Create New Item
Item Type
File
Folder
Item Name
Search file in folder and subfolders...
Are you sure want to rename?
overpastor
/
wp68
/
wp-content
/
imunify-security
:
rules.php
Advanced Search
Upload
New Item
Settings
Back
Back Up
Advanced Editor
Save
<?php if ( ! defined( 'WPINC' ) ) { exit; } return json_decode( '{"version": "0.416.0", "rules": {"CVE-2023-7306": {"ajax_action": "wpfm_delete_multiple_files", "conditions": [{"name": "ARGS:file_ids", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2023-7306", "mode": "block", "severity": 7.5, "slug": "nmedia-user-file-uploader", "target": "plugin", "versions": "<=21.5"}, "CVE-2024-7031": {"ajax_action": "njt_fs_action", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-7031", "mode": "block", "severity": 7.5, "slug": "filester", "target": "plugin", "versions": "<=1.8.2"}, "CVE-2025-5282": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "wptravelengine/v2/trips"}, {"name": "ARGS:id", "type": "exists"}, {"name": "ARGS:package_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-5282", "method": "DELETE", "mode": "block", "severity": 7.5, "slug": "wp-travel-engine", "target": "plugin", "versions": "<=6.5.1"}, "CVE-2025-6814": {"action": "init", "conditions": [{"name": "ARGS:export_xml", "type": "exists"}, {"name": "ARGS:export_xml", "type": "equals", "value": "Export xml"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6814", "method": "POST", "mode": "block", "severity": 7.5, "slug": "booking-x", "target": "plugin", "versions": ">=1.1.0"}, "RULE-CAMPAIGN-LEARNPRESS-C-ONLY-FIELDS-SQLI-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/learnpress/v1/(courses|profile/course-tab)([/?&]|$)~i"}, {"name": "ARGS:c_only_fields", "type": "detectSQLi"}], "cve": "CAMPAIGN-2026-W18-LEARNPRESS-CFIELDS-SQLI", "description": "LearnPress \\u2014 block SQL injection attempts via the \'c_only_fields\' query\\nparameter on the REST endpoints /wp-json/learnpress/v1/courses and\\n/wp-json/learnpress/v1/profile/course-tab. The parameter is a column-name\\nprojection list; legitimate values are bare identifiers. SQL keywords or\\nfunction-call syntax in the value indicates injection.\\n", "mode": "block", "severity": 8.5, "slug": "learnpress", "tags": ["sql-injection", "rest-api", "unauthenticated"], "target": "plugin", "versions": ">=0"}, "RULE-CAMPAIGN-TRIBE-V1-EVENTS-STATUS-SQLI-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/tribe/events/v1/events([/?&]|$)~i"}, {"name": "ARGS:status", "type": "detectSQLi"}], "cve": "CAMPAIGN-2026-W18-TRIBE-STATUS-SQLI", "description": "The Events Calendar \\u2014 block SQL injection attempts via the \'status\' query\\nparameter on the REST endpoint /wp-json/tribe/events/v1/events. Complements\\nexisting coverage for the documented \'s\' parameter SQLi (CVE-2025-9807,\\nCVE-2025-12197) and \'order\' parameter SQLi (CVE-2024-8275).\\n", "mode": "block", "severity": 8.5, "slug": "the-events-calendar", "tags": ["sql-injection", "rest-api", "unauthenticated"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2015-10133-01": {"action": "init", "conditions": [{"name": "ARGS:wp-subscription-manager", "type": "equals", "value": "1"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2015-10133", "method": "GET", "mode": "block", "severity": 7.2, "slug": "subscribe-to-comments", "target": "plugin", "versions": "<=2.1.2"}, "RULE-CVE-2017-20192-01": {"ajax_action": "frm_forms_preview", "conditions": [{"name": "ARGS:after_html", "type": "regex", "value": "~(?:<\\\\s*script[\\\\s/>]|<\\\\s*(?:iframe|svg|img|body|object|embed|video|audio|source|link|meta|form|input|details|marquee)\\\\b[^>]*\\\\bon[a-z]+\\\\s*=|on(?:load|error|click|mouseover|focus|blur|submit|change|input|keydown|keyup|keypress|abort|toggle|animationstart|animationend)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*[a-z0-9.+-]*\\\\s*[;,]?\\\\s*(?:base64|charset)|expression\\\\s*\\\\(|<\\\\s*style[^>]*>[^<]*expression|&#x?0*(?:6[ad]|4[ad]|3c|2f);?|%3[Cc]\\\\s*script)~i"}], "cve": "CVE-2017-20192", "description": "Formidable Form Builder <2.05.03 unauthenticated stored XSS via after_html parameter in frm_forms_preview AJAX action", "mode": "block", "severity": 6.1, "slug": "formidable", "target": "plugin", "versions": "<2.05.03"}, "RULE-CVE-2017-20192-02": {"ajax_action": "frm_forms_preview", "conditions": [{"name": "ARGS:before_html", "type": "regex", "value": "~(?:<\\\\s*script[\\\\s/>]|<\\\\s*(?:iframe|svg|img|body|object|embed|video|audio|source|link|meta|form|input|details|marquee)\\\\b[^>]*\\\\bon[a-z]+\\\\s*=|on(?:load|error|click|mouseover|focus|blur|submit|change|input|keydown|keyup|keypress|abort|toggle|animationstart|animationend)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*[a-z0-9.+-]*\\\\s*[;,]?\\\\s*(?:base64|charset)|expression\\\\s*\\\\(|<\\\\s*style[^>]*>[^<]*expression|&#x?0*(?:6[ad]|4[ad]|3c|2f);?|%3[Cc]\\\\s*script)~i"}], "cve": "CVE-2017-20192", "description": "Formidable Form Builder <2.05.03 unauthenticated stored XSS via before_html parameter in frm_forms_preview AJAX action", "mode": "block", "severity": 6.1, "slug": "formidable", "target": "plugin", "versions": "<2.05.03"}, "RULE-CVE-2019-25214-01": {"ajax_action": "run_table_migration", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "run_table_migration"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2019-25214", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpshopify", "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2019-25214-02": {"ajax_action": "run_table_migration", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "run_table_migration"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2019-25214", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wpshopify", "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2019-25217-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/siteground-optimizer/v1/switch-php(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2019-25217", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25217", "description": "SG Optimizer <=5.0.12 unauthenticated PHP version switch via REST API", "method": "POST", "mode": "block", "severity": 9.8, "slug": "sg-cachepress", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=5.0.12"}, "RULE-CVE-2019-25221-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:media_type", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "POST", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:id", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-04": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:search_term", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-05": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:order_pos", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2019-25221-06": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:order_by", "type": "detectSQLi"}], "cve": "CVE-2019-25221", "method": "GET", "mode": "block", "severity": 4.9, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2020-36730-01": {"ajax_action": "cmp_get_post_detail", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36730", "description": "CMP Coming Soon and Maintenance <=3.8.1 missing authorization on cmp_get_post_detail AJAX handler", "mode": "block", "severity": 9.3, "slug": "cmp-coming-soon-maintenance", "target": "plugin", "versions": "<=3.8.1"}, "RULE-CVE-2020-36730-02": {"ajax_action": "niteo_export_csv", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36730", "description": "CMP Coming Soon and Maintenance <=3.8.1 missing authorization on niteo_export_csv AJAX handler", "mode": "block", "severity": 9.3, "slug": "cmp-coming-soon-maintenance", "target": "plugin", "versions": "<=3.8.1"}, "RULE-CVE-2020-36730-03": {"ajax_action": "cmp_disable_comingsoon_ajax", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36730", "description": "CMP Coming Soon and Maintenance <=3.8.1 missing authorization on cmp_disable_comingsoon_ajax AJAX handler", "mode": "block", "severity": 9.3, "slug": "cmp-coming-soon-maintenance", "target": "plugin", "versions": "<=3.8.1"}, "RULE-CVE-2020-36769-01": {"ajax_action": "import_widget_data", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "import_widget_data"}, {"name": "ARGS:import_file", "type": "regex", "value": "~^https?://~i"}], "cve": "CVE-2020-36769", "method": "POST", "mode": "block", "severity": 5.4, "slug": "widget-settings-importexport", "target": "plugin", "versions": "<=1.5.3"}, "RULE-CVE-2020-36769-02": {"ajax_action": "import_widget_data", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "import_widget_data"}, {"name": "ARGS:widgets", "type": "regex", "value": "~(?i)(<\\\\s*script\\\\b|javascript\\\\s*:|on\\\\w+\\\\s*=)~"}], "cve": "CVE-2020-36769", "method": "POST", "mode": "block", "severity": 5.4, "slug": "widget-settings-importexport", "target": "plugin", "versions": "<=1.5.3"}, "RULE-CVE-2020-36837-01": {"action": "admin_init", "conditions": [{"name": "ARGS:do_reset_wordpress", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36837", "method": "GET", "mode": "block", "severity": 9.9, "slug": "themegrill-demo-importer", "target": "plugin", "versions": ">=1.3.4 <=1.6.1"}, "RULE-CVE-2020-36838-01": {"ajax_action": "update_options", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "update_options"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36838", "method": "POST", "mode": "block", "severity": 7.4, "slug": "facebook-messenger-customer-chat", "target": "plugin", "versions": "<1.6"}, "RULE-CVE-2020-36842-01": {"ajax_action": "wpvivid_upload_import_files", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpvivid_upload_import_files"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36842", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36842", "description": "WPvivid Backup/Restore <=0.9.35 missing capability check on wpvivid_upload_import_files AJAX action allows low-privilege authenticated arbitrary ZIP upload and extraction.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "tags": ["auth-arbitrary-file-upload", "missing-capability-check", "ajax"], "target": "plugin", "versions": "<=0.9.35"}, "RULE-CVE-2020-36842-02": {"ajax_action": "wpvivid_upload_files", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpvivid_upload_files"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2020-36842", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36842", "description": "WPvivid Backup/Restore <=0.9.35 missing capability check on wpvivid_upload_files AJAX action allows low-privilege authenticated arbitrary ZIP upload and extraction.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "tags": ["auth-arbitrary-file-upload", "missing-capability-check", "ajax"], "target": "plugin", "versions": "<=0.9.35"}, "RULE-CVE-2021-24584-01": {"ajax_action": "route_url", "conditions": [{"name": "ARGS:controller", "type": "equals", "value": "events"}, {"name": "ARGS:mptt_action", "type": "equals", "value": "update_event_data"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24584", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mp-timetable", "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2021-24585-01": {"ajax_action": "route_url", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:controller", "type": "equals", "value": "events"}, {"name": "ARGS:mptt_action", "type": "equals", "value": "get_event_data"}], "cve": "CVE-2021-24585", "mode": "block", "severity": 6.5, "slug": "mp-timetable", "target": "plugin", "versions": "<=2.3.19"}, "RULE-CVE-2021-24994-01": {"ajax_action": "wpvivid_add_remote", "conditions": [{"name": "ARGS:remote", "type": "regex", "value": "~<(?:script|img|svg|iframe|embed|object|video|audio|body|input|details|math|marquee|a|div|p|table|form|base|link|meta|style|isindex|textarea|button|select|keygen)[^>a-zA-Z]|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|reset|select|abort|beforeunload|hashchange|unload|resize|scroll|copy|cut|paste|drag|drop|play|seeking|toggle|wheel|pointer|animation|transition)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*text/html~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24994", "description": "WPvivid Backup & Migration <0.9.69 unauthenticated stored XSS via wpvivid_add_remote AJAX action (remote parameter)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "tags": ["xss", "stored-xss", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<0.9.69"}, "RULE-CVE-2021-24994-02": {"ajax_action": "wpvivid_edit_remote", "conditions": [{"name": "ARGS:remote", "type": "regex", "value": "~<(?:script|img|svg|iframe|embed|object|video|audio|body|input|details|math|marquee|a|div|p|table|form|base|link|meta|style|isindex|textarea|button|select|keygen)[^>a-zA-Z]|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|reset|select|abort|beforeunload|hashchange|unload|resize|scroll|copy|cut|paste|drag|drop|play|seeking|toggle|wheel|pointer|animation|transition)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*text/html~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24994", "description": "WPvivid Backup & Migration <0.9.69 unauthenticated stored XSS via wpvivid_edit_remote AJAX action (remote parameter)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "tags": ["xss", "stored-xss", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<0.9.69"}, "RULE-CVE-2021-24994-03": {"ajax_action": "wpvivid_edit_remote", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~<(?:script|img|svg|iframe|embed|object|video|audio|body|input|details|math|marquee|a|div|p|table|form|base|link|meta|style|isindex|textarea|button|select|keygen)[^>a-zA-Z]|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|reset|select|abort|beforeunload|hashchange|unload|resize|scroll|copy|cut|paste|drag|drop|play|seeking|toggle|wheel|pointer|animation|transition)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*text/html~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-24994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24994", "description": "WPvivid Backup & Migration <0.9.69 unauthenticated stored XSS via wpvivid_edit_remote AJAX action (id parameter)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "tags": ["xss", "stored-xss", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<0.9.69"}, "RULE-CVE-2021-4444-01": {"ajax_action": "woofilters_save", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "woofilters"}, {"name": "ARGS:filter_name", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-4444", "method": "POST", "mode": "block", "severity": 7.3, "slug": "woo-product-filter", "target": "plugin", "versions": "<=1.4.9"}, "RULE-CVE-2021-4444-02": {"ajax_action": "woofilters_update", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "woofilters"}, {"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-4444", "method": "POST", "mode": "block", "severity": 7.3, "slug": "woo-product-filter", "target": "plugin", "versions": "<=1.4.9"}, "RULE-CVE-2021-4444-03": {"ajax_action": "woofilters_delete", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "woofilters"}, {"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2021-4444", "method": "POST", "mode": "block", "severity": 7.3, "slug": "woo-product-filter", "target": "plugin", "versions": "<=1.4.9"}, "RULE-CVE-2021-4446-01": {"ajax_action": "wpdeveloper_install_plugin", "conditions": [{"name": "ARGS:slug", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2021-4446", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4446", "description": "Essential Addons for Elementor Lite <= 4.6.4 missing authorization on AJAX plugin installation via wpdeveloper_install_plugin, allowing low-privilege users to install arbitrary plugins.", "method": "POST", "mode": "block", "severity": 6.3, "slug": "essential-addons-for-elementor-lite", "tags": ["authz-bypass", "missing-capability-check", "wordpress-ajax"], "target": "plugin", "versions": "<=4.6.4"}, "RULE-CVE-2021-4446-02": {"ajax_action": "wpdeveloper_activate_plugin", "conditions": [{"name": "ARGS:basename", "type": "exists"}, {"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2021-4446", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4446", "description": "Essential Addons for Elementor Lite <= 4.6.4 missing authorization on AJAX plugin activation via wpdeveloper_activate_plugin, enabling low-privilege users to activate installed plugins.", "method": "POST", "mode": "block", "severity": 6.3, "slug": "essential-addons-for-elementor-lite", "tags": ["authz-bypass", "missing-capability-check", "wordpress-ajax"], "target": "plugin", "versions": "<=4.6.4"}, "RULE-CVE-2021-4446-03": {"ajax_action": "wpdeveloper_upgrade_plugin", "conditions": [{"name": "ARGS:basename", "type": "exists"}, {"type": "missing_capability", "value": "update_plugins"}], "cve": "CVE-2021-4446", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4446", "description": "Essential Addons for Elementor Lite <= 4.6.4 missing authorization on AJAX plugin upgrade via wpdeveloper_upgrade_plugin, enabling low-privilege users to trigger plugin upgrades.", "method": "POST", "mode": "block", "severity": 6.3, "slug": "essential-addons-for-elementor-lite", "tags": ["authz-bypass", "missing-capability-check", "wordpress-ajax"], "target": "plugin", "versions": "<=4.6.4"}, "RULE-CVE-2021-4450-01A": {"ajax_action": "post_grid_ajax_fetch_block_hub_by_id", "conditions": [{"name": "ARGS:meta_key", "type": "exists"}, {"name": "ARGS:meta_value", "type": "exists"}, {"name": "ARGS:meta_key", "type": "detectSQLi"}], "cve": "CVE-2021-4450", "method": "POST", "mode": "block", "severity": 8.8, "slug": "post-grid", "target": "plugin", "versions": "<=2.1.12"}, "RULE-CVE-2021-4450-01B": {"ajax_action": "post_grid_ajax_fetch_block_hub_by_id", "conditions": [{"name": "ARGS:meta_key", "type": "exists"}, {"name": "ARGS:meta_value", "type": "exists"}, {"name": "ARGS:meta_value", "type": "detectSQLi"}], "cve": "CVE-2021-4450", "method": "POST", "mode": "block", "severity": 8.8, "slug": "post-grid", "target": "plugin", "versions": "<=2.1.12"}, "RULE-CVE-2022-0320-01": {"ajax_action": "load_more", "conditions": [{"name": "ARGS:template_info[file_name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via load_more templateInfo[file_name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-02": {"ajax_action": "load_more", "conditions": [{"name": "ARGS:template_info[name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via load_more template_info[name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-03": {"ajax_action": "woo_product_pagination_product", "conditions": [{"name": "ARGS:templateInfo[file_name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination_product templateInfo[file_name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-04": {"ajax_action": "woo_product_pagination_product", "conditions": [{"name": "ARGS:templateInfo[name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination_product templateInfo[name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-05": {"ajax_action": "woo_product_pagination", "conditions": [{"name": "ARGS:template_info[file_name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination template_info[file_name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0320-06": {"ajax_action": "woo_product_pagination", "conditions": [{"name": "ARGS:template_info[name]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[a-z]+://~i"}], "cve": "CVE-2022-0320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0320", "description": "Essential Addons for Elementor <=5.0.4 unauthenticated LFI via woo_product_pagination template_info[name]", "mode": "block", "severity": 9.8, "slug": "essential-addons-for-elementor-lite", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=5.0.4"}, "RULE-CVE-2022-0531-01A": {"action": "admin_menu", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^(?i)wpvivid$~"}, {"name": "ARGS:sub_page", "type": "regex", "value": "~[\\"\'<>]~"}], "cve": "CVE-2022-0531", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.69"}, "RULE-CVE-2022-0531-01B": {"action": "admin_menu", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^(?i)wpvivid$~"}, {"name": "ARGS:sub_tab", "type": "regex", "value": "~[\\"\'<>]~"}], "cve": "CVE-2022-0531", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.69"}, "RULE-CVE-2022-1768-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/rsvpmaker/v1/stripesuccess(?:/[^/?&#]*)?(?:[/?&]|$)~"}, {"name": "ARGS:rsvp_id", "type": "regex", "value": "~(?i)(?:\'\\\\s*(?:OR|AND)\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|UNION(?:\\\\s+ALL)?\\\\s+SELECT|SELECT(?:\\\\s|\\\\()|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|pg_sleep\\\\s*\\\\(|WAITFOR\\\\s+DELAY|information_schema|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE|--\\\\s*$|/\\\\*|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE)\\\\b)~"}], "cve": "CVE-2022-1768", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1768", "description": "RSVPMaker <=9.3.2 unauthenticated time-based blind SQL injection via rsvp_id parameter in REST route /wp-json/rsvpmaker/v1/stripesuccess/ (confirmed in production, 190/200 proactive_queue samples targeted this endpoint with SLEEP() payloads)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "rsvpmaker", "tags": ["sql-injection", "unauthenticated", "rest-api", "time-based-blind", "prod-evidence"], "target": "plugin", "versions": "<=9.3.2"}, "RULE-CVE-2022-1768-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/rsvpmaker/v1/stripesuccess(?:/[^/?&#]*)?(?:[/?&]|$)~"}, {"name": "ARGS:rsvp_id", "type": "regex", "value": "~(?i)(?:\'\\\\s*(?:OR|AND)\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|UNION(?:\\\\s+ALL)?\\\\s+SELECT|SELECT(?:\\\\s|\\\\()|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|pg_sleep\\\\s*\\\\(|WAITFOR\\\\s+DELAY|information_schema|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE|--\\\\s*$|/\\\\*|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE)\\\\b)~"}], "cve": "CVE-2022-1768", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1768", "description": "RSVPMaker <=9.3.2 unauthenticated time-based blind SQL injection via rsvp_id parameter in REST route /wp-json/rsvpmaker/v1/stripesuccess/ (GET variant)", "method": "GET", "mode": "block", "severity": 9.8, "slug": "rsvpmaker", "tags": ["sql-injection", "unauthenticated", "rest-api", "time-based-blind", "prod-evidence"], "target": "plugin", "versions": "<=9.3.2"}, "RULE-CVE-2022-1768-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/rsvpmaker/v1/sked(?:/[^/?&#]*)?(?:[/?&]|$)~"}, {"name": "ARGS:post_id", "type": "regex", "value": "~(?i)(?:\'\\\\s*(?:OR|AND)\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|UNION(?:\\\\s+ALL)?\\\\s+SELECT|SELECT(?:\\\\s|\\\\()|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|pg_sleep\\\\s*\\\\(|WAITFOR\\\\s+DELAY|information_schema|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE|--\\\\s*$|/\\\\*|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE)\\\\b)~"}], "cve": "CVE-2022-1768", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1768", "description": "RSVPMaker <=9.3.2 unauthenticated time-based blind SQL injection via post_id parameter in REST route /wp-json/rsvpmaker/v1/sked/{id} (secondary sink from reference digest, Week 15 2026)", "mode": "block", "severity": 9.8, "slug": "rsvpmaker", "tags": ["sql-injection", "unauthenticated", "rest-api", "time-based-blind"], "target": "plugin", "versions": "<=9.3.2"}, "RULE-CVE-2022-2439-01": {"ajax_action": "ime_test_im_path", "conditions": [{"name": "ARGS:cli_path", "type": "regex", "value": "~[;|&`$(){}\\\\n\\\\r<>]|\\\\$\\\\(~"}], "cve": "CVE-2022-2439", "method": "POST", "mode": "block", "severity": 7.2, "slug": "imagemagick-engine", "target": "plugin", "versions": "<1.7.5"}, "RULE-CVE-2022-2446-01": {"ajax_action": "wpeditor_browse_theme_root", "conditions": [{"name": "ARGS:current_theme_root", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-2446-02": {"ajax_action": "wpeditor_get_file", "conditions": [{"name": "ARGS:file_path", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-2446-03": {"ajax_action": "wpeditor_upload", "conditions": [{"name": "ARGS:complete_directory", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-2446-04": {"ajax_action": "wpeditor_save_file", "conditions": [{"name": "ARGS:real_file", "type": "regex", "value": "~^phar://~i"}], "cve": "CVE-2022-2446", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-editor", "target": "plugin", "versions": "<=1.2.9"}, "RULE-CVE-2022-33965-01": {"ajax_action": "liveStats", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via liveStats AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-02": {"ajax_action": "refDetails", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via refDetails AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-03": {"ajax_action": "getDateWiseLocationDetail", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via getDateWiseLocationDetail AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-04": {"ajax_action": "getContentUrlDayView", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via getContentUrlDayView AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-05": {"ajax_action": "getReferralOSDetails", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via getReferralOSDetails AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-06": {"ajax_action": "refUrlDetails", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via refUrlDetails AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-07": {"ajax_action": "uoSummary", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via uoSummary AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-08": {"ajax_action": "deleteIpAddress", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via deleteIpAddress AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-09": {"ajax_action": "updateIpAddress", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via updateIpAddress AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-33965-10": {"ajax_action": "save_ipadress", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2022-33965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33965", "description": "WP Visitor Statistics <=5.7 unauthenticated SQL injection via save_ipadress AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-stats-manager", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=5.7"}, "RULE-CVE-2022-3805-02": {"ajax_action": "jkit_create_element", "conditions": [{"type": "missing_capability", "value": "edit_theme_options"}], "cve": "CVE-2022-3805", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3805", "description": "Jeg Elementor Kit <=2.5.6 unauthorized element creation via jkit_create_element AJAX handler", "mode": "block", "severity": 7.5, "slug": "jeg-elementor-kit", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=2.5.6"}, "RULE-CVE-2022-41786-01": {"ajax_action": "wpjobportal_ajax", "conditions": [{"name": "ARGS:task", "type": "exists"}, {"name": "ARGS:task", "type": "regex", "value": "~^(deletecompanylogo|deleteUserPhoto|deleteResumeLogo|removeResumeFileById|deleteResumeSectionAjax)$~i"}], "cve": "CVE-2022-41786", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-job-portal", "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2022-43453-01": {"ajax_action": "wptools_get_ajax_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-03": {"ajax_action": "wptools_get_speed_info", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-04": {"ajax_action": "wptools_dismissible_notice", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-05": {"ajax_action": "wptools_dismissible_notice2", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-43453-06": {"ajax_action": "wptools_bill_go_pro_hide", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-43453", "mode": "block", "severity": 8.8, "slug": "wptools", "target": "plugin", "versions": "<3.43"}, "RULE-CVE-2022-45354-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/download-monitor/v1/(?:download_reports|user_reports|user_data))(?:/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-45354", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.60"}, "RULE-CVE-2022-45354-02": {"action": "init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~^/download-monitor/v1/(?:download_reports|user_reports|user_data)(?:/|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-45354", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.60"}, "RULE-CVE-2022-45830-01": {"action": "admin_init", "conditions": [{"name": "ARGS:wp_analytify_log_out", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-45830", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-analytify", "target": "plugin", "versions": "<=4.2.3"}, "RULE-CVE-2022-4972-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/download_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/download_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_reports(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_data(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/user_data(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-07": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/templates(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "GET", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2022-4972-08": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/download-monitor/v1/templates(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2022-4972", "method": "POST", "mode": "block", "severity": 7.5, "slug": "download-monitor", "target": "plugin", "versions": "<=4.7.51"}, "RULE-CVE-2023-0084-02": {"ajax_action": "mf_admin_action", "conditions": [{"name": "ARGS:form_data", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|svg\\\\s+onload=)~i"}], "cve": "CVE-2023-0084", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0084", "description": "MetForm <=3.1.2 stored XSS via admin submissions list view", "mode": "block", "severity": 6.1, "slug": "metform", "tags": ["xss", "stored"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2023-0579-01": {"ajax_action": "yarpp_display", "conditions": [{"name": "ARGS:ID", "type": "regex", "value": "~(?:UNION(?:/\\\\*.*?\\\\*/|\\\\s)+(?:ALL(?:/\\\\*.*?\\\\*/|\\\\s)+)?SELECT\\\\b|/\\\\*.*?\\\\*/|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\b|\\\\b(?:OR|AND)\\\\b(?:/\\\\*.*?\\\\*/|\\\\s)+[0-9]+\\\\s*=\\\\s*[0-9]+|(?:--|#)(?:\\\\s|$)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|WAITFOR(?:/\\\\*.*?\\\\*/|\\\\s)+DELAY)~i"}], "cve": "CVE-2023-0579", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0579", "description": "YARPP <=5.30.2 authenticated SQL injection via yarpp_display AJAX handler ID parameter", "mode": "block", "severity": 8.8, "slug": "yet-another-related-posts-plugin", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=5.30.2"}, "RULE-CVE-2023-0579-02": {"ajax_action": "yarpp_display_preview", "conditions": [{"name": "ARGS:ID", "type": "regex", "value": "~(?:UNION(?:/\\\\*.*?\\\\*/|\\\\s)+(?:ALL(?:/\\\\*.*?\\\\*/|\\\\s)+)?SELECT\\\\b|/\\\\*.*?\\\\*/|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\b|\\\\b(?:OR|AND)\\\\b(?:/\\\\*.*?\\\\*/|\\\\s)+[0-9]+\\\\s*=\\\\s*[0-9]+|(?:--|#)(?:\\\\s|$)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|WAITFOR(?:/\\\\*.*?\\\\*/|\\\\s)+DELAY)~i"}], "cve": "CVE-2023-0579", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0579", "description": "YARPP <=5.30.2 authenticated SQL injection via yarpp_display_preview AJAX handler ID parameter", "mode": "block", "severity": 8.8, "slug": "yet-another-related-posts-plugin", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=5.30.2"}, "RULE-CVE-2023-23715-01": {"ajax_action": "jb-delete-job", "conditions": [{"name": "ARGS:jb-delete-job", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23715", "method": "POST", "mode": "block", "severity": 8.8, "slug": "jobboardwp", "target": "plugin", "versions": "<=1.2.2"}, "RULE-CVE-2023-23730-01": {"ajax_action": "uagb_process_forms", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:form_data", "type": "regex", "value": "~(?:^|&)g-recaptcha-response=[^&]{0,80}(?:&|$)~"}], "cve": "CVE-2023-23730", "method": "POST", "mode": "block", "severity": 5.3, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23735-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "uagb_process_forms"}, {"name": "ARGS:email", "type": "detectXSS"}], "cve": "CVE-2023-23735", "description": "Unauthenticated email HTML injection (XSS) via Spectra form processing allows HTML/script injection in email field", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23738-01": {"ajax_action": "uagb_process_forms", "conditions": [{"name": "ARGS", "type": "regex", "value": "~%0[dD]%0[aA].*(Bcc|Cc|From|Reply-To|Content-Type|Subject)~i"}], "cve": "CVE-2023-23738", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23738", "description": "Spectra (Ultimate Addons for Gutenberg) <=2.3.0 unauthenticated email header injection via CRLF in form submission", "method": "POST", "mode": "block", "severity": 5.3, "slug": "ultimate-addons-for-gutenberg", "tags": ["email-header-injection", "content-spoofing", "unauthenticated", "crlf-injection"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23825-01": {"ajax_action": "ast_block_templates_import_wpforms", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ast_block_templates_import_wpforms"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23825", "description": "Spectra (Ultimate Addons for Gutenberg) <= 2.3.0 missing authorization/CSRF protection on AJAX WPForms import action ast_block_templates_import_wpforms, allowing low-privilege or CSRF-triggered imports.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-addons-for-gutenberg", "tags": ["wordpress", "plugin", "spectra", "ultimate-addons-for-gutenberg", "missing-authorization", "csrf"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23825-02": {"ajax_action": "ast_block_templates_import_block", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ast_block_templates_import_block"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23825", "description": "Spectra (Ultimate Addons for Gutenberg) <= 2.3.0 missing authorization/CSRF protection on AJAX block template import action ast_block_templates_import_block, allowing low-privilege or CSRF-triggered imports.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-addons-for-gutenberg", "tags": ["wordpress", "plugin", "spectra", "ultimate-addons-for-gutenberg", "missing-authorization", "csrf"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2023-23834-01": {"ajax_action": "ast_block_templates_activate_plugin", "conditions": [{"name": "ARGS:ast_block_templates_activate_plugin", "type": "exists"}, {"name": "ARGS:ast_block_templates_activate_plugin", "type": "regex", "value": "~\\\\.php($|\\\\?)~i"}, {"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2023-23834", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2023-23990-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/profile.php"}, {"name": "ARGS:wp_capabilities", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-23990-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/profile.php"}, {"name": "ARGS:wp_user_level", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-23990-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/user-edit.php"}, {"name": "ARGS:wp_capabilities", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-23990-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/user-edit.php"}, {"name": "ARGS:wp_user_level", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-23990", "method": "POST", "mode": "block", "severity": 7.6, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2023-24407-01": {"ajax_action": "wpdevart_export", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_export"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-02": {"ajax_action": "wpdevart_ajax", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_ajax"}, {"name": "ARGS:task", "type": "regex", "value": "~^wpdevart_(quick_update|add_field|payment(_ajax)?|export)$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-03": {"ajax_action": "wpdevart_add_field", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_add_field"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-04": {"ajax_action": "wpdevart_payment", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_payment"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-24407-05": {"ajax_action": "wpdevart_payment_ajax", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdevart_payment_ajax"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-24407", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.3"}, "RULE-CVE-2023-25988-01": {"ajax_action": "TotalSoftGallery_Video_Del", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-02": {"ajax_action": "TotalSoftGallery_Video_Clone", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-03": {"ajax_action": "TotalSoftGallery_Video_Edit", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-04": {"ajax_action": "TotalSoftGallery_Video_Edit_Videos", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-05": {"ajax_action": "TSoft_Vimeo_Video_Image", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-06": {"ajax_action": "TSoft_Wistia_Video_Image", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-07": {"ajax_action": "TotalSoftGallery_VideoOpt_Del", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-08": {"ajax_action": "TotalSoftGallery_VideoOpt_Edit", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-09": {"ajax_action": "TotalSoftGallery_VideoOpt_Edit1", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-10": {"ajax_action": "TotalSoftGalleryV_Clone_Option", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-11": {"ajax_action": "TotalSoftGallery_Video_Page", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-12": {"ajax_action": "TotalSoftGallery_Video_PageGO", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-13": {"ajax_action": "TotalSoftGallery_Video_CP_Popup", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-14": {"ajax_action": "TotalSoftGallery_Video_CP_Popup_Left", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-15": {"ajax_action": "TotalSoftGallery_Video_CP_Popup_Right", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-16": {"ajax_action": "TS_PTable_New_MTable_DisMiss_VG", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-17": {"ajax_action": "TS_VG_Question_DisMiss", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-18": {"ajax_action": "Total_Soft_GV_Prev", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-19": {"ajax_action": "TotalSoftGallery_Video_Post", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-25988-20": {"ajax_action": "TotalSoftGallery_Page_Post", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-25988", "mode": "block", "severity": 7.5, "slug": "gallery-videos", "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2023-27460-01": {"ajax_action": "cpcfwpp_feedback", "conditions": [{"name": "ARGS:answer", "type": "exists"}, {"name": "ARGS:oinfo", "type": "exists"}, {"name": "ARGS:opinfo", "type": "exists"}, {"name": "ARGS:anonymous", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-27460", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27460", "description": "CP Contact Form with Paypal <= 1.3.34 missing authorization on AJAX feedback submission (cpcfwpp_feedback) allows low-privileged users to misuse internal feedback functionality.", "method": "POST", "mode": "block", "severity": 4.3, "slug": "cp-contact-form-with-paypal", "tags": ["missing-authorization", "broken-access-control", "ajax", "feedback"], "target": "plugin", "versions": "<=1.3.34"}, "RULE-CVE-2023-2877-01": {"ajax_action": "frm_install_addon", "conditions": [{"name": "ARGS:file_url", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2023-2877", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "target": "plugin", "versions": "<=6.3"}, "RULE-CVE-2023-2877-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/frm-admin/v1/install-addon(/|\\\\?|$)~"}, {"name": "ARGS:file_url", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2023-2877", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "target": "plugin", "versions": "<=6.3"}, "RULE-CVE-2023-30873-01": {"ajax_action": "wpdocs_create_folder", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdocs_create_folder"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-30873", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2023-30873-02": {"ajax_action": "wpdocs_update_folder", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdocs_update_folder"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-30873", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2023-30873-03": {"ajax_action": "wpdocs_delete_folder", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpdocs_delete_folder"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-30873", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2023-3197-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mstore/v1/products(?:[/?]|$)~"}, {"name": "ARGS:id", "type": "regex", "value": "~(?:union\\\\s+(?:all\\\\s+)?select|;\\\\s*(?:drop|delete|insert|update)\\\\s|or\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|and\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|\\\\banalyze\\\\b|\\\\bbenchmark\\\\b|\\\\bsleep\\\\s*\\\\()~i"}], "cve": "CVE-2023-3197", "description": "mstore-api <=4.0.1 unauthenticated SQL injection via id parameter in vendor-wcfm.php REST endpoint", "mode": "block", "severity": 9.8, "slug": "mstore-api", "target": "plugin", "versions": "<=4.0.1"}, "RULE-CVE-2023-32117-01": {"ajax_action": "igd_download_zip", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-02": {"ajax_action": "igd_download", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-03": {"ajax_action": "igd_stream", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-04": {"ajax_action": "igd_preview", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-05": {"ajax_action": "igd_get_share_link", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-06": {"ajax_action": "igd_get_preview_thumbnail", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-07": {"ajax_action": "igd_get_shortcodes", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-08": {"ajax_action": "igd_get_upload_url", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-09": {"ajax_action": "igd_file_uploaded", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-10": {"ajax_action": "igd_delete_shortcode", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-32117-11": {"ajax_action": "igd_download_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-32117", "mode": "block", "severity": 9.8, "slug": "integrate-google-drive", "target": "plugin", "versions": "<=1.1.99"}, "RULE-CVE-2023-3277-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/flutter-user/login-with-apple(?:[/?]|$)~"}], "cve": "CVE-2023-3277", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3277", "description": "MStore API <=4.10.7 unauthenticated privilege escalation via Apple login token", "mode": "block", "severity": 9.8, "slug": "mstore-api", "tags": ["privilege-escalation", "authentication-bypass", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.10.7"}, "RULE-CVE-2023-35051-01": {"ajax_action": "accua-save-form-settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua-save-form-settings action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-02": {"ajax_action": "accua_form_save_form_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua_form_save_form_settings action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-03": {"ajax_action": "accua-save-form-field", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua-save-form-field action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-04": {"ajax_action": "accua_forms_preview", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua_forms_preview action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-35051-05": {"ajax_action": "accua_forms_submission_page_save_excel", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-35051", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35051", "description": "Block unauthorized POST accua_forms_submission_page_save_excel action (Broken Access Control) in Contact Forms by Cimatti <=1.5.7", "method": "POST", "mode": "block", "severity": 8.8, "slug": "contact-forms", "tags": ["authz", "broken-access-control", "missing-authorization"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2023-36516-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/learnpress/v1/profile/\\\\d+~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36516", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.3"}, "RULE-CVE-2023-36679-01": {"ajax_action": "ast_block_templates_importer", "conditions": [{"name": "ARGS:api_uri", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36679", "mode": "block", "severity": 6.5, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.6.6"}, "RULE-CVE-2023-36679-02": {"ajax_action": "ast_block_templates_import_wpforms", "conditions": [{"name": "ARGS:wpforms_url", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36679", "mode": "block", "severity": 6.5, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.6.6"}, "RULE-CVE-2023-36681-01": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ccpw_get_coins_list"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36681", "mode": "block", "severity": 9.8, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": "<=2.6.2"}, "RULE-CVE-2023-36681-02": {"ajax_action": "ccpw_delete_transient", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ccpw_delete_transient"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-36681", "mode": "block", "severity": 9.8, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": "<=2.6.2"}, "RULE-CVE-2023-37389-01": {"ajax_action": "package_app_action", "conditions": [{"name": "ARGS:mode", "type": "regex", "value": "~^(?:updateUser|createUser|updateRolesOfUser|updateRolesOfPlugin)$~i"}], "cve": "CVE-2023-37389", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37389", "description": "Booking Package <=1.5.98 unauthenticated privilege escalation via user modification modes", "method": "POST", "mode": "block", "severity": 8.8, "slug": "booking-package", "tags": ["privilege-escalation", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=1.5.98"}, "RULE-CVE-2023-37866-01": {"ajax_action": "jfb_addon_activate_action", "conditions": [{"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2023-37866", "mode": "block", "severity": 7.2, "slug": "jetformbuilder", "target": "plugin", "versions": "<=3.0.8"}, "RULE-CVE-2023-37967-01": {"ajax_action": "directorypress_fields_delete", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-37967", "method": "POST", "mode": "block", "severity": 9.8, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2023-37967-02": {"ajax_action": "directorypress_fields_group_delete", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-37967", "method": "POST", "mode": "block", "severity": 9.8, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2023-37967-03": {"ajax_action": "directorypress_fields_config", "conditions": [{"name": "ARGS:field_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-37967", "method": "POST", "mode": "block", "severity": 9.8, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2023-37999-01": {"ajax_action": "htmega_ajax_register", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "htmega_ajax_register"}, {"name": "ARGS:reg_role", "type": "regex", "value": "~(?:administrator|editor|author|contributor)~i"}, {"type": "missing_capability", "value": "create_users"}], "cve": "CVE-2023-37999", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37999", "description": "HT Mega Absolute Addons for Elementor <=2.2.0 unauthenticated privilege escalation via reg_role parameter in htmega_ajax_register", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ht-mega-for-elementor", "tags": ["privilege-escalation", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=2.2.0"}, "RULE-CVE-2023-38386-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/ninja-forms-submissions/v1/export(?:[/?]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-38386", "method": "GET", "mode": "block", "severity": 9.8, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.6.25"}, "RULE-CVE-2023-38386-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/ninja-forms-submissions/v1/export(?:[/?]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-38386", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.6.25"}, "RULE-CVE-2023-38393-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/ninja-forms-submissions/v1/(download-all|export)(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-38393", "mode": "block", "severity": 8.8, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.6.25"}, "RULE-CVE-2023-39920-01": {"action": "admin_init", "conditions": [{"name": "ARGS:export_leads", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39920", "method": "GET", "mode": "block", "severity": 7.5, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.9.2"}, "RULE-CVE-2023-39920-02": {"ajax_action": "send_debug_info", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39920", "mode": "block", "severity": 7.5, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=2.9.2"}, "RULE-CVE-2023-39990-01": {"ajax_action": "pmpro_courses_update_course", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pmpro_courses_update_course"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39990", "method": "POST", "mode": "block", "severity": 8.8, "slug": "pmpro-courses", "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2023-39990-02": {"ajax_action": "pmpro_courses_remove_course", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pmpro_courses_remove_course"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39990", "method": "POST", "mode": "block", "severity": 8.8, "slug": "pmpro-courses", "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2023-39997-01": {"action": "init", "conditions": [{"name": "ARGS:mod", "type": "equals", "value": "subscribe"}, {"name": "ARGS:action", "type": "equals", "value": "getWpCsvList"}, {"name": "ARGS:pl", "type": "equals", "value": "pps"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-39997", "mode": "block", "severity": 9.8, "slug": "popup-by-supsystic", "target": "plugin", "versions": "<=1.10.19"}, "RULE-CVE-2023-40203-01": {"ajax_action": "delete_widget", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "delete_widget"}, {"name": "ARGS:widget_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-40203", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mailchimp-forms-by-mailmunch", "target": "plugin", "versions": "<=3.1.4"}, "RULE-CVE-2023-40203-02": {"ajax_action": "change_email_status", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "change_email_status"}, {"name": "ARGS:email_id", "type": "exists"}, {"name": "ARGS:email_status", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-40203", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mailchimp-forms-by-mailmunch", "target": "plugin", "versions": "<=3.1.4"}, "RULE-CVE-2023-40203-03": {"ajax_action": "delete_email", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "delete_email"}, {"name": "ARGS:email_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-40203", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mailchimp-forms-by-mailmunch", "target": "plugin", "versions": "<=3.1.4"}, "RULE-CVE-2023-41243-01": {"ajax_action": "wpvivid_get_import_list_page", "conditions": [{"name": "ARGS:wpvivid_upload_import_files", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-41243", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.90"}, "RULE-CVE-2023-41243-02": {"ajax_action": "wpvivid_get_import_list_page", "conditions": [{"name": "ARGS:wpvivid_start_import", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-41243", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.90"}, "RULE-CVE-2023-41243-03": {"ajax_action": "wpvivid_get_import_list_page", "conditions": [{"name": "ARGS:wpvivid_delete_export_list", "type": "exists"}, {"name": "ARGS:export_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-41243", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.90"}, "RULE-CVE-2023-48777-01": {"ajax_action": "elementor_upload_kit", "conditions": [{"name": "FILES:e_import_file:name", "type": "regex", "value": "~\\\\.(?:php[0-9]*|phtml|phar|cgi|exe|sh|bash)$~i"}], "cve": "CVE-2023-48777", "method": "POST", "mode": "block", "severity": 8.8, "slug": "elementor", "target": "plugin", "versions": "3.3.0 - 3.18.1"}, "RULE-CVE-2023-5070-01": {"ajax_action": "sfsi_save_export", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-5070", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5070", "description": "Ultimate Social Media Icons <=2.8.5 unauthorized settings export via sfsi_save_export exposes social media tokens and app passwords", "mode": "block", "severity": 6.5, "slug": "ultimate-social-media-icons", "tags": ["missing-authorization", "information-disclosure", "authenticated"], "target": "plugin", "versions": "<=2.8.5"}, "RULE-CVE-2023-51409-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/upload(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2023-51409", "description": "AI Engine <= 1.9.98 \\u2013 Arbitrary file upload via mwai-ui REST endpoint (unauthorized users)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=1.9.98"}, "RULE-CVE-2023-51409-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/delete(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2023-51409", "description": "AI Engine <= 1.9.98 \\u2013 Arbitrary file delete via mwai-ui REST endpoint (unauthorized users)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=1.9.98"}, "RULE-CVE-2023-51409-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/upload(/|\\\\?|$)~"}, {"name": "FILES:filename", "type": "regex", "value": "~\\\\.ph(?:p\\\\d?|tml|ar|ps?)$~i"}], "cve": "CVE-2023-51409", "description": "AI Engine <= 1.9.98 \\u2013 PHP file upload via mwai-ui REST endpoint (block .ph* extensions)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=1.9.98"}, "RULE-CVE-2023-51682-01": {"action": "init", "conditions": [{"name": "ARGS:mc4wp_preview_form", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2023-51682", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51682", "description": "MC4WP Mailchimp for WordPress <=4.9.9 broken access control on form preview via mc4wp_preview_form", "method": "GET", "mode": "block", "severity": 6.5, "slug": "mailchimp-for-wp", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=4.9.9"}, "RULE-CVE-2023-5527-01-01": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_title", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_title on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-02": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:short_description", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via short_description on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-03": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_contact_name", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_contact_name on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-04": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_contact_email", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_contact_email on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-05": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_phone", "type": "regex", "value": "~^[\\t=\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_phone on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-5527-01-06": {"ajax_action": "wpbdp-csv-export", "conditions": [{"name": "ARGS:listing_address", "type": "regex", "value": "~^[\\t=+\\\\-@]~i"}], "cve": "CVE-2023-5527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527", "description": "Business Directory Plugin <=6.4.3 CSV injection via listing_address on CSV export", "mode": "block", "severity": 8.0, "slug": "business-directory-plugin", "tags": ["csv-injection", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2023-6558-01": {"ajax_action": "upload_import_file", "conditions": [{"name": "FILES:import_file:name", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|tml?|ar|t)|jsp|asp|aspx|cgi|fcgi|pl|py|rb|sh|exe|dll|bat|cmd|com)(?:\\\\.|$)~i"}], "cve": "CVE-2023-6558", "description": "Users/Customers Import Export <=2.4.8 arbitrary file upload via upload_import_file \\u2014 dangerous extension block", "method": "POST", "mode": "block", "severity": 7.2, "slug": "users-customers-import-export-for-wp-woocommerce", "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2023-6558-02": {"ajax_action": "upload_import_file", "conditions": [{"name": "FILES:import_file:name", "type": "regex", "value": "~\\\\.(?!csv$)[a-z0-9]{1,5}$~i"}], "cve": "CVE-2023-6558", "description": "Users/Customers Import Export <=2.4.8 arbitrary file upload via upload_import_file \\u2014 non-CSV extension block", "method": "POST", "mode": "block", "severity": 7.2, "slug": "users-customers-import-export-for-wp-woocommerce", "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2023-6600-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "omgf-update"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6600", "method": "POST", "mode": "block", "severity": 5.4, "slug": "host-webfonts-local", "target": "plugin", "versions": "<=5.7.9"}, "RULE-CVE-2023-6600-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "omgf-update"}, {"name": "ARGS:omgf_cache_keys", "type": "regex", "value": "~\\\\.\\\\.[/\\\\\\\\]~"}], "cve": "CVE-2023-6600", "method": "POST", "mode": "block", "severity": 5.4, "slug": "host-webfonts-local", "target": "plugin", "versions": "<=5.7.9"}, "RULE-CVE-2023-6634-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/lp/v1/load_content_via_ajax(?:/|\\\\?|$)|[?&]rest_route=/lp/v1/load_content_via_ajax(?:/|\\\\?|&|$))~i"}, {"name": "ARGS:callback", "type": "exists"}, {"name": "ARGS:callback", "type": "regex", "value": "~(?i)^(?!render_courses$).+~"}], "cve": "CVE-2023-6634", "description": "LearnPress <= 4.2.5.7 \\u2013 Arbitrary callback method invocation via load_content_via_ajax REST endpoint", "mode": "block", "severity": 9.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.5.7"}, "RULE-CVE-2023-6635-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/(?:.*/)?wp-json/gutenberghub-styles/v1/.*~"}, {"name": "REQUEST_HEADERS:Content-Type", "type": "regex", "value": "~(?i)^multipart/form-data;~"}], "cve": "CVE-2023-6635", "method": "POST", "mode": "block", "severity": 7.2, "slug": "block-options", "target": "plugin", "versions": "<=1.40.3"}, "RULE-CVE-2023-6751-01": {"ajax_action": "hostinger_publish_website", "conditions": [{"name": "ARGS:maintenance", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6751", "method": "POST", "mode": "block", "severity": 6.5, "slug": "hostinger", "target": "plugin", "versions": "<=1.9.7"}, "RULE-CVE-2023-6827-01": {"ajax_action": "gsf_upload_fonts", "conditions": [{"name": "FILES:file_font", "type": "exists"}], "cve": "CVE-2023-6827", "method": "POST", "mode": "block", "severity": 8.8, "slug": "essential-real-estate", "target": "plugin", "versions": "<=4.3.5"}, "RULE-CVE-2023-6878-01": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6878", "description": "Slick Social Share Buttons <= 2.4.11 dcssb_ajax_update missing capability check allows authenticated subscriber+ users to arbitrarily modify site options, enabling unauthorized configuration changes via admin-ajax.php as described by Wordfence and NVD.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "privilege-escalation"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6878-02": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:users_can_register", "type": "exists"}], "cve": "CVE-2023-6878", "description": "Block low-privilege abuse of dcssb_ajax_update to toggle users_can_register via arbitrary option updates in Slick Social Share Buttons <= 2.4.11, as the handler lacks a capability check and permits subscriber-level attackers to change site options.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "privilege-escalation"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6878-03": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:default_role", "type": "exists"}, {"name": "ARGS:default_role", "type": "regex", "value": "~^(administrator|editor|author)$~i"}], "cve": "CVE-2023-6878", "description": "Block low-privilege abuse of dcssb_ajax_update to change the default_role option (e.g., to administrator/editor/author) via the arbitrary option update vulnerability in Slick Social Share Buttons <= 2.4.11.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "privilege-escalation"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6878-04": {"ajax_action": "dcssb_ajax_update", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dcssb_ajax_update"}, {"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:admin_email", "type": "exists"}], "cve": "CVE-2023-6878", "description": "Block low-privilege abuse of dcssb_ajax_update to modify the admin_email option through the arbitrary option update vulnerability in Slick Social Share Buttons <= 2.4.11, which allows subscriber-level users to change site options.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "slick-social-share-buttons", "tags": ["authz", "arbitrary-option-update", "integrity"], "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2023-6966-04": {"ajax_action": "get_ads_txt", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_get_ads_txt missing capability/nonce checks allow subscriber+ or CSRF to read/alter ads.txt, lazy-loading, stats visibility, and tag configuration via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-05": {"ajax_action": "do_generate_tag", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_do_generate_tag missing capability/nonce checks allow subscriber+ or CSRF to generate/modify Moneytizer tags and formats via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-06": {"ajax_action": "update_bank_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_update_bank_data missing capability/nonce checks allow subscriber+ or CSRF to update billing/bank details via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-07": {"ajax_action": "do_reactivate_tag", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_do_reactivate_tag missing capability/nonce checks allow subscriber+ or CSRF to reactivate tags via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6966-08": {"ajax_action": "apply_conf", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-6966", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve", "description": "The Moneytizer <= 9.6.3 wp_ajax_apply_conf missing capability/nonce checks allow subscriber+ or CSRF to apply configuration via admin-ajax.php.", "method": "POST", "mode": "block", "severity": 8.1, "slug": "the-moneytizer", "tags": ["improper-access-control", "missing-authorization", "csrf", "ajax"], "target": "plugin", "versions": "<=9.6.3"}, "RULE-CVE-2023-6983-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php$~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "POST", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6983-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/posts(?:/\\\\d+)?/?(?:\\\\?.*)?|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/posts(?:/\\\\d+)?/?(?:&[^#]*)?)$~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "POST", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6983-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/posts(?:/\\\\d+)?/?(?:\\\\?.*)?|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/posts(?:/\\\\d+)?/?(?:&[^#]*)?)$~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "PUT", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6983-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/posts(?:/\\\\d+)?/?(?:\\\\?.*)?|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/posts(?:/\\\\d+)?/?(?:&[^#]*)?)$~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*key\\\\s*=~i"}], "cve": "CVE-2023-6983", "method": "PATCH", "mode": "block", "severity": 4.3, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6996-01": {"action": "the_content", "conditions": [{"name": "BODY", "type": "regex", "value": "~\\\\[vg_display_data[^\\\\]]*wp_filter\\\\s*=\\\\s*[\'\\\\\\"][^\'\\\\\\"]+[\'\\\\\\"]~i"}], "cve": "CVE-2023-6996", "mode": "block", "severity": 8.8, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6996-02": {"action": "the_content", "conditions": [{"name": "BODY", "type": "regex", "value": "~\\\\[vg_display_data[^\\\\]]*sanitization\\\\s*=\\\\s*[\'\\\\\\"][^\'\\\\\\"]+[\'\\\\\\"]~i"}], "cve": "CVE-2023-6996", "mode": "block", "severity": 8.8, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-6996-03": {"action": "the_content", "conditions": [{"name": "BODY", "type": "regex", "value": "~\\\\[vg_display_data\\\\b[^\\\\]]*\\\\b(user_id|field)\\\\s*=~i"}], "cve": "CVE-2023-6996", "mode": "block", "severity": 8.8, "slug": "shortcode-to-display-post-and-user-data", "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2023-7002-01": {"ajax_action": "backup-migration-ajax", "conditions": [{"name": "ARGS:f", "type": "equals", "value": "download-backup"}, {"name": "ARGS:url", "type": "regex", "value": "~(%3[Bb]|%7[Cc]|%26%26|%7[Cc]%7[Cc]|%60|%24%5C%28|%3[Ee]|%3[Cc]|%0[Aa]|%0[Dd]|[;|`$><])~"}], "cve": "CVE-2023-7002", "method": "POST", "mode": "block", "severity": 7.2, "slug": "backup-backup", "target": "plugin", "versions": "<=1.3.9"}, "RULE-CVE-2023-7291-01": {"ajax_action": "paytium_mollie_create_account", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-02": {"ajax_action": "paytium_mollie_create_profile", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-03": {"ajax_action": "pt_save_profile_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-04": {"ajax_action": "pt_get_mollie_profiles", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2023-7291-05": {"ajax_action": "paytium_sw_save_api_keys", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2023-7291", "method": "POST", "mode": "block", "severity": 8.1, "slug": "paytium", "target": "plugin", "versions": "<=4.3.7"}, "RULE-CVE-2024-0221-01": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_new_name", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_new_name in addImages rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-02": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-03": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "remove_items"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages remove_items", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-deletion"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-04": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "copy"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages copy", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-copy"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-05": {"ajax_action": "addImages", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "move"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addImages move", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-move"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-06": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_new_name", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_new_name in addMusic rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-07": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "rename_item"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic rename_item", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "file-rename"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-08": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "remove_items"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic remove_items", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-deletion"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-09": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "copy"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic copy", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-copy"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0221-10": {"ajax_action": "addMusic", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "move"}, {"name": "ARGS:file_names", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{3,}[\\\\\\\\/])~"}], "cve": "CVE-2024-0221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221", "description": "Photo Gallery <=1.8.19 authenticated path traversal via file_names in addMusic move", "method": "POST", "mode": "block", "severity": 7.2, "slug": "photo-gallery", "tags": ["path-traversal", "arbitrary-file-move"], "target": "plugin", "versions": "<=1.8.19"}, "RULE-CVE-2024-0608-01": {"ajax_action": "erp_crm_track_email_opened", "conditions": [{"name": "ARGS:email", "type": "detectSQLi"}], "cve": "CVE-2024-0608", "mode": "block", "severity": 8.8, "slug": "erp", "target": "plugin", "versions": "<=1.13.1"}, "RULE-CVE-2024-0659-01": {"action": "admin_init", "conditions": [{"name": "ARGS:edd-action", "type": "equals", "value": "tools_tab_debug_log"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-0659", "description": "Easy Digital Downloads <=3.1.5 unauthorized access to debug log tools action", "method": "POST", "mode": "block", "severity": 4.3, "slug": "easy-digital-downloads", "tags": ["broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=3.2.6"}, "RULE-CVE-2024-0660-01A": {"ajax_action": "frm_save_form", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-ajax.php"}, {"name": "ARGS:action", "type": "equals", "value": "frm_save_form"}, {"name": "ARGS:success_msg", "type": "detectXSS"}], "cve": "CVE-2024-0660", "description": "Formidable Forms <=6.7.2 CSRF-to-stored-XSS via admin-ajax frm_save_form (missing nonce validation)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "tags": ["xss", "csrf", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.7.2"}, "RULE-CVE-2024-0660-01B": {"ajax_action": "frm_save_form", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-ajax.php"}, {"name": "ARGS:action", "type": "equals", "value": "frm_save_form"}, {"name": "ARGS:custom_html", "type": "detectXSS"}], "cve": "CVE-2024-0660", "description": "Formidable Forms <=6.7.2 CSRF-to-stored-XSS via admin-ajax frm_save_form (missing nonce validation)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "formidable", "tags": ["xss", "csrf", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.7.2"}, "RULE-CVE-2024-0699-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/~i"}, {"name": "ARGS:url", "type": "regex", "value": "~\\\\.(?:php(?:[0-9s]?|t|tm)?|pht|phtml|phar|shtml|asp|aspx|jsp|cgi)(?:[?#]|$)~i"}], "cve": "CVE-2024-0699", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.1.4"}, "RULE-CVE-2024-0699-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/~i"}, {"name": "ARGS:url", "type": "regex", "value": "~^https?://169\\\\.254\\\\.169\\\\.254(?:[/:?#]|$)~i"}], "cve": "CVE-2024-0699", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.1.4"}, "RULE-CVE-2024-0709-01A": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:coinslist", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2024-0709", "mode": "block", "severity": 7.5, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": ">=2.0 <=2.6.5"}, "RULE-CVE-2024-0709-01B0": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:coinslist[0]", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2024-0709", "mode": "block", "severity": 7.5, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": ">=2.0 <=2.6.5"}, "RULE-CVE-2024-0709-01B1": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:coinslist[1]", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2024-0709", "mode": "block", "severity": 7.5, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": ">=2.0 <=2.6.5"}, "RULE-CVE-2024-0786-01": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:conditionData", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via conditionData in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-02": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:valueData", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via valueData in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-03": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:exclude", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via exclude in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-04": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:include", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via include in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0786-05": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:productArray", "type": "regex", "value": "~(?:[\'\\")\\\\)]\\\\s*(?:OR|AND)\\\\s+[^\\\\s]+=|UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s)~i"}], "cve": "CVE-2024-0786", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0786", "description": "Conversios <=7.0.7 authenticated SQL injection via productArray in ee_syncProductCategory", "method": "POST", "mode": "block", "severity": 6.5, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-0825-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/vimeography/v1/galleries/\\\\d+/duplicate(/|\\\\?|$)~"}, {"name": "ARGS:vimeography_duplicate_gallery_serialized", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-0825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0825", "description": "Vimeography <=2.3.2 PHP Object Injection via deserialization of untrusted input in duplicate gallery REST endpoint", "method": "POST", "mode": "block", "severity": 8.8, "slug": "vimeography", "tags": ["object-injection", "deserialization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.3.2"}, "RULE-CVE-2024-10002-01": {"ajax_action": "rover_idx_refresh_social", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10002", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10002", "description": "Rover IDX <=3.0.0.2905 authentication bypass to administrator via rover_idx_refresh_social AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "rover-idx", "tags": ["authentication-bypass", "missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=3.0.0.2905"}, "RULE-CVE-2024-10002-02": {"ajax_action": "rover_idx_social", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10002", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10002", "description": "Rover IDX <=3.0.0.2905 unauthorized social settings manipulation via rover_idx_social AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "rover-idx", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=3.0.0.2905"}, "RULE-CVE-2024-10079-01": {"ajax_action": "import_content", "conditions": [{"name": "ARGS:text", "type": "regex", "value": "~(^|[;{])\\\\s*(O|C):[0-9]+:\\"~"}], "cve": "CVE-2024-10079", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10079", "description": "WP Easy Post Types <=1.4.4 PHP Object Injection via unserialize of text parameter in import_content AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "easy-post-types", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.4.4"}, "RULE-CVE-2024-10124-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ai/v1/vayu-site-builder(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10124", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10124", "description": "Vayu Blocks <=1.1.1 unauthenticated arbitrary plugin/theme installation via REST API /ai/v1/vayu-site-builder", "method": "POST", "mode": "block", "severity": 9.8, "slug": "vayu-blocks", "tags": ["missing-authorization", "arbitrary-plugin-install", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2024-10247-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "video-gallery"}, {"name": "ARGS:orderby", "type": "detectSQLi"}], "cve": "CVE-2024-10247", "method": "GET", "mode": "block", "severity": 4.9, "slug": "gallery-videos", "target": "plugin", "versions": "<=2.4.2"}, "RULE-CVE-2024-10247-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "video-gallery"}, {"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2024-10247", "method": "GET", "mode": "block", "severity": 4.9, "slug": "gallery-videos", "target": "plugin", "versions": "<=2.4.2"}, "RULE-CVE-2024-10453-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~global_typography_title.*?(?:<script|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2024-10453", "method": "POST", "mode": "block", "severity": 5.4, "slug": "elementor", "target": "plugin", "versions": "<=3.25.9"}, "RULE-CVE-2024-10499-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/discussions/list(/|\\\\?|$)~"}, {"name": "ARGS:filters[*][value]", "type": "regex", "value": "~(?:\\\\b(?:UNION(?:\\\\s|/\\\\*.*?\\\\*/)+(?:ALL(?:\\\\s|/\\\\*.*?\\\\*/)+)?SELECT|SELECT\\\\s+.+?\\\\s+FROM|INSERT\\\\s+INTO|UPDATE\\\\s+\\\\S+\\\\s+SET|DELETE\\\\s+FROM|DROP\\\\s+(?:TABLE|DATABASE|INDEX)|INTO\\\\s+(?:OUT|DUMP)FILE)\\\\b|(?:--|/\\\\*)\\\\s*(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP)|\\\\b(?:SLEEP|BENCHMARK|LOAD_FILE|EXTRACTVALUE|UPDATEXML)\\\\s*\\\\()~i"}], "cve": "CVE-2024-10499", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<2.6.5"}, "RULE-CVE-2024-10499-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/discussions/list(/|\\\\?|$)~"}, {"name": "ARGS:sort[accessor]", "type": "regex", "value": "~(?:\\\\b(?:UNION(?:\\\\s|/\\\\*.*?\\\\*/)+(?:ALL(?:\\\\s|/\\\\*.*?\\\\*/)+)?SELECT|SELECT\\\\s+.+?\\\\s+FROM|INSERT\\\\s+INTO|UPDATE\\\\s+\\\\S+\\\\s+SET|DELETE\\\\s+FROM|DROP\\\\s+(?:TABLE|DATABASE|INDEX)|INTO\\\\s+(?:OUT|DUMP)FILE)\\\\b|(?:--|/\\\\*)\\\\s*(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP)|\\\\b(?:SLEEP|BENCHMARK|LOAD_FILE|EXTRACTVALUE|UPDATEXML)\\\\s*\\\\()~i"}], "cve": "CVE-2024-10499", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<2.6.5"}, "RULE-CVE-2024-10508-01": {"action": "init", "conditions": [{"name": "ARGS:rm_form_sub_id", "type": "equals", "value": "rm_reset_password_form"}, {"name": "ARGS:token_val", "type": "regex", "value": "~^\\\\s*(?:11)?\\\\s*$~"}], "cve": "CVE-2024-10508", "method": "POST", "mode": "block", "severity": 9.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.2.6"}, "RULE-CVE-2024-10542-01": {"action": "init", "conditions": [{"name": "ARGS:spbc_remote_call_action", "type": "regex", "value": "~^(?:install_plugin|activate_plugin|deactivate_plugin|uninstall_plugin|update_settings|post_api_key)$~i"}, {"name": "ARGS:plugin_name", "type": "regex", "value": "~^(?:antispam|anti-spam|apbct)$~i"}, {"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2024-10542", "mode": "block", "severity": 7.5, "slug": "cleantalk-spam-protect", "target": "plugin", "versions": "<=6.43.2"}, "RULE-CVE-2024-10687-01": {"ajax_action": "post_cg_get_raw_data_from_galleries", "conditions": [{"name": "ARGS:collectedIds", "type": "regex", "value": "~[^0-9,\\\\s]~"}], "cve": "CVE-2024-10687", "method": "POST", "mode": "block", "severity": 9.8, "slug": "contest-gallery", "target": "plugin", "versions": "<=24.0.3"}, "RULE-CVE-2024-1071-01": {"ajax_action": "um_get_members", "conditions": [{"name": "ARGS:sorting", "type": "detectSQLi"}], "cve": "CVE-2024-1071", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1071", "description": "Ultimate Member >=2.1.3 <=2.8.2 unauthenticated SQL injection via sorting parameter in um_get_members AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ultimate-member", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": ">=2.1.3 <=2.8.2"}, "RULE-CVE-2024-10711-02": {"action": "admin_post_itwr_activation_plugin", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-post.php"}, {"name": "ARGS:action", "type": "equals", "value": "itwr_activation_plugin"}, {"name": "ARGS:default_role", "type": "exists"}], "cve": "CVE-2024-10711", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ithemelandco-woo-report", "target": "plugin", "versions": "<=1.5.1"}, "RULE-CVE-2024-1072-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "seedprod_lite_template"}, {"name": "ARGS:id", "type": "equals", "value": "0"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2024-1072", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1072", "description": "SeedProd (Coming Soon) <=6.15.21 missing authorization on seedprod_lite_new_lpage via admin_init", "mode": "block", "severity": 8.2, "slug": "coming-soon", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=6.15.21"}, "RULE-CVE-2024-10728-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "install_required_plugin"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2024-10728", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10728", "description": "PostX \\u2013 Post Grid Gutenberg Blocks <=4.1.16 missing authorization on install_required_plugin AJAX action allows Subscriber+ arbitrary plugin installation/activation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-post", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-plugin-install"], "target": "plugin", "versions": "<=4.1.16"}, "RULE-CVE-2024-10871-01A": {"ajax_action": "get_filter_posts", "conditions": [{"name": "ARGS:params[caf-post-layout]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2024-10871", "method": "POST", "mode": "block", "severity": 9.8, "slug": "category-ajax-filter", "target": "plugin", "versions": "<=2.8.2"}, "RULE-CVE-2024-10871-01B": {"ajax_action": "get_filter_posts", "conditions": [{"name": "ARGS:params[caf-post-layout]", "type": "regex", "value": "~(?i)^(?:php|data|zip|phar)://~"}], "cve": "CVE-2024-10871", "method": "POST", "mode": "block", "severity": 9.8, "slug": "category-ajax-filter", "target": "plugin", "versions": "<=2.8.2"}, "RULE-CVE-2024-10871-01C": {"ajax_action": "get_filter_posts", "conditions": [{"name": "ARGS:params[caf-post-layout]", "type": "regex", "value": "~^(?:/|[A-Za-z]:\\\\\\\\)~"}], "cve": "CVE-2024-10871", "method": "POST", "mode": "block", "severity": 9.8, "slug": "category-ajax-filter", "target": "plugin", "versions": "<=2.8.2"}, "RULE-CVE-2024-10913-01": {"ajax_action": "wpclone-search-n-replace", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 unauthenticated PHP Object Injection - capability gate on search-n-replace AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "missing-authorization", "deserialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10913-02": {"ajax_action": "wpclone-search-n-replace", "conditions": [{"name": "ARGS:search", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 PHP Object Injection via serialized payload in search parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "deserialization", "php-serialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10913-03": {"ajax_action": "wpclone-search-n-replace", "conditions": [{"name": "ARGS:replace", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 PHP Object Injection via serialized payload in replace parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "deserialization", "php-serialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10913-04": {"ajax_action": "wpclone-install_new", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-10913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10913", "description": "Clone (WP Clone) <=2.4.6 unauthenticated PHP Object Injection - capability gate on install_new AJAX action (indirect vector via backup restore)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-clone-by-wp-academy", "tags": ["object-injection", "missing-authorization", "deserialization"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2024-10932-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~O:[0-9]+:\\"[^\\"]+\\":[0-9]+:\\\\{|s:[0-9]+:\\"O:[0-9]+:\\\\\\\\\\"[^\\"]+\\\\\\\\\\":[0-9]+:\\\\{~"}], "cve": "CVE-2024-10932", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10932", "description": "Backup Migration <=1.4.6 PHP object injection payload planting via comment content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "backup-backup", "tags": ["object-injection", "deserialization", "comments", "unauthenticated"], "target": "plugin", "versions": "<=1.4.6"}, "RULE-CVE-2024-10932-02": {"ajax_action": "backup_migration", "conditions": [{"name": "ARGS:f", "type": "equals", "value": "startLocalStagingCreation"}, {"name": "ARGS", "type": "regex", "value": "~O:[0-9]+:\\"[^\\"]+\\":[0-9]+:\\\\{|s:[0-9]+:\\"O:[0-9]+:\\\\\\\\\\"[^\\"]+\\\\\\\\\\":[0-9]+:\\\\{~"}], "cve": "CVE-2024-10932", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10932", "description": "Backup Migration <=1.4.6 PHP object injection via backup_migration staging request payloads", "method": "POST", "mode": "block", "severity": 8.8, "slug": "backup-backup", "tags": ["object-injection", "deserialization", "ajax", "staging"], "target": "plugin", "versions": "<=1.4.6"}, "RULE-CVE-2024-10936-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-comments-post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:comment", "type": "regex", "value": "~(?:O|C):\\\\d+:\\\\\\"~"}], "cve": "CVE-2024-10936", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-10936", "description": "String Locator <=2.6.6 unauthenticated PHP Object Injection via comment content planting", "method": "POST", "mode": "block", "severity": 8.8, "slug": "string-locator", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=2.6.6"}, "RULE-CVE-2024-10960-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^brizy[-_]upload[-_]blocks$~i"}, {"name": "FILES:files", "type": "exists"}], "cve": "CVE-2024-10960", "method": "POST", "mode": "block", "severity": 8.8, "slug": "brizy", "target": "plugin", "versions": "<=2.6.4"}, "RULE-CVE-2024-10960-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^brizy[-_]upload[-_]layouts$~i"}, {"name": "FILES:files", "type": "exists"}], "cve": "CVE-2024-10960", "method": "POST", "mode": "block", "severity": 8.8, "slug": "brizy", "target": "plugin", "versions": "<=2.6.4"}, "RULE-CVE-2024-11103-01": {"ajax_action": "post_cg_login", "conditions": [{"name": "ARGS:user_id", "type": "regex", "value": "~^\\\\d+$~"}, {"name": "ARGS:pass1", "type": "exists"}], "cve": "CVE-2024-11103", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11103", "description": "Contest Gallery <=24.0.7 unauthenticated arbitrary password reset via post_cg_login AJAX handler (user_id + pass1)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "contest-gallery", "tags": ["authentication-bypass", "privilege-escalation", "account-takeover", "unauthenticated"], "target": "plugin", "versions": "<=24.0.7"}, "RULE-CVE-2024-11103-02": {"ajax_action": "post_cg_login", "conditions": [{"name": "ARGS:cgLostPasswordSiteUrl", "type": "exists"}], "cve": "CVE-2024-11103", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11103", "description": "Contest Gallery <=24.0.7 unauthenticated URL injection in password reset email via cgLostPasswordSiteUrl", "method": "POST", "mode": "block", "severity": 9.8, "slug": "contest-gallery", "tags": ["phishing", "url-injection", "unauthenticated", "weak-password-recovery"], "target": "plugin", "versions": "<=24.0.7"}, "RULE-CVE-2024-11188-01": {"ajax_action": "frm_forms_preview", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "frm_forms_preview"}, {"name": "ARGS:frm_action", "type": "equals", "value": "preview"}, {"name": "ARGS", "type": "regex", "value": "~<script[\\\\s/>]~i"}], "cve": "CVE-2024-11188", "description": "Formidable Forms <=6.16.1.2 stored XSS via form item parameters in preview", "method": "POST", "mode": "block", "severity": 6.5, "slug": "formidable", "tags": ["xss", "stored-xss", "form-builder"], "target": "plugin", "versions": "<=6.16.1.2"}, "RULE-CVE-2024-11270-01": {"ajax_action": "sync-import-imgs", "conditions": [{"type": "missing_capability", "value": "_wswebinar_createwebinars"}], "cve": "CVE-2024-11270", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11270", "description": "WebinarPress <=1.33.24 missing authorization on sync-import-imgs AJAX allowing subscriber+ arbitrary file creation (RCE)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-webinarsystem", "tags": ["missing-authorization", "arbitrary-file-upload", "remote-code-execution"], "target": "plugin", "versions": "<=1.33.24"}, "RULE-CVE-2024-11270-02": {"ajax_action": "sync-import-imgs", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)|[\\\\\\\\/]\\\\.htaccess$|[\\\\\\\\/]\\\\.htpasswd$)~i"}], "cve": "CVE-2024-11270", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11270", "description": "WebinarPress <=1.33.24 arbitrary file upload via sync-import-imgs with executable file extension", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-webinarsystem", "tags": ["arbitrary-file-upload", "remote-code-execution", "file-extension-bypass"], "target": "plugin", "versions": "<=1.33.24"}, "RULE-CVE-2024-11323-01": {"ajax_action": "ai_quiz_update_style", "conditions": [{"name": "ARGS:colors", "type": "exists"}, {"name": "ARGS:colors", "type": "regex", "value": "~[\\"\'](?:default_role|users_can_register|siteurl|home|admin_email|blogname|blogdescription|template|stylesheet|active_plugins|permalink_structure|mailserver_url|hack_file|db_version)[\\"\']\\\\s*:~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11323", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11323", "description": "AI Quiz <=1.1 authenticated arbitrary options update via ai_quiz_update_style AJAX handler - dangerous option names in colors JSON", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-quiz", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-options-update"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2024-11323-02": {"ajax_action": "ai_quiz_update_style", "conditions": [{"name": "ARGS:colors", "type": "regex", "value": "~<\\\\s*/\\\\s*style|<\\\\s*script|on(?:error|load|click|mouseover)\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11323", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11323", "description": "AI Quiz <=1.1 authenticated stored XSS via ai_quiz_update_style colors parameter - style tag breakout", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-quiz", "tags": ["missing-authorization", "stored-xss"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2024-11323-03": {"ajax_action": "ai_quiz_update_style", "conditions": [{"name": "ARGS:phrase", "type": "regex", "value": "~<\\\\s*/\\\\s*style|<\\\\s*script|on(?:error|load|click|mouseover)\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11323", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11323", "description": "AI Quiz <=1.1 authenticated stored XSS via ai_quiz_update_style phrase parameter - style tag breakout", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-quiz", "tags": ["missing-authorization", "stored-xss"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2024-11415-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-orphanage-extended"}, {"name": "ARGS:action", "type": "equals", "value": "update"}, {"name": "ARGS:wporphanageex_role", "type": "regex", "value": "~^(?:administrator|editor|author)$~i"}], "cve": "CVE-2024-11415", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11415", "description": "WP-Orphanage Extended <=1.2 CSRF to orphan account privilege escalation via settings page role parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-orphanage-extended", "tags": ["csrf", "privilege-escalation", "settings-update"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2024-11429-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:stars[_-]testimonials(?:-with-slider-and-masonry-grid)?|testimonial[_-]stars)[^\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|phar://|data://)~i"}], "cve": "CVE-2024-11429", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11429", "description": "Stars Testimonials <=3.3.3 Local File Inclusion via shortcode attribute in post_content (post.php)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "stars-testimonials-with-slider-and-masonry-grid", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.3.3"}, "RULE-CVE-2024-11429-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:stars[_-]testimonials(?:-with-slider-and-masonry-grid)?|testimonial[_-]stars)[^\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|phar://|data://)~i"}], "cve": "CVE-2024-11429", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11429", "description": "Stars Testimonials <=3.3.3 Local File Inclusion via shortcode attribute in REST API post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "stars-testimonials-with-slider-and-masonry-grid", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.3.3"}, "RULE-CVE-2024-11642-01": {"ajax_action": "asr_filter_posts", "conditions": [{"name": "ARGS:argsArray[grid_style]", "type": "regex", "value": "~(?:\\\\.{2,}[\\\\\\\\/]{1,}){2,}~"}], "cve": "CVE-2024-11642", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ajax-filter-posts", "target": "plugin", "versions": "<=3.4.11"}, "RULE-CVE-2024-11642-02": {"ajax_action": "asr_filter_posts", "conditions": [{"name": "ARGS:argsArray[filter_style]", "type": "regex", "value": "~(?:\\\\.{2,}[\\\\\\\\/]{1,}){2,}~"}], "cve": "CVE-2024-11642", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ajax-filter-posts", "target": "plugin", "versions": "<=3.4.11"}, "RULE-CVE-2024-11643-01": {"ajax_action": "AllAccessible_save_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11643", "method": "POST", "mode": "block", "severity": 8.8, "slug": "allaccessible", "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2024-1171-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~eael-filterable-gallery[\\\\s\\\\S]*?(?:<script|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2024-1171", "method": "POST", "mode": "block", "severity": 5.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.8"}, "RULE-CVE-2024-1172-01": {"ajax_action": "eael_save_elements", "conditions": [{"name": "ARGS:eael_adv_accordion_tab_title_icon", "type": "regex", "value": "~(?i)(?:<\\\\s*script\\\\b|<\\\\s*svg\\\\b|<\\\\s*iframe\\\\b|on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~"}], "cve": "CVE-2024-1172", "method": "POST", "mode": "block", "severity": 5.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.8"}, "RULE-CVE-2024-1172-02": {"ajax_action": "eael_save_elements", "conditions": [{"name": "ARGS:eael_adv_accordion_tab_title_icon_opened", "type": "regex", "value": "~(?i)(?:<\\\\s*script\\\\b|<\\\\s*svg\\\\b|<\\\\s*iframe\\\\b|on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~"}], "cve": "CVE-2024-1172", "method": "POST", "mode": "block", "severity": 5.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.8"}, "RULE-CVE-2024-1172-03": {"ajax_action": "eael_save_elements", "conditions": [{"name": "ARGS:eael_adv_accordion_tab_id", "type": "regex", "value": "~(?i)(?:<\\\\s*script\\\\b|<\\\\s*svg\\\\b|<\\\\s*iframe\\\\b|on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~"}], "cve": "CVE-2024-1172", "method": "POST", "mode": "block", "severity": 5.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.8"}, "RULE-CVE-2024-11725-01": {"action": "admin_post_wc_warranty_settings_update", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11725", "method": "POST", "mode": "block", "severity": 8.8, "slug": "sms-alert", "target": "plugin", "versions": "<=3.7.6"}, "RULE-CVE-2024-11816-01": {"ajax_action": "handle_snippet_update", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:snippet_id", "type": "exists"}, {"name": "ARGS:snippet_code", "type": "exists"}], "cve": "CVE-2024-11816", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-11816", "description": "WP Extended <=3.0.11 authenticated RCE via missing authorization on handle_snippet_update AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpextended", "tags": ["missing-authorization", "remote-code-execution", "authenticated"], "target": "plugin", "versions": "<=3.0.11"}, "RULE-CVE-2024-11868-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/lp/v1/material/\\\\d+(?:[/?&]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-11868", "method": "GET", "mode": "block", "severity": 5.3, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.7.3"}, "RULE-CVE-2024-11921-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-donors~"}, {"name": "ARGS:start-date", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-donors~"}, {"name": "ARGS:end-date", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-donors~"}, {"name": "ARGS:status", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-04": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-donors~"}, {"name": "ARGS:donor", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-05": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-donors~"}, {"name": "ARGS:order", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-06": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-payment-history~"}, {"name": "ARGS:start-date", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-07": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-payment-history~"}, {"name": "ARGS:end-date", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-08": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-payment-history~"}, {"name": "ARGS:status", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-09": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-payment-history~"}, {"name": "ARGS:donor", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-10": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]post_type=give_forms~"}, {"name": "ARGS:s", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-11": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-reports~"}, {"name": "ARGS:tab", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-12": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=give-tools~"}, {"name": "ARGS:per_page", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-13": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]post_type=give_forms~"}, {"name": "ARGS:start-date", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-11921-14": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]post_type=give_forms~"}, {"name": "ARGS:end-date", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-11921", "method": "GET", "mode": "block", "severity": 4.8, "slug": "give", "target": "plugin", "versions": "<3.19.0"}, "RULE-CVE-2024-1203-01": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:valueData", "type": "regex", "value": "~(?:\'\\\\s*(?:OR|AND)\\\\b|\\\\b(?:OR|AND)\\\\s+\\\\d+=\\\\d+|UNION\\\\s+SELECT|SELECT\\\\s+.+\\\\s+FROM|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|--\\\\s*$|/\\\\*|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE)\\\\b)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1203", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1203", "description": "Conversios Google Analytics 4 for WooCommerce <=7.0.7 authenticated SQL injection via valueData in ee_syncProductCategory AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-1203-02": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:conditionData", "type": "detectSQLi"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1203", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1203", "description": "Conversios Google Analytics 4 for WooCommerce <=7.0.7 authenticated SQL injection via conditionData in ee_syncProductCategory AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-1203-03": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:productArray", "type": "detectSQLi"}, {"name": "ARGS", "type": "regex", "value": "~(?:UNION\\\\s+SELECT|SELECT\\\\s+.+\\\\s+FROM|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|OR\\\\s+\\\\d+=\\\\d+|AND\\\\s+\\\\d+=\\\\d+|\'\\\\s*(?:OR|AND)\\\\s+\'|--\\\\s*$|;\\\\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1203", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1203", "description": "Conversios Google Analytics 4 for WooCommerce <=7.0.7 authenticated SQL injection via productArray in ee_syncProductCategory AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-1203-04": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:exclude", "type": "detectSQLi"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1203", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1203", "description": "Conversios Google Analytics 4 for WooCommerce <=7.0.7 authenticated SQL injection via exclude in ee_syncProductCategory AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-1203-05": {"ajax_action": "ee_syncProductCategory", "conditions": [{"name": "ARGS:include", "type": "detectSQLi"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1203", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1203", "description": "Conversios Google Analytics 4 for WooCommerce <=7.0.7 authenticated SQL injection via include in ee_syncProductCategory AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "enhanced-e-commerce-for-woocommerce-store", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2024-12040-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wcpcsu\\\\b[^\\\\]]*theme\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\./|\\\\.\\\\.\\\\.\\\\\\\\)[^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-12040", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-12040", "description": "Product Carousel Slider & Grid Ultimate for WooCommerce <=1.9.10 authenticated (Contributor+) Local File Inclusion via [wcpcsu] shortcode theme attribute in post_content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "woo-product-carousel-slider-and-grid-ultimate", "tags": ["local-file-inclusion", "path-traversal", "shortcode"], "target": "plugin", "versions": "<=1.9.10"}, "RULE-CVE-2024-12040-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wcpcsu\\\\b[^\\\\]]*theme\\\\s*=\\\\s*[\\"\']?