#', request.headers['User-Agent']) or match('#^WPScan#', request.headers['User-Agent']) or equals('multipart/form-data; boundary=--Qualys', request.headers['Content-Type']) or equals('Mozilla/5.0 (compatible; Detectify)', request.headers['User-Agent']) or match('#virusdie-sdsnetwork#', request.headers['User-Agent'])): block(id=375, category='security-scanner', score=100, description='Common vulnerability scanner User-Agents', whitelist=0) if (match('#^/api/v2/(cmdb|monitor)/#', request.path, request.uri)): block(id=512, category='auth-bypass', score=100, description='CVE-2022-40684 FortiOS FortiProxy Auth Bypass', whitelist=0) if (match('#/cgi-bin/;.+#', request.path, request.uri)): block(id=468, category='rce', score=100, description='CVE-2016-6277', whitelist=0) if (match('#/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/#', request.uri)): block(id=471, category='rce', score=100, description='VMWare vSphere RCE CVE-2021-21985', whitelist=0) if (match('#_layouts/\d+/Picker\.aspx#', request.uri)): block(id=472, category='rce', score=100, description='Sharepoint RCE CVE-2019-0604', whitelist=0) if (match('#/tmui/login.jsp/..;/#', request.uri)): block(id=474, 
category='rce', score=100, description='F5 BigIP RCE CVE-2020-5902', whitelist=0) if (match('#\$\{[\w\$\{\}:\-]{0,50}j[\w\$\{\}:\-]{0,50}n[\w\$\{\}:\-]{0,50}d[\w\$\{\}:\-]{0,50}i[\w\$\{\}:\-]{0,50}:[\w\$\{\}:\-]{0,50}l[\w\$\{\}:\-]{0,50}d[\w\$\{\}:\-]{0,50}a[\w\$\{\}:\-]{0,50}p[\w\$\{\}:\-]{0,50}:[\w\$\{\}:\-]{0,50}\/#', request.body, request.rawBody, request.queryString, request.headers)): block(id=470, category='rce', score=100, description='log4j CVE-2021-44228', whitelist=0) if (match('#^(\/\w+)?/public/plugins/\w+\/\.\.\/#', request.uri)): block(id=473, category='traversal', score=100, description='Grafana Directory Traversal CVE-2021-43798', whitelist=0) if (lengthGreaterThan('0', request.headers['X-F5-Auth-Token']) or identical('', request.headers['X-F5-Auth-Token']) or match('#^\/mgmt\/tm\/#i', request.path)): block(id=490, category='rce', score=100, description='CVE-2022-1388 - F5 BIG IP RCE', whitelist=0) if (match('#doar-e, ?ftw, ?imo, ?,#', request.headers['Accept-Encoding'])): log(id=508, category='rce', score=100, description='CVE-2021-31166 Remote Use After Free in Windows Remote Management', whitelist=0) if (match('/(^|;|{|})(?:O|C):\d+:"(?!stdClass")[^"]+":/', request.body, request.headers, request.queryString) and notMatch('#/wp-json/autonami/v1/wc-add-to-cart#', request.path) and notMatch('#/autonami/v1/wc-add-to-cart#', request.queryString['rest_route'])): block(id=662, category='obji', score=100, description='Generic Object Injection', whitelist=0) if (match('#wpgateway\/wpgateway-webservice-new\.php#', request.path) or match('#wpgateway-webservice\.php#', request.path)): block(id=510, category='privesc', score=100, description='WPGateway <= 3.5 - Unauthenticated Privilege Escalation', whitelist=0) if (match('/(^|\/|\\)(\.\.?(\\|\/)+)+wp\-config\.php/i', request.body, request.queryString) and currentUserIsNot('administrator', server.empty)): block(id=67, category='traversal', score=100, description='Directory Traversal (Requesting 
wp-config.php)', whitelist=0) if (match('/installer(-backup)?\.php/i', request.path) and equals('3', request.body.action_ajax) and currentUserIsNot('administrator', server.empty)): block(id=119, category='rce', score=100, description='Duplicator <= 1.2.41 - Sensitive Information Disclosure leading to Remote Code Execution', whitelist=0) if (currentUserIsNot('administrator', server.empty) and md5Equals('dd2b27de911dc0bffb0731accfb19ef1', request.md5Body.fb6b8bd57c6b98e7eeeb7df01b99c335, request.md5QueryString.fb6b8bd57c6b98e7eeeb7df01b99c335)): block(id=114, category='backdoor', score=100, description='FB6904-1', whitelist=0) if (currentUserIsNot('administrator', server.empty) and md5Equals('36ea527f1f4ea563e43fec711328d6a5', request.md5Body.e29f37ef46c8a4ce321e40a77efdcaf1, request.md5QueryString.e29f37ef46c8a4ce321e40a77efdcaf1)): block(id=115, category='backdoor', score=100, description='FB6904-2', whitelist=0) if (match('#/wp\-admin/post\.php$#i', server.script_filename) and match(xssRegex, request.body.meta, request.body.metavalue, request.body.metakeyinput, request.body.metakeyselect) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=507, category='xss', score=100, description='WordPress Core < 6.0.2 - Authenticated Contributor+ Stored Cross-Site Scripting', whitelist=0) if (notEquals('', request.body.ure_other_roles) and match('#/wp\-admin/(network/)?(profile|user-new)\.php#i', request.path) and currentUserIsNot('administrator', server.empty)): block(id=18, category='priv-esc', score=100, description='User Role Editor <= 4.24 - Authenticated Privilege Escalation', whitelist=0) if ((equals('wp_capabilities', request.body['wp_screen_options']['option']) or equals('wp_user_level', request.body['wp_screen_options']['option']))): block(id=599, category='priv-esc', score=100, description='ReviewX <= 1.6.13 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation', whitelist=0) if 
(lengthGreaterThan('0', request.body.aam_user_roles) and currentUserIsNot('administrator', server.empty)): block(id=272, category='auth-bypass', score=100, description='Advanced Access Manager <= 6.6.1 - Authenticated Authorization Bypass and Privilege Escalation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('elementor_ajax', request.body.action, request.queryString.action) and match('#meta_callback\":\"(?!(get_permalink|get_the_title|wp_get_attachment_url|wp_get_attachment_image|date|date_i18n|\"))#i', request.body.actions, request.queryString.actions)): block(id=621, category='rce', score=100, description='JetElements <= 2.6.10 - Authenticated (Contributor+) Remote Code Execution', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('update-plugin', request.body.action, request.queryString.action) and match('/(^|\/|\\|%2f|%5c)\.\.(\\|\/|%2f|%5c)/i', request.body, request.queryString)): block(id=66, category='dos', score=100, description='WordPress Core <= 4.5.3 - Denial of Service', whitelist=0) if (md5Equals('0d97ef17e443af0f442712be63a3714e', request.md5Body['01b0357bbb461420eb0aced7e3c2fcb9'], request.md5QueryString['01b0357bbb461420eb0aced7e3c2fcb9']) and notMatch('/^(\w{3,5}:\/\/|wp-content\/uploads\/)/i', request.md5Body['8c7dd922ad47494fc02c388e12c00eac']['45b963397aa40d4a0063e0d85e4fe7a1']) and match('/[\/\\]/i', request.md5Body['8c7dd922ad47494fc02c388e12c00eac']['45b963397aa40d4a0063e0d85e4fe7a1']) and currentUserIsNot('administrator', server.empty)): block(id=502, category='file_delete', score=100, description='WAF-RULE-502', whitelist=0) if (match('#/wp\-admin/#i', server.script_filename) and (equals('deactivate_plugin', request.queryString.action) or equals('activate_plugin', request.queryString.action)) and lengthGreaterThan('0', request.queryString.plugin) and currentUserIsNot('administrator', server.empty)): block(id=286, category='auth-bypass', 
score=100, description='Epsilon Framework Themes (Various Versions) - Unauthenticated Plugin Activation/Deactivation', whitelist=0) if (match('#/wp\-admin/profile\.php$#i', server.script_filename) and lengthGreaterThan('0', request.body['um-role'], request.queryString['um-role']) and currentUserIsNot('administrator', server.empty)): block(id=292, category='priv-esc', score=100, description='Ultimate Member <= 2.1.11 - Unauthenticated Privilege Escalation via User Roles', whitelist=0) if (match('#/wp\-admin/post\.php$#i', server.script_filename) and equals('editpost', request.body.action, request.queryString.action) and (lengthGreaterThan('0', request.body['obfx-footer-scripts'], request.queryString['obfx-footer-scripts']) or lengthGreaterThan('0', request.body['obfx-header-scripts'], request.queryString['obfx-header-scripts'])) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=298, category='xss', score=100, description='Orbit Fox by ThemeIsle <= 2.10.2 - Authenticated (Contributor+) Stored Cross Site Scripting', whitelist=0) if (match('#/wp-admin/#i', server.script_filename) and (lengthGreaterThan('0', request.body['download_csv'], request.queryString['download_csv']) or identical('', request.body['download_csv'], request.queryString['download_csv'])) and (lengthGreaterThan('0',request.body['form_name'], request.queryString['form_name']) or lengthGreaterThan('0', request.body['form_id'], request.queryString['form_id'])) and currentUserIsNot('administrator', server.empty)): block(id=316, category='sde', score=100, description='Elementor Contact Form DB <= 1.5 - Sensitive Information Disclosure', whitelist=0) if ((equals('wppb_page_save', request.body.action, request.queryString.action) or equals('wppb_editor', request.body.action, request.queryString.action)) and currentUserIs('subscriber', server.empty)): block(id=330, category='auth-bypass', score=100, description='WP Page Builder <= 1.2.3 - Insecure 
Default to Unauthorized Page Editing', whitelist=0) if (match(xssRegex, request.queryString.lang)): blockXSS(id=345, category='xss', score=100, description='Related Posts for WordPress <= 2.0.3 - Reflected Cross-Site Scripting', whitelist=0) if ((match(xssRegex,request.body['mapplic-mapdata']) or match('#\.svg$#i', request.body['new-map']) or match('#"map":"[^"]+\.svg"#i', request.body['mapplic-mapdata'])) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor',server.empty)): block(id=350, category='xss', score=100, description='Mapplic Lite and Mapplic <= (Various Versions) - Server Side Request Forgery to Cross-Site Scripting', whitelist=0) if ((match('#wp:php-everywhere-block\/php#i', request.rawBody) or match('#\[php_everywhere#i', request.body.shortcode, request.body.content, request.rawBody, request.queryString.shortcode) or (lengthGreaterThan('0', request.body['php_everywhere_code']) and notEquals('Just+put+[php_everywhere]+where+you+want+the+code+to+be+executed.', request.body['php_everywhere_code']) and notEquals('Just put [php_everywhere] where you want the code to be executed.', request.body['php_everywhere_code']))) and currentUserIsNot('administrator', server.empty)): block(id=440, category='rce', score=100, description='PHP Everywhere <= 2.0.3 - Authenticated (Contributor+) Remote Code Execution via Metabox', whitelist=0) if (match('#[^a-zA-Z]#',request.queryString['sgpb_type'])): block(id=452, category='lfi', score=100, description='Popup Builder <= 4.0.6 - Local File Inclusion to Remote Code Execution', whitelist=0) if (match('#/wp\-admin#i', server.script_filename) and match('#[\r\n\t<>%]#', request.body.page)): block(id=457, category='xss', score=100, description='Reflected XSS via \'page\' parameter', whitelist=0) if ((equals('EWD_FEUP_MassUserAction', request.queryString.Action) OR equals('EWD_FEUP_DeleteAllUsers', request.queryString.Action) OR equals('EWD_FEUP_DeleteUser', request.queryString.Action) OR 
equals('EWD_FEUP_MassDeleteFields', request.queryString.Action) OR equals('EWD_FEUP_AddPayment', request.queryString.Action) OR equals('EWD_FEUP_EditPayment', request.queryString.Action) OR equals('EWD_FEUP_DeletePayment', request.queryString.Action) OR equals('EWD_FEUP_DeleteLevel', request.queryString.Action) OR equals('EWD_FEUP_MassDeleteLevels', request.queryString.Action) OR equals('EWD_FEUP_ExportToExcel', request.queryString.Action)) AND currentUserIsNot('administrator', server.empty)): block(id=582, category='bypass', score=100, description='Front End Users <= 3.2.24 - Missing Authorization in Multiple Functions', whitelist=0) if (match('#/wp\-admin/post\.php$#i', server.script_filename) and (match(xssRegex, request.queryString.aiosp_title, request.body.aiosp_title) or match(xssRegex, request.queryString.aiosp_description, request.body.aiosp_description)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=263, category='xss', score=100, description='All in One SEO Pack <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting', whitelist=0) if (match('/phar:\/\//i', request.body, request.queryString)): block(id=146, category='rce', score=100, description='PHAR Deserialization Attack', whitelist=0) if (match('#/wp\-admin/#i', request.path) and equals('tinvwl_import_settings', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=289, category='priv-esc', score=100, description='TI WooCommerce Wishlist <= 1.21.11 and TI WooCommerce Wishlist Pro <= 1.21.4 - Arbitrary Options Update', whitelist=0) if (match('#/wp\-admin/#i', server.script_filename) and (lengthGreaterThan('0', request.body.custom_wpadmin_slug) or identical('', request.body.custom_wpadmin_slug)) and currentUserIsNot('administrator', server.empty)): block(id=491, category='insufficient-auth', score=100, description='HC Custom WP-Admin URL <= 1.4 - Missing Authorization to 
Login URL Change', whitelist=0) if (match('#/wp\-admin/#i', server.script_filename) and (lengthGreaterThan('0', request.body.rwl_redirect_field) or identical('', request.body.rwl_redirect_field) or lengthGreaterThan('0', request.body.rwl_page) or identical('', request.body.rwl_page)) and currentUserIsNot('administrator', server.empty)): block(id=492, category='insufficient-auth', score=100, description='Change wp-admin login <= 1.0.9 - Missing Authorization Checks', whitelist=0) if (match('#wp\-admin/post.php$#i', server.script_filename) and equals('mfn-live-builder', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty) and currentUserIsNot('author', server.empty) and currentUserIsNot('contributor', server.empty)): block(id=520, category='insufficient-auth', score=100, description='Betheme <= 26.6.2 - Missing Authorization Checks', whitelist=0) if ((lengthGreaterThan('0', request.body['cstu_set_token'], request.queryString['cstu_set_token'], request.body['cstu_check_token'], request.queryString['cstu_check_token'],request.body['cstu_verfiy_wp_user'], request.queryString['cstu_verfiy_wp_user'],request.body['cstu_get_blog_authors'], request.queryString['cstu_get_blog_authors'],request.body['cstu_create_new_post'], request.queryString['cstu_create_new_post'],request.body['cstu_update_post'], request.queryString['cstu_update_post'],request.body['cstu_unset_token'], request.queryString['cstu_unset_token'], request.body['cstu_change_post_status'], request.queryString['cstu_change_post_status'], request.body['cstu_get_metadata'], request.queryString['cstu_get_metadata'], request.body['cstu_is_installed'], request.queryString['cstu_is_installed'],request.body['cstu_create_nonce_for_post'], request.queryString['cstu_create_nonce_for_post']) or identical('', request.body['cstu_set_token'], request.queryString['cstu_set_token'], request.body['cstu_create_nonce_for_post'], 
request.queryString['cstu_create_nonce_for_post'], request.body['token_validity'], request.queryString['token_validity'], request.body['cstu_change_post_status'], request.queryString['cstu_change_post_status'])) and currentUserIsNot('administrator',server.empty) and currentUserIsNot('editor',server.empty)): block(id=524, category='insufficient-auth', score=100, description='ContentStudio <= 1.1.8/1.2.5 - Missing Authorization', whitelist=0) if (match('#/wp\-admin/post\.php$#i', server.script_filename) and currentUserIsNot('administrator', server.empty) and match(xssRegex, request.body["aioseo-post-settings"])): block(id=535, category='xss', score=100, description='All in One SEO Pack <= 4.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting', whitelist=0) if (lengthGreaterThan('0', request.headers['X-Wcpay-Platform-Checkout-User']) and notequals('0', request.headers['X-Wcpay-Platform-Checkout-User'])): block(id=568, category='auth-bypass', score=100, description='WooCommerce Payments <= 5.6.1 Authentication Bypass and Privilege Escalation', whitelist=0) if (( equals('update_profile', request.queryString.charitable_action, request.body.charitable_action) or equals('save_registration', request.queryString.charitable_action, request.body.charitable_action) ) and lengthGreaterThan(0, request.queryString.role, request.body.role)): block(id=623, category='priv-esc', score=100, description='Donation Forms by Charitable <= 1.7.0.12 - Unauthenticated Privilege Escalation', whitelist=0) if (match('#/wp\-admin/post\.php$#i', server.script_filename) and match(xssRegex,request.body['Powerpress']['podcast']['url'])): block(id=633, category='xss', score=100, description='PowerPress <= 11.0.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL', whitelist=0) if ((equals('enabled', request.body['ast-advanced-hook-with-php']) or lengthGreaterThan('0', request.body['ast-advanced-hook-php-code'])) and currentUserIsNot('administrator', server.empty)): 
block(id=656, category='rce', score=100, description='Astra Pro <= 4.3.1 - Authenticated(Contributor+) Remote Code Execution via Metabox', whitelist=0) if (match('#/wp\-admin/post\.php$#i', server.script_filename) and equals('editpost', request.queryString.action, request.body.action) and match('/vc_raw_html|vc_raw_js|custom_onclick_code/', request.queryString.content, request.body.content) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=268, category='xss', score=100, description='WPBakery Page Builder <= 6.2.0 Contributor+ Stored XSS Edit Posts', whitelist=0) if (match('#/wp\-admin/(network/)?(profile|user-new)\.php$#i', server.script_filename) and match(xssRegex, request.body, request.queryString)): log(id=374, category='xss', score=100, description='Profile and User-New XSS Logonly Rule', whitelist=0) if (( match('#/wp\-admin/(network/)?(post|profile|user-new|settings)\.php$#i', server.script_filename) ) or ( match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and ( equals('wordfence_loadLiveTraffic', request.body.action) or equals('wordfence_ticker', request.body.action) or equals('rocket_rucss_warmup_resource_fetcher', request.queryString.action) or equals('rocket_saas_warmup', request.queryString.action) or ( equals('acf/validate_save_post', request.queryString.action, request.body.action) and match(xssRegex, request.body.acf) ) or ( currentUserIs('administrator', server.empty) and ( equals('install-plugin', request.body.action) or equals('update-plugin', request.body.action) or equals('delete-plugin', request.body.action) or equals('search-plugins', request.body.action) or equals('search-install-plugins', request.body.action) or equals('activate-plugin', request.body.action) or equals('update-theme', request.body.action) or equals('delete-theme', request.body.action) or equals('install-theme', request.body.action) or equals('customize_save', request.body.action) ) ) ) ) or ( 
match('#/index\.php$#', server.script_filename) and ( match('#/fluent-crm/v2/#', request.queryString.rest_route) or match('#^/wp-json/fluent-crm/v2/#', request.path) ) )): allow(id=1, category='whitelist', score=100, description='Whitelisted URL') if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (((equals('revslider_show_image', request.queryString.action) or equals('nopriv_revslider_show_image', request.queryString.action)) and match('/\.php$/i', request.queryString.img)) or ((equals('revslider_show_image', request.body.action) or equals('nopriv_revslider_show_image', request.body.action)) and match('/\.php$/i', request.body.img)))): block(id=2, category='lfi', score=100, description='Slider Revolution <= 4.1.4 - Directory Traversal', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (((equals('revslider_ajax_action', request.queryString.action) or equals('nopriv_revslider_ajax_action', request.queryString.action)) and equals('update_plugin', request.queryString.client_action)) or ((equals('revslider_ajax_action', request.body.action) or equals('nopriv_revslider_ajax_action', request.body.action)) and equals('update_plugin', request.body.client_action))) and currentUserIsNot('administrator', server.empty)): block(id=60, category='file_upload', score=100, description='Slider Revolution < 3.0.96 & Showbiz Pro < 1.7.1 - Missing Authorization to Arbitrary File Upload', whitelist=0) if (match('/dzs\-videogallery[\/]+admin[\/]+(?:playlist|tag)seditor[\/]+popup\.php/', request.path) and contains('\'', request.queryString.initer)): blockXSS(id=15, category='xss', score=100, description='DZS Video Gallery <= 8.60 - Reflected Cross-Site Scripting', whitelist=0) if (match('/simple-ads-manager[\/]+sam-ajax-loader\.php/', request.path) and match(sqliRegex, base64decode(request.body.wc))): block(id=16, category='sqli', score=100, description='Simple Ads Manager <= 2.9.4.116 - SQL Injection', whitelist=0) if 
(match('/gwolle\-gb[\/]+frontend[\/]+captcha[\/]+ajaxresponse\.php/', request.path) and match('/.*/', request.queryString.abspath)): block(id=17, category='rfi', score=100, description='Gwolle Guestbook <= 1.5.3 - Remote File Inclusion', whitelist=0) if (equals('mainwp-setup', request.body.page, request.queryString.page) and currentUserIsNot('administrator', server.empty)): block(id=29, category='xss', score=100, description='MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 - Stored Cross-Site Scripting') if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and ((md5Equals('46f5a89acb206a7f58db187e45fa2a4d', request.body.action) and notMatch('/^(?:country|city)$/ix', request.md5Body['5fc75f82e79d75efb9716109034a3209'])))): block(id=33, category='sqli', score=100, description='Kento Post View Counter <= 2.8 - SQL Injection', whitelist=0) if ((match('#/wp\-mobile\-detector[/]+resize\.php#i', request.path) or match('#/wp\-mobile\-detector[/]+timthumb\.php#i', request.path)) and ((lengthGreaterThan('0', request.body.src) and notMatch('/\.(?:png|gif|jpg|jpeg|jif|jfif|svg)$/i', request.body.src)) or (lengthGreaterThan('0', request.queryString.src) and notMatch('/\.(?:png|gif|jpg|jpeg|jif|jfif|svg)$/i', request.queryString.src)))): block(id=36, category='file_upload', score=100, description='WP Mobile Detector <= 3.5 - Arbitrary File Upload', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and (currentUserIsNot('administrator', server.empty) or (lengthGreaterThan('0', request.body.id) and notMatch('/^[0-9]+$/', request.body.id))) and equals('populate_download_edit_form', request.body.action, request.queryString.action)): block(id=37, category='sqli', score=100, description='Double Opt-In for Download <= 2.0.9 - SQL Injection', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and currentUserIsNot('administrator', server.empty) and 
md5Equals('9082302c5211de15622f1cfab357f521', request.body.action, request.queryString.action)): block(id=38, category='sde', score=100, description='WP Maintenance Mode <= 2.0.6 - Authenticated Information Disclosure', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and currentUserIsNot('administrator', server.empty) and equals('wpmm_reset_settings', request.body.action, request.queryString.action)): block(id=39, category='sde', score=100, description='WP Maintenance Mode <= 2.0.6 - Missing Authorization', whitelist=0) if (currentUserIsNot('administrator', server.empty) and ( identical('', request.body.dpc_save_settings) or lengthGreaterThan('0', request.body.dpc_save_settings) )): block(id=45, category='auth-bypass', score=100, description='DELUCKS SEO <= 1.3.9 - Unauthorized Options Update', whitelist=0) if ((match('/Abonti|aggregator|AhrefsBot|asterias|BDCbot|BLEXBot|BuiltBotTough|Bullseye|BunnySlippers|ca\-crawler|CCBot|Cegbfeieh|CheeseBot|CherryPicker|CopyRightCheck|cosmos|Crescent|discobot|DittoSpyder|DotBot|Download Ninja|EasouSpider|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|ExtractorPro|Fasterfox|FeedBooster|Foobot|Genieo|grub\-client|Harvest|hloader|httplib|HTTrack|humanlinks|ieautodiscovery|InfoNaviRobot|IstellaBot|Java\/1\.|JennyBot|k2spider|Kenjin Spider|Keyword Density\/0\.9|larbin|LexiBot|libWeb|libwww|LinkextractorPro|linko|LinkScan\/8\.1a Unix|LinkWalker|LNSpiderguy|lwp\-trivial|magpie|Mata Hari|MaxPointCrawler|MegaIndex|Microsoft URL Control|MIIxpc|Mippin|Missigua Locator|Mister PiX|MJ12bot|moget|MSIECrawler|NetAnts|NICErsPRO|Niki\-Bot|NPBot|Nutch|Offline Explorer|Openfind|panscient\.com|PHP\/5\.\{|ProPowerBot\/2\.14|ProWebWalker|Python\-urllib|QueryN Metasearch|RepoMonkey|RMA|SemrushBot|SeznamBot|SISTRIX|sitecheck\.Internetseer\.com|SiteSnagger|SnapPreviewBot|Sogou|SpankBot|spanner|spbot|Spinn3r|suzuran|Szukacz\/1\.4|Teleport|Telesoft|The 
Intraformant|TheNomad|TightTwatBot|Titan|toCrawl\/UrlDispatcher|True_Robot|turingos|TurnitinBot|UbiCrawler|UnisterBot|URLy Warning|VCI|WBSearchBot|Web Downloader\/6\.9|Web Image Collector|WebAuto|WebBandit|WebCopier|WebEnhancer|WebmasterWorldForumBot|WebReaper|WebSauger|Website Quester|Webster Pro|WebStripper|WebZip|Wotbox|wsr\-agent|WWW\-Collector\-E|Xenu|Zao|Zeus|ZyBORG|coccoc|Incutio|lmspider|memoryBot|SemrushBot|serf|Unknown|uptime files/i', request.headers['User-Agent']) and match(xssRegex, request.headers['User-Agent'])) or (match('/semalt\.com|kambasoft\.com|savetubevideo\.com|buttons\-for\-website\.com|sharebutton\.net|soundfrost\.org|srecorder\.com|softomix\.com|softomix\.net|myprintscreen\.com|joinandplay\.me|fbfreegifts\.com|openmediasoft\.com|zazagames\.org|extener\.org|openfrost\.com|openfrost\.net|googlsucks\.com|best\-seo\-offer\.com|buttons\-for\-your\-website\.com|www\.Get\-Free\-Traffic\-Now\.com|best\-seo\-solution\.com|buy\-cheap\-online\.info|site3\.free\-share\-buttons\.com|webmaster\-traffic\.co/i', request.headers.Referer) and match(xssRegex, request.headers.Referer))): block(id=48, category='xss', score=100, description='All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic <= 2.3.6 - Stored Cross-Site Scripting', whitelist=0) if (match('/sitemap_.*?<.*?(:?_\d+)?\.xml(:?\.gz)?/i', request.path)): block(id=49, category='xss', score=100, description='All in One SEO Pack <= 2.3.7 - Unauthenticated Stored XSS', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and currentUserIsNot('administrator', server.empty) and lengthGreaterThan('0', request.md5Body.dfff0a7fa1a55c8c1a4966c19f6da452, request.md5QueryString.dfff0a7fa1a55c8c1a4966c19f6da452) and md5Equals('266e0d3d29830abfe7d4ed98b47966f7', request.body.action, request.queryString.action)): block(id=52, category='file_upload', score=100, description='File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download', 
whitelist=0) if (currentUserIsNot('administrator', server.empty) and match('/^(?:lvo_admin_head|lvo_add_new_album|lvo_delete_album|reset_albums|save_lvo_settings|lvo_single_image_upload|lvo_resize_image_and_add|lvo_delete_image|lvo_get_albums_table|lvo_get_albums_images_table|lvo_get_album|lvo_get_album_images|lvo_delete_cache|lvo_reorder_image|lvo_reorder_album|lvo_bulk_delete_albums|lvo_bulk_disable_albums|lvo_bulk_enable_albums|delete_image|lvo_bulk_delete_images|lvo_bulk_disable_images|lvo_bulk_enable_images|lvo_disable_album|lvo_enable_album|lvo_disable_image|lvo_enable_image)$/i', request.body.task, request.queryString.task)): block(id=53, category='file_upload', score=100, description='Levo Slideshow <= 2.3 - Arbitrary File Upload', whitelist=0) if (match('#/form\-lightbox/ajax\.php$#i', server.script_filename) and currentUserIsNot('administrator', server.empty)): block(id=55, category='auth-bypass', score=100, description='Form Lightbox <= 2.1 - Unauthenticated Arbitrary Options Update', whitelist=0) if (currentUserIsNot('administrator', server.empty) and (md5Equals('8c2e1c2817e3de18e2140498bdd4f7fa', request.queryString.Action) or md5Equals('e12a2417ffbd0ae4010210b596a3f230', request.queryString.Action) or md5Equals('df33bf68ad0288e1547139e02c1e096b', request.queryString.Action) or md5Equals('c000b32f92bbd81b6cbbddd101073e54', request.queryString.Action) or md5Equals('cc61a84091dcc8b9bd6ae35cf48d71ab', request.queryString.Action) or md5Equals('c80c9038bbb5910385decc276e42061e', request.queryString.Action) or md5Equals('b81e270701125a0024db04bebdbcfc2a', request.queryString.Action) or md5Equals('2e563359c1b268da0041c5bf822857a1', request.queryString.Action) or md5Equals('4ba84dbaaafd4e7d98f55e9f093fe65a', request.queryString.Action) or md5Equals('1deb089a44f2962f92c678a451e61142', request.queryString.Action) or md5Equals('6ffa8f3e70a6279866e4b2c16fe18729', request.queryString.Action) or md5Equals('aa1c4fd7fb193a2cd1b0cc9150131b31', 
request.queryString.Action) or md5Equals('91e590bfc230eb3971ef1bb6b97ef974', request.queryString.Action) or md5Equals('d0e980fd7bc681b3c3085b1ac31024d6', request.queryString.Action) or md5Equals('069dde6f8ea27c8618cc8f6c6703a7c7', request.queryString.Action) or md5Equals('819900411c0d5c99c116bbce137ee04b', request.queryString.Action) or md5Equals('097d5401a3ae688b669f29351b9667de', request.queryString.Action) or md5Equals('81f1bbc03176c4525b8801b0058b309a', request.queryString.Action) or md5Equals('a8072b3a87b49ffea18548f35c6abd8c', request.queryString.Action) or md5Equals('364409901cb1fce968104dce4bf7e4fe', request.queryString.Action) or md5Equals('246c8343383408c8644f31b1f42617ce', request.queryString.Action) or md5Equals('66d87c0a0e2c02192c322c61d9d6990a', request.queryString.Action) or md5Equals('67bfe619d00425b51276ae083ae271a5', request.queryString.Action) or md5Equals('4aaddae320d8aaa8241ffd22693dd546', request.queryString.Action) or md5Equals('141f5901534f2b3092be526cac250bb6', request.queryString.Action) or md5Equals('2b7efaffcb87e027a011c33125585db7', request.queryString.Action) or md5Equals('979e32726f541a1e568557e9eb6554aa', request.queryString.Action) or md5Equals('c252a9eb30d304ba6079376ef5231aad', request.queryString.Action) or md5Equals('75b0967858cf244d4e2654e69b33d2f1', request.queryString.Action) or md5Equals('9cfad494bbf947c2ce316fe96eac396d', request.queryString.Action) or md5Equals('a4a148b325f286e07d9f24e3654e2672', request.queryString.Action) or md5Equals('3863850b63dc41d4e6e8cee097644d18', request.queryString.Action) or md5Equals('8fb62eed357b03c7be735352ab247bbe', request.queryString.Action) or md5Equals('a0380a8020e3a09257a6c67a1fe14627', request.queryString.Action) or md5Equals('b0f145120ec76e700969f63c5af3e8f4', request.queryString.Action) or md5Equals('52f6fc037a9e97f93309b1115882c080', request.queryString.Action) or md5Equals('f2a2c32747d2d49ddf682158eb9a510e', request.queryString.Action) or 
md5Equals('5caa7c3d6bba5a36798619b0ac4747bb', request.queryString.Action) or md5Equals('a0793408acebd97af0414d46b6705a65', request.queryString.Action) or md5Equals('f605a16b247f81f2eb2fdc097e1e1a19', request.queryString.Action) or md5Equals('ea7348459bf68bf881facb0e5d18ccd7', request.queryString.Action) or md5Equals('c747677e1903fdfffd4108f3347cf5ab', request.queryString.Action) or md5Equals('05c0ea3ee2df67b6bc2f3921c3fe2180', request.queryString.Action) or md5Equals('d986eb29534241e46402c30e678af902', request.queryString.Action))): block(id=57, category='priv-esc', score=100, description='Ultimate Product Catalog <= 3.8.1 - Missing Authorization to Plugin Settings Update', whitelist=0) if (match(xssRegex, request.headers['Client-IP'], request.headers['Client-Ip'], request.headers['X-Forwarded-For'], request.headers['X-Forwarded'], request.headers['X-Cluster-Client-IP'], request.headers['Forwarded-For'], request.headers.Forwarded)): block(id=59, category='xss', score=100, description='Generic XSS Injection in IP Forwarding Headers', whitelist=0) if (match('/\/(?:timthumb\.php|img\.php)/i', request.path) and match('/[^A-Za-z0-9\-\.\_:\/\?\&\+\;\=]/', request.queryString.src) and lengthGreaterThan('0', request.queryString.webshot)): block(id=64, category='rce', score=100, description='TimThumb <= 2.8.13 - Remote Code Execution', whitelist=0) if (match('/\/(?:timthumb\.php|img\.php)/i', request.path) and notMatch('_^[^\?]+?\.(?:jpg|jpeg|gif|png)(?:\?[a-z0-9\-\_\.\~%\!\$&\'\(\)\*\+,;\=\:@\/\?]*)?$_iu', request.queryString.src) and lengthGreaterThan('0', request.queryString.src) and (lengthLessThan('1', request.queryString.webshot) or equals('0', request.queryString.webshot))): block(id=63, category='rfd', score=100, description='TimThumb <= 1.33 - Remote File Download', whitelist=0) if (currentUserIsNot('administrator', server.empty) and match('/^(?:wysija_)+campaigns/i', request.body.page, request.queryString.page) and (equals('themes', request.body.action, 
request.queryString.action) or equals('themeupload', request.body.action, request.queryString.action))): block(id=65, category='file_upload', score=100, description='MailPoet Newsletters <= 2.6.6 - Arbitrary File Upload', whitelist=0) if ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and currentUserIsNot('administrator', server.empty) and match('/^(?:nopriv_)?nm_postfront_save_settings$/i', request.body.action, request.queryString.action)) or (currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty) and currentUserIsNot('author', server.empty) and ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('/^(?:nopriv_)?nm_postfront_(?:load_post_form|save_post|upload_file)$/i', request.body.action, request.queryString.action)) or match('#/plupload[^/]*/+examples/+upload\.php#i', request.path)))): block(id=69, category='file_upload', score=100, description='N-Media Post Front-end Form < 1.1 - Arbitrary File Upload', whitelist=0) if (match('#/cysteme\-finder[^/]*/+php/+connector\.php#i', request.path) and currentUserIsNot('administrator', server.empty)): block(id=70, category='file_upload', score=100, description='CYSTEME Finder <= 1.3 - Arbitrary File Upload/Read', whitelist=0) if (notMatch('/\.(jpe?g|png|mpeg|mov|flv|pdf|docx?|txt|csv|avi|mp3|wma|wav)($|\.)/i', request.fileNames) and lengthGreaterThan('0', request.body.save_bepro_listing)): block(id=78, category='file_upload', score=100, description='BePro Listings <= 2.2.0020 - Unauthenticated Arbitrary File Upload', whitelist=0) if (equals('fancybox-for-wordpress', request.queryString.page) and match(xssRegex, request.body.mfbfw)): block(id=81, category='xss', score=100, description='FancyBox for WordPress <= 3.0.2 - Stored Cross-Site Scripting', whitelist=0) if ((match('#/delete\-all\-comments/delete\-all\-comments\.php$#i', server.script_filename) or (lengthGreaterThan('0', request.body.restorefromfileNAME) and lengthGreaterThan('0', 
request.body.restorefromfileURL))) and currentUserIsNot('administrator', server.empty)): block(id=83, category='file_download', score=100, description='Delete All Comments <= 2.0 - Arbitrary File Upload', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and currentUserIsNot('administrator', server.empty) and equals('showbiz_ajax_action', request.body.action) and equals('update_plugin', request.body.client_action)): block(id=88, category='file_upload', score=100, description='Showbiz Pro Responsive Teaser WordPress Plugin <= 1.7.1 - Arbitrary File Upload', whitelist=0) if (currentUserIsNot('administrator', server.empty) and match('#monetize[\/]+templatic\-custom_fields[\/]+single\-upload\.php#i', request.path)): block(id=89, category='file_upload', score=100, description='Tevolution < 2.3.0 - Arbitrary File Upload', whitelist=0) if (currentUserIsNot('administrator', server.empty) and match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('/^(?:nopriv_)?td_ajax_update_panel$/i', request.body.action, request.queryString.action)): block(id=91, category='auth-bypass', score=100, description='Newspaper - News & WooCommerce WordPress Theme <= 6.7 - Arbitrary Options Update', whitelist=0) if (currentUserIsNot('administrator', server.empty) and match('/Save\sSetting/i', request.body.savesetting) and (match('/(p(h(p|tml)[0-9]?|l|y)|(j|a)sp|aspx|sh|shtml|html?|cgi|htaccess|ini|exe)/i', request.body.accepted_file_types) or match('/(p(h(p|tml)[0-9]?|l|y)|(j|a)sp|aspx|sh|shtml|html?|cgi|htaccess|ini|exe)/i', request.body.inline_file_types))): block(id=94, category='file_upload', score=100, description='jQuery HTML5 File Upload <= 3.0 - Multiple Vulnerabilities', whitelist=0) if (currentUserIsNot('administrator', server.empty) and notEquals('', request.body.email) and equals('loginGuestFacebook', request.body.action)): block(id=99, category='privesc', score=100, description='WP Support Plus Responsive Ticket System <= 7.1.4 - 
Authentication Bypass', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (md5Equals('da6c71b8bb99069bd8e2fde83d95cf0d', request.body.action, request.queryString.action) or md5Equals('144e471fa0e0005b146b3f10ed5f8192', request.body.action, request.queryString.action)) and (match('/(?:^|&)(?:f|%66)(?:o|%6f)(?:r|%72)(?:m|%6d)(?:_|%5f)(?:d|%64)(?:a|%61)(?:t|%74)(?:a|%61)(?:\[|%5b)(.+?)(?:\]|%5d)(?:\[|%5b)(?:n|%6e)(?:a|%61)(?:m|%6d)(?:e|%65)(?:\]|%5d)=(?:f|%66)(?:o|%6f)(?:r|%72)(?:m|%6d)(?:_|%5f)(?:i|%69)(?:d|%64)&.*?(?:f|%66)(?:o|%6f)(?:r|%72)(?:m|%6d)(?:_|%5f)(?:d|%64)(?:a|%61)(?:t|%74)(?:a|%61)(?:\[|%5b)\1(?:\]|%5d)(?:\[|%5b)(?:v|%76)(?:a|%61)(?:l|%6c)(?:u|%75)(?:e|%65)(?:\]|%5d)=\d*[^\d&]+/i', request.rawBody) or match('/(?:^|&)(?:f|%66)(?:o|%6f)(?:r|%72)(?:m|%6d)(?:_|%5f)(?:d|%64)(?:a|%61)(?:t|%74)(?:a|%61)(?:\[|%5b)(.+?)(?:\]|%5d)(?:\[|%5b)(?:v|%76)(?:a|%61)(?:l|%6c)(?:u|%75)(?:e|%65)(?:\]|%5d)=\d*[^\d&]+[^&]*&.*?(?:f|%66)(?:o|%6f)(?:r|%72)(?:m|%6d)(?:_|%5f)(?:d|%64)(?:a|%61)(?:t|%74)(?:a|%61)(?:\[|%5b)\1(?:\]|%5d)(?:\[|%5b)(?:n|%6e)(?:a|%61)(?:m|%6d)(?:e|%65)(?:\]|%5d)=(?:f|%66)(?:o|%6f)(?:r|%72)(?:m|%6d)(?:_|%5f)(?:i|%69)(?:d|%64)(?:$|&)/i', request.rawBody))): block(id=105, category='sqli', score=100, description='Ultimate Form Builder Lite <= 1.3.6 - SQL Injection to PHP Object Injection', whitelist=0) if (equals('true', request.queryString.up_auto_log)): block(id=106, category='auth-bypass', score=100, description='UserPro - User Profiles with Social Login <= 4.9.17 - Authentication Bypass', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and lengthGreaterThan('0', request.body.before_html, request.queryString.before_html, request.body.after_html, request.queryString.after_html) and match('/^(?:nopriv_)?frm_forms_preview$/i', request.body.action, request.queryString.action)): block(id=107, category='auth-bypass', score=100, description='Formidable Forms < 2.05.03 - Multiple 
Vulnerabilities', whitelist=0) if (match('/\/wp\-admin\/admin\-ajax\.php$/i', server.script_filename) and ((match('/^ampforwp_(save_installer|get_licence_activate_update|deactivate_license|enable_modules_upgread)$/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)) or (match('/^(amppb_(color_picker|textEditor|export_layout_data|save_layout_data)|ampforwp_get_image)$/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty) and currentUserIsNot('author', server.empty) and currentUserIsNot('contributor', server.empty)))): block(id=121, category='auth-bypass', score=100, description='AMP for WP <= 0.9.97.19 - Missing Authorization', whitelist=0) if (match('/^yuzo_related_post/', request.body.name_options) and (lengthGreaterThan('0', request.body.save_options) or identical('', request.body.save_options) or lengthGreaterThan('0', request.body.reset_options) or identical('', request.body.reset_options)) and currentUserIsNot('administrator', server.empty)): block(id=137, category='auth-bypass', score=100, description='Yuzo Related Posts <= 5.12.93 - Missing Authorization to Stored Cross-Site Scripting', whitelist=0) if ((identical('', request.queryString.yp_remote_get) or lengthGreaterThan('0', request.queryString.yp_remote_get)) and currentUserIsNot('administrator', server.empty)): block(id=138, category='privesc', score=100, description='Visual CSS Style Editor <= 7.2.0 - Unauthenticated Arbitrary Options Update', whitelist=0) if (match('#/(a|%61|%41)(r|%72|%52)(i|%69|%49)(\-|%2d)(a|%61|%41)(d|%64|%44)(m|%6d|%4D)(i|%69|%49)(n|%6e|%4E)(e|%65|%45)(r|%72|%52)/#i', request.path) and currentUserIsNot('administrator', server.empty)): block(id=139, category='auth-bypass', score=100, description='ARI-Adminer <= 1.1.14 - Missing Authorization and No Direct File Access Restrictions', whitelist=0) if ((identical('', 
request.body.wpsetting, request.body.wp_db_backup_email_attachment, request.body.wp_db_backup_email_id, request.body.wp_db_backup_destination_Email) or lengthGreaterThan('0', request.body.wpsetting, request.body.wp_db_backup_email_attachment, request.body.wp_db_backup_email_id, request.body.wp_db_backup_destination_Email)) and currentUserIsNot('administrator', server.empty)): block(id=140, category='rce', score=100, description='WP Database Backup <= 5.1.2 - Unauthenticated Settings Update', whitelist=0) if (lengthGreaterThan('0', request.body.wuev_form_type) and currentUserIsNot('administrator', server.empty)): block(id=142, category='auth-bypass', score=100, description='WooCommerce User Email Verification <= 3.3.0 - Unauthenticated Arbitrary Options Update', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and ( equals('update_attachment_wccm', request.body.action, request.queryString.action) or (equals('wooccm_front_enduploadsave', request.body.action, request.queryString.action) and lengthGreaterThan('0',request.body.remove,request.queryString.remove)) ) and currentUserIsNot('administrator', server.empty)): block(id=144, category='auth-bypass', score=100, description='WooCommerce Checkout Manager <= 4.2.6 - Unauthenticated Arbitrary Media Deletion', whitelist=0) if ((identical('', request.body.custom_css) or lengthGreaterThan('0', request.body.custom_css) or lengthGreaterThan('0', request.body.blog_page_display)) and identical('save', request.queryString.action, request.body.action) and identical('true', request.queryString.updated, request.body.updated) and currentUserIsNot('administrator',server.empty)): block(id=145, category='xss', score=100, description='Blog Designer <= 1.8.10 - Unauthenticated Stored Cross-Site Scripting', whitelist=0) if (currentUserIsNot('administrator',server.empty) and ( identical('', request.body.wplc_save_settings) or lengthGreaterThan('0', request.body.wplc_save_settings) or identical('', 
request.body.wplc_custom_css) or lengthGreaterThan('0', request.body.wplc_custom_css) or identical('', request.body.wplc_custom_js) or lengthGreaterThan('0', request.body.wplc_custom_js) )): block(id=147, category='xss', score=100, description='WP Live Chat Support <= 8.0.27 - Unauthenticated Stored Cross-Site Scripting', whitelist=0) if (match('/application\/json/', request.headers['Content-Type']) and match('/\/graphql/', request.path) and match('/^\s*\{\s*"query"/', request.rawBody) and ( match('/\{\s*(plugins|themes|mediaItems|users|comments|posts|pages)/', request.rawBody) or match('/mutation\s*\{\s*registerUser.*?roles:/s', request.rawBody) ) and currentUserIsNot('administrator', server.empty)): block(id=148, category='auth-bypass', score=100, description='WPGraphQL <= 0.2.3 - Multiple Vulnerable Actions', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('cp_add_subscriber', request.body.action, request.queryString.action) and match('/^(administrator|editor|shop_manager|author)$/i', request.body.cp_set_user) and currentUserIsNot('administrator', server.empty)): block(id=149, category='privesc', score=100, description='Convert Plus <= 3.4.2 - Unauthenticated Administrator Creation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('ai_ajax_backend', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.preview) and lengthGreaterThan('0', request.body.code) and currentUserIsNot('administrator', server.empty)): block(id=153, category='rce', score=100, description='Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('hc_ajax_save_option', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=154, category='privesc', score=100, description='Hybrid Composer <= 1.4.6 - 
Missing Authorization to Arbitrary Options Update', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and currentUserIsNot('administrator', server.empty) and match('#^mk_file_manager_(backup_remove|single_backup_remove|single_backup_logs|single_backup_restore)$#i', request.body.action, request.queryString.action)): block(id=151, category='privesc', score=100, description='File Manager <= 4.8 - Missing Authorization on AJAX Actions', whitelist=0) if (match('/^[0-9a-f]{32}$/', request.md5Body['5f4dcc3b5aa765d61d8327deb882cf99'], request.md5QueryString['5f4dcc3b5aa765d61d8327deb882cf99']) and (md5Equals('808ad1ac54d3a5e6ab09ed69c2a6605d', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('84a1c9137ae2863590475c6c385b92d7', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('0ebbe8a2b6999ec31f44118f5396e3f3', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('770209dbd19d2cd3da20a08cb138036e', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('d480834a6c46e6e0778d0c863a010667', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('9a2f516318cdf6712d01150110b590b8', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5'])) ): block(id=152, category='backdoor', score=100, description='WAF-RULE-152', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and match('#^(?:nopriv_)?nd_[^_]+_import_settings_php_function#i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=155, category='auth-bypass', score=100, description='ND 
Shortcodes <= 5.9.1 & ND Booking <= 2.4 - Unauthenticated Arbitrary Options Update', whitelist=0) if (lengthGreaterThan('0',request.files.wbcr_inp_import_files) and currentUserIsNot('administrator', server.empty)): block(id=156, category='file_upload', score=100, description='Woody Ad Snippets <= 2.2.4 - Missing Authorization to Settings Import', whitelist=0) if ((lengthGreaterThan('0', request.body.wpmm_theme_type) or equals('export_wpmm_theme',request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=158, category='xss', score=100, description='WP Mega Menu <= 1.3.6 - Unauthenticated Settings Update to Stored Cross-Site Scripting', whitelist=0) if ((lengthGreaterThan('0',request.body.submit_bulk_301) or identical('',request.body.submit_bulk_301) or equals('bulk301clearlist',request.body.action, request.queryString.action) or equals('bulk301export', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=159, category='file_upload', score=100, description='Simple 301 Redirects Addon Bulk Uploader <= 1.2.4 - Missing Authorization', whitelist=0) if (lengthGreaterThan('0', request.body.wppcp_tab) and currentUserIsNot('administrator', server.empty)): block(id=161, category='auth-bypass', score=100, description='WP Private Content Plus <= 1.31 - Unauthenticated Settings Change', whitelist=0) if (matchCount(sqliRegex, request.body, request.queryString) and currentUserIsNot('administrator', server.empty)): failSQLi(id=3, category='sqli', score=40, description='SQL Injection') if (matchCount(xssRegex, request.body, request.queryString)): failXSS(id=9, category='xss', score=100, description='XSS: Cross Site Scripting') if (match('/\.(p(h(pt?|t(ml?)?|ar)[0-9]?|l|y)|(j|a)sp|aspx|sh|shtml|html?|cgi|htaccess|user\.ini)($|\.)/i', request.fileNames) and currentUserIsNot('administrator', server.empty)): block(id=11, category='file_upload', score=100, description='Malicious File Upload') if 
(currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty) and currentUserIsNot('author', server.empty) and filePatternsMatch('', request.fileNames)): block(id=68, category='file_upload', score=100, description='Malicious File Upload (Patterns)', whitelist=0) if (match('/(^|\/|\\)\.\.(\\|\/)/', request.body, request.queryString) and currentUserIsNot('administrator', server.empty)): block(id=12, category='traversal', score=100, description='Directory Traversal') if (currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty) and currentUserIsNot('author', server.empty) and fileHasPHP('', request.fileNames)): block(id=76, category='file_upload', score=100, description='Malicious File Upload (PHP)', whitelist=0) if (match('/^\/(?:\.\/)*(?:var|usr|mnt|etc|tmp|dev|proc)\//i', request.body, request.queryString) and currentUserIsNot('administrator', server.empty)): block(id=13, category='lfi', score=100, description='LFI: Local File Inclusion') if (match('/<\!(?:DOCTYPE|ENTITY)\s+(?:%\s*)?\w+\s+SYSTEM/i', request.body, request.queryString)): block(id=14, category='xxe', score=100, description='XXE: External Entity Expansion', whitelist=0) if (match('/^(?:nopriv_)?wpgdprc_process_action$/i', request.body.action, request.queryString.action) and notMatch('/^\{[\'"]type[\'"]:[\'"]access_request[\'"],\s?[\'"]email[\'"]:[\'"][^\'"]+[\'"],\s?[\'"]consent[\'"]:(true|false)\}$/i', request.body.data) and currentUserIsNot('administrator', server.empty)): block(id=120, category='privesc', score=100, description='WP GDPR Compliance <= 1.4.2 - Arbitrary Options Update and Action Calling', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and match('/^(?:nopriv_)?kiwi_social_share_set_option$/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=122, category='privesc', score=100, description='Kiwi Social Share <= 2.0.10 - 
Unauthenticated Update Any Option', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and match('/^(?:nopriv_)?kiwi_social_share_get_option$/i', request.body.action, request.queryString.action) and (currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty) and currentUserIsNot('author', server.empty))): block(id=123, category='sde', score=100, description='Kiwi Social Share <= 2.0.10 - Unauthenticated Read Any Option', whitelist=0) if ((match('/wp-json[\/]+templates-directory[\/]+import_elementor/i', request.path) or match('/templates-directory[\/]+import_elementor/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=125, category='auth-bypass', score=100, description='Orbit Fox by ThemeIsle <= 2.6.3 - Improper REST Capabilities Checks', whitelist=0) if ((match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) or match('/the-ajax-caller\.php/i', server.script_filename)) and match('/^(nopriv_)?miglaA?_/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty) and match('/^(?:nopriv_)?miglaA?_(?:add_(?:amount|options|offline_backend)|change_donation|constantcontact_test|delete_(?:postmeta|mform)|export_report|form_bgcolor|get(?:OffDonation|me(?:_array)?|_(?:option|postmeta))|mailchimp_(?:getlists|test)|new_(?:mform|mCampaignCreator)|purgeCache|remove_(?:donation|options)|report|reset_(?:c?form|theme)|retrieve_cc_lists|save_(?:option|campaign(?:_creator)?)|stripe_(?:add(?:Basic)?|get|delete)Plan|syncPlan|test_(?:email|hEmail|offline_email|constant_contact)|update(?:Undesignated|_(?:me|barinfo|c?form|me(?:tadata)?|arr|us|recurring_plans|report|postmeta)))$/i', request.body.action, request.queryString.action)): block(id=129, category='privesc', score=100, description='Total Donations <= 2.0.5 - Missing Authorization to Arbitrary Options Update', whitelist=0) if 
(match('/\/wp\-admin[\/]+admin\-ajax\.php/i', request.path) and match('/^userpro_process_form$/i', request.body.action, request.queryString.action) and match('/(?:^|&)((?:f|%66)(?:o|%6f)(?:r|%72)(?:m|%6d)(?:_|%5f))?(?:r|%72)(?:o|%6f)(?:l|%6c)(?:e|%65)(?:(?:-|%2d).+)?=(?:(?:a|%61)(?:d|%64)(?:m|%6d)(?:i|%69)(?:n|%6e)(?:i|%69)(?:s|%73)(?:t|%74)(?:r|%72)(?:a|%61)(?:t|%74)(?:o|%6f)(?:r|%72)|(?:e|%65)(?:d|%64)(?:i|%69)(?:t|%74)(?:o|%6f)(?:r|%72)|(?:s|%73)(?:h|%68)(?:o|%6f)(?:p|%70)(?:_|%5f)(?:m|%6d)(?:a|%61)(?:n|%6e)(?:a|%61)(?:g|%67)(?:e|%65)(?:r|%72))/i', request.rawBody) and currentUserIsNot('administrator', server.empty)): block(id=130, category='bypass', score=100, description='UserPro <= 4.9.20 - Privilege Escalation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and match('/^fs_set_db_option$/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=132, category='privesc', score=100, description='Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update', whitelist=0) if ((match('/wp-json[\/]+siteground-optimizer[\/]+v1/i', request.path) or match('/siteground-optimizer[\/]+v1/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=134, category='auth-bypass', score=100, description='SiteGround Optimizer <= 5.0.12 - Missing Authorization', whitelist=0) if ((lengthGreaterThan('0', request.body.swpsmtp_import_settings) or (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and match('/^swpsmtp_(clear_log|self_destruct)$/i', request.body.action, request.queryString.action))) and currentUserIsNot('administrator', server.empty)): block(id=135, category='privesc', score=100, description='Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update', whitelist=0) if (lengthGreaterThan('0', request.queryString.swp_url) and currentUserIsNot('administrator', 
server.empty)): block(id=136, category='xss', score=100, description='Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and match('/^(?:nopriv_)?bt_bb_save_custom_css$/i', request.body.action, request.queryString.action) and (currentUserIsNot('editor', server.empty) and currentUserIsNot('administrator', server.empty))): block(id=162, category='xss', score=100, description='Bold Page Builder <= 2.3.1 - Missing Authorization to Settings Update', whitelist=0) if (lengthGreaterThan('0', request.queryString['give-api']) and notEquals('forms', request.queryString['give-api']) and notMatch('/^[0-9a-fA-F]{32}$/', request.queryString.key) and currentUserIsNot('administrator', server.empty)): block(id=163, category='auth-bypass', score=100, description='GiveWP <= 2.5.4 - Authorization Bypass', whitelist=0) if (lengthGreaterThan('0', request.queryString['aam-media']) and match('/wp\-config\.php/i', request.path, request.queryString['aam-media'])): block(id=164, category='auth-bypass', score=100, description='Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read', whitelist=0) if (lengthGreaterThan('0', request.files.llms_import) and currentUserIsNot('administrator', server.empty)): block(id=165, category='auth-bypass', score=100, description='LMS by LifterLMS <= 3.35.0 - Stored Cross-Site Scripting via Import', whitelist=0) if (match('/\/qode-instagram-widget\/lib\/instagram-redirect\.php/i', server.script_filename)): block(id=166, category='redirect', score=100, description='Qode Instagram Widget <= 2.0.1 - Unauthenticated Open Redirect', whitelist=0) if ((lengthGreaterThan('0', request.files.import_settings) or lengthGreaterThan('0', request.queryString.export_settings) or identical('', request.queryString.export_settings) or match('/^stm_ajax_(file_)?automanager/i', request.body.action, request.queryString.action) or match('/stm_listings_.+option/i', 
request.body.action, request.queryString.action) or lengthGreaterThan('0', request.queryString.stm_xml_do_import_automanager) or identical('', request.queryString.stm_xml_do_import_automanager)) and currentUserIsNot('administrator', server.empty)): block(id=167, category='auth-bypass', score=100, description='Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated Settings Import/Export', whitelist=0) if (equals('br-aapf-setup', request.queryString.page) and currentUserIsNot('administrator', server.empty)): block(id=168, category='auth-bypass', score=100, description='WooCommerce AJAX Product Filters <= 1.3.6 - Arbitrary Settings Update', whitelist=0) if ((equals('rr-update-options', request.body.update) or equals('rr-update-support', request.body.update) or equals('rr-update-support-prompt', request.body.update)) and currentUserIsNot('administrator', server.empty)): block(id=170, category='auth-bypass', score=100, description='Rich Reviews <= 1.7.4 - Stored Cross-Site Scripting', whitelist=0) if (equals('simple_fields_do_import', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=172, category='xss', score=100, description='Simple Fields <= 1.4.11 - Cross-Site Scripting', whitelist=0) if (match('#/wp\-json/wpshopify/v1/settings#i', request.path) and currentUserIsNot('administrator', server.empty)): block(id=176, category='xss', score=100, description='ShopWP <= 2.0.4 - Missing Authorization to Stored Cross-Site Scripting', whitelist=0) if (lengthGreaterThan('0', request.queryString.status, request.body.status) and lengthGreaterThan('0', request.queryString.report, request.body.report) and currentUserIsNot('administrator', server.empty)): block(id=177, category='file-download', score=100, description='Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated File Download w/ Information Disclosure', whitelist=0) if (equals('es_send_test_email', request.queryString.action, request.body.action) and 
currentUserIsNot('administrator', server.empty)): block(id=179, category='bypass', score=100, description='Email Subscribers & Newsletters <= 4.2.2 - Missing Authorization to Test Email', whitelist=0) if (equals('fastvelocity_min_files', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=182, category='auth-bypass', score=100, description='Fast Velocity Minify <= 2.7.6 - Full Path Disclosure', whitelist=0) if (match('/\/qode-twitter-feed\/lib\/twitter-redirect\.php/i', server.script_filename)): block(id=184, category='redirect', score=100, description='Bridge Theme <= 18.2, Qode Instagram Widget <= 2.0.1, Qode Twitter Feed <= 2.0.0 - Unauthenticated Open Redirect', whitelist=0) if ((identical('', request.queryString.stripe_publishable_key) or lengthGreaterThan('0', request.queryString.stripe_publishable_key)) and currentUserIsNot('administrator', server.empty)): block(id=185, category='auth-bypass', score=100, description='GiveWP <= 2.5.9 - Missing Authorization to Settings Update', whitelist=0) if (lengthGreaterThan('0', request.body.companion_disable_popup_wpnonce) and currentUserIsNot('administrator', server.empty)): block(id=186, category='priv-esc', score=100, description='Mesmerize <= 1.6.89 & Materialis <= 1.0.172 - Authenticated Arbitrary Options Update', whitelist=0) if (equals('heateor_sss_sharing_count', request.queryString.action) and (contains("%3C", request.uri) or contains("<", request.uri) or contains("%3c", request.uri)) and contains('urls', request.uri)): block(id=187, category='xss', score=100, description='Sassy Social Share <= 3.3.3 - Reflected Cross-Site Scripting', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and ( equals('eps_redirect_get_new_entry', request.queryString.action, request.body.action) or equals('eps_redirect_delete_entry', request.queryString.action, request.body.action) or equals('eps_redirect_get_inline_edit_entry', request.queryString.action, 
request.body.action) or equals('eps_redirect_save', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=189, category='bypass', score=100, description='301 Redirects - Easy Redirect Manager <= 2.40 - Missing Authorization') if (equals('csmm_change_status', request.queryString.action, request.body.action) and (equals('enabled', request.queryString.new_status, request.body.new_status) or equals('disabled', request.queryString.new_status, request.body.new_status)) and currentUserIsNot('administrator', server.empty)): block(id=190, category='auth-bypass', score=100, description='Minimal Coming Soon & Maintenance Mode <= 2.10 - Missing Authorization', whitelist=0) if ((equals('csmm_export_settings', request.queryString.action, request.body.action) or equals('csmm_activate_theme', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=191, category='bypass', score=100, description='Minimal Coming Soon & Maintenance Mode <= 2.16 - Missing Authorization to Export Settings/Theme Change', whitelist=0) if ((lengthGreaterThan('0', request.queryString['db-reset-code'], request.body['db-reset-code']) or lengthGreaterThan('0', request.queryString['db-reset-code-confirm'], request.body['db-reset-code-confirm']) or identical('',request.queryString['db-reset-code'], request.body['db-reset-code']) or identical('',request.queryString['db-reset-code-confirm'], request.body['db-reset-code-confirm'])) and currentUserIsNot('administrator', server.empty)): block(id=192, category='priv-esc', score=100, description='WordPress Database Reset <= 3.1 - Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('importJSONTable', request.queryString.action, request.body.action) or equals('getJSONExportTable', request.queryString.action, request.body.action) or equals('createFromTpl', request.queryString.action, 
request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=194, category='xss', score=100, description='Pricing Table by Supsystic <= 1.8.1 - Missing Authorization on AJAX Actions', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('supsystic-tables', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=196, category='auth-bypass', score=100, description='Data Tables Generator by Supsystic <= 1.9.91 - Missing Authorization on AJAX Actions', whitelist=0) if (equals('elementor-system-info', request.queryString.page) and match('/(?:%22|")/', request.uri)): block(id=199, category='xss', score=100, description='Elementor Website Builder <= 2.8.4 - Reflected Cross-Site Scripting', whitelist=0) if ((lengthGreaterThan(0, request.queryString.auto_login) or identical('', request.queryString.auto_login)) and lengthGreaterThan(0, request.queryString.mwp_goto) and lengthGreaterThan(0, request.queryString.service_sign) and lengthGreaterThan(0, request.queryString.service_key) and lengthGreaterThan(0, request.queryString.username) and lengthGreaterThan(0, request.queryString.message_id) and notMatch('/^[0-9a-f]+_\d+$/', request.queryString.message_id)): block(id=200, category='auth-bypass', score=100, description='Manage WP Worker <= 4.9.2 - Authentication Bypass', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('cli_policy_generator', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=201, category='auth-bypass', score=100, description='GDPR Cookie Consent & Compliance Notice <= 1.8.2 - Authenticated Stored Cross-Site Scripting and Authorization Bypass', whitelist=0) if ((lengthGreaterThan('0', request.body.custom_field_user_role) and match("/administrator/i", request.body.custom_field_user_role)) and 
currentUserIsNot('administrator', server.empty)): block(id=204, category='auth-bypass', score=100, description='Profile Builder <= 3.1.0 - Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('my_wpc_fetch_authkey', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=205, category='auth-bypass', score=100, description='wpCentral <= 1.4.7 - Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#^my_wpc_#', request.queryString.action, request.body.action) and lengthGreaterThan('0', request.body.auth_key, request.queryString.auth_key) and notEquals('192.200.108.100',request.ip)): block(id=206, category='privesc', score=100, description='wpCentral <= 1.5.0 - Improper Access Control to Privilege Escalation', whitelist=0) if ((lengthGreaterThan('0', request.queryString.do_reset_wordpress) or identical('', request.queryString.do_reset_wordpress)) and currentUserIsNot('administrator', server.empty)): block(id=207, category='auth-bypass', score=100, description='ThemeGrill Demo Importer 1.3.4 - 1.6.1 - Authorization Bypass to Site Reset', whitelist=0) if ((match('/wp-json[\/]+trx_addons[\/]+V2[\/]+get[\/]+sc_layout/i', request.path) or match('/trx_addons[\/]+V2[\/]+get[\/]+sc_layout/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=209, category='rce', score=100, description='ThemeREX Addons (Various Versions) - Missing Authorization', whitelist=0) if (((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('send_email_user_view', request.body.action, request.queryString.action) or equals('rm_admin_upload_template', request.body.action, request.queryString.action) or equals('import_first', request.body.action, request.queryString.action) or equals('set_default_form', request.body.action, 
request.queryString.action) or equals('rm_save_form_view_sett', request.body.action, request.queryString.action))) or equals('rm_form_export', request.body.rm_slug, request.queryString.rm_slug) or equals('rm_user_edit', request.body.rm_slug, request.queryString.rm_slug)) and currentUserIsNot('administrator', server.empty)): block(id=210, category='privesc', score=100, description='Registration Magic <= 4.6.0.3 - Multiple Vulnerabilities', whitelist=0) if (lengthGreaterThan('0', request.body['smart_coupon_amount']) and lengthGreaterThan('15', request.queryString.page) and lengthGreaterThan('20', request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=211, category='auth-bypass', score=100, description='WooCommerce Smart Coupons <= 4.6.0 - Unauthenticated Coupon Creation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('ihc_ajax_admin_popup', request.queryString.action, request.body.action) or equals('ihc_get_font_awesome_popup', request.queryString.action, request.body.action) or equals('ihc_delete_user_via_ajax', request.queryString.action, request.body.action) or equals('ihc_ajax_admin_popup_the_forms', request.queryString.action, request.body.action) or equals('ihc_ajax_template_popup_preview', request.queryString.action, request.body.action) or equals('ihc_login_form_preview', request.queryString.action, request.body.action) or equals('ihc_locker_preview_ajax', request.queryString.action, request.body.action) or equals('ihc_register_preview_ajax', request.queryString.action, request.body.action) or equals('ihc_approve_new_user', request.queryString.action, request.body.action) or equals('ihc_approve_user_email', request.queryString.action, request.body.action) or equals('ihc_reorder_levels', request.queryString.action, request.body.action) or equals('ihc_preview_select_level', request.queryString.action, request.body.action) or equals('ihc_update_aweber', 
request.queryString.action, request.body.action) or equals('ihc_get_cc_list', request.queryString.action, request.body.action) or equals('ihc_return_csv_link', request.queryString.action, request.body.action) or equals('ihc_delete_coupon_ajax', request.queryString.action, request.body.action) or equals('ihc_notification_templates_ajax', request.queryString.action, request.body.action) or equals('ihc_delete_currency_code_ajax', request.queryString.action, request.body.action) or equals('ihc_preview_user_listing', request.queryString.action, request.body.action) or equals('ihc_delete_user_level_relationship', request.queryString.action, request.body.action) or equals('ihc_make_user_affiliate', request.queryString.action, request.body.action) or equals('ihc_check_mail_server', request.queryString.action, request.body.action) or equals('ihc_do_generate_individual_pages', request.queryString.action, request.body.action) or equals('ihc_preview_invoice_via_ajax', request.queryString.action, request.body.action) or equals('ihc_run_custom_process', request.queryString.action, request.body.action) or equals('ihc_do_delete_woo_ihc_relation', request.queryString.action, request.body.action) or equals('ihc_make_export_file', request.queryString.action, request.body.action) or equals('ihc_admin_send_email_popup', request.queryString.action, request.body.action) or equals('ihc_admin_do_send_email', request.queryString.action, request.body.action) or equals('ihc_admin_do_send_email', request.queryString.action, request.body.action) or equals('ihc_generate_direct_link', request.queryString.action, request.body.action) or equals('ihc_generate_direct_link_by_uid', request.queryString.action, request.body.action) or equals('ihc_direct_login_delete_item', request.queryString.action, request.body.action) or equals('ihc_save_reason_for_cancel_delete_level', request.queryString.action, request.body.action) or equals('ihc_close_admin_notice', request.queryString.action, 
request.body.action) or equals('ihc_update_list_notification_constants', request.queryString.action, request.body.action) or equals('ihc_admin_delete_level', request.queryString.action, request.body.action) or equals('ihc_admin_delete_order', request.queryString.action, request.body.action) or equals('ihc_admin_delete_locker', request.queryString.action, request.body.action) or equals('ihc_admin_delete_register_field', request.queryString.action, request.body.action) or equals('ihc_admin_delete_payment_transaction', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=212, category='auth-bypass', score=100, description='Indeed Membership Pro 7.3 - 8.6 - Missing Authorization Checks and Authentication Bypass', whitelist=0) if ((equals('inspire_checkout_fields_settings', request.body.option_page) or equals('inspire_checkout_fields_checkboxes', request.body.option_page)) and currentUserIsNot('administrator', server.empty)): block(id=213, category='bypass', score=100, description='Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('mec_save_notifications', request.queryString.action, request.body.action) or equals('nopriv_import_settings', request.queryString.action, request.body.action) or equals('import_settings', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=215, category='auth-bypass', score=100, description='Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', request.path) and equals('aj_steps', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=216, category='auth-bypass', score=100, description='Async JavaScript <= 
2.19.07.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting', whitelist=0) if (match('#\/wp\-admin\/#', request.path) and lengthGreaterThan('0', request.body.page, request.queryString.page) and lengthGreaterThan('0', request.body.step, request.queryString.step) and currentUserIsNot('administrator', server.empty) and ( lengthGreaterThan('0', request.body["map_api_key"]) or lengthGreaterThan('0', request.body["map_language"]) or lengthGreaterThan('0', request.body["choose_marker_icon"]) or lengthGreaterThan('0', request.body["marker_default_icon"]) or lengthGreaterThan('0', request.body["center_address"]) or lengthGreaterThan('0', request.body["center_lat"]) or lengthGreaterThan('0', request.body["center_lng"]) or lengthGreaterThan('0', request.body["zoom_level"]) or lengthGreaterThan('0', request.body["whell_scrolling"]) or lengthGreaterThan('0', request.body["map_draggable"]) or lengthGreaterThan('0', request.body["gdpr"]) or lengthGreaterThan('0', request.body["gdpr_text"]) or identical('', request.body["map_api_key"]) or identical('', request.body["map_language"]) or identical('', request.body["choose_marker_icon"]) or identical('', request.body["marker_default_icon"]) or identical('', request.body["center_address"]) or identical('', request.body["center_lat"]) or identical('', request.body["center_lng"]) or identical('', request.body["zoom_level"]) or identical('', request.body["whell_scrolling"]) or identical('', request.body["map_draggable"]) or identical('', request.body["gdpr"]) or identical('', request.body["gdpr_text"]))): block(id=217, category='auth-bypass', score=100, description='10WebMapBuilder <= 1.0.63 - Unauthenticated Stored Cross-Site Scripting via Plugin Settings Change', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and (equals('create_dynamic_page', request.body.action, request.queryString.action) or equals('delete_dynamic_page', request.body.action, request.queryString.action) or 
match('#^idx_#', request.body.action, request.queryString.action)) and notEquals('idx_get_saves', request.queryString.action) and notEquals ('idx_check_login', request.queryString.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=220, category='auth-bypass', score=100, description='IMPress for IDX Broker <= 2.6.1 - Multiple Vulnerabilities', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('responsive-ready-sites-import-xml', request.queryString.action, request.body.action) or equals('responsive-ready-sites-import-wpforms', request.queryString.action, request.body.action) or equals('responsive-ready-sites-import-customizer-settings', request.queryString.action, request.body.action) or equals('responsive-ready-sites-import-widgets', request.queryString.action, request.body.action) or equals('responsive-ready-sites-import-options', request.queryString.action, request.body.action) or equals('responsive-ready-sites-reset-customizer-data', request.queryString.action, request.body.action) or equals('responsive-ready-sites-reset-site-options', request.queryString.action, request.body.action) or equals('responsive-ready-sites-reset-widgets-data', request.queryString.action, request.body.action) or equals('responsive-ready-sites-delete-posts', request.queryString.action, request.body.action) or equals('responsive-ready-sites-delete-wp-forms', request.queryString.action, request.body.action) or equals('responsive-ready-sites-delete-terms', request.queryString.action, request.body.action) or equals('responsive-wxr-import', request.queryString.action, request.body.action) or equals('responsive-ready-sites-activate-theme', request.queryString.action, request.body.action) or equals('responsive-ready-sites-required-plugin-activate', request.queryString.action, request.body.action) or equals('responsive-ready-sites-import-end', request.queryString.action, 
request.body.action) or equals('set-user-consent', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=222, category='auth-bypass', score=100, description='Responsive Ready Sites Importer <= 2.2.6 - Unprotected AJAX Actions', whitelist=0) if (match('#/wp\-admin/admin\-(?:ajax|post)\.php$#i', server.script_filename) and (match('#^c(?:ore)?37_lp_#', request.body.action, request.queryString.action) or match('#^wplx_campaign#', request.body.action, request.queryString.action) or equals('c37_wpl_import_template', request.body.action, request.queryString.action) or equals('nopriv_c37_wpl_import_template', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=224, category='xss', score=100, description='WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X <= 0.98 - Authenticated Stored Cross-Site Scripting', whitelist=0) if ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('sgpb_autosave', request.body.action, request.queryString.action) or equals('nopriv_sgpb_autosave', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)) or (match('#/wp\-admin/admin\-post\.php$#i', server.script_filename) and (equals('sgpb_system_info', request.body.action, request.queryString.action) or equals('sgpbSaveSettings', request.body.action, request.queryString.action) or equals('csv_file', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty))): block(id=225, category='xss', score=100, description='Popup Builder <= 3.63 - Authenticated Settings Modification, Configuration Disclosure, and User Data Export', whitelist=0) if ((lengthGreaterThan('0', request.queryString['sds-del-entry-first-entry-id']) or identical('', 
request.queryString['sds-del-entry-first-entry-id']) or lengthGreaterThan('0', request.body['ghazale-sds-submit-field-name']) or identical('', request.body['ghazale-sds-submit-field-name']) or lengthGreaterThan('0', request.queryString['sds-total-del-form-table']) or identical('', request.queryString['sds-total-del-form-table']) or lengthGreaterThan('0', request.queryString['sds-delete-field-id']) or identical('', request.queryString['sds-delete-field-id']) or lengthGreaterThan('0', request.body['ghazale_sds_edit_field']) or identical('', request.body['ghazale_sds_edit_field']) or lengthGreaterThan('0', request.body['submit-update-single-entry']) or identical('', request.body['submit-update-single-entry']) or lengthGreaterThan('0', request.queryString['sds-del-data-input-table']) or identical('', request.queryString['sds-del-data-input-table']) or lengthGreaterThan('0', request.queryString['sds-total-del-input-table-and-corresponding-form']) or identical('', request.queryString['sds-total-del-input-table-and-corresponding-form']) or lengthGreaterThan('0', request.body['sds-submit-upload-csv-file']) or identical('', request.body['sds-submit-upload-csv-file']) or lengthGreaterThan('0', request.body['ghazale_sds_submit_new_form']) or identical('', request.body['ghazale_sds_submit_new_form'])) and currentUserIsNot('administrator', server.empty)): block(id=226, category='auth-bypass', score=100, description='Custom Searchable Data Entry System <= 1.7.1 Unauthenticated data modification/deletion', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('wpfc_delete_current_page_cache', request.body.action, request.queryString.action) and match('/\.|%2E/', request.queryString.path)): block(id=227, category='lfi', score=100, description='WP Fastest Cache <= 0.9.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and 
(equals('wpvivid_upload_import_files', request.body.action, request.queryString.action) or equals('wpvivid_upload_files', request.body.action, request.queryString.action) or equals('wpvivid_rescan_local_folder', request.body.action, request.queryString.action) or equals('wpvivid_add_remote', request.body.action, request.queryString.action) or equals('wpvivid_generate_url', request.body.action, request.queryString.action) or equals('wpvivid_get_post_list', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=230, category='file_upload', score=100, description='Migration, Backup, Staging – WPvivid <= 0.9.35 - Multiple Vulnerabilities', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and ((equals('wfu_ajax_action_ask_server', request.body.action, request.queryString.action) and match('#2e2e(2f|5c)#i', request.body.filenames)) or (equals('wfu_ajax_action', request.body.action, request.queryString.action) and match('#2e2e(2f|5c)#i',request.body.uploadedfile_1_name)))): block(id=231, category='rce', score=100, description='WordPress File Upload <= 4.12.2 Remote Code Execution via Upload', whitelist=0) if (match('#/wp\-admin/#i', server.script_filename) and (equals('learnpress_be_teacher', request.body.action, request.queryString.action) or equals('learnpress_plugin_install', request.body.action, request.queryString.action) or equals('learnpress_update_order_status', request.body.action, request.queryString.action) or equals('learnpress_create_page', request.body.action, request.queryString.action) or equals('accept-to-be-teacher', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=232, category='priv-esc', score=100, description='LearnPress <= 3.2.6.8 - Privilege Escalation via accept-to-be-teacher action parameter', whitelist=0) if ((match('/wp-json[\/]+rankmath[\/]+v1[\/]+update/i', request.path) or 
match('/rankmath[\/]+v1[\/]+update/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=233, category='priv-esc', score=100, description='Rank Math SEO <= 1.0.40.2 - Unprotected REST API Endpoints', whitelist=0)
if (((match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('elementor_ajax', request.body.action, request.queryString.action) and match('#enable_safe_mode#', request.body.actions, request.queryString.actions)) or equals('safe', request.body['elementor-mode'], request.queryString['elementor-mode'])) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=234, category='auth-bypass', score=100, description='Elementor Website Builder <= 2.9.5 - Authorization Bypass', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('export_admin_table', request.body.action, request.queryString.action) or equals('get_admin_table_data', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=235, category='rce', score=100, description='LifterLMS Wordpress Plugin <= 3.37.14 - Arbitrary File Write', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('mapp_tpl_save', request.body.action, request.queryString.action) or equals('mapp_tpl_delete', request.body.action, request.queryString.action) or equals('mapp_tpl_get', request.body.action, request.queryString.action) or equals('mapp_save', request.body.action, request.queryString.action) or equals('mapp_delete', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=236, category='file_upload', score=100, description='MapPress Maps for WordPress <=2.53.8 - Authenticated Map Creation/Deletion to Stored Cross-Site Scripting & Remote Code Execution', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#(?:nopriv_)?onetone_#', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=237, category='auth-bypass', score=100, description='OneTone <= 3.0.6 & OneTone Companion <= 1.1.1 - Unauthenticated Settings Update', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('change_klarna_addon_status', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=238, category='auth-bypass', score=100, description='Klarna Checkout for WooCommerce <= 2.0.9 - Arbitrary Plugin Installation, Activation and Deactivation', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('route_url', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.mptt_action, request.queryString.mptt_action) and currentUserIsNot('administrator', server.empty)): block(id=239, category='auth-bypass', score=100, description='Timetable and Event Schedule by MotoPress <= 2.3.8 XSS and Unsafe Extraction', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('pagelayer_save_content', request.queryString.action, request.body.action) or equals('pagelayer_do_shortcodes', request.queryString.action, request.body.action) or equals('pagelayer_get_taxonomy_list', request.queryString.action, request.body.action) or equals('pagelayer_apply_revision', request.queryString.action, request.body.action) or equals('pagelayer_post_nav', request.queryString.action, request.body.action) or equals('pagelayer_get_revision', request.queryString.action, request.body.action) or equals('pagelayer_post_info', request.queryString.action, request.body.action) or equals('pagelayer_posts_data', request.queryString.action, request.body.action) or equals('pagelayer_products_ajax', request.queryString.action, request.body.action) or equals('pagelayer_product_archives', request.queryString.action, request.body.action) or equals('pagelayer_create_post_autosave', request.queryString.action, request.body.action) or equals('pagelayer_get_pages_list', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('author', server.empty) and currentUserIsNot('contributor', server.empty) and currentUserIsNot('editor', server.empty)): block(id=243, category='xss', score=100, description='Page Builder: Pagelayer – Drag and Drop website builder <= 1.1.1 - Missing Authorization to Cross-Site Scripting')
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('elementor_ajax', request.queryString.action, request.body.action) and lengthGreaterThan('0', request.files.zip_upload) and currentUserIsNot('administrator', server.empty)): block(id=244, category='file_upload', score=100, description='Elementor Pro <= 2.9.3 - Authenticated (Subscriber+) Arbitrary File Upload', whitelist=0)
if ((match('/wp-json[\/]+wp-product-review[\/]+update-review/i', request.path) or match('/wp-product-review[\/]+update-review/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=247, category='xss', score=100, description='WP Product Review Lite <= 3.7.5 - Unauthenticated Stored Cross Site Scripting', whitelist=0)
if ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#bwg_frontend_data#', request.body.action, request.queryString.action) and match('#[\r\n\t<>]#', request.body, request.queryString)) or match('#[\r\n\t<>]|\%[\da-f]{2}#', request.body['bwg_search_0'], request.queryString['bwg_search_0'])): block(id=248, category='bypass', score=100, description='Photo Gallery by 10Web <= 1.5.54 - SQL Injection via bwg_search_x Parameter', whitelist=0)
if (equals('bbpress', request.queryString.option_page, request.body.option_page) and lengthGreaterThan('0', request.body._bbp_allow_super_mods, request.queryString._bbp_allow_super_mods) and currentUserIsNot('administrator', server.empty)): block(id=250, category='priv-esc', score=100, description='bbPress <= 2.6.4 - Unauthenticated Privilege Escalation', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('builder_contact_send', request.queryString.action, request.body.action) and (contains("%3C", request.queryString['contact-message'], request.body['contact-message']) or contains("<", request.queryString['contact-message'], request.body['contact-message']) or contains("%3c", request.queryString['contact-message'], request.body['contact-message']))): block(id=251, category='spam', score=100, description='Contact Builder by Themify <= 1.4.5 - Email Injection', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('backup_guard_modalManualBackup', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=254, category='bypass', score=100, description='JetBackup – WP Backup, Migrate & Restore <= 1.4.0 - Sensitive Information Disclosure', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('/brizy(\-|_)(?!(timestamp|submit_form|heartbeat))/', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('author', server.empty) and currentUserIsNot('editor', server.empty)): block(id=255, category='auth-bypass', score=100, description='Brizy < 1.0.126 - Authorization Bypass to Settings Updates', whitelist=0)
if (lengthGreaterThan('0', request.body['tccj-content'], request.body['tccj-update']) and currentUserIsNot('administrator', server.empty)): block(id=257, category='xss', score=100, description='TC Custom JavaScript <= 1.2.1 - Unauthenticated Stored Cross-Site Scripting', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('_ning_upload_image', request.queryString.action, request.body.action) or equals('_ning_remove_image', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=260, category='file_upload', score=100, description='Adning Advertising <= 1.5.5 - Arbitrary File Upload and Arbitrary File Deletion', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('tnpc_render', request.body.action, request.queryString.action) and (match(xssRegex, base64decode(request.body['encoded_options'])) or match('#(\\u003c|\\u003e)#i', base64decode(request.body['encoded_options'])))): block(id=264, category='xss', score=100, description='Newsletter <= 6.8.1 - Reflected Cross-Site Scripting', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('vc_save', request.body.action, request.queryString.action) and (match(xssRegex, request.body.content, request.queryString.content) or match('/vc_raw_html|vc_raw_js|custom_onclick_code/', request.queryString.content, request.body.content)) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=266, category='xss', score=100, description='WPBakery Page Builder <= 6.2.0 Contributor+ Stored XSS FE Save Post', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('vc_save_template', request.body.action, request.queryString.action) and match('/vc_raw_html|vc_raw_js|custom_onclick_code/', request.queryString.template, request.body.template) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=270, 
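category='xss', score=100, description='WPBakery Page Builder <= 6.2.0 Contributor+ Stored XSS FE Save Template', whitelist=0)
if ((match('/^\/(?:\.\/)*(?:var|home|usr|mnt|media|etc|tmp|dev|proc)\/|(^|\/|\\)\.\.(\\|\/)/i', request.body, request.queryString) and equals('qsm_remove_file_fd_question', request.queryString.action, request.body.action)) or (match('/\.(p(h(p|tml)[0-9]?|l|y)|(j|a)sp|aspx|sh|shtml|html?|cgi|htaccess|user\.ini)($|\.)/i', request.fileNames) and equals('qsm_upload_image_fd_question', request.queryString.action, request.body.action))): block(id=271, category='file_upload', score=100, description='Quiz and Survey Master <= 7.0.1 - Arbitrary File Deletion and Upload', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('restore_backup', request.queryString.action, request.body.action) and (equals('write_file', request.queryString.xcloner_action, request.body.xcloner_action) or equals('restore_mysql_backup', request.queryString.xcloner_action, request.body.xcloner_action) or equals('list_backup_files', request.queryString.xcloner_action, request.body.xcloner_action) or equals('restore_finish', request.queryString.xcloner_action, request.body.xcloner_action) or equals('list_mysqldump_backups', request.queryString.xcloner_action, request.body.xcloner_action) or equals('list_backup_archives', request.queryString.xcloner_action, request.body.xcloner_action) or equals('restore_backup_to_path', request.queryString.xcloner_action, request.body.xcloner_action) or equals('get_current_directory', request.queryString.xcloner_action, request.body.xcloner_action)) and currentUserIsNot('administrator', server.empty)): block(id=273, category='bypass', score=100, description='Backup, Restore and Migrate WordPress Sites With the XCloner Plugin 4.2.1 - 4.2.12 - Unprotected AJAX Actions', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#^(?:nopriv_)?wdr_ajax#', request.body.action, request.queryString.action) and notEquals('get_price_html', request.body.method) and notEquals('get_variable_product_bulk_table', request.body.method) and currentUserIsNot('administrator', server.empty)): block(id=274, category='xss', score=100, description='Discount Rules for WooCommerce < 2.1.0 - Missing Authorization', whitelist=0)
if ((lengthGreaterThan('0', request.queryString['awdr_switch_plugin_to']) or (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('forceValidateLicenseKey', request.body.action, request.queryString.action) or equals('savePriceRule', request.body.action, request.queryString.action) or equals('saveCartRule', request.body.action, request.queryString.action) or equals('saveConfig', request.body.action, request.queryString.action) or equals('resetWDRCache', request.body.action, request.queryString.action) or equals('loadProductSelectBox', request.body.action, request.queryString.action) or equals('loadCoupons', request.body.action, request.queryString.action) or equals('UpdateStatus', request.body.action, request.queryString.action) or equals('RemoveRule', request.body.action, request.queryString.action) or equals('doBulkAction', request.body.action, request.queryString.action) or equals('createDuplicateRule', request.body.action, request.queryString.action)))) and currentUserIsNot('administrator', server.empty)): block(id=275, category='xss', score=100, description='Discount Rules for WooCommerce <= 2.1.1 - Missing Authorization', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('kaliforms_update_option_ajax', request.queryString.action, request.body.action) or equals('kaliforms_clear_log', request.queryString.action, request.body.action) or equals('kaliforms_form_delete_uploaded_file', request.queryString.action, request.body.action) or equals('nopriv_kaliforms_form_delete_uploaded_file', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=276, category='bypass', score=100, description='Kali Forms <= 2.1.1 - Missing Authorization to Settings Update', whitelist=0)
if (match('#/php/connector.minimal.php$#i', server.script_filename)): block(id=278, category='rce', score=100, description='File Manager <= 6.8 - Arbitrary File Upload/Remote Code Execution', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('nxs_snap_aj', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=279, category='auth-bypass', score=100, description='NextScripts: Social Networks Auto-Poster <= 4.3.17 - Missing Authorization', whitelist=0)
if (equals('forminator_export_entries', request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=283, category='auth-bypass', score=100, description='Forminator < 1.13.5 - Unauthenticated Sensitive Data Export', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('tve_dash_backend_ajax', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=284, category='priv-esc', score=100, description='Thrive Themes Plugins <= 1.3.4 Unprotected AJAX', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (match('#(?:nopriv_)?epsilon_framework_ajax_action#', request.body.action, request.queryString.action) or match('#(?:nopriv_)?welcome_screen_ajax_callback#', request.body.action, request.queryString.action) or match('#(?:nopriv_)?epsilon_dashboard_ajax_callback#', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=285, category='rce', score=100, description='Epsilon Framework Themes (Various Versions) - Function Injection', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('get_table_records', request.queryString.action, request.body.action) or equals('nf_insert_record', request.queryString.action, request.body.action) or equals('nf_update_record', request.queryString.action, request.body.action) or equals('nf_delete_record', request.queryString.action, request.body.action) or equals('nf_duplicate_record', request.queryString.action, request.body.action) or equals('nf_delete_file', request.queryString.action, request.body.action) or equals('nf_populate_form_entry_dashboard', request.queryString.action, request.body.action) or equals('do_form_entry_save', request.queryString.action, request.body.action) or equals('nf_send_test_email', request.queryString.action, request.body.action) or equals('save_other_config', request.queryString.action, request.body.action) or equals('save_email_config', request.queryString.action, request.body.action) or equals('save_script_config', request.queryString.action, request.body.action) or equals('save_gr_key', request.queryString.action, request.body.action) or equals('save_mc_key', request.queryString.action, request.body.action) or equals('do_form_import', request.queryString.action, request.body.action) or equals('deactivate_license', request.queryString.action, request.body.action) or equals('save_style_config', request.queryString.action, request.body.action) or equals('save_field_pref', request.queryString.action, request.body.action) or equals('save_validation_pref', request.queryString.action, request.body.action) or equals('save_email_pref', request.queryString.action, request.body.action) or equals('save_other_pref', request.queryString.action, request.body.action) or equals('do_upload_image', request.queryString.action, request.body.action) or equals('preview_nex_form', request.queryString.action, request.body.action) or equals('nf_print_chart', request.queryString.action, request.body.action) or equals('nf_print_to_pdf', request.queryString.action, request.body.action) or equals('nf_print_report_to_pdf', request.queryString.action, request.body.action) or equals('nopriv_nf_print_report_to_pdf', request.queryString.action, request.body.action) or equals('nopriv_nf_print_to_pdf', request.queryString.action, request.body.action) or equals('nf_get_email_setup', request.queryString.action, request.body.action) or equals('nf_get_pdf_setup', request.queryString.action, request.body.action) or equals('nf_get_options_setup', request.queryString.action, request.body.action) or equals('nf_create_custom_layout', request.queryString.action, request.body.action) or equals('nf_delete_custom_layout', request.queryString.action, request.body.action) or equals('update_paypal', request.queryString.action, request.body.action) or equals('nf_get_forms', request.queryString.action, request.body.action) or equals('nf_load_form_entries', request.queryString.action, request.body.action) or equals('submission_report', request.queryString.action, request.body.action) or equals('nf_hidden_fields', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=287, category='priv-esc', score=100, description='NEX-Forms <= 7.7.1 - Missing Authorization on Various AJAX Actions', whitelist=0)
if (lengthGreaterThan('0', request.body.form_id, request.queryString.form_id) and ((lengthGreaterThan('0', request.body.role) and notMatch('#^um_#i', request.body.role)) or lengthGreaterThan('0', request.body['wp_capabilities']) or identical('', request.body['wp_capabilities']) or lengthGreaterThan('0', request.body['wp_user_level'])) and currentUserIsNot('administrator', server.empty)): block(id=291, category='priv-esc', score=100, description='Ultimate Member <= 2.1.11 - Unauthenticated Privilege Escalation via User Meta', whitelist=0)
if 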
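(matchCount('/(^|;|{|})C:+?\+*[0-9]+:"\\?Requests_Utility_FilteredIterator"/i', request.headers, request.cookies, request.body, request.queryString)): block(id=294, category='obji', score=100, description='WordPress Core < 5.5.3 - PHP Object Injection Gadget')
if (match('#(?:%2f|/)(?:%77|%57|w)(?:%70|%50|p)(?:%2d|-)(?:%61|%41|a)(?:%64|%44|d)(?:%6d|%4d|m)(?:%69|%49|i)(?:%6e|%4e|n)(?:%2f|/).*(?:%2f|/)(?:%77|%57|w)(?:%70|%50|p)(?:%2d|-)(?:%61|%41|a)(?:%64|%44|d)(?:%6d|%4d|m)(?:%69|%49|i)(?:%6e|%4e|n)(?:%2f|/).*%27#i', request.path)): blockXSS(id=295, category='xss', score=100, description='WordPress Core < 5.5.2 - Reflected Cross-Site Scripting via Global Variables')
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('lp_cc_addons_actions', request.body.action, request.queryString.action) or equals('nopriv_lp_cc_addons_actions', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=303, category='file_upload', score=100, description='ListingPro - WordPress Directory & Listing Theme < 2.6.1 - Arbitrary Plugin Installation, Activation and Deactivation', whitelist=0)
if ((match('/^\/(?:\.\/)*(?:var|home|usr|mnt|media|etc|tmp|dev|proc)\//i', request.body['photocrati-nextgen_basic_thumbnails']['template'], request.body['photocrati-nextgen_basic_imagebrowser']['template'], request.body['photocrati-nextgen_basic_singlepic']['template'], request.body['photocrati-nextgen_basic_compact_album']['template'], request.body['photocrati-nextgen_basic_extended_album']['template'], request.body['photocrati-nextgen_basic_thumbnails']['display_view'], request.body['photocrati-nextgen_basic_imagebrowser']['display_view'], request.body['photocrati-nextgen_basic_singlepic']['display_view'], request.body['photocrati-nextgen_basic_compact_album']['display_view'], request.body['photocrati-nextgen_basic_extended_album']['display_view'], request.body['photocrati-nextgen_basic_slideshow']['display_view']) or match('/(^|\/|\\)\.\.(\\|\/)/', request.body['photocrati-nextgen_basic_thumbnails']['template'], request.body['photocrati-nextgen_basic_imagebrowser']['template'], request.body['photocrati-nextgen_basic_singlepic']['template'], request.body['photocrati-nextgen_basic_compact_album']['template'], request.body['photocrati-nextgen_basic_extended_album']['template'])) and lengthLessThan('1', request.body.nonce)): block(id=305, category='lfi', score=100, description='WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('tutor_add_instructor', request.queryString.action, request.body.action) or equals('instructor_approval_action', request.queryString.action, request.body.action) or equals('setup_action', request.queryString.action, request.body.action) or equals('addon_enable_disable', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=308, category='priv-esc', score=100, description='Tutor LMS – eLearning and online course solution <= 1.7.6 - Unprotected AJAX including Privilege Escalation', whitelist=0)
if (match('#/wp\-admin/admin\-post\.php$#i', server.script_filename) and equals('rmp_upload_theme_file', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=310, category='file_upload', score=100, description='Responsive Menu 4.0 - 4.0.3 - Authenticated Arbitrary File Upload', whitelist=0)
if ((equals('wcuf_file_chunk_upload', request.body.action, request.queryString.action) or equals('nopriv_wcuf_file_chunk_upload', request.body.action, request.queryString.action)) and match('#(?:\.php|\.\.\/|\.jsp|\.vbs|\.exe|\.bat|\.php5|\.pht|\.phtml|\.shtml|\.asa|\.cer|\.asax|\.swf|\.xap|;|\.asp|\.aspx|\*|<|>|::)#i', request.body['wcuf_file_name'], request.body['wcuf_upload_field_name'], request.body['wcuf_current_upload_session_id'])): block(id=314, category='file_upload', score=100, description='WooCommerce Upload Files <= 59.3 - Arbitrary File Upload', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('fv_player_db_save', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=317, category='xss', score=100, description='FV Flowplayer Video Player <= 7.4.37.727 - Authenticated Stored Cross-Site Scripting', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('nf_oauth_connect', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.redirect, request.queryString.redirect) and notMatch('#^https:\/\/my\.ninjaforms\.com\/#', request.queryString.redirect)): block(id=318, category='redirect', score=100, description='Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('ninja_forms_sendwp_remote_install', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=319, category='auth-bypass', score=100, description='Ninja Forms Contact Form <= 3.4.33 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('nf_oauth', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=320, category='auth-bypass', score=100, description='Ninja Forms <= 3.4.34 - Authenticated OAuth Connection Key Disclosure', whitelist=0)
if ((equals('sgpb_subscribers_delete', request.body.action, request.queryString.action) or equals('sgpb_add_subscribers', request.body.action, request.queryString.action) or equals('sgpb_import_subscribers', request.body.action, request.queryString.action) or equals('sgpb_save_imported_subscribers', request.body.action, request.queryString.action) or equals('sgpb_send_newsletter', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=323, category='auth-bypass', score=100, description='Popup Builder <= 3.72 Missing Authorization on AJAX actions', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('upload-remote-file', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=324, category='file_upload', score=100, description='External Media <= 1.0.33 - Authenticated Arbitrary File Upload', whitelist=0)
if ((lengthGreaterThan('0', request.body['ct-ultimate-gdpr-export']) or lengthGreaterThan('0', request.body['ct-ultimate-gdpr-export-services']) or lengthGreaterThan('0', request.body['ct-ultimate-gdpr-import']) or lengthGreaterThan('0', request.body['ct-ultimate-gdpr-import-services'])) and currentUserIsNot('administrator', server.empty)): block(id=325, category='auth-bypass', score=100, description='Ultimate GDPR & CCPA <= 2.4 - Unauthenticated Settings Import & Export', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('wpcf7r_delete_action', request.body.action, request.queryString.action) or equals('wpcf7r_add_action', request.body.action, request.queryString.action) or equals('wpcf7r_make_api_test', request.body.action, request.queryString.action) or equals('activate_wpcf7r_extension', request.body.action, request.queryString.action) or equals('deactivate_wpcf7r_extension', request.body.action, request.queryString.action) or equals('wpcf7r_extension_update', request.body.action, request.queryString.action) or equals('wpcf7r_reset_settings', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=329, category='bypass', score=100, description='Redirection for Contact Form 7 <= 2.3.3 - Unprotected AJAX Actions', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('nopriv_wpcf7r_get_nonce', request.body.action, request.queryString.action) or equals('wpcf7r_get_nonce', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=328, category='bypass', score=100, description='Redirection for Contact Form 7 <= 2.3.3 - Unauthenticated Arbitrary Nonce Generation', whitelist=0)
if ((match('/wp-json[\/]+mpp[\/]+v2[\/]+get_users/i', request.path) or match('/mpp[\/]+v2[\/]+get_users/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=331, category='information-disclosure', score=100, description='User Profile Picture <= 2.4.0 - Sensitive Information Disclosure', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('quadmenu_compiler_save', request.body.action, request.queryString.action) or equals('nopriv_quadmenu_compiler_save', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=333, category='file_upload', score=100, description='WordPress Mega Menu <= 2.0.6 - Arbitrary File Creation', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('elementor_ajax', request.body.action, request.queryString.action) and match('#(?:["_]tag|header_size|title_size)":"(?!(?:div|header|footer|main|article|section|aside|nav|span|p|a|none|h1|h2|h3|h4|h5|h6|null|large|custom|ul|)")#i', request.body.actions) and currentUserIsNot('administrator', server.empty)): block(id=335, category='xss', score=100, description='Elementor <= 3.1.2 Elements Kit Lite/Pro <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting', whitelist=0)
if ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('tutor_place_rating', request.body.action, request.queryString.action) or equals('tutor_mark_answer_as_correct', request.body.action, request.queryString.action) or equals('tutor_quiz_builder_get_question_form', request.body.action, request.queryString.action) or equals('tutor_quiz_builder_get_answers_by_question', request.body.action, request.queryString.action)) and match('#[\r\n\t<>]#', request.body, request.queryString)) or (equals('tutor_answering_quiz_question', request.body['tutor_action'], request.queryString['tutor_action']) and match('#[\r\n\t<>]#', request.body, request.queryString))): block(id=336, category='sqli', score=100, description='Tutor LMS <= 1.8.3 - SQL Injection via Bypass', whitelist=0)
if (matchCount(sqliRegex, request.headers['User-Agent'])): failSQLi(id=338, category='sqli', score=40, description='SQL Injection in User-Agent String', whitelist=0)
if ((match('/wp-json[\/]+store-locator-plus[\/]+v2[\/]+options[\/]+all/i', request.path) or match('/store-locator-plus[\/]+v2[\/]+options[\/]+all/i', request.body.rest_route, request.queryString.rest_route) or match('/wp-json[\/]+store-locator-plus[\/]+v2[\/]+options[\/]+import/i', request.path) or match('/store-locator-plus[\/]+v2[\/]+options[\/]+import/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=341, category='information-disclosure', score=100, description='Store Locator Plus <= 5.12.3 - Unauthenticated Stored Cross-Site Scripting', whitelist=0)
if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('theplus_ajax_login', request.body.action, request.queryString.action) or equals('theplus_google_ajax_register', request.body.action, request.queryString.action)) and (lengthGreaterThan('0', request.body.email, request.queryString.email) or identical('', request.body.email, request.queryString.email))): block(id=343, category='auth-bypass', score=100, description='Plus Addons for Elementor Page Builder <= 4.1.6 - 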
Authentication Bypass Method #2', whitelist=0) if (match('/(^|;|{|})(?:O|C):\d+:"(?!stdClass")[^"]+":/', request.cookies)): block(id=344, category='obji', score=100, description='PHP Object Injection in Cookies', whitelist=0) if ((match('/wp-json[\/]+td[\/]+v1[\/]+optin[\/]+subscription/i', request.path) or match('/td[\/]+v1[\/]+optin[\/]+subscription/i', request.body.rest_route, request.queryString.rest_route)) and (identical('', request.body['api_key'],request.queryString['api_key']) or match('#api_key":""#i', request.body, request.rawBody) or match('#(?:hook_url|hookUrl)":"\{#i', request.body, request.rawBody) or match('#[\{\}]#', request.body['hook_url'],request.body['hookUrl'],request.queryString['hook_url'],request.queryString['hookUrl']))): block(id=348, category='file_upload', score=100, description='Multiple Thrive Themes and Plugins (Various Versions) - Arbitrary Options Update', whitelist=0) if ((match('/wp-json[\/]+thrive[\/]+kraken/i', request.path) or match('/thrive[\/]+kraken/i', request.body.rest_route, request.queryString.rest_route)) and (match('#^(?![0-9a-f]{32}).#', request.body.id,request.queryString.id) or match('#"id":"(?![0-9a-f]{32})#i',request.body,request.rawBody))): block(id=349, category='rfd', score=100, description='Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('upload_csv', request.body.action) or equals('wccm_export_csv', request.body.action) or equals('wccm_export_guests_csv', request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=351, category='auth-bypass', score=100, description='Woocommerce Customers Manager <= 26.4 - Authenticated Account Creation and Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('iva_bh_ajax_action', request.body.action) or equals('nopriv_iva_bh_ajax_action', request.body.action) or 
equals('iva_bh_import_ajax_action', request.body.action) or equals('nopriv_iva_bh_import_ajax_action', request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=352, category='file_upload', score=100, description='Business Hours Pro <= 5.5.0 - Arbitrary File Upload', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#"(?:loop_)?svg_image":\{[^\}]*"url":"[^"]+\.(?!svg)\w+"#', request.body.actions) and equals('elementor_ajax', request.body.action, request.queryString.action)): block(id=353, category='lfi', score=100, description='The Plus Addons for Elementor PRO <= 4.1.9 & The Plus Addons for Elementor <= 2.0.6 - Authenticated (Contributor+) Arbitrary File Read', whitelist=0) if (match('#/wp\-admin#i', server.script_filename) and equals('301options', request.body.page, request.queryString.page) and (lengthGreaterThan('0', request.body.export, request.queryString.export) or lengthGreaterThan('0', request.body.import, request.queryString.import)) and currentUserIsNot('administrator', server.empty)): block(id=356, category='redirect', score=100, description='Simple 301 Redirects 2.0.0 - 2.0.3 - Unauthenticated Redirect Import/Export', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('simple301redirects/admin/wildcard', request.body.action, request.queryString.action) or equals('simple301redirects/admin/install_plugin', request.body.action, request.queryString.action) or equals('simple301redirects/admin/activate_plugin', request.body.action, request.queryString.action) or equals('simple301redirects/admin/hide_notice', request.body.action, request.queryString.action) or equals('simple301redirects/admin/get_import_info', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=357, category='file_upload', score=100, description='Simple 301 Redirects by BetterLinks 2.0.0 - 2.0.1 - Unprotected AJAX 
Actions', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and contains('eael-login-register', request.body.actions, request.queryString.actions) and match('#register_user_role":"(?!subscriber|customer)[^"]#', request.body.actions, request.queryString.actions) and equals('elementor_ajax', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=359, category='priv-esc', score=100, description='Essential Addons for Elementor <= 4.6.4 - Authenticated (Contributor+) Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('wpdeveloper_install_plugin', request.body.action, request.queryString.action) or equals('wpdeveloper_activate_plugin', request.body.action, request.queryString.action) or equals('save_settings_with_ajax', request.body.action, request.queryString.action) or equals('clear_cache_files_with_ajax', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=360, category='bypass', score=100, description='Essential Addons for Elementor <= 4.6.4 - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (contains('kaswara', request.body.action, request.queryString.action) or equals('uploadFontIcon', request.body.action, request.queryString.action) or equals('nopriv_uploadFontIcon', request.body.action, request.queryString.action)) and match('/(\.zip)($|\.)/i', request.fileNames) and currentUserIsNot('administrator', server.empty)): block(id=361, category='file_upload', score=100, description='Kaswara Modern VC Addons <= 3.0.1 - Arbitrary File Upload', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (contains('kaswara', request.body.action, request.queryString.action) or equals('exportShortcodeData', request.body.action, request.queryString.action) or 
equals('nopriv_exportShortcodeData', request.body.action, request.queryString.action) or equals('importShortcodeData', request.body.action, request.queryString.action) or equals('nopriv_importShortcodeData', request.body.action, request.queryString.action) or equals('exportCf7Styles', request.body.action, request.queryString.action) or equals('nopriv_exportCf7Styles', request.body.action, request.queryString.action) or equals('importCf7Styles', request.body.action, request.queryString.action) or equals('nopriv_importCf7Styles', request.body.action, request.queryString.action) or equals('deleteFontIcon', request.body.action, request.queryString.action) or equals('nopriv_deleteFontIcon', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=362, category='bypass', score=100, description='Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization', whitelist=0) if (equals('wpf', request.queryString.pl, request.body.pl) and (equals('save', request.queryString.action, request.body.action) or equals('deleteByID', request.queryString.action, request.body.action) or equals('drawFilterAjax', request.queryString.action, request.body.action) or equals('removeGroup', request.queryString.action, request.body.action) or equals('saveGroup', request.queryString.action, request.body.action) or equals('createTable', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=364, category='auth-bypass', score=100, description='WooCommerce Product Filter by WooBeWoo <= 1.4.9 Unprotected AJAXs', whitelist=0) if (match('/(^|;|{|})(?:O|C):\d+:"(?!stdClass")[^"]+":/', base64decode(request.body['__tcb_lg_msg']),base64decode(request.body['__tcb_lg_fc']),base64decode(request.body['consent_config']),base64decode(request.body['tve_mapping']),base64decode(request.body['tve_labels']),base64decode(request.body['config']))): block(id=365, category='obji', score=100, description='Thrive 
Plugins < 2021-05-11 Object Injection', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('pp_ajax_signup', request.body.action, request.queryString.action) or equals('pp_ajax_editprofile', request.body.action, request.queryString.action)) and (lengthGreaterThan('0', request.body['wp_capabilities']) or identical('', request.body['wp_capabilities']) or lengthGreaterThan('0', request.body['wp_user_level']))): block(id=369, category='priv-esc', score=100, description='User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) 3.0.0 - 3.1.3 - Unauthenticated Privilege Escalation', whitelist=0) if ((lengthGreaterThan('0', request.body['wp_capabilities']) or identical('', request.body['wp_capabilities']) or lengthGreaterThan('0', request.body['wp_user_level'])) and currentUserIsNot('administrator', server.empty)): block(id=370, category='priv-esc', score=100, description='Privilege Escalation via User Meta Updates', whitelist=0) if ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('fpd_custom_uplod_file', request.body.action, request.queryString.action) or equals('nopriv_fpd_custom_uplod_file', request.body.action, request.queryString.action)) and match('#\.[^a-z0-9\.]*p[^a-z0-9\.]*h[^a-z0-9\.]*p#i', request.fileNames)) or match('#/custom\-image\-handler\.php$#i', server.script_filename)): block(id=371, category='file_upload', score=100, description='Fancy Product Designer <= 4.6.8 - Unauthenticated Arbitrary File Upload', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#^fpd_(?:create_|update_|delete_|get_|upload_|export|reset_)#', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=372, category='auth-bypass', score=100, description='Fancy Product Designer <= 4.6.9 Unprotected AJAX actions', whitelist=0) if (match('#\/dzs\-zoomsounds\/savepng\.php#i', 
server.script_filename)): block(id=376, category='file_upload', score=100, description='ZoomSounds <= 5.96 - Unauthenticated Arbitrary File Upload', whitelist=0) if (equals('recover_password2', request.body.action2) and (notMatch('#^[a-zA-Z0-9]{20}$#', request.body.key) or match('#key(\[|\%5b)#', request.rawBody))): block(id=381, category='auth-bypass', score=100, description='Profile Builder <= 3.4.8 - Admin Access via Password Reset', whitelist=0) if (match('/seopress[\/]+v1[\/]+posts/i', request.path, request.body.rest_route, request.queryString.rest_route) and match('#^put$#i',request.method, request.headers['X-Http-Method-Override'],request.headers['X-Method-Override']) and currentUserIsNot('administrator',server.empty) and currentUserIsNot('editor', server.empty)): block(id=383, category='xss', score=100, description='SEOPress 5.0.0 - 5.0.3 - Stored Cross-Site Scripting', whitelist=0) if (match('/redux[\/]+v1[\/]+templates/i', request.path, request.body.rest_route, request.queryString.rest_route) and currentUserIsNot('administrator', server.empty)): block(id=386, category='insufficient-auth', score=100, description='Gutenberg Template Library & Redux Framework <= 4.2.11 - Missing Authorization to Sensitive Information Disclosure', whitelist=0) if (match('/ninja-forms-submissions/i', request.path, request.body.rest_route, request.queryString.rest_route) and currentUserIsNot('administrator', server.empty)): block(id=387, category='auth-bypass', score=100, description='Ninja Forms <= 3.5.7 - Unprotected REST-API to Sensitive Information Disclosure', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('plugin_offline_installer', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=390, category='file_upload', score=100, description='AccessPress Themes and Plugin <= Various Versions - Authenticated (Subscriber+) Arbitrary File Upload', whitelist=0) if 
(equals('under-construction', request.queryString.page) and match('#wp-admin[\/]+admin\.php.+#i', request.path)): block(id=391, category='xss', score=100, description='underConstruction <= 1.18 - Reflected Cross-Site Scripting', whitelist=0) if (equals('cnss_social_icon_page', request.queryString.page) and match('#wp-admin[\/]+admin\.php.+#i', request.path)): block(id=392, category='xss', score=100, description='Easy Social Icons <= 3.0.8 – Reflected Cross-Site Scripting', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#^hdi_#', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=393, category='auth-bypass', score=100, description='HashThemes Demo Importer <= 1.1.1 - Missing Authorization to Database Wipe', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('pa_dismiss_admin_notice', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=396, category='auth-bypass', score=100, description='Premium Addons for Elementor <= 4.5.1 - Authenticated (Subscriber+) Limited Arbitrary Option Update', whitelist=0) if ((lengthGreaterThan('0',request.files['rp_wcdpd_settings'], request.body['rp_wcdpd_export_settings'], request.queryString['rp_wcdpd_export_settings']) or identical('', request.body['rp_wcdpd_export_settings'], request.queryString['rp_wcdpd_export_settings'])) and currentUserIsNot('administrator', server.empty)): block(id=397, category='auth-bypass', score=100, description='WooCommerce Dynamic Pricing and Discounts <= 2.4.1 - Unauthenticated Settings Import/Export', whitelist=0) if (((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('envato_elements', request.body.action, request.queryString.action) or equals('template_kit_import', request.body.action, request.queryString.action))) or match('/envato-elements\/v2/i', request.path, 
request.body.rest_route, request.queryString.rest_route) or match('/template-kit-import\/v2/i', request.path, request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=399, category='file_upload', score=100, description='Envato Elements <= 2.0.9 - Contributor+ Arbitrary File Upload', whitelist=0) if ((equals('settings', request.queryString['wp_pinterest_automatic'], request.body['wp_pinterest_automatic']) and currentUserIsNot('administrator', server.empty)) or (match('#/wp\-automatic\/process_form\.php#i', server.script_filename))): block(id=400, category='auth-bypass', score=100, description='WordPress Automatic <= 3.53.2 + Pinterest Automatic <= 4.14.3 - Unauthenticated Arbitrary Options Update', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('svx_ajax_factory', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=405, category='auth-bypass', score=100, description='Multiple XforWooCommerce Add-On Plugins (Various Versions) - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (match('#^(nopriv_)?SPDSGVO-integration-#i', request.body.action, request.queryString.action) or equals('admin-dismiss-unsubscribe', request.body.action, request.queryString.action) or equals('nopriv_admin-dismiss-unsubscribe', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=407, category='auth-bypass', score=100, description='WP DSGVO Tools (GDPR) <= 3.1.22 - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (match('/wcfmvm_(vendor_approval_html|vendor_approval_response_update|membership_change|change_next_renewal)/', request.body.action, request.queryString.action) or equals('delete_wcfm_membership', request.body.action, 
request.queryString.action) or ((equals('wcfm_ajax_controller', request.body.action, request.queryString.action) or equals('nopriv_wcfm_ajax_controller', request.body.action, request.queryString.action)) and (match('/wcfm-(memberships|memberships-manage|memberships-settings)$/', request.body.controller, request.queryString.controller) or match('#[\r\n\t<>\%]#', request.body.controller, request.queryString.controller)))) and currentUserIsNot('administrator', server.empty)): block(id=413, category='auth-bypass', score=100, description='WCFM Membership <= 2.10.0 - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (match('/wcfm_(messages_bulk_mark_read|messages_bulk_mark_delete)/', request.body.action, request.queryString.action) or ((equals('wcfm_ajax_controller', request.body.action, request.queryString.action) or equals('nopriv_wcfm_ajax_controller', request.body.action, request.queryString.action)) and match('/wcfm-(refund-requests|vendor-orders|orders|enquiry|reviews)/', request.body.controller, request.queryString.controller))) and match('#[\r\n\t<>%]#', request.body)): block(id=415, category='sqli', score=100, description='WCFM Marketplace <= 3.4.11 - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#^rmp_#', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=421, category='auth-bypass', score=100, description='Responsive Menu <= 4.1.7 - Missing Authorization Checks', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('xoo_admin_settings_save', request.queryString.action, request.body.action) and match('#(administrator|siteurl|users_can_register|default_role|admin_email|mailserver_url|mailserver_login|rewrite_rules|wp_user_roles)#', request.body.form)): block(id=427, category='csrf', score=100, description='Login/Signup Popup <= 2.2 - 
Cross-Site Request Forgery to Arbitrary Options Update', whitelist=0) if ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename)) and (equals('tawkto_setwidget', request.body.action, request.queryString.action) or equals('tawkto_removewidget', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=429, category='auth-bypass', score=100, description='Tawk.To Live Chat <= 0.5.4 - Missing Authorization to Visitor Monitoring & Chat Removal', whitelist=0) if (match('#/wp-admin/#i', server.script_filename) and (equals('update_product_attr_type', request.body.action, request.queryString.action) or equals('update_attribute_type_setting', request.body.action, request.queryString.action) or equals('tawcvs_save_settings', request.body.action, request.queryString.action) or lengthGreaterThan('0', request.body['woosuite_saving_variation_settings'])) and currentUserIsNot('administrator', server.empty)): block(id=431, category='insufficient-auth', score=100, description='Variation Swatches for WooCommerce <= 2.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting', whitelist=0) if ((match('/wp-json[\/]+.*[\/]+(v1|v2)[\/]+(oxi_settings|addons_settings)/i', request.path) or match('/\/.*[\/]+(v1|v2)[\/]+(oxi_settings|addons_settings)/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=436, category='options_update', score=100, description='Oxilab Plugins <= (Various Versions) Unauthenticated Arbitrary Options Update', whitelist=0) if (((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('add-meta', request.body.action, request.queryString.action)) or (match('#/wp\-admin/post\.php$#i', server.script_filename) and equals('editpost', request.body.action, request.queryString.action))) and (match(sqliRegex, request.body.meta) or match(sqliRegex, request.body.metakeyinput) or match('#[\r\n\t<>]#', request.body.meta) 
or match('#[\r\n\t<>]#', request.body.metakeyinput)) and currentUserIsNot('administrator', server.empty)): block(id=437, category='sqli', score=100, description='Page Duplication Function (Various Plugins) Second Order SQLi', whitelist=0) if (match('/whm[\/]+v3[\/]+themesettings/i', request.path, request.body.rest_route, request.queryString.rest_route) and currentUserIsNot('administrator', server.empty)): block(id=439, category='xss', score=100, description='WP HTML Mail <= 3.0.9 - Missing Authorization on Rest Route', whitelist=0) if ((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename)) and match('#ewd_ufaq_welcome_#i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty) and currentUserIsNot('editor', server.empty)): block(id=441, category='auth-bypass', score=100, description='Ultimate FAQ <= 2.1.1 - Missing Authorization to Arbitrary FAQ Creation', whitelist=0) if ((match('/[\/]+(ImageHoverUltimate|ShortCodeAddonsUltimate|oxilabtabsultimate)[\/]+(v1|v2)[\/]/i', request.path, request.body.rest_route, request.queryString.rest_route) or (match('/\/wp\-admin\/admin\-ajax\.php$/i', server.script_filename) and (equals('image_hover_ultimate', request.body.action, request.queryString.action) or equals('oxi_flip_box_data', request.body.action, request.queryString.action)))) and currentUserIsNot('administrator', server.empty)): block(id=442, category='auth-bypass', score=100, description='Oxilab Plugins <= Various Versions Unprotected AJAX and Rest Routes', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('insight_customizer_options_import', request.queryString.action, request.body.action) or equals('import_dummy', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=444, category='auth-bypass', score=100, description='Insight Core <= 1.0 - Authenticated PHP Object Injection & Stored Cross-Site Scripting', 
whitelist=0) if ((lengthGreaterThan('0', request.body['submit-uaf-font-php'], request.body['submit-uaf-font-js']) or identical('',request.body['submit-uaf-font-php'], request.body['submit-uaf-font-js'])) and currentUserIsNot('administrator', server.empty)): block(id=455, category='auth-bypass', score=100, description='Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('stm_lms_register', request.body.action, request.queryString.action) and match('/(wp_capabilities|wp_user_level)/i', request.rawBody)): block(id=456, category='priv-esc', score=100, description='MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation', whitelist=0) if (match('#/wp\-admin/#i', server.script_filename) and (equals('updraft_download_backup', request.body.action, request.queryString.action) or (equals('heartbeat', request.body.action, request.queryString.action) and (lengthGreaterThan('0', request.body.data['updraftplus']) or identical('', request.body.data['updraftplus']['log_nonce'])) )) and currentUserIsNot('administrator', server.empty)): block(id=459, category='auth-bypass', score=100, description='UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure', whitelist=0) if (equals('heartbeat', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.data['hmbkp_schedule_id']) and currentUserIsNot('administrator', server.empty)): block(id=460, category='file_download', score=100, description='BackupWordPress <= 3.12 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure', whitelist=0) if (equals('heartbeat', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.data['boldgrid_backup_in_progress']) and currentUserIsNot('administrator', server.empty)): block(id=461, category='information-disclosure', score=100, description='Total Upkeep <= 1.14.13 - Missing 
Authorization to Authenticated (Subscriber+) Information Disclosure', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (match('/(fs_dismiss_notice_action_|fs_retry_connectivity_test_|fs_resolve_firewall_issues_)/i', request.body.action, request.queryString.action) or equals('fs_toggle_debug_mode', request.body.action, request.queryString.action) or equals('fs_get_debug_log', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=462, category='insufficient-auth', score=100, description='Freemius <= 2.4.2 - Missing Authorization on AJAX actions', whitelist=0) if (lengthGreaterThan('0',request.queryString['__proto__'],request.queryString['constructor'], request.queryString['prototype'])): block(id=478, category='xss', score=100, description='WordPress Core < 5.9.2 & Gutenberg < 12.7.2 - Prototype Pollution', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('#(?:nopriv_)?add_custom_font#', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=482, category='rce', score=100, description='Tatsu <= 3.3.12 - Unauthenticated Remote Code Execution', whitelist=0) if ((md5Equals('9419144043c824fe684399c5ff5ba46d', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('82bc3ff3aa0b29f7a326c88b6b53617a', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('1bc92cdc15368557981fcab5dfca2979', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('e81f641f598c43fd2923236d0e398ec2', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('dd46145d9f2c386a47527d9d204f264a', 
request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('d84b5d5582f4dd40688105bf48ef1b07', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5'])) and currentUserIsNot('administrator', server.empty)): block(id=483, category='rce', score=100, description='WAF-RULE-483', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (match('#^abb_(?!\w+_action)#', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or match('#^jupiterx_[^l]#', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5'])) and currentUserIsNot('administrator', server.empty)): block(id=485, category='privesc', score=100, description='WAF-RULE-485', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('/(cool_plugins_(install|activate))/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=486, category='file_upload', score=100, description='Cool Plugins (Various Versions) - Arbitrary Plugin Installation and Activation', whitelist=0) if (match('#yikes/cpt/v1/settings#i', request.path, request.body.rest_route, request.queryString.rest_route) and currentUserIsNot('administrator', server.empty)): block(id=499, category='auth-bypass', score=100, description='Custom Product Tabs for WooCommerce <= 1.7.7 - Subscriber+ Settings Update', whitelist=0) if (match('#/dup\-installer/main\.installer\.php$#i', server.script_filename) and currentUserIsNot('administrator', server.empty)): block(id=503, category='information-disclosure', score=100, description='Duplicator – WordPress Migration Plugin <= 1.4.7 - Unauthenticated Backup Download', whitelist=0) if (((match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and 
match('#^jkit_#', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5'])) or ((lengthGreaterThan('0', request.md5Body['42dd1238ecd3cea6190ca8155ef9b7bb'], request.md5QueryString['42dd1238ecd3cea6190ca8155ef9b7bb']) or identical('', request.md5Body['42dd1238ecd3cea6190ca8155ef9b7bb'], request.md5QueryString['42dd1238ecd3cea6190ca8155ef9b7bb'])) and (lengthGreaterThan('0', request.md5Body['3c1d76e6a2e9e5afed4be33600b638f9']) or identical('', request.md5Body['3c1d76e6a2e9e5afed4be33600b638f9'])) ) ) and currentUserIsNot('administrator', server.empty)): block(id=514, category='auth-bypass', score=100, description='WAF-RULE-514', whitelist=0) if ((equals('b2s_save_social_meta_tags', request.body.action, request.queryString.action) or (equals('b2s_user_network_settings', request.body.action, request.queryString.action) and (lengthGreaterThan('0', request.body.legacy_mode) or identical('', request.body.legacy_mode))) or equals('b2s_lock_auto_post_import', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=515, category='insufficient-auth', score=100, description='Blog2Social <= 6.9.11 - Missing Authorization to Authenticated (Subscriber+) Settings Update', whitelist=0) if ((match('/wp-json[\/]+web-stories[\/]+v1[\/]+hotlink[\/]+proxy/i', request.path) or match('/web-stories[\/]+v1[\/]+hotlink[\/]+proxy/i', request.body.rest_route, request.queryString.rest_route)) and match('/\/\/(0|127|10|172|192|169|100)\./i', request.queryString.url)): block(id=516, category='ssrf', score=100, description='Web Stories <= 1.24.0 - Server Side Request Forgery', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('dpwap_plugin_download_url', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=517, category='auth-bypass', score=100, description='Download Plugin <= 1.6.2 - 
Missing Authorization and Sensitive Information Exposure', whitelist=0) if (equals('td_ajax_fb_login_user', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.user.email)): block(id=518, category='priv-esc', score=100, description='tagDiv Composer < 3.5 - Unauthorized Account Access and Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('antihacker_install_plugin', request.body.action, request.queryString.action) or equals('stopbadbots_install_plugin', request.body.action, request.queryString.action) or equals('wpmemory_install_plugin', request.body.action, request.queryString.action) or equals('cardealer_install_plugin', request.body.action, request.queryString.action) or equals('wptools_install_plugin', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=519, category='auth-bypass', score=100, description='Multiple Bill Minozzi Plugins - Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Install', whitelist=0) if (match('#wp\/+v2\/+tags#i', request.path, request.body.rest_route, request.queryString.rest_route) and contains('\'', request.rawBody) and match(sqliRegex, request.rawBody)): block(id=523, category='sqli', score=100, description='Cyr to Lat <= 3.5 - Authenticated SQL Injection', whitelist=0) if (match('/\/wp\-admin\/admin\-ajax\.php$/i', server.script_filename) and (equals('berocket_admin_close_notice', request.queryString.action, request.body.action) OR equals('berocket_subscribe_email', request.queryString.action, request.body.action) OR equals('berocket_rate_stars_close', request.queryString.action, request.body.action) OR equals('berocket_feature_request_send', request.queryString.action, request.body.action) OR equals('berocket_error_notices_get', request.queryString.action, request.body.action) OR equals('berocket_information_close_notice', request.queryString.action, 
request.body.action) OR equals('br_test_key', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=526, category='auth-bypass', score=100, description='BeRocket Plugins <= (Various Versions) - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('ajax_save_options', request.body.action, request.queryString.action) or equals('quick_generator_api', request.body.action, request.queryString.action) or equals('integrate_setup', request.body.action, request.queryString.action) or equals('toggle_services', request.body.action, request.queryString.action) or equals('save_public_api_key', request.body.action, request.queryString.action) or equals('auto_detect_forms', request.body.action, request.queryString.action) or equals('update_options', request.body.action, request.queryString.action) or equals('radar_percentage_reload', request.body.action, request.queryString.action) or equals('cs_configuration', request.body.action, request.queryString.action) or equals('pp_configuration', request.body.action, request.queryString.action) or equals('tc_configuration', request.body.action, request.queryString.action) or equals('cons_configuration', request.body.action, request.queryString.action) or equals('frontpage_main_box', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=528, category='privesc', score=100, description='iubenda <= 3.3.2 - Authenticated (Subscriber+) Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (md5Equals('b254c456fc0fea3d356dbac744ba1394', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('79eb411a0574474c9b544c3fcd76a056', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or 
md5Equals('6ee5d32bb9ef333e8d23a4a84aa80777', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('be422283e46ff4557994546f1afb59ca', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('603e8e451644f9a9704cd2ce61e9d4de', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('207940e9eb2165482ba653b169e56f92', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('b777e22f790d44cc1315dcd12d47953e', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('0cdf70afbfad8fc504c4d6c911feb621', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('a48b99906c864bc7c919ac6e7f6ef968', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('8365bd60f38f7952add8d300c517676d', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('8d2086d798c5bd532b6e60c6d8920629', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5']) or md5Equals('5b5c5ed0942517f1a27d9f3d45ace6a6', request.md5Body['418c5509e2171d55b0aee5c2ea4442b5'], request.md5QueryString['418c5509e2171d55b0aee5c2ea4442b5'])) and currentUserIsNot('administrator', server.empty)): block(id=529, category='auth-bypass', score=100, description='WAF-RULE-529', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('upg_datatable', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=530, category='rce', 
score=100, description='User Post Gallery - UPG <= 2.19 - Missing Authorization to Remote Command Execution', whitelist=0) if ((equals('erm_update_menu_item', request.body.action, request.queryString.action) or equals('erm_delete_menu_item', request.body.action, request.queryString.action) or equals('erm_create_menu_item', request.body.action, request.queryString.action) or equals('erm_update_list_menu_items', request.body.action, request.queryString.action) or equals('erm_list_menu_items', request.body.action, request.queryString.action) or equals('erm_update_menu_week', request.body.action, request.queryString.action)) and currentUserIsNot('administrator',server.empty)): block(id=532, category='insufficient-auth', score=100, description='Quick Restaurant Menu <= 2.0.2 - Missing Authorization', whitelist=0) if (match('#\/+lp\/+v1#i', request.path, request.body.rest_route, request.queryString.rest_route) and match('#(\/|\%2F)(?:(\.|\%2E)(\/|\%2F))*(?:var|usr|mnt|etc|tmp|dev|proc|home)(\/|\%2F)|(\.|\%2E)(\.|\%2E)(\\|\/|\%2F|\%5C)#i', request.rawBody)): block(id=537, category='lfi', score=100, description='LearnPress <= 4.1.7.3.2 - Unauthenticated Local File Inclusion', whitelist=0) if (match('#\/+lp\/+v1#i', request.path, request.body.rest_route, request.queryString.rest_route) and matchCount(sqliRegex, request.rawBody)): block(id=538, category='sqli', score=30, description='LearnPress <= 4.1.7.3.2 - Unauthenticated SQL Injection', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and match('/(irAddRedirect|irInstantEditRedirect|irLoadRedirectSettings|irSaveRedirectSettings|irDeleteRedirect|irStatusBulkEdit|irBulkDelete|irRedirectionPageContent|irLiveSearch|irSelectAll|irLogPageContent|irLogFilter|irAddRedirectRule|irLoadTab|irSaveSettings|irLoadSettings|inisev_installation)/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=548, category='insufficient-auth', 
score=100, description='Redirect Redirection <= 1.1.3 - Missing Authorization Checks on Various Functions', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and (equals('wpms_regenerate_sitemaps', request.body.action, request.queryString.action) or equals('wpms_save_sitemap_settings', request.body.action, request.queryString.action) or equals('wpms_list_posts_category', request.body.action, request.queryString.action) or equals('wpms_sitemap_check_all_category', request.body.action, request.queryString.action) or equals('wpms_gg_save_information', request.body.action, request.queryString.action) or equals('wpms_set_ignore', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=551, category='auth-bypass', score=100, description='WP Meta SEO <= 4.5.3 - Missing Authorization', whitelist=0) if (match('#click5_sitemap\/+API\/+update_html_option_AJAX#i', request.path, request.body.rest_route, request.queryString.rest_route) and currentUserIsNot('administrator', server.empty)): block(id=557, category='options_update', score=100, description='Sitemap by click5 <= 1.0.35 - Arbitrary Options Update', whitelist=0) if (equals('elementor_ajax', request.body.action, request.queryString.action) and match('#pro_woocommerce_update_page_option#', request.body.actions, request.queryString.actions) and currentUserIsNot('administrator', server.empty)): block(id=570, category='priv-esc', score=100, description='Elementor Pro <= 3.11.6 - Authenticated(Subscriber+) Privilege Escalation via update_page_option', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('get_acf_post_meta', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=575, category='insufficient-auth', score=100, description='ACF Quick Edit Fields <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference', 
whitelist=0) if (match('#/getwid/v1/get_remote_content#i', request.body.rest_route, request.queryString.rest_route, request.path) and match('/\/\/(0|127|10|172|192|169|100)\./i', request.queryString['get_content_url'])): block(id=579, category='ssrf', score=100, description='Getwid – Gutenberg Blocks <= 1.8.3 - Authenticated(Subscriber+) Server Side Request Forgery', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('wpfc_preload_single', request.queryString.action, request.body.action) OR equals('wpfc_purgecache_varnish', request.queryString.action, request.body.action) OR equals('wpfc_clear_cache_of_allsites', request.queryString.action, request.body.action) OR equals('wpfc_delete_cache_and_minified', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=581, category='insufficient-auth', score=100, description='WP Fastest Cache <= 1.1.2 - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('thegem_theme_options_api', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=593, category='insufficient-auth', score=100, description='TheGem < 5.8.1.1 - Missing Authorization', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('unlimitedelements_ajax_action', request.body.action, request.queryString.action) and match('#^assets_#', request.body['client_action'], request.queryString['client_action']) and currentUserIsNot('administrator', server.empty)): block(id=601, category='file_upload', score=100, description='Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 - Arbitrary File Upload in File Manager', whitelist=0) if (match('#frm-admin/v1/install-addon#i', request.path, request.body.rest_route, request.queryString.rest_route) and currentUserIsNot('administrator', server.empty)): 
block(id=605, category='insufficient-auth', score=100, description='Formidable Forms <= 6.3 - Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('pm_test_smtp', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=612, category='options_update', score=100, description='ProfileGrid <= 5.4.8 - Authenticated (Subscriber+) Arbitrary Option Update', whitelist=0) if (match('/\/aft-wp-post-author\/v1\/set-user-data/i', request.path, request.body.rest_route, request.queryString.rest_route) and currentUserIsNot('administrator', server.empty)): block(id=613, category='priv-esc', score=100, description='WP Post Author <= 3.3.0 - Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('avc_send_invitations', request.queryString.action, request.body.action) OR equals('avc_delete_invitations', request.queryString.action, request.body.action)) and currentUserIsNot('administrator', server.empty)): block(id=615, category='bypass', score=100, description='Atarim - Client Interface <= 3.9.1 - Missing Authorization via AJAX actions', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and (equals('htmega_ajax_register', request.queryString.action, request.body.action) or equals('nopriv_htmega_ajax_register', request.queryString.action, request.body.action)) and lengthGreaterThan(0, request.queryString.reg_role, request.body.reg_role)): block(id=616, category='priv-esc', score=100, description='HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and ((equals('ast_block_templates_importer', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.api_uri, 
request.queryString.api_uri)) or (equals('ast_block_templates_import_wpforms', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.wpforms_url, request.queryString.wpforms_url))) and currentUserIsNot('administrator', server.empty)): block(id=619, category='ssrf', score=100, description='Spectra <= 2.6.6 - Authenticated (Contributor+) Server-Side Request Forgery in template_importer and import_wpforms', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and ( ( equals('w3dev_toggle_ban_user', request.queryString.action, request.body.action) and lengthGreaterThan(0, request.queryString.user_id, request.body.user_id) ) or equals('w3dev_save_ban_user_settings', request.body.action, request.queryString.action) ) and currentUserIsNot('administrator', server.empty)): block(id=622, category='priv-esc', score=100, description='BAN Users <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation', whitelist=0) if (equals('wpvividstg_start_staging_free', request.body.action, request.queryString.action) or equals('wpvividstg_get_staging_progress_free', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=631, category='privesc', score=100, description='WPvivid Backup Plugin <= 0.9.90 - Missing Authorization via start_staging and get_staging_progress', whitelist=0) if (match('#/mvx_module/v1/#i', request.body.rest_route, request.queryString.rest_route, request.path) and currentUserIsNot('administrator', server.empty)): block(id=632, category='auth-bypass', score=100, description='MultiVendorX <= 4.0.25 - Improper Authorization on REST Routes via save_settings_permission', whitelist=0) if (match('#\/superstorefinder\-wp\/sendMail\.php$#i', server.script_filename) and currentUserIsNot('administrator', server.empty)): block(id=634, category='spam', score=100, description='Super Store Finder <= 6.9.2 - 
Unauthenticated Email Creation/Sending', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and ( equals('sfsi_save_export', request.queryString.action, request.body.action) ) and currentUserIsNot('administrator', server.empty)): block(id=635, category='auth-bypass', score=100, description='Social Media Share Buttons & Social Sharing Icons <= 2.8.5 - Information Exposure', whitelist=0) if (match('#\[(php|allowphp)#i', request.rawBody, request.body.content, request.body.shortcode) and currentUserIsNot('administrator', server.empty)): block(id=636, category='rce', score=100, description='Allow PHP in Posts and Pages <= 3.0.4 - Authenticated (Subscriber+) Remote Code Execution via Shortcode', whitelist=0) if (equals('wpas_import_product_from_amazon', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=639, category='file_upload', score=100, description='Dropshipping & Affiliation with Amazon <= 2.1.2 - Authenticated (Subscriber+) Arbitrary File Upload', whitelist=0) if (equals('parse-media-shortcode', request.body.action, request.queryString.action) and notMatch('/^\[(audio|embed|playlist|video|gallery)/i', request.body.shortcode)): block(id=640, category='auth-bypass', score=100, description='WordPress Core < 6.3.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and match('/(two_init_flow_score|nopriv_two_init_flow_score|activate_score_check|nopriv_activate_score_check)/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=644, category='insufficient-auth', score=100, description='10Web Booster <= 2.24.14 - Unauthenticated Arbitrary Option Deletion', whitelist=0) if (equals('byconsolewooodt_admin_fields_setting_files', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): 
block(id=646, category='priv-esc', score=100, description='WooODT Lite <= 2.4.6 - Missing Authorization to Arbitrary Options Update', whitelist=0) if (equals('save_fe_option', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=648, category='priv-esc', score=100, description='WP Courses LMS <= 3.2.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update', whitelist=0) if (match('#/includes/backup-heart.php$#i', server.script_filename)): block(id=652, category='rce', score=100, description='WAF-RULE-652', whitelist=0) if (match('/(^|;|{|})(?:O|C):\d+:"WP_HTML_Token/i', request.headers, request.cookies, request.body, request.queryString, request.rawBody)): block(id=653, category='rce', score=100, description='WordPress Core 6.4-6.4.1 - Remote Code Execution POP Chain via Object Injection', whitelist=0) if (equals('omgf-update', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=655, category='insufficient-auth', score=100, description='OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. 
<= 5.7.6 - Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting', whitelist=0) if (equals('rednao_smart_forms_save_settings', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=657, category='priv-esc', score=100, description='Smart Forms <= 2.6.84 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update', whitelist=0) if (equals('unitecreator_elementor_import_template', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=660, category='rce', score=100, description='Unlimited Elements for Elementor <= 1.5.88 - Authenticated(Contributor+) Remote Code Execution via template import', whitelist=0) if (match('#/post-smtp/v1/connect-app#i', request.path, request.body.rest_route, request.queryString.rest_route) and (lengthLessThan('1', request.headers['Auth-Key']) or equals('0', request.headers['Auth-Key']))): block(id=661, category='auth-bypass', score=100, description='POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.6 - Authorization Bypass via type connect-app API', whitelist=0) if (match('/(^|\/|\\)\.\.(\\|\/)/', request.headers) and currentUserIsNot('administrator', server.empty)): block(id=664, category='traversal', score=100, description='Directory Traversal via HTTP Headers') if ((equals('mk_check_filemanager_php_syntax', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)) or match('#/wp\-content/uploads/fm_temp\.php$#i', server.script_filename)): block(id=665, category='rce', score=100, description='File Manager Pro <= 8.3.4 - Authenticated(Subscriber+) Remote Code Execution via mk_check_filemanager_php_syntax', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('um_get_members', request.body.action, request.queryString.action) and 
notMatch('/^[a-z_-]*$/ix', request.body['sorting'])): block(id=672, category='sqli', score=100, description='Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.1.3 - 2.8.2 - Unauthenticated SQL Injection', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('slimstat_manage_filters', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=673, category='insufficient-auth', score=100, description='SlimStat Analytics <= 5.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting', whitelist=0) if ((match('/wp-json[\/]+lc_public_api[\/]+v1[\/]+proxy/i', request.path) or match('/lc_public_api[\/]+v1[\/]+proxy/i', request.body.rest_route, request.queryString.rest_route)) and equals('wp_delete_post', request.body.endpoint, request.queryString.endpoint) and (currentUserIsNot('editor', server.empty) and currentUserIsNot('administrator', server.empty))): block(id=675, category='insufficient-auth', score=100, description='LeadConnector <= 1.7 - Missing Authorization to Unauthenticated Arbitrary Post Deletion', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('pbs_inspector_dropdown_db', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=676, category='information-disclosure', score=100, description='Page Builder Sandwich – Front End WordPress Page Builder Plugin <= 5.1.0 - Sensitive Information Exposure', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('wpr_addons_upload_file', request.body.action, request.queryString.action) and match('/\.(xml|svgz)($|\.)/i', request.fileNames) and currentUserIsNot('administrator', server.empty)): block(id=678, category='file_upload', score=100, description='WAF-RULE-678', whitelist=0) if 
(match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('unitecreator_ajax_action', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=680, category='file_upload', score=100, description='Addon Library <= 1.3.76 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('rm_update_users_role', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=681, category='priv-esc', score=100, description='RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 5.2.6.0 - Authenticated (Subscriber+) Privilege Escalation', whitelist=0) if (equals('mo_wpns_change_password', request.body.option)): block(id=682, category='priv-esc', score=100, description='Malware Scanner <= 4.7.2 - Unauthenticated Privilege Escalation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('user_registration_form_save_action', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=684, category='priv-esc', score=100, description='User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.1.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation', whitelist=0) if ((match('/wp-json[\/]+fluentform[\/]+v1[\/]+global-settings/i', request.path) or match('/wp-json[\/]+fluentform[\/]+v1[\/]+managers/i', request.path) or match('/fluentform[\/]+v1[\/]+global-settings/i', request.body.rest_route, request.queryString.rest_route) or match('/fluentform[\/]+v1[\/]+managers/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=686, category='insufficient-auth', score=100, 
description='WAF-RULE-686', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and contains('pp-registration-form', request.body.actions, request.queryString.actions) and contains('user_role', request.body.actions, request.queryString.actions) and equals('elementor_ajax', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=690, category='priv-esc', score=100, description='PowerPack Pro for Elementor <= 2.10.17 - Authenticated (Contributor+) Privilege Escalation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('visualizer-fetch-db-data', request.body.action, request.queryString.action) and matchCount(sqliRegex, request.body.params.query) and currentUserIsNot('administrator', server.empty)): block(id=691, category='sqli', score=100, description='Visualizer: Tables and Charts Manager for WordPress <= 3.10.15 - Missing Authorization to Arbitrary SQL Execution', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('wpdp_add_new_datepicker_ajax', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.wpdp_form_data) and currentUserIsNot('administrator', server.empty)): block(id=692, category='options_update', score=100, description='WP Datepicker <= 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('yotu_pagination', request.body.action, request.queryString.action) and (match('/(^|(\%2F)|(\%5C))\.\.((\%2F)|(\%5C))/', base64decode(request.body.settings)) or match('/(^|\/|\\)\.\.(\\|\/)/', base64decode(request.body.settings)))): block(id=693, category='lfi', score=100, description='WAF-RULE-693', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('ig_es_do_import', 
request.body.action, request.queryString.action) and matchCount(sqliRegex, request.body.options.list_id, request.queryString.options.list_id) and currentUserIsNot('administrator', server.empty)): block(id=699, category='sqli', score=100, description='WAF-RULE-699', whitelist=0) if ((match('/wp-json[\/]+instawp-connect[\/]+v1[\/]+config/i', request.path) or match('/instawp-connect[\/]+v1[\/]+config/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=700, category='insufficient-auth', score=100, description='WAF-RULE-700', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and match('/xoo_admin_settings_(?:import|export)/i', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=701, category='options_update', score=100, description='XootiX Framework <= Various Plugin Versions - Missing Authorization to Arbitrary Options Update', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('mec_fes_form', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.mec.featured_image) and notMatch('/^(?!:.*\.[^.]+\.)(?:[^.]+)\.(png|gif|jpg|jpeg|jif|jfif)$/i', request.body.mec.featured_image) and currentUserIsNot('administrator', server.empty)): block(id=702, category='file_upload', score=100, description='Modern Events Calendar <= 7.10.0 - Authenticated (Subscriber+) Arbitrary File Upload', whitelist=0) if ((identical('', request.body.epform) or lengthGreaterThan('0', request.body.epform)) and currentUserIsNot('administrator',server.empty)): block(id=703, category='xss', score=100, description='Easy Pixels by JEVNET <= 2.13 - Unauthenticated Stored Cross-Site Scripting', whitelist=0) if (lengthGreaterThan('0', request.queryString.delete_hb) and lengthGreaterThan('0', request.queryString.hb, request.body.hb) and 
currentUserIsNot('administrator',server.empty)): block(id=704, category='insufficient-auth', score=100, description='WordPress Header Builder Plugin – Pearl <= 1.3.7 - Missing Authorization to Unauthenticated Arbitrary Site Options Deletion', whitelist=0) if (equals('post', request.queryString.__kds_flag) and equals('keydatas.com', request.body.kds_password)): block(id=707, category='file_upload', score=100, description='Keydatas <= 2.5.2 - Unauthenticated Arbitrary File Upload', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and (equals('eventon_import_settings', request.body.action, request.queryString.action) or equals('nopriv_eventon_import_settings', request.body.action, request.queryString.action)) and currentUserIsNot('administrator', server.empty)): block(id=708, category='insufficient-auth', score=100, description='EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('createTable', request.queryString.action, request.body.action) and equals('wtbp', request.queryString.pl, request.body.pl) and equals('wootablepress', request.queryString.mod, request.body.mod)): block(id=711, category='rce', score=100, description='WAF-RULE-711', whitelist=0) if ((match('/wp-json[\/]+full-customer[\/]+license/i', request.path) or match('/full-customer[\/]+license/i', request.body.rest_route, request.queryString.rest_route)) and currentUserIsNot('administrator', server.empty)): block(id=714, category='insufficient-auth', score=100, description='FULL <= 3.1.12 - Unauthenticated Stored Cross-Site Scripting via License Plan Parameter', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('bookingpress_save_lite_wizard_settings', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): 
block(id=717, category='file_upload', score=100, description='BookingPress Appointment Booking <= 1.1.5 - Authenticated (Subscriber+) Arbitrary File Read to Arbitrary File Creation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('bookingpress_import_data_process', request.queryString.action, request.body.action) and currentUserIsNot('administrator', server.empty)): block(id=719, category='insufficient-auth', score=100, description='BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Arbitrary File Upload', whitelist=0) if (( equals('jssupportticket', request.body.form_request) or equals('jstask', request.queryString.action) ) and equals('themes', request.queryString.page, request.body.page) and equals('savetheme', request.queryString.task, request.body.task) and currentUserIsNot('administrator', server.empty)): block(id=721, category='rce', score=100, description='JS Help Desk – The Ultimate Help Desk & Support Plugin <= 2.8.6 - Unauthenticated PHP Code Injection to Remote Code Execution', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('wpcom_register', request.body.action, request.queryString.action) and ( lengthGreaterThan('0', request.body.role) or lengthGreaterThan('0', request.body.wp_capabilities) or identical('', request.body.wp_capabilities) or lengthGreaterThan('0', request.body.wp_user_level) )): block(id=723, category='priv-esc', score=100, description='WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and ( equals('bit_fm_connector_front', request.body.action, request.queryString.action) or equals('nopriv_bit_fm_connector_front', request.body.action, request.queryString.action) or equals('bit_fm_connector', 
request.body.action, request.queryString.action) ) and equals('put', request.body.cmd, request.queryString.cmd) and currentUserIsNot('administrator', server.empty)): block(id=724, category='rce', score=100, description='Bit File Manager 6.0 - 6.5.5 - Unauthenticated Remote Code Execution via Race Condition', whitelist=0) if (( equals('wpjobportal', request.body.form_request) or equals('wpjobportaltask', request.queryString.action) ) and equals('configuration', request.queryString.wpjobportalme, request.body.wpjobportalme) and ( equals('handleRequest', request.queryString.task, request.body.task) or equals('saveconfiguration', request.queryString.task, request.body.task) ) and currentUserIsNot('administrator', server.empty)): block(id=727, category='priv-esc', score=100, description='WAF-RULE-727', whitelist=0) if (lengthGreaterThan('0', request.cookies['litespeed_role']) and lengthGreaterThan('0', request.cookies['litespeed_hash']) and currentUserIsNot('administrator', server.empty)): block(id=728, category='priv-esc', score=100, description='LiteSpeed Cache <= 6.3.0.1 - Unauthenticated Privilege Escalation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('wcfm_ajax_controller', request.body.action, request.queryString.action) and equals('wcfm-customers-manage', request.body.controller) and ( contains('customer_id', request.body.wcfm_customers_manage_form) or contains('customer%5Fid', request.body.wcfm_customers_manage_form) ) and currentUserIsNot('administrator', server.empty)): block(id=733, category='priv-esc', score=100, description='WAF-RULE-733', whitelist=0) if (equals('submit', request.queryString['dhvc-form-ajax']) and equals('register', request.body['_dhvc_form_action']) and lengthGreaterThan('0', request.body['role']) and currentUserIsNot('administrator', server.empty)): block(id=738, category='priv-esc', score=100, description='WAF-RULE-738', whitelist=0) if (match('#/inc/barcode.php$#i', 
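server.script_filename) and lengthGreaterThan('0', request.queryString.filepath)): block(id=739, category='traversal', score=100, description='WooEvents <= 4.1.2 - Unauthenticated Arbitrary File Overwrite', whitelist=0) if (equals('save_registration', request.queryString.charitable_action, request.body.charitable_action) and lengthGreaterThan('0', request.body.ID) and currentUserIsNot('administrator', server.empty)): block(id=740, category='priv-esc', score=100, description='Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress <= 1.8.1.14 - Insecure Direct Object Reference to Account Takeover and Privilege Escalation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('latepoint_route_call', request.queryString.action, request.body.action) and equals('customer_cabinet__change_password', request.queryString.route_name, request.body.route_name) and ( ( lengthGreaterThan('0', request.body.params) and match('/password_reset_token/', request.body.params) and notMatch('/password_reset_token(?:%3D|=)[a-f0-9]{40}/', request.body.params) ) or ( lengthGreaterThan('0', request.body.params.password_reset_token) and notMatch('/^[a-f0-9]{40}$/', request.body.params.password_reset_token) ) or ( lengthGreaterThan('0', request.queryString.password_reset_token) and notMatch('/^[a-f0-9]{40}$/', request.queryString.password_reset_token) ) )): block(id=741, category='sqli', score=100, description='LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injection', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('latepoint_route_call', request.queryString.action, request.body.action) and equals('steps__load_step', request.queryString.route_name, request.body.route_name) and ( match('/customer(?:%5B|\[)(id|wordpress_user_id)(?:%5D|\])(?:%3D|=)\d+/', request.body.params) or lengthGreaterThan('0', request.body.params.customer.id, 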
request.body.params.customer.wordpress_user_id) or lengthGreaterThan('0', request.queryString.customer.id, request.queryString.customer.wordpress_user_id) )): block(id=742, category='auth-bypass', score=100, description='LatePoint <= 5.0.12 - Authentication Bypass', whitelist=0) if (match('#/wfu_file_downloader.php$#i', server.script_filename) and ( match('/(^|\/|\\)\.\.(\\|\/)/', request.cookies.wfu_storage_) or match('/^\/(?:\.\/)*(?:var|usr|mnt|etc|tmp|dev|proc)\//i', request.cookies.wfu_storage_) ) and equals('cookies', request.body.dboption_base, request.queryString.dboption_base)): block(id=744, category='file_delete', score=100, description='WAF-RULE-744', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('rate_request_result', request.body.action, request.queryString.action) and ( contains('capabilities', request.body.slug) or contains('user_level', request.body.slug) )): block(id=748, category='priv-esc', score=100, description='WP Video Robot <= 1.20.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update', whitelist=0) if (( match('/wp-json[\/]+gutenkit[\/]+v1[\/]+install-active-plugin/i', request.path) or match('/gutenkit[\/]+v1[\/]+install-active-plugin/i', request.body.rest_route, request.queryString.rest_route) ) and currentUserIsNot('administrator', server.empty)): block(id=749, category='file_upload', score=100, description='GutenKit <= 2.1.0 - Unauthenticated Arbitrary File Upload', whitelist=0) if (( match('/wp-json[\/]+timetics[\/]+v1[\/]+customers/i', request.path) or match('/timetics[\/]+v1[\/]+customers/i', request.body.rest_route, request.queryString.rest_route) ) and currentUserIsNot('administrator', server.empty)): block(id=750, category='priv-esc', score=100, description='WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover', 
whitelist=0) if (lengthGreaterThan('0', request.body.echo_user_input) and lengthGreaterThan('0', request.body.echo_user_input_name) and lengthGreaterThan('0', request.body.echo_user_input_email) and lengthGreaterThan('0', request.body.echo_user_input_pass) and ( notEquals('subscriber', request.body.echo_new_user_role) and notEquals('contributor', request.body.echo_new_user_role) ) and currentUserIsNot('administrator', server.empty)): block(id=751, category='priv-esc', score=100, description='Echo RSS Feed Post Generator <= 5.4.6 - Unauthenticated Privilege Escalation', whitelist=0) if (( match('/wp-json[\/]+mapster-wp-maps[\/]+set-option/i', request.path) or match('/mapster-wp-maps[\/]+set-option/i', request.body.rest_route, request.queryString.rest_route) ) and currentUserIsNot('administrator', server.empty)): block(id=752, category='options_update', score=100, description='WAF-RULE-752', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('rtwwwap_login_request', request.body.action, request.queryString.action) and equals('true', request.body.email_valid) and lengthGreaterThan('0', request.body.user_id_email)): block(id=753, category='auth-bypass', score=100, description='WordPress & WooCommerce Affiliate Program <= 8.4.1 - Authentication Bypass to Account Takeover and Privilege Escalation', whitelist=0) if (( match('/wp-json[\/]+hc[\/]+v1[\/]+themehunk-import/i', request.path) or match('/hc[\/]+v1[\/]+themehunk-import/i', request.body.rest_route, request.queryString.rest_route) ) and currentUserIsNot('administrator', server.empty)): block(id=755, category='file_upload', score=100, description='Hunk Companion <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation', whitelist=0) if (match('#/envato-setup-export.php$#i', server.script_filename) and ( match('/(^|\/|\\)\.\.(\\|\/)/', request.body.zip_file) or match('/^\/(?:\.\/)*(?:var|usr|mnt|etc|tmp|dev|proc)\//i', 
request.body.zip_file) ) and ( lengthGreaterThan('0', request.body.download_export_zip) or identical('', request.body.download_export_zip) ) and currentUserIsNot('administrator', server.empty)): block(id=757, category='file_delete', score=100, description='WAF-RULE-757', whitelist=0) if (equals('rm_reset_password_form', request.body.rm_form_sub_id, request.queryString.rm_form_sub_id) and identical('', request.body.token_val, request.queryString.token_val)): block(id=758, category='priv-esc', score=100, description='RegistrationMagic – User Registration Plugin with Custom Registration Forms <= 6.0.2.6 - Unauthenticated Privilege Escalation via Password Recovery', whitelist=0) if (( equals('antispam', request.queryString.plugin_name) or equals('anti-spam', request.queryString.plugin_name) or equals('apbct', request.queryString.plugin_name) ) and ( equals('d41d8cd98f00b204e9800998ecf8427e', request.queryString.spbc_remote_call_token) or equals('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', request.queryString.spbc_remote_call_token) ) and lengthGreaterThan('0', request.queryString.spbc_remote_call_action)): block(id=761, category='insufficient-auth', score=100, description='WAF-RULE-761', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('post_cg_login', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.cgResetPasswordWpUserID, request.queryString.cgResetPasswordWpUserID) and lengthGreaterThan('0', request.body.cgLostPasswordNew, request.queryString.cgLostPasswordNew)): block(id=767, category='priv-esc', score=100, description='Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and ( equals('wpforms_stripe_payments_refund', request.body.action, request.queryString.action) or equals('wpforms_stripe_payments_cancel', 
request.body.action, request.queryString.action) ) and currentUserIsNot('administrator', server.empty)): block(id=768, category='insufficient-auth', score=100, description='WAF-RULE-768', whitelist=0) if (( match('/wp-json[\/]+appp[\/]+v1[\/]+reset-password/i', request.path) or match('/appp[\/]+v1[\/]+reset-password/i', request.body.rest_route, request.queryString.rest_route) ) and ( identical('', request.queryString.code, request.body.code) or ( equals('', request.queryString.code, request.body.code) and lengthGreaterThan('0', request.queryString.code, request.body.code) ) )): block(id=771, category='priv-esc', score=100, description='AppPresser – Mobile App Framework <= 4.4.6 - Unauthenticated Privilege Escalation via Password Reset', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('nitropack_dismiss_notice_forever', request.body.action, request.queryString.action) and ( ( lengthGreaterThan('0', request.body.notice) and notEquals('nitropack-noticeOptimizeCPT', request.body.notice) ) or ( lengthGreaterThan('0', request.queryString.notice) and notEquals('nitropack-noticeOptimizeCPT', request.queryString.notice) ) )): block(id=773, category='options_update', score=100, description='WAF-RULE-773', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('royal_restore_backup', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=775, category='options_update', score=100, description='WAF-RULE-775', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('ironMusic_ajax', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=776, category='options_update', score=100, description='WAF-RULE-776', whitelist=0) if (equals('wp_job_board_pro_ajax_register', request.body['wjbp-ajax'], request.queryString['wjbp-ajax']) and 
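lengthGreaterThan('0', request.body.role) and notEquals('subscriber', request.body.role)): block(id=777, category='priv-esc', score=100, description='WAF-RULE-777', whitelist=0) if (( match('/wp-json[\/]+mvsp[\/]+v1[\/]+export-db/i', request.path) or match('/mvsp[\/]+v1[\/]+export-db/i', request.body.rest_route, request.queryString.rest_route) ) and currentUserIsNot('administrator', server.empty)): block(id=778, category='insufficient-auth', score=100, description='WAF-RULE-778', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('homey_save_profile', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.role) and notEquals('subscriber', request.body.role)): block(id=780, category='priv-esc', score=100, description='WAF-RULE-780', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('homey_register', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.role) and notEquals('subscriber', request.body.role)): block(id=781, category='priv-esc', score=100, description='WAF-RULE-781', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('apus_import_sample', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=783, category='options_update', score=100, description='WAF-RULE-783', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and ( equals('lps_generate_temp_access_url', request.body.action, request.queryString.action) or equals('lps_reset_settings', request.body.action, request.queryString.action) or equals('lps_revoke_access', request.body.action, request.queryString.action) ) and currentUserIsNot('administrator', server.empty)): block(id=786, category='insufficient-auth', score=100, description='ALL In One Custom Login Page <= 7.1.1 - Missing Authorization to Authenticated 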
(Subscriber+)Privilege Escalation', whitelist=0) if (lengthGreaterThan('0', request.body['likedin-login-request'], request.queryString['likedin-login-request'])): block(id=790, category='auth-bypass', score=100, description='WAF-RULE-790', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('foodbakery_registration_validation', request.body.action, request.queryString.action) and match('/(capabilities|user_level|role)/i', request.body.social_meta_key, request.queryString.social_meta_key)): block(id=791, category='priv-esc', score=100, description='WAF-RULE-791', whitelist=0) if (equals('social_login', request.body.action, request.queryString.action) and equals('ajax', request.body.login_submit, request.queryString.login_submit) and equals('twitter', request.body.social_login_provider, request.queryString.social_login_provider) and match('/\.php.?$/i', request.body.publisher_profile_image_url, request.queryString.publisher_profile_image_url)): block(id=792, category='file_upload', score=100, description='WAF-RULE-792', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('um_get_members', request.body.action, request.queryString.action) and match(sqliRegex, request.body.search)): block(id=793, category='sqli', score=100, description='WAF-RULE-793', whitelist=0) if (match('#/wp\-admin/admin\-ajax\.php$#i', server.script_filename) and equals('raven_form_frontend', request.body.action, request.queryString.action) and match('/\.(svg|svgz)($|\.)/i', request.fileNames) and currentUserIsNot('editor', server.empty) and currentUserIsNot('administrator', server.empty)): block(id=794, category='file_upload', score=100, description='WAF-RULE-794', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('wccm_customer_assign_roles', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=795, 
category='priv-esc', score=100, description='WAF-RULE-795', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and ( equals('gsf_save_options', request.body.action, request.queryString.action) or equals('gsf_upload_fonts', request.body.action, request.queryString.action) or equals('gsf_import_theme_options', request.body.action, request.queryString.action) or equals('gsf_reset_section_options', request.body.action, request.queryString.action) or equals('gsf_create_preset_options', request.body.action, request.queryString.action) or equals('gsf_delete_preset', request.body.action, request.queryString.action) or equals('gsf_delete_custom_font', request.body.action, request.queryString.action) or equals('gsf_change_font', request.body.action, request.queryString.action) ) and currentUserIsNot('administrator', server.empty)): block(id=799, category='insufficient-auth', score=100, description='WAF-RULE-799', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('ct_add_new_member', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.ct_user_role) and ( notEquals('subscriber', request.body.ct_user_role) and notEquals('buyer', request.body.ct_user_role) and notEquals('seller', request.body.ct_user_role) and notEquals('agent', request.body.ct_user_role) )): block(id=800, category='priv-esc', score=100, description='Real Estate 7 WordPress <= 3.5.1 - Unauthenticated Privilege Escalation to Administrator', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and ( equals('newsblogger_install_activate_plugin', request.body.action, request.queryString.action) or equals('newscrunch_install_activate_plugin', request.body.action, request.queryString.action) ) and currentUserIsNot('administrator', server.empty)): block(id=809, category='file_upload', score=100, description='WAF-RULE-809', whitelist=0) if 
(match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('uip_save_form_as_option', request.body.action, request.queryString.action) and currentUserIsNot('administrator', server.empty)): block(id=810, category='options_update', score=100, description='WAF-RULE-810', whitelist=0) if (( match('/wp-json[\/]+sure-triggers[\/]+v1[\/]+automation/i', request.path) or match('/sure-triggers[\/]+v1[\/]+automation/i', request.body.rest_route, request.queryString.rest_route) or match('/wp-json[\/]+sure-triggers[\/]+v1[\/]+connection[\/]+(?:revoke|child-integration-verify|update|disconnect)/i', request.path) or match('/sure-triggers[\/]+v1[\/]+connection[\/]+(?:revoke|child-integration-verify|update|disconnect)/i', request.body.rest_route, request.queryString.rest_route) ) and ( lengthLessThan('1', request.headers['St-Authorization']) or equals('0', request.headers['St-Authorization']) or identical('', request.headers['St-Authorization']) )): block(id=819, category='insufficient-auth', score=100, description='SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('urbango_membership_register_user', request.body.action, request.queryString.action) and match('#user_register_role(?:%3D|=)(?:administrator|editor|shop_manager)#i', request.body.register_data)): block(id=820, category='priv-esc', score=100, description='UrbanGo Membership <= 1.0.4 - Unauthenticated Privilege Escalation', whitelist=0) if (match('/\/wp\-admin[\/]+admin\-ajax\.php/i', server.script_filename) and equals('reales_update_user_profile', request.body.action, request.queryString.action) and lengthGreaterThan('0', request.body.user_id)): block(id=821, category='priv-esc', score=100, description='WAF-RULE-821', whitelist=0) if (lengthGreaterThan('0', request.md5QueryString['c790cbc3c4338d1467a98957996811c0']) or 
(match('/wp-json[\/]+custom[\/]+v1[\/]+admin-command/i', request.path) or match('/custom[\/]+v1[\/]+admin-command/i', request.md5Body['c98d48a702d2fb75df0353af9c222655'], request.md5QueryString['c98d48a702d2fb75df0353af9c222655'])) ): block(id=824, category='backdoor', score=100, description='WAF-RULE-824', whitelist=0) if (equals('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)', request.headers['User-Agent']) or match('#mozlila#i',request.headers['User-Agent']) or equals('Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0', request.headers['User-Agent']) or equals('Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0', request.headers['User-Agent']) or equals('Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0', request.headers['User-Agent']) or match('#^anonymousfox#i', request.headers['Referer']) or equals('Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0', request.headers['User-Agent']) or equals('wp_is_mobile', request.headers['User-Agent']) or equals('ALittle Client', request.headers['User-Agent']) or equals('ALittleClient', request.headers['User-Agent']) or match('#colonel#i', request.headers['User-Agent'])): block(id=307, category='brute-force', score=100, description='Known malicious User-Agents', whitelist=0)