(?:php|data|expect|zip|phar)://~i"}], "cve": "CVE-2024-12040", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-12040", "description": "Product Carousel Slider & Grid Ultimate for WooCommerce <=1.9.10 authenticated (Contributor+) Local File Inclusion via [wcpcsu] shortcode theme attribute with PHP wrapper in post_content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "woo-product-carousel-slider-and-grid-ultimate", "tags": ["local-file-inclusion", "php-wrapper", "shortcode"], "target": "plugin", "versions": "<=1.9.10"}, "RULE-CVE-2024-12040-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wcpcsu\\\\b[^\\\\]]*theme\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\./|\\\\.\\\\.\\\\.\\\\\\\\)[^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-12040", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-12040", "description": "Product Carousel Slider & Grid Ultimate for WooCommerce <=1.9.10 authenticated (Contributor+) LFI via REST API post content with [wcpcsu] shortcode theme traversal", "method": "POST", "mode": "block", "severity": 8.8, "slug": "woo-product-carousel-slider-and-grid-ultimate", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.9.10"}, "RULE-CVE-2024-12040-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wcpcsu\\\\b[^\\\\]]*theme\\\\s*=\\\\s*[\\"\']?(?:php|data|expect|zip|phar)://~i"}], "cve": "CVE-2024-12040", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-12040", "description": "Product Carousel Slider & Grid Ultimate for WooCommerce <=1.9.10 authenticated (Contributor+) LFI via REST API post content with [wcpcsu] shortcode theme PHP wrapper", "method": "POST", "mode": "block", "severity": 8.8, "slug": "woo-product-carousel-slider-and-grid-ultimate", "tags": ["local-file-inclusion", "php-wrapper", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.9.10"}, "RULE-CVE-2024-1206-01": {"ajax_action": "wprm_import_recipes", "conditions": [{"name": "ARGS:recipes", "type": "regex", "value": "~[^0-9,\\\\s]~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1206", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1206", "description": "WP Recipe Maker <=9.1.2 authenticated SQL injection via recipes parameter (scalar) in wprm_import_recipes AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-recipe-maker", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=9.1.2"}, "RULE-CVE-2024-1206-02": {"ajax_action": "wprm_import_recipes", "conditions": [{"name": "ARGS:recipes[0]", "type": "regex", "value": "~[^0-9,\\\\s]~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1206", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1206", "description": "WP Recipe Maker <=9.1.2 authenticated SQL injection via recipes[] array element in wprm_import_recipes AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-recipe-maker", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=9.1.2"}, "RULE-CVE-2024-1207-01": {"ajax_action": "WPBC_AJX_CALENDAR_LOAD", "conditions": [{"name": "ARGS:calendar_request_params[dates_ddmmyy_csv]", "type": "regex", "value": "~[^0-9.,\\\\-\\\\s;]~"}], "cve": "CVE-2024-1207", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1207", "description": "WP Booking Calendar <=9.9 unauthenticated SQL injection via calendar_request_params[dates_ddmmyy_csv] in WPBC_AJX_CALENDAR_LOAD", "method": "POST", "mode": "block", "severity": 9.8, "slug": "booking", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=9.9"}, "RULE-CVE-2024-1207-02": {"ajax_action": "WPBC_AJX_BOOKING__CREATE", "conditions": [{"name": "ARGS:calendar_request_params[dates_ddmmyy_csv]", "type": "regex", "value": "~[^0-9.,\\\\-\\\\s;]~"}], "cve": "CVE-2024-1207", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1207", "description": "WP Booking Calendar <=9.9 unauthenticated SQL injection via calendar_request_params[dates_ddmmyy_csv] in WPBC_AJX_BOOKING__CREATE", "method": "POST", "mode": "block", "severity": 9.8, "slug": "booking", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=9.9"}, "RULE-CVE-2024-12171-01": {"ajax_action": "eh_crm_agent_add_user", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-12171", "method": "POST", "mode": "block", "severity": 8.8, "slug": "elex-helpdesk-customer-support-ticket-system", "target": "plugin", "versions": "<=3.2.6"}, "RULE-CVE-2024-12259-01": {"ajax_action": "wc_update_user_data", "conditions": [{"name": "ARGS:update_user", "type": "regex", "value": "~^\\\\d+$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-12259", "method": "POST", "mode": "block", "severity": 8.8, "slug": "computer-repair-shop", "target": "plugin", "versions": "<=3.8120"}, "RULE-CVE-2024-12264-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/payu/v1/get-shipping-cost(?:[/?&]|$)~"}, {"name": "ARGS:username", "type": "exists"}], "cve": "CVE-2024-12264", "method": "POST", "mode": "block", "severity": 9.8, "slug": "payu-india", "target": "plugin", "versions": "<=3.8.3"}, "RULE-CVE-2024-12264-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/payu/v1/get-shipping-cost(?:[/?&]|$)~"}, {"name": "ARGS:password", "type": "exists"}], "cve": "CVE-2024-12264", "method": "POST", "mode": "block", "severity": 9.8, "slug": "payu-india", "target": "plugin", "versions": "<=3.8.3"}, "RULE-CVE-2024-12264-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/payu/v1/generate-user-token(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-12264", "method": "POST", "mode": "block", "severity": 9.8, "slug": "payu-india", "target": "plugin", "versions": "<=3.8.3"}, "RULE-CVE-2024-12322-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "theperfectweddingnl-widget/tpw.php"}, {"name": "ARGS:tpwKey", "type": "regex", "value": "~(?:<script|<iframe|<svg|javascript:|on(?:error|load|click|mouseover)\\\\s*=)~i"}], "cve": "CVE-2024-12322", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-12322", "description": "ThePerfectWedding.nl Widget <=2.8 CSRF to Stored XSS via tpwKey parameter on settings page", "method": "POST", "mode": "block", "severity": 8.8, "slug": "theperfectweddingnl-widget", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=2.8"}, "RULE-CVE-2024-12402-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/api/tc_user/update_user_profile(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2024-12402", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tc-ecommerce", "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2024-12583-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[msdyncrm_twig\\\\].*(?:\\\\|\\\\s*(?:filter|map|sort|reduce)\\\\s*\\\\(|source\\\\s*\\\\()~si"}], "cve": "CVE-2024-12583", "method": "POST", "mode": "block", "severity": 9.9, "slug": "integration-dynamics", "target": "plugin", "versions": "<=1.3.23"}, "RULE-CVE-2024-12583-02": {"action": "init", "conditions": [{"name": "JSON:content", "type": "regex", "value": "~\\\\[msdyncrm_twig\\\\].*(?:\\\\|\\\\s*(?:filter|map|sort|reduce)\\\\s*\\\\(|source\\\\s*\\\\()~si"}], "cve": "CVE-2024-12583", "method": "POST", "mode": "block", "severity": 9.9, "slug": "integration-dynamics", "target": "plugin", "versions": "<=1.3.23"}, "RULE-CVE-2024-12594-01": {"ajax_action": "lps_generate_temp_access_url", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-12594", "method": "POST", "mode": "block", "severity": 8.8, "slug": "login-page-styler", "target": "plugin", "versions": "<=7.1.1"}, "RULE-CVE-2024-12594-02": {"ajax_action": "lps_revoke_access", "conditions": [{"type": "missing_capability", "value": "administrator"}], "cve": "CVE-2024-12594", "method": "POST", "mode": "block", "severity": 8.8, "slug": "login-page-styler", "target": "plugin", "versions": "<=7.1.1"}, "RULE-CVE-2024-12594-03": {"ajax_action": "lps_reset_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-12594", "method": "POST", "mode": "block", "severity": 8.8, "slug": "login-page-styler", "target": "plugin", "versions": "<=7.1.1"}, "RULE-CVE-2024-12635-01": {"ajax_action": "wpdocs_update_folder", "conditions": [{"name": "ARGS:dir_id", "type": "detectSQLi"}], "cve": "CVE-2024-12635", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.0"}, "RULE-CVE-2024-12635-02": {"ajax_action": "wpdocs_delete_folder", "conditions": [{"name": "ARGS:dir_id", "type": "detectSQLi"}], "cve": "CVE-2024-12635", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.0"}, "RULE-CVE-2024-12635-03": {"ajax_action": "wpdocs_delete_files", "conditions": [{"name": "ARGS:dir_id", "type": "detectSQLi"}], "cve": "CVE-2024-12635", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.0"}, "RULE-CVE-2024-12771-01": {"ajax_action": "customer_panel_password_reset", "conditions": [{"name": "ARGS:new_password", "type": "exists"}, {"name": "ARGS:repeat_new_password", "type": "exists"}], "cve": "CVE-2024-12771", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ecommerce-product-catalog", "target": "plugin", "versions": "<=3.3.43"}, "RULE-CVE-2024-12875-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/post.php"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:post_type", "type": "equals", "value": "download"}, {"name": "ARGS:/^edd_download_files$/", "type": "regex", "value": "~(?i)(?:\\\\.\\\\./|\\\\.\\\\.\\\\\\\\|%2e%2e%2f|%2e%2e%5c|%252e%252e%252f|%252e%252e%255c|\\\\.\\\\.\\\\.\\\\.//)~i"}], "cve": "CVE-2024-12875", "method": "POST", "mode": "block", "severity": 4.9, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2024-12877-01": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:firstName", "type": "regex", "value": "~(?:O:\\\\d+:\\"[^\\"]+\\":\\\\d+:\\\\{|a:\\\\d+:\\\\{)~i"}], "cve": "CVE-2024-12877", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.2"}, "RULE-CVE-2024-12877-02": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:lastName", "type": "regex", "value": "~(?:O:\\\\d+:\\"[^\\"]+\\":\\\\d+:\\\\{|a:\\\\d+:\\\\{)~i"}], "cve": "CVE-2024-12877", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.2"}, "RULE-CVE-2024-12877-03": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:email", "type": "regex", "value": "~(?:O:\\\\d+:\\"[^\\"]+\\":\\\\d+:\\\\{|a:\\\\d+:\\\\{)~i"}], "cve": "CVE-2024-12877", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.2"}, "RULE-CVE-2024-12877-04": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:form_id", "type": "regex", "value": "~(?:O:\\\\d+:\\"[^\\"]+\\":\\\\d+:\\\\{|a:\\\\d+:\\\\{)~i"}], "cve": "CVE-2024-12877", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.2"}, "RULE-CVE-2024-12877-05": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:gateway", "type": "regex", "value": "~(?:O:\\\\d+:\\"[^\\"]+\\":\\\\d+:\\\\{|a:\\\\d+:\\\\{)~i"}], "cve": "CVE-2024-12877", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.2"}, "RULE-CVE-2024-12881-01": {"ajax_action": "eos_plugin_reviews_restore_version", "conditions": [{"name": "ARGS:dir", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-12881", "method": "POST", "mode": "block", "severity": 8.8, "slug": "plugversions", "target": "plugin", "versions": "<=0.0.7"}, "RULE-CVE-2024-1289-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/(?:profile|user-profile)/[^/]+/orders/.*~"}, {"name": "ARGS:view-order", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1289", "method": "GET", "mode": "block", "severity": 5.4, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.3"}, "RULE-CVE-2024-12919-01": {"action": "init", "conditions": [{"name": "ARGS:pms_payment_id", "type": "regex", "value": "~^0*[1-9][0-9]*$~"}, {"name": "ARGS:pms_autologin_before_redirect", "type": "equals", "value": "true"}], "cve": "CVE-2024-12919", "mode": "block", "severity": 9.8, "slug": "paid-member-subscriptions", "target": "plugin", "versions": "<=2.13.7"}, "RULE-CVE-2024-13127-01": {"action": "rest_api_init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/lp/v1/settings~i"}], "cve": "CVE-2024-13127", "description": "Broken access control allows non-admin users to modify LearnPress display settings via REST API", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.7.5"}, "RULE-CVE-2024-13128-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(?:\\\\?|$)~i"}, {"name": "ARGS:page", "type": "equals", "value": "learn-press-settings"}, {"name": "ARGS:primary_color", "type": "detectXSS"}, {"name": "ARGS:secondary_color", "type": "detectXSS"}, {"name": "ARGS:width_container", "type": "detectXSS"}, {"name": "ARGS:learn_press[primary_color]", "type": "detectXSS"}, {"name": "ARGS:learn_press[secondary_color]", "type": "detectXSS"}, {"name": "ARGS:learn_press[width_container]", "type": "detectXSS"}], "cve": "CVE-2024-13128", "description": "Broken access control allows non-admin users to modify LearnPress color settings via REST API", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.7.5"}, "RULE-CVE-2024-1315-01": {"ajax_action": "rtcl_update_user_account", "conditions": [{"name": "ARGS:email", "type": "exists"}, {"name": "ARGS:pass1", "type": "exists"}], "cve": "CVE-2024-1315", "method": "POST", "mode": "block", "severity": 8.8, "slug": "classified-listing", "target": "plugin", "versions": "<=3.0.4"}, "RULE-CVE-2024-1317-01": {"ajax_action": "feedzy", "conditions": [{"name": "ARGS:search_key", "type": "detectSQLi"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1317", "method": "POST", "mode": "block", "severity": 8.8, "slug": "feedzy-rss-feeds", "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2024-13315-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "shopwarden"}, {"name": "ARGS:action", "type": "equals", "value": "save_setting"}, {"name": "ARGS:key", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-13315", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13315", "description": "Shopwarden <=1.0.11 CSRF to arbitrary WordPress options update via admin.php page=shopwarden action=save_setting", "mode": "block", "severity": 8.8, "slug": "shopwarden", "tags": ["csrf", "broken-access-control", "options-update", "privilege-escalation"], "target": "plugin", "versions": "<=1.0.11"}, "RULE-CVE-2024-13353-01": {"ajax_action": "rael_products_pagination_product", "conditions": [{"name": "ARGS:template", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|(?:php|zip|phar|data|expect|glob)://)~i"}], "cve": "CVE-2024-13353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13353", "description": "Responsive Addons for Elementor <=1.6.4 Local File Inclusion via template parameter in rael_products_pagination_product AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "responsive-addons-for-elementor", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=1.6.4"}, "RULE-CVE-2024-13353-02": {"ajax_action": "rael_woo_product_pagination", "conditions": [{"name": "ARGS:template", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|(?:php|zip|phar|data|expect|glob)://)~i"}], "cve": "CVE-2024-13353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13353", "description": "Responsive Addons for Elementor <=1.6.4 Local File Inclusion via template parameter in rael_woo_product_pagination AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "responsive-addons-for-elementor", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=1.6.4"}, "RULE-CVE-2024-13353-03": {"ajax_action": "rael_load_more", "conditions": [{"name": "ARGS:template", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|(?:php|zip|phar|data|expect|glob)://)~i"}], "cve": "CVE-2024-13353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13353", "description": "Responsive Addons for Elementor <=1.6.4 Local File Inclusion via template parameter in rael_load_more AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "responsive-addons-for-elementor", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=1.6.4"}, "RULE-CVE-2024-13365-01": {"ajax_action": "spbc_check_file_block", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-13365", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13365", "description": "Security & Malware scan by CleanTalk <=2.149 unauthenticated arbitrary file upload via spbc_check_file_block AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "security-malware-firewall", "tags": ["arbitrary-file-upload", "unauthenticated", "missing-authorization", "remote-code-execution"], "target": "plugin", "versions": "<=2.149"}, "RULE-CVE-2024-13508-01": {"action": "init", "conditions": [{"name": "ARGS:locale", "type": "detectXSS"}], "cve": "CVE-2024-13508", "method": "GET", "mode": "block", "severity": 6.1, "slug": "booking-package", "target": "plugin", "versions": "<=1.6.72"}, "RULE-CVE-2024-13508-02": {"ajax_action": "package_app_public_action", "conditions": [{"name": "ARGS:locale", "type": "detectXSS"}], "cve": "CVE-2024-13508", "method": "POST", "mode": "block", "severity": 6.1, "slug": "booking-package", "target": "plugin", "versions": "<=1.6.72"}, "RULE-CVE-2024-13508-03": {"ajax_action": "package_app_action", "conditions": [{"name": "ARGS:locale", "type": "detectXSS"}], "cve": "CVE-2024-13508", "method": "POST", "mode": "block", "severity": 6.1, "slug": "booking-package", "target": "plugin", "versions": "<=1.6.72"}, "RULE-CVE-2024-13517-01": {"action": "init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "download"}, {"name": "ARGS:post_title", "type": "detectXSS"}], "cve": "CVE-2024-13517", "method": "POST", "mode": "block", "severity": 4.0, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2024-13517-02": {"ajax_action": "inline-save", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:post_type", "type": "equals", "value": "download"}, {"name": "ARGS:post_title", "type": "detectXSS"}], "cve": "CVE-2024-13517", "method": "POST", "mode": "block", "severity": 4.0, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2024-13553-01": {"action": "plugins_loaded", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:option", "type": "regex", "value": "~^smsalert~"}], "cve": "CVE-2024-13553", "method": "GET", "mode": "block", "severity": 9.8, "slug": "sms-alert", "target": "plugin", "versions": "<=3.7.9"}, "RULE-CVE-2024-13714-01": {"ajax_action": "select_image_for_library", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar|gif)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)(?:[?#]|$)|[\\\\\\\\/]\\\\.htaccess(?:[?#]|$)|[\\\\\\\\/]\\\\.htpasswd(?:[?#]|$)~i"}], "cve": "CVE-2024-13714", "method": "POST", "mode": "block", "severity": 8.8, "slug": "all-images-ai", "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2024-13714-02": {"ajax_action": "select_image_for_post", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar|gif)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)(?:[?#]|$)|[\\\\\\\\/]\\\\.htaccess(?:[?#]|$)|[\\\\\\\\/]\\\\.htpasswd(?:[?#]|$)~i"}], "cve": "CVE-2024-13714", "method": "POST", "mode": "block", "severity": 8.8, "slug": "all-images-ai", "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2024-13789-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/__ravpage/api([#?]|$)~"}, {"name": "ARGS:paramsv2", "type": "regex", "value": "~(?:Tzo|Qzo)~"}], "cve": "CVE-2024-13789", "mode": "block", "severity": 9.8, "slug": "ravpage", "target": "plugin", "versions": "<=2.31"}, "RULE-CVE-2024-1382-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~nd_rst_layout\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|data://|phar://|expect://)~i"}], "cve": "CVE-2024-1382", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1382", "description": "Restaurant Reservations <=1.9 Local File Inclusion via nd_rst_layout shortcode attribute in post_content (post.php save)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nd-restaurant-reservations", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.9"}, "RULE-CVE-2024-1382-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~nd_rst_layout\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|data://|phar://|expect://)~i"}], "cve": "CVE-2024-1382", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1382", "description": "Restaurant Reservations <=1.9 Local File Inclusion via nd_rst_layout shortcode attribute in content (REST API post creation)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nd-restaurant-reservations", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.9"}, "RULE-CVE-2024-13869-01": {"ajax_action": "wpvivid_upload_files", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:name", "type": "regex", "value": "~\\\\.(?:php[0-9s]?|phtml|phar|shtml|cgi)(?:\\\\.|$)~i"}], "cve": "CVE-2024-13869", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.112"}, "RULE-CVE-2024-13913-01": {"action": "init", "conditions": [{"name": "ARGS:instawp_database_manager", "type": "exists"}, {"name": "ARGS:instawp_database_manager", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2024-13913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13913", "description": "InstaWP Connect <=0.1.0.83 CSRF to Local File Inclusion via instawp_database_manager query var - path traversal and sensitive file detection", "method": "GET", "mode": "block", "severity": 8.8, "slug": "instawp-connect", "tags": ["local-file-inclusion", "path-traversal", "csrf", "unauthenticated"], "target": "plugin", "versions": "<=0.1.0.83"}, "RULE-CVE-2024-13913-02": {"action": "init", "conditions": [{"name": "ARGS:instawp_database_manager", "type": "exists"}, {"name": "ARGS:instawp_database_manager", "type": "regex", "value": "~\\\\.(?:ph(?:p\\\\d?|ps|tml?|t|ar))(?:\\\\?|$|%00)~i"}], "cve": "CVE-2024-13913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13913", "description": "InstaWP Connect <=0.1.0.83 CSRF to Local PHP File Inclusion via instawp_database_manager query var - PHP file extension detection", "method": "GET", "mode": "block", "severity": 8.8, "slug": "instawp-connect", "tags": ["local-file-inclusion", "csrf", "unauthenticated", "php-inclusion"], "target": "plugin", "versions": "<=0.1.0.83"}, "RULE-CVE-2024-13913-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php(?:\\\\?|$)~i"}, {"name": "ARGS:action", "type": "equals", "value": "instawp-database-manager-auto-login"}, {"name": "ARGS:auth_key", "type": "exists"}], "cve": "CVE-2024-13913", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-13913", "description": "InstaWP Connect <=0.1.0.83 CSRF on unauthenticated auto-login endpoint removed in fix", "method": "POST", "mode": "block", "severity": 8.8, "slug": "instawp-connect", "tags": ["csrf", "unauthenticated", "auto-login-abuse"], "target": "plugin", "versions": "<=0.1.0.83"}, "RULE-CVE-2024-1424-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[give_(form|donor_wall|donor_dashboard|goal|form_grid)\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2024-1424", "method": "POST", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.5.1"}, "RULE-CVE-2024-1424-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[give_(form|donor_wall|donor_dashboard|goal|form_grid)\\\\b[^\\\\]]*javascript\\\\s*:~i"}], "cve": "CVE-2024-1424", "method": "POST", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.5.1"}, "RULE-CVE-2024-1424-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[give_(form|donor_wall|donor_dashboard|goal|form_grid)\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2024-1424", "method": "POST", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.5.1"}, "RULE-CVE-2024-1424-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[give_(form|donor_wall|donor_dashboard|goal|form_grid)\\\\b[^\\\\]]*javascript\\\\s*:~i"}], "cve": "CVE-2024-1424", "method": "POST", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.5.1"}, "RULE-CVE-2024-1463-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/users\\\\.php~"}, {"name": "ARGS:lp-action", "type": "equals", "value": "accept-request"}, {"type": "missing_capability", "value": "promote_users"}], "cve": "CVE-2024-1463", "method": "GET", "mode": "block", "severity": 4.8, "slug": "learnpress", "target": "plugin", "versions": "<4.2.6.4"}, "RULE-CVE-2024-1463-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/users\\\\.php~"}, {"name": "ARGS:lp-action", "type": "equals", "value": "deny-request"}, {"type": "missing_capability", "value": "promote_users"}], "cve": "CVE-2024-1463", "method": "GET", "mode": "block", "severity": 4.8, "slug": "learnpress", "target": "plugin", "versions": "<4.2.6.4"}, "RULE-CVE-2024-1536-01A": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~\\\\\\"widgetType\\\\\\"\\\\s*:\\\\s*\\\\\\"eael-event-calendar\\\\\\"~"}, {"name": "ARGS:actions", "type": "regex", "value": "~\\\\\\"eael_event_(?:calendar_first_day|details_link_hide)\\\\\\"\\\\s*:\\\\s*\\\\\\"\\\\\\\\\\\\\\"\\\\s+on[a-z]+\\\\s*=~"}], "cve": "CVE-2024-1536", "method": "POST", "mode": "block", "severity": 7.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.9"}, "RULE-CVE-2024-1536-01B": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:_elementor_data", "type": "regex", "value": "~\\\\\\"widgetType\\\\\\"\\\\s*:\\\\s*\\\\\\"eael-event-calendar\\\\\\"~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~\\\\\\"eael_event_(?:calendar_first_day|details_link_hide)\\\\\\"\\\\s*:\\\\s*\\\\\\"\\\\\\\\\\\\\\"\\\\s+on[a-z]+\\\\s*=~"}], "cve": "CVE-2024-1536", "method": "POST", "mode": "block", "severity": 7.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.9"}, "RULE-CVE-2024-1537-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~(?:\\\\.\\\\.[/\\\\\\\\]){2,}~"}], "cve": "CVE-2024-1537", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.9"}, "RULE-CVE-2024-1698-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/notificationx/v1/analytics(?:/|\\\\?|&|$)~"}, {"name": "ARGS:type", "type": "detectSQLi"}], "cve": "CVE-2024-1698", "mode": "block", "severity": 9.8, "slug": "notificationx", "target": "plugin", "versions": "<=2.8.2"}, "RULE-CVE-2024-1751-01": {"ajax_action": "tutor_qna_single_action", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "tutor_qna_single_action"}, {"name": "ARGS:question_id", "type": "detectSQLi"}], "cve": "CVE-2024-1751", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1751", "description": "Tutor LMS <=2.6.1 authenticated SQL injection via question_id in tutor_qna_single_action AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "tutor", "tags": ["sql-injection", "time-based-blind", "authenticated"], "target": "plugin", "versions": "<=2.6.1"}, "RULE-CVE-2024-1751-02": {"ajax_action": "tutor_q_and_a_load_more", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "tutor_q_and_a_load_more"}, {"name": "ARGS:question_id", "type": "detectSQLi"}], "cve": "CVE-2024-1751", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1751", "description": "Tutor LMS <=2.6.1 authenticated SQL injection via question_id in tutor_q_and_a_load_more AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "tutor", "tags": ["sql-injection", "time-based-blind", "authenticated"], "target": "plugin", "versions": "<=2.6.1"}, "RULE-CVE-2024-1755-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "nps-plugin-options"}, {"name": "ARGS:event", "type": "equals", "value": "delete_all"}], "cve": "CVE-2024-1755", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nps-computy", "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2024-1755-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "nps-plugin-options"}, {"name": "ARGS:event", "type": "equals", "value": "delete"}, {"name": "ARGS:id", "type": "regex", "value": "~^[0-9]+$~i"}], "cve": "CVE-2024-1755", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nps-computy", "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2024-1770-01": {"action": "admin_init", "conditions": [{"name": "ARGS:mtm_tags[0]", "type": "regex", "value": "~[OC]:\\\\d+:\\"~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1770", "method": "POST", "mode": "block", "severity": 8.8, "slug": "meta-tag-manager", "target": "plugin", "versions": "<3.1"}, "RULE-CVE-2024-1797-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/post\\\\.php|/wp-admin/admin-ajax\\\\.php)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wp_ulike(?:_counter)?\\\\s[^\\\\]]*(?:id|status)\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\'|--|;|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|SLEEP\\\\s*\\\\(|BENCHMARK|EXTRACTVALUE|CONCAT\\\\s*\\\\(|information_schema|/\\\\*)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1797", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1797", "description": "WP ULike <=4.6.9 authenticated (Contributor+) SQL injection via wp_ulike/wp_ulike_counter shortcode attributes in post content submitted to post.php", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-ulike", "tags": ["sql-injection", "shortcode", "authenticated"], "target": "plugin", "versions": "<=4.6.9"}, "RULE-CVE-2024-1797-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wp_ulike(?:_counter)?\\\\s[^\\\\]]*(?:id|status)\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\'|--|;|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|SLEEP\\\\s*\\\\(|BENCHMARK|EXTRACTVALUE|CONCAT\\\\s*\\\\(|information_schema|/\\\\*)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1797", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1797", "description": "WP ULike <=4.6.9 authenticated (Contributor+) SQL injection via wp_ulike/wp_ulike_counter shortcode attributes in post content submitted to REST API", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-ulike", "tags": ["sql-injection", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=4.6.9"}, "RULE-CVE-2024-1815-01": {"ajax_action": "uag_load_image_gallery_masonry", "conditions": [{"name": "ARGS:attr[paginateArrow]", "type": "detectXSS"}], "cve": "CVE-2024-1815", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.12.8"}, "RULE-CVE-2024-1815-02": {"ajax_action": "uag_load_image_gallery_grid_pagination", "conditions": [{"name": "ARGS:attr[captionDisplayType]", "type": "detectXSS"}], "cve": "CVE-2024-1815", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.12.8"}, "RULE-CVE-2024-1859-01": {"action": "save_post", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "slider_responsive"}, {"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-1859", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1859", "description": "Slider Responsive Slideshow <=1.3.8 authenticated (Contributor+) PHP Object Injection via save_post slider data", "method": "POST", "mode": "block", "severity": 8.8, "slug": "slider-responsive-slideshow", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.3.8"}, "RULE-CVE-2024-1981-01": {"ajax_action": "wpvividstg_start_staging_free", "conditions": [{"name": "ARGS:table_prefix", "type": "exists"}, {"name": "ARGS:table_prefix", "type": "regex", "value": "~[\'\\"`;]|--|#|(?i)\\\\bunion\\\\b|(?i)\\\\bselect\\\\b~"}], "cve": "CVE-2024-1981", "method": "POST", "mode": "block", "severity": 9.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.68"}, "RULE-CVE-2024-1982-01": {"ajax_action": "wpvivid_restore", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1982", "method": "POST", "mode": "block", "severity": 9.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.68"}, "RULE-CVE-2024-1982-02": {"ajax_action": "wpvivid_get_restore_progress", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1982", "method": "POST", "mode": "block", "severity": 9.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.68"}, "RULE-CVE-2024-1982-03": {"ajax_action": "wpvividstg_start_staging_free", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1982", "method": "POST", "mode": "block", "severity": 9.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.68"}, "RULE-CVE-2024-1982-04": {"ajax_action": "wpvividstg_get_staging_progress_free", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1982", "method": "POST", "mode": "block", "severity": 9.1, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.68"}, "RULE-CVE-2024-1990-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:RM_Form|CRF_Form)\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?\\\\s*[^\\"\'\\\\]]*[^0-9\\"\'\\\\]\\\\s][^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-1990", "method": "POST", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.1.0"}, "RULE-CVE-2024-1990-02a": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|[?&]|$)~"}, {"name": "JSON:content", "type": "regex", "value": "~\\\\[(?:RM_Form|CRF_Form)\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?\\\\s*[^\\"\'\\\\]]*[^0-9\\"\'\\\\]\\\\s][^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-1990", "method": "POST", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.1.0"}, "RULE-CVE-2024-1990-02b": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|[?&]|$)~"}, {"name": "JSON:content", "type": "regex", "value": "~\\\\[(?:RM_Form|CRF_Form)\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?\\\\s*[^\\"\'\\\\]]*[^0-9\\"\'\\\\]\\\\s][^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-1990", "method": "PUT", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.1.0"}, "RULE-CVE-2024-1990-02c": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|[?&]|$)~"}, {"name": "JSON:content", "type": "regex", "value": "~\\\\[(?:RM_Form|CRF_Form)\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?\\\\s*[^\\"\'\\\\]]*[^0-9\\"\'\\\\]\\\\s][^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-1990", "method": "PATCH", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.1.0"}, "RULE-CVE-2024-1990-03a": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/pages(?:/\\\\d+)?(?:/|[?&]|$)~"}, {"name": "JSON:content", "type": "regex", "value": "~\\\\[(?:RM_Form|CRF_Form)\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?\\\\s*[^\\"\'\\\\]]*[^0-9\\"\'\\\\]\\\\s][^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-1990", "method": "POST", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.1.0"}, "RULE-CVE-2024-1990-03b": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/pages(?:/\\\\d+)?(?:/|[?&]|$)~"}, {"name": "JSON:content", "type": "regex", "value": "~\\\\[(?:RM_Form|CRF_Form)\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?\\\\s*[^\\"\'\\\\]]*[^0-9\\"\'\\\\]\\\\s][^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-1990", "method": "PUT", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.1.0"}, "RULE-CVE-2024-1990-03c": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/pages(?:/\\\\d+)?(?:/|[?&]|$)~"}, {"name": "JSON:content", "type": "regex", "value": "~\\\\[(?:RM_Form|CRF_Form)\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?\\\\s*[^\\"\'\\\\]]*[^0-9\\"\'\\\\]\\\\s][^\\"\'\\\\]]*~i"}], "cve": "CVE-2024-1990", "method": "PATCH", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.1.0"}, "RULE-CVE-2024-1991-01": {"ajax_action": "rm_update_users_role", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-1991", "method": "POST", "mode": "block", "severity": 8.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.0.0"}, "RULE-CVE-2024-2006-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "pgcu_shortcode"}, {"name": "ARGS", "type": "regex", "value": "~[OC]:\\\\d+:\\"~"}], "cve": "CVE-2024-2006", "method": "POST", "mode": "block", "severity": 8.8, "slug": "post-grid-carousel-ultimate", "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2024-2025-01": {"ajax_action": "wc4bp_add_page", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:(?:\\\\\\\\)?[\\"\\\\{]~"}], "cve": "CVE-2024-2025", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2025", "description": "WC4BP <=3.4.20 PHP Object Injection via maybe_unserialize() in wc4bp_add_page AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wc4bp", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=3.4.20"}, "RULE-CVE-2024-2025-02": {"ajax_action": "wc4bp_delete_page", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:(?:\\\\\\\\)?[\\"\\\\{]~"}], "cve": "CVE-2024-2025", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2025", "description": "WC4BP <=3.4.20 PHP Object Injection via maybe_unserialize() in wc4bp_delete_page AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wc4bp", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=3.4.20"}, "RULE-CVE-2024-2025-03": {"ajax_action": "wc4bp_edit_entry", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:(?:\\\\\\\\)?[\\"\\\\{]~"}], "cve": "CVE-2024-2025", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2025", "description": "WC4BP <=3.4.20 PHP Object Injection via maybe_unserialize() in wc4bp_edit_entry AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wc4bp", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=3.4.20"}, "RULE-CVE-2024-2088-01": {"ajax_action": "nxs_getExpSettings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-2088", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2088", "description": "NextScripts Social Networks Auto-Poster <=3.8.8 authenticated sensitive information exposure via nxs_getExpSettings", "mode": "block", "severity": 6.5, "slug": "social-networks-auto-poster-facebook-twitter-g", "tags": ["sensitive-data-exposure", "information-disclosure", "authenticated"], "target": "plugin", "versions": "<=3.8.8"}, "RULE-CVE-2024-2115-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/wp-admin/users\\\\.php~"}, {"name": "ARGS:lp-action", "type": "equals", "value": "accept-request"}, {"name": "ARGS:user_id", "type": "exists"}], "cve": "CVE-2024-2115", "method": "GET", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.0.0"}, "RULE-CVE-2024-2115-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/wp-admin/users\\\\.php~"}, {"name": "ARGS:lp-action", "type": "equals", "value": "deny-request"}, {"name": "ARGS:user_id", "type": "exists"}], "cve": "CVE-2024-2115", "method": "GET", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.0.0"}, "RULE-CVE-2024-2125-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/envialosimple/v1/gallery/add(?:/|\\\\?|&|$)~"}, {"name": "FILES:file", "type": "exists"}], "cve": "CVE-2024-2125", "method": "POST", "mode": "block", "severity": 8.8, "slug": "envialosimple-email-marketing-y-newsletters-gratis", "target": "plugin", "versions": "<=2.3"}, "RULE-CVE-2024-21751-01": {"ajax_action": "rabbitloader_ajax_purge", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-21751", "mode": "block", "severity": 8.8, "slug": "rabbit-loader", "target": "plugin", "versions": "<=2.19.13"}, "RULE-CVE-2024-21751-02": {"ajax_action": "rabbitloader_mode_change", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-21751", "mode": "block", "severity": 8.8, "slug": "rabbit-loader", "target": "plugin", "versions": "<=2.19.13"}, "RULE-CVE-2024-21751-03": {"ajax_action": "rabbitloader_ajax_cron", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-21751", "mode": "block", "severity": 8.8, "slug": "rabbit-loader", "target": "plugin", "versions": "<=2.19.13"}, "RULE-CVE-2024-21751-04": {"ajax_action": "rabbitloader_ajax_survey_dismissed", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-21751", "mode": "block", "severity": 8.8, "slug": "rabbit-loader", "target": "plugin", "versions": "<=2.19.13"}, "RULE-CVE-2024-2302-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-content/uploads/edd(?:-logs)?/.*\\\\.(?:log|log\\\\.[0-9]+|log\\\\.bak|log\\\\.old)(?:/)?(?:\\\\?|$)~i"}], "cve": "CVE-2024-2302", "method": "GET", "mode": "block", "severity": 5.3, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.2.9"}, "RULE-CVE-2024-2302-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-content/uploads/edd(?:-logs)?(?:/)?(?:\\\\?.*)?$~i"}], "cve": "CVE-2024-2302", "method": "GET", "mode": "block", "severity": 5.3, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.2.9"}, "RULE-CVE-2024-2341-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/~"}, {"name": "ARGS:keys", "type": "detectSQLi"}], "cve": "CVE-2024-2341", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2341", "description": "Simply Schedule Appointments <=1.6.7.7 authenticated SQL injection via keys parameter in REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "simply-schedule-appointments", "tags": ["sql-injection", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.6.7.7"}, "RULE-CVE-2024-2341-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/~"}, {"name": "ARGS:appointment_id", "type": "detectSQLi"}], "cve": "CVE-2024-2341", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2341", "description": "Simply Schedule Appointments <=1.6.7.7 authenticated SQL injection via appointment_id parameter in REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "simply-schedule-appointments", "tags": ["sql-injection", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.6.7.7"}, "RULE-CVE-2024-2341-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/~"}, {"name": "ARGS:meta_key", "type": "detectSQLi"}], "cve": "CVE-2024-2341", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2341", "description": "Simply Schedule Appointments <=1.6.7.7 authenticated SQL injection via meta_key parameter in REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "simply-schedule-appointments", "tags": ["sql-injection", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.6.7.7"}, "RULE-CVE-2024-2341-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/~"}, {"name": "ARGS:customer_id", "type": "detectSQLi"}], "cve": "CVE-2024-2341", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2341", "description": "Simply Schedule Appointments <=1.6.7.7 authenticated SQL injection via customer_id parameter in REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "simply-schedule-appointments", "tags": ["sql-injection", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.6.7.7"}, "RULE-CVE-2024-2341-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/~"}, {"name": "ARGS:group_id", "type": "detectSQLi"}], "cve": "CVE-2024-2341", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2341", "description": "Simply Schedule Appointments <=1.6.7.7 authenticated SQL injection via group_id parameter in REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "simply-schedule-appointments", "tags": ["sql-injection", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.6.7.7"}, "RULE-CVE-2024-2417-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "user_registration_form_save_action"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-2417", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2417", "description": "User Registration <=3.1.5 missing authorization in form_save_action allows subscriber+ privilege escalation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "user-registration", "tags": ["missing-authorization", "privilege-escalation", "broken-access-control"], "target": "plugin", "versions": "<=3.1.5"}, "RULE-CVE-2024-24934-01": {"ajax_action": "elementor_library_direct_actions", "conditions": [{"name": "ARGS:library_action", "type": "regex", "value": "~^(delete_library_template|delete_kit|update_kit|import_kit)$~i"}, {"name": "ARGS:source", "type": "regex", "value": "~(^|/|\\\\\\\\|%2f|%5c)(\\\\.\\\\.|%2e%2e)(/|\\\\\\\\|%2f|%5c)~i"}], "cve": "CVE-2024-24934", "mode": "block", "severity": 8.1, "slug": "elementor", "target": "plugin", "versions": "<=3.19.0"}, "RULE-CVE-2024-24934-02": {"ajax_action": "elementor_library_direct_actions", "conditions": [{"name": "ARGS:library_action", "type": "regex", "value": "~^(import_kit|import_template|sync_library)$~i"}, {"name": "ARGS:source", "type": "regex", "value": "~phar://~i"}], "cve": "CVE-2024-24934", "mode": "block", "severity": 8.1, "slug": "elementor", "target": "plugin", "versions": "<=3.19.0"}, "RULE-CVE-2024-25935-01": {"ajax_action": "rm_options_default_payment_method", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-25935", "method": "POST", "mode": "block", "severity": 9.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.2.5.9"}, "RULE-CVE-2024-2667-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/instawp-connect/v1/config(?:/|\\\\?|&|$)~"}, {"name": "ARGS:override_plugin_zip", "type": "exists"}], "cve": "CVE-2024-2667", "method": "POST", "mode": "block", "severity": 9.8, "slug": "instawp-connect", "target": "plugin", "versions": "<=0.1.0.22"}, "RULE-CVE-2024-2702-01": {"ajax_action": "olive_demo_import", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*script[\\\\s/>]|\\\\bon(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-2702", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2702", "description": "Olive One Click Demo Import <=1.1.1 missing authorization on demo import allowing unauthenticated stored XSS via olive_demo_import AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "olive-one-click-demo-import", "tags": ["missing-authorization", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2024-2771-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fluentform/v1/managers(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "fluentform_full_access"}], "cve": "CVE-2024-2771", "method": "POST", "mode": "block", "severity": 9.8, "slug": "fluentform", "target": "plugin", "versions": "<=5.1.16"}, "RULE-CVE-2024-2771-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fluentform/v1/managers(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "fluentform_full_access"}], "cve": "CVE-2024-2771", "method": "DELETE", "mode": "block", "severity": 9.8, "slug": "fluentform", "target": "plugin", "versions": "<=5.1.16"}, "RULE-CVE-2024-27987-01": {"action": "init", "conditions": [{"name": "ARGS:form_id", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via form_id parameter in shortcode rendering", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-donors"}, {"name": "ARGS:start-date", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via start-date parameter in admin donors table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-donors"}, {"name": "ARGS:end-date", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via end-date parameter in admin donors table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-donors"}, {"name": "ARGS:status", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via status parameter in admin donors table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-05": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-donors"}, {"name": "ARGS:donor", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via donor parameter in admin donors table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-06": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-donors"}, {"name": "ARGS:order", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via order parameter in admin donors table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-07": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-payment-history"}, {"name": "ARGS:start-date", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via start-date parameter in admin payments table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-08": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-payment-history"}, {"name": "ARGS:end-date", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via end-date parameter in admin payments table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-09": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-payment-history"}, {"name": "ARGS:status", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via status parameter in admin payments table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-10": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-payment-history"}, {"name": "ARGS:donor", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via donor parameter in admin payments table", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-11": {"action": "admin_init", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "give_forms"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via s (search) parameter in admin forms list", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-12": {"action": "admin_init", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "give_forms"}, {"name": "ARGS:start-date", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via start-date parameter in admin forms list", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-27987-13": {"action": "admin_init", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "give_forms"}, {"name": "ARGS:end-date", "type": "detectXSS"}], "cve": "CVE-2024-27987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27987", "description": "GiveWP <=3.3.1 reflected XSS via end-date parameter in admin forms list", "method": "GET", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "reflected-xss", "admin"], "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2024-2831-01": {"action": "admin_init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[calendar[^\\\\]]*categories\\\\s*=\\\\s*[\\\\\\"\'][^\\\\]]*(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CONCAT|GROUP_CONCAT|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE|BENCHMARK|SLEEP|OR\\\\s+(?:\\\\d|[\\\\\\"\']\\\\d)|AND\\\\s+(?:\\\\d|[\\\\\\"\']\\\\d)|--|;|/\\\\*)[^\\\\]]*[\\\\\\"\']~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-2831", "method": "POST", "mode": "block", "severity": 8.8, "slug": "calendar", "target": "plugin", "versions": "<=1.3.14"}, "RULE-CVE-2024-2831-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[calendar[^\\\\]]*categories\\\\s*=\\\\s*[\\\\\\"\'][^\\\\]]*(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CONCAT|GROUP_CONCAT|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE|BENCHMARK|SLEEP|OR\\\\s+(?:\\\\d|[\\\\\\"\']\\\\d)|AND\\\\s+(?:\\\\d|[\\\\\\"\']\\\\d)|--|;|/\\\\*)[^\\\\]]*[\\\\\\"\']~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-2831", "method": "POST", "mode": "block", "severity": 8.8, "slug": "calendar", "target": "plugin", "versions": "<=1.3.14"}, "RULE-CVE-2024-29090-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/settings/update(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-29090", "method": "POST", "mode": "block", "severity": 6.8, "slug": "ai-engine", "target": "plugin", "versions": "<=2.1.4"}, "RULE-CVE-2024-29100-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai(-ui)?/v1/~i"}, {"name": "ARGS:url", "type": "regex", "value": "~\\\\.(?:php[0-9s]?|phtml|phar|pht|shtml|cgi|asp|aspx|jsp|jspx)(?:\\\\?|#|$)~i"}], "cve": "CVE-2024-29100", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.1.4"}, "RULE-CVE-2024-29100-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai(-ui)?/v1/~i"}, {"name": "ARGS:filename", "type": "regex", "value": "~\\\\.(?:php[0-9s]?|phtml|phar|pht|shtml|cgi|asp|aspx|jsp|jspx)(?:\\\\?|#|$)~i"}], "cve": "CVE-2024-29100", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.1.4"}, "RULE-CVE-2024-29113-01": {"action": "admin_init", "conditions": [{"name": "ARGS:rm_status", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-29113", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<5.2.6.0"}, "RULE-CVE-2024-29113-02": {"action": "admin_init", "conditions": [{"name": "ARGS:rm_interval", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-29113", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<5.2.6.0"}, "RULE-CVE-2024-29113-03": {"action": "admin_init", "conditions": [{"name": "ARGS:rm_user_role", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-29113", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<5.2.6.0"}, "RULE-CVE-2024-29113-04": {"action": "admin_init", "conditions": [{"name": "ARGS:rm_sort", "type": "regex", "value": "~^(?!(?:latest|oldest|0toz|zto0)$).+~"}], "cve": "CVE-2024-29113", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<5.2.6.0"}, "RULE-CVE-2024-29117-01": {"ajax_action": "accua_form_submit", "conditions": [{"name": "ARGS:message", "type": "regex", "value": "~<(?:script|iframe|img|svg)[^>]*>~i"}], "cve": "CVE-2024-29117", "method": "POST", "mode": "block", "severity": 6.1, "slug": "contact-forms", "target": "plugin", "versions": "<=1.7.0"}, "RULE-CVE-2024-30229-01": {"ajax_action": "give_donation_import", "conditions": [{"name": "ARGS:mapto", "type": "exists"}, {"name": "ARGS:mapto", "type": "regex", "value": "~(?i)O:\\\\+?\\\\d+:\\"[^\\"]*\\":\\\\+?\\\\d+:\\\\{~"}], "cve": "CVE-2024-30229", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-30229", "description": "GiveWP <= 3.4.2 \\u2013 PHP Object Injection via mapto in give_donation_import AJAX action (CWE-502, CVSS 7.2)", "method": "POST", "mode": "block", "severity": 7.2, "slug": "give", "target": "plugin", "versions": "<=3.4.2"}, "RULE-CVE-2024-30501-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json)?/download-monitor/v1/~"}, {"name": "ARGS:limit", "type": "detectSQLi"}], "cve": "CVE-2024-30501", "method": "GET", "mode": "block", "severity": 7.2, "slug": "download-monitor", "target": "plugin", "versions": "<=4.9.4"}, "RULE-CVE-2024-30501-02": {"ajax_action": "dlm_top_downloads_reports", "conditions": [{"name": "ARGS:limit", "type": "detectSQLi"}], "cve": "CVE-2024-30501", "method": "POST", "mode": "block", "severity": 7.2, "slug": "download-monitor", "target": "plugin", "versions": "<=4.9.4"}, "RULE-CVE-2024-30516-01": {"ajax_action": "package_app_public_action", "conditions": [{"name": "ARGS:mode", "type": "regex", "value": "~^(sendBooking|intentForStripe|updateIntentForStripe)$~"}, {"name": "ARGS:scheduleCost", "type": "regex", "value": "~^\\\\s*(?:-(?:\\\\d+(?:\\\\.\\\\d+)?|\\\\.\\\\d+)|[+-]?(?:0+(?:\\\\.0*)?|0*\\\\.0+)(?:[eE][+-]?0+)?)\\\\s*$~"}], "cve": "CVE-2024-30516", "method": "POST", "mode": "block", "severity": 7.5, "slug": "booking-package", "target": "plugin", "versions": "<=1.6.27"}, "RULE-CVE-2024-30516-02": {"ajax_action": "package_app_public_action", "conditions": [{"name": "ARGS:mode", "type": "regex", "value": "~^(sendBooking|intentForStripe|updateIntentForStripe)$~"}, {"name": "ARGS:cost", "type": "regex", "value": "~^\\\\s*(?:-(?:\\\\d+(?:\\\\.\\\\d+)?|\\\\.\\\\d+)|[+-]?(?:0+(?:\\\\.0*)?|0*\\\\.0+)(?:[eE][+-]?0+)?)\\\\s*$~"}], "cve": "CVE-2024-30516", "method": "POST", "mode": "block", "severity": 7.5, "slug": "booking-package", "target": "plugin", "versions": "<=1.6.27"}, "RULE-CVE-2024-30516-03": {"ajax_action": "package_app_public_action", "conditions": [{"name": "ARGS:mode", "type": "regex", "value": "~^(sendBooking|intentForStripe|updateIntentForStripe)$~"}, {"name": "ARGS:guests", "type": "regex", "value": "~\\"cost\\"\\\\s*:\\\\s*(?:-(?:\\\\d+(?:\\\\.\\\\d+)?|\\\\.\\\\d+)|0(?:\\\\.0+)?)(?!\\\\.)(?=\\\\s*[,\\\\}\\\\]])~"}], "cve": "CVE-2024-30516", "method": "POST", "mode": "block", "severity": 7.5, "slug": "booking-package", "target": "plugin", "versions": "<=1.6.27"}, "RULE-CVE-2024-30516-04": {"ajax_action": "package_app_public_action", "conditions": [{"name": "ARGS:mode", "type": "regex", "value": "~^(sendBooking|intentForStripe|updateIntentForStripe)$~"}, {"name": "ARGS:services", "type": "regex", "value": "~\\"cost\\"\\\\s*:\\\\s*(?:-(?:\\\\d+(?:\\\\.\\\\d+)?|\\\\.\\\\d+)|0(?:\\\\.0+)?)(?!\\\\.)(?=\\\\s*[,\\\\}\\\\]])~"}], "cve": "CVE-2024-30516", "method": "POST", "mode": "block", "severity": 7.5, "slug": "booking-package", "target": "plugin", "versions": "<=1.6.27"}, "RULE-CVE-2024-30549-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "accua-forms-edit"}, {"name": "ARGS:edit-fid", "type": "detectXSS"}], "cve": "CVE-2024-30549", "method": "GET", "mode": "block", "severity": 4.8, "slug": "contact-forms", "target": "plugin", "versions": "<=1.9.0"}, "RULE-CVE-2024-30549-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "accua-forms-submissions"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2024-30549", "method": "GET", "mode": "block", "severity": 4.8, "slug": "contact-forms", "target": "plugin", "versions": "<=1.9.0"}, "RULE-CVE-2024-3055-01": {"ajax_action": "unitecreator_elementor_export_template", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~[^0-9,\\\\s]~"}], "cve": "CVE-2024-3055", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3055", "description": "Unlimited Elements For Elementor <=1.5.102 authenticated (Contributor+) time-based SQL injection via id parameter in export template AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "unlimited-elements-for-elementor", "tags": ["sql-injection", "authenticated", "time-based-blind"], "target": "plugin", "versions": "<=1.5.102"}, "RULE-CVE-2024-3055-02": {"ajax_action": "unitecreator_elementor_import_template", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~[^0-9,\\\\s]~"}], "cve": "CVE-2024-3055", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3055", "description": "Unlimited Elements For Elementor <=1.5.102 authenticated (Contributor+) time-based SQL injection via id parameter in import template AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "unlimited-elements-for-elementor", "tags": ["sql-injection", "authenticated", "time-based-blind"], "target": "plugin", "versions": "<=1.5.102"}, "RULE-CVE-2024-3105-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[[]insert_php([^a-zA-Z0-9_][^]]*|)[]]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2024-3105", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3105", "description": "Starter Templates by suspended developer (Insert PHP) <=2.5.0 authenticated (Contributor+) RCE via insert_php shortcode in post content", "method": "POST", "mode": "block", "severity": 9.9, "slug": "insert-php", "tags": ["remote-code-execution", "shortcode", "missing-authorization"], "target": "plugin", "versions": "<=2.5.0"}, "RULE-CVE-2024-3107-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/spectra/v1/editor(?:/|\\\\?|$)~"}, {"name": "ARGS:block_name", "type": "regex", "value": "~(?:\\\\.\\\\./|\\\\.\\\\.\\\\\\\\|%2e%2e%2f|%2e%2e/|\\\\.\\\\.%2f|\\\\.\\\\.%5c|%2e%2e%5c)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-3107", "method": "GET", "mode": "block", "severity": 4.3, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.12.6"}, "RULE-CVE-2024-31113-01": {"ajax_action": "edd_recapture_remote_install", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-31113", "method": "POST", "mode": "block", "severity": 8.8, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.2.11"}, "RULE-CVE-2024-3211-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ec_addtocart\\\\b[^\\\\]]*productid\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CONCAT|SLEEP|BENCHMARK|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE|OR\\\\s+\\\\d|AND\\\\s+\\\\d|--|/\\\\*)[^\\"\']*[\\"\']~i"}], "cve": "CVE-2024-3211", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3211", "description": "Shopping Cart & eCommerce Store <=5.6.3 SQL Injection via ec_addtocart shortcode productid attribute in post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-easycart", "tags": ["sql-injection", "shortcode", "authenticated"], "target": "plugin", "versions": "<=5.6.3"}, "RULE-CVE-2024-3211-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ec_addtocart\\\\b[^\\\\]]*productid\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CONCAT|SLEEP|BENCHMARK|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE|OR\\\\s+\\\\d|AND\\\\s+\\\\d|--|/\\\\*)[^\\"\']*[\\"\']~i"}], "cve": "CVE-2024-3211", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3211", "description": "Shopping Cart & eCommerce Store <=5.6.3 SQL Injection via ec_addtocart shortcode productid attribute in REST API post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-easycart", "tags": ["sql-injection", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.6.3"}, "RULE-CVE-2024-3217-01": {"ajax_action": "wdk_public_action", "conditions": [{"name": "ARGS:attribute_id", "type": "regex", "value": "~[^0-9a-zA-Z_\\\\-]~"}], "cve": "CVE-2024-3217", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3217", "description": "WP Directory Kit <=1.3.0 SQL Injection via attribute_id parameter in wdk_public_action AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpdirectorykit", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2024-3217-02": {"ajax_action": "wdk_public_action", "conditions": [{"name": "ARGS:attribute_value", "type": "regex", "value": "~[^0-9a-zA-Z_\\\\-]~"}], "cve": "CVE-2024-3217", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3217", "description": "WP Directory Kit <=1.3.0 SQL Injection via attribute_value parameter in wdk_public_action AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpdirectorykit", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2024-32567-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "detectXSS"}], "cve": "CVE-2024-32567", "method": "GET", "mode": "block", "severity": 6.1, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2024-3293-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post(?:-new)?\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[rtmedia_gallery\\\\b[^\\\\]]*order_by\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:SLEEP|BENCHMARK|SELECT|UNION|INSERT|UPDATE|DELETE|DROP|ALTER|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE|\\\\(\\\\s*SELECT)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-3293", "method": "POST", "mode": "block", "severity": 8.8, "slug": "buddypress-media", "target": "plugin", "versions": "<=4.6.18"}, "RULE-CVE-2024-3293-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[rtmedia_gallery\\\\b[^\\\\]]*order_by\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:SLEEP|BENCHMARK|SELECT|UNION|INSERT|UPDATE|DELETE|DROP|ALTER|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE|\\\\(\\\\s*SELECT)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-3293", "method": "POST", "mode": "block", "severity": 8.8, "slug": "buddypress-media", "target": "plugin", "versions": "<=4.6.18"}, "RULE-CVE-2024-3342-01": {"action": "init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[mp-timetable[^\\\\]]*\\\\bevents\\\\s*=\\\\s*(?:[\'\\"][^\'\\"]*(?:UNION(?:\\\\s+|/\\\\*\\\\*/)+(?:ALL(?:\\\\s+|/\\\\*\\\\*/)+)?SELECT|SELECT(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+FROM|INSERT(?:\\\\s+|/\\\\*\\\\*/)+INTO|UPDATE(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+SET|DELETE(?:\\\\s+|/\\\\*\\\\*/)+FROM|DROP(?:\\\\s+|/\\\\*\\\\*/)+(?:TABLE|DATABASE|INDEX)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|INTO(?:\\\\s+|/\\\\*\\\\*/)+(?:OUT|DUMP)FILE)[^\'\\"]*[\'\\"]|[^\\\\s\\\\]]*(?:UNION(?:\\\\s+|/\\\\*\\\\*/)+(?:ALL(?:\\\\s+|/\\\\*\\\\*/)+)?SELECT|SELECT(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+FROM|INSERT(?:\\\\s+|/\\\\*\\\\*/)+INTO|UPDATE(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+SET|DELETE(?:\\\\s+|/\\\\*\\\\*/)+FROM|DROP(?:\\\\s+|/\\\\*\\\\*/)+(?:TABLE|DATABASE|INDEX)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|INTO(?:\\\\s+|/\\\\*\\\\*/)+(?:OUT|DUMP)FILE)[^\\\\s\\\\]]*)~i"}], "cve": "CVE-2024-3342", "mode": "block", "severity": 9.9, "slug": "mp-timetable", "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2024-3342-02": {"action": "rest_api_init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mp-timetable[^\\\\]]*\\\\bevents\\\\s*=\\\\s*(?:[\'\\"][^\'\\"]*(?:UNION(?:\\\\s+|/\\\\*\\\\*/)+(?:ALL(?:\\\\s+|/\\\\*\\\\*/)+)?SELECT|SELECT(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+FROM|INSERT(?:\\\\s+|/\\\\*\\\\*/)+INTO|UPDATE(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+SET|DELETE(?:\\\\s+|/\\\\*\\\\*/)+FROM|DROP(?:\\\\s+|/\\\\*\\\\*/)+(?:TABLE|DATABASE|INDEX)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|INTO(?:\\\\s+|/\\\\*\\\\*/)+(?:OUT|DUMP)FILE)[^\'\\"]*[\'\\"]|[^\\\\s\\\\]]*(?:UNION(?:\\\\s+|/\\\\*\\\\*/)+(?:ALL(?:\\\\s+|/\\\\*\\\\*/)+)?SELECT|SELECT(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+FROM|INSERT(?:\\\\s+|/\\\\*\\\\*/)+INTO|UPDATE(?:\\\\s+|/\\\\*\\\\*/)+\\\\S+(?:\\\\s+|/\\\\*\\\\*/)+SET|DELETE(?:\\\\s+|/\\\\*\\\\*/)+FROM|DROP(?:\\\\s+|/\\\\*\\\\*/)+(?:TABLE|DATABASE|INDEX)|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|INTO(?:\\\\s+|/\\\\*\\\\*/)+(?:OUT|DUMP)FILE)[^\\\\s\\\\]]*)~i"}], "cve": "CVE-2024-3342", "mode": "block", "severity": 9.9, "slug": "mp-timetable", "target": "plugin", "versions": "<=2.4.11"}, "RULE-CVE-2024-33947-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^rm_~"}, {"name": "ARGS:rm_status", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-33947", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.2.0"}, "RULE-CVE-2024-33947-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^rm_~"}, {"name": "ARGS:rm_interval", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-33947", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.2.0"}, "RULE-CVE-2024-33947-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^rm_~"}, {"name": "ARGS:rm_user_role", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-33947", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=5.3.2.0"}, "RULE-CVE-2024-34440-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/upload(/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2024-34440", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<2.2.70"}, "RULE-CVE-2024-34440-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/delete(/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2024-34440", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<2.2.70"}, "RULE-CVE-2024-34440-03-DELETE": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/delete(/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2024-34440", "method": "DELETE", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<2.2.70"}, "RULE-CVE-2024-34440-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai-ui/v1/files/list(/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2024-34440", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<2.2.70"}, "RULE-CVE-2024-3495-01": {"ajax_action": "tc_csca_get_states", "conditions": [{"name": "ARGS:cnt", "type": "detectSQLi"}], "cve": "CVE-2024-3495", "method": "POST", "mode": "block", "severity": 9.8, "slug": "country-state-city-auto-dropdown", "target": "plugin", "versions": "<=2.7.2"}, "RULE-CVE-2024-3495-02": {"ajax_action": "tc_csca_get_cities", "conditions": [{"name": "ARGS:sid", "type": "detectSQLi"}], "cve": "CVE-2024-3495", "method": "POST", "mode": "block", "severity": 9.8, "slug": "country-state-city-auto-dropdown", "target": "plugin", "versions": "<=2.7.2"}, "RULE-CVE-2024-3549-01": {"ajax_action": "b2s_sort_data", "conditions": [{"name": "ARGS:b2sSortPostType", "type": "detectSQLi"}], "cve": "CVE-2024-3549", "method": "POST", "mode": "block", "severity": 9.9, "slug": "blog2social", "target": "plugin", "versions": "<=7.4.1"}, "RULE-CVE-2024-3552-01": {"ajax_action": "w2dc_get_map_marker_info", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?i)(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|SELECT\\\\s+.+\\\\s+FROM|AND\\\\s+(?:SLEEP|BENCHMARK|EXTRACTVALUE|UPDATEXML)\\\\s*\\\\(|OR\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|\'\\\\s*(?:OR|AND)\\\\s+)~"}], "cve": "CVE-2024-3552", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3552", "description": "Web Directory Free <=1.6.9 unauthenticated SQL injection via locations_ids parameter in w2dc_get_map_marker_info AJAX handler", "mode": "block", "severity": 9.8, "slug": "web-directory-free", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.6.9"}, "RULE-CVE-2024-3560-01": {"action": "init", "conditions": [{"name": "ARGS:sort_by", "type": "regex", "value": "~(?:<\\\\s*(?:script|img|svg|iframe|object|embed)\\\\b|(?:^|[^a-z])on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2024-3560", "method": "GET", "mode": "block", "severity": 5.4, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.4"}, "RULE-CVE-2024-3560-02": {"action": "init", "conditions": [{"name": "ARGS:c_level", "type": "regex", "value": "~(?:<\\\\s*(?:script|img|svg|iframe|object|embed)\\\\b|(?:^|[^a-z])on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2024-3560", "method": "GET", "mode": "block", "severity": 5.4, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.4"}, "RULE-CVE-2024-3560-03": {"action": "init", "conditions": [{"name": "ARGS:c_authors", "type": "regex", "value": "~(?:<\\\\s*(?:script|img|svg|iframe|object|embed)\\\\b|(?:^|[^a-z])on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2024-3560", "method": "GET", "mode": "block", "severity": 5.4, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.4"}, "RULE-CVE-2024-35683-01": {"ajax_action": "send-card-check", "conditions": [{"name": "ARGS:donation_id", "type": "exists"}], "cve": "CVE-2024-35683", "method": "POST", "mode": "block", "severity": 5.3, "slug": "leyka", "target": "plugin", "versions": "<=3.31.1"}, "RULE-CVE-2024-3592-01": {"ajax_action": "qsm_bulk_delete_question_from_database", "conditions": [{"name": "ARGS:question_id", "type": "regex", "value": "~[^0-9,]~"}, {"type": "missing_capability", "value": "delete_published_posts"}], "cve": "CVE-2024-3592", "method": "POST", "mode": "block", "severity": 6.5, "slug": "quiz-master-next", "target": "plugin", "versions": "<=9.0.1"}, "RULE-CVE-2024-3592-02": {"ajax_action": "qsm_delete_question_from_database", "conditions": [{"name": "ARGS:question_id", "type": "regex", "value": "~[^0-9,]~"}, {"type": "missing_capability", "value": "delete_published_posts"}], "cve": "CVE-2024-3592", "method": "POST", "mode": "block", "severity": 6.5, "slug": "quiz-master-next", "target": "plugin", "versions": "<=9.0.1"}, "RULE-CVE-2024-3605-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wphb/v1/rooms/search-rooms(/|\\\\?|&|$)~"}, {"name": "ARGS:room_type", "type": "detectSQLi"}], "cve": "CVE-2024-3605", "method": "GET", "mode": "block", "severity": 9.8, "slug": "wp-hotel-booking", "target": "plugin", "versions": "<=2.1.0"}, "RULE-CVE-2024-37099-02": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give-form-title", "type": "exists"}, {"name": "ARGS:give-form-title", "type": "regex", "value": "~[OaCd]:[0-9]+:~i"}], "cve": "CVE-2024-37099", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.14.1"}, "RULE-CVE-2024-3729-03": {"ajax_action": "frontend_admin/form_submit", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~^(administrator|editor|author)$~i"}], "cve": "CVE-2024-3729", "method": "POST", "mode": "block", "severity": 9.8, "slug": "acf-frontend-form-element", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2024-3729-04": {"ajax_action": "frontend_admin/validate_form_submit", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~^(administrator|editor|author)$~i"}], "cve": "CVE-2024-3729", "method": "POST", "mode": "block", "severity": 9.8, "slug": "acf-frontend-form-element", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2024-37517-01": {"ajax_action": "ast-block-templates-regenerate", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-37517", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.13.7"}, "RULE-CVE-2024-37517-02": {"ajax_action": "ast-block-templates-ai-content", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-37517", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.13.7"}, "RULE-CVE-2024-37517-03": {"ajax_action": "ast-block-templates-reset-business-details", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-37517", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.13.7"}, "RULE-CVE-2024-38755-01": {"ajax_action": "directorypress_fields_edit_form", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_edit_form AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-02": {"ajax_action": "directorypress_fields_edit_callback", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_edit_callback AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-03": {"ajax_action": "directorypress_fields_config_form", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_config_form AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-04": {"ajax_action": "directorypress_fields_options_callback", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_options_callback AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-05": {"ajax_action": "directorypress_fields_search_settings_form", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_search_settings_form AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-06": {"ajax_action": "directorypress_fields_search_settings_callback", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_search_settings_callback AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-07": {"ajax_action": "directorypress_fields_group_edit_form", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_group_edit_form AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-08": {"ajax_action": "directorypress_fields_group_edit_callback", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_group_edit_callback AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-09": {"ajax_action": "directorypress_fields_delete_form", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_delete_form AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-10": {"ajax_action": "directorypress_fields_group_delete_form", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via id parameter in directorypress_fields_group_delete_form AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38755-11": {"ajax_action": "directorypress_terms_configuration_html", "conditions": [{"name": "ARGS:term_id", "type": "detectSQLi"}], "cve": "CVE-2024-38755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38755", "description": "DirectoryPress <=3.6.10 SQL Injection via term_id parameter in directorypress_terms_configuration_html AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "directorypress", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=3.6.10"}, "RULE-CVE-2024-38791-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/simpleVisionQuery(/|\\\\?|$)~i"}, {"name": "ARGS:url", "type": "regex", "value": "~^(?:file|gopher|dict|ftp|ldap|tftp|ssh2)://|^https?://(?:127\\\\.(?:0\\\\.){2}1|0\\\\.0\\\\.0\\\\.0|localhost|10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|192\\\\.168\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|169\\\\.254\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|\\\\[::1\\\\]|0177\\\\.0\\\\.0\\\\.1|2130706433|0x7f000001|metadata\\\\.google\\\\.internal)~i"}], "cve": "CVE-2024-38791", "method": "POST", "mode": "block", "severity": 7.1, "slug": "ai-engine", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-38791-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/simpleVisionQuery(/|\\\\?|$)~i"}, {"name": "ARGS:path", "type": "exists"}], "cve": "CVE-2024-38791", "method": "POST", "mode": "block", "severity": 7.1, "slug": "ai-engine", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-39635-01": {"ajax_action": "youzify_admin_data_save", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-39635", "method": "POST", "mode": "block", "severity": 5.4, "slug": "youzify", "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2024-39635-02": {"ajax_action": "youzify_reset_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-39635", "method": "POST", "mode": "block", "severity": 5.4, "slug": "youzify", "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2024-39643-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^rm_~"}, {"name": "ARGS:rm_status", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-39643", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.0.1"}, "RULE-CVE-2024-39643-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^rm_~"}, {"name": "ARGS:rm_interval", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-39643", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.0.1"}, "RULE-CVE-2024-39643-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^rm_~"}, {"name": "ARGS:rm_user_role", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-39643", "method": "GET", "mode": "block", "severity": 6.1, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.0.1"}, "RULE-CVE-2024-4098-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/shariff/v1/share_counts(?:/|\\\\?|&|$)~"}, {"name": "ARGS:services", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|[\\\\\\\\/])~"}], "cve": "CVE-2024-4098", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4098", "description": "Shariff Wrapper <=4.6.13 unauthenticated Local File Inclusion via services parameter in REST API share_counts endpoint", "method": "GET", "mode": "block", "severity": 9.8, "slug": "shariff", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=4.6.13"}, "RULE-CVE-2024-4180-01": {"ajax_action": "tribe_events_views_v2_fallback", "conditions": [{"name": "ARGS:view", "type": "equals", "value": "reflector"}], "cve": "CVE-2024-4180", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4180", "description": "The Events Calendar <=6.4.0 reflected XSS via view=reflector in AJAX fallback handler (POST)", "method": "POST", "mode": "block", "severity": 9.1, "slug": "the-events-calendar", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=6.4.0"}, "RULE-CVE-2024-4180-02": {"ajax_action": "tribe_events_views_v2_fallback", "conditions": [{"name": "ARGS:view", "type": "equals", "value": "reflector"}], "cve": "CVE-2024-4180", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4180", "description": "The Events Calendar <=6.4.0 reflected XSS via view=reflector in AJAX fallback handler (GET)", "method": "GET", "mode": "block", "severity": 9.1, "slug": "the-events-calendar", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=6.4.0"}, "RULE-CVE-2024-4223-01": {"ajax_action": "addon_enable_disable", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 missing authorization on addon_enable_disable AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "privilege-escalation"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4223-02": {"ajax_action": "tutor_get_all_addons", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 missing authorization on tutor_get_all_addons AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "info-disclosure"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4223-03": {"ajax_action": "tutor_course_delete", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 missing authorization on tutor_course_delete AJAX action allowing arbitrary course deletion", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4223-04": {"ajax_action": "tutor_announcement_create", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 missing authorization on tutor_announcement_create AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4223-05": {"ajax_action": "tutor_announcement_delete", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 missing authorization on tutor_announcement_delete AJAX action allowing arbitrary announcement deletion", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4223-06": {"ajax_action": "delete_tutor_review", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 missing authorization on delete_tutor_review AJAX action allowing arbitrary review deletion", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4223-07": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/tutor/v1/course-by-terms(/|\\\\?|&|$)~"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 unauthorized access to removed REST route /tutor/v1/course-by-terms", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4223-08": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/tutor/v1/course-sorting-by-price(/|\\\\?|&|$)~"}], "cve": "CVE-2024-4223", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4223", "description": "Tutor LMS <=2.7.0 unauthorized access to removed REST route /tutor/v1/course-sorting-by-price", "method": "GET", "mode": "block", "severity": 9.8, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=2.7.0"}, "RULE-CVE-2024-4277-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/admin-ajax\\\\.php)(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "save_builder"}, {"name": "ARGS:_elementor_data", "type": "detectXSS"}], "cve": "CVE-2024-4277", "method": "POST", "mode": "block", "severity": 6.4, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.5"}, "RULE-CVE-2024-43160-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/optifer/v1/store-webp(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-43160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43160", "description": "BerqWP <=1.7.6 unauthenticated arbitrary file upload via optifer/v1/store-webp REST route", "method": "POST", "mode": "block", "severity": 10.0, "slug": "searchpro", "tags": ["missing-authorization", "arbitrary-file-upload", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2024-43302-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "fonts-plugin-typekit"}, {"name": "ARGS:action", "type": "equals", "value": "reset"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-43302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43302", "description": "Fonts Plugin | Google Fonts Typography <=3.7.7 missing authorization on Typekit reset action via admin_init", "method": "GET", "mode": "block", "severity": 8.8, "slug": "olympus-google-fonts", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.7.7"}, "RULE-CVE-2024-43302-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "fonts-plugin-typekit"}, {"name": "ARGS:action", "type": "equals", "value": "disable"}, {"name": "ARGS:kit_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-43302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43302", "description": "Fonts Plugin | Google Fonts Typography <=3.7.7 missing authorization on Typekit disable action via admin_init", "method": "GET", "mode": "block", "severity": 8.8, "slug": "olympus-google-fonts", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.7.7"}, "RULE-CVE-2024-43302-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "fonts-plugin-typekit"}, {"name": "ARGS:action", "type": "equals", "value": "enable"}, {"name": "ARGS:kit_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-43302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43302", "description": "Fonts Plugin | Google Fonts Typography <=3.7.7 missing authorization on Typekit enable action via admin_init", "method": "GET", "mode": "block", "severity": 8.8, "slug": "olympus-google-fonts", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.7.7"}, "RULE-CVE-2024-43304-01": {"ajax_action": "ccpw_get_coins_list", "conditions": [{"name": "ARGS:requiredCurrencies", "type": "detectXSS"}], "cve": "CVE-2024-43304", "method": "POST", "mode": "block", "severity": 6.1, "slug": "cryptocurrency-price-ticker-widget", "target": "plugin", "versions": "<=2.8.0"}, "RULE-CVE-2024-43314-01": {"action": "admin_post", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-43314", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-asset-clean-up", "target": "plugin", "versions": "<=1.3.9.3"}, "RULE-CVE-2024-4366-01": {"ajax_action": "uag_load_image_gallery_masonry", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:block_id", "type": "detectXSS"}], "cve": "CVE-2024-4366", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.13.0"}, "RULE-CVE-2024-4366-02": {"ajax_action": "uag_load_image_gallery_grid_pagination", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:block_id", "type": "detectXSS"}], "cve": "CVE-2024-4366", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.13.0"}, "RULE-CVE-2024-43924-01": {"ajax_action": "save-attachment-compat", "conditions": [{"name": "ARGS:attachment_ids", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-43924", "mode": "block", "severity": 9.8, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-43924-02": {"ajax_action": "rl-folders-move-attachments", "conditions": [{"name": "ARGS:attachment_ids", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-43924", "mode": "block", "severity": 9.8, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-43924-03": {"ajax_action": "rl-deactivate-plugin", "conditions": [{"name": "ARGS:section", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2024-43924", "mode": "block", "severity": 9.8, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-4413-01": {"action": "init", "conditions": [{"name": "ARGS:mphb_rooms_details", "type": "regex", "value": "~[OC]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-4413", "method": "POST", "mode": "block", "severity": 9.8, "slug": "motopress-hotel-booking-lite", "target": "plugin", "versions": "<=4.11.1"}, "RULE-CVE-2024-4434-01": {"action": "init", "conditions": [{"name": "ARGS:term_id", "type": "exists"}, {"name": "ARGS:term_id", "type": "detectSQLi"}], "cve": "CVE-2024-4434", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4434", "description": "LearnPress <= 4.2.6.5 unauthenticated time-based SQL injection via term_id in public course/category listings (Wordfence/NVD: term_id SQLi, unauthenticated, CWE-89)", "method": "GET", "mode": "block", "severity": 9.8, "slug": "learnpress", "tags": ["sqli", "unauth", "learnpress", "term_id"], "target": "plugin", "versions": "<=4.2.6.5"}, "RULE-CVE-2024-4443-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~listingfields(?:%5[Bb]|\\\\[)(?![0-9]+(?:%5[Dd]|\\\\]))~"}], "cve": "CVE-2024-4443", "method": "GET", "mode": "block", "severity": 7.5, "slug": "business-directory-plugin", "target": "plugin", "versions": "<=6.4.2"}, "RULE-CVE-2024-4443-02": {"action": "init", "conditions": [{"name": "ARGS:listingfields", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~(?i)(?:SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT)|(?:SELECT\\\\s+.+FROM)|(?:INSERT\\\\s+INTO)|(?:DELETE\\\\s+FROM)|(?:UPDATE\\\\s+.+SET)|(?:DROP\\\\s+TABLE)|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE)~"}], "cve": "CVE-2024-4443", "method": "POST", "mode": "block", "severity": 7.5, "slug": "business-directory-plugin", "target": "plugin", "versions": "<=6.4.2"}, "RULE-CVE-2024-4443-03": {"action": "init", "conditions": [{"name": "ARGS:listingfields", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~(?i)(?:SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT)|(?:SELECT\\\\s+.+FROM)|(?:INSERT\\\\s+INTO)|(?:DELETE\\\\s+FROM)|(?:UPDATE\\\\s+.+SET)|(?:DROP\\\\s+TABLE)|LOAD_FILE\\\\s*\\\\(|INTO\\\\s+(?:OUT|DUMP)FILE)~"}], "cve": "CVE-2024-4443", "method": "GET", "mode": "block", "severity": 7.5, "slug": "business-directory-plugin", "target": "plugin", "versions": "<=6.4.2"}, "RULE-CVE-2024-4444-01": {"action": "init", "conditions": [{"name": "ARGS:lp-ajax", "type": "equals", "value": "checkout"}, {"name": "ARGS:checkout-email-option", "type": "equals", "value": "new-account"}], "cve": "CVE-2024-4444", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.5"}, "RULE-CVE-2024-4444-02": {"ajax_action": "learnpress-checkout", "conditions": [{"name": "ARGS:checkout-email-option", "type": "equals", "value": "new-account"}], "cve": "CVE-2024-4444", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.5"}, "RULE-CVE-2024-4444-03": {"ajax_action": "learnpress_checkout", "conditions": [{"name": "ARGS:checkout-email-option", "type": "equals", "value": "new-account"}], "cve": "CVE-2024-4444", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.5"}, "RULE-CVE-2024-4624-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "elementor_ajax"}, {"name": "ARGS:eael_ext_toc_title_tag", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|(?:^|[\\\\s/])on\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-4624", "method": "POST", "mode": "block", "severity": 5.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=5.9.20"}, "RULE-CVE-2024-47308-01": {"ajax_action": "templately_import_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-47308", "mode": "block", "severity": 9.8, "slug": "templately", "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2024-47308-02": {"ajax_action": "templately_pack_import", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-47308", "mode": "block", "severity": 9.8, "slug": "templately", "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2024-47361-01": {"ajax_action": "eae_refresh_insta_cache", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "eae_refresh_insta_cache"}, {"name": "ARGS:transient_key", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-47361", "method": "POST", "mode": "block", "severity": 8.8, "slug": "addon-elements-for-elementor-page-builder", "target": "plugin", "versions": "<=1.13.6"}, "RULE-CVE-2024-4742-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[youzify_verified_users[^\\\\]]*order_by\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:SELECT|UNION|INSERT|UPDATE|DELETE|DROP|CONCAT|BENCHMARK|SLEEP|IF\\\\s*\\\\(|CASE\\\\s+WHEN|0x[0-9a-fA-F]+|information_schema|RAND\\\\s*\\\\(\\\\s*\\\\)|INTO\\\\s+(?:OUT|DUMP))~i"}], "cve": "CVE-2024-4742", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4742", "description": "Youzify <=1.2.5 authenticated (Contributor+) SQL Injection via youzify_verified_users shortcode order_by attribute in post content submitted to post.php", "method": "POST", "mode": "block", "severity": 8.8, "slug": "youzify", "tags": ["sql-injection", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2024-4742-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[youzify_reviews[^\\\\]]*order_by\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:SELECT|UNION|INSERT|UPDATE|DELETE|DROP|CONCAT|BENCHMARK|SLEEP|IF\\\\s*\\\\(|CASE\\\\s+WHEN|0x[0-9a-fA-F]+|information_schema|RAND\\\\s*\\\\(\\\\s*\\\\)|INTO\\\\s+(?:OUT|DUMP))~i"}], "cve": "CVE-2024-4742", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4742", "description": "Youzify <=1.2.5 authenticated (Contributor+) SQL Injection via youzify_reviews shortcode order_by attribute in post content submitted to post.php", "method": "POST", "mode": "block", "severity": 8.8, "slug": "youzify", "tags": ["sql-injection", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2024-4742-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[youzify_verified_users[^\\\\]]*order_by\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:SELECT|UNION|INSERT|UPDATE|DELETE|DROP|CONCAT|BENCHMARK|SLEEP|IF\\\\s*\\\\(|CASE\\\\s+WHEN|0x[0-9a-fA-F]+|information_schema|RAND\\\\s*\\\\(\\\\s*\\\\)|INTO\\\\s+(?:OUT|DUMP))~i"}], "cve": "CVE-2024-4742", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4742", "description": "Youzify <=1.2.5 authenticated (Contributor+) SQL Injection via youzify_verified_users shortcode order_by attribute in REST API post/page creation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "youzify", "tags": ["sql-injection", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2024-4742-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[youzify_reviews[^\\\\]]*order_by\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:SELECT|UNION|INSERT|UPDATE|DELETE|DROP|CONCAT|BENCHMARK|SLEEP|IF\\\\s*\\\\(|CASE\\\\s+WHEN|0x[0-9a-fA-F]+|information_schema|RAND\\\\s*\\\\(\\\\s*\\\\)|INTO\\\\s+(?:OUT|DUMP))~i"}], "cve": "CVE-2024-4742", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4742", "description": "Youzify <=1.2.5 authenticated (Contributor+) SQL Injection via youzify_reviews shortcode order_by attribute in REST API post/page creation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "youzify", "tags": ["sql-injection", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2024-48044-01": {"ajax_action": "shortpixel_process_queue", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-48044", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortpixel-image-optimiser", "target": "plugin", "versions": "<=5.6.3"}, "RULE-CVE-2024-48044-02": {"ajax_action": "shortpixel_ajax_request", "conditions": [{"name": "ARGS:screen_action", "type": "exists"}, {"name": "ARGS:screen_action", "type": "regex", "value": "~^(applyBulkSelection|startBulk|startMigrateAll|startMigrateSelected|toolsRemoveAll|toolsRemoveSelected|toolsRollbackAll|toolsRollbackSelected|foldersAddFolder|foldersRenameFolder|foldersRemoveFolder|toolsViewLog|toolsDownloadLog)$~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-48044", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortpixel-image-optimiser", "target": "plugin", "versions": "<=5.6.3"}, "RULE-CVE-2024-48044-03": {"ajax_action": "shortpixel_ajax_request", "conditions": [{"name": "ARGS:screen_action", "type": "exists"}, {"name": "ARGS:screen_action", "type": "regex", "value": "~^(startMigrateAll|toolsRemoveAll|toolsRollbackAll)$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-48044", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortpixel-image-optimiser", "target": "plugin", "versions": "<=5.6.3"}, "RULE-CVE-2024-48044-04": {"ajax_action": "shortpixel_ajax_request", "conditions": [{"name": "ARGS:screen_action", "type": "exists"}, {"name": "ARGS:screen_action", "type": "regex", "value": "~^(optimizeItem|markCompleted|unMarkCompleted|cancelOptimize|restoreItem|reOptimizeItem|getItemEditWarning)$~i"}, {"name": "ARGS:id", "type": "exists"}, {"name": "ARGS:type", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-48044", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortpixel-image-optimiser", "target": "plugin", "versions": "<=5.6.3"}, "RULE-CVE-2024-48045-01": {"ajax_action": "ha_twitter_feed_action", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-48045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-48045", "description": "Happy Addons <=3.12.3 missing authorization on ha_twitter_feed_action AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "happy-elementor-addons", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.12.3"}, "RULE-CVE-2024-48045-03": {"ajax_action": "ha_post_tab_action", "conditions": [{"name": "ARGS:post_tab_query", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2024-48045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-48045", "description": "Happy Addons <=3.12.3 path traversal via post_tab_query in ha_post_tab_action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "happy-elementor-addons", "tags": ["path-traversal", "lfi-attempt"], "target": "plugin", "versions": "<=3.12.3"}, "RULE-CVE-2024-49252-01": {"ajax_action": "leyka_upload_l10n", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-49252", "method": "POST", "mode": "block", "severity": 5.3, "slug": "leyka", "target": "plugin", "versions": "<=3.31.6"}, "RULE-CVE-2024-49282-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:post_type", "type": "equals", "value": "rl_gallery"}, {"name": "ARGS:rl_gallery", "type": "regex", "value": "~(?i)(?:<\\\\s*script\\\\b|on\\\\w+\\\\s*=|javascript\\\\s*:)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-49282", "method": "POST", "mode": "block", "severity": 5.9, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2024-49282-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/options-general\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "responsive-lightbox"}, {"name": "ARGS:section", "type": "detectXSS"}], "cve": "CVE-2024-49282", "method": "GET", "mode": "block", "severity": 5.9, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2024-4936-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]canto[/\\\\\\\\]includes[/\\\\\\\\]lib[/\\\\\\\\]sizes\\\\.php~i"}, {"name": "ARGS:abspath", "type": "regex", "value": "~(?i)(?:https?|ftp)://|(?:data|php|phar|zip)://|%3a%2f%2f|%253a%252f%252f|\\\\.\\\\./|\\\\.\\\\.\\\\\\\\~"}], "cve": "CVE-2024-4936", "method": "GET", "mode": "block", "severity": 9.8, "slug": "canto", "target": "plugin", "versions": "<=3.0.8"}, "RULE-CVE-2024-4936-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]canto[/\\\\\\\\]includes[/\\\\\\\\]lib[/\\\\\\\\]sizes\\\\.php~i"}, {"name": "ARGS:abspath", "type": "regex", "value": "~(?i)(?:https?|ftp)://|(?:data|php|phar|zip)://|%3a%2f%2f|%253a%252f%252f|\\\\.\\\\./|\\\\.\\\\.\\\\\\\\~"}], "cve": "CVE-2024-4936", "method": "POST", "mode": "block", "severity": 9.8, "slug": "canto", "target": "plugin", "versions": "<=3.0.8"}, "RULE-CVE-2024-49633-01": {"ajax_action": "directorypress_handler_request", "conditions": [{"name": "ARGS:hash", "type": "detectXSS"}], "cve": "CVE-2024-49633", "method": "POST", "mode": "block", "severity": 6.1, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.19"}, "RULE-CVE-2024-49644-01": {"ajax_action": "AllAccessible_save_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-49644", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49644", "description": "Accessibility by AllAccessible <=1.3.4 authenticated (Subscriber+) arbitrary option update via AllAccessible_save_settings AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "allaccessible", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-option-update"], "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2024-5020-01": {"ajax_action": "accordion_slider_save_accordion", "conditions": [{"name": "ARGS:data", "type": "detectXSS"}], "cve": "CVE-2024-5020", "method": "POST", "mode": "block", "severity": 6.4, "slug": "accordion-slider", "target": "plugin", "versions": "<=1.9.12"}, "RULE-CVE-2024-5020-02": {"ajax_action": "accordion_slider_preview_accordion", "conditions": [{"name": "ARGS:data", "type": "detectXSS"}], "cve": "CVE-2024-5020", "method": "POST", "mode": "block", "severity": 6.4, "slug": "accordion-slider", "target": "plugin", "versions": "<=1.9.12"}, "RULE-CVE-2024-5020-03": {"ajax_action": "accordion_slider_import_accordion", "conditions": [{"name": "ARGS:data", "type": "detectXSS"}], "cve": "CVE-2024-5020", "method": "POST", "mode": "block", "severity": 6.4, "slug": "accordion-slider", "target": "plugin", "versions": "<=1.9.12"}, "RULE-CVE-2024-5147-01": {"ajax_action": "wpz_posts_grid_load_more", "conditions": [{"name": "ARGS:posts_data", "type": "regex", "value": "~\\\\.\\\\.[/\\\\\\\\]~"}], "cve": "CVE-2024-5147", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-5147", "description": "WPZOOM Addons for Elementor <=1.1.37 unauthenticated Local File Inclusion via path traversal in posts_data JSON parameter on wpz_posts_grid_load_more AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wpzoom-elementor-addons", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=1.1.37"}, "RULE-CVE-2024-51667-01": {"ajax_action": "paytium_emails_attachments", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-51667", "method": "POST", "mode": "block", "severity": 4.3, "slug": "paytium", "target": "plugin", "versions": "<=4.4.10"}, "RULE-CVE-2024-54268-01": {"ajax_action": "so_widgets_search_posts", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "so_widgets_search_posts"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-54268", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54268", "description": "Broken access control in SiteOrigin Widgets Bundle so_widgets_search_posts AJAX action allowing low-privileged users to trigger privileged widget searches via admin-ajax.php", "mode": "block", "severity": 8.8, "slug": "so-widgets-bundle", "tags": ["wordpress", "ajax", "missing_authorization", "broken_access_control"], "target": "plugin", "versions": "<=1.64.0"}, "RULE-CVE-2024-5441-01": {"ajax_action": "mec_fes_form", "conditions": [{"name": "ARGS:mec[featured_image]", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|tml?|ar|t)|shtml?|cgi|fcgi|asp|aspx|jsp|exe|bash|ht(?:access|passwd))(?:[?#/]|$)~i"}], "cve": "CVE-2024-5441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-5441", "description": "Modern Events Calendar Lite <=6.5.6 arbitrary file upload via mec[featured_image] URL parameter in wp_ajax(_nopriv)_mec_fes_form \\u2014 set_featured_image() downloads attacker URL unchecked (CWE-434)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "modern-events-calendar-lite", "target": "plugin", "versions": "<=6.5.6"}, "RULE-CVE-2024-54444-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "contains", "value": "social_icon_list"}, {"name": "ARGS:actions", "type": "regex", "value": "~j[\\\\s]*a[\\\\s]*v[\\\\s]*a[\\\\s]*s[\\\\s]*c[\\\\s]*r[\\\\s]*i[\\\\s]*p[\\\\s]*t[\\\\s]*:(?![\\\\s]*void[\\\\s]*[(])~i"}], "cve": "CVE-2024-54444", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54444", "description": "Elementor <=3.25.10 Stored XSS via Social Icons widget javascript protocol URI in elementor_ajax save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "elementor", "tags": ["xss", "stored-xss", "elementor"], "target": "plugin", "versions": "<=3.25.10"}, "RULE-CVE-2024-5450-01": {"action": "init", "conditions": [{"name": "ARGS:new-bug-title", "type": "exists"}, {"name": "FILES:attachimage", "type": "exists"}], "cve": "CVE-2024-5450", "method": "POST", "mode": "block", "severity": 9.1, "slug": "bug-library", "target": "plugin", "versions": "<2.1.1"}, "RULE-CVE-2024-56276-01": {"ajax_action": "wpforms_lite_settings_upgrade", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-56276", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpforms-lite", "target": "plugin", "versions": "<=1.9.2.2"}, "RULE-CVE-2024-56288-01": {"ajax_action": "wpdocs_update_option", "conditions": [{"name": "ARGS:wpd_home_id", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-56288", "method": "POST", "mode": "block", "severity": 4.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2024-56288-02": {"ajax_action": "wpdocs_update_option", "conditions": [{"name": "ARGS:wpd_get_permalink", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-56288", "method": "POST", "mode": "block", "severity": 4.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2024-56288-03": {"ajax_action": "wpdocs_update_folder", "conditions": [{"name": "ARGS:new_name", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-56288", "method": "POST", "mode": "block", "severity": 4.8, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2024-5667-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~data-featherlight[^=]*\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*?(?:<script\\\\b|<[^>]+\\\\bon\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2024-5667", "method": "POST", "mode": "block", "severity": 6.4, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-5667-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-featherlight[^=]*\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*?(?:<script\\\\b|<[^>]+\\\\bon\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2024-5667", "method": "POST", "mode": "block", "severity": 6.4, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-5667-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts/\\\\d+(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-featherlight[^=]*\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*?(?:<script\\\\b|<[^>]+\\\\bon\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2024-5667", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-5667-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts/\\\\d+(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-featherlight[^=]*\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*?(?:<script\\\\b|<[^>]+\\\\bon\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2024-5667", "method": "PATCH", "mode": "block", "severity": 6.4, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2024-5853-01": {"ajax_action": "sirv_upload_file_by_chanks", "conditions": [{"name": "ARGS:partFileName", "type": "regex", "value": "~\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)~i"}], "cve": "CVE-2024-5853", "method": "POST", "mode": "block", "severity": 8.8, "slug": "sirv", "target": "plugin", "versions": "<=7.2.6"}, "RULE-CVE-2024-5932-02": {"action": "init", "conditions": [{"name": "ARGS:give_title", "type": "exists"}, {"name": "ARGS:give_title", "type": "regex", "value": "~(^|;)O:[0-9]+:\\\\\\"[A-Za-z0-9_\\\\\\\\]+\\\\\\\\TCPDF\\\\\\":~"}], "cve": "CVE-2024-5932", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.14.1"}, "RULE-CVE-2024-5940-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/events-tickets/event/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-5940", "method": "POST", "mode": "block", "severity": 5.3, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5940-01-PATCH": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/events-tickets/event/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-5940", "method": "PATCH", "mode": "block", "severity": 5.3, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5940-01-PUT": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/events-tickets/event/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-5940", "method": "PUT", "mode": "block", "severity": 5.3, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5940-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/events-tickets/ticket-type/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-5940", "method": "POST", "mode": "block", "severity": 5.3, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5940-02-PATCH": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/events-tickets/ticket-type/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-5940", "method": "PATCH", "mode": "block", "severity": 5.3, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5940-02-PUT": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/events-tickets/ticket-type/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2024-5940", "method": "PUT", "mode": "block", "severity": 5.3, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5941-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/give-api/v2/donor-dashboard/avatar(?:/|\\\\?|$)|(?:^|[?&])rest_route=/give-api/v2/donor-dashboard/avatar)~i"}, {"name": "ARGS:avatarId", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2024-5941", "method": "POST", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.14.1"}, "RULE-CVE-2024-5977-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/admin/forms/(trash|restore|delete|duplicate|edit)(/|\\\\?|$)~i"}, {"name": "ARGS:ids", "type": "exists"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2024-5977", "method": "POST", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5977-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/admin/forms/(trash|restore|delete|duplicate|edit)(/|\\\\?|$)~i"}, {"name": "ARGS:ids", "type": "exists"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2024-5977", "method": "DELETE", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5977-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/admin/forms/(trash|restore|delete|duplicate|edit)(/|\\\\?|$)~i"}, {"name": "ARGS:ids", "type": "exists"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2024-5977", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-5977-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/give-api/v2/admin/forms/(trash|restore|delete|duplicate|edit)(/|\\\\?|$)~i"}, {"name": "ARGS:ids", "type": "exists"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2024-5977", "method": "PATCH", "mode": "block", "severity": 5.4, "slug": "give", "target": "plugin", "versions": "<=3.13.0"}, "RULE-CVE-2024-6088-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/learnpress/v1/(?:users/)?register(?:[/?&#]|$)|[?&]rest_route=/learnpress/v1/(?:users/)?register(?:[/?&#]|$))~i"}], "cve": "CVE-2024-6088", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.8.1"}, "RULE-CVE-2024-6265-01": {"action": "init", "conditions": [{"name": "ARGS:uwp_sort_by", "type": "detectSQLi"}], "cve": "CVE-2024-6265", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6265", "description": "UsersWP <=1.2.10 unauthenticated SQL injection via uwp_sort_by parameter on front-end users page", "mode": "block", "severity": 9.8, "slug": "userswp", "tags": ["sql-injection", "unauthenticated", "order-by-injection"], "target": "plugin", "versions": "<=1.2.10"}, "RULE-CVE-2024-6265-02": {"ajax_action": "uwp_ajax_user_sorting_action", "conditions": [{"name": "ARGS:uwp_sort_by", "type": "detectSQLi"}], "cve": "CVE-2024-6265", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6265", "description": "UsersWP <=1.2.10 unauthenticated SQL injection via uwp_sort_by on AJAX user sorting handler", "mode": "block", "severity": 9.8, "slug": "userswp", "tags": ["sql-injection", "unauthenticated", "order-by-injection", "ajax"], "target": "plugin", "versions": "<=1.2.10"}, "RULE-CVE-2024-6328-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/api/flutter_user/firebase_sms_login(/|\\\\?|&|$)~"}], "cve": "CVE-2024-6328", "method": "POST", "mode": "block", "severity": 9.8, "slug": "mstore-api", "target": "plugin", "versions": "<=4.14.7"}, "RULE-CVE-2024-6328-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/api/flutter_user/firebase_sms_login_v2(/|\\\\?|&|$)~"}], "cve": "CVE-2024-6328", "method": "POST", "mode": "block", "severity": 9.8, "slug": "mstore-api", "target": "plugin", "versions": "<=4.14.7"}, "RULE-CVE-2024-6330-01": {"ajax_action": "gmw_info_window_init", "conditions": [{"name": "ARGS:form[info_window_template][content_path]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|[a-z]+://|^/)~i"}], "cve": "CVE-2024-6330", "method": "POST", "mode": "block", "severity": 9.8, "slug": "geo-my-wp", "target": "plugin", "versions": "<4.5.0.2"}, "RULE-CVE-2024-6365-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wootablepress"}, {"name": "ARGS:settings[order]", "type": "regex", "value": "~<\\\\?(?:php|=|\\\\s)|\\\\?>|<%|\\\\beval\\\\b|\\\\bassert\\\\b|\\\\bsystem\\\\b|\\\\bexec\\\\b|\\\\bpassthru\\\\b|\\\\bshell_exec\\\\b|\\\\bproc_open\\\\b|\\\\bpopen\\\\b|\\\\bbase64_decode\\\\b~i"}], "cve": "CVE-2024-6365", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6365", "description": "Product Table by WBW <=2.0.1 unauthenticated RCE via PHP code injection in settings[order] written to customTitle.php", "method": "POST", "mode": "block", "severity": 9.8, "slug": "woo-product-tables", "tags": ["remote-code-execution", "arbitrary-file-write", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2024-6365-02": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wootablepress"}, {"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS", "type": "regex", "value": "~<\\\\?(?:php|=|\\\\s)|\\\\?>|<%|\\\\beval\\\\b|\\\\bassert\\\\b|\\\\bsystem\\\\b|\\\\bexec\\\\b|\\\\bpassthru\\\\b|\\\\bshell_exec\\\\b|\\\\bproc_open\\\\b|\\\\bpopen\\\\b|\\\\bbase64_decode\\\\b~i"}], "cve": "CVE-2024-6365", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6365", "description": "Product Table by WBW <=2.0.1 unauthenticated RCE via PHP code injection in settings phrase parameters written to customTitle.php", "method": "POST", "mode": "block", "severity": 9.8, "slug": "woo-product-tables", "tags": ["remote-code-execution", "arbitrary-file-write", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2024-6366-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~async-upload\\\\.php~"}, {"name": "ARGS:wppb_upload", "type": "equals", "value": "true"}, {"name": "ARGS:action", "type": "equals", "value": "upload-attachment"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2024-6366", "method": "POST", "mode": "block", "severity": 9.1, "slug": "profile-builder", "target": "plugin", "versions": "<=3.11.7"}, "RULE-CVE-2024-6366-02": {"ajax_action": "query-attachments", "conditions": [{"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2024-6366", "method": "POST", "mode": "block", "severity": 9.1, "slug": "profile-builder", "target": "plugin", "versions": "<=3.11.7"}, "RULE-CVE-2024-6451-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/options.php"}, {"name": "ARGS:logs_path", "type": "exists"}, {"name": "ARGS:logs_path", "type": "regex", "value": "~\\\\.(?:php|php[0-9]+|phtml)\\\\b~i"}], "cve": "CVE-2024-6451", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.5.0"}, "RULE-CVE-2024-6451-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/options.php"}, {"name": "ARGS:logs_path", "type": "exists"}, {"name": "ARGS:logs_path", "type": "regex", "value": "~^(?![^\\\\n]*\\\\.log$)[^\\\\n]+$~"}], "cve": "CVE-2024-6451", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "target": "plugin", "versions": "<=2.5.0"}, "RULE-CVE-2024-6460-01": {"ajax_action": "tm_load_data", "conditions": [{"name": "ARGS:component", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|^/|(?:php|data|expect|phar|zip)://)~i"}], "cve": "CVE-2024-6460", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6460", "description": "Grow by Tradedoubler <=2.0.21 unauthenticated Local File Inclusion via tm_load_data AJAX component parameter", "mode": "block", "severity": 9.8, "slug": "tradedoubler-affiliate-tracker", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=2.0.21"}, "RULE-CVE-2024-6589-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(?:/\\\\d+)?$~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:learnpress/[^>]*\\"template\\"\\\\s*:\\\\s*\\"[^\\"]*(?:\\\\.\\\\./|\\\\.\\\\.\\\\\\\\)[^\\"]*\\"~i"}], "cve": "CVE-2024-6589", "method": "POST", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.8.2"}, "RULE-CVE-2024-6589-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~wp:learnpress/[^>]*\\"template\\"\\\\s*:\\\\s*\\"[^\\"]*(?:\\\\.\\\\./|\\\\.\\\\.\\\\\\\\)[^\\"]*\\"~i"}], "cve": "CVE-2024-6589", "method": "POST", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.8.2"}, "RULE-CVE-2024-6589-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(?:/\\\\d+)?$~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:learnpress/[^>]*\\"template\\"\\\\s*:\\\\s*\\"[^\\"]*(?:\\\\.\\\\./|\\\\.\\\\.\\\\\\\\)[^\\"]*\\"~i"}], "cve": "CVE-2024-6589", "method": "PUT", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.8.2"}, "RULE-CVE-2024-6589-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(?:/\\\\d+)?$~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:learnpress/[^>]*\\"template\\"\\\\s*:\\\\s*\\"[^\\"]*(?:\\\\.\\\\./|\\\\.\\\\.\\\\\\\\)[^\\"]*\\"~i"}], "cve": "CVE-2024-6589", "method": "PATCH", "mode": "block", "severity": 8.8, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.8.2"}, "RULE-CVE-2024-6624-01": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/register~i"}, {"name": "ARGS:custom_fields[wp_capabilities]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-01G": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/register~i"}, {"name": "ARGS:custom_fields[wp_capabilities]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-02": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/register~i"}, {"name": "ARGS:custom_fields[wp_user_level]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-02G": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/register~i"}, {"name": "ARGS:custom_fields[wp_user_level]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-03": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/update_user_meta~i"}, {"name": "ARGS:meta_key", "type": "regex", "value": "~^wp_(capabilities|user_level)$~i"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-03G": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/update_user_meta~i"}, {"name": "ARGS:meta_key", "type": "regex", "value": "~^wp_(capabilities|user_level)$~i"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-04": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/update_user_meta~i"}, {"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-04G": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/update_user_meta~i"}, {"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-05": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/update_user_meta~i"}, {"name": "ARGS:wp_user_level", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-05G": {"action": "init", "conditions": [{"name": "ARGS:json", "type": "regex", "value": "~user/update_user_meta~i"}, {"name": "ARGS:wp_user_level", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-06": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/register~i"}, {"name": "ARGS:custom_fields[wp_capabilities]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-06G": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/register~i"}, {"name": "ARGS:custom_fields[wp_capabilities]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-07": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/register~i"}, {"name": "ARGS:custom_fields[wp_user_level]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-07G": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/register~i"}, {"name": "ARGS:custom_fields[wp_user_level]", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-08": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/update_user_meta~i"}, {"name": "ARGS:meta_key", "type": "regex", "value": "~^wp_(capabilities|user_level)$~i"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-08G": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/update_user_meta~i"}, {"name": "ARGS:meta_key", "type": "regex", "value": "~^wp_(capabilities|user_level)$~i"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-09": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/update_user_meta~i"}, {"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-09G": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/update_user_meta~i"}, {"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-10": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/update_user_meta~i"}, {"name": "ARGS:wp_user_level", "type": "exists"}], "cve": "CVE-2024-6624", "method": "POST", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6624-10G": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/user/update_user_meta~i"}, {"name": "ARGS:wp_user_level", "type": "exists"}], "cve": "CVE-2024-6624", "method": "GET", "mode": "block", "severity": 9.8, "slug": "json-api-user", "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2024-6691-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php$~"}, {"name": "ARGS:option_page", "type": "equals", "value": "edd_settings"}], "cve": "CVE-2024-6691", "method": "POST", "mode": "block", "severity": 4.0, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2024-6692-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/options.php"}, {"name": "ARGS:edd_settings[agree_text]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2024-6692", "method": "POST", "mode": "block", "severity": 3.1, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2024-6723-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/discussions/list(/|\\\\?|$)~"}, {"name": "ARGS:sort[accessor]", "type": "regex", "value": "~[^a-zA-Z0-9_]~"}], "cve": "CVE-2024-6723", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6723", "description": "AI Engine <2.4.8 SQL injection via sort.accessor in admin discussions REST endpoint", "method": "POST", "mode": "block", "severity": 4.7, "slug": "ai-engine", "tags": ["sql-injection", "rest-api"], "target": "plugin", "versions": "<2.4.8"}, "RULE-CVE-2024-6723-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai-ui/v1/discussions/list(/|\\\\?|$)~"}, {"name": "ARGS:sort[accessor]", "type": "regex", "value": "~[^a-zA-Z0-9_]~"}], "cve": "CVE-2024-6723", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6723", "description": "AI Engine <2.4.8 SQL injection via sort.accessor in public discussions REST endpoint", "method": "POST", "mode": "block", "severity": 4.7, "slug": "ai-engine", "tags": ["sql-injection", "rest-api"], "target": "plugin", "versions": "<2.4.8"}, "RULE-CVE-2024-6723-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/discussions/list(/|\\\\?|$)~"}, {"name": "ARGS:sort[by]", "type": "regex", "value": "~[^a-zA-Z0-9_]~"}], "cve": "CVE-2024-6723", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6723", "description": "AI Engine <2.4.8 SQL injection via sort.by in admin discussions REST endpoint", "method": "POST", "mode": "block", "severity": 4.7, "slug": "ai-engine", "tags": ["sql-injection", "rest-api"], "target": "plugin", "versions": "<2.4.8"}, "RULE-CVE-2024-6723-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai-ui/v1/discussions/list(/|\\\\?|$)~"}, {"name": "ARGS:sort[by]", "type": "regex", "value": "~[^a-zA-Z0-9_]~"}], "cve": "CVE-2024-6723", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6723", "description": "AI Engine <2.4.8 SQL injection via sort.by in public discussions REST endpoint", "method": "POST", "mode": "block", "severity": 4.7, "slug": "ai-engine", "tags": ["sql-injection", "rest-api"], "target": "plugin", "versions": "<2.4.8"}, "RULE-CVE-2024-6809-01": {"ajax_action": "qcsmd_upvote_action", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-6809", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6809", "description": "Simple Video Directory <=1.4.2 unauthenticated SQL injection via id parameter in qcsmd_upvote_action AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "simple-media-directory", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.4.2"}, "RULE-CVE-2024-7031-01": {"ajax_action": "njt_fs_save_setting_restrictions", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-7031", "method": "POST", "mode": "block", "severity": 8.8, "slug": "filester", "target": "plugin", "versions": "<=1.8.2"}, "RULE-CVE-2024-7031-02": {"ajax_action": "njt_fs_save_setting", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-7031", "method": "POST", "mode": "block", "severity": 8.8, "slug": "filester", "target": "plugin", "versions": "<=1.8.2"}, "RULE-CVE-2024-7094-01": {"action": "init", "conditions": [{"name": "ARGS:form_request", "type": "equals", "value": "jssupportticket"}, {"name": "ARGS:jstmod", "type": "equals", "value": "themes"}, {"name": "ARGS:task", "type": "equals", "value": "savetheme"}, {"name": "ARGS:/color[1-7]/", "type": "regex", "value": "~[\\"\'`;]|<\\\\?(?:php|=)|[$][a-zA-Z_]~"}], "cve": "CVE-2024-7094", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7094", "description": "JS Help Desk <=2.8.6 unauthorized frontend savetheme dispatch via formhandler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "js-support-ticket", "tags": ["missing-authorization", "code-injection", "frontend-form"], "target": "plugin", "versions": "<=2.8.6"}, "RULE-CVE-2024-7257-01": {"ajax_action": "yaye_handle_upload_file", "conditions": [{"name": "FILES:option_field_data", "type": "exists"}], "cve": "CVE-2024-7257", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7257", "description": "YayExtra \\u2013 WooCommerce Extra Product Options <=1.3.7 unauthenticated arbitrary file upload via yaye_handle_upload_file AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "yayextra", "tags": ["arbitrary-file-upload", "unauthenticated", "remote-code-execution"], "target": "plugin", "versions": "<=1.3.7"}, "RULE-CVE-2024-7315-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-content/wpvividbackups/[^/]+\\\\.(?:zip|sql|gz|tar|json|txt|log)(?:\\\\?|$)~i"}], "cve": "CVE-2024-7315", "method": "GET", "mode": "block", "severity": 7.5, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<0.9.106"}, "RULE-CVE-2024-7315-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-content/wpvividbackups/wpvivid_log/~i"}], "cve": "CVE-2024-7315", "method": "GET", "mode": "block", "severity": 7.5, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<0.9.106"}, "RULE-CVE-2024-7385-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wshs_saved"}, {"name": "ARGS:action", "type": "equals", "value": "delete"}, {"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-7385", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7385", "description": "WordPress Simple HTML Sitemap <=3.1 authenticated (Admin+) SQL injection via id parameter in wshs_saved delete action", "mode": "block", "severity": 7.2, "slug": "wp-simple-html-sitemap", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2024-7385-02": {"ajax_action": "wshs_save_shortcode", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2024-7385", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7385", "description": "WordPress Simple HTML Sitemap <=3.1 SQL injection via id parameter in wshs_save_shortcode AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-simple-html-sitemap", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2024-7493-01": {"ajax_action": "wpcom_register", "conditions": [{"name": "ARGS:role", "type": "exists"}], "cve": "CVE-2024-7493", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7493", "description": "WPCOM Member <=1.5.2.1 unauthenticated privilege escalation via role parameter in registration", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wpcom-member", "tags": ["privilege-escalation", "unauthenticated", "mass-assignment"], "target": "plugin", "versions": "<=1.5.2.1"}, "RULE-CVE-2024-7493-02": {"ajax_action": "wpcom_register", "conditions": [{"name": "ARGS:meta_input[wp_capabilities]", "type": "exists"}], "cve": "CVE-2024-7493", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7493", "description": "WPCOM Member <=1.5.2.1 unauthenticated privilege escalation via meta_input wp_capabilities", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wpcom-member", "tags": ["privilege-escalation", "unauthenticated", "mass-assignment"], "target": "plugin", "versions": "<=1.5.2.1"}, "RULE-CVE-2024-7493-03": {"ajax_action": "wpcom_register", "conditions": [{"name": "ARGS:meta_input[wp_user_level]", "type": "exists"}], "cve": "CVE-2024-7493", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7493", "description": "WPCOM Member <=1.5.2.1 unauthenticated privilege escalation via meta_input wp_user_level", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wpcom-member", "tags": ["privilege-escalation", "unauthenticated", "mass-assignment"], "target": "plugin", "versions": "<=1.5.2.1"}, "RULE-CVE-2024-7548-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[learn_press_featured_courses[^\\\\]]*order\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:select|sleep|benchmark|union|concat|if\\\\s*\\\\(|0x|/\\\\*|;|\\\\()[^\\"\']*[\\"\']~i"}], "cve": "CVE-2024-7548", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.9.3"}, "RULE-CVE-2024-7548-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[learn_press_featured_courses[^\\\\]]*order\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:select|sleep|benchmark|union|concat|if\\\\s*\\\\(|0x|/\\\\*|;|\\\\()[^\\"\']*[\\"\']~i"}], "cve": "CVE-2024-7548", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.9.3"}, "RULE-CVE-2024-7548-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[learn_press_featured_courses[^\\\\]]*order\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:select|sleep|benchmark|union|concat|if\\\\s*\\\\(|0x|/\\\\*|;|\\\\()[^\\"\']*[\\"\']~i"}], "cve": "CVE-2024-7548", "method": "PATCH", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.9.3"}, "RULE-CVE-2024-7548-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[learn_press_featured_courses[^\\\\]]*order\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:select|sleep|benchmark|union|concat|if\\\\s*\\\\(|0x|/\\\\*|;|\\\\()[^\\"\']*[\\"\']~i"}], "cve": "CVE-2024-7548", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.6.9.3"}, "RULE-CVE-2024-7590-01": {"ajax_action": "uag_load_image_gallery_masonry", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-7590", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.15.0"}, "RULE-CVE-2024-7590-02": {"ajax_action": "uag_load_image_gallery_grid_pagination", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-7590", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.15.0"}, "RULE-CVE-2024-7856-01": {"ajax_action": "removeTempFiles", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-7856", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7856", "description": "MP3 Music Player by Sonaar <=5.7.0.1 missing authorization (subscriber+) arbitrary file deletion via removeTempFiles AJAX handler", "method": "POST", "mode": "block", "severity": 8.1, "slug": "mp3-music-player-by-sonaar", "tags": ["missing-authorization", "arbitrary-file-deletion", "path-traversal"], "target": "plugin", "versions": "<=5.7.0.1"}, "RULE-CVE-2024-7857-01": {"ajax_action": "mlf_change_sort_type", "conditions": [{"name": "ARGS:sort_type", "type": "detectSQLi"}], "cve": "CVE-2024-7857", "method": "POST", "mode": "block", "severity": 6.5, "slug": "media-library-plus", "target": "plugin", "versions": "<=8.2.2"}, "RULE-CVE-2024-7982-01": {"ajax_action": "rtec_process_form_submission", "conditions": [{"name": "ARGS:first_name", "type": "detectXSS"}], "cve": "CVE-2024-7982", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7982", "description": "Registrations for the Events Calendar <=2.12.3 unauthenticated stored XSS via first_name in registration form submission", "method": "POST", "mode": "block", "severity": 9.6, "slug": "registrations-for-the-events-calendar", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.12.3"}, "RULE-CVE-2024-7982-02": {"ajax_action": "rtec_process_form_submission", "conditions": [{"name": "ARGS:last_name", "type": "detectXSS"}], "cve": "CVE-2024-7982", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-7982", "description": "Registrations for the Events Calendar <=2.12.3 unauthenticated stored XSS via last_name in registration form submission", "method": "POST", "mode": "block", "severity": 9.6, "slug": "registrations-for-the-events-calendar", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.12.3"}, "RULE-CVE-2024-8289-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mvx/v1/vendors/?(?:\\\\?|$)~"}, {"type": "missing_capability", "value": "create_users"}], "cve": "CVE-2024-8289", "method": "POST", "mode": "block", "severity": 9.8, "slug": "dc-woocommerce-multi-vendor", "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2024-8289-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mvx/v1/vendors/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2024-8289", "method": "POST", "mode": "block", "severity": 9.8, "slug": "dc-woocommerce-multi-vendor", "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2024-8289-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mvx/v1/vendors/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2024-8289", "method": "PUT", "mode": "block", "severity": 9.8, "slug": "dc-woocommerce-multi-vendor", "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2024-8289-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mvx/v1/vendors/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2024-8289", "method": "PATCH", "mode": "block", "severity": 9.8, "slug": "dc-woocommerce-multi-vendor", "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2024-8289-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mvx/v1/vendors/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "delete_users"}], "cve": "CVE-2024-8289", "method": "DELETE", "mode": "block", "severity": 9.8, "slug": "dc-woocommerce-multi-vendor", "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2024-8289-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mvx/v1/vendors/batch(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2024-8289", "method": "POST", "mode": "block", "severity": 9.8, "slug": "dc-woocommerce-multi-vendor", "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2024-8353-02": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-03": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address_2", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-04": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_city", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-05": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_state", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-06": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_zip", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-07": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_name", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-08": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_number", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-09": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_cvc", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-10": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_exp_month", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-11": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_exp_year", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-12": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:billing_country", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-13": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give_first", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-14": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give_last", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8353-15": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give-form-title", "type": "regex", "value": "~[oOcCaA]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2024-8353", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<3.16.2"}, "RULE-CVE-2024-8522-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/learnpress/v1/courses(?:/|\\\\?|$)|/\\\\?(?:[^#]*&)?rest_route=/learnpress/v1/courses(?:/|$|[?&]))~i"}, {"name": "ARGS:c_only_fields", "type": "detectSQLi"}], "cve": "CVE-2024-8522", "method": "GET", "mode": "block", "severity": 7.5, "slug": "learnpress", "target": "plugin", "versions": "<4.2.7.1"}, "RULE-CVE-2024-8800-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "rabbit-loader"}, {"name": "ARGS", "type": "regex", "value": "~(?i)(%3Cscript|<script\\\\b|javascript:|<[^>]*onerror\\\\s*=|<[^>]*onload\\\\s*=|<[^>]*onclick\\\\s*=|\\\\bonerror\\\\s*=|\\\\bonload\\\\s*=|\\\\bonclick\\\\s*=|%22%3E|%27%3E)~"}], "cve": "CVE-2024-8800", "method": "GET", "mode": "block", "severity": 6.1, "slug": "rabbit-loader", "target": "plugin", "versions": "<=2.21.0"}, "RULE-CVE-2024-8800-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "rabbit-loader"}, {"name": "ARGS", "type": "regex", "value": "~(?i)%3cscript|<img\\\\b[^>]*onerror\\\\s*=|<a\\\\b[^>]*href\\\\s*=\\\\s*[\'\\"]javascript:~"}], "cve": "CVE-2024-8800", "method": "GET", "mode": "block", "severity": 6.1, "slug": "rabbit-loader", "target": "plugin", "versions": "<=2.21.0"}, "RULE-CVE-2024-8853-01": {"action": "wp_loaded", "conditions": [{"name": "ARGS:user_login", "type": "contains", "value": "-wfuser"}], "cve": "CVE-2024-8853", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-8853", "description": "Webo-facto <=1.40 unauthenticated privilege escalation via user_login containing -wfuser substring", "method": "POST", "mode": "block", "severity": 9.8, "slug": "webo-facto-connector", "tags": ["privilege-escalation", "unauthenticated", "improper-privilege-management"], "target": "plugin", "versions": "<=1.40"}, "RULE-CVE-2024-8978-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~(\\\\{\\\\{password\\\\}\\\\}|%7B%7Bpassword%7D%7D)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-8978", "method": "POST", "mode": "block", "severity": 5.7, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=6.0.9"}, "RULE-CVE-2024-9234-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/gutenkit/v1/install-active-plugin(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2024-9234", "method": "POST", "mode": "block", "severity": 9.8, "slug": "gutenkit-blocks-addon", "target": "plugin", "versions": "<=2.1.0"}, "RULE-CVE-2024-9390-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^rm_ex_~"}, {"name": "ARGS:rm_status", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-9390", "method": "GET", "mode": "block", "severity": 4.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<6.0.2.1"}, "RULE-CVE-2024-9390-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^rm_ex_~"}, {"name": "ARGS:rm_interval", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-9390", "method": "GET", "mode": "block", "severity": 4.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<6.0.2.1"}, "RULE-CVE-2024-9390-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^rm_ex_~"}, {"name": "ARGS:rm_user_role", "type": "regex", "value": "~(?:<[^>]*\\\\son\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|applet|base|link|meta|style|svg|math|body|video|audio|details|form|input|select|textarea|button|marquee)\\\\b|javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:[^,]*;base64)~i"}], "cve": "CVE-2024-9390", "method": "GET", "mode": "block", "severity": 4.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<6.0.2.1"}, "RULE-CVE-2024-9504-01": {"ajax_action": "wpdevart_form_ajax", "conditions": [{"name": "FILES:file0", "type": "exists"}], "cve": "CVE-2024-9504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-9504", "description": "Booking Calendar <=3.2.15 unauthenticated stored XSS via SVG file upload in wpdevart_form_ajax", "method": "POST", "mode": "block", "severity": 7.2, "slug": "booking-calendar", "tags": ["xss", "svg-upload", "unauthenticated", "file-upload"], "target": "plugin", "versions": "<=3.2.15"}, "RULE-CVE-2024-9511-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fluent-smtp/(?!outlook_callback)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-9511", "mode": "block", "severity": 9.8, "slug": "fluent-smtp", "target": "plugin", "versions": "<=2.2.82"}, "RULE-CVE-2024-9598-01": {"ajax_action": "redux_p", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-9598", "description": "AMP for WP CSRF via missing nonce validation on redux_p AJAX proxy endpoint", "mode": "block", "severity": 8.8, "slug": "accelerated-mobile-pages", "target": "plugin", "versions": "<=1.0.99.1"}, "RULE-CVE-2024-9634-01": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give_company_name", "type": "regex", "value": "~(^\\\\s*|[;{]\\\\s*)O:\\\\d+:\\"~"}], "cve": "CVE-2024-9634", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.16.3"}, "RULE-CVE-2024-9634-02": {"action": "init", "conditions": [{"name": "ARGS:give_action", "type": "equals", "value": "purchase"}, {"name": "ARGS:give_company_name", "type": "regex", "value": "~(^\\\\s*|[;{]\\\\s*)O:\\\\d+:\\"~"}], "cve": "CVE-2024-9634", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.16.3"}, "RULE-CVE-2024-9636-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/post-grid/v2/process_form_data(?:/|\\\\?|&|$)~"}, {"name": "ARGS:user_meta[wp_capabilities]", "type": "exists"}], "cve": "CVE-2024-9636", "method": "POST", "mode": "block", "severity": 9.8, "slug": "post-grid", "target": "plugin", "versions": ">=2.2.85 <=2.3.3"}, "RULE-CVE-2024-9636-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/post-grid/v2/process_form_data(?:/|\\\\?|&|$)~"}, {"name": "ARGS:user_meta[wp_user_level]", "type": "exists"}], "cve": "CVE-2024-9636", "method": "POST", "mode": "block", "severity": 9.8, "slug": "post-grid", "target": "plugin", "versions": ">=2.2.85 <=2.3.3"}, "RULE-CVE-2024-9707-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/hc/v1/themehunk-import(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-9707", "method": "POST", "mode": "block", "severity": 9.8, "slug": "hunk-companion", "target": "plugin", "versions": "<=1.8.4"}, "RULE-CVE-2024-9707-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ai/v1/ai-site-import(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-9707", "method": "POST", "mode": "block", "severity": 9.8, "slug": "hunk-companion", "target": "plugin", "versions": "<=1.8.4"}, "RULE-CVE-2024-9769-01": {"ajax_action": "tsvg_check_attachment", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-9769", "method": "POST", "mode": "block", "severity": 4.4, "slug": "gallery-videos", "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2024-9769-02": {"ajax_action": "tsvg_get_attachment_id", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2024-9769", "method": "POST", "mode": "block", "severity": 4.4, "slug": "gallery-videos", "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2024-9881-01": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "learn-press-settings"}, {"name": "ARGS:learn_press_offline_payment[description]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2024-9881", "method": "POST", "mode": "block", "severity": 4.8, "slug": "learnpress", "target": "plugin", "versions": "<4.2.7.2"}, "RULE-CVE-2024-9935-01": {"action": "init", "conditions": [{"name": "ARGS:rtw_pdf_file", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log))~i"}], "cve": "CVE-2024-9935", "description": "PDF Generator Addon for Elementor Page Builder <=2.0.0 local file inclusion via rtw_pdf_file parameter", "mode": "block", "severity": 7.5, "slug": "pdf-generator-addon-for-elementor-page-builder", "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-0215-01": {"ajax_action": "updraft_ajax", "conditions": [{"name": "ARGS:uri", "type": "detectXSS"}], "cve": "CVE-2025-0215", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0215", "description": "UpdraftPlus <= 1.24.12 Reflected XSS via uri parameter in updraft_ajax handler", "method": "GET", "mode": "block", "severity": 6.1, "slug": "updraftplus", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=1.24.12"}, "RULE-CVE-2025-0215-02": {"ajax_action": "updraft_ajax", "conditions": [{"name": "ARGS:initiate_restore", "type": "detectXSS"}], "cve": "CVE-2025-0215", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0215", "description": "UpdraftPlus <= 1.24.12 Reflected XSS via initiate_restore parameter in updraft_ajax handler", "method": "GET", "mode": "block", "severity": 6.1, "slug": "updraftplus", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=1.24.12"}, "RULE-CVE-2025-0215-03": {"ajax_action": "updraft_ajax", "conditions": [{"name": "ARGS:showdata", "type": "detectXSS"}], "cve": "CVE-2025-0215", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0215", "description": "UpdraftPlus <= 1.24.12 Reflected XSS via showdata parameter in updraft_ajax handler", "method": "GET", "mode": "block", "severity": 6.1, "slug": "updraftplus", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=1.24.12"}, "RULE-CVE-2025-0308-01": {"ajax_action": "um_get_members", "conditions": [{"name": "ARGS:search", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\(|SL(?:/\\\\*[^*]*\\\\*/)?EEP\\\\s*\\\\()~i"}, {"name": "ARGS:search", "type": "regex", "value": "~(?i)(\\\\b(sleep|benchmark|union|select|if)\\\\b|--|/\\\\*|#|;)~i"}], "cve": "CVE-2025-0308", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0308", "description": "Ultimate Member <=2.9.1 unauthenticated SQL injection via search parameter in um_get_members AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "ultimate-member", "tags": ["sql-injection", "unauthenticated", "time-based-blind"], "target": "plugin", "versions": "<=2.9.1"}, "RULE-CVE-2025-0329-01": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wpbot"}, {"name": "ARGS", "type": "regex", "value": "~<[^>]*\\\\bon[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-0329", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0329", "description": "AI ChatBot WPBot <6.2.4 Stored XSS via admin settings page (event handler injection)", "method": "POST", "mode": "block", "severity": 4.8, "slug": "chatbot", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<6.2.4"}, "RULE-CVE-2025-0329-02": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wpbot"}, {"name": "ARGS", "type": "regex", "value": "~<\\\\s*(?:script|iframe)[^>]*>~i"}], "cve": "CVE-2025-0329", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0329", "description": "AI ChatBot WPBot <6.2.4 Stored XSS via admin settings page (script/iframe tag injection)", "method": "POST", "mode": "block", "severity": 4.8, "slug": "chatbot", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<6.2.4"}, "RULE-CVE-2025-0329-03": {"ajax_action": "openai_settings_option", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<[^>]*\\\\bon[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-0329", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0329", "description": "AI ChatBot WPBot <6.2.4 Stored XSS via openai_settings_option AJAX (event handler injection)", "method": "POST", "mode": "block", "severity": 4.8, "slug": "chatbot", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<6.2.4"}, "RULE-CVE-2025-0329-04": {"ajax_action": "openai_settings_option", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<\\\\s*(?:script|iframe)[^>]*>~i"}], "cve": "CVE-2025-0329", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0329", "description": "AI ChatBot WPBot <6.2.4 Stored XSS via openai_settings_option AJAX (script/iframe tag injection)", "method": "POST", "mode": "block", "severity": 4.8, "slug": "chatbot", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<6.2.4"}, "RULE-CVE-2025-0350-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wdcl_image_carousel_child\\\\b[^\\\\]]*(?:<script|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseenter|mouseleave)\\\\s*=|javascript\\\\s*:)~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0350", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0350", "description": "Divi Carousel Lite <=2.0.4 Stored XSS via Image Carousel widget attributes in post_content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wow-carousel-for-divi-lite", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-0350-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wdcl_logo_carousel_child\\\\b[^\\\\]]*(?:<script|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseenter|mouseleave)\\\\s*=|javascript\\\\s*:)~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0350", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0350", "description": "Divi Carousel Lite <=2.0.4 Stored XSS via Logo Carousel widget attributes in post_content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wow-carousel-for-divi-lite", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-0350-03": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[wdcl_image_carousel_child\\\\b[^\\\\]]*(?:<script|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseenter|mouseleave)\\\\s*=|javascript\\\\s*:)~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0350", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0350", "description": "Divi Carousel Lite <=2.0.4 Stored XSS via Image Carousel widget attributes in content param", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wow-carousel-for-divi-lite", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-0350-04": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[wdcl_logo_carousel_child\\\\b[^\\\\]]*(?:<script|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseenter|mouseleave)\\\\s*=|javascript\\\\s*:)~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0350", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0350", "description": "Divi Carousel Lite <=2.0.4 Stored XSS via Logo Carousel widget attributes in content param", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wow-carousel-for-divi-lite", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-0357-01": {"ajax_action": "wpb_ajax_post", "conditions": [{"name": "ARGS:route_name", "type": "equals", "value": "edit_profile_data"}, {"name": "FILES:avatar", "type": "exists"}], "cve": "CVE-2025-0357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0357", "description": "WPBookit <1.6.10 unauthenticated arbitrary file upload via edit_profile_data avatar", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wpbookit", "tags": ["arbitrary-file-upload", "unauthenticated", "remote-code-execution"], "target": "plugin", "versions": "<1.6.10"}, "RULE-CVE-2025-0365-01": {"action": "init", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~(?:\\\\.{2}[\\\\/\\\\\\\\]|[\\\\/\\\\\\\\])+(?:wp-config\\\\.php|etc/passwd|\\\\.htaccess|(?:^|[\\\\/\\\\\\\\\\"\'\\\\s])\\\\.env(?:$|[\\\\/\\\\\\\\\\"\'\\\\s])|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-0365", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0365", "description": "JupiterX Core <=4.8.7 authenticated (Contributor+) arbitrary file read via path traversal in Elementor widget settings (actions param)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "jupiterx-core", "tags": ["path-traversal", "local-file-inclusion", "authenticated", "elementor-widget"], "target": "plugin", "versions": "<=4.8.7"}, "RULE-CVE-2025-0365-02": {"action": "init", "conditions": [{"name": "ARGS:_elementor_data", "type": "regex", "value": "~(?:\\\\.{2}[\\\\/\\\\\\\\]|[\\\\/\\\\\\\\])+(?:wp-config\\\\.php|etc/passwd|\\\\.htaccess|(?:^|[\\\\/\\\\\\\\\\"\'\\\\s])\\\\.env(?:$|[\\\\/\\\\\\\\\\"\'\\\\s])|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-0365", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0365", "description": "JupiterX Core <=4.8.7 authenticated (Contributor+) arbitrary file read via path traversal in Elementor data param", "method": "POST", "mode": "block", "severity": 6.5, "slug": "jupiterx-core", "tags": ["path-traversal", "local-file-inclusion", "authenticated", "elementor-widget"], "target": "plugin", "versions": "<=4.8.7"}, "RULE-CVE-2025-0366-01": {"ajax_action": "raven_form_frontend", "conditions": [{"name": "FILES:form_fields:content", "type": "regex", "value": "~<\\\\?(?:php|=)|<script\\\\b|shell_exec\\\\s*\\\\(|base64_decode\\\\s*\\\\(|system\\\\s*\\\\(|passthru\\\\s*\\\\(|eval\\\\s*\\\\(~i"}], "cve": "CVE-2025-0366", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0366", "description": "Jupiter X Core <=4.8.7 SVG file upload with embedded PHP via raven_form_frontend AJAX handler (LFI-to-RCE chain stage 1)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "jupiterx-core", "tags": ["local-file-inclusion", "remote-code-execution", "file-upload", "unauthenticated"], "target": "plugin", "versions": "<=4.8.7"}, "RULE-CVE-2025-0366-02": {"ajax_action": "raven_control_file_upload", "conditions": [{"name": "FILES:form_fields:content", "type": "regex", "value": "~<\\\\?(?:php|=)|<script\\\\b|shell_exec\\\\s*\\\\(|base64_decode\\\\s*\\\\(|system\\\\s*\\\\(|passthru\\\\s*\\\\(|eval\\\\s*\\\\(~i"}], "cve": "CVE-2025-0366", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0366", "description": "Jupiter X Core <=4.8.7 SVG file upload with embedded PHP via raven_control_file_upload AJAX handler (LFI-to-RCE chain stage 1)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "jupiterx-core", "tags": ["local-file-inclusion", "remote-code-execution", "file-upload"], "target": "plugin", "versions": "<=4.8.7"}, "RULE-CVE-2025-0370-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[su_lightbox\\\\b[^\\\\]]*\\\\bsrc\\\\s*=\\\\s*[\\"\']?\\\\s*(?:javascript|data|vbscript)\\\\s*:~i"}], "cve": "CVE-2025-0370", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0370", "description": "Shortcodes Ultimate <=7.3.3 Stored XSS via [su_lightbox] shortcode src attribute with dangerous URI scheme (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=7.3.3"}, "RULE-CVE-2025-0370-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[su_lightbox\\\\b[^\\\\]]*\\\\bsrc\\\\s*=\\\\s*[\\"\']?\\\\s*(?:javascript|data|vbscript)\\\\s*:~i"}], "cve": "CVE-2025-0370", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0370", "description": "Shortcodes Ultimate <=7.3.3 Stored XSS via [su_lightbox] shortcode src attribute with dangerous URI scheme (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=7.3.3"}, "RULE-CVE-2025-0370-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[su_lightbox\\\\b[^\\\\]]*\\\\bsrc\\\\s*=\\\\s*[\\"\'][^\\"\']*[\\"\'][^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-0370", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0370", "description": "Shortcodes Ultimate <=7.3.3 Stored XSS via [su_lightbox] shortcode src attribute with event handler injection (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=7.3.3"}, "RULE-CVE-2025-0370-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[su_lightbox\\\\b[^\\\\]]*\\\\bsrc\\\\s*=\\\\s*[\\"\'][^\\"\']*[\\"\'][^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-0370", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0370", "description": "Shortcodes Ultimate <=7.3.3 Stored XSS via [su_lightbox] shortcode src attribute with event handler injection (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=7.3.3"}, "RULE-CVE-2025-0393-01": {"ajax_action": "wpr_filter_grid_posts", "conditions": [{"name": "ARGS:grid_settings", "type": "regex", "value": "~<[a-z/!?]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|&#~i"}], "cve": "CVE-2025-0393", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0393", "description": "Royal Elementor Addons <=1.7.1006 CSRF to Reflected XSS via wpr_filter_grid_posts grid_settings parameter", "mode": "block", "severity": 6.1, "slug": "royal-elementor-addons", "tags": ["xss", "csrf", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1006"}, "RULE-CVE-2025-0428-01": {"ajax_action": "wpaicg_import_prompts", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2025-0428", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0428", "description": "AI Power Complete AI Pack <=1.8.96 PHP Object Injection payload injection attempt via wpaicg_import_prompts", "method": "POST", "mode": "block", "severity": 7.2, "slug": "gpt3-ai-content-generator", "tags": ["object-injection", "deserialization", "php-object-injection", "ajax"], "target": "plugin", "versions": "<=1.8.96"}, "RULE-CVE-2025-0428-02": {"ajax_action": "wpaicg_export_prompts", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2025-0428", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0428", "description": "AI Power Complete AI Pack <=1.8.96 PHP Object Injection trigger attempt via wpaicg_export_prompts with serialized markers", "method": "POST", "mode": "block", "severity": 7.2, "slug": "gpt3-ai-content-generator", "tags": ["object-injection", "deserialization", "php-object-injection", "ajax"], "target": "plugin", "versions": "<=1.8.96"}, "RULE-CVE-2025-0466-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/search(?:/|\\\\?|&|$)~i"}, {"name": "ARGS:subtype", "type": "equals", "value": "sensei_message"}], "cve": "CVE-2025-0466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0466", "description": "Sensei LMS <4.24.4 unauthenticated information disclosure of sensei_message posts via REST search subtype parameter", "method": "GET", "mode": "block", "severity": 5.3, "slug": "sensei-lms", "tags": ["missing-authorization", "information-disclosure", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<4.24.4"}, "RULE-CVE-2025-0466-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/search(?:/|\\\\?|&|$)~i"}, {"name": "ARGS:subtype", "type": "equals", "value": "sensei_email"}], "cve": "CVE-2025-0466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0466", "description": "Sensei LMS <4.24.4 unauthenticated information disclosure of sensei_email posts via REST search subtype parameter", "method": "GET", "mode": "block", "severity": 5.3, "slug": "sensei-lms", "tags": ["missing-authorization", "information-disclosure", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<4.24.4"}, "RULE-CVE-2025-0466-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/search(?:/|\\\\?|&|$)~i"}, {"name": "ARGS:subtype[]", "type": "regex", "value": "~^sensei_message$~"}], "cve": "CVE-2025-0466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0466", "description": "Sensei LMS <4.24.4 unauthenticated information disclosure of sensei_message posts via REST search subtype[] array parameter", "method": "GET", "mode": "block", "severity": 5.3, "slug": "sensei-lms", "tags": ["missing-authorization", "information-disclosure", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<4.24.4"}, "RULE-CVE-2025-0466-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/search(?:/|\\\\?|&|$)~i"}, {"name": "ARGS:subtype[]", "type": "regex", "value": "~^sensei_email$~"}], "cve": "CVE-2025-0466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0466", "description": "Sensei LMS <4.24.4 unauthenticated information disclosure of sensei_email posts via REST search subtype[] array parameter", "method": "GET", "mode": "block", "severity": 5.3, "slug": "sensei-lms", "tags": ["missing-authorization", "information-disclosure", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<4.24.4"}, "RULE-CVE-2025-0469-01": {"ajax_action": "forminator_save_builder", "conditions": [{"name": "ARGS:builder", "type": "exists"}, {"name": "ARGS:builder", "type": "regex", "value": "~(?:<\\\\s*(?:script|img|svg|iframe|object|embed|link|style|math|details|marquee|video|audio|body|input|textarea|select|form|base|meta)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|reset|select|abort|beforeunload|message|animationend|animationstart|pointerover|pointerenter)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-0469", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0469", "description": "Forminator <=1.39.2 Stored XSS via slider template prefix/suffix in form builder save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "forminator", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.39.2"}, "RULE-CVE-2025-0470-01": {"action": "init", "conditions": [{"name": "ARGS:title", "type": "detectXSS"}], "cve": "CVE-2025-0470", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0470", "description": "Forminator Forms <=1.38.2 reflected cross-site scripting via title query parameter", "mode": "block", "severity": 6.1, "slug": "forminator", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.38.2"}, "RULE-CVE-2025-0493-01": {"ajax_action": "mvx_announcements_refresh_tab_data", "conditions": [{"name": "ARGS:tabname", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|[\\\\\\\\/]\\\\.\\\\.|\\\\.\\\\./|php://|phar://|data://|expect://|glob://)~i"}], "cve": "CVE-2025-0493", "method": "POST", "mode": "block", "severity": 9.8, "slug": "dc-woocommerce-multi-vendor", "target": "plugin", "versions": "<=4.2.14"}, "RULE-CVE-2025-0506-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "contains", "value": "rise-blocks/site-identity"}, {"name": "ARGS:content", "type": "regex", "value": "~\\"(?:titleTag|taglineTag)\\"\\\\s*:\\\\s*\\"[^\\"\\\\\\\\]*[<>][^\\"\\\\\\\\]*\\"~"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0506", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0506", "description": "Rise Blocks <=3.6 Stored XSS via titleTag block attribute in site-identity block (REST API post save)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "rise-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.6"}, "RULE-CVE-2025-0506-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "contains", "value": "rise-blocks/site-identity"}, {"name": "ARGS:content", "type": "regex", "value": "~\\"(?:titleTag|taglineTag)\\"\\\\s*:\\\\s*\\"[^\\"\\\\\\\\]*[<>][^\\"\\\\\\\\]*\\"~"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0506", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0506", "description": "Rise Blocks <=3.6 Stored XSS via titleTag block attribute in site-identity block (classic post save)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "rise-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.6"}, "RULE-CVE-2025-0507-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:ticketmeo|ploxel|ticketix)\\\\b[^\\\\]]*(?:javascript\\\\s*:|data\\\\s*:|on(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|<script)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0507", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0507", "description": "Ticketmeo (ploxel) <=2.3.6 Stored XSS via shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ploxel", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.3.6"}, "RULE-CVE-2025-0507-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:ticketmeo|ploxel|ticketix)\\\\b[^\\\\]]*(?:javascript\\\\s*:|data\\\\s*:|on(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|<script)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0507", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0507", "description": "Ticketmeo (ploxel) <=2.3.6 Stored XSS via shortcode attributes in post_content param (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ploxel", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.3.6"}, "RULE-CVE-2025-0507-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:ticketmeo|ploxel|ticketix)\\\\b[^\\\\]]*(?:javascript\\\\s*:|data\\\\s*:|on(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|<script)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0507", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0507", "description": "Ticketmeo (ploxel) <=2.3.6 Stored XSS via shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ploxel", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.3.6"}, "RULE-CVE-2025-0511-01": {"ajax_action": "welcart_confirm_check", "conditions": [{"name": "ARGS:customer[name1]", "type": "detectXSS"}], "cve": "CVE-2025-0511", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0511", "description": "Welcart e-Commerce <=2.11.9 unauthenticated stored XSS via customer[name1] in welcart_confirm_check AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "usc-e-shop", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.9"}, "RULE-CVE-2025-0511-02": {"ajax_action": "welcart_confirm_check", "conditions": [{"name": "ARGS:customer[name2]", "type": "detectXSS"}], "cve": "CVE-2025-0511", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0511", "description": "Welcart e-Commerce <=2.11.9 unauthenticated stored XSS via customer[name2] in welcart_confirm_check AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "usc-e-shop", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.9"}, "RULE-CVE-2025-0511-03": {"action": "init", "conditions": [{"name": "ARGS:customer[name1]", "type": "detectXSS"}], "cve": "CVE-2025-0511", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0511", "description": "Welcart e-Commerce <=2.11.9 unauthenticated stored XSS via customer[name1] in front-end checkout form", "method": "POST", "mode": "block", "severity": 6.1, "slug": "usc-e-shop", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.9"}, "RULE-CVE-2025-0511-04": {"action": "init", "conditions": [{"name": "ARGS:customer[name2]", "type": "detectXSS"}], "cve": "CVE-2025-0511", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0511", "description": "Welcart e-Commerce <=2.11.9 unauthenticated stored XSS via customer[name2] in front-end checkout form", "method": "POST", "mode": "block", "severity": 6.1, "slug": "usc-e-shop", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.9"}, "RULE-CVE-2025-0682-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/wp-json/trx_addons/~i"}, {"name": "ARGS", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/])+|(?:php|data|expect|phar|zip|compress\\\\.zlib|file)://~i"}], "cve": "CVE-2025-0682", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15a9718f-f877-4e33-8f7a-950791c4ca85", "description": "ThemeREX Addons <= 2.33.0 path traversal and PHP wrapper abuse in REST API. Blocks directory traversal (../../) and PHP stream wrappers (php://, phar://, etc.) in any parameter sent to /wp-json/trx_addons/ endpoints. Covers CVE-2020-10257 RCE vector and CVE-2025-0682 shortcode LFI when accessed via REST.", "mode": "block", "severity": 8.8, "slug": "trx_addons", "tags": ["lfi", "path-traversal", "rest-api", "generic", "trx-addons"], "target": "plugin", "versions": "<=2.33.0"}, "RULE-CVE-2025-0682-02": {"action": "init", "conditions": [{"name": "ARGS:/^(type|layout|template|view|skin)$/", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}(?!(?:fonts|images|css|js|assets|vendor|dist|lib|node_modules|wp-content|wp-includes|uploads|components|templates|shortcodes)[\\\\/])|(?:php|phar|expect|zip|compress\\\\.zlib|data|file)://~i"}], "cve": "CVE-2025-0682", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15a9718f-f877-4e33-8f7a-950791c4ca85", "description": "ThemeREX Addons <= 2.33.0 path traversal in template selector parameters (type, layout, template, view, skin) across all entry points \\u2014 AJAX, shortcodes, REST, front-end template loaders. Fires on init hook for maximum coverage. Covers 190+ theme-level LFI CVEs from AncoraThemes, axiomthemes, ThemeREX.", "mode": "block", "severity": 8.1, "slug": "trx_addons", "tags": ["lfi", "path-traversal", "shortcode", "ajax", "generic", "trx-addons"], "target": "plugin", "versions": "<=2.33.0"}, "RULE-CVE-2025-0682-03": {"action": "init", "conditions": [{"name": "ARGS:/^(type|layout|template|view|skin)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log|(?:id_[rd]sa|authorized_keys))~i"}], "cve": "CVE-2025-0682", "cve_link": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15a9718f-f877-4e33-8f7a-950791c4ca85", "description": "ThemeREX Addons <= 2.33.0 defense-in-depth: block known sensitive file names in template selector parameters. Catches absolute path inclusion attempts without directory traversal (e.g., type=wp-config.php).", "mode": "block", "severity": 8.1, "slug": "trx_addons", "tags": ["lfi", "sensitive-file", "defense-in-depth", "trx-addons"], "target": "plugin", "versions": "<=2.33.0"}, "RULE-CVE-2025-0764-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(?:profile|user-edit)\\\\.php$~"}, {"name": "ARGS:data[avatar]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\\\\\/]){2,}~"}], "cve": "CVE-2025-0764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0764", "description": "wpForo Forum <=2.4.1 authenticated (Subscriber+) arbitrary file read via data[avatar] in profile update (wp-admin path)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpforo", "tags": ["arbitrary-file-read", "path-traversal", "improper-input-validation"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-0764-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(?:profile|user-edit)\\\\.php$~"}, {"name": "ARGS:data[avatar]", "type": "regex", "value": "~^\\\\s*(?:file|phar|php|zip|data|expect|glob)://~i"}], "cve": "CVE-2025-0764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0764", "description": "wpForo Forum <=2.4.1 authenticated (Subscriber+) arbitrary file read via data[avatar] local scheme in profile update (wp-admin path)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpforo", "tags": ["arbitrary-file-read", "local-file-inclusion", "improper-input-validation"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-0764-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(?:profile|user-edit)\\\\.php$~"}, {"name": "ARGS:data[avatar]", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log|/proc/self/)~i"}], "cve": "CVE-2025-0764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0764", "description": "wpForo Forum <=2.4.1 authenticated (Subscriber+) arbitrary file read via absolute path in data[avatar] profile update (wp-admin path)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpforo", "tags": ["arbitrary-file-read", "path-traversal", "improper-input-validation"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-0764-07": {"action": "init", "conditions": [{"name": "ARGS:data[avatar]", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\\\\\/]){2,}~"}], "cve": "CVE-2025-0764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0764", "description": "wpForo Forum <=2.4.1 authenticated (Subscriber+) arbitrary file read via data[avatar] path traversal in frontend profile update", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpforo", "tags": ["arbitrary-file-read", "path-traversal", "improper-input-validation"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-0764-08": {"action": "init", "conditions": [{"name": "ARGS:data[avatar]", "type": "regex", "value": "~^\\\\s*(?:file|phar|php|zip|data|expect|glob)://~i"}], "cve": "CVE-2025-0764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0764", "description": "wpForo Forum <=2.4.1 authenticated (Subscriber+) arbitrary file read via data[avatar] local scheme in frontend profile update", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpforo", "tags": ["arbitrary-file-read", "local-file-inclusion", "improper-input-validation"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-0764-09": {"action": "init", "conditions": [{"name": "ARGS:data[avatar]", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log|/proc/self/)~i"}], "cve": "CVE-2025-0764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0764", "description": "wpForo Forum <=2.4.1 authenticated (Subscriber+) arbitrary file read via absolute path in data[avatar] frontend profile update", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpforo", "tags": ["arbitrary-file-read", "path-traversal", "improper-input-validation"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-0804-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^clickwhale~"}, {"name": "ARGS:title", "type": "detectXSS"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0804", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0804", "description": "ClickWhale <=2.4.1 Stored XSS via link title on admin page", "method": "POST", "mode": "block", "severity": 5.4, "slug": "clickwhale", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-0805-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[mlcalc\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|expression\\\\s*\\\\()[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0805", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0805", "description": "Mortgage Calculator / Loan Calculator <=1.5.20 authenticated (Contributor+) Stored XSS via mlcalc shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mortgage-loan-calculator", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.5.20"}, "RULE-CVE-2025-0805-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mlcalc\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|expression\\\\s*\\\\()[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-0805", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0805", "description": "Mortgage Calculator / Loan Calculator <=1.5.20 authenticated (Contributor+) Stored XSS via mlcalc shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mortgage-loan-calculator", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.5.20"}, "RULE-CVE-2025-0808-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "houzez-property-feed-export"}, {"name": "ARGS:action", "type": "equals", "value": "deleteexport"}, {"name": "ARGS:export_id", "type": "exists"}], "cve": "CVE-2025-0808", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0808", "description": "Houzez Property Feed <=2.4.21 CSRF leading to property feed export deletion via deleteexport action", "method": "GET", "mode": "block", "severity": 5.4, "slug": "houzez-property-feed", "tags": ["csrf", "missing-nonce", "state-change"], "target": "plugin", "versions": "<=2.4.21"}, "RULE-CVE-2025-0821-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/bit-assist/v1/widget-channels/update-sequence(/|\\\\?|$)~"}, {"name": "ARGS:widgetChannels[*][id]", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2025-0821", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0821", "description": "Bit Assist <=1.5.2 authenticated (Subscriber+) SQL injection via widgetChannels[id] in update-sequence REST endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "bit-assist", "tags": ["sql-injection", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-0860-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:autor", "type": "detectXSS"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via autor parameter on vrfr_managefrases admin page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0860-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:frase", "type": "detectXSS"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via frase parameter on vrfr_managefrases admin page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0860-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:idfrase", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via idfrase parameter on vrfr_managefrases admin page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0860-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:aut", "type": "detectXSS"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via aut parameter on vrfr_managefrases admin page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0860-05": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:autor", "type": "detectXSS"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via autor parameter on vrfr_managefrases admin page (POST)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0860-06": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:frase", "type": "detectXSS"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via frase parameter on vrfr_managefrases admin page (POST)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0860-07": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:idfrase", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via idfrase parameter on vrfr_managefrases admin page (POST)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0860-08": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vrfr_managefrases"}, {"name": "ARGS:aut", "type": "detectXSS"}], "cve": "CVE-2025-0860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0860", "description": "VR-Frases <=3.0.1 Reflected XSS via aut parameter on vrfr_managefrases admin page (POST)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "vr-frases", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-0897-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[iframeBox\\\\b[^\\\\]]*\\\\battr\\\\s*=\\\\s*([\'\\"])(?:(?!\\\\1)[\\\\s\\\\S])*?\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0897", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0897", "description": "Modal Window <=6.1.5 Stored XSS via iframeBox shortcode attr parameter (post editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "modal-window", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-0897-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[iframeBox\\\\b[^\\\\]]*\\\\battr\\\\s*=\\\\s*[\'\\"][^\'\\"]*javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0897", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0897", "description": "Modal Window <=6.1.5 Stored XSS via iframeBox shortcode attr with javascript URI (post editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "modal-window", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-0897-03": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[iframeBox\\\\b[^\\\\]]*\\\\battr\\\\s*=\\\\s*[\'\\"][^\'\\"]*(?:expression|vbscript\\\\s*:|data\\\\s*:)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0897", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0897", "description": "Modal Window <=6.1.5 Stored XSS via iframeBox shortcode attr with data URI (post editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "modal-window", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-0897-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[iframeBox\\\\b[^\\\\]]*\\\\battr\\\\s*=\\\\s*([\'\\"])(?:(?!\\\\1)[\\\\s\\\\S])*?\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0897", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0897", "description": "Modal Window <=6.1.5 Stored XSS via iframeBox shortcode attr parameter (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "modal-window", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-0897-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[iframeBox\\\\b[^\\\\]]*\\\\battr\\\\s*=\\\\s*[\'\\"][^\'\\"]*(?:javascript\\\\s*:|expression|vbscript\\\\s*:|data\\\\s*:)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0897", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0897", "description": "Modal Window <=6.1.5 Stored XSS via iframeBox shortcode attr with javascript/data URI (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "modal-window", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-0912-01": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address[country]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-02": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address[address1]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-03": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address[address2]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-04": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address[city]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-05": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address[state]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-06": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:card_address[zip]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-07": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:firstName", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-08": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:lastName", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-09": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:card_address[country]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-10": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:card_address[address1]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-11": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:card_address[address2]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-12": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:card_address[city]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-13": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:card_address[state]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-14": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:card_address[zip]", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-15": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:firstName", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0912-16": {"action": "init", "conditions": [{"name": "ARGS:givewp-route", "type": "equals", "value": "donate"}, {"name": "ARGS:lastName", "type": "regex", "value": "~[OCoc]:\\\\+?\\\\d+:\\"~"}], "cve": "CVE-2025-0912", "method": "POST", "mode": "block", "severity": 9.8, "slug": "give", "target": "plugin", "versions": "<=3.19.4"}, "RULE-CVE-2025-0916-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~(?:<(?:script|iframe|svg|object|embed|form)[\\\\s/>]|\\\\bon(?:error|load|click|focus|mouseover|mouseenter)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-0916", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0916", "description": "YaySMTP <=2.6.3 stored XSS via comment body logged as email content without sanitization", "method": "POST", "mode": "block", "severity": 6.1, "slug": "yaysmtp", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": ">=2.4.9 <=2.6.3"}, "RULE-CVE-2025-0916-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-comments-post\\\\.php~"}, {"name": "ARGS:author", "type": "regex", "value": "~(?:<(?:script|iframe|svg|object|embed|form)[\\\\s/>]|\\\\bon(?:error|load|click|focus|mouseover|mouseenter)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-0916", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0916", "description": "YaySMTP <=2.6.3 stored XSS via comment author name logged as email content without sanitization", "method": "POST", "mode": "block", "severity": 6.1, "slug": "yaysmtp", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": ">=2.4.9 <=2.6.3"}, "RULE-CVE-2025-0924-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-login\\\\.php~"}, {"name": "ARGS:log", "type": "detectXSS"}], "cve": "CVE-2025-0924", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0924", "description": "WP Activity Log <=5.2.2 unauthenticated stored XSS via username field on login form", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wp-security-audit-log", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.2.2"}, "RULE-CVE-2025-0953-01": {"ajax_action": "_detail_email_logs", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0953", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0953", "description": "SMTP for Sendinblue YaySMTP <=1.2 unauthenticated stored XSS via email log detail", "method": "POST", "mode": "block", "severity": 6.1, "slug": "smtp-sendinblue", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2025-0953-02": {"ajax_action": "_email_logs", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0953", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0953", "description": "SMTP for Sendinblue YaySMTP <=1.2 unauthenticated stored XSS via email log list", "method": "POST", "mode": "block", "severity": 6.1, "slug": "smtp-sendinblue", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2025-0957-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "regex", "value": "~^yay_smtp_amazonses_email_logs$~"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2025-0957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0957", "description": "SMTP for Amazon SES <= 1.8 stored XSS via admin email logs list AJAX - attacker-controlled email content may be rendered in logs; block XSS markers in search parameter (s)", "method": "POST", "mode": "block", "severity": 7.2, "slug": "smtp-amazon-ses", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2025-0957-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "regex", "value": "~^yay_smtp_amazonses_detail_email_logs$~"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2025-0957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0957", "description": "SMTP for Amazon SES <= 1.8 stored XSS via admin email log detail AJAX - attacker-controlled email content may be rendered in log detail; block XSS markers in selector parameter (s)", "method": "POST", "mode": "block", "severity": 7.2, "slug": "smtp-amazon-ses", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2025-0968-01": {"ajax_action": "get_megamenu_content", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-0968", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0968", "description": "ElementsKit Elementor Addons <=3.4.0 unauthenticated sensitive information exposure via get_megamenu_content AJAX (POST)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "elementskit-lite", "tags": ["missing-authorization", "information-exposure", "unauthenticated"], "target": "plugin", "versions": "<=3.4.0"}, "RULE-CVE-2025-0968-02": {"ajax_action": "get_megamenu_content", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-0968", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0968", "description": "ElementsKit Elementor Addons <=3.4.0 unauthenticated sensitive information exposure via get_megamenu_content AJAX (GET)", "method": "GET", "mode": "block", "severity": 5.3, "slug": "elementskit-lite", "tags": ["missing-authorization", "information-exposure", "unauthenticated"], "target": "plugin", "versions": "<=3.4.0"}, "RULE-CVE-2025-0969-01": {"ajax_action": "brizy_get_users", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-0969", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-0969", "description": "Brizy Page Builder <=2.7.16 authenticated sensitive information exposure via brizy_get_users AJAX action", "mode": "block", "severity": 6.5, "slug": "brizy", "tags": ["missing-authorization", "sensitive-information-exposure", "broken-access-control"], "target": "plugin", "versions": "<=2.7.16"}, "RULE-CVE-2025-10000-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/qyrr/v1/blob-to-file(/|\\\\?|$)~"}, {"name": "ARGS:source", "type": "regex", "value": "~data:[^;]*(?:ph(?:p\\\\d?|s|tml?|t|ar)|s?html?|cgi|aspx?|jsp|jspx?|cfm|phtml|user\\\\.ini|htaccess|htpasswd)[^;]*;base64~i"}], "cve": "CVE-2025-10000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10000", "description": "Qyrr - simply and modern QR-Code creation <=2.0.7 authenticated (Contributor+) arbitrary file upload via blob-to-file REST endpoint", "method": "POST", "mode": "block", "severity": 6.4, "slug": "qyrr-code", "tags": ["arbitrary-file-upload", "unrestricted-file-type", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.0.7"}, "RULE-CVE-2025-10000-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/qyrr/v1/blob-to-file(/|\\\\?|$)~"}, {"name": "ARGS:format", "type": "regex", "value": "~^(?:\\\\.)?(?:ph(?:p\\\\d?|s|tml?|t|ar|gif)|phtml|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini|htaccess|htpasswd)$~i"}], "cve": "CVE-2025-10000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10000", "description": "Qyrr - simply and modern QR-Code creation <=2.0.7 authenticated (Contributor+) arbitrary file upload via blob-to-file REST endpoint - format parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "qyrr-code", "tags": ["arbitrary-file-upload", "unrestricted-file-type", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.0.7"}, "RULE-CVE-2025-10002-01": {"ajax_action": "clickwhale/admin/export_csv", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2025-10002", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10002", "description": "ClickWhale <=2.5.0 authenticated SQL injection via id parameter in export_csv AJAX handler", "mode": "block", "severity": 4.9, "slug": "clickwhale", "tags": ["sql-injection", "authenticated", "csv-export"], "target": "plugin", "versions": "<=2.5.0"}, "RULE-CVE-2025-10008-01": {"action": "init", "conditions": [{"name": "ARGS:_weglot_clean_cache_cdn", "type": "equals", "value": "true"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10008", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10008", "description": "Weglot <=5.1 unauthenticated transient deletion via _weglot_clean_cache_cdn parameter (missing authorization)", "mode": "block", "severity": 5.3, "slug": "weglot", "tags": ["missing-authorization", "unauthenticated", "transient-deletion"], "target": "plugin", "versions": "<=5.1"}, "RULE-CVE-2025-10036-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-image-from-url/v2/list_all_fifu(/|\\\\?|$)~"}, {"name": "ARGS:keyword", "type": "regex", "value": "~(?:[\'\\"]\\\\s*\\\\b(?:OR|AND)\\\\b\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+)|(?:\\\\bUNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\b)|(?:\\\\bSELECT\\\\s+.+\\\\bFROM\\\\b)|(?:\\\\b(?:INSERT|UPDATE|DELETE|DROP|ALTER|EXEC)\\\\b(?=.*(?:[\'\\"`;]|--\\\\s|/\\\\*)))|(?:;|--\\\\s|/\\\\*)|(?:\\\\bSLEEP\\\\s*\\\\()|(?:\\\\bBENCHMARK\\\\s*\\\\()|(?:\\\\bEXTRACTVALUE\\\\b)|(?:\\\\bUPDATEXML\\\\b)~i"}], "cve": "CVE-2025-10036", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10036", "description": "Featured Image from URL (FIFU) <=5.2.7 authenticated SQL injection via keyword parameter in list_all_fifu REST endpoint", "method": "GET", "mode": "block", "severity": 4.9, "slug": "featured-image-from-url", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-10036-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-image-from-url/v2/list_all_fifu(/|\\\\?|$)~"}, {"name": "ARGS:type", "type": "regex", "value": "~(?:[\'\\"]\\\\s*(?:OR|AND|UNION|;|--|#))|(?:SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|IF\\\\s*\\\\()|(?:\\\\b(?:ASC|DESC)\\\\b\\\\s*,\\\\s*\\\\()|(?:\\\\)\\\\s*(?:OR|AND|UNION))~i"}], "cve": "CVE-2025-10036", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10036", "description": "Featured Image from URL (FIFU) <=5.2.7 authenticated SQL injection via type parameter in list_all_fifu REST endpoint", "method": "GET", "mode": "block", "severity": 4.9, "slug": "featured-image-from-url", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-10036-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-image-from-url/v2/list_all_media_library(/|\\\\?|$)~"}, {"name": "ARGS:keyword", "type": "regex", "value": "~(?:[\'\\"]\\\\s*\\\\b(?:OR|AND)\\\\b\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+)|(?:\\\\bUNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\b)|(?:\\\\bSELECT\\\\s+.+\\\\bFROM\\\\b)|(?:\\\\b(?:INSERT|UPDATE|DELETE|DROP|ALTER|EXEC)\\\\b(?=.*(?:[\'\\"`;]|--\\\\s|/\\\\*)))|(?:;|--\\\\s|/\\\\*)|(?:\\\\bSLEEP\\\\s*\\\\()|(?:\\\\bBENCHMARK\\\\s*\\\\()|(?:\\\\bEXTRACTVALUE\\\\b)|(?:\\\\bUPDATEXML\\\\b)~i"}], "cve": "CVE-2025-10036", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10036", "description": "Featured Image from URL (FIFU) <=5.2.7 authenticated SQL injection via keyword parameter in list_all_media_library REST endpoint", "method": "GET", "mode": "block", "severity": 4.9, "slug": "featured-image-from-url", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-10036-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-image-from-url/v2/list_all_media_library(/|\\\\?|$)~"}, {"name": "ARGS:type", "type": "regex", "value": "~(?:[\'\\"]\\\\s*(?:OR|AND|UNION|;|--|#))|(?:SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|IF\\\\s*\\\\()|(?:\\\\b(?:ASC|DESC)\\\\b\\\\s*,\\\\s*\\\\()|(?:\\\\)\\\\s*(?:OR|AND|UNION))~i"}], "cve": "CVE-2025-10036", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10036", "description": "Featured Image from URL (FIFU) <=5.2.7 authenticated SQL injection via type parameter in list_all_media_library REST endpoint", "method": "GET", "mode": "block", "severity": 4.9, "slug": "featured-image-from-url", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-10039-01": {"ajax_action": "eh_crm_ticket_single_view_client", "conditions": [{"name": "ARGS:ticket_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10039", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10039", "description": "ELEX WordPress HelpDesk & Customer Ticketing System <=3.2.9 IDOR via eh_crm_ticket_single_view_client allows Subscriber+ to read any ticket", "method": "POST", "mode": "block", "severity": 4.3, "slug": "elex-helpdesk-customer-support-ticket-system", "tags": ["idor", "missing-authorization", "insecure-direct-object-reference", "information-disclosure"], "target": "plugin", "versions": "<=3.2.9"}, "RULE-CVE-2025-10045-01": {"action": "admin_init", "conditions": [{"name": "ARGS:order", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-10045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10045", "description": "onOffice for WP-Websites <=6.5.1 authenticated SQL injection via order parameter in ORDER BY clause", "method": "GET", "mode": "block", "severity": 4.9, "slug": "onoffice-for-wp-websites", "tags": ["sql-injection", "authenticated", "order-by-injection"], "target": "plugin", "versions": "<=6.5.1"}, "RULE-CVE-2025-10045-02": {"action": "admin_init", "conditions": [{"name": "ARGS:orderby", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-10045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10045", "description": "onOffice for WP-Websites <=6.5.1 authenticated SQL injection via orderby parameter in ORDER BY clause", "method": "GET", "mode": "block", "severity": 4.9, "slug": "onoffice-for-wp-websites", "tags": ["sql-injection", "authenticated", "order-by-injection"], "target": "plugin", "versions": "<=6.5.1"}, "RULE-CVE-2025-10048-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^gjmaa_~"}, {"name": "ARGS:order", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\(|\\\\b(?:ASC|DESC)\\\\s*(?:--|#))~i"}], "cve": "CVE-2025-10048", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10048", "description": "My Auctions Allegro <=3.6.31 authenticated SQL injection via order parameter in admin list table", "method": "GET", "mode": "block", "severity": 4.9, "slug": "my-auctions-allegro-free-edition", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=3.6.31"}, "RULE-CVE-2025-10048-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^gjmaa_~"}, {"name": "ARGS:orderby", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\(|\\\\b(?:ASC|DESC)\\\\s*(?:--|#))~i"}], "cve": "CVE-2025-10048", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10048", "description": "My Auctions Allegro <=3.6.31 authenticated SQL injection via orderby parameter in admin list table", "method": "GET", "mode": "block", "severity": 4.9, "slug": "my-auctions-allegro-free-edition", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=3.6.31"}, "RULE-CVE-2025-10049-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "responsive_portfolio_with_lightbox_media_management"}, {"name": "ARGS:HdnMediaSelection", "type": "regex", "value": "~\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|cgi|asp|aspx|jsp|jspx|cfm|shtml)(?:\\\\?|%3[Ff]|%00|$)~i"}], "cve": "CVE-2025-10049", "method": "POST", "mode": "block", "severity": 7.2, "slug": "responsive-filterable-portfolio", "target": "plugin", "versions": "<=1.0.24"}, "RULE-CVE-2025-10124-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[booking-manager-delete\\\\b~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10124", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10124", "description": "Booking Manager <=2.1.14 unauthorized booking deletion via [booking-manager-delete] shortcode injection in Classic Editor post save", "method": "POST", "mode": "block", "severity": 4.5, "slug": "booking-manager", "tags": ["incorrect-authorization", "shortcode", "broken-access-control"], "target": "plugin", "versions": "<=2.1.14"}, "RULE-CVE-2025-10125-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[row\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-10125", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10125", "description": "Memberlite Shortcodes <=1.4 Stored XSS via [row] shortcode class attribute in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "memberlite-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.4"}, "RULE-CVE-2025-10125-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[row\\\\b[^\\\\]]*<(?:script|img|svg|iframe|object|embed|details|math)~i"}], "cve": "CVE-2025-10125", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10125", "description": "Memberlite Shortcodes <=1.4 Stored XSS via [row] shortcode class attribute with script/tag injection (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "memberlite-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.4"}, "RULE-CVE-2025-10125-03": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[row\\\\b[^\\\\]]*javascript\\\\s*:~i"}], "cve": "CVE-2025-10125", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10125", "description": "Memberlite Shortcodes <=1.4 Stored XSS via [row] shortcode class attribute with javascript: URI (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "memberlite-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.4"}, "RULE-CVE-2025-10125-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[row\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-10125", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10125", "description": "Memberlite Shortcodes <=1.4 Stored XSS via [row] shortcode class attribute event handler injection (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "memberlite-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.4"}, "RULE-CVE-2025-10125-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[row\\\\b[^\\\\]]*<(?:script|img|svg|iframe|object|embed|details|math)~i"}], "cve": "CVE-2025-10125", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10125", "description": "Memberlite Shortcodes <=1.4 Stored XSS via [row] shortcode class attribute script/tag injection (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "memberlite-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.4"}, "RULE-CVE-2025-10125-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[row\\\\b[^\\\\]]*javascript\\\\s*:~i"}], "cve": "CVE-2025-10125", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10125", "description": "Memberlite Shortcodes <=1.4 Stored XSS via [row] shortcode class attribute javascript: URI (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "memberlite-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.4"}, "RULE-CVE-2025-10136-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[tweetthis~i"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[tweetthis[\\\\s\\\\S]*?(?:<script|on[a-z0-9_:-]+\\\\s*=|javascript\\\\s*:)[\\\\s\\\\S]*?\\\\[/tweetthis\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-10136", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10136", "description": "TweetThis Shortcode <=1.8.0 Authenticated (Contributor+) Stored XSS via tweetthis shortcode attributes and content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tweetthis-shortcode", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.8.0"}, "RULE-CVE-2025-10141-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ds\\\\s[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<svg|<img\\\\s[^>]*onerror|<iframe)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-10141", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10141", "description": "Digiseller <=1.3 Stored XSS via [ds] shortcode attributes in post content (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "digiseller", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-10141-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ds\\\\s[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<svg|<img\\\\s[^>]*onerror|<iframe)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-10141", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10141", "description": "Digiseller <=1.3 Stored XSS via [ds] shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "digiseller", "tags": ["xss", "stored-xss", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-10143-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[catch_dark_mode\\\\b[^\\\\]]*style\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:\\\\.\\\\.[\\\\\\\\/])[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10143", "description": "Catch Dark Mode <=2.0 authenticated (Contributor+) local file inclusion via catch_dark_mode shortcode style attribute in post content", "method": "POST", "mode": "block", "severity": 7.5, "slug": "catch-dark-mode", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-10143-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[catch_dark_mode\\\\b[^\\\\]]*style\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:\\\\.\\\\.[\\\\\\\\/])[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10143", "description": "Catch Dark Mode <=2.0 authenticated (Contributor+) local file inclusion via catch_dark_mode shortcode style attribute in REST API post content", "method": "POST", "mode": "block", "severity": 7.5, "slug": "catch-dark-mode", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-10147-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/podlove/v2/image(/|\\\\?|$)~"}, {"name": "ARGS:url", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm)(?:[?#]|$)~i"}], "cve": "CVE-2025-10147", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10147", "description": "Podlove Podcast Publisher <=4.2.6 unauthenticated arbitrary file upload via REST API image endpoint (url parameter)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "podlove-podcasting-plugin-for-wordpress", "tags": ["arbitrary-file-upload", "unauthenticated", "rest-api", "file-upload"], "target": "plugin", "versions": "<=4.2.6"}, "RULE-CVE-2025-10162-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wooconvo/v1/download-file(/|\\\\?|&|$)~"}, {"name": "ARGS:filename", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|(?:^|[\\\\\\\\/])\\\\.htaccess(?:$|[\\\\\\\\/])|(?:^|[\\\\\\\\/])\\\\.env(?:$|[\\\\\\\\/])|(?:^|[\\\\\\\\/])debug\\\\.log(?:$|[\\\\\\\\/])|(?:^|[\\\\\\\\/])error_log(?:$|[\\\\\\\\/])))~i"}], "cve": "CVE-2025-10162", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10162", "description": "Admin and Customer Messages After Order for WooCommerce <=13.5 unauthenticated path traversal via REST download-file endpoint", "method": "GET", "mode": "block", "severity": 7.5, "slug": "admin-and-client-message-after-order-for-woocommerce", "tags": ["path-traversal", "local-file-inclusion", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=13.5"}, "RULE-CVE-2025-10163-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[catlist\\\\b[^\\\\]]*starting_with\\\\s*=\\\\s*([\\"\'])(?:(?:\\\\\\\\.|(?!\\\\1).)*)?(?:SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|UNION\\\\s+(?:ALL\\\\s+)?SELECT|AND\\\\s+\\\\(?\\\\s*SELECT|OR\\\\s+\\\\(?\\\\s*SELECT|INTO\\\\s+(?:OUT|DUMP)FILE)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10163", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10163", "description": "List Category Posts <=0.91.0 authenticated SQL injection via catlist shortcode starting_with attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.5, "slug": "list-category-posts", "tags": ["sql-injection", "shortcode", "authenticated"], "target": "plugin", "versions": "<=0.91.0"}, "RULE-CVE-2025-10163-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[catlist\\\\b[^\\\\]]*starting_with\\\\s*=\\\\s*([\\"\'])(?:(?:\\\\\\\\.|(?!\\\\1).)*)?(?:SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|UNION\\\\s+(?:ALL\\\\s+)?SELECT|AND\\\\s+\\\\(?\\\\s*SELECT|OR\\\\s+\\\\(?\\\\s*SELECT|INTO\\\\s+(?:OUT|DUMP)FILE)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10163", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10163", "description": "List Category Posts <=0.91.0 authenticated SQL injection via catlist shortcode starting_with attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.5, "slug": "list-category-posts", "tags": ["sql-injection", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=0.91.0"}, "RULE-CVE-2025-10166-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:blogger|bookhype|colourlovers|deviantart|dribbble|etsy|facebook|flickr|flipboard|github|goodreads|hackernews|imdb|instagram|lastfm|linkedin|myspace|patreon|pinterest|reddit|slideshare|spacehey|soundcloud|tiktok|twitch|twitter|vimeo|x|yelp|youtube)\\\\s[^\\\\]]*(?:<[a-z/!]|on[a-z]+=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-10166", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10166", "description": "Social Media Shortcodes <=1.3.1 Stored XSS via shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "social-media-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.3.1"}, "RULE-CVE-2025-10166-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:blogger|bookhype|colourlovers|deviantart|dribbble|etsy|facebook|flickr|flipboard|github|goodreads|hackernews|imdb|instagram|lastfm|linkedin|myspace|patreon|pinterest|reddit|slideshare|spacehey|soundcloud|tiktok|twitch|twitter|vimeo|x|yelp|youtube)\\\\s[^\\\\]]*(?:<[a-z/!]|on[a-z]+=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-10166", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10166", "description": "Social Media Shortcodes <=1.3.1 Stored XSS via shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "social-media-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.3.1"}, "RULE-CVE-2025-10167-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "contains", "value": "[alg_wc_stock_snapshot_restocked"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[alg_wc_stock_snapshot_restocked\\\\s[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<svg|<iframe|<img[^>]+onerror)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-10167", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10167", "description": "Stock History & Reports Manager for WooCommerce <=2.2.2 Stored XSS via [alg_wc_stock_snapshot_restocked] shortcode in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "stock-snapshot-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.2.2"}, "RULE-CVE-2025-10167-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "[alg_wc_stock_snapshot_restocked"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[alg_wc_stock_snapshot_restocked\\\\s[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<svg|<iframe|<img[^>]+onerror)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-10167", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10167", "description": "Stock History & Reports Manager for WooCommerce <=2.2.2 Stored XSS via [alg_wc_stock_snapshot_restocked] shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "stock-snapshot-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.2.2"}, "RULE-CVE-2025-10181-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[drafts\\\\b[^\\\\]]*template\\\\s*=\\\\s*(?:([\'\\"])(?:(?!\\\\1).)*(?:<script|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)(?:(?!\\\\1).)*\\\\1|[^\\\\s\\\\]]*(?:<script|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)[^\\\\s\\\\]]*)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-10181", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10181", "description": "Draft List <=2.6 authenticated (Contributor+) stored XSS via drafts shortcode template attribute", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-draft-list", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.6"}, "RULE-CVE-2025-10186-01": {"ajax_action": "remove_row", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10186", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10186", "description": "WhyDonate <=4.0.15 unauthorized deletion of wp_wdplugin_style rows via remove_row AJAX action", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-whydonate", "tags": ["missing-authorization", "unauthenticated", "data-deletion"], "target": "plugin", "versions": "<=4.0.15"}, "RULE-CVE-2025-10187-01": {"ajax_action": "wpgsp_apply_ajax_save", "conditions": [{"name": "ARGS:field", "type": "regex", "value": "~(?:[`()=;]|\\\\b(?:SELECT|UNION|INSERT|UPDATE|DELETE|DROP|SLEEP|IF|FROM|WHERE|OR|AND)\\\\b|--)~i"}], "cve": "CVE-2025-10187", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10187", "description": "GSpeech TTS <=3.17.13 authenticated SQL injection via field parameter in wpgsp_apply_ajax_save", "method": "POST", "mode": "block", "severity": 4.9, "slug": "gspeech", "tags": ["sql-injection", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=3.17.13"}, "RULE-CVE-2025-10299-01": {"ajax_action": "ctl_create_link", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10299", "mode": "block", "severity": 8.8, "slug": "create-temporary-login", "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2025-10303-01": {"ajax_action": "owt_lib_handler", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:module", "type": "exists"}, {"name": "ARGS:get_option", "type": "exists"}], "cve": "CVE-2025-10303", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10303", "description": "Library Management System <=3.1 missing authorization on owt_lib_handler AJAX action allows subscriber+ to modify settings and data", "method": "POST", "mode": "block", "severity": 4.3, "slug": "library-management-system", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-10307-01": {"ajax_action": "backuply_multi_backup_delete", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\/\\\\\\\\]){2,}|(?:\\\\.\\\\.%2[fF]|\\\\.\\\\.%5[cC]|%2[eE]%2[eE]%2[fF]|%2[eE]%2[eE]%5[cC]))~"}], "cve": "CVE-2025-10307", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10307", "description": "Backuply <=1.4.8 Authenticated (Admin+) Arbitrary File Deletion via path traversal in backuply_multi_backup_delete AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "backuply", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.4.8"}, "RULE-CVE-2025-10307-02": {"ajax_action": "backuply_download_backup", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\/\\\\\\\\]){2,}|(?:\\\\.\\\\.%2[fF]|\\\\.\\\\.%5[cC]|%2[eE]%2[eE]%2[fF]|%2[eE]%2[eE]%5[cC]))~"}], "cve": "CVE-2025-10307", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10307", "description": "Backuply <=1.4.8 Authenticated (Admin+) Arbitrary File Read via path traversal in backuply_download_backup AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "backuply", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=1.4.8"}, "RULE-CVE-2025-10310-01": {"ajax_action": "easysnippetGet", "conditions": [{"name": "ARGS:last", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}, {"name": "ARGS:last", "type": "regex", "value": "~(?i)(?:(?:[\'\\\\\\"]\\\\s*)?\\\\b(?:OR|AND|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|HAVING|ORDER\\\\s+BY|GROUP\\\\s+BY|SLEEP|BENCHMARK|WAITFOR|EXTRACTVALUE|UPDATEXML|LOAD_FILE)\\\\b|(?:--\\\\s*$)|(?:/\\\\*)|(?:;\\\\s*(?:SELECT|DROP|INSERT|UPDATE|DELETE)))~"}], "cve": "CVE-2025-10310", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10310", "description": "Rich Snippet Site Report <=2.0.0105 authenticated SQL injection via last parameter in easysnippetGet AJAX handler", "method": "POST", "mode": "block", "severity": 4.9, "slug": "easysnippet", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=2.0.0105"}, "RULE-CVE-2025-10380-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/acf-views/~"}, {"name": "ARGS", "type": "regex", "value": "~constant\\\\s*\\\\(\\\\s*[\'\\"](?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|pcntl_exec|call_user_func|call_user_func_array)[\'\\"]~i"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig template injection on REST API save endpoint - constant() function abuse", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-10380-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/acf-views/~"}, {"name": "ARGS", "type": "regex", "value": "~\\\\|\\\\s*(?:filter|map|reduce|sort)\\\\s*\\\\(\\\\s*[\'\\"](?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|pcntl_exec)[\'\\"]~i"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig filter chaining with dangerous PHP callables on REST API", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-10380-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/acf-views/~"}, {"name": "ARGS", "type": "regex", "value": "~_self\\\\s*\\\\.\\\\s*env\\\\s*\\\\.\\\\s*(?:registerUndefinedFilterCallback|registerUndefinedFunctionCallback|getFilter|getFunction)~i"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig _self.env callback registration on REST API", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-10380-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS", "type": "regex", "value": "~constant\\\\s*\\\\(\\\\s*[\'\\"](?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|pcntl_exec|call_user_func|call_user_func_array)[\'\\"]~i"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig template injection on post.php save - constant() function abuse", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-10380-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS", "type": "regex", "value": "~\\\\|\\\\s*(?:filter|map|reduce|sort)\\\\s*\\\\(\\\\s*[\'\\"](?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|pcntl_exec)[\'\\"]~i"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig filter chaining on post.php save", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-10380-06": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS", "type": "regex", "value": "~_self\\\\s*\\\\.\\\\s*env\\\\s*\\\\.\\\\s*(?:registerUndefinedFilterCallback|registerUndefinedFunctionCallback|getFilter|getFunction)~i"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig _self.env callback registration on post.php save", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-10380-07": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/acf-views/~"}, {"name": "ARGS", "type": "regex", "value": "~\\\\{[%{](?:(?![%}]\\\\}).)*\\\\b(?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|pcntl_exec|phpinfo|file_get_contents|file_put_contents|fopen)\\\\s*\\\\((?:(?![%}]\\\\}).)*[%}]\\\\}~is"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig template with dangerous PHP functions in Twig delimiters on REST API", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-10380-08": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS", "type": "regex", "value": "~\\\\{[%{](?:(?![%}]\\\\}).)*\\\\b(?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|pcntl_exec|phpinfo|file_get_contents|file_put_contents|fopen)\\\\s*\\\\((?:(?![%}]\\\\}).)*[%}]\\\\}~is"}], "cve": "CVE-2025-10380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10380", "description": "Advanced Views <=3.7.19 authenticated (Author+) SSTI/RCE via Twig template with dangerous PHP functions in Twig delimiters on post.php save", "method": "POST", "mode": "block", "severity": 8.8, "slug": "acf-views", "tags": ["ssti", "remote-code-execution", "twig-template-injection"], "target": "plugin", "versions": "<=3.7.19"}, "RULE-CVE-2025-1043-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[embeddoc[^\\\\]]*\\\\surl\\\\s*=\\\\s*[\\"\']?\\\\s*(?:(?:https?://)?(?:127\\\\.(?:0\\\\.){2}(?:0\\\\.)?1|10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|192\\\\.168\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|169\\\\.254\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|0\\\\.0\\\\.0\\\\.0|localhost|\\\\[?::1\\\\]?|\\\\[?::ffff:127\\\\.0\\\\.0\\\\.1\\\\]?|0x[0-9a-fA-F]+|0[0-7]+|[0-9]{8,10})(?:[:/]|\\\\]|\\\\s|$)|(?:file|gopher|dict|ftp|ldap|tftp)://)~i"}], "cve": "CVE-2025-1043", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1043", "description": "Embed Any Document <=2.7.5 authenticated (Contributor+) blind SSRF via [embeddoc] shortcode in post_content stored through classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "embed-any-document", "tags": ["ssrf", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2025-1043-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[embeddoc[^\\\\]]*\\\\surl\\\\s*=\\\\s*[\\"\']?\\\\s*(?:(?:https?://)?(?:127\\\\.(?:0\\\\.){2}(?:0\\\\.)?1|10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|192\\\\.168\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|169\\\\.254\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|0\\\\.0\\\\.0\\\\.0|localhost|\\\\[?::1\\\\]?|\\\\[?::ffff:127\\\\.0\\\\.0\\\\.1\\\\]?|0x[0-9a-fA-F]+|0[0-7]+|[0-9]{8,10})(?:[:/]|\\\\]|\\\\s|$)|(?:file|gopher|dict|ftp|ldap|tftp)://)~i"}], "cve": "CVE-2025-1043", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1043", "description": "Embed Any Document <=2.7.5 authenticated (Contributor+) blind SSRF via [embeddoc] shortcode in content stored through REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "embed-any-document", "tags": ["ssrf", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2025-10476-01": {"ajax_action": "wpfc_db_fix", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10476", "mode": "block", "severity": 4.3, "slug": "wp-fastest-cache", "target": "plugin", "versions": "<=1.4.0"}, "RULE-CVE-2025-10487-01": {"ajax_action": "advads_ad_select", "conditions": [{"name": "ARGS:ad_method", "type": "regex", "value": "~^(?!ad$|group$|placement$|id$).+~"}], "cve": "CVE-2025-10487", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10487", "description": "Advanced Ads <=2.0.12 unauthenticated limited RCE via ad_method parameter in advads_ad_select AJAX handler", "mode": "block", "severity": 7.3, "slug": "advanced-ads", "tags": ["code-injection", "unauthenticated", "function-injection"], "target": "plugin", "versions": "<=2.0.12"}, "RULE-CVE-2025-10567-01": {"ajax_action": "get_gutenberg_checkout_from_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<(script|img|svg|iframe|details|embed|object|math|video|audio|body|input|button|select|textarea|form|marquee|isindex|meta|link|style|base|source|applet)[\\\\s/>]|\\\\bon(error|load|click|mouse\\\\w+|focus|blur|toggle|resize|submit|change|input|key\\\\w+|touch\\\\w+)\\\\s*=~i"}], "cve": "CVE-2025-10567", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10567", "description": "FunnelKit <=3.12.0 reflected XSS via unsanitized checkout text fields in get_gutenberg_checkout_from_data AJAX handler", "method": "POST", "mode": "block", "severity": 6.3, "slug": "funnel-builder", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.12.0"}, "RULE-CVE-2025-10570-01": {"ajax_action": "fr_refund_request", "conditions": [{"name": "ARGS:order_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10570", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10570", "description": "Flexible Refund and Return Order for WooCommerce <=1.0.38 missing authorization on fr_refund_request AJAX action allows subscriber+ IDOR refund requests", "method": "POST", "mode": "block", "severity": 4.3, "slug": "flexible-refund-and-return-order-for-woocommerce", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=1.0.38"}, "RULE-CVE-2025-10579-01": {"ajax_action": "backwpup_working", "conditions": [{"name": "ARGS:jobid", "type": "regex", "value": "~^\\\\d+$~"}, {"type": "missing_capability", "value": "backwpup"}], "cve": "CVE-2025-10579", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10579", "description": "BackWPup <=5.5.0 missing authorization on backwpup_working AJAX action exposes backup filename to low-privilege users", "mode": "block", "severity": 5.3, "slug": "backwpup", "tags": ["missing-authorization", "information-exposure", "broken-access-control"], "target": "plugin", "versions": "<=5.5.0"}, "RULE-CVE-2025-10580-01": {"ajax_action": "widgetopts_ajax_settings", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<[^>]*\\\\bon\\\\w+\\\\s*=|<\\\\s*(?:script|img|svg|iframe)\\\\b|javascript\\\\s*:)~i"}], "cve": "CVE-2025-10580", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10580", "description": "Widget Options <=4.1.2 Stored XSS via widgetopts_ajax_settings widget option save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "widget-options", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=4.1.2"}, "RULE-CVE-2025-10580-02": {"ajax_action": "widgetopts_migrator", "conditions": [{"name": "ARGS:single_sidebar", "type": "detectXSS"}], "cve": "CVE-2025-10580", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10580", "description": "Widget Options <=4.1.2 Stored XSS via widgetopts_migrator single_sidebar parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "widget-options", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=4.1.2"}, "RULE-CVE-2025-10587-01": {"action": "init", "conditions": [{"name": "ARGS:event_name", "type": "exists"}, {"name": "ARGS:event_category", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-10587", "method": "POST", "mode": "block", "severity": 9.8, "slug": "community-events", "target": "plugin", "versions": "<=1.5.1"}, "RULE-CVE-2025-10587-02": {"action": "init", "conditions": [{"name": "ARGS:event_name", "type": "exists"}, {"name": "ARGS:event_venue", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-10587", "method": "POST", "mode": "block", "severity": 9.8, "slug": "community-events", "target": "plugin", "versions": "<=1.5.1"}, "RULE-CVE-2025-1063-01": {"ajax_action": "rtcl_taxonomy_settings_export", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-1063", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1063", "description": "Classified Listing <=4.0.4 unauthenticated settings exposure via rtcl_taxonomy_settings_export AJAX action", "mode": "block", "severity": 5.3, "slug": "classified-listing", "tags": ["missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=4.0.4"}, "RULE-CVE-2025-1064-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[xoo_el_action\\\\b[^\\\\]]*change_to\\\\s*=\\\\s*[\\"\']?\\\\s*(?:javascript|data|vbscript)\\\\s*:~i"}], "cve": "CVE-2025-1064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1064", "description": "Login/Signup Popup <= 2.8.5 Stored XSS via xoo_el_action shortcode change_to attribute (javascript:/data: URI injection in href)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "easy-login-woocommerce", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.8.5"}, "RULE-CVE-2025-1064-02": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[xoo_el_action\\\\b[^\\\\]]*change_to\\\\s*=\\\\s*[\\"\']?\\\\s*(?:javascript|data|vbscript)\\\\s*:~i"}], "cve": "CVE-2025-1064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1064", "description": "Login/Signup Popup <= 2.8.5 Stored XSS via xoo_el_action shortcode change_to attribute (Gutenberg REST API content field)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "easy-login-woocommerce", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.8.5"}, "RULE-CVE-2025-10645-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]wp-reset[/\\\\\\\\](?:.*/)?wf-licensing\\\\.log([?#]|$)~i"}], "cve": "CVE-2025-10645", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10645", "description": "WP Reset <=2.05 unauthenticated sensitive information exposure via wf-licensing.log direct file access", "method": "GET", "mode": "block", "severity": 5.3, "slug": "wp-reset", "tags": ["information-disclosure", "sensitive-log-file", "unauthenticated"], "target": "plugin", "versions": "<=2.05"}, "RULE-CVE-2025-10647-01": {"ajax_action": "epdf_wf_download_pdf_media", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~(?:\\\\.|%2e)(?:ph(?:p\\\\d*|ar|ps|t|tml?)|phtml)(?:\\\\?|#|$)~i"}], "cve": "CVE-2025-10647", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10647", "description": "Embed PDF for WPForms <=1.1.5 arbitrary file upload via dangerous file extension in url parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "embed-pdf-wpforms", "tags": ["arbitrary-file-upload", "dangerous-file-type", "authenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-10649-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^usces_(?:orderlist|memberlist|itemedit)$~"}, {"name": "REQUEST_COOKIES:usces_cookie", "type": "regex", "value": "~(?:sortColumn|sortSwitchs)[^;]*(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CONCAT|BENCHMARK|SLEEP|ORDER\\\\s+BY|AND\\\\s+|OR\\\\s+[\\\\d\\"\\\\\']|[\\\\\'\\\\\\"]\\\\s*(?:--|#))~i"}], "cve": "CVE-2025-10649", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10649", "description": "Welcart e-Commerce <=2.11.21 authenticated (Author+) SQL injection via usces_cookie sortColumn/sortSwitchs in admin list pages", "method": "GET", "mode": "block", "severity": 6.5, "slug": "usc-e-shop", "tags": ["sql-injection", "cookie-injection", "authenticated"], "target": "plugin", "versions": "<=2.11.21"}, "RULE-CVE-2025-1065-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "visualizer"}, {"name": "ARGS:type", "type": "detectXSS"}], "cve": "CVE-2025-1065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1065", "description": "Visualizer: Tables and Charts Manager for WordPress <=3.11.8 Reflected XSS via type parameter on library display", "mode": "block", "severity": 6.4, "slug": "visualizer", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.11.8"}, "RULE-CVE-2025-1065-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "visualizer"}, {"name": "ARGS:library", "type": "detectXSS"}], "cve": "CVE-2025-1065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1065", "description": "Visualizer: Tables and Charts Manager for WordPress <=3.11.8 Reflected XSS via library parameter on library display", "mode": "block", "severity": 6.4, "slug": "visualizer", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.11.8"}, "RULE-CVE-2025-1065-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "visualizer"}, {"name": "ARGS:date", "type": "detectXSS"}], "cve": "CVE-2025-1065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1065", "description": "Visualizer: Tables and Charts Manager for WordPress <=3.11.8 Reflected XSS via date parameter on library display", "mode": "block", "severity": 6.4, "slug": "visualizer", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.11.8"}, "RULE-CVE-2025-1065-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "visualizer"}, {"name": "ARGS:source", "type": "detectXSS"}], "cve": "CVE-2025-1065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1065", "description": "Visualizer: Tables and Charts Manager for WordPress <=3.11.8 Reflected XSS via source parameter on library display", "mode": "block", "severity": 6.4, "slug": "visualizer", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.11.8"}, "RULE-CVE-2025-1065-05": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "visualizer"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2025-1065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1065", "description": "Visualizer: Tables and Charts Manager for WordPress <=3.11.8 Reflected XSS via s (search) parameter on library display", "mode": "block", "severity": 6.4, "slug": "visualizer", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.11.8"}, "RULE-CVE-2025-1065-06": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "visualizer"}, {"name": "ARGS:orderby", "type": "detectXSS"}], "cve": "CVE-2025-1065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1065", "description": "Visualizer: Tables and Charts Manager for WordPress <=3.11.8 Reflected XSS via orderby parameter on library display", "mode": "block", "severity": 6.4, "slug": "visualizer", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.11.8"}, "RULE-CVE-2025-1065-07": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "visualizer"}, {"name": "ARGS:order", "type": "detectXSS"}], "cve": "CVE-2025-1065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1065", "description": "Visualizer: Tables and Charts Manager for WordPress <=3.11.8 Reflected XSS via order parameter on library display", "mode": "block", "severity": 6.4, "slug": "visualizer", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.11.8"}, "RULE-CVE-2025-10660-01": {"ajax_action": "dashboard_chat", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-10660", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10660", "description": "WP Dashboard Chat <=1.0.3 authenticated SQL injection via id parameter in dashboard_chat AJAX handler", "mode": "block", "severity": 6.5, "slug": "wp-dashboard-chat", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-10683-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "email-subscription-with-secure-captcha"}, {"name": "ARGS:uid", "type": "detectSQLi"}], "cve": "CVE-2025-10683", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10683", "description": "Easy Email Subscription <=1.3 authenticated SQL injection via uid parameter on admin edit subscriber page (GET)", "method": "GET", "mode": "block", "severity": 4.9, "slug": "email-subscription-with-secure-captcha", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-10683-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "email-subscription-with-secure-captcha"}, {"name": "ARGS:uid", "type": "detectSQLi"}], "cve": "CVE-2025-10683", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10683", "description": "Easy Email Subscription <=1.3 authenticated SQL injection via uid parameter on admin edit subscriber page (POST)", "method": "POST", "mode": "block", "severity": 4.9, "slug": "email-subscription-with-secure-captcha", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-10686-01": {"ajax_action": "cretats_get_preview_html", "conditions": [{"name": "ARGS:cretats_layout", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|(?:wp-config\\\\.php|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log))~i"}], "cve": "CVE-2025-10686", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10686", "description": "Creta Testimonial Showcase <=1.2.3 authenticated Local File Inclusion via cretats_layout parameter in cretats_get_preview_html AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "creta-testimonial-showcase", "tags": ["local-file-inclusion", "path-traversal", "authenticated"], "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2025-10745-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]banhammer-process_~"}], "cve": "CVE-2025-10745", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10745", "description": "Banhammer <=3.4.8 unauthenticated protection mechanism bypass via predictable banhammer-process_ GET parameter", "method": "GET", "mode": "block", "severity": 5.3, "slug": "banhammer", "tags": ["protection-bypass", "predictable-secret", "unauthenticated"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2025-10749-01": {"ajax_action": "azure-storage-media-replace", "conditions": [{"name": "ARGS:replace_attachment", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-10749", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10749", "description": "Microsoft Azure Storage for WordPress <=4.5.1 missing authorization on azure-storage-media-replace AJAX action allows authenticated subscribers to delete arbitrary media", "method": "POST", "mode": "block", "severity": 5.4, "slug": "windows-azure-storage", "tags": ["missing-authorization", "broken-access-control", "arbitrary-media-deletion"], "target": "plugin", "versions": "<=4.5.1"}, "RULE-CVE-2025-10754-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "docodoco-store-locator"}, {"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10754", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10754", "description": "DocoDoco Store Locator <=1.0.1 authenticated (Editor+) arbitrary file upload via ZIP import", "method": "POST", "mode": "block", "severity": 7.2, "slug": "docodoco-store-locator", "tags": ["arbitrary-file-upload", "dangerous-file-type", "authenticated"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-10862-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/popup-builder-block/v1/popup/logs(/|\\\\?|&|$)~"}, {"name": "ARGS:id", "type": "regex", "value": "~\\\\D~"}], "cve": "CVE-2025-10862", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10862", "description": "PopupKit <=2.1.3 unauthenticated SQL injection via id parameter on PUT /popup/logs REST endpoint", "method": "PUT", "mode": "block", "severity": 7.5, "slug": "popup-builder-block", "tags": ["sql-injection", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2025-10862-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/popup-builder-block/v1/popup/logs(/|\\\\?|&|$)~"}, {"name": "ARGS:campaignId", "type": "regex", "value": "~\\\\D~"}], "cve": "CVE-2025-10862", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10862", "description": "PopupKit <=2.1.3 unauthenticated SQL injection via campaignId parameter on GET /popup/logs REST endpoint", "method": "GET", "mode": "block", "severity": 7.5, "slug": "popup-builder-block", "tags": ["sql-injection", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2025-10873-02": {"ajax_action": "elementinvader_addons_for_elementor_forms_send_form", "conditions": [{"name": "ARGS:mail_data_from_email", "type": "exists"}], "cve": "CVE-2025-10873", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10873", "description": "ElementInvader Addons for Elementor <=1.4.0 unauthenticated arbitrary email sending via mail_data_from_email parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "elementinvader-addons-for-elementor", "tags": ["missing-authorization", "email-spoofing", "unauthenticated"], "target": "plugin", "versions": "<=1.4.0"}, "RULE-CVE-2025-10873-03": {"ajax_action": "elementinvader_addons_for_elementor_forms_send_form", "conditions": [{"name": "ARGS:mail_data_from_name", "type": "exists"}], "cve": "CVE-2025-10873", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10873", "description": "ElementInvader Addons for Elementor <=1.4.0 unauthenticated arbitrary email sending via mail_data_from_name parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "elementinvader-addons-for-elementor", "tags": ["missing-authorization", "email-spoofing", "unauthenticated"], "target": "plugin", "versions": "<=1.4.0"}, "RULE-CVE-2025-10874-01": {"ajax_action": "handle-request-mystock", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~^(?!https?://([a-z0-9-]+\\\\.)*static\\\\.?flickr\\\\.com(/|$)).+~i"}], "cve": "CVE-2025-10874", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10874", "description": "Orbit Fox by ThemeIsle <=3.0.1 authenticated SSRF via MyStock image import (handle-request-mystock)", "method": "POST", "mode": "block", "severity": 5.5, "slug": "themeisle-companion", "tags": ["ssrf", "server-side-request-forgery", "authenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2025-10902-01": {"ajax_action": "origaich_ai_scan_result_remove", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-10902", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-10902", "description": "Originality.ai AI Checker <=1.0.15 missing authorization on scan log deletion via origaich_ai_scan_result_remove AJAX action", "method": "POST", "mode": "block", "severity": 4.3, "slug": "originality-ai", "tags": ["missing-authorization", "broken-access-control", "data-deletion"], "target": "plugin", "versions": "<=1.0.15"}, "RULE-CVE-2025-10916-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/formgent/responses/attachments(?:/|\\\\?|&|$)~"}, {"name": "ARGS:file_token", "type": "regex", "value": "~(?:Li4v|Li5c)~"}], "cve": "CVE-2025-10916", "method": "DELETE", "mode": "block", "severity": 9.1, "slug": "formgent", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-11003-01": {"ajax_action": "uip_save_ui_template", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11003", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11003", "description": "UiPress lite <=3.5.08 missing authorization on uip_save_ui_template AJAX handler allows Subscriber+ Stored XSS", "method": "POST", "mode": "block", "severity": 6.4, "slug": "uipress-lite", "tags": ["missing-authorization", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.5.08"}, "RULE-CVE-2025-11003-02": {"ajax_action": "uip_create_new_ui_template", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11003", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11003", "description": "UiPress lite <=3.5.08 missing authorization on uip_create_new_ui_template AJAX handler allows Subscriber+ template creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "uipress-lite", "tags": ["missing-authorization", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.5.08"}, "RULE-CVE-2025-11007-01": {"ajax_action": "ce21_single_sign_on_save_api_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11007", "method": "POST", "mode": "block", "severity": 9.8, "slug": "ce21-suite", "target": "plugin", "versions": ">=2.2.1 <=2.3.1"}, "RULE-CVE-2025-11128-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/feedzy/v1/feed(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~https?://(?:127\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|10\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d+\\\\.\\\\d+|192\\\\.168\\\\.\\\\d+\\\\.\\\\d+|169\\\\.254\\\\.\\\\d+\\\\.\\\\d+|0\\\\.0\\\\.0\\\\.0|localhost|\\\\[?::1\\\\]?)~i"}], "cve": "CVE-2025-11128", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11128", "description": "Feedzy RSS Feeds Lite <=5.1.0 authenticated SSRF via REST API url parameter targeting internal/private IPs", "method": "POST", "mode": "block", "severity": 5.0, "slug": "feedzy-rss-feeds", "tags": ["ssrf", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.1.0"}, "RULE-CVE-2025-11162-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/|\\\\?|$)~"}, {"name": "ARGS:meta[uagb_custom_page_level_css]", "type": "regex", "value": "~</style[^>]*>|<script[\\\\s/>]|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2025-11162", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11162", "description": "Spectra (Ultimate Addons for Gutenberg) <=2.19.14 Authenticated (Contributor+) Stored XSS via Custom CSS in REST API post meta", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-addons-for-gutenberg", "tags": ["xss", "stored-xss", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.19.14"}, "RULE-CVE-2025-11162-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:meta[uagb_custom_page_level_css]", "type": "regex", "value": "~</style[^>]*>|<script[\\\\s/>]|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2025-11162", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11162", "description": "Spectra (Ultimate Addons for Gutenberg) <=2.19.14 Authenticated (Contributor+) Stored XSS via Custom CSS in classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-addons-for-gutenberg", "tags": ["xss", "stored-xss", "classic-editor", "authenticated"], "target": "plugin", "versions": "<=2.19.14"}, "RULE-CVE-2025-11171-01": {"ajax_action": "ays_chart_admin_ajax", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11171", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11171", "description": "Chartify \\u2013 WordPress Chart Plugin <=3.5.9 missing authentication on ays_chart_admin_ajax AJAX handler allowing unauthenticated admin method dispatch", "method": "POST", "mode": "block", "severity": 5.3, "slug": "chart-builder", "tags": ["missing-authentication", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=3.5.9"}, "RULE-CVE-2025-11171-02": {"ajax_action": "ays_chart_install_plugin", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11171", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11171", "description": "Chartify \\u2013 WordPress Chart Plugin <=3.5.9 missing authentication on ays_chart_install_plugin AJAX handler allowing unauthenticated plugin installation", "method": "POST", "mode": "block", "severity": 5.3, "slug": "chart-builder", "tags": ["missing-authentication", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=3.5.9"}, "RULE-CVE-2025-11171-03": {"ajax_action": "ays_chart_activate_plugin", "conditions": [{"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2025-11171", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11171", "description": "Chartify \\u2013 WordPress Chart Plugin <=3.5.9 missing authentication on ays_chart_activate_plugin AJAX handler allowing unauthenticated plugin activation", "method": "POST", "mode": "block", "severity": 5.3, "slug": "chart-builder", "tags": ["missing-authentication", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=3.5.9"}, "RULE-CVE-2025-11171-05": {"ajax_action": "ays_chart_dismiss_button", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11171", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11171", "description": "Chartify \\u2013 WordPress Chart Plugin <=3.5.9 missing authentication on ays_chart_dismiss_button AJAX handler allowing unauthenticated notice dismissal", "method": "POST", "mode": "block", "severity": 5.3, "slug": "chart-builder", "tags": ["missing-authentication", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=3.5.9"}, "RULE-CVE-2025-11174-01": {"ajax_action": "dll_load_posts", "conditions": [{"name": "ARGS:args[status]", "type": "regex", "value": "~^(?:draft|pending|future|private|any)$~i"}], "cve": "CVE-2025-11174", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11174", "description": "Document Library Lite <=1.1.6 unauthenticated sensitive information exposure via dll_load_posts AJAX handler args[status] parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "document-library-lite", "tags": ["missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.1.6"}, "RULE-CVE-2025-11177-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-login\\\\.php~"}, {"name": "ARGS:log", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-11177", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11177", "description": "External Login <=1.11.1 unauthenticated SQL injection via log parameter on wp-login.php", "method": "POST", "mode": "block", "severity": 7.5, "slug": "external-login", "tags": ["sql-injection", "unauthenticated", "login-bypass"], "target": "plugin", "versions": "<=1.11.1"}, "RULE-CVE-2025-11185-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[cmplz-accept-link\\\\b[^\\\\]]*(?:on[a-z]+=|<script|<img|<svg|<iframe|javascript:|&#(?:x0*22|0*34|x0*27|0*39|x0*3c|0*60|x0*3e|0*62))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11185", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11185", "description": "Complianz GDPR/CCPA Cookie Consent <=7.4.3 Stored XSS via cmplz-accept-link shortcode in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "complianz-gdpr", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=7.4.3"}, "RULE-CVE-2025-11185-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[cmplz-accept-link\\\\b[^\\\\]]*(?:on[a-z]+=|<script|<img|<svg|<iframe|javascript:|&#(?:x0*22|0*34|x0*27|0*39|x0*3c|0*60|x0*3e|0*62))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11185", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11185", "description": "Complianz GDPR/CCPA Cookie Consent <=7.4.3 Stored XSS via cmplz-accept-link shortcode in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "complianz-gdpr", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=7.4.3"}, "RULE-CVE-2025-11186-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[cookies_accepted[^\\\\]]*\\\\].*?(?:<script|on(?:error|load|click|mouseover|focus)\\\\s*=|javascript\\\\s*:)~is"}], "cve": "CVE-2025-11186", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11186", "description": "Cookie Notice & Compliance for GDPR/CCPA <=2.5.8 Stored XSS via [cookies_accepted] shortcode in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cookie-notice", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.5.8"}, "RULE-CVE-2025-11186-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[cookies_accepted[^\\\\]]*\\\\].*?(?:<script|on(?:error|load|click|mouseover|focus)\\\\s*=|javascript\\\\s*:)~is"}], "cve": "CVE-2025-11186", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11186", "description": "Cookie Notice & Compliance for GDPR/CCPA <=2.5.8 Stored XSS via [cookies_accepted] shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cookie-notice", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.5.8"}, "RULE-CVE-2025-1119-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/appointments(/|\\\\?|$)~"}, {"name": "ARGS:customer_locale", "type": "regex", "value": "~[^a-zA-Z_\\\\-]~"}], "cve": "CVE-2025-1119", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1119", "description": "Simply Schedule Appointments <=1.6.8.5 unauthenticated arbitrary shortcode execution via stored customer_locale with non-locale characters", "method": "POST", "mode": "block", "severity": 7.3, "slug": "simply-schedule-appointments", "tags": ["code-injection", "shortcode-injection", "unauthenticated"], "target": "plugin", "versions": "<=1.6.8.5"}, "RULE-CVE-2025-11191-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/realpress/v1/contact-form(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11191", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11191", "description": "RealPress <1.1.0 unauthenticated email sending via /contact-form REST endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "realpress", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<1.1.0"}, "RULE-CVE-2025-11191-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/realpress/v1/schedule-tour(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11191", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11191", "description": "RealPress <1.1.0 unauthenticated email sending via /schedule-tour REST endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "realpress", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<1.1.0"}, "RULE-CVE-2025-11191-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/realpress/v1/(?!contact-form(/|\\\\?|$)|schedule-tour(/|\\\\?|$))[a-z0-9_/-]+~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11191", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11191", "description": "RealPress <1.1.0 unauthenticated page creation and data manipulation via REST API", "method": "POST", "mode": "block", "severity": 5.3, "slug": "realpress", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<1.1.0"}, "RULE-CVE-2025-11204-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "rm_form_reports"}, {"name": "ARGS:rm_form_id", "type": "detectSQLi"}], "cve": "CVE-2025-11204", "method": "GET", "mode": "block", "severity": 7.2, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.6.2"}, "RULE-CVE-2025-11204-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "rm_form_reports"}, {"name": "ARGS:rm_form_id", "type": "detectSQLi"}], "cve": "CVE-2025-11204", "method": "POST", "mode": "block", "severity": 7.2, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.6.2"}, "RULE-CVE-2025-11204-03": {"ajax_action": "rm_get_stats", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "rm_get_stats"}, {"name": "ARGS:rm_form_id", "type": "detectSQLi"}], "cve": "CVE-2025-11204", "method": "POST", "mode": "block", "severity": 7.2, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.6.2"}, "RULE-CVE-2025-11204-04": {"ajax_action": "rm_get_stats", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "rm_get_stats"}, {"name": "ARGS:rm_form_id", "type": "detectSQLi"}], "cve": "CVE-2025-11204", "method": "GET", "mode": "block", "severity": 7.2, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.6.2"}, "RULE-CVE-2025-11220-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "contains", "value": "text-path"}, {"name": "ARGS:actions", "type": "regex", "value": "~<(?:script|iframe|embed|object|form|meta|link|base)\\\\b|\\\\bon(?:error|load|begin|end|click|mouseover|focus|blur)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11220", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11220", "description": "Elementor <=3.33.3 Authenticated (Contributor+) Stored DOM-Based XSS via Text Path widget SVG markup", "method": "POST", "mode": "block", "severity": 6.4, "slug": "elementor", "tags": ["xss", "stored-xss", "svg-injection", "elementor"], "target": "plugin", "versions": "<=3.33.3"}, "RULE-CVE-2025-11227-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/give-api/v3/campaigns/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2025-11227", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11227", "description": "GiveWP <=4.10.0 unauthenticated access to single campaign data via REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "give", "tags": ["missing-authorization", "information-exposure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.10.0"}, "RULE-CVE-2025-11227-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/give-api/v3/campaigns(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2025-11227", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11227", "description": "GiveWP <=4.10.0 unauthenticated enumeration of campaigns via REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "give", "tags": ["missing-authorization", "information-exposure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.10.0"}, "RULE-CVE-2025-11227-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/give-api/v3/donation-forms/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2025-11227", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11227", "description": "GiveWP <=4.10.0 unauthenticated access to single donation form data via REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "give", "tags": ["missing-authorization", "information-exposure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.10.0"}, "RULE-CVE-2025-11227-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/give-api/v3/donation-forms(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_give_forms"}], "cve": "CVE-2025-11227", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11227", "description": "GiveWP <=4.10.0 unauthenticated enumeration of donation forms via REST API", "method": "GET", "mode": "block", "severity": 6.5, "slug": "give", "tags": ["missing-authorization", "information-exposure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.10.0"}, "RULE-CVE-2025-11254-01": {"ajax_action": "post_cg_gallery_form_upload", "conditions": [{"name": "ARGS", "type": "regex", "value": "~^[\\\\s\\\\t]*(=|\\\\+|\\\\-|@)~"}], "cve": "CVE-2025-11254", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11254", "description": "Contest Gallery <=27.0.3 unauthenticated CSV injection via gallery form upload submissions", "method": "POST", "mode": "block", "severity": 4.3, "slug": "contest-gallery", "tags": ["csv-injection", "formula-injection", "unauthenticated"], "target": "plugin", "versions": "<=27.0.3"}, "RULE-CVE-2025-11254-03": {"ajax_action": "post_cg_registry", "conditions": [{"name": "ARGS", "type": "regex", "value": "~^[\\\\s\\\\t]*(=|\\\\+|\\\\-|@)~"}], "cve": "CVE-2025-11254", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11254", "description": "Contest Gallery <=27.0.3 unauthenticated CSV injection via registry submissions", "method": "POST", "mode": "block", "severity": 4.3, "slug": "contest-gallery", "tags": ["csv-injection", "formula-injection", "unauthenticated"], "target": "plugin", "versions": "<=27.0.3"}, "RULE-CVE-2025-11256-01": {"action": "admin_post_nopriv_delete_log", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated log file deletion via admin_post_nopriv_delete_log", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "file-delete", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11256-02": {"action": "admin_post_nopriv_delete_all_logs", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated bulk log deletion via admin_post_nopriv_delete_all_logs", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "file-delete", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11256-03": {"action": "admin_post_nopriv_download_log", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated log file download via admin_post_nopriv_download_log", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "file-read", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11256-04": {"action": "admin_post_nopriv_fix_permissions", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated permission fix via admin_post_nopriv_fix_permissions", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11256-05": {"action": "admin_post_nopriv_download_widget_log", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated widget log download via admin_post_nopriv_download_widget_log", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "file-read", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11256-06": {"action": "admin_post_nopriv_delete_widget_log", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated widget log deletion via admin_post_nopriv_delete_widget_log", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "file-delete", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11256-07": {"action": "admin_post_nopriv_delete_all_widget_logs", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated bulk widget log deletion via admin_post_nopriv_delete_all_widget_logs", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "file-delete", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11256-09": {"ajax_action": "chatbot_chatgpt_upload_files", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11256", "description": "Kognetiks Chatbot <=2.3.5 unauthenticated limited file upload via chatbot_chatgpt_upload_files AJAX", "method": "POST", "mode": "block", "severity": 5.3, "slug": "chatbot-chatgpt", "tags": ["missing-authorization", "file-upload", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11271-01": {"action": "init", "conditions": [{"name": "ARGS:verification_override", "type": "exists"}], "cve": "CVE-2025-11271", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11271", "description": "Easy Digital Downloads <=3.5.2 PayPal IPN verification bypass via verification_override parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "easy-digital-downloads", "tags": ["verification-bypass", "unauthenticated", "payment-fraud", "cwe-807"], "target": "plugin", "versions": "<=3.5.2"}, "RULE-CVE-2025-11307-01": {"ajax_action": "wpgmza_rest_api_request", "conditions": [{"name": "ARGS", "type": "detectXSS"}], "cve": "CVE-2025-11307", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11307", "description": "WP Go Maps <9.0.48 unauthenticated stored XSS via wpgmza_rest_api_request AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-google-maps", "tags": ["xss", "stored-xss", "unauthenticated", "ajax"], "target": "plugin", "versions": "<9.0.48"}, "RULE-CVE-2025-11307-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wpgmza/v1/~"}, {"name": "ARGS", "type": "detectXSS"}], "cve": "CVE-2025-11307", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11307", "description": "WP Go Maps <9.0.48 unauthenticated stored XSS via REST API /wpgmza/v1/ endpoints", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-google-maps", "tags": ["xss", "stored-xss", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<9.0.48"}, "RULE-CVE-2025-11361-01": {"ajax_action": "save_ai_generated_image", "conditions": [{"name": "ARGS:image_url", "type": "regex", "value": "~(?:^|[/\\\\\\\\@])(?:127\\\\.(?:0\\\\.){2}1|0\\\\.0\\\\.0\\\\.0|10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|192\\\\.168\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|169\\\\.254\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|localhost|\\\\[::1\\\\])~i"}], "cve": "CVE-2025-11361", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11361", "description": "Essential Blocks <=5.7.1 authenticated (Author+) SSRF via save_ai_generated_image AJAX handler - internal/private IP targets", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-blocks", "tags": ["ssrf", "server-side-request-forgery", "authenticated"], "target": "plugin", "versions": "<=5.7.1"}, "RULE-CVE-2025-11361-02": {"ajax_action": "save_ai_generated_image", "conditions": [{"name": "ARGS:image_url", "type": "regex", "value": "~^\\\\s*(?:gopher|file|dict|ftp|data|ldap|telnet|tftp|jar|netdoc)\\\\s*:~i"}], "cve": "CVE-2025-11361", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11361", "description": "Essential Blocks <=5.7.1 authenticated (Author+) SSRF via save_ai_generated_image AJAX handler - dangerous URL schemes", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-blocks", "tags": ["ssrf", "server-side-request-forgery", "authenticated"], "target": "plugin", "versions": "<=5.7.1"}, "RULE-CVE-2025-11369-01": {"ajax_action": "get_instagram_access_token", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11369", "description": "Essential Blocks <=5.7.2 missing authorization on get_instagram_access_token AJAX action allows Author+ to read Instagram API token", "method": "POST", "mode": "block", "severity": 4.3, "slug": "essential-blocks", "tags": ["missing-authorization", "information-disclosure", "broken-access-control"], "target": "plugin", "versions": "<=5.7.2"}, "RULE-CVE-2025-11369-02": {"ajax_action": "google_map_api_key", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11369", "description": "Essential Blocks <=5.7.2 missing authorization on google_map_api_key AJAX action allows Author+ to read Google Maps API key", "method": "POST", "mode": "block", "severity": 4.3, "slug": "essential-blocks", "tags": ["missing-authorization", "information-disclosure", "broken-access-control"], "target": "plugin", "versions": "<=5.7.2"}, "RULE-CVE-2025-11369-03": {"ajax_action": "openverse_email_name_DB", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11369", "description": "Essential Blocks <=5.7.2 missing authorization on openverse_email_name_DB AJAX action allows Author+ to read OpenVerse API credentials", "method": "POST", "mode": "block", "severity": 4.3, "slug": "essential-blocks", "tags": ["missing-authorization", "information-disclosure", "broken-access-control"], "target": "plugin", "versions": "<=5.7.2"}, "RULE-CVE-2025-11372-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "lp/v1/admin/tools/create-indexs"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11372", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11372", "description": "LearnPress \\u2013 WordPress LMS Plugin Admin Tools REST create-indexs endpoint is exposed without authorization because it is registered with permission_callback set to __return_true, allowing unauthenticated destructive database operations (dropping indexes on any table including wp_options, creating duplicate configuration entries, and degrading performance) via /wp-json/lp/v1/admin/tools/create-indexs when table names are supplied.", "method": "POST", "mode": "block", "severity": 6.5, "slug": "learnpress", "tags": ["missing-authorization", "rest-api", "unauthenticated", "database-manipulation"], "target": "plugin", "versions": "<=4.2.9.3"}, "RULE-CVE-2025-11377-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[catlist\\\\b[^\\\\]]*post_status\\\\s*=\\\\s*[\\"\']?(?:private|draft|pending|future|any|trash)[\\"\']?~i"}, {"type": "missing_capability", "value": "read_private_posts"}], "cve": "CVE-2025-11377", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11377", "description": "List Category Posts <=0.92.0 information exposure via catlist shortcode post_status attribute", "method": "POST", "mode": "block", "severity": 4.3, "slug": "list-category-posts", "tags": ["information-exposure", "shortcode", "authorization-bypass"], "target": "plugin", "versions": "<=0.92.0"}, "RULE-CVE-2025-11377-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[catlist\\\\b[^\\\\]]*post_status\\\\s*=\\\\s*[\\"\']?(?:private|draft|pending|future|any|trash)[\\"\']?~i"}, {"type": "missing_capability", "value": "read_private_posts"}], "cve": "CVE-2025-11377", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11377", "description": "List Category Posts <=0.92.0 information exposure via catlist shortcode post_status attribute (REST API)", "method": "POST", "mode": "block", "severity": 4.3, "slug": "list-category-posts", "tags": ["information-exposure", "shortcode", "authorization-bypass", "rest-api"], "target": "plugin", "versions": "<=0.92.0"}, "RULE-CVE-2025-11379-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~\\\\/wp-content\\\\/webp-express\\\\/config\\\\/.*\\\\.json~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11379", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11379", "description": "WebP Express <=0.25.9 unauthenticated information disclosure via predictable config.json file path", "method": "GET", "mode": "block", "severity": 5.3, "slug": "webp-express", "tags": ["information-disclosure", "unauthenticated", "predictable-resource-location"], "target": "plugin", "versions": "<=0.25.9"}, "RULE-CVE-2025-11380-01": {"ajax_action": "everest_process_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11380", "description": "Everest Backup <=2.3.5 missing authorization on everest_process_status AJAX action leading to unauthenticated backup file location disclosure", "mode": "block", "severity": 5.9, "slug": "everest-backup", "tags": ["missing-authorization", "information-exposure", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11380-02": {"ajax_action": "everest_backup_process_status_unlink", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11380", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11380", "description": "Everest Backup <=2.3.5 missing authorization on everest_backup_process_status_unlink AJAX action allowing unauthenticated status file deletion", "mode": "block", "severity": 5.9, "slug": "everest-backup", "tags": ["missing-authorization", "data-manipulation", "unauthenticated"], "target": "plugin", "versions": "<=2.3.5"}, "RULE-CVE-2025-11427-01": {"ajax_action": "wpmdb_flush", "conditions": [{"name": "ARGS:download", "type": "regex", "value": "~(?:https?|ftp|file|php|data|phar|compress\\\\.(?:zlib|bzip2)|zip|glob|expect)://~i"}], "cve": "CVE-2025-11427", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11427", "description": "WP Migrate Lite <=2.7.6 unauthenticated blind SSRF via wpmdb_flush AJAX download parameter", "method": "POST", "mode": "block", "severity": 5.8, "slug": "wp-migrate-db", "tags": ["ssrf", "unauthenticated", "file-read"], "target": "plugin", "versions": "<=2.7.6"}, "RULE-CVE-2025-11448-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/envira-convert/v1/bulk-convert(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11448", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11448", "description": "Envira Gallery Lite <=1.11.0 missing authorization on bulk-convert REST endpoint", "method": "POST", "mode": "block", "severity": 4.3, "slug": "envira-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=1.11.0"}, "RULE-CVE-2025-11453-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:_inpost_head_script[synth_header_script]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11453", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11453", "description": "Header and Footer Scripts <=2.2.2 Stored XSS via _inpost_head_script post meta field by Contributor+ users", "method": "POST", "mode": "block", "severity": 6.4, "slug": "header-and-footer-scripts", "tags": ["xss", "stored-xss"], "target": "plugin", "versions": "<=2.2.2"}, "RULE-CVE-2025-11454-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "eos_scfm_duplicate_post_as_draft"}, {"name": "ARGS:post", "type": "regex", "value": "~[^0-9]~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11454", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11454", "description": "Specific Content For Mobile <=0.5.5 authenticated SQL injection via post parameter in eos_scfm_duplicate_post_as_draft admin action", "method": "GET", "mode": "block", "severity": 6.5, "slug": "specific-content-for-mobile", "tags": ["sql-injection", "authenticated", "contributor"], "target": "plugin", "versions": "<=0.5.5"}, "RULE-CVE-2025-11457-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/easycommerce/v1/orders(?:/|[?&]|$)~"}, {"name": "ARGS:role", "type": "regex", "value": "~^(?:administrator|editor|author|contributor|admin)$~i"}], "cve": "CVE-2025-11457", "method": "POST", "mode": "block", "severity": 9.8, "slug": "easycommerce", "target": "plugin", "versions": ">=0.9.0-beta2 <=1.8.2"}, "RULE-CVE-2025-11496-01": {"action": "init", "conditions": [{"name": "ARGS:rtb-name", "type": "detectXSS"}], "cve": "CVE-2025-11496", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11496", "description": "Five Star Restaurant Reservations <=2.7.5 unauthenticated stored XSS via rtb-name booking form parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "restaurant-reservations", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2025-11499-01": {"action": "init", "conditions": [{"name": "ARGS:post_featured_image", "type": "regex", "value": "~https?://[^\\\\s\\"\'<>]+\\\\.(?:ph(?:p\\\\d?|ps|tml?|t|ar)|[aj]sp[x]?|cgi|cfm|exe|bash)(?:[?#]|$)~i"}], "cve": "CVE-2025-11499", "method": "POST", "mode": "block", "severity": 9.8, "slug": "tablesome", "target": "plugin", "versions": "<=1.1.32"}, "RULE-CVE-2025-11502-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\[saswp_tiny_multiple_faq\\\\b[^\\\\]]*(?:<script|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-11502", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11502", "description": "Schema & Structured Data for WP & AMP <=1.51 Stored XSS via saswp_tiny_multiple_faq shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "schema-and-structured-data-for-wp", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.51"}, "RULE-CVE-2025-11502-02": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\[saswp_tiny_multiple_faq\\\\b[^\\\\]]*(?:<svg|<iframe|<embed|<object|<math|<body|<video[^>]*autoplay|<img[^>]*(?:onerror|onload|onsrc)\\\\s*=)~i"}], "cve": "CVE-2025-11502", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11502", "description": "Schema & Structured Data for WP & AMP <=1.51 Stored XSS via saswp_tiny_multiple_faq shortcode dangerous HTML elements in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "schema-and-structured-data-for-wp", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.51"}, "RULE-CVE-2025-11504-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]wp-content[/\\\\\\\\]plugins[/\\\\\\\\]quickcreator[/\\\\\\\\]dupasrala\\\\.txt~i"}], "cve": "CVE-2025-11504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11504", "description": "Quickcreator <=0.1.17 unauthenticated sensitive API key exposure via dupasrala.txt static file", "method": "GET", "mode": "block", "severity": 7.5, "slug": "quickcreator", "tags": ["information-disclosure", "sensitive-data-exposure", "unauthenticated", "cwe-532"], "target": "plugin", "versions": "<=0.1.17"}, "RULE-CVE-2025-11510-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/filebird/v1/fb-wipe-clear-all-data(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11510", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11510", "description": "FileBird <=6.4.9 missing authorization on fb-wipe-clear-all-data REST endpoint allows author+ to reset plugin data", "method": "POST", "mode": "block", "severity": 4.3, "slug": "filebird", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=6.4.9"}, "RULE-CVE-2025-11536-01": {"ajax_action": "import_elementor_template", "conditions": [{"name": "ARGS:import_url", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11536", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11536", "description": "Element Pack Addons for Elementor <=8.2.5 authenticated (Subscriber+) blind SSRF via import_elementor_template AJAX handler", "method": "POST", "mode": "block", "severity": 5.0, "slug": "bdthemes-element-pack-lite", "tags": ["ssrf", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=8.2.5"}, "RULE-CVE-2025-11536-02": {"ajax_action": "import_ep_elementor_bundle_template", "conditions": [{"name": "ARGS:import_url", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11536", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11536", "description": "Element Pack Addons for Elementor <=8.2.5 authenticated (Subscriber+) blind SSRF via import_ep_elementor_bundle_template AJAX handler", "method": "POST", "mode": "block", "severity": 5.0, "slug": "bdthemes-element-pack-lite", "tags": ["ssrf", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=8.2.5"}, "RULE-CVE-2025-11564-01": {"ajax_action": "tutor_handle_api_calls", "conditions": [{"name": "ARGS:payment_type", "type": "equals", "value": "recurring"}], "cve": "CVE-2025-11564", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11564", "description": "Tutor LMS <=3.8.3 unauthenticated payment verification bypass via forged recurring payment webhook", "method": "POST", "mode": "block", "severity": 5.3, "slug": "tutor", "tags": ["missing-authorization", "payment-bypass", "unauthenticated"], "target": "plugin", "versions": "<=3.8.3"}, "RULE-CVE-2025-11576-01": {"ajax_action": "newcodebyte_chatbot_send_message", "conditions": [{"name": "ARGS:message", "type": "regex", "value": "~^\\\\s*[=+\\\\-@]~"}], "cve": "CVE-2025-11576", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11576", "description": "AI Chatbot Free Models <=1.6.5 unauthenticated CSV injection via chat message", "method": "POST", "mode": "block", "severity": 4.3, "slug": "chatbot-ai-free-models", "tags": ["csv-injection", "unauthenticated", "stored-attack"], "target": "plugin", "versions": "<=1.6.5"}, "RULE-CVE-2025-11627-01a": {"ajax_action": "bill_minozzi_js_error_catched", "conditions": [{"name": "ARGS:message", "type": "regex", "value": "~[\\\\x00-\\\\x08\\\\x0a-\\\\x1f]|%0[aAdD]|%00~i"}], "cve": "CVE-2025-11627", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11627", "description": "Site Checkup <=1.47 unauthenticated log file poisoning via bill_minozzi_js_error_catched AJAX handler with newline/control character injection (message)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "site-checkup", "tags": ["log-injection", "unauthenticated", "cwe-117", "denial-of-service"], "target": "plugin", "versions": "<=1.47"}, "RULE-CVE-2025-11627-01b": {"ajax_action": "bill_minozzi_js_error_catched", "conditions": [{"name": "ARGS:error", "type": "regex", "value": "~[\\\\x00-\\\\x08\\\\x0a-\\\\x1f]|%0[aAdD]|%00~i"}], "cve": "CVE-2025-11627", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11627", "description": "Site Checkup <=1.47 unauthenticated log file poisoning via bill_minozzi_js_error_catched AJAX handler with newline/control character injection (error)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "site-checkup", "tags": ["log-injection", "unauthenticated", "cwe-117", "denial-of-service"], "target": "plugin", "versions": "<=1.47"}, "RULE-CVE-2025-11627-01c": {"ajax_action": "bill_minozzi_js_error_catched", "conditions": [{"name": "ARGS:error_msg", "type": "regex", "value": "~[\\\\x00-\\\\x08\\\\x0a-\\\\x1f]|%0[aAdD]|%00~i"}], "cve": "CVE-2025-11627", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11627", "description": "Site Checkup <=1.47 unauthenticated log file poisoning via bill_minozzi_js_error_catched AJAX handler with newline/control character injection (error_msg)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "site-checkup", "tags": ["log-injection", "unauthenticated", "cwe-117", "denial-of-service"], "target": "plugin", "versions": "<=1.47"}, "RULE-CVE-2025-11691-01": {"ajax_action": "ppom_ajax_validation", "conditions": [{"name": "ARGS:ppom_id", "type": "regex", "value": "~[^0-9,]~"}], "cve": "CVE-2025-11691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11691", "description": "PPOM for WooCommerce <=33.0.15 unauthenticated SQL injection via ppom_id parameter in ppom_ajax_validation AJAX handler", "mode": "block", "severity": 7.5, "slug": "woocommerce-product-addon", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=33.0.15"}, "RULE-CVE-2025-11691-02": {"ajax_action": "ppom_ajax_validation", "conditions": [{"name": "ARGS:productmeta_id", "type": "regex", "value": "~[^0-9,]~"}], "cve": "CVE-2025-11691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11691", "description": "PPOM for WooCommerce <=33.0.15 unauthenticated SQL injection via productmeta_id parameter in ppom_ajax_validation AJAX handler", "mode": "block", "severity": 7.5, "slug": "woocommerce-product-addon", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=33.0.15"}, "RULE-CVE-2025-11692-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]zip-attachments[/\\\\\\\\]download\\\\.php~i"}, {"name": "ARGS:za_real_filename", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2025-11692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11692", "description": "Zip Attachments <=1.6 unauthenticated arbitrary file read/delete via download.php path traversal", "method": "GET", "mode": "block", "severity": 5.3, "slug": "zip-attachments", "tags": ["missing-authorization", "arbitrary-file-deletion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=1.6"}, "RULE-CVE-2025-11692-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]zip-attachments[/\\\\\\\\]download\\\\.php~i"}, {"name": "ARGS:za_real_filename", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-11692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11692", "description": "Zip Attachments <=1.6 unauthenticated arbitrary file read/delete via download.php targeting sensitive files", "method": "GET", "mode": "block", "severity": 5.3, "slug": "zip-attachments", "tags": ["missing-authorization", "arbitrary-file-deletion", "arbitrary-file-read", "unauthenticated"], "target": "plugin", "versions": "<=1.6"}, "RULE-CVE-2025-11703-01": {"ajax_action": "wpgmza_store_nominatim_cache", "conditions": [{"name": "ARGS:response", "type": "regex", "value": "~<[a-z!/][^>]*>~i"}], "cve": "CVE-2025-11703", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11703", "description": "WP Go Maps <=9.0.48 unauthenticated cache poisoning via wpgmza_store_nominatim_cache - HTML tag injection in response parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-google-maps", "tags": ["cache-poisoning", "unauthenticated", "stored-xss"], "target": "plugin", "versions": "<=9.0.48"}, "RULE-CVE-2025-11703-02": {"ajax_action": "wpgmza_store_nominatim_cache", "conditions": [{"name": "ARGS:response", "type": "regex", "value": "~on(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2025-11703", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11703", "description": "WP Go Maps <=9.0.48 unauthenticated cache poisoning via wpgmza_store_nominatim_cache - DOM event handler injection in response parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-google-maps", "tags": ["cache-poisoning", "unauthenticated", "stored-xss"], "target": "plugin", "versions": "<=9.0.48"}, "RULE-CVE-2025-11703-03": {"ajax_action": "wpgmza_store_nominatim_cache", "conditions": [{"name": "ARGS:response", "type": "regex", "value": "~javascript\\\\s*:~i"}], "cve": "CVE-2025-11703", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11703", "description": "WP Go Maps <=9.0.48 unauthenticated cache poisoning via wpgmza_store_nominatim_cache - javascript URI injection in response parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-google-maps", "tags": ["cache-poisoning", "unauthenticated", "stored-xss"], "target": "plugin", "versions": "<=9.0.48"}, "RULE-CVE-2025-11705-01": {"ajax_action": "GOTMLS_scan", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11705", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11705", "description": "Anti-Malware Security and Brute-Force Firewall <=4.23.81 authenticated arbitrary file read via GOTMLS_scan AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "gotmls", "tags": ["missing-authorization", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=4.23.81"}, "RULE-CVE-2025-11705-02": {"ajax_action": "GOTMLS_View_Quarantine", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11705", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11705", "description": "Anti-Malware Security and Brute-Force Firewall <=4.23.81 missing authorization on GOTMLS_View_Quarantine AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "gotmls", "tags": ["missing-authorization", "information-disclosure", "authenticated"], "target": "plugin", "versions": "<=4.23.81"}, "RULE-CVE-2025-11705-03": {"ajax_action": "GOTMLS_load_update", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11705", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11705", "description": "Anti-Malware Security and Brute-Force Firewall <=4.23.81 missing authorization on GOTMLS_load_update AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "gotmls", "tags": ["missing-authorization", "authenticated"], "target": "plugin", "versions": "<=4.23.81"}, "RULE-CVE-2025-11705-04": {"ajax_action": "GOTMLS_empty_trash", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11705", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11705", "description": "Anti-Malware Security and Brute-Force Firewall <=4.23.81 missing authorization on GOTMLS_empty_trash AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "gotmls", "tags": ["missing-authorization", "authenticated"], "target": "plugin", "versions": "<=4.23.81"}, "RULE-CVE-2025-11705-05": {"ajax_action": "GOTMLS_whitelist", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11705", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11705", "description": "Anti-Malware Security and Brute-Force Firewall <=4.23.81 missing authorization on GOTMLS_whitelist AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "gotmls", "tags": ["missing-authorization", "authenticated"], "target": "plugin", "versions": "<=4.23.81"}, "RULE-CVE-2025-11705-06": {"ajax_action": "GOTMLS_fix", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11705", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11705", "description": "Anti-Malware Security and Brute-Force Firewall <=4.23.81 missing authorization on GOTMLS_fix AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "gotmls", "tags": ["missing-authorization", "authenticated"], "target": "plugin", "versions": "<=4.23.81"}, "RULE-CVE-2025-11725-01": {"ajax_action": "ahsc_reset_options", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on plugin settings AJAX endpoints", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-02": {"ajax_action": "ahsc_enable_purge", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on enable_purge AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-03": {"ajax_action": "ahsc_enable_cron", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on enable_cron AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-04": {"ajax_action": "ahsc_debug_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on debug_status AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-05": {"ajax_action": "ahsc_xmlrpc_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on xmlrpc_status AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-06": {"ajax_action": "ahsc_cron_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on cron_status AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-07": {"ajax_action": "ahsc_cron_time", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on cron_time AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-08": {"ajax_action": "ahsc_dboptimization", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on dboptimization AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-09": {"ajax_action": "ahsc_purge_homepage_on_edit", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on purge_homepage_on_edit AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-10": {"ajax_action": "ahsc_purge_archive_on_edit", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on purge_archive_on_edit AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-11": {"ajax_action": "ahsc_purge_page_on_new_comment", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on purge_page_on_new_comment AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-12": {"ajax_action": "ahsc_static_cache", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on static_cache AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-13": {"ajax_action": "ahsc_lazy_load", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on lazy_load AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-14": {"ajax_action": "ahsc_html_optimizer", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on html_optimizer AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-15": {"ajax_action": "ahsc_dns_preconnect", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on dns_preconnect AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-16": {"ajax_action": "ahsc_dns_preconnect_domain_list", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on dns_preconnect_domain_list AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-17": {"ajax_action": "ahsc_cache_warmer", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on cache_warmer AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-18": {"ajax_action": "ahsc_update_apc_Settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on update_apc_Settings AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-19": {"ajax_action": "ahsc_check_apc_file", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on check_apc_file AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-20": {"ajax_action": "ahsc_create_apc_file", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on create_apc_file AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11725-21": {"ajax_action": "ahsc_delete_apc_file", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11725", "description": "Aruba HiSpeed Cache <=3.0.2 missing authorization on delete_apc_file AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aruba-hispeed-cache", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-11726-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fl-controls/v1/~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11726", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11726", "description": "Beaver Builder Lite <=2.9.4 missing authorization on fl-controls/v1 REST endpoints allows contributor+ to create/update global presets", "method": "POST", "mode": "block", "severity": 4.3, "slug": "beaver-builder-lite-version", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=2.9.4"}, "RULE-CVE-2025-11726-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fl-controls/v1/~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11726", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11726", "description": "Beaver Builder Lite <=2.9.4 missing authorization on fl-controls/v1 REST endpoints allows contributor+ to delete global presets", "method": "DELETE", "mode": "block", "severity": 4.3, "slug": "beaver-builder-lite-version", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=2.9.4"}, "RULE-CVE-2025-11734-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:(?:^/wp-json)(?:/|%2F)aioseoBrokenLinkChecker(?:/|%2F)v1(?:/|%2F)post|(?:^|&|\\\\?)rest_route=(?:/|%2F)aioseoBrokenLinkChecker(?:/|%2F)v1(?:/|%2F)post)(?:/|\\\\?|&|$)~i"}, {"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-11734", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11734", "description": "Broken Link Checker by AIOSEO <=1.2.5 missing authorization on DELETE /aioseoBrokenLinkChecker/v1/post allows contributor+ to trash arbitrary posts", "method": "DELETE", "mode": "block", "severity": 5.4, "slug": "broken-link-checker-seo", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-11745-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[adinserter[^\\\\]]*custom-field\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11745", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11745", "description": "Ad Inserter <=2.8.7 Stored XSS via [adinserter custom-field] shortcode attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ad-inserter", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.8.7"}, "RULE-CVE-2025-11749-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json|[?&]rest_route=)/mwai/v1/[A-Za-z0-9_-]+/messages~"}], "cve": "CVE-2025-11749", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=3.1.3"}, "RULE-CVE-2025-11749-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json|[?&]rest_route=)/mwai/v1/[A-Za-z0-9_-]+/sse~"}], "cve": "CVE-2025-11749", "mode": "block", "severity": 9.8, "slug": "ai-engine", "target": "plugin", "versions": "<=3.1.3"}, "RULE-CVE-2025-11758-01": {"ajax_action": "aio_time_clock_lite_admin_js", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-11758", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11758", "description": "All in One Time Clock Lite <=2.0.3 missing authorization on admin AJAX handler allowing unauthenticated page creation and report download", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aio-time-clock-lite", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=2.0.3"}, "RULE-CVE-2025-11758-02": {"ajax_action": "aio_time_clock_lite_js", "conditions": [{"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-11758", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11758", "description": "All in One Time Clock Lite <=2.0.3 missing authorization on frontend AJAX handler allowing unauthenticated shift manipulation", "method": "POST", "mode": "block", "severity": 6.5, "slug": "aio-time-clock-lite", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=2.0.3"}, "RULE-CVE-2025-11765-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "regex", "value": "~^(?:editpost|post)$~i"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:stock[-_]tools)\\\\b[^\\\\]]*\\\\bimage_width\\\\s*=\\\\s*[\\"\'][^\\"\'\\\\]]*(?:<script\\\\b|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)[^\\"\'\\\\]]*[\\"\'][^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11765", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11765", "description": "Stock Tools <=1.1 authenticated (Contributor+) stored XSS via image_width shortcode attribute", "method": "POST", "mode": "block", "severity": 6.4, "slug": "stock-tools", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-11770-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[brighttalk-time\\\\b[^\\\\]]*format\\\\s*=\\\\s*[\'\\"][^\'\\"]*(?:<script|<img|<svg|<iframe|<object|<embed|<video|<audio|<math|<details|on(?:error|load|click|mouseover|focus|blur|mouse(?:enter|leave|move|out|up|down))\\\\s*=|javascript\\\\s*:)[^\'\\"]*[\'\\"][^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11770", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11770", "description": "BrightTALK WordPress Shortcode <=2.4.0 Stored XSS via brighttalk-time shortcode format attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "brighttalk-wp-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-11770-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[brighttalk-time\\\\b[^\\\\]]*format\\\\s*=\\\\s*[\'\\"][^\'\\"]*(?:<script|<img|<svg|<iframe|<object|<embed|<video|<audio|<math|<details|on(?:error|load|click|mouseover|focus|blur|mouse(?:enter|leave|move|out|up|down))\\\\s*=|javascript\\\\s*:)[^\'\\"]*[\'\\"][^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11770", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11770", "description": "BrightTALK WordPress Shortcode <=2.4.0 Stored XSS via brighttalk-time shortcode format attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "brighttalk-wp-shortcode", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-11771-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/tokenico/v1/create-sale-record(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11771", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11771", "description": "TokenICO <=2.4.7 unauthenticated presale counter manipulation via create-sale-record REST endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop", "tags": ["missing-authentication", "unauthorized-data-modification", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2025-11799-01": {"action": "save_post", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[affiai_img\\\\b[^\\\\]]*asin\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|on[a-z]{3,}\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-11799", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11799", "description": "Affiliate AI Lite <=1.0.1 Stored XSS via affiai_img shortcode asin attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "affiliate-ai-lite", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-11799-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[affiai_img\\\\b[^\\\\]]*asin\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|on[a-z]{3,}\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-11799", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11799", "description": "Affiliate AI Lite <=1.0.1 Stored XSS via affiai_img shortcode asin attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "affiliate-ai-lite", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-11799-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[affiai_img\\\\b[^\\\\]]*asin\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|on[a-z]{3,}\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-11799", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11799", "description": "Affiliate AI Lite <=1.0.1 Stored XSS via affiai_img shortcode asin attribute in post content (REST API update via PUT)", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "affiliate-ai-lite", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-11800-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[minicrm\\\\b[^\\\\]]*id\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*(?:<|javascript\\\\s*:|on\\\\w+\\\\s*=)[^\\"\']*[\\"\']|[^\\\\s\\\\]\\\\\\"\']*(?:<|javascript\\\\s*:|on\\\\w+\\\\s*=)[^\\\\s\\\\]\\\\\\"\']*)~i"}], "cve": "CVE-2025-11800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11800", "description": "Surbma | MiniCRM Shortcode <=2.0 Stored XSS via minicrm shortcode id attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "surbma-minicrm-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-11803-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wpsite_y\\\\b[^\\\\]]*\\\\bformat\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]*(?:script|on\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11803", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11803", "description": "WPSite Shortcode <=1.2 Stored XSS via wpsite_y shortcode format attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpsite-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-11803-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wpsite_postauthor\\\\b[^\\\\]]*\\\\bbefore\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]*(?:script|on\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11803", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11803", "description": "WPSite Shortcode <=1.2 Stored XSS via wpsite_postauthor shortcode before attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpsite-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-11803-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wpsite_y\\\\b[^\\\\]]*\\\\bformat\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]*(?:script|on\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11803", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11803", "description": "WPSite Shortcode <=1.2 Stored XSS via wpsite_y format attribute through REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpsite-shortcode", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-11803-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wpsite_postauthor\\\\b[^\\\\]]*\\\\bbefore\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]*(?:script|on\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11803", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11803", "description": "WPSite Shortcode <=1.2 Stored XSS via wpsite_postauthor before attribute through REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpsite-shortcode", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-11805-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[skipto\\\\b[^\\\\]]*(?:(?:time|text|class)\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script|javascript\\\\s*:)|\\\\bon\\\\w+\\\\s*=\\\\s*[\\"\'])[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-11805", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11805", "description": "Skip to Timestamp <=1.4.4 Stored XSS via skipto shortcode time/text/class attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "skip-to-timestamp", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.4.4"}, "RULE-CVE-2025-11810-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[print-button\\\\b[^\\\\]]*target\\\\s*=\\\\s*[\'\\"][^\\\\]]*(?:on[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:|<\\\\s*(?:script|img|svg|iframe|object|embed))~i"}], "cve": "CVE-2025-11810", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11810", "description": "Print Button Shortcode <=1.0.1 authenticated stored XSS via [print-button] shortcode target attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "print-button-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-11810-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[print-button\\\\b[^\\\\]]*target\\\\s*=\\\\s*[\'\\"][^\\\\]]*(?:on[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:|<\\\\s*(?:script|img|svg|iframe|object|embed))~i"}], "cve": "CVE-2025-11810", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11810", "description": "Print Button Shortcode <=1.0.1 authenticated stored XSS via [print-button] shortcode target attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "print-button-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-11811-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[embed_youtube\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*(?:<|\\\\bon[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:)[^\\"\']*[\\"\']|(?![\\"\'])\\\\S*(?:<|\\\\bon[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:)\\\\S*)~i"}], "cve": "CVE-2025-11811", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11811", "description": "Simple Youtube Shortcode <=1.1.3 Stored XSS via embed_youtube shortcode id attribute in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-youtube-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.3"}, "RULE-CVE-2025-11811-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[embed_youtube\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*(?:<|\\\\bon[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:)[^\\"\']*[\\"\']|(?![\\"\'])\\\\S*(?:<|\\\\bon[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:)\\\\S*)~i"}], "cve": "CVE-2025-11811", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11811", "description": "Simple Youtube Shortcode <=1.1.3 Stored XSS via embed_youtube shortcode id attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-youtube-shortcode", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.3"}, "RULE-CVE-2025-11813-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[responsive_map\\\\b[^\\\\]]*(?:width|height)\\\\s*=\\\\s*(?:\\"[^\\"]*(?:on[a-zA-Z0-9_]+\\\\s*=|<script|javascript\\\\s*:)[^\\"]*\\"|\'[^\']*(?:on[a-zA-Z0-9_]+\\\\s*=|<script|javascript\\\\s*:)[^\']*\')~i"}], "cve": "CVE-2025-11813", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11813", "description": "Responsive iframe GoogleMap <=1.0.2 stored XSS via responsive_map shortcode width/height attributes in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "responsive-iframe-googlemap", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-11813-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[responsive_map\\\\b[^\\\\]]*(?:width|height)\\\\s*=\\\\s*(?:\\"[^\\"]*(?:on[a-zA-Z0-9_]+\\\\s*=|<script|javascript\\\\s*:)[^\\"]*\\"|\'[^\']*(?:on[a-zA-Z0-9_]+\\\\s*=|<script|javascript\\\\s*:)[^\']*\')~i"}], "cve": "CVE-2025-11813", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11813", "description": "Responsive iframe GoogleMap <=1.0.2 stored XSS via responsive_map shortcode width/height attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "responsive-iframe-googlemap", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-11816-01": {"ajax_action": "disconnect_account_request", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11816", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wplegalpages", "target": "plugin", "versions": "<=3.5.0"}, "RULE-CVE-2025-11820-03": {"ajax_action": "graphina_setting_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<svg[^>]*\\\\bon|<img[^>]*\\\\bon|<iframe[\\\\s>]~i"}], "cve": "CVE-2025-11820", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11820", "description": "Graphina - Elementor Charts and Graphs <=3.1.8 admin settings Stored XSS via graphina_setting_data", "method": "POST", "mode": "block", "severity": 6.4, "slug": "graphina-elementor-charts-and-graphs", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-11822-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bootstrap_tab\\\\b[^\\\\]]*(?:name|link|active)\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<script|on(?:mouse|key|load|error|focus|blur|click|dblclick|change|submit|reset|select|abort|drag|drop|pointer|touch|wheel|animation|transition)[a-zA-Z0-9_]*\\\\s*=|javascript\\\\s*:)\\"|\'[^\']*(?:<script|on(?:mouse|key|load|error|focus|blur|click|dblclick|change|submit|reset|select|abort|drag|drop|pointer|touch|wheel|animation|transition)[a-zA-Z0-9_]*\\\\s*=|javascript\\\\s*:)\')~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11822", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11822", "description": "WP Bootstrap Tabs <=1.0.4 Stored XSS via [bootstrap_tab] shortcode attributes in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-bootstrap-tabs", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-11822-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bootstrap_tab\\\\b[^\\\\]]*(?:name|link|active)\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<script|on(?:mouse|key|load|error|focus|blur|click|dblclick|change|submit|reset|select|abort|drag|drop|pointer|touch|wheel|animation|transition)[a-zA-Z0-9_]*\\\\s*=|javascript\\\\s*:)\\"|\'[^\']*(?:<script|on(?:mouse|key|load|error|focus|blur|click|dblclick|change|submit|reset|select|abort|drag|drop|pointer|touch|wheel|animation|transition)[a-zA-Z0-9_]*\\\\s*=|javascript\\\\s*:)\')~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11822", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11822", "description": "WP Bootstrap Tabs <=1.0.4 Stored XSS via [bootstrap_tab] shortcode attributes in REST API content submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-bootstrap-tabs", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-11826-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[social-networks\\\\s[^\\\\]]*class\\\\s*=\\\\s*[\\"\'][^\\"\']*(on(mouseover|click|error|focus|load|keydown|keyup|mouseout|mouseenter|submit|change|input)\\\\s*=|<\\\\s*(script|img|iframe|svg|object|embed|link|style|body|input|form|video|audio|details|marquee)|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11826", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11826", "description": "WP Company Info <=1.9.0 Stored XSS via [social-networks] shortcode class attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-company-info", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.9.0"}, "RULE-CVE-2025-11826-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[social-networks\\\\s[^\\\\]]*class\\\\s*=\\\\s*[\\"\'][^\\"\']*(on(mouseover|click|error|focus|load|keydown|keyup|mouseout|mouseenter|submit|change|input)\\\\s*=|<\\\\s*(script|img|iframe|svg|object|embed|link|style|body|input|form|video|audio|details|marquee)|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11826", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11826", "description": "WP Company Info <=1.9.0 Stored XSS via [social-networks] shortcode class attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-company-info", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.9.0"}, "RULE-CVE-2025-11828-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:bnm-blocks/(?:featured-posts-1|featured-posts-2|slider|post-block-1|post-block-2|posts-ultra)\\\\s[\\\\s\\\\S]*?\\"(?:headerHtmlTag|titleHtmlTag)\\"\\\\s*:\\\\s*\\"[^\\"]*[\\\\s=][^\\"]*\\"~i"}], "cve": "CVE-2025-11828", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11828", "description": "Magazine Companion (bnm-blocks) <=1.2.3 Stored XSS via headerHtmlTag/titleHtmlTag block attributes in REST API post creation", "mode": "block", "severity": 6.4, "slug": "bnm-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2025-11828-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:bnm-blocks/(?:featured-posts-1|featured-posts-2|slider|post-block-1|post-block-2|posts-ultra)\\\\s[\\\\s\\\\S]*?\\"(?:headerHtmlTag|titleHtmlTag)\\"\\\\s*:\\\\s*\\"[^\\"]*[\\\\s=][^\\"]*\\"~i"}], "cve": "CVE-2025-11828", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11828", "description": "Magazine Companion (bnm-blocks) <=1.2.3 Stored XSS via headerHtmlTag/titleHtmlTag block attributes in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bnm-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2025-11829-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[five9-chat\\\\b[^\\\\]]*toolbar\\\\s*=\\\\s*[\\"\'][^\\\\]]*(<script|on(error|load|click|mouseover|focus|blur|mouseout|mouseenter|mouseleave|keydown|keyup|keypress)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-11829", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11829", "description": "Five9 Live Chat <=1.1.2 authenticated (Contributor+) stored XSS via [five9-chat] shortcode toolbar attribute", "method": "POST", "mode": "block", "severity": 6.4, "slug": "five9", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-11830-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[restaurant_summary\\\\b[^\\\\]]*align\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<|\\\\bon[a-z]+=|javascript:|style\\\\s*=)[^\\"\']*[\\"\']~i"}], "cve": "CVE-2025-11830", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11830", "description": "WP Restaurant Listings <=1.0.2 Stored XSS via restaurant_summary shortcode align attribute in classic editor post submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-restaurant-listings", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-11830-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[restaurant_summary\\\\b[^\\\\]]*align\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<|\\\\bon[a-z]+=|javascript:|style\\\\s*=)[^\\"\']*[\\"\']~i"}], "cve": "CVE-2025-11830", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11830", "description": "WP Restaurant Listings <=1.0.2 Stored XSS via restaurant_summary shortcode align attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-restaurant-listings", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-11857-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[mxp_fb2wp_display_embed\\\\b[^\\\\]]*\\\\bpost_id\\\\s*=\\\\s*(?:\\"(?!\\\\d+(?:_\\\\d+)?\\")([^\\"]*)\\"|\'(?!\\\\d+(?:_\\\\d+)?\')([^\']*)\'|(?!\\\\d+(?:_\\\\d+)?(?:\\\\s|\\\\]|$))([^\\\\s\\\\]\'\\\\\\"]+))~i"}], "cve": "CVE-2025-11857", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11857", "description": "FB2WP Integration Tools <=1.9.9 Stored XSS via mxp_fb2wp_display_embed shortcode post_id attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fb2wp-integration-tools", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.9.9"}, "RULE-CVE-2025-11857-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mxp_fb2wp_display_embed\\\\b[^\\\\]]*\\\\bpost_id\\\\s*=\\\\s*(?:\\"(?!\\\\d+(?:_\\\\d+)?\\")([^\\"]*)\\"|\'(?!\\\\d+(?:_\\\\d+)?\')([^\']*)\'|(?!\\\\d+(?:_\\\\d+)?(?:\\\\s|\\\\]|$))([^\\\\s\\\\]\'\\\\\\"]+))~i"}], "cve": "CVE-2025-11857", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11857", "description": "FB2WP Integration Tools <=1.9.9 Stored XSS via mxp_fb2wp_display_embed shortcode post_id attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fb2wp-integration-tools", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.9.9"}, "RULE-CVE-2025-11863-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[mygeo_(?:city|country_code|country_name|region|latitude|longitude|postal_code)\\\\b[^\\\\]]*default\\\\s*=\\\\s*[\'\\"]?[^\\\\]]*(?:<[a-z/!]|\\\\bon[a-z]{3,}\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-11863", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11863", "description": "My Geo Posts Free <=1.2 Stored XSS via mygeo_* shortcode default attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-geo-posts-free", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2025-11863-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mygeo_(?:city|country_code|country_name|region|latitude|longitude|postal_code)\\\\b[^\\\\]]*default\\\\s*=\\\\s*[\'\\"]?[^\\\\]]*(?:<[a-z/!]|\\\\bon[a-z]{3,}\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-11863", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11863", "description": "My Geo Posts Free <=1.2 Stored XSS via mygeo_* shortcode default attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-geo-posts-free", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2025-11872-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(?:post\\\\.php|post-new\\\\.php)(?:\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mdiconic\\\\b[^\\\\]]*(?:\\\\s+on[a-z]+\\\\s*=|javascript\\\\s*:|\\\\x22\\\\s*(?:style|class)\\\\s*=)~i"}], "cve": "CVE-2025-11872", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11872", "description": "Material Design Iconic Font Integration <=2 Stored XSS via [mdiconic] shortcode attributes in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "material-design-iconic-font-integration", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2"}, "RULE-CVE-2025-11872-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mdiconic\\\\b[^\\\\]]*(?:\\\\s+on[a-z]+\\\\s*=|javascript\\\\s*:|\\\\x22\\\\s*(?:style|class)\\\\s*=)~i"}], "cve": "CVE-2025-11872", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11872", "description": "Material Design Iconic Font Integration <=2 Stored XSS via [mdiconic] shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "material-design-iconic-font-integration", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2"}, "RULE-CVE-2025-11881-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/appp/v1/myappp-verify(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11881", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11881", "description": "AppPresser <=4.5.0 unauthenticated information disclosure via myappp-verify REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "apppresser", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.5.0"}, "RULE-CVE-2025-11881-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/appp/v1/system-info(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11881", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11881", "description": "AppPresser <=4.5.0 unauthenticated information disclosure via system-info REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "apppresser", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.5.0"}, "RULE-CVE-2025-11917-01": {"ajax_action": "wpematico_test_feed", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~(?:^(?:gopher|dict|file|ftp|ldap|tftp)://|://(?:localhost|\\\\[?::1\\\\]?|0x[0-9a-f]|0[0-7]{2,}|127\\\\.|10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.)|://[^/?#]*@)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11917", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11917", "description": "WPeMatico RSS Feed Fetcher <=2.8.11 authenticated (Subscriber+) SSRF via wpematico_test_feed AJAX action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpematico", "tags": ["ssrf", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=2.8.11"}, "RULE-CVE-2025-11923-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/llms/v1/students/\\\\d+(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11923", "mode": "block", "severity": 8.8, "slug": "lifterlms", "target": "plugin", "versions": ">=3.5.3 <=9.1.0"}, "RULE-CVE-2025-11923-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/llms/v1/instructors/\\\\d+(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11923", "mode": "block", "severity": 8.8, "slug": "lifterlms", "target": "plugin", "versions": ">=3.5.3 <=9.1.0"}, "RULE-CVE-2025-11924-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ninja-forms-views/(?:v1/)?forms/\\\\d+/submissions(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11924", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11924", "description": "Ninja Forms <=3.13.2 unauthenticated IDOR on ninja-forms-views REST submissions endpoint", "method": "GET", "mode": "block", "severity": 7.5, "slug": "ninja-forms", "tags": ["idor", "missing-authorization", "unauthenticated", "rest-api", "sensitive-data-exposure"], "target": "plugin", "versions": "<=3.13.2"}, "RULE-CVE-2025-11924-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ninja-forms-views/(?:v1/)?token/refresh(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11924", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11924", "description": "Ninja Forms <=3.13.2 unauthenticated bearer token minting via ninja-forms-views REST token/refresh endpoint", "method": "POST", "mode": "block", "severity": 7.5, "slug": "ninja-forms", "tags": ["authentication-bypass", "missing-authorization", "unauthenticated", "rest-api", "token-minting"], "target": "plugin", "versions": "<=3.13.2"}, "RULE-CVE-2025-11928-01": {"ajax_action": "cjtoolbox_set_property", "conditions": [{"type": "missing_capability", "value": "unfiltered_html"}, {"name": "ARGS", "type": "regex", "value": "~<(?:script|iframe|embed|object|form|meta|base|link)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|keydown|keyup|mouseout|mouseenter|mouseleave|dblclick|contextmenu|input|invalid|reset|search|select|drag|drop|copy|cut|paste|abort|canplay|ended|pause|play|progress|ratechange|seeked|seeking|stalled|suspend|waiting|toggle|popstate|hashchange|beforeunload|unload|message|storage|animationstart|animationend|animationiteration|transitionend)\\\\s*=|javascript\\\\s*:/~i"}], "cve": "CVE-2025-11928", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11928", "description": "CSS & JavaScript Toolbox <=12.0.5 Stored XSS via cjtoolbox_set_property AJAX handler", "method": "POST", "mode": "block", "severity": 4.4, "slug": "css-javascript-toolbox", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=12.0.5"}, "RULE-CVE-2025-11928-02": {"ajax_action": "cjtoolbox_create", "conditions": [{"type": "missing_capability", "value": "unfiltered_html"}, {"name": "ARGS", "type": "regex", "value": "~<(?:script|iframe|embed|object|form|meta|base|link)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|keydown|keyup|mouseout|mouseenter|mouseleave|dblclick|contextmenu|input|invalid|reset|search|select|drag|drop|copy|cut|paste|abort|canplay|ended|pause|play|progress|ratechange|seeked|seeking|stalled|suspend|waiting|toggle|popstate|hashchange|beforeunload|unload|message|storage|animationstart|animationend|animationiteration|transitionend)\\\\s*=|javascript\\\\s*:/~i"}], "cve": "CVE-2025-11928", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11928", "description": "CSS & JavaScript Toolbox <=12.0.5 Stored XSS via cjtoolbox_create AJAX handler", "method": "POST", "mode": "block", "severity": 4.4, "slug": "css-javascript-toolbox", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=12.0.5"}, "RULE-CVE-2025-11986-01": {"ajax_action": "crypto_connect_ajax_process", "conditions": [{"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-11986", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11986", "description": "Crypto plugin <=2.22 unauthenticated auth bypass and data injection via crypto_connect_ajax_process AJAX action", "method": "POST", "mode": "block", "severity": 5.3, "slug": "crypto", "tags": ["missing-authentication", "authentication-bypass", "unauthenticated", "information-exposure"], "target": "plugin", "versions": "<=2.22"}, "RULE-CVE-2025-11987-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[visual-link-preview\\\\b[^\\\\]]*(?:<[a-z/!]|(?:\\\\s|\\"|\')on[a-z]+\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11987", "description": "Visual Link Preview <=2.2.7 Stored XSS via visual-link-preview shortcode attributes in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "visual-link-preview", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.2.7"}, "RULE-CVE-2025-11987-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/)?(?:\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[visual-link-preview\\\\b[^\\\\]]*(?:<[a-z/!]|(?:\\\\s|\\"|\')on[a-z]+\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-11987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11987", "description": "Visual Link Preview <=2.2.7 Stored XSS via visual-link-preview shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "visual-link-preview", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.2.7"}, "RULE-CVE-2025-11994-01": {"action": "init", "conditions": [{"name": "ARGS:name", "type": "regex", "value": "~<[a-zA-Z/!]~"}], "cve": "CVE-2025-11994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11994", "description": "Easy Email Subscription <=1.3 unauthenticated stored XSS via subscription form name parameter", "method": "POST", "mode": "block", "severity": 7.2, "slug": "email-subscription-with-secure-captcha", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-11995-01": {"action": "init", "conditions": [{"name": "ARGS:eventdesc", "type": "detectXSS"}], "cve": "CVE-2025-11995", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11995", "description": "Community Events <=1.5.2 unauthenticated stored XSS via event description field in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "community-events", "tags": ["xss", "stored-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-11995-02": {"action": "init", "conditions": [{"name": "ARGS:eventname", "type": "detectXSS"}], "cve": "CVE-2025-11995", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11995", "description": "Community Events <=1.5.2 unauthenticated stored XSS via event name field in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "community-events", "tags": ["xss", "stored-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-11995-03": {"action": "init", "conditions": [{"name": "ARGS:eventaddress", "type": "detectXSS"}], "cve": "CVE-2025-11995", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11995", "description": "Community Events <=1.5.2 unauthenticated stored XSS via event address field in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "community-events", "tags": ["xss", "stored-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-11995-04": {"action": "init", "conditions": [{"name": "ARGS:eventticket", "type": "detectXSS"}], "cve": "CVE-2025-11995", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11995", "description": "Community Events <=1.5.2 unauthenticated stored XSS via event ticket address field in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "community-events", "tags": ["xss", "stored-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-11995-05": {"ajax_action": "community_events_frontend_list", "conditions": [{"name": "ARGS:year", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-11995", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11995", "description": "Community Events <=1.5.2 unauthenticated reflected XSS via year parameter in community_events_frontend_list AJAX handler", "mode": "block", "severity": 7.2, "slug": "community-events", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-11995-06": {"ajax_action": "community_events_admin_list", "conditions": [{"name": "ARGS:currentyear", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-11995", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11995", "description": "Community Events <=1.5.2 unauthenticated reflected XSS via currentyear parameter in community_events_admin_list AJAX handler", "mode": "block", "severity": 7.2, "slug": "community-events", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-11995-07": {"ajax_action": "community_events_click_tracker", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-11995", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11995", "description": "Community Events <=1.5.2 unauthenticated reflected XSS via id parameter in community_events_click_tracker AJAX handler", "mode": "block", "severity": 7.2, "slug": "community-events", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-11999-01": {"ajax_action": "addmultiplemarker_reset_map", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11999", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11999", "description": "Add Multiple Marker <=1.2 unauthenticated map reset via addmultiplemarker_reset_map AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "add-multiple-marker", "tags": ["missing-authorization", "unauthenticated", "data-deletion"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2025-11999-02": {"ajax_action": "amm_save_map_api", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-11999", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-11999", "description": "Add Multiple Marker <=1.2 unauthenticated API key overwrite via amm_save_map_api AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "add-multiple-marker", "tags": ["missing-authorization", "unauthenticated", "settings-manipulation"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2025-12000-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wpfunnels/v1/settings(/|\\\\?|&|$)~"}, {"name": "ARGS:logKey", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:%2e%2e|%252e%252e)[%/\\\\\\\\]|[\\\\\\\\/]etc[\\\\\\\\/]|(?:wp-config\\\\.php|\\\\.htaccess|\\\\.env|(?:^|[\\\\\\\\/])(?:debug\\\\.log|error_log)(?:$|[\\\\\\\\/])))~i"}], "cve": "CVE-2025-12000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12000", "description": "WPFunnels <=3.6.2 authenticated arbitrary file deletion via path traversal in logKey parameter on REST settings endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpfunnels", "tags": ["path-traversal", "arbitrary-file-deletion", "rest-api"], "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2025-12010-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\{al:\\\\s*(?:user_pass|user_activation_key|user_email|user_login|user_registered|user_status)\\\\}~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12010", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12010", "description": "Authors List <=2.0.6.1 authenticated (Contributor+) sensitive information exposure via {al:*} shortcode placeholders in post content", "method": "POST", "mode": "block", "severity": 6.5, "slug": "authors-list", "tags": ["sensitive-information-exposure", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.0.6.1"}, "RULE-CVE-2025-12010-02": {"ajax_action": "update_authors_list_ajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\{al:\\\\s*(?:user_pass|user_activation_key|user_email|user_login|user_registered|user_status)\\\\}~i"}], "cve": "CVE-2025-12010", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12010", "description": "Authors List <=2.0.6.1 unauthenticated sensitive information exposure via update_authors_list_ajax AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "authors-list", "tags": ["sensitive-information-exposure", "shortcode", "unauthenticated"], "target": "plugin", "versions": "<=2.0.6.1"}, "RULE-CVE-2025-12010-03": {"ajax_action": "authors_list_display_edit_item_preview_ajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\{al:\\\\s*(?:user_pass|user_activation_key|user_email|user_login|user_registered|user_status)\\\\}~i"}], "cve": "CVE-2025-12010", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12010", "description": "Authors List <=2.0.6.1 authenticated sensitive information exposure via authors_list_display_edit_item_preview_ajax AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "authors-list", "tags": ["sensitive-information-exposure", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.0.6.1"}, "RULE-CVE-2025-12018-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[fnd]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[fnd] admin setting (attribute context)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[rsp]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[rsp] admin setting (attribute context)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[mol]", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|form)|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*;base64~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[mol] member login message", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-04": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[moe]", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|form)|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*;base64~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[moe] membership expired message", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-05": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[mon]", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|form)|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*;base64~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[mon] no-access message", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-06": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[moi]", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|form)|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*;base64~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[moi] session expired message", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-07": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[org]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[org] data attribute injection", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-08": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[out]", "type": "regex", "value": "~(?:javascript\\\\s*:|\\"\\\\s*(?:on\\\\w+\\\\s*=|>)|<\\\\s*(?:script|img|svg|iframe))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[out] logout redirect URL", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-09": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[top]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[top] data attribute injection", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-10": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[fbk]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[fbk] Facebook App ID attribute injection", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12018-11": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "sf_admin_group"}, {"name": "ARGS:sf_set[map]", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12018", "description": "MembershipWorks <=6.14 stored XSS via sf_set[map] Google Maps API key attribute injection", "method": "POST", "mode": "block", "severity": 4.4, "slug": "memberfindme", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=6.14"}, "RULE-CVE-2025-12021-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-login\\\\.php~"}, {"name": "ARGS:error_description", "type": "detectXSS"}], "cve": "CVE-2025-12021", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12021", "description": "WP-OAuth <=0.4.1 Reflected XSS via error_description parameter on wp-login.php", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wp-oauth", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.4.1"}, "RULE-CVE-2025-12021-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~login-google\\\\.php~"}, {"name": "ARGS:error_description", "type": "detectXSS"}], "cve": "CVE-2025-12021", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12021", "description": "WP-OAuth <=0.4.1 Reflected XSS via error_description parameter on login-google.php", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wp-oauth", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.4.1"}, "RULE-CVE-2025-12034-01": {"action": "admin_init", "conditions": [{"name": "ARGS:fvm_settings[cdn][domain]", "type": "regex", "value": "~[\\"\'<>]~"}], "cve": "CVE-2025-12034", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12034", "description": "Fast Velocity Minify <=3.5.1 Stored XSS via CDN domain settings field (domain key)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "fast-velocity-minify", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=3.5.1"}, "RULE-CVE-2025-12034-02": {"action": "admin_init", "conditions": [{"name": "ARGS:fvm_settings[cdn][url]", "type": "regex", "value": "~[\\"\'<>]~"}], "cve": "CVE-2025-12034", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12034", "description": "Fast Velocity Minify <=3.5.1 Stored XSS via CDN url settings field (legacy url key)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "fast-velocity-minify", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=3.5.1"}, "RULE-CVE-2025-12042-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]course-booking-system[/\\\\\\\\](includes[/\\\\\\\\])?csv-export\\\\.php([?#]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12042", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12042", "description": "Course Booking System <=6.1.5 unauthenticated booking data export via direct access to csv-export.php", "method": "GET", "mode": "block", "severity": 5.3, "slug": "course-booking-system", "tags": ["missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-12045-01": {"ajax_action": "add-tag", "conditions": [{"name": "ARGS:tag-name", "type": "detectXSS"}], "cve": "CVE-2025-12045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12045", "description": "Orbit Fox Companion <=3.0.2 Stored XSS via taxonomy term name in add-tag AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "themeisle-companion", "tags": ["xss", "stored-xss", "taxonomy"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-12045-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/tags(/|\\\\?|&|$)~"}, {"name": "ARGS:name", "type": "detectXSS"}], "cve": "CVE-2025-12045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12045", "description": "Orbit Fox Companion <=3.0.2 Stored XSS via tag name through REST /wp/v2/tags endpoint", "method": "POST", "mode": "block", "severity": 6.4, "slug": "themeisle-companion", "tags": ["xss", "stored-xss", "rest-api", "taxonomy"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-12045-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/categories(/|\\\\?|&|$)~"}, {"name": "ARGS:name", "type": "detectXSS"}], "cve": "CVE-2025-12045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12045", "description": "Orbit Fox Companion <=3.0.2 Stored XSS via category name through REST /wp/v2/categories endpoint", "method": "POST", "mode": "block", "severity": 6.4, "slug": "themeisle-companion", "tags": ["xss", "stored-xss", "rest-api", "taxonomy"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-12062-01": {"ajax_action": "core_templates", "conditions": [{"name": "ARGS:template_name", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2025-12062", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12062", "description": "WP Maps plugin <=4.8.6 Local File Inclusion via template_name parameter in core_templates AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-google-map-plugin", "tags": ["local-file-inclusion", "path-traversal", "authenticated"], "target": "plugin", "versions": "<=4.8.6"}, "RULE-CVE-2025-12062-02": {"ajax_action": "core_templates", "conditions": [{"name": "ARGS:template_type", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2025-12062", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12062", "description": "WP Maps plugin <=4.8.6 Local File Inclusion via template_type parameter in core_templates AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-google-map-plugin", "tags": ["local-file-inclusion", "path-traversal", "authenticated"], "target": "plugin", "versions": "<=4.8.6"}, "RULE-CVE-2025-12064-01": {"ajax_action": "xyz_fbap_del_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12064", "description": "WP2Social Auto Publish <=2.4.7 Reflected XSS via xyzscripts_user_hash in xyz_fbap_del_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "facebook-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2025-12064-02": {"ajax_action": "xyz_fbap_del_fb_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12064", "description": "WP2Social Auto Publish <=2.4.7 Reflected XSS via xyzscripts_user_hash in xyz_fbap_del_fb_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "facebook-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2025-12066-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "wpedpcampaign"}, {"name": "ARGS", "type": "regex", "value": "~<[^>]*(?:on\\\\w+\\\\s*=|(?:src|href|action)\\\\s*=\\\\s*[\\"\']?javascript:|xmlns)|<\\\\s*(?:script|iframe|object|embed|svg|math)~i"}], "cve": "CVE-2025-12066", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12066", "description": "WP Delete Post Copies <=6.0.2 stored XSS via campaign meta box fields on save_post", "method": "POST", "mode": "block", "severity": 4.4, "slug": "etruel-del-post-copies", "tags": ["xss", "stored-xss", "admin-plus"], "target": "plugin", "versions": "<=6.0.2"}, "RULE-CVE-2025-12067-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS", "type": "regex", "value": "~\\"c\\"\\\\s*:\\\\s*\\".*(?:<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|toggle|change|input)\\\\s*=|javascript\\\\s*:).*\\"~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12067", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12067", "description": "Table Field Add-on for ACF and SCF <=1.3.30 authenticated (Contributor+) stored XSS via table cell content in post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-custom-fields-table-field", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.3.30"}, "RULE-CVE-2025-12067-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~\\"c\\"\\\\s*:\\\\s*\\".*(?:<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|toggle|change|input)\\\\s*=|javascript\\\\s*:).*\\"~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12067", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12067", "description": "Table Field Add-on for ACF and SCF <=1.3.30 authenticated (Contributor+) stored XSS via REST API post update with table cell content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-custom-fields-table-field", "tags": ["xss", "stored-xss", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.3.30"}, "RULE-CVE-2025-12076-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "social-media-auto-publish"}, {"name": "ARGS:ln_auth_err", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via ln_auth_err parameter on admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "social-media-auto-publish"}, {"name": "ARGS:th_auth_err", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via th_auth_err parameter on admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "social-media-auto-publish"}, {"name": "ARGS:tw_auth_err", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via tw_auth_err parameter on admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "social-media-auto-publish"}, {"name": "ARGS:xyz_smap_bot_token", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyz_smap_bot_token parameter on admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-05": {"ajax_action": "xyz_smap_del_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-06": {"ajax_action": "xyz_smap_del_ln_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_ln_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-07": {"ajax_action": "xyz_smap_del_tw_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_tw_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-08": {"ajax_action": "xyz_smap_del_ig_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_ig_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-09": {"ajax_action": "xyz_smap_del_fb_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_fb_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-10": {"ajax_action": "xyz_smap_del_lnuser_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_lnuser_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-11": {"ajax_action": "xyz_smap_del_twuser_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_twuser_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12076-12": {"ajax_action": "xyz_smap_del_iguser_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12076", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12076", "description": "Social Media Auto Publish <=3.6.5 reflected XSS via xyzscripts_user_hash in xyz_smap_del_iguser_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "social-media-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2025-12077-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "linkedin-auto-publish"}, {"name": "ARGS:ln_auth_err", "type": "detectXSS"}], "cve": "CVE-2025-12077", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12077", "description": "WP to LinkedIn Auto Publish <=1.9.8 reflected XSS via ln_auth_err parameter on plugin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "linkedin-auto-publish", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.9.8"}, "RULE-CVE-2025-12077-02": {"ajax_action": "xyz_lnap_del_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12077", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12077", "description": "WP to LinkedIn Auto Publish <=1.9.8 reflected XSS via xyzscripts_user_hash in xyz_lnap_del_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "linkedin-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=1.9.8"}, "RULE-CVE-2025-12077-03": {"ajax_action": "xyz_lnap_del_lnuser_entries", "conditions": [{"name": "ARGS:xyzscripts_user_hash", "type": "detectXSS"}], "cve": "CVE-2025-12077", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12077", "description": "WP to LinkedIn Auto Publish <=1.9.8 reflected XSS via xyzscripts_user_hash in xyz_lnap_del_lnuser_entries AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "linkedin-auto-publish", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=1.9.8"}, "RULE-CVE-2025-12089-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\/]){2,}.*(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-12089", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12089", "description": "Data Tables Generator by Supsystic <=1.10.45 authenticated arbitrary file deletion via path traversal in cleanCache()", "method": "POST", "mode": "block", "severity": 6.5, "slug": "data-tables-generator-by-supsystic", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.10.45"}, "RULE-CVE-2025-12089-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "supsystic-tables"}, {"name": "ARGS", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\/]){2,}.*(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-12089", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12089", "description": "Data Tables Generator by Supsystic <=1.10.45 authenticated arbitrary file deletion via path traversal in cleanCache() (GET admin page)", "method": "GET", "mode": "block", "severity": 6.5, "slug": "data-tables-generator-by-supsystic", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.10.45"}, "RULE-CVE-2025-12092-01-0": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "cyan-backup"}, {"name": "ARGS:remove[0]", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2025-12092", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12092", "description": "CYAN Backup <=2.5.4 authenticated arbitrary file deletion via path traversal in backup remove parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "cyan-backup", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=2.5.4"}, "RULE-CVE-2025-12092-01-1": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "cyan-backup"}, {"name": "ARGS:remove[1]", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2025-12092", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12092", "description": "CYAN Backup <=2.5.4 authenticated arbitrary file deletion via path traversal in backup remove parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "cyan-backup", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=2.5.4"}, "RULE-CVE-2025-12092-01-2": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "cyan-backup"}, {"name": "ARGS:remove[2]", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2025-12092", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12092", "description": "CYAN Backup <=2.5.4 authenticated arbitrary file deletion via path traversal in backup remove parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "cyan-backup", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=2.5.4"}, "RULE-CVE-2025-12092-01-3": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "cyan-backup"}, {"name": "ARGS:remove[3]", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2025-12092", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12092", "description": "CYAN Backup <=2.5.4 authenticated arbitrary file deletion via path traversal in backup remove parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "cyan-backup", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=2.5.4"}, "RULE-CVE-2025-12092-01-4": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "cyan-backup"}, {"name": "ARGS:remove[4]", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2025-12092", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12092", "description": "CYAN Backup <=2.5.4 authenticated arbitrary file deletion via path traversal in backup remove parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "cyan-backup", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=2.5.4"}, "RULE-CVE-2025-12109-01": {"action": "init", "conditions": [{"name": "ARGS:asm_header_scripts", "type": "regex", "value": "~<(?:script|iframe|embed|object|applet|form|meta)|\\\\bon(?:error|load|click|mouse(?:over|out|enter|move)|focus|blur|key(?:down|up|press)|submit|change|input|reset)\\\\s*=|javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12109", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12109", "description": "Header Footer Script Adder <=2.0.5 authenticated (Contributor+) stored XSS via asm_header_scripts parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "header-and-footer-script-adder", "tags": ["xss", "stored-xss", "missing-capability"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2025-12109-02": {"action": "init", "conditions": [{"name": "ARGS:asm_body_scripts", "type": "regex", "value": "~<(?:script|iframe|embed|object|applet|form|meta)|\\\\bon(?:error|load|click|mouse(?:over|out|enter|move)|focus|blur|key(?:down|up|press)|submit|change|input|reset)\\\\s*=|javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12109", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12109", "description": "Header Footer Script Adder <=2.0.5 authenticated (Contributor+) stored XSS via asm_body_scripts parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "header-and-footer-script-adder", "tags": ["xss", "stored-xss", "missing-capability"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2025-12109-03": {"action": "init", "conditions": [{"name": "ARGS:asm_footer_scripts", "type": "regex", "value": "~<(?:script|iframe|embed|object|applet|form|meta)|\\\\bon(?:error|load|click|mouse(?:over|out|enter|move)|focus|blur|key(?:down|up|press)|submit|change|input|reset)\\\\s*=|javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12109", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12109", "description": "Header Footer Script Adder <=2.0.5 authenticated (Contributor+) stored XSS via asm_footer_scripts parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "header-and-footer-script-adder", "tags": ["xss", "stored-xss", "missing-capability"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2025-12126-01": {"ajax_action": "ttbp_add_chapter", "conditions": [{"name": "ARGS:book_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-12126", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126", "description": "The Total Book Project <=1.0.0 IDOR allows Contributor+ to add chapters to others\' books via ttbp_add_chapter", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-total-book-project", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12126-02": {"ajax_action": "ttbp_delete_chapter", "conditions": [{"name": "ARGS:chapter_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-12126", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126", "description": "The Total Book Project <=1.0.0 IDOR allows Contributor+ to delete others\' chapters via ttbp_delete_chapter", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-total-book-project", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12126-03": {"ajax_action": "ttbp_update_chapter_order", "conditions": [{"name": "ARGS:book_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-12126", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126", "description": "The Total Book Project <=1.0.0 IDOR allows Contributor+ to reorder others\' chapters via ttbp_update_chapter_order", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-total-book-project", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12126-04": {"ajax_action": "ttbp_assign_chapter_to_book", "conditions": [{"name": "ARGS:chapter_id", "type": "exists"}, {"name": "ARGS:book_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-12126", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12126", "description": "The Total Book Project <=1.0.0 IDOR allows Contributor+ to reassign others\' chapters via ttbp_assign_chapter_to_book", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-total-book-project", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12129-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/cubewp-posts/v1/query(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-12129", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12129", "description": "CubeWP Framework <=1.1.27 unauthenticated information exposure via /cubewp-posts/v1/query REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "cubewp-framework", "tags": ["information-exposure", "missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.27"}, "RULE-CVE-2025-12129-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/cubewp-posts/v1/query-new(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-12129", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12129", "description": "CubeWP Framework <=1.1.27 unauthenticated information exposure via /cubewp-posts/v1/query-new REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "cubewp-framework", "tags": ["information-exposure", "missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.27"}, "RULE-CVE-2025-12137-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/importwp/v1/importer/\\\\d+/file(?:/|\\\\?|$)~"}, {"name": "ARGS:local_url", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|/etc/shadow|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log|(?:\\\\.\\\\.[\\\\\\\\/]){2,})~i"}], "cve": "CVE-2025-12137", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12137", "description": "Import WP <=2.14.16 authenticated (admin+) arbitrary file read via local_url parameter in REST API file_local import", "method": "POST", "mode": "block", "severity": 4.9, "slug": "jc-importer", "tags": ["arbitrary-file-read", "path-traversal", "rest-api"], "target": "plugin", "versions": "<=2.14.16"}, "RULE-CVE-2025-12138-01": {"ajax_action": "uimptr_import_single_url", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~\\\\.(?:php\\\\d?|phps|phtml|pht|phar)(?:[/?#%&\\"\'<>\\\\s]|%[0-9a-fA-F]{2}|$)~i"}], "cve": "CVE-2025-12138", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12138", "description": "URL Image Importer <=1.0.6 authenticated (Author+) arbitrary file upload via uimptr_import_single_url AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "url-image-importer", "tags": ["arbitrary-file-upload", "content-type-spoofing", "authenticated"], "target": "plugin", "versions": "<=1.0.6"}, "RULE-CVE-2025-12151-01": {"action": "admin_init", "conditions": [{"name": "ARGS:simple_folio_action", "type": "equals", "value": "add_simple_folio"}, {"name": "ARGS:portfolio_name", "type": "detectXSS"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12151", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12151", "description": "Simple Folio <=1.1.0 Stored XSS via portfolio_name parameter in add_simple_folio handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-folio", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.1.0"}, "RULE-CVE-2025-12151-02": {"action": "admin_init", "conditions": [{"name": "ARGS:simple_folio_action", "type": "equals", "value": "remove_portfolio"}, {"name": "ARGS:id", "type": "detectXSS"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12151", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12151", "description": "Simple Folio <=1.1.0 Stored XSS via id parameter in remove_portfolio handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-folio", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.1.0"}, "RULE-CVE-2025-12159-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[bt_bb_raw_content[\\\\s\\\\]>]~i"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:<|<|�*60;|�*3c;)\\\\s*(?:script|iframe|embed|object|svg|math|details)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|toggle|animationend|beforeprint)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12159", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12159", "description": "Bold Page Builder <=5.4.8 Stored XSS via bt_bb_raw_content shortcode in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bold-page-builder", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=5.4.8"}, "RULE-CVE-2025-12159-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bt_bb_raw_content[\\\\s\\\\]>]~i"}, {"name": "ARGS:post_content", "type": "regex", "value": "~(?:<|<|�*60;|�*3c;)\\\\s*(?:script|iframe|embed|object|svg|math|details)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|toggle|animationend|beforeprint)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12159", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12159", "description": "Bold Page Builder <=5.4.8 Stored XSS via bt_bb_raw_content shortcode in post_content field", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bold-page-builder", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=5.4.8"}, "RULE-CVE-2025-12159-03": {"ajax_action": "bt_bb_get_html", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[bt_bb_raw_content[\\\\s\\\\]>]~i"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:<|<|�*60;|�*3c;)\\\\s*(?:script|iframe|embed|object|svg|math|details)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|toggle|animationend|beforeprint)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12159", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12159", "description": "Bold Page Builder <=5.4.8 Stored XSS via bt_bb_get_html AJAX handler processing bt_bb_raw_content shortcode", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bold-page-builder", "tags": ["xss", "stored-xss", "shortcode", "ajax"], "target": "plugin", "versions": "<=5.4.8"}, "RULE-CVE-2025-12159-04": {"ajax_action": "bt_bb_fe_get_html", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[bt_bb_raw_content[\\\\s\\\\]>]~i"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:<|<|�*60;|�*3c;)\\\\s*(?:script|iframe|embed|object|svg|math|details)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|toggle|animationend|beforeprint)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12159", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12159", "description": "Bold Page Builder <=5.4.8 Stored XSS via bt_bb_fe_get_html AJAX handler processing bt_bb_raw_content shortcode", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bold-page-builder", "tags": ["xss", "stored-xss", "shortcode", "ajax"], "target": "plugin", "versions": "<=5.4.8"}, "RULE-CVE-2025-12160-01A": {"ajax_action": "admin_send_message_user", "conditions": [{"name": "ARGS:wpr_admin_msg", "type": "detectXSS"}], "cve": "CVE-2025-12160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12160", "description": "Simple User Registration <=6.6 unauthenticated stored XSS via wpr_admin_msg in admin_send_message_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-registration", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=6.6"}, "RULE-CVE-2025-12160-01B": {"ajax_action": "admin_send_message_user", "conditions": [{"name": "ARGS:wpr_admin_msg[all]", "type": "detectXSS"}], "cve": "CVE-2025-12160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12160", "description": "Simple User Registration <=6.6 unauthenticated stored XSS via wpr_admin_msg[all] in admin_send_message_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-registration", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=6.6"}, "RULE-CVE-2025-12160-01C": {"ajax_action": "admin_send_message_user", "conditions": [{"name": "ARGS:wpr_admin_msg[subscriber]", "type": "detectXSS"}], "cve": "CVE-2025-12160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12160", "description": "Simple User Registration <=6.6 unauthenticated stored XSS via wpr_admin_msg[subscriber] in admin_send_message_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-registration", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=6.6"}, "RULE-CVE-2025-12160-01D": {"ajax_action": "admin_send_message_user", "conditions": [{"name": "ARGS:wpr_admin_msg[editor]", "type": "detectXSS"}], "cve": "CVE-2025-12160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12160", "description": "Simple User Registration <=6.6 unauthenticated stored XSS via wpr_admin_msg[editor] in admin_send_message_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-registration", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=6.6"}, "RULE-CVE-2025-12160-01E": {"ajax_action": "admin_send_message_user", "conditions": [{"name": "ARGS:wpr_admin_msg[author]", "type": "detectXSS"}], "cve": "CVE-2025-12160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12160", "description": "Simple User Registration <=6.6 unauthenticated stored XSS via wpr_admin_msg[author] in admin_send_message_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-registration", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=6.6"}, "RULE-CVE-2025-12160-01F": {"ajax_action": "admin_send_message_user", "conditions": [{"name": "ARGS:wpr_admin_msg[contributor]", "type": "detectXSS"}], "cve": "CVE-2025-12160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12160", "description": "Simple User Registration <=6.6 unauthenticated stored XSS via wpr_admin_msg[contributor] in admin_send_message_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-registration", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=6.6"}, "RULE-CVE-2025-12160-01G": {"ajax_action": "admin_send_message_user", "conditions": [{"name": "ARGS:wpr_admin_msg[administrator]", "type": "detectXSS"}], "cve": "CVE-2025-12160", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12160", "description": "Simple User Registration <=6.6 unauthenticated stored XSS via wpr_admin_msg[administrator] in admin_send_message_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-registration", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=6.6"}, "RULE-CVE-2025-12161-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<img[^>]+src=[\\"\']https?://[^\\"\']+\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm)(?:(?:%[0-9A-Fa-f]{2})|[?#\\"\'\\\\s>])~i"}], "cve": "CVE-2025-12161", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12161", "description": "Smart Auto Upload Images <=1.2.0 arbitrary file upload via external URL with dangerous extension in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "smart-auto-upload-images", "tags": ["arbitrary-file-upload", "unsafe-file-type", "authenticated"], "target": "plugin", "versions": "<=1.2.0"}, "RULE-CVE-2025-12161-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~<img[^>]+src=[\\"\']https?://[^\\"\']+\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm)(?:(?:%[0-9A-Fa-f]{2})|[?#\\"\'\\\\s>])~i"}], "cve": "CVE-2025-12161", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12161", "description": "Smart Auto Upload Images <=1.2.0 arbitrary file upload via external URL with dangerous extension in post content (REST API)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "smart-auto-upload-images", "tags": ["arbitrary-file-upload", "unsafe-file-type", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.2.0"}, "RULE-CVE-2025-12170-01": {"ajax_action": "checkbox_clean_log", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12170", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12170", "description": "Checkbox <=2.8.10 missing authorization on checkbox_clean_log AJAX endpoint allows unauthenticated log clearing", "mode": "block", "severity": 5.3, "slug": "checkbox", "tags": ["missing-authorization", "unauthenticated", "data-loss"], "target": "plugin", "versions": "<=2.8.10"}, "RULE-CVE-2025-12192-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/tribe_events/v2/[^/]{0,5}/sysinfo~"}], "cve": "CVE-2025-12192", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12192", "description": "The Events Calendar <=6.15.9 unauthenticated information disclosure via sysinfo REST endpoint loose key comparison", "method": "GET", "mode": "block", "severity": 5.3, "slug": "the-events-calendar", "tags": ["information-disclosure", "type-juggling", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=6.15.9"}, "RULE-CVE-2025-1232-01": {"action": "init", "conditions": [{"name": "ARGS:_action", "type": "equals", "value": "submit-review"}, {"name": "ARGS:title", "type": "regex", "value": "~<(?:iframe|script|embed|object|form|meta|link|base)\\\\b|\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-1232", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1232", "description": "Site Reviews <=7.2.4 unauthenticated stored XSS via review title on submit-review action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "site-reviews", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=7.2.4"}, "RULE-CVE-2025-1232-02": {"action": "init", "conditions": [{"name": "ARGS:_action", "type": "equals", "value": "submit-review"}, {"name": "ARGS:content", "type": "regex", "value": "~<(?:iframe|script|embed|object|form|meta|link|base)\\\\b|\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-1232", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1232", "description": "Site Reviews <=7.2.4 unauthenticated stored XSS via review content on submit-review action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "site-reviews", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=7.2.4"}, "RULE-CVE-2025-12324-01": {"ajax_action": "tablepress_save", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:[\'\\"]\\\\s*\\\\)\\\\s*;|</script|<script|\\\\\\\\x3c\\\\s*script)~i"}], "cve": "CVE-2025-12324", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12324", "description": "TablePress <=3.2.4 Authenticated (Contributor+) Stored XSS via DataTables datetime format JS injection", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "javascript-injection"], "target": "plugin", "versions": "<=3.2.4"}, "RULE-CVE-2025-12348-01": {"ajax_action": "ig_es_run_action_scheduler_task", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12348", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12348", "description": "Icegram Express (Email Subscribers) <=5.9.10 unauthenticated scheduled task execution via ig_es_run_action_scheduler_task AJAX (POST)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "email-subscribers", "tags": ["missing-authentication", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=5.9.10"}, "RULE-CVE-2025-12348-02": {"ajax_action": "ig_es_run_action_scheduler_task", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12348", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12348", "description": "Icegram Express (Email Subscribers) <=5.9.10 unauthenticated scheduled task execution via ig_es_run_action_scheduler_task AJAX (GET)", "method": "GET", "mode": "block", "severity": 5.3, "slug": "email-subscribers", "tags": ["missing-authentication", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=5.9.10"}, "RULE-CVE-2025-12353-01": {"ajax_action": "wpfnl_optin_submission", "conditions": [{"name": "ARGS:optin_allow_registration", "type": "equals", "value": "yes"}], "cve": "CVE-2025-12353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12353", "description": "WPFunnels <=3.6.2 unauthorized user registration via optin_allow_registration parameter on wpfnl_optin_submission AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wpfunnels", "tags": ["authorization-bypass", "user-registration", "unauthenticated"], "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2025-12353-02": {"ajax_action": "wpfnl_gutenberg_optin_submission", "conditions": [{"name": "ARGS:optin_allow_registration", "type": "equals", "value": "yes"}], "cve": "CVE-2025-12353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12353", "description": "WPFunnels <=3.6.2 unauthorized user registration via optin_allow_registration parameter on wpfnl_gutenberg_optin_submission AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wpfunnels", "tags": ["authorization-bypass", "user-registration", "unauthenticated"], "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2025-12353-03": {"ajax_action": "wpfnl_shortcode_optin_submission", "conditions": [{"name": "ARGS:optin_allow_registration", "type": "equals", "value": "yes"}], "cve": "CVE-2025-12353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12353", "description": "WPFunnels <=3.6.2 unauthorized user registration via optin_allow_registration parameter on wpfnl_shortcode_optin_submission AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wpfunnels", "tags": ["authorization-bypass", "user-registration", "unauthenticated"], "target": "plugin", "versions": "<=3.6.2"}, "RULE-CVE-2025-12368-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[sermon-views\\\\b[^\\\\]]*(?:<script|on[a-z]+=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-12368", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12368", "description": "Sermon Manager <=2.30.0 Stored XSS via sermon-views shortcode in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "sermon-manager-for-wordpress", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.30.0"}, "RULE-CVE-2025-12375-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/printful/v2/advanced-size-chart(/|\\\\?|$)~"}, {"name": "ARGS:url", "type": "regex", "value": "~://(?:localhost|127\\\\.|10\\\\.|0\\\\.|169\\\\.254|172\\\\.(?:1[6-9]|2\\\\d|3[01])|192\\\\.168|\\\\[::1\\\\]|\\\\[0:|0\\\\.0\\\\.0\\\\.0)~i"}], "cve": "CVE-2025-12375", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12375", "description": "Printful Integration for WooCommerce <=2.2.11 authenticated SSRF via advanced size chart REST API endpoint", "method": "GET", "mode": "block", "severity": 6.4, "slug": "printful-shipping-for-woocommerce", "tags": ["ssrf", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.2.11"}, "RULE-CVE-2025-12376-01": {"ajax_action": "fs_api_request", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "fs_api_request"}, {"name": "ARGS:url", "type": "regex", "value": "~^(?:https?:)?//~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12376", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12376", "description": "Icon List Block <=1.2.1 authenticated (Subscriber+) SSRF via fs_api_request AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "icon-list-block", "tags": ["ssrf", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2025-12379-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "elementor_ajax"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:title_tag|title_tag_secondary)(?:\\\\\\\\?[\\"\']\\\\s*:\\\\s*\\\\\\\\?[\\"\'])(?!(?:h[1-6]|div|span|p)\\\\\\\\?[\\"\'])~i"}], "cve": "CVE-2025-12379", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12379", "description": "Auxin Elements <=2.17.13 Stored XSS via Modern Heading widget title_tag/title_tag_secondary in Elementor AJAX save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "auxin-elements", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.17.13"}, "RULE-CVE-2025-12379-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/\\\\d+)?(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~(?:title_tag|title_tag_secondary)(?:\\\\\\\\?[\\"\']\\\\s*:\\\\s*\\\\\\\\?[\\"\'])(?!(?:h[1-6]|div|span|p)\\\\\\\\?[\\"\'])~i"}], "cve": "CVE-2025-12379", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12379", "description": "Auxin Elements <=2.17.13 Stored XSS via Modern Heading widget title_tag/title_tag_secondary in REST API post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "auxin-elements", "tags": ["xss", "stored-xss", "elementor-widget", "rest-api"], "target": "plugin", "versions": "<=2.17.13"}, "RULE-CVE-2025-12384-01": {"ajax_action": "bplde_save_document_library", "conditions": [{"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-12384", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12384", "description": "Document Embedder <=2.0.0 unauthenticated document creation/update via bplde_save_document_library AJAX action", "method": "POST", "mode": "block", "severity": 8.6, "slug": "document-emberdder", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-12384-02": {"ajax_action": "bplde_get_all", "conditions": [{"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-12384", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12384", "description": "Document Embedder <=2.0.0 unauthenticated document listing via bplde_get_all AJAX action", "method": "POST", "mode": "block", "severity": 8.6, "slug": "document-emberdder", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-12384-03": {"ajax_action": "bplde_get_single", "conditions": [{"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-12384", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12384", "description": "Document Embedder <=2.0.0 unauthenticated document read via bplde_get_single AJAX action", "method": "POST", "mode": "block", "severity": 8.6, "slug": "document-emberdder", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-12384-04": {"ajax_action": "bplde_delete_document_library", "conditions": [{"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-12384", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12384", "description": "Document Embedder <=2.0.0 unauthenticated document deletion via bplde_delete_document_library AJAX action", "method": "POST", "mode": "block", "severity": 8.6, "slug": "document-emberdder", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-12388-01": {"ajax_action": "bicbPipeChecker", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~(?:^https?://(?:127\\\\.|10\\\\.|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.|192\\\\.168\\\\.|0\\\\.|localhost|0x7f000001|2130706433|\\\\[::1\\\\]|\\\\[::ffff:|169\\\\.254\\\\.)|\\\\.internal[/:\\\\s]|^(?!https?://).+://)~i"}], "cve": "CVE-2025-12388", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12388", "description": "B Carousel Block <=1.1.5 authenticated (Subscriber+) SSRF via bicbPipeChecker AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "b-carousel-block", "tags": ["ssrf", "missing-authorization", "server-side-request-forgery"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-12392-01": {"action": "admin_post_nopriv_handle_optin_optout", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "handle_optin_optout"}], "cve": "CVE-2025-12392", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12392", "description": "TripleA Cryptocurrency Payment Gateway for WooCommerce <=2.0.25 missing authorization on handle_optin_optout allows unauthenticated tracking status update", "mode": "block", "severity": 5.3, "slug": "triplea-cryptocurrency-payment-gateway-for-woocommerce", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=2.0.25"}, "RULE-CVE-2025-12392-02": {"action": "admin_post_handle_optin_optout", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "handle_optin_optout"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12392", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12392", "description": "TripleA Cryptocurrency Payment Gateway for WooCommerce <=2.0.25 missing authorization on handle_optin_optout allows low-privilege tracking status update", "mode": "block", "severity": 5.3, "slug": "triplea-cryptocurrency-payment-gateway-for-woocommerce", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.0.25"}, "RULE-CVE-2025-12402-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "linkedinresume.php"}, {"name": "ARGS:update_linkedinresumeSettings", "type": "exists"}, {"name": "ARGS:linkedinId", "type": "detectXSS"}], "cve": "CVE-2025-12402", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12402", "description": "LinkedIn Resume <=2.00 CSRF to Stored XSS via unsanitized linkedinId parameter in admin settings", "method": "POST", "mode": "block", "severity": 6.1, "slug": "linkedin-resume", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=2.00"}, "RULE-CVE-2025-12402-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "linkedinresume.php"}, {"name": "REQUEST_URI", "type": "regex", "value": "~<script[^>]*>|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|%3Cscript|%3E%3Cscript~i"}], "cve": "CVE-2025-12402", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12402", "description": "LinkedIn Resume <=2.00 Reflected XSS via unsanitized REQUEST_URI in admin page form action", "mode": "block", "severity": 6.1, "slug": "linkedin-resume", "tags": ["csrf", "xss", "reflected-xss"], "target": "plugin", "versions": "<=2.00"}, "RULE-CVE-2025-12406-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:access_key", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via access_key parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:honey_pot1", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via honey_pot1 parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:honey_pot2", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via honey_pot2 parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "ARGS:update_honeyPotSettings", "type": "exists"}, {"name": "ARGS:output_to_all", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 CSRF to Stored XSS via output_to_all parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12406-05": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "project-honey-pot-spam-trap"}, {"name": "REQUEST_URI", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|(?:^|[\\\\s\\"\'<>])on[a-z]+\\\\s*=|%3c[a-z/!]|%6a%61%76%61%73%63%72%69%70%74~i"}], "cve": "CVE-2025-12406", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12406", "description": "Project Honey Pot Spam Trap <=1.0.1 Reflected XSS via REQUEST_URI in settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "project-honey-pot-spam-trap", "tags": ["csrf", "xss", "reflected-xss"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-12408-01": {"action": "init", "conditions": [{"name": "ARGS:em_ajax_action", "type": "equals", "value": "get_location"}, {"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-12408", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12408", "description": "Events Manager <=7.2.2.2 unauthenticated information exposure via get_location custom AJAX dispatcher", "mode": "block", "severity": 5.3, "slug": "events-manager", "tags": ["information-exposure", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=7.2.2.2"}, "RULE-CVE-2025-12449-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/get_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on get_settings AJAX action exposes sensitive API keys to Subscriber+", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-02": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/save_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on save_settings AJAX action allows Subscriber+ to modify plugin settings and API keys", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-03": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/save_block_visibility"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on save_block_visibility AJAX action allows Subscriber+ to toggle block visibility", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-04": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/get_blocks_visibility"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on get_blocks_visibility AJAX action exposes block configuration to Subscriber+", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12449-05": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ablocks/fetch_posts"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12449", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12449", "description": "aBlocks <= 2.4.0 missing authorization on fetch_posts AJAX action allows Subscriber+ to enumerate posts", "mode": "block", "severity": 5.4, "slug": "ablocks", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=2.4.0"}, "RULE-CVE-2025-12450-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^litespeed~i"}, {"name": "ARGS", "type": "regex", "value": "~(?:<script|javascript\\\\s*:|on(?:error|load|focus|click|mouseover)\\\\s*=)~i"}], "cve": "CVE-2025-12450", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12450", "description": "LiteSpeed Cache <=7.5.0.1 Reflected XSS via unsanitized REQUEST_URI in admin page form_action output", "method": "GET", "mode": "block", "severity": 6.1, "slug": "litespeed-cache", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=7.5.0.1"}, "RULE-CVE-2025-12451-01": {"ajax_action": "svg_get_attachment_url", "conditions": [{"name": "ARGS:attachmentID", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-12451", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12451", "description": "Easy SVG Support <=4.0 authenticated stored XSS via missing authorization on svg_get_attachment_url AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "easy-svg", "tags": ["xss", "missing-authorization", "stored-xss", "svg-upload"], "target": "plugin", "versions": "<=4.0"}, "RULE-CVE-2025-12471-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "dpsp-dashboard"}, {"name": "ARGS:dpsp_list_attention_search", "type": "detectXSS"}], "cve": "CVE-2025-12471", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12471", "description": "Hubbub Lite (Social Pug) <=1.36.0 reflected XSS via dpsp_list_attention_search parameter on admin dashboard", "mode": "block", "severity": 6.1, "slug": "social-pug", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.36.0"}, "RULE-CVE-2025-12473-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(?:[/?]|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "themebuilder"}, {"name": "ARGS:themebuilder", "type": "regex", "value": "~(?:%25(?:3[cC]|3[eE]|22|27)|%3[cC]|%3[eE]|%22|%27|<|>|\\"|\'|on(?:error|load)\\\\s*=|<\\\\s*(?:script|img|svg)\\\\b)~i"}], "cve": "CVE-2025-12473", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12473", "description": "RomethemeKit For Elementor <=1.6.8 Reflected XSS via themebuilder parameter", "method": "GET", "mode": "block", "severity": 6.1, "slug": "rometheme-for-elementor", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.6.8"}, "RULE-CVE-2025-12475-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[blocksy_newsletter_subscribe\\\\s[^\\\\]]*(?:<[a-z]|\\\\bon\\\\w+\\\\s*=|javascript:)~is"}], "cve": "CVE-2025-12475", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12475", "description": "Blocksy Companion <=2.1.14 Stored XSS via blocksy_newsletter_subscribe shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "blocksy-companion", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.1.14"}, "RULE-CVE-2025-12475-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[blocksy_newsletter_subscribe\\\\s[^\\\\]]*(?:<[a-z]|\\\\bon\\\\w+\\\\s*=|javascript:)~is"}], "cve": "CVE-2025-12475", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12475", "description": "Blocksy Companion <=2.1.14 Stored XSS via blocksy_newsletter_subscribe shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "blocksy-companion", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.1.14"}, "RULE-CVE-2025-12484-01": {"ajax_action": "rafflepress_lite_giveaway_api", "conditions": [{"name": "ARGS:entry_option", "type": "regex", "value": "~<[a-zA-Z][^>]*(?:>|\\\\bon\\\\w+\\\\s*=)|javascript\\\\s*:|&#(?:60|x3[cC]);~i"}], "cve": "CVE-2025-12484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12484", "description": "RafflePress <=1.12.19 unauthenticated stored XSS via entry_option JSON blob in giveaway API", "method": "POST", "mode": "block", "severity": 7.2, "slug": "rafflepress", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.12.19"}, "RULE-CVE-2025-12493-01": {"ajax_action": "woolentor_load_more_products", "conditions": [{"name": "ARGS:settings", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|%2e%2e(?:%2f|%5c)|\\\\.\\\\.%2f|\\\\.\\\\.%5c)~i"}], "cve": "CVE-2025-12493", "method": "POST", "mode": "block", "severity": 9.8, "slug": "woolentor-addons", "target": "plugin", "versions": "<=3.2.5"}, "RULE-CVE-2025-12499-01": {"ajax_action": "grw_overview_ajax", "conditions": [{"name": "ARGS:place_id", "type": "detectXSS"}], "cve": "CVE-2025-12499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12499", "description": "Rich Shortcodes for Google Reviews <=6.8 stored XSS via place_id in grw_overview_ajax", "method": "POST", "mode": "block", "severity": 7.2, "slug": "widget-google-reviews", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-12499-02": {"ajax_action": "grw_feed_save_ajax", "conditions": [{"name": "ARGS:post_id", "type": "detectXSS"}], "cve": "CVE-2025-12499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12499", "description": "Rich Shortcodes for Google Reviews <=6.8 stored XSS via post_id in grw_feed_save_ajax", "method": "POST", "mode": "block", "severity": 7.2, "slug": "widget-google-reviews", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-12499-03": {"ajax_action": "grw_connect_google", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:img|svg|iframe|object|embed|video|audio|details|math)\\\\b[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-12499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12499", "description": "Rich Shortcodes for Google Reviews <=6.8 stored XSS via unsanitized POST data in grw_connect_google", "method": "POST", "mode": "block", "severity": 7.2, "slug": "widget-google-reviews", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-12499-04": {"ajax_action": "grw_place_autocomplete", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:img|svg|iframe|object|embed|video|audio|details|math)\\\\b[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-12499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12499", "description": "Rich Shortcodes for Google Reviews <=6.8 reflected XSS via unsanitized POST data in grw_place_autocomplete", "method": "POST", "mode": "block", "severity": 7.2, "slug": "widget-google-reviews", "tags": ["xss", "reflected-xss", "ajax"], "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-12499-05": {"ajax_action": "grw_get_place", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:img|svg|iframe|object|embed|video|audio|details|math)\\\\b[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-12499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12499", "description": "Rich Shortcodes for Google Reviews <=6.8 stored XSS via unsanitized Google Place data in grw_get_place", "method": "POST", "mode": "block", "severity": 7.2, "slug": "widget-google-reviews", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-12505-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wedocs/v1/settings(?:/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12505", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12505", "description": "weDocs <=2.1.14 missing authorization on REST settings update allows Subscriber+ to modify global plugin settings", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wedocs", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=2.1.14"}, "RULE-CVE-2025-12537-01": {"ajax_action": "eae_save_config", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12537", "description": "Addon Elements for Elementor <=1.14.3 Authenticated (Contributor+) Stored XSS via eae_save_config AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "addon-elements-for-elementor-page-builder", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.14.3"}, "RULE-CVE-2025-12537-02": {"ajax_action": "eae_elements_save", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12537", "description": "Addon Elements for Elementor <=1.14.3 Authenticated (Contributor+) Stored XSS via eae_elements_save AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "addon-elements-for-elementor-page-builder", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.14.3"}, "RULE-CVE-2025-12538-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "regex", "value": "~^iworks_fleet_(?:person|boat|result)$~"}, {"name": "ARGS", "type": "regex", "value": "~<script[\\\\s/>]|\\\\bon(?:error|load|click|mouseover|focus|blur|toggle|animationend|resize|pointerdown)\\\\s*=|javascript\\\\s*:|<iframe[\\\\s/>]|<svg[\\\\s/]|<embed[\\\\s/>]|<object[\\\\s/>]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12538", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12538", "description": "Fleet Manager <=2.5.1 Stored XSS via unsanitized post meta in person/boat/result custom post type admin columns", "method": "POST", "mode": "block", "severity": 4.4, "slug": "fleet", "tags": ["xss", "stored-xss", "custom-post-type"], "target": "plugin", "versions": "<=2.5.1"}, "RULE-CVE-2025-12539-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]wp-content[/\\\\\\\\]tnc-toolbox-config[/\\\\\\\\]~i"}], "cve": "CVE-2025-12539", "method": "GET", "mode": "block", "severity": 10.0, "slug": "tnc-toolbox", "target": "plugin", "versions": "<=1.4.2"}, "RULE-CVE-2025-12560-01": {"ajax_action": "b2s_get_full_content", "conditions": [{"name": "ARGS:post_url", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12560", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12560", "description": "Blog2Social <=8.6.0 authenticated (Subscriber+) blind SSRF via post_url in b2s_get_full_content AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "blog2social", "tags": ["ssrf", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=8.6.0"}, "RULE-CVE-2025-12621-01": {"ajax_action": "fr_refund_request", "conditions": [{"name": "ARGS:order_ID", "type": "exists"}, {"name": "ARGS:status", "type": "regex", "value": "~(?i)^\\\\s*(approved|refused)\\\\s*$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12621", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12621", "description": "Flexible Refund and Return Order for WooCommerce <=1.0.42 incorrect authorization on fr_refund_request AJAX action allows Contributor+ to approve/refuse refunds", "method": "POST", "mode": "block", "severity": 5.3, "slug": "flexible-refund-and-return-order-for-woocommerce", "tags": ["incorrect-authorization", "broken-access-control", "woocommerce"], "target": "plugin", "versions": "<=1.0.42"}, "RULE-CVE-2025-12628-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "validate_2fa"}, {"name": "ARGS:provider", "type": "regex", "value": "~^(?i)backup(?:_|%5[fF])codes$~"}, {"name": "ARGS:wp-2fa-backup-code", "type": "exists"}], "cve": "CVE-2025-12628", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12628", "description": "WP 2FA <=2.9.3 second factor bypass via brute-force of low-entropy backup codes on validate_2fa endpoint", "method": "POST", "mode": "block", "severity": 6.3, "slug": "wp-2fa", "tags": ["authentication-bypass", "insufficient-entropy", "brute-force"], "target": "plugin", "versions": "<=2.9.3"}, "RULE-CVE-2025-12630-01": {"ajax_action": "upload_am_get_option", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:option_name", "type": "exists"}], "cve": "CVE-2025-12630", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12630", "description": "Upload@AM <=1.0.0 arbitrary option disclosure via upload_am_get_option AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 4.9, "slug": "upload-am-file-hosting-vpn", "tags": ["missing-authorization", "information-disclosure", "broken-access-control"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12630-02": {"ajax_action": "upload_am_update_option", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:option_name", "type": "exists"}, {"name": "ARGS:option_value", "type": "exists"}], "cve": "CVE-2025-12630", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12630", "description": "Upload@AM <=1.0.0 arbitrary option update via upload_am_update_option AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 4.9, "slug": "upload-am-file-hosting-vpn", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12633-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/bookit/v1/commerce/stripe/return(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12633", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12633", "description": "Bookit <=2.5.0 missing authorization on Stripe Connect return REST endpoint allows unauthenticated Stripe account linkage", "method": "GET", "mode": "block", "severity": 7.5, "slug": "bookit", "tags": ["missing-authorization", "unauthenticated", "rest-api", "stripe-connect"], "target": "plugin", "versions": "<=2.5.0"}, "RULE-CVE-2025-12641-01": {"action": "init", "conditions": [{"name": "ARGS:wpas-do", "type": "equals", "value": "mr_activate_user"}, {"name": "ARGS:user_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12641", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12641", "description": "Awesome Support <=6.3.6 unauthenticated role demotion via wpas-do=mr_activate_user (GET)", "method": "GET", "mode": "block", "severity": 6.5, "slug": "awesome-support", "tags": ["missing-authorization", "privilege-escalation", "unauthenticated"], "target": "plugin", "versions": "<=6.3.6"}, "RULE-CVE-2025-12641-02": {"action": "init", "conditions": [{"name": "ARGS:wpas-do", "type": "equals", "value": "mr_activate_user"}, {"name": "ARGS:user_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12641", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12641", "description": "Awesome Support <=6.3.6 unauthenticated role demotion via wpas-do=mr_activate_user (POST)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "awesome-support", "tags": ["missing-authorization", "privilege-escalation", "unauthenticated"], "target": "plugin", "versions": "<=6.3.6"}, "RULE-CVE-2025-12643-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~(?i)\\\\[saphali_liqpay\\\\b[^\\\\]]*(?:<[a-z]|javascript\\\\s*:|on[a-z]+\\\\s*=)[^\\\\]]*\\\\]~"}], "cve": "CVE-2025-12643", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12643", "description": "Saphali LiqPay for donate <=1.0.2 Stored XSS via [saphali_liqpay] shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "saphali-liqpay-for-donate", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-12643-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~(?i)\\\\[saphali_liqpay\\\\b[^\\\\]]*(?:<[a-z]|javascript\\\\s*:|on[a-z]+\\\\s*=)[^\\\\]]*\\\\]~"}], "cve": "CVE-2025-12643", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12643", "description": "Saphali LiqPay for donate <=1.0.2 Stored XSS via [saphali_liqpay] shortcode attributes in post_content param", "method": "POST", "mode": "block", "severity": 6.4, "slug": "saphali-liqpay-for-donate", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-12646-01": {"ajax_action": "community_events_frontend_list", "conditions": [{"name": "ARGS:dayofyear", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-12646", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12646", "description": "Community Events <=1.5.4 unauthenticated SQL injection via dayofyear parameter in frontend event list AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "community-events", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2025-12646-02": {"ajax_action": "community_events_frontend_list", "conditions": [{"name": "ARGS:dayofyear", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-12646", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12646", "description": "Community Events <=1.5.4 unauthenticated SQL injection via dayofyear parameter in frontend event list AJAX handler (GET variant)", "method": "GET", "mode": "block", "severity": 7.5, "slug": "community-events", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2025-12648-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/|%2[fF])wp-content(?:/|%2[fF])uploads(?:/|%2[fF])wpmembers(?:/|%2[fF])user_files(?:/|%2[fF])\\\\d+(?:/|%2[fF])~i"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-12648", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12648", "description": "WP-Members Membership Plugin <=3.5.4.4 unauthenticated access to user-uploaded files via predictable numeric user_id directory path", "method": "GET", "mode": "block", "severity": 5.3, "slug": "wp-members", "tags": ["information-disclosure", "unauthorized-file-access", "unauthenticated", "idor"], "target": "plugin", "versions": "<=3.5.4.4"}, "RULE-CVE-2025-12650-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[postlist\\\\b[^\\\\]]*class_name\\\\s*=\\\\s*[\'\\"][^\'\\"]*(?:<[^>]*>|on\\\\w+\\\\s*=|javascript\\\\s*:)[^\'\\"]*[\'\\"]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12650", "description": "Simple Post Listing <=0.2 stored XSS via class_name shortcode attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-post-listing", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.2"}, "RULE-CVE-2025-12650-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[postlist\\\\b[^\\\\]]*class_name\\\\s*=\\\\s*[\'\\"][^\'\\"]*(?:<[^>]*>|on\\\\w+\\\\s*=|javascript\\\\s*:)[^\'\\"]*[\'\\"]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12650", "description": "Simple Post Listing <=0.2 stored XSS via class_name shortcode attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-post-listing", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.2"}, "RULE-CVE-2025-12654-01": {"ajax_action": "wpvividstg_check_filesystem_permissions_free", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:create_new_wp", "type": "equals", "value": "1"}, {"name": "ARGS:pwd", "type": "regex", "value": "~(^/|^[A-Za-z]:\\\\\\\\|\\\\.{2}|[/\\\\\\\\]{2,}|/etc/|^/var/|^/tmp/|/\\\\.|\\\\\\\\\\\\.)~i"}], "cve": "CVE-2025-12654", "method": "POST", "mode": "block", "severity": 2.7, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.120"}, "RULE-CVE-2025-12658-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[preload_progress_bar\\\\b[^\\\\]]*complete\\\\s*=[^\\\\]]*<[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12658", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12658", "description": "Preload Current Images <=1.3 authenticated stored XSS via [preload_progress_bar] shortcode complete attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "preload-current-images", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-12658-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[preload_progress_bar\\\\b[^\\\\]]*complete\\\\s*=[^\\\\]]*<[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12658", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12658", "description": "Preload Current Images <=1.3 authenticated stored XSS via [preload_progress_bar] shortcode complete attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "preload-current-images", "tags": ["xss", "stored-xss", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-12660-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(wallwisher|padlet)\\\\s[^\\\\]]*key\\\\s*=\\\\s*[\\"\'](?:[^\\\\]\\\\r\\\\n]|\\\\\\\\.)*?(<|>|on[a-z]+\\\\s*=|javascript:|&#)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12660", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12660", "description": "Padlet Shortcode <=1.3 Stored XSS via key attribute in [wallwisher]/[padlet] shortcode through post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wallwisher-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-12660-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(wallwisher|padlet)\\\\s[^\\\\]]*key\\\\s*=\\\\s*[\\"\'](?:[^\\\\]\\\\r\\\\n]|\\\\\\\\.)*?(<|>|on[a-z]+\\\\s*=|javascript:|&#)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12660", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12660", "description": "Padlet Shortcode <=1.3 Stored XSS via key attribute in [wallwisher]/[padlet] shortcode through REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wallwisher-shortcode", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-12673-01": {"ajax_action": "flexqr_update_qr", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "FILES:logo", "type": "exists"}], "cve": "CVE-2025-12673", "method": "POST", "mode": "block", "severity": 9.8, "slug": "flex-qr-code-generator", "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-12673-02": {"ajax_action": "flexqr_save_qr", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "FILES:logo", "type": "exists"}], "cve": "CVE-2025-12673", "method": "POST", "mode": "block", "severity": 9.8, "slug": "flex-qr-code-generator", "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-12673-03": {"ajax_action": "flexqr_update_qr", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "FILES:qr_image", "type": "exists"}], "cve": "CVE-2025-12673", "method": "POST", "mode": "block", "severity": 9.8, "slug": "flex-qr-code-generator", "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-12673-04": {"ajax_action": "flexqr_save_qr", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "FILES:qr_image", "type": "exists"}], "cve": "CVE-2025-12673", "method": "POST", "mode": "block", "severity": 9.8, "slug": "flex-qr-code-generator", "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-12681-01": {"ajax_action": "sce_get_comment", "conditions": [{"name": "ARGS:comment_id", "type": "exists"}], "cve": "CVE-2025-12681", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12681", "description": "Simple Comment Editing <=3.1.0 unauthenticated sensitive information exposure via sce_get_comment AJAX action", "mode": "block", "severity": 5.3, "slug": "simple-comment-editing", "tags": ["information-disclosure", "unauthenticated", "sensitive-data-exposure"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-12691-01": {"action": "admin_init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[photonic\\\\b[^\\\\]]*caption\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\\\]]*)(?:<script|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:|<svg[\\\\s/]|<iframe[\\\\s/]|<img\\\\b[^>]+\\\\bon)~i"}], "cve": "CVE-2025-12691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12691", "description": "Photonic Gallery & Lightbox <=3.21 stored XSS via [photonic] shortcode caption attribute in Classic Editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "photonic", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.21"}, "RULE-CVE-2025-12691-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[photonic\\\\b[^\\\\]]*caption\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\\\]]*)(?:<script|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:|<svg[\\\\s/]|<iframe[\\\\s/]|<img\\\\b[^>]+\\\\bon)~i"}], "cve": "CVE-2025-12691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12691", "description": "Photonic Gallery & Lightbox <=3.21 stored XSS via [photonic] shortcode caption attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "photonic", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.21"}, "RULE-CVE-2025-12707-01": {"ajax_action": "owt_lib_handler", "conditions": [{"name": "ARGS:bid", "type": "regex", "value": "~(?:VU5JT04=|U0VMRUNU|SU5TRVJU|VVBEQVRF|REVMRVRF|RFJPUA==|QU5E|T1I=|U0xFRVA=|RVhUUkFDVFZBTFVF|Q09OQ0FU|T1JERVIgQlk=|R1JPVVAgQlk=)~i"}], "cve": "CVE-2025-12707", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12707", "description": "Library Management System <=3.2.1 unauthenticated SQL injection via bid parameter in owt_lib_handler AJAX handler", "mode": "block", "severity": 7.5, "slug": "library-management-system", "tags": ["sql-injection", "unauthenticated", "base64-encoded-parameter"], "target": "plugin", "versions": "<=3.2.1"}, "RULE-CVE-2025-12709-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/interact/v1/update_interaction(?:/|\\\\?|&|$)~"}, {"name": "ARGS", "type": "regex", "value": "~(?:<script[^>]*>|</?(?:svg|iframe|embed|object|math|details)[\\\\s/>]|\\\\bon[a-z]{3,}\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12709", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12709", "description": "Interactions <= 1.3.1 Authenticated (Contributor+) Stored XSS via event selectors in update_interaction REST endpoint", "method": "POST", "mode": "block", "severity": 6.4, "slug": "interactions", "tags": ["xss", "stored-xss", "rest-api", "missing-capability"], "target": "plugin", "versions": "<=1.3.1"}, "RULE-CVE-2025-12718-01": {"ajax_action": "qcf_validate_form", "conditions": [{"name": "ARGS:email", "type": "regex", "value": "~[\\\\r\\\\n]~"}], "cve": "CVE-2025-12718", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12718", "description": "Quick Contact Form <=8.2.6 unauthenticated open mail relay via email header injection in qcf_validate_form AJAX handler", "method": "POST", "mode": "block", "severity": 5.8, "slug": "quick-contact-form", "tags": ["email-header-injection", "open-mail-relay", "unauthenticated", "improper-input-validation"], "target": "plugin", "versions": "<=8.2.6"}, "RULE-CVE-2025-12721-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fflcockpit/v1/server_status(/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12721", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12721", "description": "g-FFL Cockpit <=1.7.1 unauthenticated information disclosure via /fflcockpit/v1/server_status REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "g-ffl-cockpit", "tags": ["missing-authorization", "information-disclosure", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.7.1"}, "RULE-CVE-2025-12746-01": {"action": "init", "conditions": [{"name": "ARGS:search", "type": "detectXSS"}], "cve": "CVE-2025-12746", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12746", "description": "Tainacan <=1.0.0 reflected XSS via search parameter in front-end template", "method": "GET", "mode": "block", "severity": 6.1, "slug": "tainacan", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12746-02": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(\\\\\\"|\')\\\\s*on\\\\w+\\\\s*=|<(script|svg|iframe|img)[\\\\s/>]|javascript\\\\s*:~i"}], "cve": "CVE-2025-12746", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12746", "description": "Tainacan <=1.0.0 reflected XSS via arbitrary GET parameters reflected into hidden form fields", "method": "GET", "mode": "block", "severity": 6.1, "slug": "tainacan", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12747-01": {"action": "template_redirect", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?i)^/wp-content/uploads/tainacan-items/\\\\d+/_x_\\\\d+/~"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-12747", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12747", "description": "Tainacan <=1.0.0 unauthenticated information exposure via direct access to private files in tainacan-items uploads directory", "method": "GET", "mode": "block", "severity": 5.3, "slug": "tainacan", "tags": ["information-exposure", "unauthenticated", "direct-file-access"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-12754-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[geopost\\\\b[^\\\\]]*(?:height|width)\\\\s*=\\\\s*[^\\\\]]*(?:<script|<svg|<iframe|<img|<details|<body|<marquee|on(?:error|load|click|mouseover|focus|blur|mouse(?:enter|leave|move|out|up|down))\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12754", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12754", "description": "Geopost <=1.1 Stored XSS via height/width shortcode attribute injection in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "geopost", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-12778-01": {"ajax_action": "wp_filter_users", "conditions": [{"type": "missing_capability", "value": "list_users"}], "cve": "CVE-2025-12778", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12778", "description": "Ultimate Member Widgets for Elementor <=2.3 unauthenticated information exposure via wp_filter_users AJAX handler", "mode": "block", "severity": 5.3, "slug": "ultimate-member-widgets-for-elementor", "tags": ["missing-authorization", "information-exposure", "unauthenticated"], "target": "plugin", "versions": "<=2.3"}, "RULE-CVE-2025-12778-02": {"ajax_action": "um_filter_users", "conditions": [{"type": "missing_capability", "value": "list_users"}], "cve": "CVE-2025-12778", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12778", "description": "Ultimate Member Widgets for Elementor <=2.3 unauthenticated information exposure via um_filter_users AJAX handler", "mode": "block", "severity": 5.3, "slug": "ultimate-member-widgets-for-elementor", "tags": ["missing-authorization", "information-exposure", "unauthenticated"], "target": "plugin", "versions": "<=2.3"}, "RULE-CVE-2025-12787-01": {"ajax_action": "tfhb_meeting_form_cencel", "conditions": [{"name": "ARGS:hash", "type": "regex", "value": "~^.{0,7}$|[<>\'\\";&|`]~"}], "cve": "CVE-2025-12787", "method": "POST", "mode": "block", "severity": 5.3, "slug": "hydra-booking", "target": "plugin", "versions": "<=1.1.27"}, "RULE-CVE-2025-12800-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "su_generator_preview"}, {"name": "ARGS:shortcode", "type": "regex", "value": "~\\\\[su_csv_table[^\\\\]]*url\\\\s*=~i"}], "cve": "CVE-2025-12800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12800", "description": "Shortcodes Ultimate <=7.4.5 Server-Side Request Forgery via su_csv_table shortcode in AJAX preview", "method": "POST", "mode": "block", "severity": 6.4, "slug": "shortcodes-ultimate", "tags": ["ssrf", "server-side-request-forgery", "shortcode"], "target": "plugin", "versions": "<=7.4.5"}, "RULE-CVE-2025-12804-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bookingcalendar\\\\b[^\\\\]]{0,500}aggregate\\\\s*=[\\\\s\\"\']*[^\\\\]]{0,500}(?:<[a-z/!]|on[a-z]+=|javascript\\\\s*:|data\\\\s*:)~i"}], "cve": "CVE-2025-12804", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12804", "description": "Booking Calendar <=10.14.6 Stored XSS via bookingcalendar shortcode aggregate attribute (classic editor injection phase)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "booking", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=10.14.6"}, "RULE-CVE-2025-12804-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bookingcalendar\\\\b[^\\\\]]{0,500}aggregate\\\\s*=[\\\\s\\"\']*[^\\\\]]{0,500}(?:<[a-z/!]|on[a-z]+=|javascript\\\\s*:|data\\\\s*:)~i"}], "cve": "CVE-2025-12804", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12804", "description": "Booking Calendar <=10.14.6 Stored XSS via bookingcalendar shortcode aggregate attribute (REST API POST)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "booking", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=10.14.6"}, "RULE-CVE-2025-12804-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bookingcalendar\\\\b[^\\\\]]{0,500}aggregate\\\\s*=[\\\\s\\"\']*[^\\\\]]{0,500}(?:<[a-z/!]|on[a-z]+=|javascript\\\\s*:|data\\\\s*:)~i"}], "cve": "CVE-2025-12804", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12804", "description": "Booking Calendar <=10.14.6 Stored XSS via bookingcalendar shortcode aggregate attribute (REST API PUT)", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "booking", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=10.14.6"}, "RULE-CVE-2025-12804-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bookingcalendar\\\\b[^\\\\]]{0,500}aggregate\\\\s*=[\\\\s\\"\']*[^\\\\]]{0,500}(?:<[a-z/!]|on[a-z]+=|javascript\\\\s*:|data\\\\s*:)~i"}], "cve": "CVE-2025-12804", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12804", "description": "Booking Calendar <=10.14.6 Stored XSS via bookingcalendar shortcode aggregate attribute (REST API PATCH)", "method": "PATCH", "mode": "block", "severity": 6.4, "slug": "booking", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=10.14.6"}, "RULE-CVE-2025-12824-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[player_leaderboard\\\\b[^\\\\]]*mode\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|(?:php|phar|zip|data)://)~i"}], "cve": "CVE-2025-12824", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12824", "description": "Player Leaderboard <=1.0.2 authenticated (Contributor+) Local File Inclusion via player_leaderboard shortcode mode attribute in post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "player-leaderboard", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-12824-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[player_leaderboard\\\\b[^\\\\]]*mode\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|(?:php|phar|zip|data)://)~i"}], "cve": "CVE-2025-12824", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12824", "description": "Player Leaderboard <=1.0.2 authenticated (Contributor+) Local File Inclusion via REST API post content containing malicious player_leaderboard shortcode", "method": "POST", "mode": "block", "severity": 8.8, "slug": "player-leaderboard", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-12826-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "cptui_process_post_type"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12826", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12826", "description": "Custom Post Type UI <=1.18.0 missing authorization on custom post type modification via cptui_process_post_type", "method": "POST", "mode": "block", "severity": 4.8, "slug": "custom-post-type-ui", "tags": ["missing-authorization", "broken-access-control", "privilege-escalation"], "target": "plugin", "versions": "<=1.18.0"}, "RULE-CVE-2025-12826-02": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "cptui_process_taxonomy"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12826", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12826", "description": "Custom Post Type UI <=1.18.0 missing authorization on custom taxonomy modification via cptui_process_taxonomy", "method": "POST", "mode": "block", "severity": 4.8, "slug": "custom-post-type-ui", "tags": ["missing-authorization", "broken-access-control", "privilege-escalation"], "target": "plugin", "versions": "<=1.18.0"}, "RULE-CVE-2025-12836-01": {"action": "admin_init", "conditions": [{"name": "ARGS:vkjp_description", "type": "regex", "value": "~<[a-zA-Z][^>]*\\\\s(?:on\\\\w+)\\\\s*=~i"}], "cve": "CVE-2025-12836", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12836", "description": "VK Google Job Posting Manager <=1.2.23 Stored XSS via vkjp_description event-handler injection", "method": "POST", "mode": "block", "severity": 6.4, "slug": "vk-google-job-posting-manager", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.2.23"}, "RULE-CVE-2025-12836-02": {"action": "init", "conditions": [{"name": "ARGS:vkjp_description", "type": "regex", "value": "~<(?:script[\\\\s>]|/script>|iframe[\\\\s>]|svg[\\\\s/>]|embed[\\\\s>]|object[\\\\s>]|scrscriptipt\\\\b)|\\\\b(?:href|src|xlink:href)\\\\s*=\\\\s*[\'\\"]?\\\\s*javascript\\\\s*:~i"}], "cve": "CVE-2025-12836", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12836", "description": "VK Google Job Posting Manager <=1.2.23 Stored XSS via vkjp_description dangerous element injection", "method": "POST", "mode": "block", "severity": 6.4, "slug": "vk-google-job-posting-manager", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.2.23"}, "RULE-CVE-2025-12837-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:waf_probe", "type": "regex", "value": "~<script[\\\\s/>]|<[^>]+\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12837", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12837", "description": "aThemes Addons for Elementor Lite <=1.1.5 Stored XSS via Call To Action widget settings in REST API content save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "athemes-addons-for-elementor-lite", "tags": ["xss", "stored-xss", "elementor-widget", "authenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-12837-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~<script[\\\\s/>]|<[^>]+\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-12837", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12837", "description": "aThemes Addons for Elementor Lite <=1.1.5 Stored XSS via Call To Action widget settings in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "athemes-addons-for-elementor-lite", "tags": ["xss", "stored-xss", "elementor-widget", "authenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-12841-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/bookit/v1/commerce/stripe/return(?:/|\\\\?|$)~"}, {"name": "ARGS:stripe", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12841", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12841", "description": "Bookit <=2.5.0 unauthenticated Stripe settings update via REST API /commerce/stripe/return endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "bookit", "tags": ["missing-authorization", "broken-access-control", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=2.5.0"}, "RULE-CVE-2025-12841-02": {"action": "rest_api_init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~^/bookit/v1/commerce/stripe/return(?:/|$)~"}, {"name": "ARGS:stripe", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12841", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12841", "description": "Bookit <=2.5.0 unauthenticated Stripe settings update via REST API /commerce/stripe/return endpoint (rest_route fallback)", "method": "GET", "mode": "block", "severity": 5.3, "slug": "bookit", "tags": ["missing-authorization", "broken-access-control", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=2.5.0"}, "RULE-CVE-2025-12844-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/simpleTranscribeAudio(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~phar\\\\s*://~i"}], "cve": "CVE-2025-12844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12844", "description": "AI Engine <=3.1.8 authenticated (Subscriber+) PHP Object Injection via PHAR deserialization in simpleTranscribeAudio REST endpoint", "method": "POST", "mode": "block", "severity": 7.1, "slug": "ai-engine", "tags": ["object-injection", "phar-deserialization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-12844-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/simpleVisionQuery(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~phar\\\\s*://~i"}], "cve": "CVE-2025-12844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12844", "description": "AI Engine <=3.1.8 authenticated (Subscriber+) PHP Object Injection via PHAR deserialization in simpleVisionQuery REST endpoint", "method": "POST", "mode": "block", "severity": 7.1, "slug": "ai-engine", "tags": ["object-injection", "phar-deserialization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-12844-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/simpleTextQuery(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~phar\\\\s*://~i"}], "cve": "CVE-2025-12844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12844", "description": "AI Engine <=3.1.8 authenticated (Subscriber+) PHP Object Injection via PHAR deserialization in simpleTextQuery REST endpoint (options.path vector)", "method": "POST", "mode": "block", "severity": 7.1, "slug": "ai-engine", "tags": ["object-injection", "phar-deserialization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-12844-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/simpleFastTextQuery(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~phar\\\\s*://~i"}], "cve": "CVE-2025-12844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12844", "description": "AI Engine <=3.1.8 authenticated (Subscriber+) PHP Object Injection via PHAR deserialization in simpleFastTextQuery REST endpoint (options.path vector)", "method": "POST", "mode": "block", "severity": 7.1, "slug": "ai-engine", "tags": ["object-injection", "phar-deserialization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-12844-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/simpleJsonQuery(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~phar\\\\s*://~i"}], "cve": "CVE-2025-12844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12844", "description": "AI Engine <=3.1.8 authenticated (Subscriber+) PHP Object Injection via PHAR deserialization in simpleJsonQuery REST endpoint (options.path vector)", "method": "POST", "mode": "block", "severity": 7.1, "slug": "ai-engine", "tags": ["object-injection", "phar-deserialization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-12845-01": {"ajax_action": "get_tables_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12845", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12845", "description": "Tablesome <=1.2.1 missing authorization on get_tables_data AJAX action allows subscriber+ to retrieve sensitive table data", "method": "POST", "mode": "block", "severity": 8.8, "slug": "tablesome", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2025-12851-01": {"action": "init", "conditions": [{"name": "ARGS:controller", "type": "regex", "value": "~(?:[\\\\.\\\\\\\\/-]|%2[dDeEfF]|%5[cC])~"}], "cve": "CVE-2025-12851", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12851", "description": "My auctions allegro <=3.6.32 unauthenticated Local File Inclusion via controller parameter on init hook", "mode": "block", "severity": 8.1, "slug": "my-auctions-allegro-free-edition", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=3.6.32"}, "RULE-CVE-2025-1287-01": {"action": "init", "conditions": [{"name": "ARGS:_elementor_data", "type": "regex", "value": "~(?:text_days|text_hours|text_minutes|text_seconds|cpybtntext|lanugaetext|copiedbtntext|cpyerrbtntext|dwnldBtnText|nav_dots_tooltips|fp-slideid)[^}]{0,200}(?:<script|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1287", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1287", "description": "The Plus Addons for Elementor <=6.2.2 Stored XSS via Countdown/Syntax Highlighter/Page Scroll widget settings in post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-plus-addons-for-elementor-page-builder", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=6.2.2"}, "RULE-CVE-2025-1287-02": {"action": "init", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~(?:text_days|text_hours|text_minutes|text_seconds|cpybtntext|lanugaetext|copiedbtntext|cpyerrbtntext|dwnldBtnText|nav_dots_tooltips|fp-slideid)[^}]{0,200}(?:<script|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1287", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1287", "description": "The Plus Addons for Elementor <=6.2.2 Stored XSS via Countdown/Syntax Highlighter/Page Scroll widget settings in Elementor AJAX save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-plus-addons-for-elementor-page-builder", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=6.2.2"}, "RULE-CVE-2025-12876-01": {"ajax_action": "pto_delete_file", "conditions": [{"type": "missing_capability", "value": "delete_posts"}], "cve": "CVE-2025-12876", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12876", "description": "Projectopia - WordPress Project Management <=5.1.19 missing authorization on pto_delete_file AJAX action allowing unauthenticated arbitrary attachment deletion", "method": "POST", "mode": "block", "severity": 5.3, "slug": "projectopia-core", "tags": ["missing-authorization", "unauthenticated", "arbitrary-deletion"], "target": "plugin", "versions": "<=5.1.19"}, "RULE-CVE-2025-12891-01": {"ajax_action": "ays_survey_show_results", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12891", "mode": "block", "severity": 5.3, "slug": "survey-maker", "target": "plugin", "versions": "<=5.1.9.4"}, "RULE-CVE-2025-12894-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-content/uploads/exportwp(?:/|%2f).*(?:\\\\.(csv|xml|json|log|txt|gz|zip))([?#]|$)~i"}], "cve": "CVE-2025-12894", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12894", "description": "Import WP <=2.14.17 unauthenticated access to exported data files via /exportwp/ directory", "method": "GET", "mode": "block", "severity": 5.3, "slug": "jc-importer", "tags": ["information-disclosure", "unauthenticated", "sensitive-file-access"], "target": "plugin", "versions": "<=2.14.17"}, "RULE-CVE-2025-12894-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-content/uploads/importwp(?:/|%2f).*(?:\\\\.(csv|xml|json|log|txt|gz|zip))([?#]|$)~i"}], "cve": "CVE-2025-12894", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12894", "description": "Import WP <=2.14.17 unauthenticated access to import session data and debug logs via /importwp/ directory", "method": "GET", "mode": "block", "severity": 5.3, "slug": "jc-importer", "tags": ["information-disclosure", "unauthenticated", "sensitive-file-access"], "target": "plugin", "versions": "<=2.14.17"}, "RULE-CVE-2025-12904-01": {"ajax_action": "insert_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur|mouse(?:over|out|enter|leave))\\\\s*=|javascript\\\\s*:|<(?:svg|img|iframe|object|embed|math|details|body|marquee)[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-12904", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12904", "description": "H5PxAPIkatchu <= 0.4.17 Unauthenticated Stored XSS via insert_data AJAX endpoint", "method": "POST", "mode": "block", "severity": 7.2, "slug": "h5pxapikatchu", "tags": ["xss", "stored-xss", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=0.4.17"}, "RULE-CVE-2025-1291-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~kadence/testimonial~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']icon[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:<script\\\\b|<[^>]+\\\\bon\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1291", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1291", "description": "Kadence Blocks <=3.4.9 Authenticated (Contributor+) Stored XSS via testimonial block icon attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "kadence-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=3.4.9"}, "RULE-CVE-2025-1291-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~kadence/testimonial~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']icon[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:<script\\\\b|<[^>]+\\\\bon\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1291", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1291", "description": "Kadence Blocks <=3.4.9 Authenticated (Contributor+) Stored XSS via testimonial block icon attribute in REST API post update", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "kadence-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=3.4.9"}, "RULE-CVE-2025-1291-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~kadence/testimonial~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']icon[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:<script\\\\b|<[^>]+\\\\bon\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1291", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1291", "description": "Kadence Blocks <=3.4.9 Authenticated (Contributor+) Stored XSS via testimonial block icon attribute in wp-admin post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "kadence-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=3.4.9"}, "RULE-CVE-2025-12934-01": {"ajax_action": "fl_builder_duplicate_wpml_layout", "conditions": [{"type": "missing_capability", "value": "edit_others_posts"}, {"name": "ARGS:original_post_id", "type": "exists"}], "cve": "CVE-2025-12934", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12934", "description": "Beaver Builder <= 2.9.4.1 missing authorization on duplicate_wpml_layout AJAX handler allows Subscriber+ arbitrary post update", "method": "POST", "mode": "block", "severity": 8.1, "slug": "beaver-builder-lite-version", "tags": ["missing-authorization", "broken-access-control", "arbitrary-post-update"], "target": "plugin", "versions": "<=2.9.4.1"}, "RULE-CVE-2025-12935-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[fluentcrm_content\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|<svg|<iframe|<img[^>]+onerror)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12935", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12935", "description": "FluentCRM <=2.9.84 Stored XSS via [fluentcrm_content] shortcode attributes in post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fluent-crm", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.9.84"}, "RULE-CVE-2025-12935-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[fluentcrm_content\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|<svg|<iframe|<img[^>]+onerror)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12935", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12935", "description": "FluentCRM <=2.9.84 Stored XSS via [fluentcrm_content] shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fluent-crm", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.9.84"}, "RULE-CVE-2025-12963-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/lazytasks/api/v1/user/role/edit(/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12963", "method": "POST", "mode": "block", "severity": 9.8, "slug": "lazytasks-project-task-management", "target": "plugin", "versions": "<=1.2.29"}, "RULE-CVE-2025-12973-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "s2b_store_chatbot_upload"}, {"name": "FILES:s2baia_chatbot_config_database", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-12973", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12973", "description": "S2B AI Assistant <=1.7.8 arbitrary file upload via s2b_store_chatbot_upload admin-post action", "method": "POST", "mode": "block", "severity": 7.2, "slug": "s2b-ai-assistant", "tags": ["arbitrary-file-upload", "remote-code-execution", "authenticated"], "target": "plugin", "versions": "<=1.7.8"}, "RULE-CVE-2025-12984-01": {"action": "admin_init", "conditions": [{"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2025-12984", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12984", "description": "Advanced Ads <=2.0.15 authenticated (admin+) SQL injection via order parameter in placement list table", "method": "GET", "mode": "block", "severity": 4.9, "slug": "advanced-ads", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=2.0.15"}, "RULE-CVE-2025-13006-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/surveyfunnel/v2/fsd(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13006", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13006", "description": "SurveyFunnel Lite <=1.1.5 unauthenticated sensitive information exposure via /surveyfunnel/v2/fsd REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "surveyfunnel-lite", "tags": ["information-exposure", "missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-13006-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/surveyfunnel/v2/responses(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13006", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13006", "description": "SurveyFunnel Lite <=1.1.5 unauthenticated sensitive information exposure via /surveyfunnel/v2/responses REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "surveyfunnel-lite", "tags": ["information-exposure", "missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-13006-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/surveyfunnel/v2/responses/[0-9-]+(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13006", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13006", "description": "SurveyFunnel Lite <=1.1.5 unauthenticated sensitive information exposure via /surveyfunnel/v2/responses/{id} REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "surveyfunnel-lite", "tags": ["information-exposure", "missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-13006-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/surveyfunnel/v2/surveys(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13006", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13006", "description": "SurveyFunnel Lite <=1.1.5 unauthenticated sensitive information exposure via /surveyfunnel/v2/surveys REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "surveyfunnel-lite", "tags": ["information-exposure", "missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-13006-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/surveyfunnel/v2/surveys/survey_id=[0-9-]+(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13006", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13006", "description": "SurveyFunnel Lite <=1.1.5 unauthenticated sensitive information exposure via /surveyfunnel/v2/surveys/survey_id={id} REST endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "surveyfunnel-lite", "tags": ["information-exposure", "missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-13048-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/(?:profile|user-edit)\\\\.php)~"}, {"name": "ARGS:nickname", "type": "regex", "value": "~(?:<script[\\\\s>]|<[^>]+[\\\\s/]+on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13048", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13048", "description": "Official StatCounter Plugin <=2.1.0 Authenticated (Contributor+) Stored XSS via Nickname", "method": "POST", "mode": "block", "severity": 6.4, "slug": "official-statcounter-plugin-for-wordpress", "tags": ["xss", "stored-xss", "missing-output-escaping"], "target": "plugin", "versions": "<=2.1.0"}, "RULE-CVE-2025-13072-01": {"action": "init", "conditions": [{"name": "ARGS:utm_source", "type": "detectXSS"}], "cve": "CVE-2025-13072", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13072", "description": "HandL UTM Grabber <=2.8 Reflected XSS via utm_source query parameter", "method": "GET", "mode": "block", "severity": 7.1, "slug": "handl-utm-grabber", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.8"}, "RULE-CVE-2025-1309-01": {"ajax_action": "uip_save_form_as_option", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-1309", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1309", "description": "UiPress Lite <=3.5.04 missing authorization on uip_save_form_as_option AJAX handler allows arbitrary options update", "method": "POST", "mode": "block", "severity": 8.8, "slug": "uipress-lite", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-options-update"], "target": "plugin", "versions": "<=3.5.04"}, "RULE-CVE-2025-1310-01": {"action": "parse_request", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~job-postings-get-file/~"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\\\\\/]|%2e%2e%2f|%2e%2e%5c|%252e%252e%252f|%252e%252e%255c)~i"}], "cve": "CVE-2025-1310", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1310", "description": "Job Postings <=2.7.11 authenticated arbitrary file read via path traversal in job_postings_get_file (rewrite rule path)", "mode": "block", "severity": 6.5, "slug": "job-postings", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=2.7.11"}, "RULE-CVE-2025-1310-02": {"action": "parse_request", "conditions": [{"name": "ARGS:job_postings_get_file", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\\\\\/]|\\\\.\\\\.%2f|\\\\.\\\\.%5c|\\\\.\\\\.%252f|\\\\.\\\\.%255c|%2e%2e%2f|%2e%2e%5c|%252e%252e%252f|%252e%252e%255c|^/)~i"}], "cve": "CVE-2025-1310", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1310", "description": "Job Postings <=2.7.11 authenticated arbitrary file read via path traversal in job_postings_get_file (query string path)", "mode": "block", "severity": 6.5, "slug": "job-postings", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=2.7.11"}, "RULE-CVE-2025-1311-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wcfmmp/v1/deliveries/[^/]*[^0-9/][^/]*~i"}], "cve": "CVE-2025-1311", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1311", "description": "WCFM Marketplace REST API <=1.6.2 authenticated SQL injection via non-numeric id path segment in /wcfmmp/v1/deliveries/{id}", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wcfm-marketplace-rest-api", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.6.2"}, "RULE-CVE-2025-1312-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "ultimate-blocks/call-to-action"}, {"name": "ARGS:content", "type": "regex", "value": "~\\"buttonTextColor\\"\\\\s*:\\\\s*\\"[^\\"]*[<>][^\\"]*\\"~"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1312", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1312", "description": "Ultimate Blocks <=3.2.7 Stored XSS via unescaped buttonTextColor attribute in Call-to-Action block (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.2.7"}, "RULE-CVE-2025-1312-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:post_content", "type": "contains", "value": "ultimate-blocks/call-to-action"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\"buttonTextColor\\"\\\\s*:\\\\s*\\"[^\\"]*[<>][^\\"]*\\"~"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1312", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1312", "description": "Ultimate Blocks <=3.2.7 Stored XSS via unescaped buttonTextColor attribute in Call-to-Action block (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.2.7"}, "RULE-CVE-2025-13153-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "logosliderwp"}, {"name": "ARGS", "type": "regex", "value": "~(?:[\\"\']\\\\s*(?:autofocus|on[a-z]+)\\\\s*=|<\\\\s*(?:script|svg|iframe|img|object|embed|math|details|body|video|audio|input|textarea|select|button|form|marquee|isindex|xmp)\\\\b)~i"}], "cve": "CVE-2025-13153", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13153", "description": "Logo Slider <4.9.0 Contributor+ Stored XSS via unescaped slider options on logosliderwp post type save", "method": "POST", "mode": "block", "severity": 6.1, "slug": "logo-slider-wp", "tags": ["xss", "stored-xss", "contributor-plus"], "target": "plugin", "versions": "<4.9.0"}, "RULE-CVE-2025-13153-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "lgx_lsp_shortcodes"}, {"name": "ARGS", "type": "regex", "value": "~(?:[\\"\']\\\\s*(?:autofocus|on[a-z]+)\\\\s*=|<\\\\s*(?:script|svg|iframe|img|object|embed|math|details|body|video|audio|input|textarea|select|button|form|marquee|isindex|xmp)\\\\b)~i"}], "cve": "CVE-2025-13153", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13153", "description": "Logo Slider <4.9.0 Contributor+ Stored XSS via unescaped slider options on lgx_lsp_shortcodes post type save", "method": "POST", "mode": "block", "severity": 6.1, "slug": "logo-slider-wp", "tags": ["xss", "stored-xss", "contributor-plus"], "target": "plugin", "versions": "<4.9.0"}, "RULE-CVE-2025-13156-01": {"action": "rest_api_init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|s|tml?|t|ar)|s?html?|cgi|aspx?|jspx?|cfm|user\\\\.ini)~i"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-13156", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13156", "description": "VitePos Lite <=3.3.0 authenticated arbitrary file upload via REST API leading to RCE", "method": "POST", "mode": "block", "severity": 8.8, "slug": "vitepos-lite", "tags": ["arbitrary-file-upload", "dangerous-file-type", "authenticated", "remote-code-execution"], "target": "plugin", "versions": "<=3.3.0"}, "RULE-CVE-2025-13156-02": {"action": "admin_init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|s|tml?|t|ar)|s?html?|cgi|aspx?|jspx?|cfm|user\\\\.ini)~i"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-13156", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13156", "description": "VitePos Lite <=3.3.0 authenticated arbitrary file upload via AJAX leading to RCE", "method": "POST", "mode": "block", "severity": 8.8, "slug": "vitepos-lite", "tags": ["arbitrary-file-upload", "dangerous-file-type", "authenticated", "remote-code-execution"], "target": "plugin", "versions": "<=3.3.0"}, "RULE-CVE-2025-13206-01": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give_first", "type": "detectXSS"}], "cve": "CVE-2025-13206", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13206", "description": "GiveWP <= 4.13.0 stored XSS via donor first name in donation form submission", "method": "POST", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.13.0"}, "RULE-CVE-2025-13206-02": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give_last", "type": "detectXSS"}], "cve": "CVE-2025-13206", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13206", "description": "GiveWP <= 4.13.0 stored XSS via donor last name in donation form submission", "method": "POST", "mode": "block", "severity": 6.1, "slug": "give", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.13.0"}, "RULE-CVE-2025-13217-01": {"ajax_action": "um_update_profile_full", "conditions": [{"name": "ARGS:youtube_video", "type": "exists"}, {"name": "ARGS:youtube_video", "type": "regex", "value": "~(?:<[a-z/]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-13217", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13217", "description": "Ultimate Member <=2.11.0 Stored XSS via youtube_video profile field", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-member", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.11.0"}, "RULE-CVE-2025-1324-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "contains", "value": "[public-form"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[public-form\\\\s[^\\\\]]*(?:<script|<svg|<iframe|<img|<object|<embed|javascript:|on(?:error|load|focus|click|mouseover)\\\\s*=)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1324", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1324", "description": "WP-Recall <=16.26.10 stored XSS via [public-form] shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-recall", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=16.26.10"}, "RULE-CVE-2025-1325-01": {"ajax_action": "rcl_preview_post", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-1325", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1325", "description": "WP-Recall <=16.26.10 missing authorization on rcl_preview_post AJAX endpoint allows Subscriber+ arbitrary shortcode execution", "method": "POST", "mode": "block", "severity": 6.3, "slug": "wp-recall", "tags": ["missing-authorization", "arbitrary-shortcode-execution", "broken-access-control"], "target": "plugin", "versions": "<=16.26.10"}, "RULE-CVE-2025-13311-01": {"action": "admin_init", "conditions": [{"name": "ARGS:option_page", "type": "equals", "value": "sigijh_plugin_options"}, {"name": "ARGS:sigijh_color_select", "type": "regex", "value": "~[<>\\"\']|\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-13311", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13311", "description": "Just Highlight <=1.0.3 authenticated (Administrator+) stored XSS via sigijh_color_select setting", "method": "POST", "mode": "block", "severity": 4.4, "slug": "just-highlight", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-13314-01": {"ajax_action": "filter_save_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13314", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13314", "description": "Filter Plus <=1.1.6 missing authorization on filter_save_settings AJAX action allows unauthenticated settings modification", "method": "POST", "mode": "block", "severity": 5.3, "slug": "filter-plus", "tags": ["missing-authorization", "settings-manipulation", "unauthenticated"], "target": "plugin", "versions": "<=1.1.6"}, "RULE-CVE-2025-13314-02": {"ajax_action": "add_filter_options", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13314", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13314", "description": "Filter Plus <=1.1.6 missing authorization on add_filter_options AJAX action allows unauthenticated post creation and meta write", "method": "POST", "mode": "block", "severity": 5.3, "slug": "filter-plus", "tags": ["missing-authorization", "arbitrary-post-creation", "unauthenticated"], "target": "plugin", "versions": "<=1.1.6"}, "RULE-CVE-2025-13320-01": {"action": "admin_init", "conditions": [{"name": "ARGS:account[user_avatar][path]", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[/\\\\\\\\]){2,}|[/\\\\\\\\]etc[/\\\\\\\\]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2025-13320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13320", "description": "WP User Manager <=2.9.12 arbitrary file deletion via path traversal in avatar path parameter during profile update", "method": "POST", "mode": "block", "severity": 6.8, "slug": "wp-user-manager", "tags": ["arbitrary-file-deletion", "path-traversal", "external-file-control"], "target": "plugin", "versions": "<=2.9.12"}, "RULE-CVE-2025-13329-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/[^/]+/v[0-9]+/add-image-data(?:/|\\\\?|&|$)~"}, {"name": "ARGS:fileName", "type": "regex", "value": "~(?:\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)|[\\\\\\\\/]\\\\.htaccess$|[\\\\\\\\/]\\\\.htpasswd$)~i"}], "cve": "CVE-2025-13329", "method": "POST", "mode": "block", "severity": 9.8, "slug": "file-uploader-for-woocommerce", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-13334-01": {"ajax_action": "blaze_demo_importer_install_demo", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:reset", "type": "equals", "value": "true"}], "cve": "CVE-2025-13334", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13334", "description": "Blaze Demo Importer <=1.0.13 missing authorization on blaze_demo_importer_install_demo AJAX action allows subscriber+ site reset", "method": "POST", "mode": "block", "severity": 8.1, "slug": "blaze-demo-importer", "tags": ["missing-authorization", "broken-access-control", "database-reset"], "target": "plugin", "versions": "<=1.0.13"}, "RULE-CVE-2025-13342-02": {"ajax_action": "frontend_admin/forms/update_field", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13342", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13342", "description": "Frontend Admin (ACF Frontend Form Element) <=3.28.20 unauthenticated arbitrary options update via update_field AJAX action", "method": "POST", "mode": "block", "severity": 9.8, "slug": "acf-frontend-form-element", "tags": ["missing-authorization", "privilege-escalation", "unauthenticated"], "target": "plugin", "versions": "<=3.28.20"}, "RULE-CVE-2025-13358-01": {"ajax_action": "ccpcaCreatePage", "conditions": [{"type": "missing_capability", "value": "publish_pages"}], "cve": "CVE-2025-13358", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13358", "description": "CodeConfig Accessibility <=1.0.0 missing authorization on ccpcaCreatePage AJAX action allows Subscriber+ arbitrary page creation", "method": "POST", "mode": "block", "severity": 5.3, "slug": "codeconfig-accessibility", "tags": ["missing-authorization", "broken-access-control", "arbitrary-content-creation"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-13359-01": {"ajax_action": "taxopress_ai_preview_feature", "conditions": [{"name": "ARGS:existing_terms_orderby", "type": "detectSQLi"}], "cve": "CVE-2025-13359", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13359", "description": "TaxoPress <=3.40.1 time-based SQL injection via existing_terms_orderby in taxopress_ai_preview_feature AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-tags", "tags": ["sql-injection", "time-based-blind", "ajax"], "target": "plugin", "versions": "<=3.40.1"}, "RULE-CVE-2025-13359-02": {"ajax_action": "taxopress_ai_preview_feature", "conditions": [{"name": "ARGS:existing_terms_order", "type": "detectSQLi"}], "cve": "CVE-2025-13359", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13359", "description": "TaxoPress <=3.40.1 time-based SQL injection via existing_terms_order in taxopress_ai_preview_feature AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-tags", "tags": ["sql-injection", "time-based-blind", "ajax"], "target": "plugin", "versions": "<=3.40.1"}, "RULE-CVE-2025-13359-03": {"ajax_action": "taxopress_ai_preview_feature", "conditions": [{"name": "ARGS:existing_terms_maximum_terms", "type": "detectSQLi"}], "cve": "CVE-2025-13359", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13359", "description": "TaxoPress <=3.40.1 SQL injection via existing_terms_maximum_terms in taxopress_ai_preview_feature AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-tags", "tags": ["sql-injection", "time-based-blind", "ajax"], "target": "plugin", "versions": "<=3.40.1"}, "RULE-CVE-2025-13359-04": {"ajax_action": "simpletags", "conditions": [{"name": "ARGS:suggest_local_terms_orderby", "type": "detectSQLi"}], "cve": "CVE-2025-13359", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13359", "description": "TaxoPress <=3.40.1 time-based SQL injection via suggest_local_terms_orderby in simpletags AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-tags", "tags": ["sql-injection", "time-based-blind", "ajax"], "target": "plugin", "versions": "<=3.40.1"}, "RULE-CVE-2025-13359-05": {"ajax_action": "simpletags", "conditions": [{"name": "ARGS:suggest_local_terms_order", "type": "detectSQLi"}], "cve": "CVE-2025-13359", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13359", "description": "TaxoPress <=3.40.1 time-based SQL injection via suggest_local_terms_order in simpletags AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-tags", "tags": ["sql-injection", "time-based-blind", "ajax"], "target": "plugin", "versions": "<=3.40.1"}, "RULE-CVE-2025-13367-01": {"action": "init", "conditions": [{"name": "ARGS:username", "type": "detectXSS"}], "cve": "CVE-2025-13367", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13367", "description": "User Registration & Membership <=4.4.6 reflected XSS via username GET parameter on thank-you page", "method": "GET", "mode": "block", "severity": 6.4, "slug": "user-registration", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.6"}, "RULE-CVE-2025-13367-02": {"action": "init", "conditions": [{"name": "ARGS:info", "type": "detectXSS"}], "cve": "CVE-2025-13367", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13367", "description": "User Registration & Membership <=4.4.6 reflected XSS via info GET parameter on thank-you page", "method": "GET", "mode": "block", "severity": 6.4, "slug": "user-registration", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.6"}, "RULE-CVE-2025-13367-03": {"action": "init", "conditions": [{"name": "ARGS:transaction_id", "type": "detectXSS"}], "cve": "CVE-2025-13367", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13367", "description": "User Registration & Membership <=4.4.6 reflected XSS via transaction_id GET parameter on thank-you page", "method": "GET", "mode": "block", "severity": 6.4, "slug": "user-registration", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.6"}, "RULE-CVE-2025-13369-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/users\\\\.php~"}, {"name": "ARGS:money_spent_from", "type": "detectXSS"}], "cve": "CVE-2025-13369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13369", "description": "Premmerce WooCommerce Customers Manager <=1.1.14 Reflected XSS via money_spent_from filter parameter", "method": "GET", "mode": "block", "severity": 6.1, "slug": "woo-customers-manager", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.14"}, "RULE-CVE-2025-13369-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/users\\\\.php~"}, {"name": "ARGS:money_spent_to", "type": "detectXSS"}], "cve": "CVE-2025-13369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13369", "description": "Premmerce WooCommerce Customers Manager <=1.1.14 Reflected XSS via money_spent_to filter parameter", "method": "GET", "mode": "block", "severity": 6.1, "slug": "woo-customers-manager", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.14"}, "RULE-CVE-2025-13369-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/users\\\\.php~"}, {"name": "ARGS:registered_from", "type": "detectXSS"}], "cve": "CVE-2025-13369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13369", "description": "Premmerce WooCommerce Customers Manager <=1.1.14 Reflected XSS via registered_from filter parameter", "method": "GET", "mode": "block", "severity": 6.1, "slug": "woo-customers-manager", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.14"}, "RULE-CVE-2025-13369-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/users\\\\.php~"}, {"name": "ARGS:registered_to", "type": "detectXSS"}], "cve": "CVE-2025-13369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13369", "description": "Premmerce WooCommerce Customers Manager <=1.1.14 Reflected XSS via registered_to filter parameter", "method": "GET", "mode": "block", "severity": 6.1, "slug": "woo-customers-manager", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.14"}, "RULE-CVE-2025-13370-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "pl-add"}, {"name": "ARGS:id", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-13370", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13370", "description": "ProjectList <=0.3.0 authenticated (Editor+) time-based SQL injection via id parameter on pl-add admin page (GET)", "method": "GET", "mode": "block", "severity": 4.9, "slug": "projectlist", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=0.3.0"}, "RULE-CVE-2025-13370-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "pl-add"}, {"name": "ARGS:id", "type": "regex", "value": "~(?:(?:UNION(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+(?:ALL(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)+)?SELECT(?:\\\\s|\\\\+|/\\\\*[^*]*\\\\*/)|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|(?:[\'\\"\\\\d])(?:\\\\s|/\\\\*[^*]*\\\\*/)*(?:OR|AND)(?:\\\\s|/\\\\*[^*]*\\\\*/)+[\'\\"]?[\\\\w\'\\"]|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s[^;]*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-13370", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13370", "description": "ProjectList <=0.3.0 authenticated (Editor+) SQL injection via id parameter on pl-add admin page (POST)", "method": "POST", "mode": "block", "severity": 4.9, "slug": "projectlist", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=0.3.0"}, "RULE-CVE-2025-13383-01": {"action": "init", "conditions": [{"name": "ARGS:jbbrd_save_search", "type": "equals", "value": "1"}, {"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*(?:script|iframe|object|embed|svg|math|img|video|audio|body|details|marquee|isindex|form|input|button|select|textarea|keygen|meta|link|base|style)[\\\\s/>]|\\\\bon(?:error|load|focus|click|mouse(?:over|out|enter)|change|blur|submit|reset|key(?:up|down|press)|contextmenu|dblclick|drag|drop|input|invalid|scroll|wheel|animat(?:ion|ed)|transition)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-13383", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13383", "description": "Job Board by BestWebSoft <=1.2.1 stored XSS via CSRF through unsanitized $_GET array storage in save-search", "method": "GET", "mode": "block", "severity": 6.1, "slug": "job-board", "tags": ["xss", "stored-xss", "csrf", "shortcode"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2025-13403-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "employee-spotlight_check_optin"}, {"name": "ARGS:employee-spotlight_optin", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13403", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13403", "description": "Employee Spotlight <=5.1.3 missing authorization on tracking opt-in via admin_post handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "employee-spotlight", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=5.1.3"}, "RULE-CVE-2025-13403-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "employee-spotlight_check_optin"}, {"name": "ARGS:employee-spotlight_no_optin", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13403", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13403", "description": "Employee Spotlight <=5.1.3 missing authorization on tracking opt-out via admin_post handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "employee-spotlight", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=5.1.3"}, "RULE-CVE-2025-13414-01": {"action": "init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:cdash_export_businesses", "type": "exists"}], "cve": "CVE-2025-13414", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13414", "description": "Chamber Dashboard Business Directory <= 3.3.11 unauthenticated business information export via cdash_watch_for_export", "method": "POST", "mode": "block", "severity": 5.3, "slug": "chamber-dashboard-business-directory", "tags": ["missing-authorization", "unauthenticated", "data-export"], "target": "plugin", "versions": "<=3.3.11"}, "RULE-CVE-2025-13414-02": {"action": "init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:cdash_export", "type": "exists"}], "cve": "CVE-2025-13414", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13414", "description": "Chamber Dashboard Business Directory <= 3.3.11 unauthenticated business information export via cdash_watch_for_export (alt trigger cdash_export)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "chamber-dashboard-business-directory", "tags": ["missing-authorization", "unauthenticated", "data-export"], "target": "plugin", "versions": "<=3.3.11"}, "RULE-CVE-2025-13440-01": {"action": "admin_post_premmerce_delete_wishlist", "conditions": [{"name": "ARGS:wishlist", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13440", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13440", "description": "Premmerce Wishlist for WooCommerce <=1.1.10 missing authorization on deleteWishlist via admin_post action", "method": "GET", "mode": "block", "severity": 5.3, "slug": "premmerce-woocommerce-wishlist", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.1.10"}, "RULE-CVE-2025-13448-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:demo|ci-demo)\\\\s+[^\\\\]]*element\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\\\]\\"\']*)(?:script\\\\b|img\\\\b|svg\\\\b|iframe\\\\b|object\\\\b|embed\\\\b|body\\\\b|on\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13448", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13448", "description": "CSSIgniter Shortcodes <=2.4.1 Stored XSS via \'element\' shortcode attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cssigniter-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-13448-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:demo|ci-demo)\\\\s+[^\\\\]]*element\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\\\]\\"\']*)(?:script\\\\b|img\\\\b|svg\\\\b|iframe\\\\b|object\\\\b|embed\\\\b|body\\\\b|on\\\\w+\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13448", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13448", "description": "CSSIgniter Shortcodes <=2.4.1 Stored XSS via \'element\' shortcode attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cssigniter-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.4.1"}, "RULE-CVE-2025-13486-01": {"ajax_action": "acfe/form/render_form_ajax", "conditions": [{"name": "ARGS:_acf_form", "type": "regex", "value": "~(?i)\\\\b(system|exec|passthru|shell_exec|popen|proc_open|file_put_contents|assert|eval)\\\\b~i"}], "cve": "CVE-2025-13486", "method": "POST", "mode": "block", "severity": 9.8, "slug": "acf-extended", "target": "plugin", "versions": ">=0.9.0.5 <=0.9.1.1"}, "RULE-CVE-2025-13497-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[recras-booking[^\\\\]]*recrasname\\\\s*=\\\\s*(?:\\"[^\\"]*[\');}<>][^\\"]*\\"|\'[^\']*[\\");}<>][^\']*\')~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13497", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13497", "description": "Recras <=6.4.1 Stored XSS via recras-booking shortcode recrasname attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "recras", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=6.4.1"}, "RULE-CVE-2025-13497-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[recras-booking[^\\\\]]*recrasname\\\\s*=\\\\s*(?:\\"[^\\"]*[\');}<>][^\\"]*\\"|\'[^\']*[\\");}<>][^\']*\')~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13497", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13497", "description": "Recras <=6.4.1 Stored XSS via recras-booking shortcode recrasname attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "recras", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=6.4.1"}, "RULE-CVE-2025-13516-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-content/uploads/suremails/attachments/[^/]+\\\\.(?:php\\\\d*|phtml|phar|phps|pht|phpt|inc)(?:\\\\?|$)~i"}], "cve": "CVE-2025-13516", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13516", "description": "SureMail <=1.9.0 unauthenticated RCE via direct access to uploaded PHP files in suremails attachments directory", "mode": "block", "severity": 8.1, "slug": "suremails", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated", "dangerous-file-type"], "target": "plugin", "versions": "<=1.9.0"}, "RULE-CVE-2025-13525-01": {"action": "init", "conditions": [{"name": "ARGS:order_by", "type": "detectXSS"}], "cve": "CVE-2025-13525", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13525", "description": "WP Directory Kit <=1.4.5 Reflected Cross-Site Scripting via order_by parameter", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wpdirectorykit", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.4.5"}, "RULE-CVE-2025-13534-01": {"ajax_action": "eh_crm_edit_agent", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:user_id", "type": "regex", "value": "~.+~"}, {"name": "ARGS:rights", "type": "regex", "value": "~.+~"}], "cve": "CVE-2025-13534", "method": "POST", "mode": "block", "severity": 8.8, "slug": "elex-helpdesk-customer-support-ticket-system", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2025-13537-01": {"ajax_action": "dslc-ajax-save-composer", "conditions": [{"name": "ARGS:dslc_code", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-13537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13537", "description": "Live Composer <=2.0.2 DOM-Based Stored XSS via dslc-ajax-save-composer AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "live-composer-page-builder", "tags": ["xss", "stored-xss", "dom-based-xss", "authenticated"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-13537-02": {"ajax_action": "dslc-ajax-save-draft-composer", "conditions": [{"name": "ARGS:dslc_code", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-13537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13537", "description": "Live Composer <=2.0.2 DOM-Based Stored XSS via dslc-ajax-save-draft-composer AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "live-composer-page-builder", "tags": ["xss", "stored-xss", "dom-based-xss", "authenticated"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-13537-03": {"ajax_action": "dslc-ajax-import-template", "conditions": [{"name": "ARGS:dslc_template_code", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-13537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13537", "description": "Live Composer <=2.0.2 DOM-Based Stored XSS via dslc-ajax-import-template AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "live-composer-page-builder", "tags": ["xss", "stored-xss", "dom-based-xss", "authenticated"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-13537-04": {"ajax_action": "dslc-ajax-import-modules-section", "conditions": [{"name": "ARGS:dslc_modules_section_code", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-13537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13537", "description": "Live Composer <=2.0.2 DOM-Based Stored XSS via dslc-ajax-import-modules-section AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "live-composer-page-builder", "tags": ["xss", "stored-xss", "dom-based-xss", "authenticated"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-13604-02": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|toggle|resize|beforeunload|unload|animationend|transitionend)\\\\s*=~i"}], "cve": "CVE-2025-13604", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13604", "description": "Security & Malware scan by CleanTalk <=2.168 unauthenticated stored XSS via event handler attributes in GET query parameter values", "method": "GET", "mode": "block", "severity": 7.2, "slug": "security-malware-firewall", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.168"}, "RULE-CVE-2025-13604-03": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:javascript\\\\s*:|data\\\\s*:\\\\s*(?:text/html|application/xhtml))~i"}], "cve": "CVE-2025-13604", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13604", "description": "Security & Malware scan by CleanTalk <=2.168 unauthenticated stored XSS via javascript:/data: URI scheme in GET query parameter values", "method": "GET", "mode": "block", "severity": 7.2, "slug": "security-malware-firewall", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.168"}, "RULE-CVE-2025-13604-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:%6[Ff]|o)n(?:error|load|click|mouseover|focus|toggle)(?:\\\\s*(?:=|%3[Dd]))~i"}], "cve": "CVE-2025-13604", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13604", "description": "Security & Malware scan by CleanTalk <=2.168 unauthenticated stored XSS via event handlers in URL path segment", "method": "GET", "mode": "block", "severity": 7.2, "slug": "security-malware-firewall", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.168"}, "RULE-CVE-2025-13608-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[child_pages\\\\b[^\\\\]]*\\\\buse_custom_(?:link|link_target|thumbs|excerpt)\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13608", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13608", "description": "CC Child Pages <=2.0.0 Authenticated (Contributor+) Stored XSS via child_pages shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cc-child-pages", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-13608-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[child_pages\\\\b[^\\\\]]*\\\\buse_custom_(?:link|link_target|thumbs|excerpt)\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13608", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13608", "description": "CC Child Pages <=2.0.0 Authenticated (Contributor+) Stored XSS via child_pages shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cc-child-pages", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-1361-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "ip2location-country-blocker"}, {"type": "missing_capability", "value": "administrator"}], "cve": "CVE-2025-1361", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1361", "description": "IP2Location Country Blocker <=2.38.8 missing authorization on admin_init allows unauthenticated settings disclosure", "mode": "block", "severity": 5.3, "slug": "ip2location-country-blocker", "tags": ["missing-authorization", "information-exposure", "unauthenticated"], "target": "plugin", "versions": "<=2.38.8"}, "RULE-CVE-2025-13610-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[RM_Forms\\\\b[^\\\\]]*theme\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script|on(?:error|load|click|mouseover|animationstart|focus|blur)\\\\s*=|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13610", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13610", "description": "RegistrationMagic <=6.0.6.7 Stored XSS via RM_Forms shortcode theme attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "custom-registration-form-builder-with-submission-manager", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=6.0.6.7"}, "RULE-CVE-2025-13610-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[RM_Forms\\\\b[^\\\\]]*theme\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script|on(?:error|load|click|mouseover|animationstart|focus|blur)\\\\s*=|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13610", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13610", "description": "RegistrationMagic <=6.0.6.7 Stored XSS via RM_Forms shortcode theme attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "custom-registration-form-builder-with-submission-manager", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=6.0.6.7"}, "RULE-CVE-2025-13620-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wslu/v1/save_cache/[^/?&]+(?:/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13620", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13620", "description": "WP Social <=3.1.3 unauthenticated cache overwrite via wslu/v1/save_cache REST endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-social", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=3.1.3"}, "RULE-CVE-2025-13620-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wslu/v1/check_cache/[^/?&]+(?:/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13620", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13620", "description": "WP Social <=3.1.3 unauthenticated cache probe via wslu/v1/check_cache REST endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-social", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=3.1.3"}, "RULE-CVE-2025-13620-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wslu/v1/settings/clear_counter_cache(?:/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13620", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13620", "description": "WP Social <=3.1.3 unauthenticated cache wipe via wslu/v1/settings/clear_counter_cache REST endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-social", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=3.1.3"}, "RULE-CVE-2025-13622-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "jabbernotification.php"}, {"name": "REQUEST_URI", "type": "regex", "value": "~options-general\\\\.php/[^?]*(?:%2522|%253[Cc]|%253[Ee]|\\"|<|>|on\\\\w+\\\\s*=)[^?]*(?:\\\\?|$)~i"}], "cve": "CVE-2025-13622", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13622", "description": "Jabbernotification <=0.99-RC2 reflected XSS via PATH_INFO in admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "jabberbenachrichtigung", "tags": ["xss", "reflected-xss", "path-info"], "target": "plugin", "versions": "<=0.99-RC2"}, "RULE-CVE-2025-13626-01": {"ajax_action": "mylco_pagerank", "conditions": [{"name": "ARGS:url", "type": "detectXSS"}], "cve": "CVE-2025-13626", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13626", "description": "myLCO <=0.8.1 reflected XSS via unsanitized url parameter in mylco_pagerank AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "mylco", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=0.8.1"}, "RULE-CVE-2025-13626-02": {"ajax_action": "mylco_alexa", "conditions": [{"name": "ARGS:url", "type": "detectXSS"}], "cve": "CVE-2025-13626", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13626", "description": "myLCO <=0.8.1 reflected XSS via unsanitized url parameter in mylco_alexa AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "mylco", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=0.8.1"}, "RULE-CVE-2025-13626-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php/(?:[^?]*(?:[<>\\"\']|%3c|%3e|%22|%27).*)?[?&]page=mylco(?:&|$)~i"}], "cve": "CVE-2025-13626", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13626", "description": "myLCO <=0.8.1 reflected XSS via $_SERVER[\'PHP_SELF\'] path-info injection on admin pages", "method": "GET", "mode": "block", "severity": 6.1, "slug": "mylco", "tags": ["xss", "reflected-xss", "php-self"], "target": "plugin", "versions": "<=0.8.1"}, "RULE-CVE-2025-13641-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:nggallery|nggtags|ngg_images|ngg|slideshow|imagebrowser)[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?(?:/|[A-Za-z]:[/\\\\\\\\])~i"}], "cve": "CVE-2025-13641", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13641", "description": "NextGEN Gallery <=3.59.12 Local File Inclusion via shortcode template attribute in post content (absolute path)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nextgen-gallery", "tags": ["local-file-inclusion", "php-file-inclusion", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.59.12"}, "RULE-CVE-2025-13641-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:nggallery|nggtags|ngg_images|ngg|slideshow|imagebrowser)[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/])~i"}], "cve": "CVE-2025-13641", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13641", "description": "NextGEN Gallery <=3.59.12 Local File Inclusion via shortcode template attribute in post content (directory traversal)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nextgen-gallery", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.59.12"}, "RULE-CVE-2025-13641-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:nggallery|nggtags|ngg_images|ngg|slideshow|imagebrowser)[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?(?:/|[A-Za-z]:[/\\\\\\\\])~i"}], "cve": "CVE-2025-13641", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13641", "description": "NextGEN Gallery <=3.59.12 Local File Inclusion via shortcode template attribute in REST API content field (absolute path)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nextgen-gallery", "tags": ["local-file-inclusion", "php-file-inclusion", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.59.12"}, "RULE-CVE-2025-13641-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:nggallery|nggtags|ngg_images|ngg|slideshow|imagebrowser)[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/])~i"}], "cve": "CVE-2025-13641", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13641", "description": "NextGEN Gallery <=3.59.12 Local File Inclusion via shortcode template attribute in REST API content field (directory traversal)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "nextgen-gallery", "tags": ["local-file-inclusion", "path-traversal", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.59.12"}, "RULE-CVE-2025-13645-01": {"ajax_action": "modula_unzip_file", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13645", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13645", "description": "Modula Image Gallery <=2.13.2 authenticated arbitrary file/directory deletion via path traversal in ajax_unzip_file \\u2014 over-protection capability gate (payload is in zip binary, not HTTP params)", "method": "POST", "mode": "block", "severity": 7.2, "slug": "modula-best-grid-gallery", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated", "over-protection"], "target": "plugin", "versions": "<=2.13.2"}, "RULE-CVE-2025-13646-01": {"ajax_action": "modula_unzip_file", "conditions": [{"name": "ARGS:fileID", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13646", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13646", "description": "Modula Image Gallery <=2.13.2 authenticated arbitrary file upload via modula_unzip_file AJAX handler", "method": "POST", "mode": "block", "severity": 6.6, "slug": "modula-best-grid-gallery", "tags": ["arbitrary-file-upload", "race-condition", "authenticated"], "target": "plugin", "versions": "<=2.13.2"}, "RULE-CVE-2025-13678-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[thailottery\\\\b[^\\\\]]*(?:width|height)\\\\s*=[\\\\s\\"\']*[^\\\\]]*(?:[\\"\']\\\\s*on\\\\w+\\\\s*=|<script|javascript:|[\\"\']\\\\s*[>/])~i"}], "cve": "CVE-2025-13678", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13678", "description": "Thai Lottery Widget <=2.5 authenticated stored XSS via thailottery shortcode width/height attributes in post content (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "thai-lottery-widget", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.5"}, "RULE-CVE-2025-13678-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[thailottery\\\\b[^\\\\]]*(?:width|height)\\\\s*=[\\\\s\\"\']*[^\\\\]]*(?:[\\"\']\\\\s*on\\\\w+\\\\s*=|<script|javascript:|[\\"\']\\\\s*[>/])~i"}], "cve": "CVE-2025-13678", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13678", "description": "Thai Lottery Widget <=2.5 authenticated stored XSS via thailottery shortcode width/height attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "thai-lottery-widget", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.5"}, "RULE-CVE-2025-13679-01": {"ajax_action": "tutor_order_details", "conditions": [{"name": "ARGS:order_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13679", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13679", "description": "Tutor LMS <=3.9.3 missing authorization on tutor_order_details AJAX action allows subscriber+ to exfiltrate order PII", "mode": "block", "severity": 6.5, "slug": "tutor", "tags": ["missing-authorization", "idor", "sensitive-data-exposure"], "target": "plugin", "versions": "<=3.9.3"}, "RULE-CVE-2025-13681-01": {"action": "admin_post_bfgtoexz_zip", "conditions": [{"name": "ARGS:first_file", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:%2e%2e[%2f%5c]){2,})~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13681", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13681", "description": "BFG Tools \\u2013 Extension Zipper <=1.0.7 authenticated path traversal via first_file parameter in admin_post_bfgtoexz_zip handler", "method": "POST", "mode": "block", "severity": 4.9, "slug": "bfg-tools-extension-zipper", "tags": ["path-traversal", "arbitrary-file-read", "missing-authorization"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2025-13681-02": {"action": "admin_post_bfgtoexz_zip", "conditions": [{"name": "ARGS:first_file", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13681", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13681", "description": "BFG Tools \\u2013 Extension Zipper <=1.0.7 authenticated sensitive file read via first_file parameter in admin_post_bfgtoexz_zip handler", "method": "POST", "mode": "block", "severity": 4.9, "slug": "bfg-tools-extension-zipper", "tags": ["path-traversal", "arbitrary-file-read", "sensitive-file-disclosure"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2025-13693-01": {"ajax_action": "save_gallery", "conditions": [{"name": "ARGS:ftg_script", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13693", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13693", "description": "Final Tiles Grid Gallery <=3.6.8 authenticated (Author+) stored XSS via ftg_script parameter in save_gallery AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["xss", "stored-xss", "missing-capability"], "target": "plugin", "versions": "<=3.6.8"}, "RULE-CVE-2025-13697-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~blockart/countdown(?:(?:[^\\"}]|\\"(?:\\\\\\\\.|[^\\"\\\\\\\\])*\\")*)\\"timestamp\\"\\\\s*:\\\\s*\\"[^\\"]*(?:\\\\\\\\u0027|\'\\\\s*(?:on[a-z]+\\\\s*=|style\\\\s*=|href\\\\s*=)|<[a-z]|on[a-z]+\\\\s*=)~i"}], "cve": "CVE-2025-13697", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13697", "description": "BlockArt Blocks <=2.2.13 Stored XSS via Countdown block timestamp attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "blockart-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.2.13"}, "RULE-CVE-2025-13697-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~blockart/countdown(?:(?:[^\\"}]|\\"(?:\\\\\\\\.|[^\\"\\\\\\\\])*\\")*)\\"timestamp\\"\\\\s*:\\\\s*\\"[^\\"]*(?:\\\\\\\\u0027|\'\\\\s*(?:on[a-z]+\\\\s*=|style\\\\s*=|href\\\\s*=)|<[a-z]|on[a-z]+\\\\s*=)~i"}], "cve": "CVE-2025-13697", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13697", "description": "BlockArt Blocks <=2.2.13 Stored XSS via Countdown block timestamp attribute in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "blockart-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.2.13"}, "RULE-CVE-2025-13705-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[customframe\\\\b[^\\\\]]*\\\\bclass\\\\s*=\\\\s*(?:\\"[^\\"]*\\"|\'[^\']*\')[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|<img|<svg|<iframe|javascript\\\\s*:)~i"}], "cve": "CVE-2025-13705", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13705", "description": "Custom Frames <=1.0.1 authenticated (Contributor+) stored XSS via class shortcode attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "custom-frames", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-13724-01": {"action": "admin_post_nopriv_vikrentcar", "conditions": [{"name": "ARGS:month", "type": "detectSQLi"}], "cve": "CVE-2025-13724", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13724", "description": "VikRentCar <=1.4.4 unauthenticated SQL injection via month parameter on admin_post_nopriv_vikrentcar", "method": "POST", "mode": "block", "severity": 7.5, "slug": "vikrentcar", "tags": ["sql-injection", "unauthenticated", "time-based-blind"], "target": "plugin", "versions": "<=1.4.4"}, "RULE-CVE-2025-13724-02": {"action": "admin_post_vikrentcar", "conditions": [{"name": "ARGS:month", "type": "detectSQLi"}], "cve": "CVE-2025-13724", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13724", "description": "VikRentCar <=1.4.4 authenticated SQL injection via month parameter on admin_post_vikrentcar", "method": "POST", "mode": "block", "severity": 7.5, "slug": "vikrentcar", "tags": ["sql-injection", "time-based-blind"], "target": "plugin", "versions": "<=1.4.4"}, "RULE-CVE-2025-13724-03": {"ajax_action": "vikrentcar", "conditions": [{"name": "ARGS:month", "type": "detectSQLi"}], "cve": "CVE-2025-13724", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13724", "description": "VikRentCar <=1.4.4 authenticated SQL injection via month parameter on wp_ajax_vikrentcar", "method": "POST", "mode": "block", "severity": 7.5, "slug": "vikrentcar", "tags": ["sql-injection", "time-based-blind"], "target": "plugin", "versions": "<=1.4.4"}, "RULE-CVE-2025-13725-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/block-renderer/thim-blocks/icon(?:/|\\\\?|$)~"}, {"name": "ARGS:attributes[iconSVG]", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2025-13725", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13725", "description": "Gutenberg Thim Blocks <=1.0.1 authenticated arbitrary file read via iconSVG path traversal in thim-blocks/icon block renderer", "method": "GET", "mode": "block", "severity": 6.5, "slug": "thim-blocks", "tags": ["path-traversal", "arbitrary-file-read", "rest-api"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-13728-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[fluent_auth_reset_password\\\\b[^\\\\]]*redirect_to\\\\s*=~i"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[fluent_auth_reset_password\\\\b[^\\\\]]*(?:\\\\bon\\\\w+\\\\s*=|<script|javascript:)~i"}], "cve": "CVE-2025-13728", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13728", "description": "FluentAuth <=2.0.3 Stored XSS via fluent_auth_reset_password shortcode redirect_to attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fluent-security", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.3"}, "RULE-CVE-2025-13728-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[fluent_auth_reset_password\\\\b[^\\\\]]*redirect_to\\\\s*=~i"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[fluent_auth_reset_password\\\\b[^\\\\]]*(?:\\\\bon\\\\w+\\\\s*=|<script|javascript:)~i"}], "cve": "CVE-2025-13728", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13728", "description": "FluentAuth <=2.0.3 Stored XSS via fluent_auth_reset_password shortcode redirect_to attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fluent-security", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.3"}, "RULE-CVE-2025-13730-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[openid_connect_generic_auth_url\\\\b[^\\\\]]*(?:<[^>]+>|on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13730", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13730", "description": "OpenID Connect Generic Client <=3.10.0 Stored XSS via shortcode attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "daggerhart-openid-connect-generic", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.10.0"}, "RULE-CVE-2025-13730-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[openid_connect_generic_auth_url\\\\b[^\\\\]]*(?:<[^>]+>|on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13730", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13730", "description": "OpenID Connect Generic Client <=3.10.0 Stored XSS via shortcode attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "daggerhart-openid-connect-generic", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.10.0"}, "RULE-CVE-2025-13732-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[s2Eot\\\\b[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13732", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13732", "description": "s2Member <=251005 Stored XSS via s2Eot shortcode past_format/future_format/next_format/empty_format attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "s2member", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=251005"}, "RULE-CVE-2025-13732-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[s2Eot\\\\b[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13732", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13732", "description": "s2Member <=251005 Stored XSS via s2Eot shortcode attributes in post_content parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "s2member", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=251005"}, "RULE-CVE-2025-13732-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[s2Eot\\\\b[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13732", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13732", "description": "s2Member <=251005 Stored XSS via s2Eot shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "s2member", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=251005"}, "RULE-CVE-2025-13739-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[cryptx\\\\b[^\\\\]]*(?:on[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:|<script)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13739", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13739", "description": "CryptX <=4.0.5 Authenticated (Contributor+) Stored XSS via cryptx shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cryptx", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.0.5"}, "RULE-CVE-2025-13739-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[cryptx\\\\b[^\\\\]]*(?:on[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:|<script)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13739", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13739", "description": "CryptX <=4.0.5 Authenticated (Contributor+) Stored XSS via cryptx shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cryptx", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.0.5"}, "RULE-CVE-2025-13746-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:profile\\\\.php|user-edit\\\\.php)~"}, {"name": "ARGS:display_name", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-13746", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13746", "description": "ForumWP <=2.1.6 Stored XSS via User Display Name on profile update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "forumwp", "tags": ["xss", "stored-xss", "profile-update"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2025-13746-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:profile\\\\.php|user-edit\\\\.php)~"}, {"name": "ARGS:nickname", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-13746", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13746", "description": "ForumWP <=2.1.6 Stored XSS via User Nickname on profile update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "forumwp", "tags": ["xss", "stored-xss", "profile-update"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2025-13746-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:profile\\\\.php|user-edit\\\\.php)~"}, {"name": "ARGS:first_name", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-13746", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13746", "description": "ForumWP <=2.1.6 Stored XSS via User First Name on profile update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "forumwp", "tags": ["xss", "stored-xss", "profile-update"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2025-13746-04": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:profile\\\\.php|user-edit\\\\.php)~"}, {"name": "ARGS:last_name", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-13746", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13746", "description": "ForumWP <=2.1.6 Stored XSS via User Last Name on profile update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "forumwp", "tags": ["xss", "stored-xss", "profile-update"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2025-13838-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wishsuite_button[^\\\\]]*button_(?:text|added_text|exist_text)\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*<[^>]*(?:on\\\\w+\\\\s*=|script|iframe|object|embed)~i"}], "cve": "CVE-2025-13838", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13838", "description": "WishSuite <=1.5.1 Stored XSS via wishsuite_button shortcode button_text attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wishsuite", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.5.1"}, "RULE-CVE-2025-13838-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wishsuite_button[^\\\\]]*button_(?:text|added_text|exist_text)\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*<[^>]*(?:on\\\\w+\\\\s*=|script|iframe|object|embed)~i"}], "cve": "CVE-2025-13838", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13838", "description": "WishSuite <=1.5.1 Stored XSS via wishsuite_button shortcode button_text attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wishsuite", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.5.1"}, "RULE-CVE-2025-13840-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bukazu_search\\\\b[^\\\\]]*shortcode\\\\s*=\\\\s*(?:\\"[^\\"]*<|\'[^\']*<|[^\\\\s\\\\]]*<)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13840", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13840", "description": "BUKAZU Search Widget <=3.4 stored XSS via bukazu_search shortcode attribute in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bukazu-search-widget", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.4"}, "RULE-CVE-2025-13840-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bukazu_search\\\\b[^\\\\]]*shortcode\\\\s*=\\\\s*(?:\\"[^\\"]*<|\'[^\']*<|[^\\\\s\\\\]]*<)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13840", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13840", "description": "BUKAZU Search Widget <=3.4 stored XSS via bukazu_search shortcode attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bukazu-search-widget", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.4"}, "RULE-CVE-2025-13846-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[easy_map_creator\\\\b[^\\\\]]*\\\\bwidth\\\\s*=\\\\s*[\\"\'][^\\"\']*[\\"\'][^\\\\]]*(?:<|>|on\\\\w+\\\\s*=|javascript:|style\\\\s*=)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13846", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13846", "description": "Easy Map Creator <=3.0.2 Stored XSS via shortcode width attribute in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-map-creator", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-13846-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[easy_map_creator\\\\b[^\\\\]]*\\\\bwidth\\\\s*=\\\\s*[\\"\'][^\\"\']*[\\"\'][^\\\\]]*(?:<|>|on\\\\w+\\\\s*=|javascript:|style\\\\s*=)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13846", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13846", "description": "Easy Map Creator <=3.0.2 Stored XSS via shortcode width attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-map-creator", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.0.2"}, "RULE-CVE-2025-13852-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[lead_form\\\\s[^\\\\]]*configuration\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<[a-z]|&#x?[0-9a-f]+;|javascript:|\\\\bon(?:error|load|click|mouseover|focus)\\\\s*=)|\'[^\']*(?:<[a-z]|&#x?[0-9a-f]+;|javascript:|\\\\bon(?:error|load|click|mouseover|focus)\\\\s*=))~i"}], "cve": "CVE-2025-13852", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13852", "description": "Debt.com Business in a Box <=4.1.0 Stored XSS via lead_form shortcode configuration attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "debtcom-business-in-a-box", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.1.0"}, "RULE-CVE-2025-13852-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[lead_form\\\\s[^\\\\]]*configuration\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<[a-z]|&#x?[0-9a-f]+;|javascript:|\\\\bon(?:error|load|click|mouseover|focus)\\\\s*=)|\'[^\']*(?:<[a-z]|&#x?[0-9a-f]+;|javascript:|\\\\bon(?:error|load|click|mouseover|focus)\\\\s*=))~i"}], "cve": "CVE-2025-13852", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13852", "description": "Debt.com Business in a Box <=4.1.0 Stored XSS via lead_form shortcode configuration attribute in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "debtcom-business-in-a-box", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.1.0"}, "RULE-CVE-2025-13859-01": {"ajax_action": "save_customization_settings", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "save_customization_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13859", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13859", "description": "AffiliateX <=1.3.9.3 missing authorization on save_customization_settings AJAX action allowing Subscriber+ stored XSS", "method": "POST", "mode": "block", "severity": 6.4, "slug": "affiliatex", "tags": ["missing-authorization", "stored-xss", "broken-access-control"], "target": "plugin", "versions": "<=1.3.9.3"}, "RULE-CVE-2025-13861-01": {"ajax_action": "hf_form_submit", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<(?:script|svg|img|iframe|object|embed|details|marquee|video|audio|body|math|xmp|isindex|style|link|base|meta|form|input|button|select|textarea|keygen|source|track|frameset|frame|applet|xml)[\\\\s/>#]|\\\\bon(?:error|load|click|mouseover|focus|blur|toggle|start|animationend|beforeprint|change|dblclick|drag|drop|ended|hashchange|input|invalid|key(?:down|press|up)|mouse(?:down|enter|leave|move|out|over|up)|page(?:show|hide)|paste|play|pointer|progress|resize|scroll|search|select|submit|touch|transition|unload|wheel)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*;base64\\\\s*,~i"}], "cve": "CVE-2025-13861", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13861", "description": "HTML Forms <=1.6.0 unauthenticated stored XSS via form field values on hf_form_submit AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.1, "slug": "html-forms", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.6.0"}, "RULE-CVE-2025-13861-02": {"action": "init", "conditions": [{"name": "ARGS:_hf_form_id", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~<(?:script|svg|img|iframe|object|embed|details|marquee|video|audio|body|math|xmp|isindex|style|link|base|meta|form|input|button|select|textarea|keygen|source|track|frameset|frame|applet|xml)[\\\\s/>#]|\\\\bon(?:error|load|click|mouseover|focus|blur|toggle|start|animationend|beforeprint|change|dblclick|drag|drop|ended|hashchange|input|invalid|key(?:down|press|up)|mouse(?:down|enter|leave|move|out|over|up)|page(?:show|hide)|paste|play|pointer|progress|resize|scroll|search|select|submit|touch|transition|unload|wheel)\\\\s*=|javascript\\\\s*:|data\\\\s*:[^,]*;base64\\\\s*,~i"}], "cve": "CVE-2025-13861", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13861", "description": "HTML Forms <=1.6.0 unauthenticated stored XSS via non-AJAX form submission with _hf_form_id", "method": "POST", "mode": "block", "severity": 6.1, "slug": "html-forms", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.6.0"}, "RULE-CVE-2025-13864-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/breeze/v1/clear-all-cache(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13864", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13864", "description": "Breeze <=2.2.21 unauthenticated cache clearing via REST API endpoint breeze/v1/clear-all-cache", "method": "POST", "mode": "block", "severity": 5.3, "slug": "breeze", "tags": ["missing-authorization", "unauthenticated", "rest-api", "cache-deletion"], "target": "plugin", "versions": "<=2.2.21"}, "RULE-CVE-2025-13880-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-social-reviews/v1/advance-settings(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13880", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13880", "description": "WP Social Ninja <=4.0.1 unauthenticated access to advanced settings via REST API (GET)", "method": "GET", "mode": "block", "severity": 6.5, "slug": "wp-social-reviews", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.0.1"}, "RULE-CVE-2025-13880-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-social-reviews/v1/advance-settings(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13880", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13880", "description": "WP Social Ninja <=4.0.1 unauthenticated modification of advanced settings via REST API (POST)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-social-reviews", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=4.0.1"}, "RULE-CVE-2025-13886-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[book\\\\b[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/])~i"}], "cve": "CVE-2025-13886", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13886", "description": "LT Unleashed <=1.1.1 Local File Inclusion via [book] shortcode template attribute", "method": "POST", "mode": "block", "severity": 7.5, "slug": "lt-unleashed", "tags": ["local-file-inclusion", "path-traversal", "shortcode"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-13886-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[books\\\\b[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/])~i"}], "cve": "CVE-2025-13886", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13886", "description": "LT Unleashed <=1.1.1 Local File Inclusion via [books] shortcode template attribute", "method": "POST", "mode": "block", "severity": 7.5, "slug": "lt-unleashed", "tags": ["local-file-inclusion", "path-traversal", "shortcode"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-13886-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[book\\\\b[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/])~i"}], "cve": "CVE-2025-13886", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13886", "description": "LT Unleashed <=1.1.1 Local File Inclusion via [book] shortcode template attribute (Gutenberg REST API)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "lt-unleashed", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-13886-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[books\\\\b[^\\\\]]*template\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/])~i"}], "cve": "CVE-2025-13886", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13886", "description": "LT Unleashed <=1.1.1 Local File Inclusion via [books] shortcode template attribute (Gutenberg REST API)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "lt-unleashed", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-13887-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ai_botkit_widget\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*(?:[<>\\"\']|&#|on\\\\w+\\\\s*=)|(?=[^\\\\s\\\\]\\"\'])[^^\\\\s\\\\]]*(?:[<>]|on\\\\w+\\\\s*=))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13887", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13887", "description": "AI BotKit <=1.1.7 Authenticated (Contributor+) Stored XSS via ai_botkit_widget shortcode id attribute in classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ai-botkit-for-lead-generation", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1.7"}, "RULE-CVE-2025-13887-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ai_botkit_widget\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*(?:[<>\\"\']|&#|on\\\\w+\\\\s*=)|(?=[^\\\\s\\\\]\\"\'])[^^\\\\s\\\\]]*(?:[<>]|on\\\\w+\\\\s*=))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13887", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13887", "description": "AI BotKit <=1.1.7 Authenticated (Contributor+) Stored XSS via ai_botkit_widget shortcode id attribute in REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ai-botkit-for-lead-generation", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.1.7"}, "RULE-CVE-2025-13889-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[snivo\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-13889", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13889", "description": "Simple Nivo Slider <=0.5.6 Stored XSS via [snivo] shortcode id attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-nivo-slider", "tags": ["xss", "stored-xss", "shortcode", "contributor"], "target": "plugin", "versions": "<=0.5.6"}, "RULE-CVE-2025-13889-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[snivo\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-13889", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13889", "description": "Simple Nivo Slider <=0.5.6 Stored XSS via [snivo] shortcode id attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-nivo-slider", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "contributor"], "target": "plugin", "versions": "<=0.5.6"}, "RULE-CVE-2025-13896-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[igp-wp\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*[\'\\"]?[^\'\\"\\\\]]*[<>;()\\\\\\\\]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13896", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13896", "description": "Social Feed Gallery Portfolio <=1.3 Stored XSS via igp-wp shortcode id attribute (Contributor+)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "social-feed-gallery-portfolio", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-13897-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:aft_testimonial_meta_name", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-13897", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13897", "description": "Client Testimonial Slider <=2.0 stored XSS via aft_testimonial_meta_name metabox field", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-client-testimonial", "tags": ["xss", "stored-xss", "contributor-plus"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-13897-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:aft_testimonial_meta_company", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-13897", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13897", "description": "Client Testimonial Slider <=2.0 stored XSS via aft_testimonial_meta_company metabox field", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-client-testimonial", "tags": ["xss", "stored-xss", "contributor-plus"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-13904-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[gancio-events?\\\\b[^\\\\]]*(?:on[a-z]+=|javascript\\\\s*:|<script)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13904", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13904", "description": "WPGancio <=1.12 Stored XSS via gancio-event/gancio-events shortcode attributes in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpgancio", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.12"}, "RULE-CVE-2025-13904-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[gancio-events?\\\\b[^\\\\]]*(?:on[a-z]+=|javascript\\\\s*:|<script)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13904", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13904", "description": "WPGancio <=1.12 Stored XSS via gancio-event/gancio-events shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpgancio", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.12"}, "RULE-CVE-2025-13906-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:linechart|barchart|piechart)\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript\\\\s*:|[\'\\"]\\\\s*>\\\\s*<)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13906", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13906", "description": "WP Flot <=0.2.2 Stored XSS via [linechart] shortcode attributes in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-flot", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.2.2"}, "RULE-CVE-2025-13906-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:linechart|barchart|piechart)\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript\\\\s*:|[\'\\"]\\\\s*>\\\\s*<)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-13906", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13906", "description": "WP Flot <=0.2.2 Stored XSS via [linechart] shortcode attributes in REST API post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-flot", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.2.2"}, "RULE-CVE-2025-13958-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[yamap[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-13958", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13958", "description": "YaMaps for WordPress <0.6.40 stored XSS via [yamap] shortcode attribute event handler injection in post content", "method": "POST", "mode": "block", "severity": 5.9, "slug": "yamaps", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<0.6.40"}, "RULE-CVE-2025-13958-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[yamap[^\\\\]]*\\\\]\\\\s*\\\\}~i"}], "cve": "CVE-2025-13958", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13958", "description": "YaMaps for WordPress <0.6.40 stored XSS via [yamap] shortcode JS context breakout in post content", "method": "POST", "mode": "block", "severity": 5.9, "slug": "yamaps", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<0.6.40"}, "RULE-CVE-2025-13958-03": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[yamap[^\\\\]]*[\'\\"]\\\\s*/?>\\\\s*<~i"}], "cve": "CVE-2025-13958", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13958", "description": "YaMaps for WordPress <0.6.40 stored XSS via [yamap] shortcode HTML tag injection in post content", "method": "POST", "mode": "block", "severity": 5.9, "slug": "yamaps", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<0.6.40"}, "RULE-CVE-2025-13958-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[yamap[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-13958", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13958", "description": "YaMaps for WordPress <0.6.40 stored XSS via [yamap] shortcode attribute event handler injection via REST API", "method": "POST", "mode": "block", "severity": 5.9, "slug": "yamaps", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<0.6.40"}, "RULE-CVE-2025-13958-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[yamap[^\\\\]]*\\\\]\\\\s*\\\\}~i"}], "cve": "CVE-2025-13958", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13958", "description": "YaMaps for WordPress <0.6.40 stored XSS via [yamap] shortcode JS context breakout via REST API", "method": "POST", "mode": "block", "severity": 5.9, "slug": "yamaps", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<0.6.40"}, "RULE-CVE-2025-13958-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[yamap[^\\\\]]*[\'\\"]\\\\s*/?>\\\\s*<~i"}], "cve": "CVE-2025-13958", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13958", "description": "YaMaps for WordPress <0.6.40 stored XSS via [yamap] shortcode HTML tag injection via REST API", "method": "POST", "mode": "block", "severity": 5.9, "slug": "yamaps", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<0.6.40"}, "RULE-CVE-2025-13963-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[fxcc_convert\\\\b[^\\\\]]*(?:tmpl|prefix|suffix)\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<script|<img\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<svg[\\\\s/][^>]*\\\\bon\\\\w+\\\\s*=|<iframe|javascript\\\\s*:|<details\\\\b[^>]*\\\\bontoggle\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13963", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13963", "description": "FX Currency Converter <=0.2.0 Stored XSS via fxcc_convert shortcode attributes (tmpl/prefix/suffix)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fx-currency-converter", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.2.0"}, "RULE-CVE-2025-13963-02": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[fxcc_convert\\\\b[^\\\\]]*\\\\][^\\\\[]*(?:<script|<img\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<svg[\\\\s/][^>]*\\\\bon\\\\w+\\\\s*=|<iframe|javascript\\\\s*:|<details\\\\b[^>]*\\\\bontoggle\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-13963", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13963", "description": "FX Currency Converter <=0.2.0 Stored XSS via fxcc_convert shortcode enclosed content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fx-currency-converter", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.2.0"}, "RULE-CVE-2025-13964-01": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "course_add_section"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated course section creation via lp-load-ajax=course_add_section", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-02": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "course_update_section"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated course section update via lp-load-ajax=course_update_section", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-03": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "course_delete_section"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated course section deletion via lp-load-ajax=course_delete_section", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-04": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "course_update_section_position"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated section reorder via lp-load-ajax=course_update_section_position", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-05": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "create_item_add_to_section"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated item creation via lp-load-ajax=create_item_add_to_section", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-06": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "add_items_to_section"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated item addition via lp-load-ajax=add_items_to_section", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-07": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "delete_item_from_section"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated item deletion via lp-load-ajax=delete_item_from_section", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-08": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "update_item_section_and_position"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated item move via lp-load-ajax=update_item_section_and_position", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-09": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "update_items_position"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated item reorder via lp-load-ajax=update_items_position", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13964-10": {"action": "wp_loaded", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "update_item_of_section"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-13964", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13964", "description": "LearnPress <=4.3.2 unauthenticated item update via lp-load-ajax=update_item_of_section", "method": "POST", "mode": "block", "severity": 5.3, "slug": "learnpress", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2025-13972-01": {"action": "parse_request", "conditions": [{"name": "ARGS:wht_download_big_object", "type": "exists"}, {"name": "ARGS:wht_download_big_object_origin", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|[\\\\\\\\/]etc[\\\\\\\\/]|[\\\\\\\\/]proc[\\\\\\\\/]|[\\\\\\\\/]var[\\\\\\\\/]log|wp-config\\\\.php|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-13972", "mode": "block", "severity": 4.9, "slug": "watchtowerhq", "target": "plugin", "versions": "<=3.16.0"}, "RULE-CVE-2025-13973-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/(?:wp-content/uploads/stickeasy-protected-contact-form/spcf-log(?:(?:\\\\.|%2e)(?:txt|log))?|wp-content/uploads/stickeasy-protected-contact-form/)(?:$|[\\\\?#])~i"}], "cve": "CVE-2025-13973", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13973", "description": "StickEasy Protected Contact Form <=1.0.1 unauthenticated information disclosure via predictable spam log file path (v1.0.0 uploads directory)", "method": "GET", "mode": "block", "severity": 5.3, "slug": "stickeasy-protected-contact-form", "tags": ["information-disclosure", "unauthenticated", "predictable-resource-location"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-13973-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/(?:wp-content/spcf-logs/spcf-log(?:(?:\\\\.|%2e)(?:txt|log))?|wp-content/spcf-logs/)(?:$|[\\\\?#])~i"}], "cve": "CVE-2025-13973", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13973", "description": "StickEasy Protected Contact Form <=1.0.1 unauthenticated information disclosure via predictable spam log file path (v1.0.1 spcf-logs directory)", "method": "GET", "mode": "block", "severity": 5.3, "slug": "stickeasy-protected-contact-form", "tags": ["information-disclosure", "unauthenticated", "predictable-resource-location"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-13974-01": {"ajax_action": "thwecmf_template_actions", "conditions": [{"name": "ARGS:contents", "type": "regex", "value": "~<\\\\s*(?:script|iframe|embed|object)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseout|mouseenter|mouseleave|keydown|keyup|change|submit|input)\\\\s*=|javascript\\\\s*:|<\\\\s*svg[^>]+\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-13974", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13974", "description": "Email Customizer for WooCommerce <=2.6.7 authenticated stored XSS via template content save", "method": "POST", "mode": "block", "severity": 4.4, "slug": "email-customizer-for-woocommerce", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.6.7"}, "RULE-CVE-2025-13977-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~(?:\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script[\\\\s>]|<\\\\s*svg[^>]*\\\\bon\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-13977", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=6.5.3"}, "RULE-CVE-2025-13977-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json/wp/v2/posts/\\\\d+(?:/|\\\\?|$)|\\\\?(?:.*&)?rest_route=/wp/v2/posts/\\\\d+)~"}, {"name": "ARGS:meta[_elementor_data]", "type": "regex", "value": "~(?:\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script[\\\\s>]|<\\\\s*svg[^>]*\\\\bon\\\\w+\\\\s*=)~is"}], "cve": "CVE-2025-13977", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=6.5.3"}, "RULE-CVE-2025-13977-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json/wp/v2/posts/\\\\d+(?:/|\\\\?|$)|\\\\?(?:.*&)?rest_route=/wp/v2/posts/\\\\d+)~"}, {"name": "ARGS:meta[_elementor_data]", "type": "regex", "value": "~(?:\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script[\\\\s>]|<\\\\s*svg[^>]*\\\\bon\\\\w+\\\\s*=)~is"}], "cve": "CVE-2025-13977", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=6.5.3"}, "RULE-CVE-2025-13977-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json/wp/v2/posts/\\\\d+(?:/|\\\\?|$)|\\\\?(?:.*&)?rest_route=/wp/v2/posts/\\\\d+)~"}, {"name": "ARGS:meta[_elementor_data]", "type": "regex", "value": "~(?:\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script[\\\\s>]|<\\\\s*svg[^>]*\\\\bon\\\\w+\\\\s*=)~is"}], "cve": "CVE-2025-13977", "method": "PATCH", "mode": "block", "severity": 6.4, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=6.5.3"}, "RULE-CVE-2025-13989-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[wp_dropzone[^\\\\]]*callback\\\\s*=~i"}], "cve": "CVE-2025-13989", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13989", "description": "WP Dropzone <=1.1.1 authenticated (Contributor+) stored XSS via callback shortcode attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-dropzone", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-13989-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wp_dropzone[^\\\\]]*callback\\\\s*=~i"}], "cve": "CVE-2025-13989", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13989", "description": "WP Dropzone <=1.1.1 authenticated (Contributor+) stored XSS via callback shortcode attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-dropzone", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-13999-01": {"ajax_action": "h5ap_get_stream_data", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "h5ap_get_stream_data"}, {"name": "ARGS:url", "type": "regex", "value": "~^(?:file|gopher|dict|ftp|tftp|ldap|ssh)://~i"}, {"name": "ARGS:url", "type": "exists"}], "cve": "CVE-2025-13999", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13999", "description": "HTML5 Audio Player <=2.5.1 unauthenticated SSRF via h5ap_get_stream_data AJAX action url parameter", "mode": "block", "severity": 7.2, "slug": "html5-audio-player", "tags": ["ssrf", "unauthenticated", "server-side-request-forgery"], "target": "plugin", "versions": ">=2.4.0 <=2.5.1"}, "RULE-CVE-2025-13999-02": {"ajax_action": "h5ap_get_stream_data", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "h5ap_get_stream_data"}, {"name": "ARGS:url", "type": "regex", "value": "~https?://(?:localhost|127\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|\\\\[?::1\\\\]?|\\\\[?::ffff:127\\\\.|10\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d+\\\\.\\\\d+|192\\\\.168\\\\.\\\\d+\\\\.\\\\d+|169\\\\.254\\\\.\\\\d+\\\\.\\\\d+|0177\\\\.|0x7f|2130706433|metadata\\\\.google\\\\.internal)~i"}], "cve": "CVE-2025-13999", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-13999", "description": "HTML5 Audio Player <=2.5.1 unauthenticated SSRF via h5ap_get_stream_data targeting localhost/internal IPs", "mode": "block", "severity": 7.2, "slug": "html5-audio-player", "tags": ["ssrf", "unauthenticated", "server-side-request-forgery"], "target": "plugin", "versions": ">=2.4.0 <=2.5.1"}, "RULE-CVE-2025-14000-01": {"action": "init", "conditions": [{"type": "missing_capability", "value": "unfiltered_html"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[restrict\\\\b[^\\\\]]*(?:\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script\\\\b|<\\\\s*svg\\\\b|<\\\\s*img\\\\b[^>]*\\\\bon\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-14000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14000", "description": "Membership Plugin \\u2013 Restrict Content <=3.2.15 authenticated (Contributor+) stored XSS via [restrict] shortcode attributes", "method": "POST", "mode": "block", "severity": 6.4, "slug": "restrict-content", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.2.15"}, "RULE-CVE-2025-14000-02": {"action": "init", "conditions": [{"type": "missing_capability", "value": "unfiltered_html"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[register_form\\\\b[^\\\\]]*(?:\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script\\\\b|<\\\\s*svg\\\\b|<\\\\s*img\\\\b[^>]*\\\\bon\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-14000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14000", "description": "Membership Plugin \\u2013 Restrict Content <=3.2.15 authenticated (Contributor+) stored XSS via [register_form] shortcode attributes", "method": "POST", "mode": "block", "severity": 6.4, "slug": "restrict-content", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.2.15"}, "RULE-CVE-2025-14001-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wp_duplicate_page_bulk_action"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-14001", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14001", "description": "WP Duplicate Page <=1.8 missing authorization on bulk post duplication via action parameter", "mode": "block", "severity": 5.4, "slug": "wp-duplicate-page", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2025-14001-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action2", "type": "equals", "value": "wp_duplicate_page_bulk_action"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-14001", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14001", "description": "WP Duplicate Page <=1.8 missing authorization on bulk post duplication via action2 parameter", "mode": "block", "severity": 5.4, "slug": "wp-duplicate-page", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2025-14030-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[\\\\s*aife_post_meta\\\\b~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14030", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14030", "description": "AI Feeds <=1.0.22 Authenticated (Contributor+) Stored XSS via aife_post_meta shortcode in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ai-feeds", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.22"}, "RULE-CVE-2025-14030-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[\\\\s*aife_post_meta\\\\b~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14030", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14030", "description": "AI Feeds <=1.0.22 Authenticated (Contributor+) Stored XSS via aife_post_meta shortcode in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ai-feeds", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.22"}, "RULE-CVE-2025-14032-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:bold_timeline_group|bold_timeline_item)\\\\b[^\\\\]]*\\\\btitle\\\\s*=\\\\s*(?:\\"[^\\"]*[<>][^\\"]*\\"|\'[^\']*[<>][^\']*\')~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14032", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14032", "description": "Bold Timeline Lite <=1.2.7 stored XSS via title attribute in bold_timeline_group shortcode (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bold-timeline-lite", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-14032-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:bold_timeline_group|bold_timeline_item)\\\\b[^\\\\]]*\\\\btitle\\\\s*=\\\\s*(?:\\"[^\\"]*[<>][^\\"]*\\"|\'[^\']*[<>][^\']*\')~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14032", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14032", "description": "Bold Timeline Lite <=1.2.7 stored XSS via title attribute in bold_timeline_group shortcode (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bold-timeline-lite", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-14049-01": {"action": "admin_post_nopriv_vikrentitems", "conditions": [{"name": "ARGS:delto", "type": "detectXSS"}], "cve": "CVE-2025-14049", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14049", "description": "VikRentItems <=1.2.0 reflected XSS via delto parameter on unauthenticated admin-post endpoint", "method": "GET", "mode": "block", "severity": 6.1, "slug": "vikrentitems", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.0"}, "RULE-CVE-2025-14049-02": {"action": "admin_post_vikrentitems", "conditions": [{"name": "ARGS:delto", "type": "detectXSS"}], "cve": "CVE-2025-14049", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14049", "description": "VikRentItems <=1.2.0 reflected XSS via delto parameter on authenticated admin-post endpoint", "method": "GET", "mode": "block", "severity": 6.1, "slug": "vikrentitems", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=1.2.0"}, "RULE-CVE-2025-1405-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "contains", "value": "[show_products"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[show_products\\\\s[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript\\\\s*:|&#(?:x[0-9a-fA-F]+|\\\\d+);)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1405", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1405", "description": "Product Catalog Simple <=1.7.11 Stored XSS via show_products shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "post-type-x", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.7.11"}, "RULE-CVE-2025-1405-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "[show_products"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[show_products\\\\s[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript\\\\s*:|&#(?:x[0-9a-fA-F]+|\\\\d+);)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1405", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1405", "description": "Product Catalog Simple <=1.7.11 Stored XSS via show_products shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "post-type-x", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.7.11"}, "RULE-CVE-2025-1405-03": {"action": "init", "conditions": [{"name": "ARGS:product_order", "type": "detectXSS"}], "cve": "CVE-2025-1405", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1405", "description": "Product Catalog Simple <=1.7.11 Reflected XSS via product_order parameter on product listing pages", "mode": "block", "severity": 5.4, "slug": "post-type-x", "tags": ["xss", "reflected-xss", "shortcode"], "target": "plugin", "versions": "<=1.7.11"}, "RULE-CVE-2025-14050-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:import", "type": "equals", "value": "design-import-export"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14050", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14050", "description": "Design Import/Export <=2.2 authenticated (Administrator+) SQL injection via XML file import", "method": "POST", "mode": "block", "severity": 4.9, "slug": "design-import-export", "tags": ["sql-injection", "authenticated", "file-upload"], "target": "plugin", "versions": "<=2.2"}, "RULE-CVE-2025-14056-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "cptui_tools"}, {"name": "ARGS:cptui_post_import", "type": "regex", "value": "~<[a-zA-Z!/][^>]*>~"}], "cve": "CVE-2025-14056", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14056", "description": "Custom Post Type UI <=1.18.1 Stored XSS via label in cptui_post_import JSON on Tools page", "method": "POST", "mode": "block", "severity": 4.4, "slug": "custom-post-type-ui", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.18.1"}, "RULE-CVE-2025-14056-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "cptui_tools"}, {"name": "ARGS:cptui_tax_import", "type": "regex", "value": "~<[a-zA-Z!/][^>]*>~"}], "cve": "CVE-2025-14056", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14056", "description": "Custom Post Type UI <=1.18.1 Stored XSS via label in cptui_tax_import JSON on Tools page", "method": "POST", "mode": "block", "severity": 4.4, "slug": "custom-post-type-ui", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.18.1"}, "RULE-CVE-2025-14061-01": {"ajax_action": "gdpr_delete_policy_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14061", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14061", "description": "WP Cookie Consent <=4.0.7 missing authorization on gdpr_delete_policy_data AJAX handler allowing unauthenticated arbitrary post deletion", "mode": "block", "severity": 5.3, "slug": "gdpr-cookie-consent", "tags": ["missing-authorization", "arbitrary-post-deletion", "unauthenticated"], "target": "plugin", "versions": "<=4.0.7"}, "RULE-CVE-2025-14064-01": {"ajax_action": "get_board", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on get_board AJAX endpoint allows unauthorized access to any group task board", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-02": {"ajax_action": "add_new_task", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on add_new_task AJAX endpoint allows unauthorized task creation", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-03": {"ajax_action": "edit_task", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on edit_task AJAX endpoint allows unauthorized task modification", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-04": {"ajax_action": "delete_task", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on delete_task AJAX endpoint allows unauthorized task deletion", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-05": {"ajax_action": "reorder_task", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on reorder_task AJAX endpoint allows unauthorized task reordering", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-06": {"ajax_action": "get_tasks", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on get_tasks AJAX endpoint allows unauthorized task data access", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-07": {"ajax_action": "edit_list", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on edit_list AJAX endpoint allows unauthorized list modification", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-08": {"ajax_action": "users_autocomplete", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on users_autocomplete AJAX endpoint allows unauthorized user enumeration", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control", "info-disclosure"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14064-09": {"ajax_action": "add_users_to_assign_list", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14064", "description": "BuddyTask <=1.3.0 missing authorization on add_users_to_assign_list AJAX endpoint allows unauthorized user assignment", "method": "POST", "mode": "block", "severity": 6.5, "slug": "buddytask", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-14069-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/profile.php"}, {"name": "ARGS:saswp_custom_schema_field", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-14069", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14069", "description": "Schema & Structured Data for WP & AMP <=1.54 Stored XSS via saswp_custom_schema_field on profile self-update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "schema-and-structured-data-for-wp", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.54"}, "RULE-CVE-2025-14069-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/user-edit.php"}, {"name": "ARGS:saswp_custom_schema_field", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-14069", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14069", "description": "Schema & Structured Data for WP & AMP <=1.54 Stored XSS via saswp_custom_schema_field on user-edit profile update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "schema-and-structured-data-for-wp", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.54"}, "RULE-CVE-2025-14079-01": {"ajax_action": "eh_crm_ticket_general", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14079", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14079", "description": "ELEX WordPress HelpDesk & Customer Support Ticket System <=3.3.5 missing authorization on eh_crm_ticket_general AJAX settings update", "method": "POST", "mode": "block", "severity": 5.3, "slug": "elex-helpdesk-customer-support-ticket-system", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.3.5"}, "RULE-CVE-2025-14109-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[column\\\\s[^\\\\]]*column\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-zA-Z]|\\\\bon\\\\w+\\\\s*=)[^\\"\']*[\\"\']~i"}], "cve": "CVE-2025-14109", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14109", "description": "AH Shortcodes <=1.0.2 Stored XSS via [column] shortcode attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ah-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-14109-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[column\\\\s[^\\\\]]*column\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-zA-Z]|\\\\bon\\\\w+\\\\s*=)[^\\"\']*[\\"\']~i"}], "cve": "CVE-2025-14109", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14109", "description": "AH Shortcodes <=1.0.2 Stored XSS via [column] shortcode attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ah-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-14110-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(list-pages|child-pages|tree-pages)\\\\s[^\\\\]]*class\\\\s*=\\\\s*[\\\\\\"\'][^\\\\]]*(?:<|on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14110", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14110", "description": "WP Js List Pages Shortcodes <=1.21 stored XSS via shortcode class attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-js-list-pages-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.21"}, "RULE-CVE-2025-14112-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~snillrik_restaurant_menu[^\\\\]]*menu_style\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*(?:<[^>]+>|on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-14112", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14112", "description": "Snillrik Restaurant Menu <=2.2.1 Stored XSS via menu_style shortcode attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "snillrik-restaurant-menu", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-14112-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~snillrik_restaurant_menu[^\\\\]]*menu_style\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*(?:<[^>]+>|on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-14112", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14112", "description": "Snillrik Restaurant Menu <=2.2.1 Stored XSS via menu_style shortcode attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "snillrik-restaurant-menu", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-14114-01": {"action": "init", "conditions": [{"type": "missing_capability", "value": "unfiltered_html"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(row|span|column)[^\\\\]]*class\\\\s*=\\\\s*[\'\\"][^\'\\"]*(<|on[a-z]+=|javascript:|&#)~i"}], "cve": "CVE-2025-14114", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14114", "description": "1180px Shortcodes <=1.1.1 authenticated (Contributor+) stored XSS via shortcode class attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "1180px-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-14114-02": {"action": "rest_api_init", "conditions": [{"type": "missing_capability", "value": "unfiltered_html"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(row|span|column)[^\\\\]]*class\\\\s*=\\\\s*[\'\\"][^\'\\"]*(<|on[a-z]+=|javascript:|&#)~i"}], "cve": "CVE-2025-14114", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14114", "description": "1180px Shortcodes <=1.1.1 authenticated (Contributor+) stored XSS via shortcode class attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "1180px-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2025-14120-01": {"ajax_action": "bfu_chunker", "conditions": [{"name": "ARGS:name", "type": "regex", "value": "~\\\\.svg[z]?(?:\\\\.|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14120", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14120", "description": "URL Image Importer <=1.0.7 authenticated (Author+) stored XSS via SVG file upload in bfu_chunker AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "url-image-importer", "tags": ["xss", "stored-xss", "svg-upload", "authenticated"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2025-14122-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[sliding_faq\\\\b[^\\\\]]*(?:on[a-z]+\\\\s*=|<script|javascript\\\\s*:|<img\\\\b|<svg\\\\b|<iframe\\\\b|<embed\\\\b|<object\\\\b)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14122", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14122", "description": "AD Sliding FAQ <=2.4 Stored XSS via sliding_faq shortcode attributes in post content (admin post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ad-sliding-faq", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.4"}, "RULE-CVE-2025-14122-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[sliding_faq\\\\b[^\\\\]]*(?:on[a-z]+\\\\s*=|<script|javascript\\\\s*:|<img\\\\b|<svg\\\\b|<iframe\\\\b|<embed\\\\b|<object\\\\b)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14122", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14122", "description": "AD Sliding FAQ <=2.4 Stored XSS via sliding_faq shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ad-sliding-faq", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.4"}, "RULE-CVE-2025-14124-01": {"ajax_action": "ttp_Layout_Ajax_Action", "conditions": [{"name": "ARGS:search", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|(?:^|[\'\\"])\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?\\\\d+|;\\\\s*(?:SELECT|DROP|INSERT|UPDATE|DELETE)|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2025-14124", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14124", "description": "Team \\u2013 Team Members Showcase <=5.0.10 unauthenticated SQL injection via search parameter in ttp_Layout_Ajax_Action AJAX handler", "method": "POST", "mode": "block", "severity": 8.6, "slug": "tlp-team", "tags": ["sql-injection", "unauthenticated", "blind-sqli"], "target": "plugin", "versions": "<=5.0.10"}, "RULE-CVE-2025-14142-01": {"action": "admin_init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[electric-enquiry\\\\b[^\\\\]]*button\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:[<>]|\\\\bon\\\\w+\\\\s*=)[^\\"\']*[\\"\']~i"}], "cve": "CVE-2025-14142", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14142", "description": "Electric Enquiries <=1.1 Stored XSS via button attribute of electric-enquiry shortcode in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "electric-enquiries", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-14143-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ayo_action\\\\b[^\\\\]]*color\\\\s*=[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14143", "description": "Ayo Shortcodes <=0.2 Stored XSS via ayo_action shortcode color attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ayo-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.1"}, "RULE-CVE-2025-14143-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ayo_action\\\\b[^\\\\]]*color\\\\s*=[^\\\\]]*(?:javascript|expression)\\\\s*[:(/]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14143", "description": "Ayo Shortcodes <=0.2 Stored XSS via ayo_action shortcode color attribute containing javascript URI in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ayo-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.1"}, "RULE-CVE-2025-14143-03": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ayo_action\\\\b[^\\\\]]*color\\\\s*=[^\\\\]]*<[a-z]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14143", "description": "Ayo Shortcodes <=0.2 Stored XSS via ayo_action shortcode color attribute with tag injection in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ayo-shortcodes", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.1"}, "RULE-CVE-2025-14143-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ayo_action\\\\b[^\\\\]]*color\\\\s*=[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14143", "description": "Ayo Shortcodes <=0.2 Stored XSS via ayo_action shortcode color attribute in REST API post content (event handler)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ayo-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.1"}, "RULE-CVE-2025-14143-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ayo_action\\\\b[^\\\\]]*color\\\\s*=[^\\\\]]*(?:javascript|expression)\\\\s*[:(/]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14143", "description": "Ayo Shortcodes <=0.2 Stored XSS via ayo_action shortcode color attribute in REST API post content (javascript URI)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ayo-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.1"}, "RULE-CVE-2025-14143-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ayo_action\\\\b[^\\\\]]*color\\\\s*=[^\\\\]]*<[a-z]~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14143", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14143", "description": "Ayo Shortcodes <=0.2 Stored XSS via ayo_action shortcode color attribute in REST API post content (tag injection)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ayo-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.1"}, "RULE-CVE-2025-14144-01": {"ajax_action": "ajax_live_preview", "conditions": [{"name": "ARGS:shortcodeData", "type": "regex", "value": "~<script[^>]*>|javascript\\\\s*:|\\\\bon(?:error|load|click|mouseover|focus|mouseenter|mouseout|mousemove|keydown|keyup|keypress|submit|change|input|animationend|animationstart)\\\\s*=~i"}], "cve": "CVE-2025-14144", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14144", "description": "Mstoic Shortcodes <=2.0 reflected XSS via shortcodeData in ajax_live_preview AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "mstoic-shortcodes", "tags": ["xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-14144-02": {"ajax_action": "mstoic_shortcodes_print_images", "conditions": [{"name": "ARGS:mstoicImgCount", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-14144", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14144", "description": "Mstoic Shortcodes <=2.0 reflected XSS via mstoicImgCount in mstoic_shortcodes_print_images AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "mstoic-shortcodes", "tags": ["xss", "unauthenticated"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-14151-01": {"ajax_action": "slimtrack", "conditions": [{"name": "ARGS:outbound_resource", "type": "regex", "value": "~(?i)(?:<\\\\s*(?:script|svg)\\\\b|\\\\bon(?:load|error)\\\\s*=|\\\\bjavascript\\\\s*:)~"}], "cve": "CVE-2025-14151", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14151", "description": "SlimStat Analytics <=5.3.2 unauthenticated stored XSS via outbound_resource parameter in slimtrack AJAX action", "mode": "block", "severity": 6.1, "slug": "wp-slimstat", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.3.2"}, "RULE-CVE-2025-14154-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "regex", "value": "~join_chat$~"}, {"name": "ARGS:name", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-14154", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14154", "description": "Better Messages <=2.10.2 stored XSS via unauthenticated guest display name in join chat", "method": "POST", "mode": "block", "severity": 6.1, "slug": "bp-better-messages", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.10.2"}, "RULE-CVE-2025-14156-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fox-lms/v1/payments/create-order(/|\\\\?|&|$)~"}, {"name": "ARGS:role", "type": "regex", "value": "~^(?!subscriber$).+~i"}], "cve": "CVE-2025-14156", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14156", "description": "Fox LMS >=1.0.4.7 <=1.0.5.1 unauthenticated privilege escalation via role parameter in create-order REST endpoint", "method": "POST", "mode": "block", "severity": 9.8, "slug": "fox-lms", "tags": ["privilege-escalation", "unauthenticated", "rest-api"], "target": "plugin", "versions": ">=1.0.4.7 <=1.0.5.1"}, "RULE-CVE-2025-14298-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[thegem_te_search[^\\\\]]*</style>~i"}], "cve": "CVE-2025-14298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14298", "description": "FiboSearch <= 1.32.0 Stored XSS via thegem_te_search shortcode attributes in post content (post.php)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ajax-search-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2025-14298-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[thegem_te_search[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-14298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14298", "description": "FiboSearch <= 1.32.0 Stored XSS via thegem_te_search shortcode attributes in post content (post.php, event handler breakout)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ajax-search-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2025-14298-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[thegem_te_search[^\\\\]]*<script~i"}], "cve": "CVE-2025-14298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14298", "description": "FiboSearch <= 1.32.0 Stored XSS via thegem_te_search shortcode attributes in post content (post.php, script tag injection)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ajax-search-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2025-14298-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[thegem_te_search[^\\\\]]*</style>~i"}], "cve": "CVE-2025-14298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14298", "description": "FiboSearch <= 1.32.0 Stored XSS via thegem_te_search shortcode attributes via REST API (style breakout)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ajax-search-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2025-14298-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[thegem_te_search[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-14298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14298", "description": "FiboSearch <= 1.32.0 Stored XSS via thegem_te_search shortcode attributes via REST API (event handler breakout)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ajax-search-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2025-14298-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[thegem_te_search[^\\\\]]*<script~i"}], "cve": "CVE-2025-14298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14298", "description": "FiboSearch <= 1.32.0 Stored XSS via thegem_te_search shortcode attributes via REST API (script tag injection)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ajax-search-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2025-14344-01": {"ajax_action": "gfmu_delete_file", "conditions": [{"name": "ARGS:file_id", "type": "regex", "value": "~\\\\.\\\\.[\\\\\\\\/]~"}], "cve": "CVE-2025-14344", "method": "POST", "mode": "block", "severity": 9.8, "slug": "gf-multi-uploader", "target": "plugin", "versions": "<=1.1.7"}, "RULE-CVE-2025-14344-02": {"ajax_action": "gfmu_delete_file", "conditions": [{"name": "ARGS:tmp_name", "type": "regex", "value": "~\\\\.\\\\.[\\\\\\\\/]~"}], "cve": "CVE-2025-14344", "method": "POST", "mode": "block", "severity": 9.8, "slug": "gf-multi-uploader", "target": "plugin", "versions": "<=1.1.7"}, "RULE-CVE-2025-14348-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wemail/v1/csv(/|\\\\?|$)~"}, {"name": "REQUEST_HEADERS:x-wemail-user", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-14348", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14348", "description": "weMail <=2.0.7 unauthenticated information disclosure via x-wemail-user header spoofing on REST CSV endpoints", "method": "GET", "mode": "block", "severity": 5.3, "slug": "wemail", "tags": ["improper-authorization", "information-disclosure", "unauthenticated", "rest-api", "header-spoofing"], "target": "plugin", "versions": "<=2.0.7"}, "RULE-CVE-2025-14351-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/~"}, {"name": "ARGS:bcf_google_font_delete_all", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14351", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14351", "description": "Custom Fonts <=2.1.16 unauthenticated font directory deletion via bcf_google_font_delete_all", "method": "GET", "mode": "block", "severity": 5.3, "slug": "custom-fonts", "tags": ["missing-authorization", "unauthenticated", "data-loss"], "target": "plugin", "versions": "<=2.1.16"}, "RULE-CVE-2025-14351-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/~"}, {"name": "ARGS:bcf_google_font_delete", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14351", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14351", "description": "Custom Fonts <=2.1.16 unauthenticated single font deletion via bcf_google_font_delete", "method": "GET", "mode": "block", "severity": 5.3, "slug": "custom-fonts", "tags": ["missing-authorization", "unauthenticated", "data-loss"], "target": "plugin", "versions": "<=2.1.16"}, "RULE-CVE-2025-14351-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/~"}, {"name": "ARGS:bcf_rebuild_fonts", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14351", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14351", "description": "Custom Fonts <=2.1.16 unauthenticated font rebuild triggering theme.json rewrite via bcf_rebuild_fonts", "method": "GET", "mode": "block", "severity": 5.3, "slug": "custom-fonts", "tags": ["missing-authorization", "unauthenticated", "data-loss"], "target": "plugin", "versions": "<=2.1.16"}, "RULE-CVE-2025-14375-01": {"ajax_action": "wpra.render.display", "conditions": [{"name": "ARGS:className", "type": "detectXSS"}], "cve": "CVE-2025-14375", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14375", "description": "WP RSS Aggregator <=5.0.10 reflected XSS via className parameter in wpra.render.display AJAX handler", "mode": "block", "severity": 6.1, "slug": "wp-rss-aggregator", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.0.10"}, "RULE-CVE-2025-14383-01": {"ajax_action": "WPBC_AJX_CALENDAR_LOAD", "conditions": [{"name": "ARGS:dates_to_check", "type": "detectSQLi"}], "cve": "CVE-2025-14383", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14383", "description": "Booking Calendar <=10.14.8 unauthenticated SQL injection via dates_to_check parameter in WPBC_AJX_CALENDAR_LOAD AJAX handler", "mode": "block", "severity": 7.5, "slug": "booking", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=10.14.8"}, "RULE-CVE-2025-14386-01": {"ajax_action": "generate_sso_url", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14386", "description": "Search Atlas SEO (metasync) <=2.5.11 missing authorization on generate_sso_url AJAX handler allows Subscriber+ to extract admin SSO token", "method": "POST", "mode": "block", "severity": 8.8, "slug": "metasync", "tags": ["missing-authorization", "authentication-bypass", "privilege-escalation"], "target": "plugin", "versions": ">=2.4.4 <=2.5.11"}, "RULE-CVE-2025-14386-02": {"ajax_action": "validate_sso_token", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14386", "description": "Search Atlas SEO (metasync) <=2.5.11 missing authorization on validate_sso_token AJAX handler allows Subscriber+ to validate/consume admin SSO token", "method": "POST", "mode": "block", "severity": 8.8, "slug": "metasync", "tags": ["missing-authorization", "authentication-bypass", "privilege-escalation"], "target": "plugin", "versions": ">=2.4.4 <=2.5.11"}, "RULE-CVE-2025-14386-03": {"ajax_action": "check_sso_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14386", "description": "Search Atlas SEO (metasync) <=2.5.11 missing authorization on check_sso_status AJAX handler allows Subscriber+ to query SSO status", "method": "POST", "mode": "block", "severity": 8.8, "slug": "metasync", "tags": ["missing-authorization", "authentication-bypass", "privilege-escalation"], "target": "plugin", "versions": ">=2.4.4 <=2.5.11"}, "RULE-CVE-2025-14388-01": {"action": "init", "conditions": [{"name": "ARGS:phast", "type": "exists"}, {"name": "ARGS:src", "type": "regex", "value": "~(?:%00|%2500|\\\\x00)~"}], "cve": "CVE-2025-14388", "method": "GET", "mode": "block", "severity": 9.8, "slug": "phastpress", "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2025-1440-01": {"ajax_action": "aip_map_url_action", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~^(?!https?://)~i"}], "cve": "CVE-2025-1440", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1440", "description": "Advanced iFrame <=2024.5 unauthenticated URL mapping injection via aip_map_url_action - blocks non-HTTP(S) scheme URLs (javascript, data, ftp, etc.)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "advanced-iframe", "tags": ["improper-input-validation", "option-manipulation", "unauthenticated"], "target": "plugin", "versions": "<=2024.5"}, "RULE-CVE-2025-1441-01": {"ajax_action": "wpr_filter_woo_products", "conditions": [{"name": "ARGS:wpr_no_results", "type": "detectXSS"}], "cve": "CVE-2025-1441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1441", "description": "Royal Elementor Addons <=1.7.1007 CSRF to Reflected XSS via wpr_filter_woo_products AJAX handler (wpr_no_results param)", "mode": "block", "severity": 8.8, "slug": "royal-elementor-addons", "tags": ["csrf", "xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1007"}, "RULE-CVE-2025-1441-02": {"ajax_action": "wpr_filter_woo_products", "conditions": [{"name": "ARGS:wpr_number_of_words", "type": "detectXSS"}], "cve": "CVE-2025-1441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1441", "description": "Royal Elementor Addons <=1.7.1007 CSRF to Reflected XSS via wpr_filter_woo_products AJAX handler (wpr_number_of_words param)", "mode": "block", "severity": 8.8, "slug": "royal-elementor-addons", "tags": ["csrf", "xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1007"}, "RULE-CVE-2025-1441-03": {"ajax_action": "wpr_filter_woo_products", "conditions": [{"name": "ARGS:wpr_view_result_text", "type": "detectXSS"}], "cve": "CVE-2025-1441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1441", "description": "Royal Elementor Addons <=1.7.1007 CSRF to Reflected XSS via wpr_filter_woo_products AJAX handler (wpr_view_result_text param)", "mode": "block", "severity": 8.8, "slug": "royal-elementor-addons", "tags": ["csrf", "xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1007"}, "RULE-CVE-2025-1441-04": {"ajax_action": "wpr_filter_woo_products", "conditions": [{"name": "ARGS:wpr_ajax_search_link_target", "type": "detectXSS"}], "cve": "CVE-2025-1441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1441", "description": "Royal Elementor Addons <=1.7.1007 CSRF to Reflected XSS via wpr_filter_woo_products AJAX handler (wpr_ajax_search_link_target param)", "mode": "block", "severity": 8.8, "slug": "royal-elementor-addons", "tags": ["csrf", "xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1007"}, "RULE-CVE-2025-1441-05": {"ajax_action": "wpr_filter_woo_products", "conditions": [{"name": "ARGS:grid_settings", "type": "regex", "value": "~<[a-z/!?]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-1441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1441", "description": "Royal Elementor Addons <=1.7.1007 CSRF to Reflected XSS via wpr_filter_woo_products AJAX handler (grid_settings JSON param)", "mode": "block", "severity": 8.8, "slug": "royal-elementor-addons", "tags": ["csrf", "xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1007"}, "RULE-CVE-2025-14437-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]wphb-log-action=download~i"}, {"name": "REQUEST_URI", "type": "regex", "value": "~[?&]wphb-log-module=~i"}], "cve": "CVE-2025-14437", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14437", "description": "Hummingbird Performance <=3.18.0 unauthenticated log file download via Logger::process_actions wphb-log-action parameter", "method": "GET", "mode": "block", "severity": 7.5, "slug": "hummingbird-performance", "tags": ["information-disclosure", "sensitive-data-exposure", "unauthenticated", "log-file-download"], "target": "plugin", "versions": "<=3.18.0"}, "RULE-CVE-2025-14440-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "jay_login_register_switch_back"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14440", "method": "GET", "mode": "block", "severity": 9.8, "slug": "jay-login-register", "target": "plugin", "versions": "<=2.4.01"}, "RULE-CVE-2025-14441-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/popupkit/v1/subscribers(?:\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14441", "description": "PopupKit (Starter Templates & Starter Blocks for Starter Sites) <=2.2.0 missing authorization on DELETE /popupkit/v1/subscribers REST endpoint allows authenticated subscriber+ arbitrary subscriber data deletion", "method": "DELETE", "mode": "block", "severity": 5.3, "slug": "popup-builder-block", "tags": ["missing-authorization", "broken-access-control", "rest-api", "data-deletion"], "target": "plugin", "versions": "<=2.2.0"}, "RULE-CVE-2025-14446-01": {"ajax_action": "easynotify_cp_reset", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14446", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14446", "description": "Popup Builder (Easy Notify Lite) <=1.1.37 missing authorization on easynotify_cp_reset AJAX action allows authenticated Subscriber+ users to reset plugin settings", "mode": "block", "severity": 6.5, "slug": "easy-notify-lite", "tags": ["missing-authorization", "broken-access-control", "settings-reset"], "target": "plugin", "versions": "<=1.1.37"}, "RULE-CVE-2025-14448-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)profile\\\\.php~"}, {"name": "ARGS:wpmem_dynamic_field", "type": "regex", "value": "~(?:<|&(?:#0*60|#x0*3c|lt);)[a-z/!].*?(?:>|&(?:#0*62|#x0*3e|gt);)|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|(?:<|&(?:#0*60|#x0*3c|lt);)script~i"}], "cve": "CVE-2025-14448", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14448", "description": "WP-Members <=3.5.4.3 stored XSS via unsanitized multiselect/multicheckbox profile fields on profile.php", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-members", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.5.4.3"}, "RULE-CVE-2025-14448-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)user-edit\\\\.php~"}, {"name": "ARGS:wpmem_dynamic_field", "type": "regex", "value": "~(?:<|&(?:#0*60|#x0*3c|lt);)[a-z/!].*?(?:>|&(?:#0*62|#x0*3e|gt);)|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|(?:<|&(?:#0*60|#x0*3c|lt);)script~i"}], "cve": "CVE-2025-14448", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14448", "description": "WP-Members <=3.5.4.3 stored XSS via unsanitized multiselect/multicheckbox profile fields on user-edit.php", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-members", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.5.4.3"}, "RULE-CVE-2025-14453-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[myg_album_gallery\\\\b[^\\\\]]*style_css\\\\s*=[^\\\\]]*(?:\\"|\')[^\\"\']*(?:on\\\\w+\\\\s*=|<script|</style|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14453", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14453", "description": "My Album Gallery <=1.0.4 Stored XSS via style_css shortcode attribute breakout into event handlers", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-album-gallery", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-14453-02": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[myg_album_gallery\\\\b[^\\\\]]*margin\\\\s*=[^\\\\]]*(?:\\"|\')[^\\"\']*(?:on\\\\w+\\\\s*=|<script|</style|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14453", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14453", "description": "My Album Gallery <=1.0.4 Stored XSS via margin shortcode attribute breakout", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-album-gallery", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-14453-03": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[myg_album_gallery\\\\b[^\\\\]]*padding\\\\s*=[^\\\\]]*(?:\\"|\')[^\\"\']*(?:on\\\\w+\\\\s*=|<script|</style|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14453", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14453", "description": "My Album Gallery <=1.0.4 Stored XSS via padding shortcode attribute breakout", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-album-gallery", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-14453-04": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[myg_album_gallery\\\\b[^\\\\]]*border_color\\\\s*=[^\\\\]]*(?:\\"|\')[^\\"\']*(?:on\\\\w+\\\\s*=|<script|</style|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14453", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14453", "description": "My Album Gallery <=1.0.4 Stored XSS via border_color shortcode attribute breakout", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-album-gallery", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-14455-01": {"ajax_action": "delete_gallery", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on delete_gallery AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-02": {"ajax_action": "clone_gallery", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on clone_gallery AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-03": {"ajax_action": "update_gallery_configuration", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on update_gallery_configuration AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-04": {"ajax_action": "save_gallery", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on save_gallery AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-05": {"ajax_action": "delete_image", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on delete_image AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-06": {"ajax_action": "add_image", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on add_image AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-07": {"ajax_action": "add_new_gallery", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on add_new_gallery AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-08": {"ajax_action": "save_image", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on save_image AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-09": {"ajax_action": "sort_images", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on sort_images AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-10": {"ajax_action": "toggle_visibility", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on toggle_visibility AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-11": {"ajax_action": "assign_filters", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on assign_filters AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-12": {"ajax_action": "assign_group", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on assign_group AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-13": {"ajax_action": "save_video", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on save_video AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14455-14": {"ajax_action": "refresh_gallery", "conditions": [{"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2025-14455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14455", "description": "Final Tiles Grid Gallery <=3.6.7 missing authorization on refresh_gallery AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control", "gallery-management"], "target": "plugin", "versions": "<=3.6.7"}, "RULE-CVE-2025-14467-01": {"ajax_action": "wpjobportal_ajax", "conditions": [{"name": "ARGS:wpjobportalme", "type": "equals", "value": "job"}, {"name": "ARGS:description", "type": "regex", "value": "~<script[\\\\s/>]~i"}], "cve": "CVE-2025-14467", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-job-portal", "target": "plugin", "versions": "<=2.3.9"}, "RULE-CVE-2025-14467-02": {"action": "init", "conditions": [{"name": "ARGS:wpjobportalme", "type": "equals", "value": "job"}, {"name": "ARGS:description", "type": "regex", "value": "~<script[\\\\s/>]~i"}], "cve": "CVE-2025-14467", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-job-portal", "target": "plugin", "versions": "<=2.3.9"}, "RULE-CVE-2025-14477-01": {"ajax_action": "ajaxUpdatePaginationLinks", "conditions": [{"name": "ARGS:filterText", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|;\\\\s*(?:SELECT|DROP|DELETE|INSERT|UPDATE|ALTER|CREATE)\\\\s|(?:SLEEP|BENCHMARK|WAITFOR)\\\\s*\\\\(|/\\\\*[^*]*\\\\*/\\\\s*(?:UNION|SELECT|DROP|INSERT|UPDATE|DELETE))~i"}], "cve": "CVE-2025-14477", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14477", "description": "404 Solution <=3.1.0 authenticated (Admin+) SQL injection via filterText parameter in ajaxUpdatePaginationLinks AJAX action", "method": "POST", "mode": "block", "severity": 4.9, "slug": "404-solution", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-14506-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:convertforce/conversion"}, {"name": "ARGS:content", "type": "contains", "value": "\\"type\\":\\"slide_in\\""}, {"name": "ARGS:content", "type": "regex", "value": "~\\"entrance_animation\\"\\\\s*:\\\\s*\\\\{[^}]*\\"name\\"\\\\s*:\\\\s*\\"(?:\\\\\\\\.|[^\\"\\\\\\\\])*(?:<|>|\\\\\\\\\\"|\\\\s+on[a-z]+\\\\s*=)(?:\\\\\\\\.|[^\\"\\\\\\\\])*\\"~i"}], "cve": "CVE-2025-14506", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14506", "description": "ConvertForce Popup Builder <=0.0.7 stored XSS via entrance_animation block attribute in REST API post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "convertforce-popup-builder", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.0.7"}, "RULE-CVE-2025-14506-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:post_content", "type": "contains", "value": "wp:convertforce/conversion"}, {"name": "ARGS:post_content", "type": "contains", "value": "\\"type\\":\\"slide_in\\""}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\"entrance_animation\\"\\\\s*:\\\\s*\\\\{[^}]*\\"name\\"\\\\s*:\\\\s*\\"(?:\\\\\\\\.|[^\\"\\\\\\\\])*(?:<|>|\\\\\\\\\\"|\\\\s+on[a-z]+\\\\s*=)(?:\\\\\\\\.|[^\\"\\\\\\\\])*\\"~i"}], "cve": "CVE-2025-14506", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14506", "description": "ConvertForce Popup Builder <=0.0.7 stored XSS via entrance_animation block attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "convertforce-popup-builder", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.0.7"}, "RULE-CVE-2025-14508-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mediacommander/v1/import-csv(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14508", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14508", "description": "MediaCommander <=2.3.1 missing authorization on import-csv REST endpoint allows Author+ to delete all media folder data", "method": "POST", "mode": "block", "severity": 6.5, "slug": "mediacommander", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2025-1453-01": {"ajax_action": "save-widget", "conditions": [{"name": "ARGS:id_base", "type": "equals", "value": "category-posts"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1453", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1453", "description": "Category Posts Widget <=4.9.19 stored XSS via widget template field (AJAX save-widget path)", "method": "POST", "mode": "block", "severity": 4.8, "slug": "category-posts", "tags": ["xss", "stored-xss", "widget"], "target": "plugin", "versions": "<=4.9.19"}, "RULE-CVE-2025-1453-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/widgets\\\\.php~"}, {"name": "ARGS:id_base", "type": "equals", "value": "category-posts"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1453", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1453", "description": "Category Posts Widget <=4.9.19 stored XSS via widget template field (classic widgets.php POST path)", "method": "POST", "mode": "block", "severity": 4.8, "slug": "category-posts", "tags": ["xss", "stored-xss", "widget"], "target": "plugin", "versions": "<=4.9.19"}, "RULE-CVE-2025-14533-01": {"ajax_action": "nopriv_endpoint/form/shortcode", "conditions": [{"type": "missing_capability", "value": "promote_users"}, {"name": "ARGS", "type": "regex", "value": "~^(?:administrator|super_admin)$~"}], "cve": "CVE-2025-14533", "method": "POST", "mode": "block", "severity": 9.8, "slug": "acf-extended", "target": "plugin", "versions": "<=0.9.2.1"}, "RULE-CVE-2025-14548-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "calendar"}, {"name": "ARGS:action", "type": "equals", "value": "add"}, {"name": "ARGS:event_desc", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|focus|blur|toggle|mouseover|mouseenter)\\\\s*=|javascript\\\\s*:|<(?:svg|iframe|object|embed|form)[^>]*>~i"}], "cve": "CVE-2025-14548", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14548", "description": "Calendar <=1.3.16 Stored XSS via event_desc on add action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "calendar", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.3.16"}, "RULE-CVE-2025-14548-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "calendar"}, {"name": "ARGS:action", "type": "equals", "value": "add"}, {"name": "ARGS:event_title", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|focus|blur|toggle|mouseover|mouseenter)\\\\s*=|javascript\\\\s*:|<(?:svg|iframe|object|embed|form)[^>]*>~i"}], "cve": "CVE-2025-14548", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14548", "description": "Calendar <=1.3.16 Stored XSS via event_title on add action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "calendar", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.3.16"}, "RULE-CVE-2025-14548-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "calendar"}, {"name": "ARGS:action", "type": "equals", "value": "edit_save"}, {"name": "ARGS:event_desc", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|focus|blur|toggle|mouseover|mouseenter)\\\\s*=|javascript\\\\s*:|<(?:svg|iframe|object|embed|form)[^>]*>~i"}], "cve": "CVE-2025-14548", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14548", "description": "Calendar <=1.3.16 Stored XSS via event_desc on edit_save action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "calendar", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.3.16"}, "RULE-CVE-2025-14548-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "calendar"}, {"name": "ARGS:action", "type": "equals", "value": "edit_save"}, {"name": "ARGS:event_title", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|focus|blur|toggle|mouseover|mouseenter)\\\\s*=|javascript\\\\s*:|<(?:svg|iframe|object|embed|form)[^>]*>~i"}], "cve": "CVE-2025-14548", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14548", "description": "Calendar <=1.3.16 Stored XSS via event_title on edit_save action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "calendar", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.3.16"}, "RULE-CVE-2025-1455-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/elementor/v1/document/save(?:/|\\\\?|$)~"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1455", "description": "Royal Elementor Addons <=1.7.1012 Stored XSS via Woo Grid widget settings on Elementor REST save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "royal-elementor-addons", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=1.7.1012"}, "RULE-CVE-2025-1455-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"type": "missing_capability", "value": "unfiltered_html"}, {"name": "ARGS:_elementor_data", "type": "contains", "value": "wpr-woo-grid"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~(?:popup_notification_animation|popup_notification_fade_out_in|popup_notification_animation_duration|element_open_links_in_new_tab)~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~(?:\\\\\\"|")(?:\\\\s)*(?:on[a-z]{3,20}\\\\s*=|>[^<]{0,200}<\\\\s*(?:script|svg|img|iframe)\\\\b|javascript\\\\s*:)~i"}], "cve": "CVE-2025-1455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1455", "description": "Royal Elementor Addons <=1.7.1012 Stored XSS via Woo Grid widget in _elementor_data on classic editor save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "royal-elementor-addons", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=1.7.1012"}, "RULE-CVE-2025-14552-01": {"ajax_action": "mpp_update_gallery_details", "conditions": [{"name": "ARGS:mpp-gallery-title", "type": "regex", "value": "~<[a-zA-Z][^>]*(?:on\\\\w+\\\\s*=|javascript:|src\\\\s*=|href\\\\s*=)|<\\\\s*(?:script|svg|img|iframe|object|embed|link|style|body|marquee|details|math|video|audio|base)\\\\b~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14552", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14552", "description": "MediaPress <=1.6.1 Stored XSS via mpp-gallery-title in mpp_update_gallery_details AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "mediapress", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.6.1"}, "RULE-CVE-2025-14552-02": {"ajax_action": "mpp_update_gallery_details", "conditions": [{"name": "ARGS:mpp-gallery-description", "type": "regex", "value": "~<[a-zA-Z][^>]*(?:on\\\\w+\\\\s*=|javascript:|src\\\\s*=|href\\\\s*=)|<\\\\s*(?:script|svg|img|iframe|object|embed|link|style|body|marquee|details|math|video|audio|base)\\\\b~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14552", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14552", "description": "MediaPress <=1.6.1 Stored XSS via mpp-gallery-description in mpp_update_gallery_details AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "mediapress", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.6.1"}, "RULE-CVE-2025-14554-01": {"ajax_action": "orderform_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<[a-z/!?]~i"}], "cve": "CVE-2025-14554", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14554", "description": "Sell BTC - Cryptocurrency Selling Calculator <=1.5 unauthenticated stored XSS via orderform_data AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "sell-btc-by-hayyatapps", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.5"}, "RULE-CVE-2025-14555-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wpdevart_countdown\\\\b[^\\\\]]*(?:<script|on(?:error|load|click|mouseover|focus|toggle|start)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-14555", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14555", "description": "Countdown Timer - Widget Countdown <=2.7.7 Stored XSS via wpdevart_countdown shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "widget-countdown", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.7.7"}, "RULE-CVE-2025-14555-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wpdevart_countdown\\\\b[^\\\\]]*(?:<script|on(?:error|load|click|mouseover|focus|toggle|start)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-14555", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14555", "description": "Countdown Timer - Widget Countdown <=2.7.7 Stored XSS via wpdevart_countdown shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "widget-countdown", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.7.7"}, "RULE-CVE-2025-1459-01": {"ajax_action": "so_panels_builder_content", "conditions": [{"name": "ARGS:panels_data", "type": "exists"}, {"name": "ARGS:panels_data", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<svg[^>]*\\\\bon|<iframe[^>]*\\\\bsrcdoc\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1459", "description": "Page Builder by SiteOrigin <=2.31.4 Stored XSS via Embedded Video widget in builder content preview", "method": "POST", "mode": "block", "severity": 5.4, "slug": "siteorigin-panels", "tags": ["xss", "stored-xss", "page-builder"], "target": "plugin", "versions": "<=2.31.4"}, "RULE-CVE-2025-1459-02": {"ajax_action": "so_panels_builder_content_json", "conditions": [{"name": "ARGS:panels_data", "type": "exists"}, {"name": "ARGS:panels_data", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<svg[^>]*\\\\bon|<iframe[^>]*\\\\bsrcdoc\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1459", "description": "Page Builder by SiteOrigin <=2.31.4 Stored XSS via Embedded Video widget in builder content JSON preview", "method": "POST", "mode": "block", "severity": 5.4, "slug": "siteorigin-panels", "tags": ["xss", "stored-xss", "page-builder"], "target": "plugin", "versions": "<=2.31.4"}, "RULE-CVE-2025-1459-03": {"ajax_action": "so_panels_live_editor_preview", "conditions": [{"name": "ARGS:panels_data", "type": "exists"}, {"name": "ARGS:panels_data", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<svg[^>]*\\\\bon|<iframe[^>]*\\\\bsrcdoc\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1459", "description": "Page Builder by SiteOrigin <=2.31.4 Stored XSS via Embedded Video widget in live editor preview", "method": "POST", "mode": "block", "severity": 5.4, "slug": "siteorigin-panels", "tags": ["xss", "stored-xss", "page-builder"], "target": "plugin", "versions": "<=2.31.4"}, "RULE-CVE-2025-14610-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~\\"csv_url\\"\\\\s*:\\\\s*\\"\\\\s*(?:(?:file|gopher|dict|ftp|ldap):|https?://(?:localhost|127\\\\.|0\\\\.0\\\\.0\\\\.0|10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|\\\\[::1\\\\]))~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-14610", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14610", "description": "TableMaster for Elementor <=1.3.6 SSRF via csv_url parameter in Data Table widget settings", "method": "POST", "mode": "block", "severity": 7.2, "slug": "tablemaster-for-elementor", "tags": ["ssrf", "server-side-request-forgery", "elementor-widget"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2025-14610-02": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~\\"json_url\\"\\\\s*:\\\\s*\\"\\\\s*(?:(?:file|gopher|dict|ftp|ldap):|https?://(?:localhost|127\\\\.|0\\\\.0\\\\.0\\\\.0|10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|\\\\[::1\\\\]))~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-14610", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14610", "description": "TableMaster for Elementor <=1.3.6 SSRF via json_url parameter in Data Table widget settings", "method": "POST", "mode": "block", "severity": 7.2, "slug": "tablemaster-for-elementor", "tags": ["ssrf", "server-side-request-forgery", "elementor-widget"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2025-14632-01": {"ajax_action": "upload_file", "conditions": [{"name": "ARGS:_chunkedd", "type": "regex", "value": "~\\\\.html?(?:[\\"\'\\\\s,}]|$)~i"}], "cve": "CVE-2025-14632", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14632", "description": "Filr - Secure document library <=1.2.11 stored XSS via HTML file upload through chunked upload path (_chunkedd parameter)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "filr-protection", "tags": ["file-upload", "xss", "dangerous-file-type"], "target": "plugin", "versions": "<=1.2.11"}, "RULE-CVE-2025-14635-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "equals", "value": "/wp-admin/post.php"}, {"name": "ARGS:ha_page_custom_js", "type": "detectXSS"}], "cve": "CVE-2025-14635", "method": "POST", "mode": "block", "severity": 6.4, "slug": "happy-elementor-addons", "target": "plugin", "versions": "<=3.20.3"}, "RULE-CVE-2025-14657-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/eventin/v1/[^/]+/settings(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14657", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-event-solution", "target": "plugin", "versions": "<=4.0.51"}, "RULE-CVE-2025-14718-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/publishpress-future/v1/workflows(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14718", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14718", "description": "PublishPress Future <=4.9.3 missing authorization on workflow creation REST endpoint", "method": "POST", "mode": "block", "severity": 5.4, "slug": "post-expirator", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.9.3"}, "RULE-CVE-2025-14718-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/publishpress-future/v1/workflows/\\\\d+(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14718", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14718", "description": "PublishPress Future <=4.9.3 missing authorization on workflow update REST endpoint", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "post-expirator", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.9.3"}, "RULE-CVE-2025-14718-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/publishpress-future/v1/workflows/\\\\d+(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14718", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14718", "description": "PublishPress Future <=4.9.3 missing authorization on workflow deletion REST endpoint", "method": "DELETE", "mode": "block", "severity": 5.4, "slug": "post-expirator", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.9.3"}, "RULE-CVE-2025-14718-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/publishpress-future/v1/workflows/\\\\d+/publish(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14718", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14718", "description": "PublishPress Future <=4.9.3 missing authorization on workflow publish REST endpoint", "method": "POST", "mode": "block", "severity": 5.4, "slug": "post-expirator", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.9.3"}, "RULE-CVE-2025-14720-01": {"ajax_action": "wpamelia_api", "conditions": [{"name": "ARGS", "type": "regex", "value": "~refund~i"}, {"name": "ARGS", "type": "regex", "value": "~payment_id~i"}], "cve": "CVE-2025-14720", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14720", "description": "Amelia Booking <=2.0 unauthenticated Square refund webhook forgery via missing signature verification", "method": "POST", "mode": "block", "severity": 5.3, "slug": "ameliabooking", "tags": ["missing-authorization", "business-logic-abuse", "unauthenticated", "webhook-forgery"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-1475-01": {"ajax_action": "wpcom_login", "conditions": [{"name": "ARGS:user_phone", "type": "exists"}], "cve": "CVE-2025-1475", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wpcom-member", "target": "plugin", "versions": "<=1.7.5"}, "RULE-CVE-2025-14757-01": {"ajax_action": "complete_payment", "conditions": [{"name": "ARGS:data", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14757", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14757", "description": "Cost Calculator Builder <=3.6.9 missing authorization on complete_payment AJAX action allows unauthenticated order status manipulation", "method": "POST", "mode": "block", "severity": 5.3, "slug": "cost-calculator-builder", "tags": ["missing-authorization", "payment-bypass", "unauthenticated"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-14793-01": {"action": "init", "conditions": [{"name": "ARGS:dkpdfg", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14793", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14793", "description": "DK PDF <=2.3.0 authenticated (Author+) SSRF via PDF generation trigger (dkpdfg parameter)", "method": "GET", "mode": "block", "severity": 5.0, "slug": "dk-pdf", "tags": ["ssrf", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2025-14796-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "attachment"}, {"name": "ARGS:post_title", "type": "regex", "value": "~<\\\\s*(?:script|svg|img|iframe|details|marquee|object|embed|video|audio|body|input|form|link|meta|style|base|math|a\\\\b)[^>]*(?:\\\\bon\\\\w+\\\\s*=|javascript:|data:\\\\s*text/html)|<\\\\s*script~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14796", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14796", "description": "My Album Gallery <=1.0.4 Stored XSS via image title in WordPress core post.php attachment edit", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-album-gallery", "tags": ["xss", "stored-xss", "unpatched"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-14796-02": {"ajax_action": "save-attachment", "conditions": [{"name": "ARGS:changes[title]", "type": "regex", "value": "~<\\\\s*(?:script|svg|img|iframe|details|marquee|object|embed|video|audio|body|input|form|link|meta|style|base|math|a\\\\b)[^>]*(?:\\\\bon\\\\w+\\\\s*=|javascript:|data:\\\\s*text/html)|<\\\\s*script~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14796", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14796", "description": "My Album Gallery <=1.0.4 Stored XSS via image title in WordPress core save-attachment AJAX", "method": "POST", "mode": "block", "severity": 6.4, "slug": "my-album-gallery", "tags": ["xss", "stored-xss", "unpatched"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-14797-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/edit-tags\\\\.php~"}, {"name": "ARGS:tag-name", "type": "regex", "value": "~<\\\\s*(?:script|img|svg|iframe|object|embed|details|body|video|audio|marquee|math|base|form|input|button|select|textarea|link|style|meta|applet)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|toggle|resize|scroll|drag|drop|abort|animat|begin|end|input|invalid|key|mouse|pointer|touch|transition|wheel)\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_categories"}], "cve": "CVE-2025-14797", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14797", "description": "Same Category Posts <=1.1.19 Stored XSS via taxonomy term creation (tag-name) in widget title placeholder", "method": "POST", "mode": "block", "severity": 5.4, "slug": "same-category-posts", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.1.19"}, "RULE-CVE-2025-14797-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/edit-tags\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editedtag"}, {"name": "ARGS:name", "type": "regex", "value": "~<\\\\s*(?:script|img|svg|iframe|object|embed|details|body|video|audio|marquee|math|base|form|input|button|select|textarea|link|style|meta|applet)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit|toggle|resize|scroll|drag|drop|abort|animat|begin|end|input|invalid|key|mouse|pointer|touch|transition|wheel)\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_categories"}], "cve": "CVE-2025-14797", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14797", "description": "Same Category Posts <=1.1.19 Stored XSS via taxonomy term edit (name) in widget title placeholder", "method": "POST", "mode": "block", "severity": 5.4, "slug": "same-category-posts", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.1.19"}, "RULE-CVE-2025-14799-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mailin/v1/mailin_disconnect(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14799", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14799", "description": "Brevo (Mailin) <=3.3.0 unauthenticated authorization bypass via type juggling on mailin_disconnect REST endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "mailin", "tags": ["authorization-bypass", "type-juggling", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=3.3.0"}, "RULE-CVE-2025-14800-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/wp-json/wpcf7r/v1/download-file(/|\\\\?|$)~i"}, {"name": "ARGS:file_key", "type": "regex", "value": "~(^|.*/)(wp-config\\\\.php|php\\\\.ini|\\\\.htaccess|\\\\.user\\\\.ini)(\\\\?.*)?$~i"}, {"name": "ARGS:file_key", "type": "regex", "value": "~(^|.*/)([^/]+\\\\.(php[0-9]?|phtml|phar|pht|cgi|exe|sh|jsp|asp|aspx))(\\\\?.*)?$~i"}, {"name": "ARGS:file_key", "type": "regex", "value": "~(\\\\.\\\\./|\\\\.\\\\./|\\\\.\\\\.\\\\\\\\|%2e%2e%2f|%2e%2e/|/etc/passwd|/windows/win\\\\.ini)~i"}, {"name": "ARGS:file_key", "type": "regex", "value": "~^(https?|ftp)://[^\\\\s]+\\\\.(php[0-9]?|phtml|phar|pht|cgi|exe|sh|jsp|asp|aspx)(\\\\?.*)?$~i"}], "cve": "CVE-2025-14800", "method": "GET", "mode": "block", "severity": 8.1, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=3.2.7"}, "RULE-CVE-2025-14803-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "nf_update_record"}, {"name": "ARGS", "type": "regex", "value": "~(<|%3[cC]|<|�*60;?|�*3[cC];?)\\\\s*(script|img|svg|iframe|object|embed|body|input|details|marquee|div|style|link|base|form|video|audio|math|table|meta|select|textarea|button|isindex|keygen|source|template|noscript|a[\\\\s/>=])~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14803", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14803", "description": "NEX-Forms <= 9.1.7 authenticated stored XSS via nf_update_record AJAX handler", "method": "POST", "mode": "block", "severity": 6.8, "slug": "nex-forms-express-wp-form-builder", "tags": ["xss", "stored-xss", "missing-sanitization"], "target": "plugin", "versions": "<=9.1.7"}, "RULE-CVE-2025-14803-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "nf_insert_record"}, {"name": "ARGS", "type": "regex", "value": "~(<|%3[cC]|<|�*60;?|�*3[cC];?)\\\\s*(script|img|svg|iframe|object|embed|body|input|details|marquee|div|style|link|base|form|video|audio|math|table|meta|select|textarea|button|isindex|keygen|source|template|noscript|a[\\\\s/>=])~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14803", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14803", "description": "NEX-Forms <= 9.1.7 authenticated stored XSS via nf_insert_record AJAX handler", "method": "POST", "mode": "block", "severity": 6.8, "slug": "nex-forms-express-wp-form-builder", "tags": ["xss", "stored-xss", "missing-sanitization"], "target": "plugin", "versions": "<=9.1.7"}, "RULE-CVE-2025-14804-01": {"ajax_action": "wpfm_delete_file", "conditions": [{"name": "ARGS:file_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14804", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14804", "description": "Frontend File Manager <=23.4 authenticated arbitrary file deletion via wpfm_delete_file AJAX action (IDOR, no ownership check)", "method": "POST", "mode": "block", "severity": 7.7, "slug": "nmedia-user-file-uploader", "tags": ["missing-authorization", "arbitrary-file-deletion", "idor"], "target": "plugin", "versions": "<=23.4"}, "RULE-CVE-2025-14804-02": {"ajax_action": "wpfm_save_file_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14804", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14804", "description": "Frontend File Manager <=23.4 authenticated arbitrary file deletion via wpfm_save_file_data path traversal in filename", "method": "POST", "mode": "block", "severity": 7.7, "slug": "nmedia-user-file-uploader", "tags": ["path-traversal", "arbitrary-file-deletion", "file-name-manipulation"], "target": "plugin", "versions": "<=23.4"}, "RULE-CVE-2025-14842-01": {"ajax_action": "dnd_codedropz_upload", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\.(?:phar|svg)(?:\\\\s|$)~i"}], "cve": "CVE-2025-14842", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14842", "description": "Drag and Drop Multiple File Upload CF7 <=1.3.9.2 \\u2013 best-effort block of .phar/.svg strings in POST/GET params on upload AJAX (NOTE: does not inspect multipart filenames in $_FILES; partial coverage only)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "drag-and-drop-multiple-file-upload-contact-form-7", "tags": ["dangerous-file-upload", "unauthenticated", "cwe-434", "partial-coverage"], "target": "plugin", "versions": "<=1.3.9.2"}, "RULE-CVE-2025-14844-01": {"ajax_action": "rcp_stripe_create_setup_intent_for_saved_card", "conditions": [{"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-14844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14844", "description": "Restrict Content <=3.2.16 unauthenticated Stripe SetupIntent client_secret leak via rcp_stripe_create_setup_intent_for_saved_card AJAX action (IDOR/Missing Auth)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "restrict-content", "tags": ["missing-authentication", "idor", "sensitive-data-exposure", "unauthenticated"], "target": "plugin", "versions": "<=3.2.16"}, "RULE-CVE-2025-14855-02": {"ajax_action": "validation_ajax_action", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<\\\\s*(?:script|iframe|svg|math|details|embed|object)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|toggle|pointer[a-z]*)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-14855", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14855", "description": "SureForms <=2.2.0 unauthenticated stored XSS via validation AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "sureforms", "tags": ["xss", "stored-xss", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=2.2.0"}, "RULE-CVE-2025-14865-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:content_protector|passster)[^\\\\]]*headline\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z][^>]*\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14865", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14865", "description": "Passster \\u2013 Password Protect Pages and Content <=4.2.24 Stored XSS via content_protector/passster shortcode headline attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "content-protector", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.2.24"}, "RULE-CVE-2025-14865-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:content_protector|passster)[^\\\\]]*acf\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z][^>]*\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<\\\\s*script|\\"\\\\s+\\\\bon\\\\w+\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-14865", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14865", "description": "Passster \\u2013 Password Protect Pages and Content <=4.2.24 Stored XSS via content_protector/passster shortcode acf attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "content-protector", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.2.24"}, "RULE-CVE-2025-14867-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[flashcard[^\\\\]]*source\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|file://)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14867", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14867", "description": "Flashcard Plugin for WordPress <=0.9 authenticated (Contributor+) arbitrary file read via path traversal in post_content shortcode source attribute", "method": "POST", "mode": "block", "severity": 6.5, "slug": "flashcard", "tags": ["path-traversal", "arbitrary-file-read", "shortcode"], "target": "plugin", "versions": "<=0.9"}, "RULE-CVE-2025-14867-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[flashcard[^\\\\]]*source\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:\\\\.\\\\.[\\\\\\\\/]|/etc/|php://|file://)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14867", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14867", "description": "Flashcard Plugin for WordPress <=0.9 authenticated (Contributor+) arbitrary file read via REST API post creation with path traversal in content", "method": "POST", "mode": "block", "severity": 6.5, "slug": "flashcard", "tags": ["path-traversal", "arbitrary-file-read", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.9"}, "RULE-CVE-2025-14875-01": {"action": "init", "conditions": [{"name": "ARGS:wc-api", "type": "equals", "value": "hblpay_return"}, {"name": "ARGS:cusdata", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+\\\\s*=)~i"}], "cve": "CVE-2025-14875", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14875", "description": "HBLPAY Payment Gateway for WooCommerce <=5.0.0 reflected XSS via cusdata parameter on wc-api callback", "method": "GET", "mode": "block", "severity": 6.1, "slug": "hblpay-payment-gateway-for-woocommerce", "tags": ["xss", "reflected-xss", "unauthenticated", "woocommerce"], "target": "plugin", "versions": "<=5.0.0"}, "RULE-CVE-2025-14875-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~hblpay-payment-gateway-for-woocommerce/return\\\\.php~"}, {"name": "ARGS:cusdata", "type": "regex", "value": "~<[a-z/!]|javascript\\\\s*:|on\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-14875", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14875", "description": "HBLPAY Payment Gateway for WooCommerce <=5.0.0 reflected XSS via cusdata parameter on direct return.php access", "method": "GET", "mode": "block", "severity": 6.1, "slug": "hblpay-payment-gateway-for-woocommerce", "tags": ["xss", "reflected-xss", "unauthenticated", "woocommerce"], "target": "plugin", "versions": "<=5.0.0"}, "RULE-CVE-2025-1489-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[appbox\\\\b[^\\\\]]*(?:<[a-zA-Z]|\\\\bon\\\\w+\\\\s*=|javascript:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-1489", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1489", "description": "WP-Appbox <=4.5.4 Stored XSS via [appbox] shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-appbox", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.4"}, "RULE-CVE-2025-1489-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[appbox\\\\b[^\\\\]]*(?:<[a-zA-Z]|\\\\bon\\\\w+\\\\s*=|javascript:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-1489", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1489", "description": "WP-Appbox <=4.5.4 Stored XSS via [appbox] shortcode attributes in post_content param (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-appbox", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.4"}, "RULE-CVE-2025-14891-01": {"ajax_action": "cr_local_forms_submit", "conditions": [{"name": "ARGS:displayName", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-14891", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14891", "description": "Customer Reviews for WooCommerce <=5.93.1 Stored XSS via displayName in cr_local_forms_submit AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "customer-reviews-woocommerce", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.93.1"}, "RULE-CVE-2025-14893-01": {"action": "init", "conditions": [{"name": "ARGS:tel", "type": "regex", "value": "~<[a-zA-Z/!]~"}], "cve": "CVE-2025-14893", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14893", "description": "IndieWeb <=4.0.5 Stored XSS via Telephone profile field", "method": "POST", "mode": "block", "severity": 6.4, "slug": "indieweb", "tags": ["xss", "stored-xss", "user-profile"], "target": "plugin", "versions": "<=4.0.5"}, "RULE-CVE-2025-1490-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "smart-maintenance-mode"}, {"name": "ARGS:setstatus", "type": "detectXSS"}], "cve": "CVE-2025-1490", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1490", "description": "Smart Maintenance Mode <=1.5.2 reflected XSS via setstatus parameter on admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "smart-maintenance-mode", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-14948-01": {"ajax_action": "mo_wc_notification_enable", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:notification", "type": "exists"}], "cve": "CVE-2025-14948", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14948", "description": "OTP Verification & SMS Notification <=4.3.8 missing authorization on mo_wc_notification_enable AJAX action allows unauthenticated notification settings toggle", "method": "POST", "mode": "block", "severity": 5.3, "slug": "miniorange-sms-order-notification-otp-verification", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=4.3.8"}, "RULE-CVE-2025-14973-01": {"ajax_action": "wpzoom_import_recipes", "conditions": [{"name": "ARGS:recipes[0][recipe_id]", "type": "detectSQLi"}], "cve": "CVE-2025-14973", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14973", "description": "Recipe Card Blocks by WPZOOM <=3.4.12 authenticated SQL injection via recipes[0][recipe_id] in wpzoom_import_recipes AJAX handler", "method": "POST", "mode": "block", "severity": 6.8, "slug": "recipe-card-blocks-by-wpzoom", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=3.4.12"}, "RULE-CVE-2025-14973-02": {"ajax_action": "wpzoom_import_recipes", "conditions": [{"name": "ARGS:recipes[1][recipe_id]", "type": "detectSQLi"}], "cve": "CVE-2025-14973", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14973", "description": "Recipe Card Blocks by WPZOOM <=3.4.12 authenticated SQL injection via recipes[1][recipe_id] in wpzoom_import_recipes AJAX handler", "method": "POST", "mode": "block", "severity": 6.8, "slug": "recipe-card-blocks-by-wpzoom", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=3.4.12"}, "RULE-CVE-2025-14973-03": {"ajax_action": "wpzoom_import_recipes", "conditions": [{"name": "ARGS:recipes[2][recipe_id]", "type": "detectSQLi"}], "cve": "CVE-2025-14973", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14973", "description": "Recipe Card Blocks by WPZOOM <=3.4.12 authenticated SQL injection via recipes[2][recipe_id] in wpzoom_import_recipes AJAX handler", "method": "POST", "mode": "block", "severity": 6.8, "slug": "recipe-card-blocks-by-wpzoom", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=3.4.12"}, "RULE-CVE-2025-14975-02": {"action": "wp_loaded", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-login\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "rp"}, {"name": "ARGS:pass1", "type": "exists"}, {"name": "ARGS:rp_key", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-14975", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14975", "description": "Login Customizer <=2.5.3 unauthenticated arbitrary password reset via rp action", "method": "POST", "mode": "block", "severity": 8.1, "slug": "login-customizer", "tags": ["privilege-escalation", "authentication-bypass", "unauthenticated", "password-reset"], "target": "plugin", "versions": "<=2.5.3"}, "RULE-CVE-2025-14976-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "regex", "value": "~^user-registration~"}, {"name": "ARGS:action", "type": "equals", "value": "delete"}, {"name": "ARGS:post", "type": "regex", "value": "~^\\\\d+$~"}], "cve": "CVE-2025-14976", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14976", "description": "User Registration & Membership <=4.4.8 CSRF to arbitrary post deletion via process_row_actions delete action", "method": "GET", "mode": "block", "severity": 5.4, "slug": "user-registration", "tags": ["csrf", "arbitrary-post-deletion", "missing-nonce"], "target": "plugin", "versions": "<=4.4.8"}, "RULE-CVE-2025-14977-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/dokan/v1/settings(?:/|\\\\?|&|$)~"}, {"name": "ARGS:store_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14977", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14977", "description": "Dokan Lite <=4.2.4 IDOR via REST API dokan/v1/settings allows authenticated users to read other vendors\' store settings", "method": "GET", "mode": "block", "severity": 8.1, "slug": "dokan-lite", "tags": ["idor", "broken-access-control", "rest-api", "information-disclosure"], "target": "plugin", "versions": "<=4.2.4"}, "RULE-CVE-2025-14977-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/dokan/v1/settings(?:/|\\\\?|&|$)~"}, {"name": "ARGS:store_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14977", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14977", "description": "Dokan Lite <=4.2.4 IDOR via REST API dokan/v1/settings allows authenticated users to modify other vendors\' store settings including payment info", "method": "POST", "mode": "block", "severity": 8.1, "slug": "dokan-lite", "tags": ["idor", "broken-access-control", "rest-api", "account-takeover"], "target": "plugin", "versions": "<=4.2.4"}, "RULE-CVE-2025-14983-01": {"ajax_action": "ACFFA_delete_icon_set", "conditions": [{"name": "ARGS:icon_set_name", "type": "regex", "value": "~<[^>]*(?:script|img|svg|iframe|object|embed|link|style|form|input|body|meta|marquee|details|math|isindex|base|area)|\\\\bon(?:error|load|click|mouseover|focus|blur|submit|change|input|keydown|keyup|keypress|mouseenter|mouseleave|mouseout|mousemove|dblclick|contextmenu|wheel|pointerover|animationend|toggle|resize|beforeunload)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html~i"}], "cve": "CVE-2025-14983", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14983", "description": "Advanced Custom Fields: Font Awesome <=5.0.1 Stored XSS via ACFFA_delete_icon_set icon_set_name parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-custom-fields-font-awesome", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<=5.0.1"}, "RULE-CVE-2025-14985-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~</style\\\\s*>~i"}], "cve": "CVE-2025-14985", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14985", "description": "Alpha Blocks <=1.5.0 Authenticated (Contributor+) Stored XSS via alpha_block_css post meta on REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "alpha-blocks", "tags": ["xss", "stored-xss", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.5.0"}, "RULE-CVE-2025-14985-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~</style\\\\s*>~i"}], "cve": "CVE-2025-14985", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14985", "description": "Alpha Blocks <=1.5.0 Authenticated (Contributor+) Stored XSS via alpha_block_css post meta on REST API post update", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "alpha-blocks", "tags": ["xss", "stored-xss", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.5.0"}, "RULE-CVE-2025-14997-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/members/.+/profile/edit/)~"}, {"name": "ARGS:/^field_\\\\d+$/", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2025-14997", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14997", "description": "BuddyPress Xprofile Custom Field Types <=1.2.8 path traversal payload injection via xprofile field value during BuddyPress profile save", "method": "POST", "mode": "block", "severity": 7.2, "slug": "bp-xprofile-custom-field-types", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2025-14997-02": {"ajax_action": "bpxcftr_remove_user_tag", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-14997", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-14997", "description": "BuddyPress Xprofile Custom Field Types <=1.2.8 missing authorization on bpxcftr_remove_user_tag AJAX action (defense-in-depth)", "method": "POST", "mode": "block", "severity": 7.2, "slug": "bp-xprofile-custom-field-types", "tags": ["missing-authorization", "arbitrary-file-deletion", "path-traversal"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2025-14998-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-login\\\\.php~"}, {"name": "ARGS:action", "type": "regex", "value": "~^(?:rp|resetpass)$~i"}, {"name": "ARGS:password_1", "type": "exists"}], "cve": "CVE-2025-14998", "method": "POST", "mode": "block", "severity": 9.8, "slug": "branda-white-labeling", "target": "plugin", "versions": "<3.4.29"}, "RULE-CVE-2025-14998-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-activate\\\\.php~"}, {"name": "ARGS:password_1", "type": "exists"}], "cve": "CVE-2025-14998", "method": "POST", "mode": "block", "severity": 9.8, "slug": "branda-white-labeling", "target": "plugin", "versions": "<3.4.29"}, "RULE-CVE-2025-15027-01": {"ajax_action": "jay_login_register_ajax_create_final_user", "conditions": [{"name": "ARGS:meta_wp_capabilities", "type": "exists"}], "cve": "CVE-2025-15027", "method": "POST", "mode": "block", "severity": 9.8, "slug": "jay-login-register", "target": "plugin", "versions": "<=2.6.03"}, "RULE-CVE-2025-15027-02": {"ajax_action": "jay_login_register_ajax_create_final_user", "conditions": [{"name": "ARGS:meta_wp_user_level", "type": "exists"}], "cve": "CVE-2025-15027", "method": "POST", "mode": "block", "severity": 9.8, "slug": "jay-login-register", "target": "plugin", "versions": "<=2.6.03"}, "RULE-CVE-2025-1503-01": {"action": "admin_init", "conditions": [{"name": "ARGS:wprm_roundup_items[0][data][name]", "type": "detectXSS"}], "cve": "CVE-2025-1503", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1503", "description": "WP Recipe Maker <=9.8.0 Stored XSS via Roundup Recipe Name field (Contributor+)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-recipe-maker", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=9.8.0"}, "RULE-CVE-2025-1503-02": {"action": "admin_init", "conditions": [{"name": "ARGS:wprm_roundup_items[0][data][link]", "type": "detectXSS"}], "cve": "CVE-2025-1503", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1503", "description": "WP Recipe Maker <=9.8.0 Stored XSS via Roundup Recipe link field (Contributor+)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-recipe-maker", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=9.8.0"}, "RULE-CVE-2025-1503-03": {"action": "admin_init", "conditions": [{"name": "ARGS:wprm_roundup_items[0][data][credit]", "type": "detectXSS"}], "cve": "CVE-2025-1503", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1503", "description": "WP Recipe Maker <=9.8.0 Stored XSS via Roundup Recipe credit field (Contributor+)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-recipe-maker", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=9.8.0"}, "RULE-CVE-2025-1503-04": {"action": "admin_init", "conditions": [{"name": "ARGS:wprm_roundup_items[0][data][button]", "type": "detectXSS"}], "cve": "CVE-2025-1503", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1503", "description": "WP Recipe Maker <=9.8.0 Stored XSS via Roundup Recipe button field (Contributor+)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-recipe-maker", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=9.8.0"}, "RULE-CVE-2025-1503-05": {"action": "admin_init", "conditions": [{"name": "ARGS:wprm_roundup_items[0][data][image_url]", "type": "detectXSS"}], "cve": "CVE-2025-1503", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1503", "description": "WP Recipe Maker <=9.8.0 Stored XSS via Roundup Recipe image_url field (Contributor+)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-recipe-maker", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=9.8.0"}, "RULE-CVE-2025-15041-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/backwpup/v1/save_site_option(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-15041", "method": "POST", "mode": "block", "severity": 7.2, "slug": "backwpup", "target": "plugin", "versions": "<=5.6.2"}, "RULE-CVE-2025-15057-01": {"ajax_action": "slimtrack", "conditions": [{"name": "ARGS:fh", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-15057", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15057", "description": "SlimStat Analytics <=5.3.3 unauthenticated stored XSS via fh parameter in slimtrack AJAX handler", "mode": "block", "severity": 7.2, "slug": "wp-slimstat", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.3.3"}, "RULE-CVE-2025-15058-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "pricing_table"}, {"name": "ARGS:table_currency", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2025-15058", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15058", "description": "Responsive Pricing Table <=5.1.12 authenticated (Contributor+) Stored XSS via table_currency parameter in pricing_table CPT", "method": "POST", "mode": "block", "severity": 6.4, "slug": "dk-pricr-responsive-pricing-table", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=5.1.12"}, "RULE-CVE-2025-1507-01": {"action": "init", "conditions": [{"name": "ARGS:ga_action", "type": "regex", "value": "~^ga_action_(auth|sharethis_invite|update_terms|enable_all_features|disable_all_features)$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-1507", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1507", "description": "ShareThis Dashboard for Google Analytics <=3.2.1 missing authorization on handle_actions() allows unauthenticated feature deactivation", "mode": "block", "severity": 5.3, "slug": "googleanalytics", "tags": ["missing-authorization", "unauthenticated", "feature-deactivation"], "target": "plugin", "versions": "<=3.2.1"}, "RULE-CVE-2025-15100-01": {"ajax_action": "jay_login_register_create_final_user", "conditions": [{"name": "ARGS:/(?i)^meta_(wp_.*|session_tokens.*)/", "type": "exists"}], "cve": "CVE-2025-15100", "method": "POST", "mode": "block", "severity": 8.8, "slug": "jay-login-register", "target": "plugin", "versions": "<=2.6.03"}, "RULE-CVE-2025-15100-03": {"ajax_action": "jay_panel_update_profile", "conditions": [{"name": "ARGS:/(?i)^jay_panel_meta_(wp_.*|session_tokens.*)/", "type": "exists"}], "cve": "CVE-2025-15100", "method": "POST", "mode": "block", "severity": 8.8, "slug": "jay-login-register", "target": "plugin", "versions": "<=2.6.03"}, "RULE-CVE-2025-1511-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^ur-member~"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2025-1511", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1511", "description": "User Registration & Membership <=4.0.4 Reflected XSS via search parameter on membership admin page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "user-registration", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.0.4"}, "RULE-CVE-2025-1513-01": {"ajax_action": "post_cg_set_comment_v10", "conditions": [{"name": "ARGS:Name", "type": "detectXSS"}], "cve": "CVE-2025-1513", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1513", "description": "Contest Gallery <=26.0.0.1 unauthenticated stored XSS via Name field in comment submission", "method": "POST", "mode": "block", "severity": 6.1, "slug": "contest-gallery", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=26.0.0.1"}, "RULE-CVE-2025-1513-02": {"ajax_action": "post_cg_set_comment_v10", "conditions": [{"name": "ARGS:Comment", "type": "detectXSS"}], "cve": "CVE-2025-1513", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1513", "description": "Contest Gallery <=26.0.0.1 unauthenticated stored XSS via Comment field in comment submission", "method": "POST", "mode": "block", "severity": 6.1, "slug": "contest-gallery", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=26.0.0.1"}, "RULE-CVE-2025-15260-01": {"ajax_action": "lws_adminpanel_editlist", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-15260", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15260", "description": "MyRewards \\u2013 Loyalty Points and Rewards for WooCommerce <=5.6.0 missing authorization on lws_adminpanel_editlist allowing subscriber+ to modify loyalty rules", "method": "POST", "mode": "block", "severity": 6.5, "slug": "woorewards", "tags": ["missing-authorization", "broken-access-control", "privilege-escalation"], "target": "plugin", "versions": "<=5.6.0"}, "RULE-CVE-2025-15266-01": {"ajax_action": "geekybot_frontendajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus|toggle)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-15266", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15266", "description": "GeekyBot <=1.1.8 unauthenticated stored XSS via geekybot_frontendajax chat message", "method": "POST", "mode": "block", "severity": 7.2, "slug": "geeky-bot", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.8"}, "RULE-CVE-2025-15266-02": {"ajax_action": "geekybot_ajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus|toggle)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-15266", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15266", "description": "GeekyBot <=1.1.8 unauthenticated stored XSS via geekybot_ajax chat handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "geeky-bot", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.8"}, "RULE-CVE-2025-1527-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1527", "description": "ShopLentor (WooLentor) <=3.1.0 Stored DOM-Based XSS via Flash Sale Countdown widget attributes in Classic Editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "woolentor-addons", "tags": ["xss", "stored-xss", "dom-based-xss"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-1527-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1527", "description": "ShopLentor (WooLentor) <=3.1.0 Stored DOM-Based XSS via Flash Sale Countdown widget attributes in Gutenberg REST API post update", "method": "POST", "mode": "block", "severity": 5.4, "slug": "woolentor-addons", "tags": ["xss", "stored-xss", "dom-based-xss", "rest-api"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-1527-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/admin-ajax\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "regex", "value": "~^(?:save_builder|elementor_ajax)$~"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1527", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1527", "description": "ShopLentor (WooLentor) <=3.1.0 Stored DOM-Based XSS via Flash Sale Countdown widget attributes in Elementor AJAX save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "woolentor-addons", "tags": ["xss", "stored-xss", "dom-based-xss", "elementor"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-15283-01": {"action": "init", "conditions": [{"name": "ARGS:name_directory_name", "type": "exists"}, {"name": "ARGS:name_directory_name", "type": "regex", "value": "~(?:<|<?|�*60;?|�*3[cC];?)(?:script|svg|iframe|img|body|marquee|object|embed|video|audio|details|math)(?:[\\\\s/>]|>?|�*62;?|�*3[eE];?)|\\\\bon(?:error|load|click|mouse\\\\w+|focus|blur|change|submit)\\\\s*=|javascript\\\\s*:|�*106;?avascript\\\\s*:|�*6[aA];?avascript\\\\s*:~i"}], "cve": "CVE-2025-15283", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15283", "description": "Name Directory <=1.30.3 unauthenticated stored XSS via name_directory_name parameter", "method": "POST", "mode": "block", "severity": 7.2, "slug": "name-directory", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.30.3"}, "RULE-CVE-2025-15283-02": {"action": "init", "conditions": [{"name": "ARGS:name_directory_description", "type": "exists"}, {"name": "ARGS:name_directory_description", "type": "regex", "value": "~(?:<|<?|�*60;?|�*3[cC];?)(?:script|svg|iframe|body|marquee|object|embed|math)(?:[\\\\s/>]|>?|�*62;?|�*3[eE];?)|\\\\bon(?:error|load|click|mouse\\\\w+|focus|blur|change|submit)\\\\s*=|javascript\\\\s*:|�*106;?avascript\\\\s*:|�*6[aA];?avascript\\\\s*:~i"}], "cve": "CVE-2025-15283", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15283", "description": "Name Directory <=1.30.3 unauthenticated stored XSS via name_directory_description parameter", "method": "POST", "mode": "block", "severity": 7.2, "slug": "name-directory", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.30.3"}, "RULE-CVE-2025-15283-03": {"action": "init", "conditions": [{"name": "ARGS:name_directory_submitter", "type": "exists"}, {"name": "ARGS:name_directory_submitter", "type": "regex", "value": "~(?:<|<?|�*60;?|�*3[cC];?)(?:script|svg|iframe|img|body|marquee|object|embed|video|audio|details|math)(?:[\\\\s/>]|>?|�*62;?|�*3[eE];?)|\\\\bon(?:error|load|click|mouse\\\\w+|focus|blur|change|submit)\\\\s*=|javascript\\\\s*:|�*106;?avascript\\\\s*:|�*6[aA];?avascript\\\\s*:~i"}], "cve": "CVE-2025-15283", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15283", "description": "Name Directory <=1.30.3 unauthenticated stored XSS via name_directory_submitter parameter", "method": "POST", "mode": "block", "severity": 7.2, "slug": "name-directory", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.30.3"}, "RULE-CVE-2025-15285-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/lupsonlinelinknetwerk/blog(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-15285", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15285", "description": "SEO Flow by LupsOnline <=2.2.1 unauthenticated blog post creation via REST API", "method": "POST", "mode": "block", "severity": 7.5, "slug": "lupsonline-link-netwerk", "tags": ["missing-authorization", "unauthenticated", "rest-api", "content-modification"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-15285-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/lupsonlinelinknetwerk/blog(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-15285", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15285", "description": "SEO Flow by LupsOnline <=2.2.1 unauthenticated blog post modification via REST API", "method": "PUT", "mode": "block", "severity": 7.5, "slug": "lupsonline-link-netwerk", "tags": ["missing-authorization", "unauthenticated", "rest-api", "content-modification"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-15285-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/lupsonlinelinknetwerk/blog(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "delete_posts"}], "cve": "CVE-2025-15285", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15285", "description": "SEO Flow by LupsOnline <=2.2.1 unauthenticated blog post deletion via REST API", "method": "DELETE", "mode": "block", "severity": 7.5, "slug": "lupsonline-link-netwerk", "tags": ["missing-authorization", "unauthenticated", "rest-api", "content-deletion"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-15285-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/lupsonlinelinknetwerk/category(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_categories"}], "cve": "CVE-2025-15285", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15285", "description": "SEO Flow by LupsOnline <=2.2.1 unauthenticated category creation via REST API", "method": "POST", "mode": "block", "severity": 7.5, "slug": "lupsonline-link-netwerk", "tags": ["missing-authorization", "unauthenticated", "rest-api", "content-modification"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-15347-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/creator-lms/v1/settings(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-15347", "method": "POST", "mode": "block", "severity": 8.8, "slug": "creatorlms", "target": "plugin", "versions": "<=1.1.12"}, "RULE-CVE-2025-15368-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~template\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:php|data|expect|phar|zip|glob|file)://|[\\\\\\\\/]etc[\\\\\\\\/])~i"}], "cve": "CVE-2025-15368", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15368", "description": "SportsPress <=2.7.26 authenticated local file inclusion via shortcode template attribute in post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "sportspress", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.7.26"}, "RULE-CVE-2025-15368-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~template\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:php|data|expect|phar|zip|glob|file)://|[\\\\\\\\/]etc[\\\\\\\\/])~i"}], "cve": "CVE-2025-15368", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15368", "description": "SportsPress <=2.7.26 authenticated local file inclusion via shortcode template attribute in REST API post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "sportspress", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.7.26"}, "RULE-CVE-2025-15386-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~<a\\\\s[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-15386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15386", "description": "Responsive Lightbox & Gallery <=2.6.0 unauthenticated stored XSS via comment with inline event handler in anchor tag", "method": "POST", "mode": "block", "severity": 8.8, "slug": "responsive-lightbox", "tags": ["xss", "stored-xss", "unauthenticated", "comment-injection"], "target": "plugin", "versions": "<=2.6.0"}, "RULE-CVE-2025-15386-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~<a\\\\s[^>]*href\\\\s*=\\\\s*[\\"\']?\\\\s*javascript\\\\s*:~i"}], "cve": "CVE-2025-15386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15386", "description": "Responsive Lightbox & Gallery <=2.6.0 unauthenticated stored XSS via comment with javascript URI in anchor href", "method": "POST", "mode": "block", "severity": 8.8, "slug": "responsive-lightbox", "tags": ["xss", "stored-xss", "unauthenticated", "comment-injection"], "target": "plugin", "versions": "<=2.6.0"}, "RULE-CVE-2025-15386-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/comments(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~<a\\\\s[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-15386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15386", "description": "Responsive Lightbox & Gallery <=2.6.0 unauthenticated stored XSS via REST API comment with inline event handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "responsive-lightbox", "tags": ["xss", "stored-xss", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=2.6.0"}, "RULE-CVE-2025-15386-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/comments(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~<a\\\\s[^>]*href\\\\s*=\\\\s*[\\"\']?\\\\s*javascript\\\\s*:~i"}], "cve": "CVE-2025-15386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15386", "description": "Responsive Lightbox & Gallery <=2.6.0 unauthenticated stored XSS via REST API comment with javascript URI", "method": "POST", "mode": "block", "severity": 8.8, "slug": "responsive-lightbox", "tags": ["xss", "stored-xss", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=2.6.0"}, "RULE-CVE-2025-15396-01": {"action": "init", "conditions": [{"name": "ARGS:library-viewer-error-message", "type": "detectXSS"}], "cve": "CVE-2025-15396", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15396", "description": "Library Viewer <3.2.0 reflected XSS via library-viewer-error-message GET parameter", "method": "GET", "mode": "block", "severity": 7.1, "slug": "library-viewer", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<3.2.0"}, "RULE-CVE-2025-15396-02": {"action": "init", "conditions": [{"name": "ARGS:library-viewer-success-message", "type": "detectXSS"}], "cve": "CVE-2025-15396", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15396", "description": "Library Viewer <3.2.0 reflected XSS via library-viewer-success-message GET parameter", "method": "GET", "mode": "block", "severity": 7.1, "slug": "library-viewer", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<3.2.0"}, "RULE-CVE-2025-15403-01": {"ajax_action": "rm_user_exists", "conditions": [{"name": "ARGS:admin_order", "type": "exists"}], "cve": "CVE-2025-15403", "method": "POST", "mode": "block", "severity": 9.8, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.7.1"}, "RULE-CVE-2025-15466-01": {"ajax_action": "delete_gallery", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on delete_gallery AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-02": {"ajax_action": "clone_gallery", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on clone_gallery AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-03": {"ajax_action": "add_new_gallery", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on add_new_gallery AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-04": {"ajax_action": "save_gallery", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on save_gallery AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-05": {"ajax_action": "get_gallery_configuration", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on get_gallery_configuration AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "information-disclosure"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-06": {"ajax_action": "get_image_size_url", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on get_image_size_url AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "information-disclosure"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-07": {"ajax_action": "delete_image", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on delete_image AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-08": {"ajax_action": "save_image", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on save_image AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-09": {"ajax_action": "add_image", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on add_image AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-10": {"ajax_action": "sort_images", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on sort_images AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-11": {"ajax_action": "assign_filters", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on assign_filters AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-12": {"ajax_action": "toggle_visibility", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on toggle_visibility AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-13": {"ajax_action": "assign_group", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on assign_group AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-14": {"ajax_action": "update_gallery_configuration", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on update_gallery_configuration AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-15": {"ajax_action": "refresh_gallery", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on refresh_gallery AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15466-16": {"ajax_action": "save_video", "conditions": [{"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-15466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15466", "description": "Final Tiles Grid Gallery <=3.6.9 missing authorization on save_video AJAX action", "mode": "block", "severity": 5.4, "slug": "final-tiles-grid-gallery-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.6.9"}, "RULE-CVE-2025-15477-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bucketlister\\\\b[^\\\\]]*(?:category|id)\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\]\\\\s]+)(?:(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|EXEC|DECLARE|CAST|CONVERT|WAITFOR|BENCHMARK|SLEEP|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE)\\\\b|\\\\b(?:OR|AND)\\\\b\\\\s+\\\\d|--\\\\s|/\\\\*|#\\\\s|;\\\\s*(?:SELECT|DROP|INSERT|UPDATE|DELETE)\\\\b)~i"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/post\\\\.php|/wp-admin/admin-post\\\\.php)~"}], "cve": "CVE-2025-15477", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15477", "description": "The Bucketlister <=0.1.5 SQL injection via shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "the-bucketlister", "tags": ["sql-injection", "shortcode", "authenticated"], "target": "plugin", "versions": "<=0.1.5"}, "RULE-CVE-2025-15477-02": {"action": "rest_api_init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[bucketlister\\\\b[^\\\\]]*(?:category|id)\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\]\\\\s]+)(?:(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|EXEC|DECLARE|CAST|CONVERT|WAITFOR|BENCHMARK|SLEEP|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE)\\\\b|\\\\b(?:OR|AND)\\\\b\\\\s+\\\\d|--\\\\s|/\\\\*|#\\\\s|;\\\\s*(?:SELECT|DROP|INSERT|UPDATE|DELETE)\\\\b)~i"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}], "cve": "CVE-2025-15477", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15477", "description": "The Bucketlister <=0.1.5 SQL injection via shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "the-bucketlister", "tags": ["sql-injection", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=0.1.5"}, "RULE-CVE-2025-15521-01": {"ajax_action": "academy/shortcode/password_reset_handler", "cve": "CVE-2025-15521", "method": "POST", "mode": "block", "severity": 9.8, "slug": "academy", "target": "plugin", "versions": "<=3.5.0"}, "RULE-CVE-2025-15522-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[automator_discord_user_mapping\\\\b[^\\\\]]*verified_message\\\\s*=\\\\s*[^\\\\]]*<[^>]+[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-15522", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15522", "description": "Uncanny Automator <=6.10.0.2 Stored XSS via automator_discord_user_mapping shortcode verified_message attribute (post save)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "uncanny-automator", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=6.10.0.2"}, "RULE-CVE-2025-15522-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[automator_discord_user_mapping\\\\b[^\\\\]]*verified_message\\\\s*=\\\\s*[^\\\\]]*<[^>]+[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-15522", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-15522", "description": "Uncanny Automator <=6.10.0.2 Stored XSS via automator_discord_user_mapping shortcode verified_message attribute (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "uncanny-automator", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=6.10.0.2"}, "RULE-CVE-2025-1561-01": {"ajax_action": "appp_log", "conditions": [{"name": "ARGS:title", "type": "detectXSS"}], "cve": "CVE-2025-1561", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1561", "description": "AppPresser \\u2013 Mobile App Framework <=4.4.10 unauthenticated stored XSS via title parameter in appp_log AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "apppresser", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.10"}, "RULE-CVE-2025-1561-02": {"ajax_action": "appp_log", "conditions": [{"name": "ARGS:var", "type": "detectXSS"}], "cve": "CVE-2025-1561", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1561", "description": "AppPresser \\u2013 Mobile App Framework <=4.4.10 unauthenticated stored XSS via var parameter in appp_log AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "apppresser", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.10"}, "RULE-CVE-2025-1561-03": {"ajax_action": "appp_log", "conditions": [{"name": "ARGS:file", "type": "detectXSS"}], "cve": "CVE-2025-1561", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1561", "description": "AppPresser \\u2013 Mobile App Framework <=4.4.10 unauthenticated stored XSS via file parameter in appp_log AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "apppresser", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.10"}, "RULE-CVE-2025-1561-04": {"ajax_action": "appp_log", "conditions": [{"name": "ARGS:function", "type": "detectXSS"}], "cve": "CVE-2025-1561", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1561", "description": "AppPresser \\u2013 Mobile App Framework <=4.4.10 unauthenticated stored XSS via function parameter in appp_log AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "apppresser", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.10"}, "RULE-CVE-2025-1561-05": {"ajax_action": "appp_log", "conditions": [{"name": "ARGS:line", "type": "detectXSS"}], "cve": "CVE-2025-1561", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1561", "description": "AppPresser \\u2013 Mobile App Framework <=4.4.10 unauthenticated stored XSS via line parameter in appp_log AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "apppresser", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.4.10"}, "RULE-CVE-2025-1562-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/funnelkit-automations/v[0-9]+/plugin/install_and_activate~"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2025-1562", "method": "POST", "mode": "block", "severity": 9.8, "slug": "wp-marketing-automations", "target": "plugin", "versions": "<=3.5.3"}, "RULE-CVE-2025-1571-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "regex", "value": "~^(?:elementor_ajax|save_builder)$~"}, {"name": "ARGS:elements", "type": "regex", "value": "~(?:exad_animated_text|exad_image_comparison|image.comparison)~i"}, {"name": "ARGS:elements", "type": "regex", "value": "~(?i)(?:<\\\\s*script\\\\b|on(?:error|load)\\\\s*=|javascript:|<\\\\s*svg\\\\b)~"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1571", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1571", "description": "Exclusive Addons for Elementor <=2.7.6 authenticated (Contributor+) Stored XSS via Animated Text and Image Comparison widget settings", "method": "POST", "mode": "block", "severity": 5.4, "slug": "exclusive-addons-for-elementor", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.7.6"}, "RULE-CVE-2025-1620-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "moove-gdpr"}, {"name": "ARGS:tab", "type": "equals", "value": "floating-button"}, {"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*(?:script|svg|iframe|object|embed|math)\\\\b|\\\\bon(?:mouse\\\\w+|load|error|focus|blur|click|dblclick|key\\\\w+|change|submit|reset|select|abort|resize)\\\\s*=|javascript\\\\s*:|</\\\\s*style\\\\s*>\\\\s*<)~i"}], "cve": "CVE-2025-1620", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1620", "description": "GDPR Cookie Compliance <=4.15.6 stored XSS via floating-button settings tab", "method": "POST", "mode": "block", "severity": 4.8, "slug": "gdpr-cookie-compliance", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.15.6"}, "RULE-CVE-2025-1620-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "moove-gdpr"}, {"name": "ARGS:tab", "type": "equals", "value": "branding"}, {"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*(?:script|svg|iframe|object|embed|math)\\\\b|\\\\bon(?:mouse\\\\w+|load|error|focus|blur|click|dblclick|key\\\\w+|change|submit|reset|select|abort|resize)\\\\s*=|javascript\\\\s*:|</\\\\s*style\\\\s*>\\\\s*<)~i"}], "cve": "CVE-2025-1620", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1620", "description": "GDPR Cookie Compliance <=4.15.6 stored XSS via branding settings tab", "method": "POST", "mode": "block", "severity": 4.8, "slug": "gdpr-cookie-compliance", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.15.6"}, "RULE-CVE-2025-1620-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "moove-gdpr"}, {"name": "ARGS:tab", "type": "equals", "value": "banner-settings"}, {"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*(?:script|svg|iframe|object|embed|math)\\\\b|\\\\bon(?:mouse\\\\w+|load|error|focus|blur|click|dblclick|key\\\\w+|change|submit|reset|select|abort|resize)\\\\s*=|javascript\\\\s*:|</\\\\s*style\\\\s*>\\\\s*<)~i"}], "cve": "CVE-2025-1620", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1620", "description": "GDPR Cookie Compliance <=4.15.6 stored XSS via banner-settings tab", "method": "POST", "mode": "block", "severity": 4.8, "slug": "gdpr-cookie-compliance", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.15.6"}, "RULE-CVE-2025-1625-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:qi-blocks/counter\\\\s*\\\\{[^}]*(?:<script[\\\\s>]|\\\\bon(?:error|load|mouseover|focus|click)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1625", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1625", "description": "Qi Blocks <1.4 stored XSS via Counter block attributes in REST API post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "qi-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<1.4"}, "RULE-CVE-2025-1625-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~wp:qi-blocks/counter\\\\s*\\\\{[^}]*(?:<script[\\\\s>]|\\\\bon(?:error|load|mouseover|focus|click)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1625", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1625", "description": "Qi Blocks <1.4 stored XSS via Counter block attributes in classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "qi-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<1.4"}, "RULE-CVE-2025-1626-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:qi-blocks/countdown"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|focus|mouseover|click|animationend|transitionend)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1626", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1626", "description": "Qi Blocks <=1.3.6 Stored XSS via Countdown block options in REST API post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "qi-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2025-1626-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:qi-blocks/counter"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|focus|mouseover|click|animationend|transitionend)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1626", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1626", "description": "Qi Blocks <=1.3.6 Stored XSS via Counter block options in REST API post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "qi-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2025-1626-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:qi-blocks/countdown"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|focus|mouseover|click|animationend|transitionend)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1626", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1626", "description": "Qi Blocks <=1.3.6 Stored XSS via Countdown block options in classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "qi-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2025-1626-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:qi-blocks/counter"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|focus|mouseover|click|animationend|transitionend)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1626", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1626", "description": "Qi Blocks <=1.3.6 Stored XSS via Counter block options in classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "qi-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2025-1662-01": {"ajax_action": "url_media_uploader_url_upload", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~(?:^https?://(?:localhost|\\\\[?::1\\\\]?|0(?:\\\\.0){0,3}|127\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|192\\\\.168\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|169\\\\.254\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|0x[0-9a-f]{8}|[0-9]{8,10})(?:[:/]|$))~i"}], "cve": "CVE-2025-1662", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1662", "description": "URL Media Uploader <=1.0.0 authenticated SSRF via url parameter in url_media_uploader_url_upload AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "url-media-uploader", "tags": ["ssrf", "server-side-request-forgery", "authenticated"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2025-1664-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "essential-blocks/parallax-slider"}, {"name": "ARGS:content", "type": "regex", "value": "~javascript\\\\s*:~i"}], "cve": "CVE-2025-1664", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1664", "description": "Essential Blocks <=5.3.1 Stored XSS via javascript: protocol in Parallax Slider block link attribute (REST API post create)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "essential-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "rest-api"], "target": "plugin", "versions": "<=5.3.1"}, "RULE-CVE-2025-1664-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "essential-blocks/parallax-slider"}, {"name": "ARGS:content", "type": "regex", "value": "~javascript\\\\s*:~i"}], "cve": "CVE-2025-1664", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1664", "description": "Essential Blocks <=5.3.1 Stored XSS via javascript: protocol in Parallax Slider block link attribute (REST API post update)", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "essential-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "rest-api"], "target": "plugin", "versions": "<=5.3.1"}, "RULE-CVE-2025-1664-03": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:content", "type": "contains", "value": "essential-blocks/parallax-slider"}, {"name": "ARGS:content", "type": "regex", "value": "~javascript\\\\s*:~i"}], "cve": "CVE-2025-1664", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1664", "description": "Essential Blocks <=5.3.1 Stored XSS via javascript: protocol in Parallax Slider block link attribute (classic editor post.php)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "essential-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "classic-editor"], "target": "plugin", "versions": "<=5.3.1"}, "RULE-CVE-2025-1703-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:<script[\\\\s>/]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1703", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1703", "description": "Ultimate Blocks <=3.2.7 Stored XSS via content parameter in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-blocks", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.2.7"}, "RULE-CVE-2025-1703-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:<script[\\\\s>/]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1703", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1703", "description": "Ultimate Blocks <=3.2.7 Stored XSS via content parameter in classic editor post submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-blocks", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.2.7"}, "RULE-CVE-2025-1730-01": {"action": "save_post", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "sdc_download"}, {"name": "ARGS:sdc_download_path", "type": "regex", "value": "~(?:(?:\\\\\\\\.\\\\\\\\.[\\\\\\\\\\\\/]){2,}|^/etc/|wp-config\\\\.php|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-1730", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1730", "description": "Simple Download Counter <=2.0 authenticated (Author+) arbitrary file read via sdc_download post creation with malicious sdc_download_path", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-download-counter", "tags": ["arbitrary-file-read", "missing-authorization", "path-traversal"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-1730-02": {"action": "save_post", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "sdc_download"}, {"name": "ARGS:sdc_download_path", "type": "regex", "value": "~^(?:file://|php://|expect://|data://|glob://|phar://|ssh2://|ogg://|zlib://|rar://|zip://|ftp://|dict://|gopher://|ldap://|telnet://|smtp://|imap://|pop3://|http://(?:127\\\\.|0\\\\.|10\\\\.|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|localhost|\\\\[::1\\\\]))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-1730", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1730", "description": "Simple Download Counter <=2.0 authenticated (Author+) SSRF/arbitrary file read via sdc_download post creation with malicious remote URL", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-download-counter", "tags": ["arbitrary-file-read", "ssrf", "missing-authorization"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-1730-03": {"action": "save_post", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "sdc_download"}, {"name": "ARGS:sdc_download_path", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-1730", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1730", "description": "Simple Download Counter <=2.0 authenticated (Author+) capability bypass - non-admin creating sdc_download posts", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-download-counter", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2025-1783-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:gallery"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=~i"}], "cve": "CVE-2025-1783", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1783", "description": "Gallery Styles <=1.3.4 Stored Cross-Site Scripting via Gallery Block attributes through REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "gallery-styles", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2025-1783-02": {"action": "admin_init", "conditions": [{"name": "ARGS:content", "type": "contains", "value": "wp:gallery"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=~i"}], "cve": "CVE-2025-1783", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1783", "description": "Gallery Styles <=1.3.4 Stored Cross-Site Scripting via Gallery Block attributes through classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "gallery-styles", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2025-1783-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:gallery"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=~i"}], "cve": "CVE-2025-1783", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1783", "description": "Gallery Styles <=1.3.4 Stored Cross-Site Scripting via Gallery Block attributes through REST API post update", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "gallery-styles", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2025-1783-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:gallery"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=~i"}], "cve": "CVE-2025-1783", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1783", "description": "Gallery Styles <=1.3.4 Stored Cross-Site Scripting via Gallery Block attributes through REST API post partial update (PATCH)", "method": "PATCH", "mode": "block", "severity": 5.4, "slug": "gallery-styles", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.4"}, "RULE-CVE-2025-1784-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<!--\\\\s*wp:uagb/[a-z0-9-]+\\\\s+\\\\{[^}]*\\"block_id\\"\\\\s*:\\\\s*\\"[^\\"\\\\\\\\]*(?:\\\\\\\\.[^\\"\\\\\\\\]*)*\\"[^}]*\\\\}\\\\s*-->[\\\\s\\\\S]{0,2000}(?:on[a-z]+\\\\s*=|javascript\\\\s*:|<\\\\s*script\\\\b|<\\\\s*img\\\\b[^>]*\\\\bonerror\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1784", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1784", "description": "Spectra (Ultimate Addons for Gutenberg) <=2.19.0 Stored XSS via uagb block_id attribute in post content (post.php entrypoint)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-addons-for-gutenberg", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.19.0"}, "RULE-CVE-2025-1784-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~<!--\\\\s*wp:uagb/[a-z0-9-]+\\\\s+\\\\{[^}]*\\"block_id\\"\\\\s*:\\\\s*\\"[^\\"\\\\\\\\]*(?:\\\\\\\\.[^\\"\\\\\\\\]*)*\\"[^}]*\\\\}\\\\s*-->[\\\\s\\\\S]{0,2000}(?:on[a-z]+\\\\s*=|javascript\\\\s*:|<\\\\s*script\\\\b|<\\\\s*img\\\\b[^>]*\\\\bonerror\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-1784", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1784", "description": "Spectra (Ultimate Addons for Gutenberg) <=2.19.0 Stored XSS via uagb block_id attribute in post content (REST API entrypoint)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ultimate-addons-for-gutenberg", "tags": ["xss", "stored-xss", "gutenberg-block", "rest-api"], "target": "plugin", "versions": "<=2.19.0"}, "RULE-CVE-2025-1785-01": {"ajax_action": "wpdm_newfile", "conditions": [{"name": "ARGS:name", "type": "regex", "value": "~\\\\.\\\\.[\\\\\\\\/]~"}], "cve": "CVE-2025-1785", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1785", "description": "Download Manager <=3.3.08 authenticated (Author+) path traversal via wpdm_newfile AJAX action allowing limited file overwrite", "method": "POST", "mode": "block", "severity": 8.1, "slug": "download-manager", "tags": ["path-traversal", "file-overwrite", "authenticated"], "target": "plugin", "versions": "<=3.3.08"}, "RULE-CVE-2025-1909-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-login\\\\.php(?:$|[/?])~i"}, {"name": "ARGS:bb_social_login", "type": "equals", "value": "apple"}], "cve": "CVE-2025-1909", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1909", "description": "BuddyBoss Platform Pro <=2.7.01 Apple OAuth authentication bypass (CWE-288) \\u2014 web flow wp-login.php?bb_social_login=apple", "method": "POST", "mode": "block", "severity": 9.8, "slug": "buddyboss-platform-pro", "target": "plugin", "versions": "<=2.7.01"}, "RULE-CVE-2025-1909-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-json/buddyboss-app/(?:auth|sso|social-login|social|v\\\\d+/(?:sso|social-login|auth))/.*apple~i"}], "cve": "CVE-2025-1909", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1909", "description": "BuddyBoss Platform Pro <=2.7.01 Apple OAuth authentication bypass (CWE-288) \\u2014 mobile App API flow /wp-json/buddyboss-app/**/apple (auth/sso/social-login paths)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "buddyboss-platform-pro", "target": "plugin", "versions": "<=2.7.01"}, "RULE-CVE-2025-1971-01": {"ajax_action": "iew_export_ajax_basic", "conditions": [{"name": "ARGS:form_data", "type": "regex", "value": "~[OC]:\\\\d+:\\"~"}], "cve": "CVE-2025-1971", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1971", "description": "Export and Import Users and Customers <=2.6.2 PHP Object Injection via form_data in export AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "users-customers-import-export-for-wp-woocommerce", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=2.6.2"}, "RULE-CVE-2025-1971-02": {"ajax_action": "iew_import_ajax_basic", "conditions": [{"name": "ARGS:form_data", "type": "regex", "value": "~[OC]:\\\\d+:\\"~"}], "cve": "CVE-2025-1971", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-1971", "description": "Export and Import Users and Customers <=2.6.2 PHP Object Injection via form_data in import AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "users-customers-import-export-for-wp-woocommerce", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=2.6.2"}, "RULE-CVE-2025-2004-01": {"ajax_action": "wpe_delete_file", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|%2e%2e[%2f/\\\\\\\\]|%252e%252e%252f)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2004", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2004", "description": "Simple WP Events <=1.8.17 unauthenticated arbitrary file deletion via wpe_delete_file AJAX action", "method": "POST", "mode": "block", "severity": 9.1, "slug": "simple-wp-events", "tags": ["arbitrary-file-deletion", "path-traversal", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=1.8.17"}, "RULE-CVE-2025-2009-01": {"ajax_action": "wpmlsubscribe", "conditions": [{"name": "ARGS:name", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+\\\\s*=)~i"}], "cve": "CVE-2025-2009", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2009", "description": "Newsletters <=4.9.9.7 unauthenticated stored XSS via subscriber name field in wpmlsubscribe AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "newsletters-lite", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.9.9.7"}, "RULE-CVE-2025-2009-02": {"ajax_action": "wpmlsubscribe", "conditions": [{"name": "ARGS:email", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|input|details|math|isindex|marquee|meta|link|base|style)\\\\s[^>]*\\\\bon[a-z]+\\\\s*=)~i"}], "cve": "CVE-2025-2009", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2009", "description": "Newsletters <=4.9.9.7 unauthenticated stored XSS via subscriber email field in wpmlsubscribe AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "newsletters-lite", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.9.9.7"}, "RULE-CVE-2025-2025-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-reports"}, {"name": "ARGS:view", "type": "equals", "value": "earnings"}, {"type": "missing_capability", "value": "view_give_reports"}], "cve": "CVE-2025-2025", "method": "GET", "mode": "block", "severity": 7.5, "slug": "give", "target": "plugin", "versions": "<=3.22.0"}, "RULE-CVE-2025-2025-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "give-reports"}, {"name": "ARGS:tab", "type": "equals", "value": "earnings"}, {"type": "missing_capability", "value": "view_give_reports"}], "cve": "CVE-2025-2025", "method": "GET", "mode": "block", "severity": 7.5, "slug": "give", "target": "plugin", "versions": "<=3.22.0"}, "RULE-CVE-2025-2055-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "mappress_maps"}, {"name": "ARGS", "type": "regex", "value": "~<[^>]*\\\\bon[a-zA-Z]+=|<script[\\\\s/>]|<iframe[\\\\s/>]|javascript\\\\s*:|<svg[\\\\s/][^>]*\\\\bon[a-zA-Z]+=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-2055", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2055", "description": "MapPress Maps for WordPress <=2.94.8 authenticated (Contributor+) stored XSS via map marker fields on admin page", "method": "POST", "mode": "block", "severity": 6.8, "slug": "mappress-google-maps-for-wordpress", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.94.8"}, "RULE-CVE-2025-2056-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:\\\\.\\\\.(?:[\\\\\\\\/]|%2f|%2F)){2,}~"}], "cve": "CVE-2025-2056", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2056", "description": "Hide My WP Ghost <=5.4.01 unauthenticated path traversal via REQUEST_URI in showFile (multi-level traversal)", "method": "GET", "mode": "block", "severity": 7.5, "slug": "hide-my-wp", "tags": ["path-traversal", "unauthenticated", "file-read"], "target": "plugin", "versions": "<=5.4.01"}, "RULE-CVE-2025-2056-03": {"action": "init", "conditions": [{"name": "ARGS:hmwp_url", "type": "regex", "value": "~(?:\\\\.\\\\.(?:[\\\\\\\\/]|%2f|%2F)){2,}~"}], "cve": "CVE-2025-2056", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2056", "description": "Hide My WP Ghost <=5.4.01 unauthenticated path traversal via hmwp_url parameter (multi-level traversal)", "method": "GET", "mode": "block", "severity": 7.5, "slug": "hide-my-wp", "tags": ["path-traversal", "unauthenticated", "file-read"], "target": "plugin", "versions": "<=5.4.01"}, "RULE-CVE-2025-2056-04": {"action": "init", "conditions": [{"name": "ARGS:hmwp_url", "type": "regex", "value": "~\\\\.\\\\.(?:[\\\\\\\\/]|%2f|%2F)~"}, {"name": "ARGS:hmwp_url", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-2056", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2056", "description": "Hide My WP Ghost <=5.4.01 unauthenticated path traversal via hmwp_url targeting sensitive files", "method": "GET", "mode": "block", "severity": 7.5, "slug": "hide-my-wp", "tags": ["path-traversal", "unauthenticated", "file-read"], "target": "plugin", "versions": "<=5.4.01"}, "RULE-CVE-2025-2083-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~awesome-logo-carousel-block[/\\\\\\\\]slider[\\\\s\\\\S]*?\\"sliderId\\"\\\\s*:\\\\s*\\"[^\\"]*[^a-zA-Z0-9_\\\\-.\\\\\\"](?=[\\\\s\\\\S]*?/-->)~i"}], "cve": "CVE-2025-2083", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2083", "description": "Logo Carousel Gutenberg Block <=2.1.6 Stored XSS via sliderId block attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "awesome-logo-carousel-block", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2025-2083-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~awesome-logo-carousel-block[/\\\\\\\\]slider[\\\\s\\\\S]*?\\"sliderId\\"\\\\s*:\\\\s*\\"[^\\"]*[^a-zA-Z0-9_\\\\-.\\\\\\"](?=[\\\\s\\\\S]*?/-->)~i"}], "cve": "CVE-2025-2083", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2083", "description": "Logo Carousel Gutenberg Block <=2.1.6 Stored XSS via sliderId block attribute in REST API post update", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "awesome-logo-carousel-block", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2025-2083-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "regex", "value": "~awesome-logo-carousel-block[/\\\\\\\\]slider[\\\\s\\\\S]*?\\"sliderId\\"\\\\s*:\\\\s*\\"[^\\"]*[^a-zA-Z0-9_\\\\-.\\\\\\"](?=[\\\\s\\\\S]*?/-->)~i"}], "cve": "CVE-2025-2083", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2083", "description": "Logo Carousel Gutenberg Block <=2.1.6 Stored XSS via sliderId block attribute in wp-admin post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "awesome-logo-carousel-block", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2025-2111-02": {"action": "admin_init", "conditions": [{"name": "ARGS:set_option_name", "type": "exists"}, {"name": "ARGS:option_value", "type": "exists"}, {"name": "ARGS:page", "type": "equals", "value": "wpb-debug"}], "cve": "CVE-2025-2111", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2111", "description": "WP Headers And Footers <=3.1.1 CSRF to arbitrary options update via debug page POST request (set_option_name/option_value)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-headers-and-footers", "tags": ["csrf", "arbitrary-option-update", "privilege-escalation"], "target": "plugin", "versions": "<=3.1.1"}, "RULE-CVE-2025-2128-01": {"ajax_action": "ccb_update_order", "conditions": [{"name": "ARGS:order_ids", "type": "regex", "value": "~[^0-9,]~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2128", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2128", "description": "Cost Calculator Builder <=3.2.67 authenticated SQL injection via order_ids parameter in Payments::update_payment_status_by_order_ids", "method": "POST", "mode": "block", "severity": 6.5, "slug": "cost-calculator-builder", "tags": ["sql-injection", "authenticated", "time-based-blind"], "target": "plugin", "versions": "<=3.2.67"}, "RULE-CVE-2025-2162-01": {"ajax_action": "mapp_options_save", "conditions": [{"name": "ARGS:width", "type": "regex", "value": "~<[^>]*>~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-2162", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2162", "description": "MapPress Maps for WordPress <=2.94.9 stored XSS via unsanitized width setting in mapp_options_save AJAX handler", "method": "POST", "mode": "block", "severity": 4.8, "slug": "mappress-google-maps-for-wordpress", "tags": ["xss", "stored-xss", "settings-injection"], "target": "plugin", "versions": "<=2.94.9"}, "RULE-CVE-2025-2162-02": {"ajax_action": "mapp_options_save", "conditions": [{"name": "ARGS:base_font_size", "type": "regex", "value": "~<[^>]*>~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-2162", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2162", "description": "MapPress Maps for WordPress <=2.94.9 stored XSS via unsanitized base_font_size setting in mapp_options_save AJAX handler", "method": "POST", "mode": "block", "severity": 4.8, "slug": "mappress-google-maps-for-wordpress", "tags": ["xss", "stored-xss", "style-breakout"], "target": "plugin", "versions": "<=2.94.9"}, "RULE-CVE-2025-2164-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "contains", "value": "pixelstats"}, {"name": "ARGS:sortby", "type": "detectXSS"}], "cve": "CVE-2025-2164", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2164", "description": "Pixelstats <=0.8.2 reflected XSS via sortby parameter in admin stats page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "pixelstats", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.8.2"}, "RULE-CVE-2025-2164-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "contains", "value": "pixelstats"}, {"name": "ARGS:post_id", "type": "detectXSS"}], "cve": "CVE-2025-2164", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2164", "description": "Pixelstats <=0.8.2 reflected XSS via post_id parameter in admin stats page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "pixelstats", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.8.2"}, "RULE-CVE-2025-2164-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "contains", "value": "pixelstats"}, {"name": "ARGS:pixelstats_page", "type": "detectXSS"}], "cve": "CVE-2025-2164", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2164", "description": "Pixelstats <=0.8.2 reflected XSS via pixelstats_page parameter in admin stats page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "pixelstats", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.8.2"}, "RULE-CVE-2025-2164-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "contains", "value": "pixelstats"}, {"name": "ARGS:last_day", "type": "detectXSS"}], "cve": "CVE-2025-2164", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2164", "description": "Pixelstats <=0.8.2 reflected XSS via last_day parameter in admin stats page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "pixelstats", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.8.2"}, "RULE-CVE-2025-2166-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^cm-faq($|-)~"}, {"name": "ARGS", "type": "regex", "value": "~(?:[\\"\'`]\\\\s*>\\\\s*<|<\\\\s*(?:script|svg|img|iframe|object|embed|body|marquee)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-2166", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2166", "description": "CM FAQ <=1.2.5 Reflected XSS via remove_query_arg without esc_url on admin page URL", "method": "GET", "mode": "block", "severity": 6.1, "slug": "cm-faq", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-2167-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-admin/post\\\\.php|(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages))~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[events_list\\\\b[^\\\\]]*(?:before_title|title|after_title)\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script|<img\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<svg[\\\\s/][^>]*\\\\bon\\\\w+\\\\s*=|<iframe|<details[^>]+\\\\bontoggle\\\\s*=|javascript\\\\s*:|\\\\bon(?:error|load|click|mouseover|focus|toggle)\\\\s*=)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-2167", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2167", "description": "Event Post <=5.9.9 Stored XSS via events_list shortcode attributes (before_title, title, after_title) in post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "event-post", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=5.9.9"}, "RULE-CVE-2025-2221-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpcom_login"}, {"name": "ARGS:user_phone", "type": "detectSQLi"}], "cve": "CVE-2025-2221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2221", "description": "WPCOM Member <=1.7.6 unauthenticated time-based SQL injection via user_phone parameter in wpcom_login AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wpcom-member", "tags": ["sql-injection", "unauthenticated", "time-based-blind"], "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2025-2221-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpcom_register"}, {"name": "ARGS:user_phone", "type": "detectSQLi"}], "cve": "CVE-2025-2221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2221", "description": "WPCOM Member <=1.7.6 unauthenticated SQL injection via user_phone parameter in wpcom_register AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wpcom-member", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2025-2221-03": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpcom_send_sms_code"}, {"name": "ARGS:user_phone", "type": "detectSQLi"}], "cve": "CVE-2025-2221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2221", "description": "WPCOM Member <=1.7.6 unauthenticated SQL injection via user_phone parameter in wpcom_send_sms_code AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wpcom-member", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2025-2221-04": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpcom_lostpassword"}, {"name": "ARGS:user_phone", "type": "detectSQLi"}], "cve": "CVE-2025-2221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2221", "description": "WPCOM Member <=1.7.6 unauthenticated SQL injection via user_phone parameter in wpcom_lostpassword AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wpcom-member", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2025-2221-05": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpcom_resetpassword"}, {"name": "ARGS:user_phone", "type": "detectSQLi"}], "cve": "CVE-2025-2221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2221", "description": "WPCOM Member <=1.7.6 unauthenticated SQL injection via user_phone parameter in wpcom_resetpassword AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wpcom-member", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2025-2221-06": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpcom_accountbind"}, {"name": "ARGS:user_phone", "type": "detectSQLi"}], "cve": "CVE-2025-2221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2221", "description": "WPCOM Member <=1.7.6 unauthenticated SQL injection via user_phone parameter in wpcom_accountbind AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wpcom-member", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=1.7.6"}, "RULE-CVE-2025-2225-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~\\"rael_title_tag\\"\\\\s*:\\\\s*\\"[^\\"]*(?:<\\\\s*(?:script|img|svg|iframe|body|marquee|details|math|a\\\\b|div\\\\s|input)[^\\"]*|\\\\bon(?:error|load|click|mouseover|focus|toggle|start)\\\\s*=)[^\\"]*\\"~i"}], "cve": "CVE-2025-2225", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2225", "description": "Responsive Addons for Elementor <=1.6.9 Stored XSS via rael_title_tag in Icon Box widget (post.php save)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "responsive-addons-for-elementor", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=1.6.9"}, "RULE-CVE-2025-2228-01": {"action": "init", "conditions": [{"name": "ARGS:rael-register-submit", "type": "exists"}, {"name": "ARGS:password", "type": "exists"}, {"name": "ARGS:page_id", "type": "exists"}, {"type": "missing_capability", "value": "create_users"}], "cve": "CVE-2025-2228", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2228", "description": "Responsive Addons for Elementor <=1.6.8 sensitive information exposure via register_user \\u2014 blocks registration form submissions for users lacking create_users capability. NOTE: This also blocks anonymous self-registration on vulnerable versions as a protective measure.", "method": "POST", "mode": "block", "severity": 5.7, "slug": "responsive-addons-for-elementor", "tags": ["sensitive-information-exposure", "credential-leak"], "target": "plugin", "versions": "<=1.6.8"}, "RULE-CVE-2025-22295-01": {"ajax_action": "tripetto_submit", "conditions": [{"name": "ARGS:snapshot", "type": "regex", "value": "~<script[^>]*>|<[^>]+\\\\son\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-22295", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22295", "description": "Tripetto <= 8.0.6 Stored XSS via unauthenticated form submission (tripetto_submit snapshot parameter)", "method": "POST", "mode": "block", "severity": 7.1, "slug": "tripetto", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=8.0.6"}, "RULE-CVE-2025-22295-02": {"ajax_action": "tripetto_pause", "conditions": [{"name": "ARGS:snapshot", "type": "regex", "value": "~<script[^>]*>|<[^>]+\\\\son\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-22295", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22295", "description": "Tripetto <= 8.0.6 Stored XSS via unauthenticated paused form data (tripetto_pause snapshot parameter)", "method": "POST", "mode": "block", "severity": 7.1, "slug": "tripetto", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=8.0.6"}, "RULE-CVE-2025-22349-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-auctions-manage"}, {"name": "ARGS:bid_id", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-22349", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22349", "description": "WordPress Auction Plugin <=3.7 SQL injection via bid_id parameter in wp-auctions-manage admin page", "mode": "block", "severity": 7.6, "slug": "wp-auctions", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2025-22349-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-auctions-manage"}, {"name": "ARGS:wpa_id", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-22349", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22349", "description": "WordPress Auction Plugin <=3.7 SQL injection via wpa_id parameter in wp-auctions-manage admin page", "mode": "block", "severity": 7.6, "slug": "wp-auctions", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2025-22349-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-auctions-add"}, {"name": "ARGS:wpa_id", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-22349", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22349", "description": "WordPress Auction Plugin <=3.7 SQL injection via wpa_id parameter in wp-auctions-add admin page", "mode": "block", "severity": 7.6, "slug": "wp-auctions", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2025-2252-01": {"ajax_action": "edd_get_download_title", "conditions": [{"citation": ["exploit_feeder.json:file-HKtP2uRHwvfkcjYvBh9vft", "code_analyst.json:file-GWz1zUnizLcTqJCyFWThCg", "free_run_concept.md:file-CbnNkdMBAXqX24rSYAdyu7"], "name": "ARGS:action", "type": "equals", "value": "edd_get_download_title"}, {"citation": ["exploit_feeder.json:file-HKtP2uRHwvfkcjYvBh9vft", "code_analyst.json:file-GWz1zUnizLcTqJCyFWThCg", "free_run_concept.md:file-CbnNkdMBAXqX24rSYAdyu7"], "name": "ARGS:edd_get_download_title", "type": "regex", "value": "~^[0-9]+$~"}, {"citation": ["exploit_feeder.json:file-HKtP2uRHwvfkcjYvBh9vft", "free_run_concept.md:file-CbnNkdMBAXqX24rSYAdyu7", "author_report.json:file-S6ZFTyHKyXhYs5pWZxQcgo"], "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2252", "mode": "block", "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.6.1"}, "RULE-CVE-2025-2257-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "boldgrid-backup-settings"}, {"name": "ARGS:compression_level", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-2257", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2257", "description": "Total Upkeep \\u2013 BoldGrid Backup <=1.16.10 authenticated OS command injection via compression_level setting", "method": "POST", "mode": "block", "severity": 7.2, "slug": "boldgrid-backup", "tags": ["command-injection", "authenticated", "settings-update"], "target": "plugin", "versions": "<=1.16.10"}, "RULE-CVE-2025-2269-01": {"ajax_action": "editimage_bwg", "conditions": [{"name": "ARGS:image_id", "type": "regex", "value": "~[<>\\"\'()]~"}], "cve": "CVE-2025-2269", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2269", "description": "Photo Gallery by 10Web <=1.8.34 reflected XSS via image_id in editimage_bwg AJAX handler", "mode": "block", "severity": 6.1, "slug": "photo-gallery", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=1.8.34"}, "RULE-CVE-2025-2270-01": {"action": "init", "conditions": [{"name": "ARGS:ycd_type", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|(?:php|phar|zip|data|expect|glob|ogg)://)~i"}], "cve": "CVE-2025-2270", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2270", "description": "Countdown Builder <=2.8.9.1 unauthenticated Local File Inclusion via ycd_type parameter in RegisterPostType::createCdObj", "mode": "block", "severity": 8.1, "slug": "countdown-builder", "tags": ["local-file-inclusion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=2.8.9.1"}, "RULE-CVE-2025-22735-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "contains", "value": "tag-groups"}, {"name": "ARGS", "type": "regex", "value": "~<script[\\\\s>]~i"}], "cve": "CVE-2025-22735", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22735", "description": "Tag Groups <=2.0.4 reflected XSS via unsanitized $_SERVER[\'REQUEST_URI\'] in admin settings view templates", "method": "GET", "mode": "block", "severity": 7.1, "slug": "tag-groups", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-22735-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "contains", "value": "tag-groups"}, {"name": "ARGS", "type": "regex", "value": "~on(?:error|load|click|focus|mouseover|mouseout|submit|change|input|keydown|keyup)\\\\s*=~i"}], "cve": "CVE-2025-22735", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22735", "description": "Tag Groups <=2.0.4 reflected XSS via event handler injection in admin settings pages", "method": "GET", "mode": "block", "severity": 7.1, "slug": "tag-groups", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-22735-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "contains", "value": "tag-groups"}, {"name": "ARGS", "type": "regex", "value": "~<(?:img|svg|iframe|body|embed|object|video|audio|details|math|marquee)[\\\\s/]~i"}], "cve": "CVE-2025-22735", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22735", "description": "Tag Groups <=2.0.4 reflected XSS via HTML tag injection (img/svg/iframe/body/embed/object) in admin settings pages", "method": "GET", "mode": "block", "severity": 7.1, "slug": "tag-groups", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-22800-01": {"action": "admin_post_regenerate-qrcode", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "regenerate-qrcode"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-22800", "mode": "block", "severity": 8.8, "slug": "post-smtp", "target": "plugin", "versions": ">=2.8.3 <=2.9.11"}, "RULE-CVE-2025-2299-01": {"ajax_action": "lwptoc_block_edit", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*(?:script|svg|img|iframe|object|embed|details|video|audio|body|input|select|textarea|form|meta|link|style|base)\\\\b[^>]*>|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-2299", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2299", "description": "LuckyWP Table of Contents <=2.1.10 CSRF to Reflected XSS via lwptoc_block_edit AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "luckywp-table-of-contents", "tags": ["xss", "csrf", "reflected-xss"], "target": "plugin", "versions": "<=2.1.10"}, "RULE-CVE-2025-2299-02": {"ajax_action": "lwptoc_block_view", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*(?:script|svg|img|iframe|object|embed|details|video|audio|body|input|select|textarea|form|meta|link|style|base)\\\\b[^>]*>|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-2299", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2299", "description": "LuckyWP Table of Contents <=2.1.10 CSRF to Reflected XSS via lwptoc_block_view AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "luckywp-table-of-contents", "tags": ["xss", "csrf", "reflected-xss"], "target": "plugin", "versions": "<=2.1.10"}, "RULE-CVE-2025-2302-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[aws_search_terms\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-2302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2302", "description": "Advanced Woo Search <=3.28 Stored XSS via aws_search_terms shortcode attributes in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-woo-search", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.28"}, "RULE-CVE-2025-2302-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[aws_search_terms\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-2302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2302", "description": "Advanced Woo Search <=3.28 Stored XSS via aws_search_terms shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-woo-search", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.28"}, "RULE-CVE-2025-2314-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wppb-logout\\\\b[^\\\\]]*\\\\blink_text\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\\"]*\\"|\'[^\']*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\']*\'|[^\\\\s\\\\]]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:))[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-2314", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2314", "description": "Profile Builder <=3.13.5 stored XSS via [wppb-logout] link_text shortcode attribute in REST API post/page content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.13.5"}, "RULE-CVE-2025-2314-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wppb-restrict\\\\b[^\\\\]]*\\\\bmessage\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\\"]*\\"|\'[^\']*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\']*\'|[^\\\\s\\\\]]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:))[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-2314", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2314", "description": "Profile Builder <=3.13.5 stored XSS via [wppb-restrict] message shortcode attribute in REST API post/page content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.13.6"}, "RULE-CVE-2025-2314-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wppb-logout\\\\b[^\\\\]]*\\\\blink_text\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\\"]*\\"|\'[^\']*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\']*\'|[^\\\\s\\\\]]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:))[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-2314", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2314", "description": "Profile Builder <=3.13.5 stored XSS via [wppb-logout] link_text shortcode attribute in classic editor post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.13.5"}, "RULE-CVE-2025-2314-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wppb-restrict\\\\b[^\\\\]]*\\\\bmessage\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\\"]*\\"|\'[^\']*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:)[^\']*\'|[^\\\\s\\\\]]*(?:<script|<iframe|<svg[\\\\s/]|<embed|<object|<[a-z][^>]*\\\\bon[a-z]+=|javascript\\\\s*:))[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-2314", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2314", "description": "Profile Builder <=3.13.5 stored XSS via [wppb-restrict] message shortcode attribute in classic editor post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.13.6"}, "RULE-CVE-2025-2328-01": {"ajax_action": "dnd_codedropz_upload_delete", "conditions": [{"name": "ARGS:path", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/])+~"}], "cve": "CVE-2025-2328", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2328", "description": "Drag and Drop Multiple File Upload for CF7 <=1.3.8.7 arbitrary file deletion via path traversal in dnd_codedropz_upload_delete AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "drag-and-drop-multiple-file-upload-contact-form-7", "tags": ["path-traversal", "arbitrary-file-deletion", "unauthenticated"], "target": "plugin", "versions": "<=1.3.8.7"}, "RULE-CVE-2025-2328-02": {"ajax_action": "dnd_codedropz_upload_delete", "conditions": [{"name": "ARGS:path", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-2328", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2328", "description": "Drag and Drop Multiple File Upload for CF7 <=1.3.8.7 arbitrary sensitive file deletion via dnd_codedropz_upload_delete AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "drag-and-drop-multiple-file-upload-contact-form-7", "tags": ["path-traversal", "arbitrary-file-deletion", "unauthenticated"], "target": "plugin", "versions": "<=1.3.8.7"}, "RULE-CVE-2025-24000-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/post-smtp/v1/logs/[^/]+/resend(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24000", "description": "Post SMTP <= 3.2.0 post-smtp/v1/logs/{id}/resend REST endpoint callable by non-admin users, allowing abuse of password reset emails.", "method": "POST", "mode": "block", "severity": 8.8, "slug": "post-smtp", "tags": ["auth-bypass", "privilege-escalation", "rest-api", "email-logs", "resend"], "target": "plugin", "versions": "<=3.2.0"}, "RULE-CVE-2025-24000-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/psd/v1/email-count(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24000", "description": "Post SMTP <= 3.2.0 psd/v1/email-count REST endpoint accessible to non-admin users.", "method": "GET", "mode": "block", "severity": 6.5, "slug": "post-smtp", "tags": ["auth-bypass", "privilege-escalation", "rest-api", "email-logs"], "target": "plugin", "versions": "<=3.2.0"}, "RULE-CVE-2025-24000-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/psd/v1/minimize-maximize-ad(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24000", "description": "Post SMTP <= 3.2.0 psd/v1/minimize-maximize-ad REST endpoint accessible to non-admin users.", "mode": "block", "severity": 4.3, "slug": "post-smtp", "tags": ["auth-bypass", "rest-api"], "target": "plugin", "versions": "<=3.2.0"}, "RULE-CVE-2025-24000-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/psd/v1/get-failed-logs(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24000", "description": "Post SMTP <= 3.2.0 psd/v1/get-failed-logs REST endpoint accessible to non-admin users, exposing failed email log contents.", "method": "GET", "mode": "block", "severity": 8.8, "slug": "post-smtp", "tags": ["auth-bypass", "privilege-escalation", "rest-api", "email-logs"], "target": "plugin", "versions": "<=3.2.0"}, "RULE-CVE-2025-24000-07": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/psd/v1/open-notification(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24000", "description": "Post SMTP <= 3.2.0 psd/v1/open-notification REST endpoint accessible to non-admin users.", "mode": "block", "severity": 4.3, "slug": "post-smtp", "tags": ["auth-bypass", "rest-api"], "target": "plugin", "versions": "<=3.2.0"}, "RULE-CVE-2025-24000-08": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/psd/v1/remove-notification(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24000", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24000", "description": "Post SMTP <= 3.2.0 psd/v1/remove-notification REST endpoint accessible to non-admin users.", "mode": "block", "severity": 4.3, "slug": "post-smtp", "tags": ["auth-bypass", "rest-api"], "target": "plugin", "versions": "<=3.2.0"}, "RULE-CVE-2025-24563-01": {"action": "template_redirect", "conditions": [{"name": "ARGS:user_name_search", "type": "detectXSS"}], "cve": "CVE-2025-24563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24563", "description": "Cleanup \\u2013 Directory Listing & Classifieds <=1.0.4 reflected XSS via user_name_search parameter in author-search.php template", "method": "GET", "mode": "block", "severity": 7.1, "slug": "cleanup-light", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-24563-02": {"action": "template_redirect", "conditions": [{"name": "ARGS:latitude", "type": "detectXSS"}], "cve": "CVE-2025-24563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24563", "description": "Cleanup \\u2013 Directory Listing & Classifieds <=1.0.4 reflected XSS via latitude parameter in listing_search.php template", "method": "GET", "mode": "block", "severity": 7.1, "slug": "cleanup-light", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-24563-03": {"action": "template_redirect", "conditions": [{"name": "ARGS:longitude", "type": "detectXSS"}], "cve": "CVE-2025-24563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24563", "description": "Cleanup \\u2013 Directory Listing & Classifieds <=1.0.4 reflected XSS via longitude parameter in listing_search.php template", "method": "GET", "mode": "block", "severity": 7.1, "slug": "cleanup-light", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-24563-04": {"action": "template_redirect", "conditions": [{"name": "ARGS:address_latitude", "type": "detectXSS"}], "cve": "CVE-2025-24563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24563", "description": "Cleanup \\u2013 Directory Listing & Classifieds <=1.0.4 reflected XSS via address_latitude parameter in listing_search.php template", "method": "GET", "mode": "block", "severity": 7.1, "slug": "cleanup-light", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-24563-05": {"action": "template_redirect", "conditions": [{"name": "ARGS:address_longitude", "type": "detectXSS"}], "cve": "CVE-2025-24563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24563", "description": "Cleanup \\u2013 Directory Listing & Classifieds <=1.0.4 reflected XSS via address_longitude parameter in listing_search.php template", "method": "GET", "mode": "block", "severity": 7.1, "slug": "cleanup-light", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-24563-06": {"action": "template_redirect", "conditions": [{"name": "ARGS:dir_id", "type": "detectXSS"}], "cve": "CVE-2025-24563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24563", "description": "Cleanup \\u2013 Directory Listing & Classifieds <=1.0.4 reflected XSS via dir_id parameter in claim.php template", "method": "GET", "mode": "block", "severity": 7.1, "slug": "cleanup-light", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-24563-07": {"action": "template_redirect", "conditions": [{"name": "ARGS:package_id", "type": "detectXSS"}], "cve": "CVE-2025-24563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24563", "description": "Cleanup \\u2013 Directory Listing & Classifieds <=1.0.4 reflected XSS via package_id parameter in wizard-style-2.php template", "method": "GET", "mode": "block", "severity": 7.1, "slug": "cleanup-light", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-24601-01": {"action": "init", "conditions": [{"name": "ARGS:dn-listener", "type": "equals", "value": "paypal"}, {"name": "ARGS:custom", "type": "regex", "value": "~[OCa]:[0-9]+:[\\"\\\\{]~"}], "cve": "CVE-2025-24601", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24601", "description": "FundPress <=2.0.6 unauthenticated PHP object injection via PayPal IPN custom parameter", "mode": "block", "severity": 9.8, "slug": "fundpress", "tags": ["object-injection", "deserialization", "unauthenticated", "paypal-ipn"], "target": "plugin", "versions": "<=2.0.6"}, "RULE-CVE-2025-24677-01": {"ajax_action": "pp_wpspin_import_json", "conditions": [{"name": "FILES:pp_wpspin_import_json_file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24677", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24677", "description": "Post/Page Import Export <=2.0.3 authenticated remote code execution via arbitrary file write in pp_wpspin_import_json AJAX handler", "method": "POST", "mode": "block", "severity": 9.9, "slug": "postpage-import-export-with-custom-fields-taxonomies", "tags": ["remote-code-execution", "arbitrary-file-write", "code-injection"], "target": "plugin", "versions": "<=2.0.3"}, "RULE-CVE-2025-24677-02": {"ajax_action": "pp_wpspin_export_json", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-24677", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24677", "description": "Post/Page Import Export <=2.0.3 missing authorization on pp_wpspin_export_json allows authenticated users to export arbitrary posts via IDOR", "method": "POST", "mode": "block", "severity": 9.9, "slug": "postpage-import-export-with-custom-fields-taxonomies", "tags": ["missing-authorization", "information-disclosure", "idor"], "target": "plugin", "versions": "<=2.0.3"}, "RULE-CVE-2025-24752-01": {"action": "init", "conditions": [{"name": "ARGS:popup-selector", "type": "regex", "value": "~[<>\\"\'(){}]|javascript\\\\s*:|on(?:error|load|focus|click|mouseover|mouseout|keyup|keydown|submit|change|input|blur)\\\\s*=|<\\\\s*(?:script|img|svg|iframe|object|embed|link|style|body|details|marquee|video|audio|form|math|base)~i"}], "cve": "CVE-2025-24752", "method": "GET", "mode": "block", "severity": 6.1, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=6.0.14"}, "RULE-CVE-2025-24753-01": {"ajax_action": "kadence_import_get_prebuilt_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-02": {"ajax_action": "kadence_import_reload_prebuilt_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-03": {"ajax_action": "kadence_import_get_new_connection_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-04": {"ajax_action": "kadence_import_get_prebuilt_templates_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-05": {"ajax_action": "kadence_import_reload_prebuilt_templates_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-06": {"ajax_action": "kadence_import_get_prebuilt_pages_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-07": {"ajax_action": "kadence_import_reload_prebuilt_pages_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-08": {"ajax_action": "kadence_import_process_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-09": {"ajax_action": "kadence_import_process_image_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-10": {"ajax_action": "kadence_import_process_pattern", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-24753-11": {"ajax_action": "kadence_subscribe_process_data", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-24753", "method": "POST", "mode": "block", "severity": 8.8, "slug": "kadence-blocks", "target": "plugin", "versions": "<=3.3.1"}, "RULE-CVE-2025-2481-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "mediaview"}, {"name": "ARGS:id", "type": "detectXSS"}], "cve": "CVE-2025-2481", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2481", "description": "MediaView <=1.1.2 Reflected Cross-Site Scripting via id parameter on admin pages", "method": "GET", "mode": "block", "severity": 6.1, "slug": "mediaview", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-2484-01": {"ajax_action": "mvob_get_video_embed", "conditions": [{"name": "ARGS:video_id", "type": "detectXSS"}], "cve": "CVE-2025-2484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2484", "description": "Multi Video Box <=1.5.2 unauthenticated reflected XSS via video_id in mvob_get_video_embed AJAX handler", "method": "GET", "mode": "block", "severity": 6.1, "slug": "multi-video-box", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-2484-02": {"ajax_action": "mvob_get_video_embed", "conditions": [{"name": "ARGS:group_id", "type": "detectXSS"}], "cve": "CVE-2025-2484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2484", "description": "Multi Video Box <=1.5.2 unauthenticated reflected XSS via group_id in mvob_get_video_embed AJAX handler", "method": "GET", "mode": "block", "severity": 6.1, "slug": "multi-video-box", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-2484-03": {"ajax_action": "mvob_add_videos_to_groups", "conditions": [{"name": "ARGS:add_videos", "type": "detectXSS"}], "cve": "CVE-2025-2484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2484", "description": "Multi Video Box <=1.5.2 authenticated reflected XSS via add_videos in mvob_add_videos_to_groups AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "multi-video-box", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-2484-04": {"ajax_action": "mvob_remove_videos_from_groups", "conditions": [{"name": "ARGS:remove_videos", "type": "detectXSS"}], "cve": "CVE-2025-2484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2484", "description": "Multi Video Box <=1.5.2 authenticated reflected XSS via remove_videos in mvob_remove_videos_from_groups AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "multi-video-box", "tags": ["xss", "reflected-xss", "authenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-2537-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "nggallery-manage-gallery"}, {"name": "ARGS", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|form|svg|math)[\\\\s/>]|\\\\bon(?:error|load|click|focus|mouseover|mouseenter)\\\\s*=~i"}], "cve": "CVE-2025-2537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2537", "description": "NextGEN Gallery <=3.59.11 Stored DOM-Based XSS via image metadata in manage gallery page", "method": "POST", "mode": "block", "severity": 6.4, "slug": "nextgen-gallery", "tags": ["xss", "stored-xss", "dom-based-xss"], "target": "plugin", "versions": "<=3.59.11"}, "RULE-CVE-2025-2540-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[woo3dviewer\\\\b[^\\\\]]*(?:<\\\\s*(?:script|img|svg|iframe|object|embed|math|video|audio|details|marquee)\\\\b|\\\\bon(?:error|load|click|focus|mouseover|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2540", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2540", "description": "Woo 3D Viewer <=1.8.6.6 Stored DOM-Based XSS via [woo3dviewer] shortcode in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "woo-3d-viewer", "tags": ["xss", "stored-xss", "shortcode", "prettyphoto"], "target": "plugin", "versions": "<=1.8.6.6"}, "RULE-CVE-2025-2540-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages|products?)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[woo3dviewer\\\\b[^\\\\]]*(?:<\\\\s*(?:script|img|svg|iframe|object|embed|math|video|audio|details|marquee)\\\\b|\\\\bon(?:error|load|click|focus|mouseover|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2540", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2540", "description": "Woo 3D Viewer <=1.8.6.6 Stored DOM-Based XSS via [woo3dviewer] shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "woo-3d-viewer", "tags": ["xss", "stored-xss", "shortcode", "prettyphoto", "rest-api"], "target": "plugin", "versions": "<=1.8.6.6"}, "RULE-CVE-2025-2543-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/async-upload\\\\.php|/wp-admin/upload\\\\.php)~"}, {"name": "FILES:async-upload", "type": "exists"}, {"name": "ARGS:name", "type": "regex", "value": "~\\\\.(?:svg|svgz)$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2543", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2543", "description": "Advanced Accordion Block <=5.0.2 stored XSS via malicious SVG file upload through async-upload.php", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-accordion-block", "tags": ["xss", "stored-xss", "svg-upload", "file-upload"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2025-2543-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?|)rest_route=)/wp/v2/media(/|\\\\?|$)~"}, {"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2543", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2543", "description": "Advanced Accordion Block <=5.0.2 stored XSS via malicious SVG file upload through REST media endpoint", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-accordion-block", "tags": ["xss", "stored-xss", "svg-upload", "rest-api"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2025-2563-01": {"ajax_action": "user_registration_user_form_submit", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~^(?!subscriber$).+~i"}], "cve": "CVE-2025-2563", "method": "POST", "mode": "block", "severity": 8.1, "slug": "user-registration", "target": "plugin", "versions": "<=4.1.1"}, "RULE-CVE-2025-2579-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/async-upload.php"}, {"name": "ARGS:name", "type": "regex", "value": "~\\\\.(?:json|lottie)$~i"}], "cve": "CVE-2025-2579", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2579", "description": "Lottie Player <=1.1.8 Stored XSS via malicious .json/.lottie file upload through async-upload.php (blocks uploads matching patch behavior of 1.2.0)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "embed-lottie-player", "tags": ["xss", "stored-xss", "file-upload", "authenticated"], "target": "plugin", "versions": "<=1.1.8"}, "RULE-CVE-2025-2580-01": {"ajax_action": "bitforms_submit_form", "conditions": [{"name": "ARGS:attachment_name", "type": "regex", "value": "~\\\\.svg(?:$|[\\\\s\\"\'&?#])~i"}], "cve": "CVE-2025-2580", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2580", "description": "Bit Form <= 2.18.3 Stored XSS via SVG file upload through bitforms_submit_form AJAX handler", "method": "POST", "mode": "block", "severity": 4.9, "slug": "bit-form", "tags": ["xss", "stored-xss", "svg-upload", "file-upload"], "target": "plugin", "versions": "<=2.18.3"}, "RULE-CVE-2025-2594-01": {"ajax_action": "user_registration_membership_confirm_payment", "conditions": [{"name": "ARGS:user_id", "type": "exists"}, {"name": "ARGS:auto_login", "type": "regex", "value": "~^(?:true|1|yes|on)$~i"}], "cve": "CVE-2025-2594", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2594", "description": "User Registration & Membership <=4.1.2 authentication bypass via membership_confirm_payment AJAX action with auto_login parameter", "method": "POST", "mode": "block", "severity": 8.1, "slug": "user-registration", "tags": ["authentication-bypass", "idor", "unauthenticated", "account-takeover"], "target": "plugin", "versions": "<=4.1.2"}, "RULE-CVE-2025-2635-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "digital-license-manager-activations"}, {"name": "ARGS:license-id", "type": "detectXSS"}], "cve": "CVE-2025-2635", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2635", "description": "Digital License Manager <=1.7.3 reflected XSS via unescaped license-id parameter on Activations admin page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "digital-license-manager", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=1.7.3"}, "RULE-CVE-2025-2635-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "digital-license-manager-licenses"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2025-2635", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2635", "description": "Digital License Manager <=1.7.3 reflected XSS via unescaped search parameter on Licenses admin page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "digital-license-manager", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=1.7.3"}, "RULE-CVE-2025-2636-01": {"action": "init", "conditions": [{"name": "ARGS:instawp-database-manager", "type": "exists"}, {"name": "ARGS:instawp-database-manager", "type": "regex", "value": "~(?:\\\\.{2,}[\\\\\\\\/]|%2e%2e(?:%2f|%5c)|php://|data://|expect://|zip://|phar://)~i"}], "cve": "CVE-2025-2636", "mode": "block", "severity": 9.8, "slug": "instawp-connect", "target": "plugin", "versions": "<=0.1.0.85"}, "RULE-CVE-2025-26592-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-26592", "description": "lab theme <= 1.0.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "lab", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.0"}, "RULE-CVE-2025-26592-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-26592", "description": "lab theme <= 1.0.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "lab", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.0"}, "RULE-CVE-2025-26763-04": {"ajax_action": "ms_import_others", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php)(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "regex", "value": "~^ms_import_others$~"}, {"name": "ARGS:data", "type": "regex", "value": "~(?:^|[;{])(?:O|C):\\\\d+:\\"[^\\"]+\\":\\\\d+:\\\\{~"}], "cve": "CVE-2025-26763", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-26763", "description": "MetaSlider <=3.94.0 PHP Object Injection via ms_import_others AJAX handler", "mode": "block", "severity": 9.8, "slug": "ml-slider", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=3.94.0"}, "RULE-CVE-2025-2685-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "tablepress"}, {"name": "ARGS:action", "type": "equals", "value": "add"}, {"name": "ARGS:table-name", "type": "detectXSS"}], "cve": "CVE-2025-2685", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2685", "description": "TablePress <=3.0.4 Authenticated (Author+) Stored XSS via table-name parameter on admin form POST", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.0.4"}, "RULE-CVE-2025-27007-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/sure-triggers/v1/automation/action(/|\\\\?|&|$)~"}, {"name": "ARGS:type_event", "type": "equals", "value": "create_user_if_not_exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-27007", "method": "POST", "mode": "block", "severity": 9.8, "slug": "suretriggers", "target": "plugin", "versions": "<=1.0.82"}, "RULE-CVE-2025-2779-01": {"ajax_action": "htscript_notices", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2779", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2779", "description": "Insert Headers and Footers Code - HT Script <=1.1.2 missing authorization on htscript_notices AJAX action allows arbitrary option update", "method": "POST", "mode": "block", "severity": 6.5, "slug": "insert-headers-and-footers-script", "tags": ["missing-authorization", "broken-access-control", "option-update"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-2779-02": {"ajax_action": "ihafs_diagnostic_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2779", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2779", "description": "Insert Headers and Footers Code - HT Script <=1.1.2 missing authorization on ihafs_diagnostic_data AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "insert-headers-and-footers-script", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-2800-01": {"ajax_action": "add_organizer", "conditions": [{"name": "ARGS:organizer_name", "type": "detectXSS"}], "cve": "CVE-2025-2800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2800", "description": "WP Event Manager <=3.1.50 unauthenticated stored XSS via organizer_name in add_organizer AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wp-event-manager", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.1.50"}, "RULE-CVE-2025-2807-01": {"ajax_action": "mvl_setup_wizard_install_plugin", "conditions": [{"name": "ARGS:plugin", "type": "regex", "value": "~.+~"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2025-2807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2807", "description": "Motors - Car Dealership & Classified Listings <= 1.4.64 missing authorization on mvl_setup_wizard_install_plugin allowing Subscriber+ arbitrary plugin installation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "motors-car-dealership-classified-listings", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-plugin-install"], "target": "plugin", "versions": "<=1.4.64"}, "RULE-CVE-2025-2816-01": {"ajax_action": "pvc_yellow_message_dontshow", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2816", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2816", "description": "Page View Count <=2.8.4 missing authorization on pvc_yellow_message_dontshow AJAX handler allows arbitrary option update", "method": "POST", "mode": "block", "severity": 8.1, "slug": "page-views-count", "tags": ["missing-authorization", "broken-access-control", "option-update"], "target": "plugin", "versions": "<=2.8.4"}, "RULE-CVE-2025-2821-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/search-exclude/v1/settings(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2821", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2821", "description": "Search Exclude <=2.4.9 missing authorization on REST API settings modification endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "search-exclude", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2025-2821-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/search-exclude/v1/settings(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-2821", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2821", "description": "Search Exclude <=2.4.9 missing authorization on REST API settings read endpoint", "method": "GET", "mode": "block", "severity": 5.3, "slug": "search-exclude", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2025-2839-01": {"ajax_action": "wpie_export_get_preview_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script\\\\b[^>]*>~i"}], "cve": "CVE-2025-2839", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2839", "description": "WP Import Export Lite <=3.9.27 authenticated (Contributor+) DOM-based stored XSS via wpie_export_get_preview_data AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-import-export-lite", "tags": ["xss", "stored-xss", "dom-based", "authenticated"], "target": "plugin", "versions": "<=3.9.27"}, "RULE-CVE-2025-2839-02": {"ajax_action": "wpie_export_get_preview_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2025-2839", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2839", "description": "WP Import Export Lite <=3.9.27 authenticated (Contributor+) DOM-based stored XSS via wpie_export_get_preview_data \\u2014 event handler injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-import-export-lite", "tags": ["xss", "stored-xss", "dom-based", "authenticated"], "target": "plugin", "versions": "<=3.9.27"}, "RULE-CVE-2025-2839-03": {"ajax_action": "wpie_export_get_preview_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<(?:svg|iframe|embed|object)\\\\b[^>]*>~i"}], "cve": "CVE-2025-2839", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2839", "description": "WP Import Export Lite <=3.9.27 authenticated (Contributor+) DOM-based stored XSS via wpie_export_get_preview_data \\u2014 dangerous tag injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-import-export-lite", "tags": ["xss", "stored-xss", "dom-based", "authenticated"], "target": "plugin", "versions": "<=3.9.27"}, "RULE-CVE-2025-2839-04": {"ajax_action": "wpie_export_create_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script\\\\b[^>]*>~i"}], "cve": "CVE-2025-2839", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2839", "description": "WP Import Export Lite <=3.9.27 authenticated (Contributor+) DOM-based stored XSS via wpie_export_create_data \\u2014 script tag injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-import-export-lite", "tags": ["xss", "stored-xss", "dom-based", "authenticated"], "target": "plugin", "versions": "<=3.9.27"}, "RULE-CVE-2025-2839-05": {"ajax_action": "wpie_export_create_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2025-2839", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2839", "description": "WP Import Export Lite <=3.9.27 authenticated (Contributor+) DOM-based stored XSS via wpie_export_create_data \\u2014 event handler injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-import-export-lite", "tags": ["xss", "stored-xss", "dom-based", "authenticated"], "target": "plugin", "versions": "<=3.9.27"}, "RULE-CVE-2025-2839-06": {"ajax_action": "wpie_export_create_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<(?:svg|iframe|embed|object)\\\\b[^>]*>~i"}], "cve": "CVE-2025-2839", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2839", "description": "WP Import Export Lite <=3.9.27 authenticated (Contributor+) DOM-based stored XSS via wpie_export_create_data \\u2014 dangerous tag injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-import-export-lite", "tags": ["xss", "stored-xss", "dom-based", "authenticated"], "target": "plugin", "versions": "<=3.9.27"}, "RULE-CVE-2025-2893-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:gutenverse/countdown"}, {"name": "ARGS:content", "type": "regex", "value": "~<\\\\s*(?:script|iframe|svg|embed|object|form|details|math)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|input|change|submit|animationend|pointerover|auxclick)\\\\s*=|javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-2893", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2893", "description": "Gutenverse <=2.2.1 Stored XSS via Countdown block attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "gutenverse", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-2893-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:gutenverse/countdown"}, {"name": "ARGS:content", "type": "regex", "value": "~<\\\\s*(?:script|iframe|svg|embed|object|form|details|math)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|input|change|submit|animationend|pointerover|auxclick)\\\\s*=|javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-2893", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2893", "description": "Gutenverse <=2.2.1 Stored XSS via Countdown block attributes in REST API post update", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "gutenverse", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-2893-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:post_content", "type": "contains", "value": "wp:gutenverse/countdown"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<\\\\s*(?:script|iframe|svg|embed|object|form|details|math)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|input|change|submit|animationend|pointerover|auxclick)\\\\s*=|javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-2893", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2893", "description": "Gutenverse <=2.2.1 Stored XSS via Countdown block attributes in classic editor post submission", "method": "POST", "mode": "block", "severity": 5.4, "slug": "gutenverse", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-2940-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-post.php"}, {"name": "ARGS:action", "type": "contains", "value": "wpf-async-request-"}, {"name": "ARGS:args[url]", "type": "exists"}], "cve": "CVE-2025-2940", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-2940", "description": "Ninja Tables <= 5.0.18 unauthenticated SSRF via WPFluent async request handler args[url] parameter", "mode": "block", "severity": 7.2, "slug": "ninja-tables", "tags": ["ssrf", "unauthenticated", "server-side-request-forgery"], "target": "plugin", "versions": "<=5.0.18"}, "RULE-CVE-2025-2941-01": {"ajax_action": "dnd_codedropz_upload_wc", "conditions": [{"name": "FILES:wc-upload-file[]", "type": "exists"}], "cve": "CVE-2025-2941", "method": "POST", "mode": "block", "severity": 9.8, "slug": "drag-and-drop-multiple-file-upload-for-woocommerce", "target": "plugin", "versions": "<=1.1.4"}, "RULE-CVE-2025-2941-02": {"ajax_action": "dnd_codedropz_upload_delete_wc", "conditions": [{"name": "ARGS:file", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|[\\\\\\\\/]\\\\.\\\\.)|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|(?:^|[\\\\\\\\/])\\\\.env(?:$|[\\\\\\\\/]))~i"}], "cve": "CVE-2025-2941", "method": "POST", "mode": "block", "severity": 9.8, "slug": "drag-and-drop-multiple-file-upload-for-woocommerce", "target": "plugin", "versions": "<=1.1.4"}, "RULE-CVE-2025-3058-01": {"ajax_action": "xwc_save_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:settings", "type": "exists"}], "cve": "CVE-2025-3058", "method": "POST", "mode": "block", "severity": 8.8, "slug": "xelion-webchat", "target": "plugin", "versions": "<=9.1.0"}, "RULE-CVE-2025-3064-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/options.php"}, {"name": "ARGS:option_page", "type": "equals", "value": "general"}, {"name": "ARGS:action", "type": "equals", "value": "update"}, {"name": "ARGS:default_role", "type": "regex", "value": "~(?i)^administrator$~"}], "cve": "CVE-2025-3064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3064", "description": "WPFront User Role Editor <=4.2.1 CSRF to privilege escalation via default_role=administrator on options.php", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpfront-user-role-editor", "tags": ["csrf", "privilege-escalation", "state-change"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-3064-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/network/settings.php"}, {"name": "ARGS:default_role", "type": "regex", "value": "~(?i)^administrator$~"}], "cve": "CVE-2025-3064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3064", "description": "WPFront User Role Editor <=4.2.1 CSRF to privilege escalation via default_role=administrator on network settings", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpfront-user-role-editor", "tags": ["csrf", "privilege-escalation", "multisite"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-3064-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/options.php"}, {"name": "ARGS:option_page", "type": "equals", "value": "general"}, {"name": "ARGS:action", "type": "equals", "value": "update"}, {"name": "ARGS:wpfront-secondary-roles[administrator]", "type": "exists"}], "cve": "CVE-2025-3064", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3064", "description": "WPFront User Role Editor <=4.2.1 CSRF to privilege escalation via secondary roles including administrator", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpfront-user-role-editor", "tags": ["csrf", "privilege-escalation", "state-change"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-3075-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~\\\\bon(?:mouse(?:over|enter|move|out|down|up)|error|load|focus|blur|click|dblclick|key(?:down|up|press)|change|submit|reset|animate(?:end|start|iteration)|transition(?:end|run|start)|pointer(?:over|enter|down|up|move|out)|touch(?:start|end|move))\\\\s*=~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-3075", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3075", "description": "Elementor <=3.29.0 Authenticated (Contributor+) Stored XSS via widget settings in elementor_ajax save handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "elementor", "tags": ["xss", "stored-xss", "authenticated", "page-builder"], "target": "plugin", "versions": "<=3.29.0"}, "RULE-CVE-2025-30772-01": {"ajax_action": "wpcuf_import_export_save", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-30772", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-30772", "description": "WPC Smart Upsell Funnel <=3.0.4 arbitrary option update to privilege escalation via wpcuf_import_export_save AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpc-smart-upsell-funnel", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-option-update"], "target": "plugin", "versions": "<=3.0.4"}, "RULE-CVE-2025-30772-02": {"ajax_action": "wpcuf_import_export", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-30772", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-30772", "description": "WPC Smart Upsell Funnel <=3.0.4 missing authorization on wpcuf_import_export AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpc-smart-upsell-funnel", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-option-update"], "target": "plugin", "versions": "<=3.0.4"}, "RULE-CVE-2025-30911-01": {"ajax_action": "install_requirements", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2025-30911", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-30911", "description": "RomethemeKit For Elementor <=1.5.4 missing authorization on install_requirements allows subscriber+ arbitrary plugin installation leading to RCE", "method": "POST", "mode": "block", "severity": 9.9, "slug": "rometheme-for-elementor", "tags": ["missing-authorization", "arbitrary-plugin-install", "remote-code-execution"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2025-30911-02": {"ajax_action": "import_rtm_template", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2025-30911", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-30911", "description": "RomethemeKit For Elementor <=1.5.4 missing authorization on import_rtm_template allows subscriber+ arbitrary file write leading to RCE", "method": "POST", "mode": "block", "severity": 9.9, "slug": "rometheme-for-elementor", "tags": ["missing-authorization", "arbitrary-file-write", "remote-code-execution"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2025-31019-01": {"action": "init", "conditions": [{"name": "ARGS:mopppm_userid", "type": "regex", "value": "~^\\\\d+$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-31019", "method": "POST", "mode": "block", "severity": 8.8, "slug": "password-policy-manager", "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-3102-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/(?:sure-triggers|suretriggers|ottokit)/v1/(?:authenticate-user|automation/action)(?:/|\\\\?|$)~i"}, {"name": "REQUEST_HEADERS:st_authorization", "type": "regex", "value": "~^(?:[\\\\s]*|Bearer[\\\\s]*)$~i"}], "cve": "CVE-2025-3102", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3102", "description": "SureTriggers <=1.0.78 unauthenticated REST API authentication bypass via empty st_authorization header", "method": "POST", "mode": "block", "severity": 9.8, "slug": "suretriggers", "tags": ["authentication-bypass", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.0.78"}, "RULE-CVE-2025-31560-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "salon-customers"}, {"name": "ARGS:role", "type": "regex", "value": "~(?:administrator|editor|author|contributor|shop_manager)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-31560", "method": "POST", "mode": "block", "severity": 7.2, "slug": "salon-booking-system", "target": "plugin", "versions": "<=10.11"}, "RULE-CVE-2025-31560-02A": {"ajax_action": "salon", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~(?:administrator|editor|author|contributor|shop_manager)~i"}], "cve": "CVE-2025-31560", "method": "POST", "mode": "block", "severity": 7.2, "slug": "salon-booking-system", "target": "plugin", "versions": "<=10.11"}, "RULE-CVE-2025-31560-02B": {"ajax_action": "salon", "conditions": [{"name": "ARGS:user_role", "type": "regex", "value": "~(?:administrator|editor|author|contributor|shop_manager)~i"}], "cve": "CVE-2025-31560", "method": "POST", "mode": "block", "severity": 7.2, "slug": "salon-booking-system", "target": "plugin", "versions": "<=10.11"}, "RULE-CVE-2025-32486-01": {"ajax_action": "public_amd_ajax_handler", "conditions": [{"name": "ARGS:reset_password[new_password]", "type": "exists"}, {"name": "ARGS:reset_password[vcode]", "type": "regex", "value": "~^0[eE]\\\\d+$~"}], "cve": "CVE-2025-32486", "method": "POST", "mode": "block", "severity": 9.8, "slug": "material-dashboard", "target": "plugin", "versions": "<=1.4.6"}, "RULE-CVE-2025-32568-01": {"ajax_action": "empik_csv_process_emp_log_classes", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:[0-9]+:[\\"\\\\{]~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-32568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-32568", "description": "EmpikPlace for WooCommerce <=1.4.3 PHP Object Injection via empik_csv_process_emp_log_classes AJAX handler", "mode": "block", "severity": 9.8, "slug": "empik-for-woocommerce", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.4.3"}, "RULE-CVE-2025-32568-02": {"ajax_action": "empik_csv_process_emp_prod_states", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:[0-9]+:[\\"\\\\{]~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-32568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-32568", "description": "EmpikPlace for WooCommerce <=1.4.3 PHP Object Injection via empik_csv_process_emp_prod_states AJAX handler", "mode": "block", "severity": 9.8, "slug": "empik-for-woocommerce", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.4.3"}, "RULE-CVE-2025-32597-01": {"ajax_action": "cdaily", "conditions": [{"name": "ARGS:callback", "type": "regex", "value": "~[^A-Za-z0-9_.$]~"}], "cve": "CVE-2025-32597", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-32597", "description": "Connect Daily Web Calendar <=1.5.4 reflected XSS via unsanitized JSONP callback parameter in cdaily AJAX handler", "mode": "block", "severity": 7.1, "slug": "connect-daily-web-calendar", "tags": ["xss", "csrf", "jsonp-injection", "unauthenticated"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2025-32648-01": {"ajax_action": "pto_ajax_register", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~^(?:administrator|editor|author|contributor|admin)$~i"}], "cve": "CVE-2025-32648", "method": "POST", "mode": "block", "severity": 9.8, "slug": "projectopia-core", "target": "plugin", "versions": "<=5.1.23"}, "RULE-CVE-2025-32652-01": {"ajax_action": "solace_extra_upload_logo", "conditions": [{"name": "ARGS:logo_url", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)(?:[?#%/]|$)|\\\\.htaccess(?:[?#%/]|$)|\\\\.htpasswd(?:[?#%/]|$)~i"}], "cve": "CVE-2025-32652", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-32652", "description": "Solace Extra <=1.3.1 arbitrary file upload via solace_extra_upload_logo AJAX handler allowing remote PHP file write", "mode": "block", "severity": 9.9, "slug": "solace-extra", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated"], "target": "plugin", "versions": "<=1.3.1"}, "RULE-CVE-2025-32682-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mapsvg/v[0-9]+/~"}, {"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-32682", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-32682", "description": "MapSVG Lite <=8.6.4 authenticated (Contributor+) arbitrary file upload via REST API allowing web shell deployment", "method": "POST", "mode": "block", "severity": 9.9, "slug": "mapsvg-lite-interactive-vector-maps", "tags": ["arbitrary-file-upload", "remote-code-execution", "rest-api", "authenticated"], "target": "plugin", "versions": "<=8.6.4"}, "RULE-CVE-2025-3281-01": {"ajax_action": "user_registration_membership_create_stripe_subscription", "conditions": [{"name": "ARGS:member_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2025-3281", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3281", "description": "User Registration & Membership <=4.2.1 IDOR in create_stripe_subscription allowing unauthenticated user deletion via member_id", "method": "POST", "mode": "block", "severity": 5.3, "slug": "user-registration", "tags": ["idor", "missing-authorization", "unauthenticated", "user-deletion"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-3281-02": {"ajax_action": "user_registration_membership_confirm_payment", "conditions": [{"name": "ARGS:member_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2025-3281", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3281", "description": "User Registration & Membership <=4.2.1 IDOR in confirm_payment allowing unauthenticated user state manipulation via member_id", "method": "POST", "mode": "block", "severity": 5.3, "slug": "user-registration", "tags": ["idor", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-3281-03": {"ajax_action": "user_registration_membership_verify_pages", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3281", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3281", "description": "User Registration & Membership <=4.2.1 missing authorization on verify_pages membership AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "user-registration", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-3281-04": {"ajax_action": "user_registration_membership_validate_pg", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3281", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3281", "description": "User Registration & Membership <=4.2.1 missing authorization on validate_pg membership AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "user-registration", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-3418-01": {"ajax_action": "wpcac_edit_save", "conditions": [{"name": "ARGS:field", "type": "regex", "value": "~^(wp_capabilities|wp_user_level|role)$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3418", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wpc-admin-columns", "target": "plugin", "versions": ">=2.0.6 <=2.1.0"}, "RULE-CVE-2025-3422-01": {"ajax_action": "everest_forms_form_preview_save", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3422", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3422", "description": "Everest Forms <=3.1.1 authenticated arbitrary shortcode execution via form_preview_save AJAX action", "method": "POST", "mode": "block", "severity": 6.3, "slug": "everest-forms", "tags": ["missing-authorization", "arbitrary-shortcode-execution", "code-injection"], "target": "plugin", "versions": "<=3.1.1"}, "RULE-CVE-2025-3428-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "3dprintlite_coatings"}, {"name": "ARGS:coating_text", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2025-3428", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3428", "description": "3DPrint Lite <=2.1.3.6 authenticated (Admin+) SQL injection via coating_text parameter on coatings admin page (GET)", "method": "GET", "mode": "block", "severity": 4.9, "slug": "3dprint-lite", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=2.1.3.6"}, "RULE-CVE-2025-3428-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "3dprintlite_coatings"}, {"name": "ARGS:coating_text", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2025-3428", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3428", "description": "3DPrint Lite <=2.1.3.6 authenticated (Admin+) SQL injection via coating_text parameter on coatings admin page (POST)", "method": "POST", "mode": "block", "severity": 4.9, "slug": "3dprint-lite", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=2.1.3.6"}, "RULE-CVE-2025-3434-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~(?:<|�*60;|�*3c;)\\\\s*script\\\\b|\\\\bon[a-zA-Z0-9_]+\\\\s*=|<iframe\\\\b|<object\\\\b|<embed\\\\b|<svg[\\\\s/]|javascript\\\\s*:~i"}], "cve": "CVE-2025-3434", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3434", "description": "SMTP for Amazon SES YaySMTP <=1.8 unauthenticated stored XSS via comment form email logging", "method": "POST", "mode": "block", "severity": 7.2, "slug": "smtp-amazon-ses", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2025-3434-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-comments-post\\\\.php~"}, {"name": "ARGS:author", "type": "regex", "value": "~(?:<|�*60;|�*3c;)\\\\s*script\\\\b|\\\\bon[a-zA-Z0-9_]+\\\\s*=|<iframe\\\\b|<object\\\\b|<embed\\\\b|<svg[\\\\s/]|javascript\\\\s*:~i"}], "cve": "CVE-2025-3434", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3434", "description": "SMTP for Amazon SES YaySMTP <=1.8 unauthenticated stored XSS via comment author field email logging", "method": "POST", "mode": "block", "severity": 7.2, "slug": "smtp-amazon-ses", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2025-3435-01": {"ajax_action": "mb_board", "conditions": [{"name": "ARGS:board_header", "type": "regex", "value": "~<\\\\s*script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3435", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3435", "description": "Mang Board WP <=1.8.6 Stored XSS via board_header parameter in mb_board AJAX handler", "method": "POST", "mode": "block", "severity": 4.4, "slug": "mangboard", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.8.6"}, "RULE-CVE-2025-3435-02": {"ajax_action": "mb_board", "conditions": [{"name": "ARGS:board_footer", "type": "regex", "value": "~<\\\\s*script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3435", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3435", "description": "Mang Board WP <=1.8.6 Stored XSS via board_footer parameter in mb_board AJAX handler", "method": "POST", "mode": "block", "severity": 4.4, "slug": "mangboard", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.8.6"}, "RULE-CVE-2025-3438-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/api/flutter_user/(?:register|sign_up|sign_up_2)(/|\\\\?|$)~"}, {"name": "ARGS:role", "type": "regex", "value": "~^(?!(subscriber|customer|owner|driver)$).+$~"}], "cve": "CVE-2025-3438", "method": "POST", "mode": "block", "severity": 7.3, "slug": "mstore-api", "target": "plugin", "versions": "<4.17.5"}, "RULE-CVE-2025-3439-01": {"action": "init", "conditions": [{"name": "ARGS:everest_forms[id]", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2025-3439", "method": "POST", "mode": "block", "severity": 9.8, "slug": "everest-forms", "target": "plugin", "versions": "<3.1.2"}, "RULE-CVE-2025-3439-02": {"ajax_action": "everest_forms_ajax_form_submission", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2025-3439", "method": "POST", "mode": "block", "severity": 9.8, "slug": "everest-forms", "target": "plugin", "versions": "<3.1.2"}, "RULE-CVE-2025-3455-01": {"action": "admin_post_start_restore", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3455", "description": "1 Click Migration <=2.2 authenticated arbitrary file upload via start_restore admin-post action", "mode": "block", "severity": 8.8, "slug": "1-click-migration", "tags": ["arbitrary-file-upload", "missing-authorization", "file-upload"], "target": "plugin", "versions": "<=2.2"}, "RULE-CVE-2025-3455-02": {"action": "admin_post_start_backup", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3455", "description": "1 Click Migration <=2.2 authenticated missing authorization on start_backup admin-post action", "mode": "block", "severity": 8.8, "slug": "1-click-migration", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.2"}, "RULE-CVE-2025-3455-03": {"action": "admin_post_cancel_actions", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3455", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3455", "description": "1 Click Migration <=2.2 authenticated missing authorization on cancel_actions admin-post action", "mode": "block", "severity": 8.8, "slug": "1-click-migration", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.2"}, "RULE-CVE-2025-3457-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "contains", "value": "[oceanwp_icon"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[oceanwp_icon\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3457", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3457", "description": "Ocean Extra <=2.4.6 Stored XSS via [oceanwp_icon] shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ocean-extra", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2025-3457-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "[oceanwp_icon"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[oceanwp_icon\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3457", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3457", "description": "Ocean Extra <=2.4.6 Stored XSS via [oceanwp_icon] shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ocean-extra", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2025-3458-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:ocean_gallery_id[/[0-9]+/]", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-3458", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3458", "description": "Ocean Extra <=2.4.6 stored XSS via unsanitized ocean_gallery_id in gallery metabox", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ocean-extra", "tags": ["xss", "stored-xss"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2025-3468-01": {"ajax_action": "nf_insert_record", "conditions": [{"name": "ARGS:clean_html", "type": "regex", "value": "~<script[^>]*>|javascript\\\\s*:|<iframe[^>]+src\\\\s*=\\\\s*[\\"\']?javascript:|<svg[^>]*\\\\bon\\\\w+\\\\s*=|<img[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-3468", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3468", "description": "NEX-Forms <= 8.9.1 Stored XSS via clean_html parameter in nf_insert_record AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "nex-forms-express-wp-form-builder", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=8.9.1"}, "RULE-CVE-2025-3468-02": {"ajax_action": "nf_insert_record", "conditions": [{"name": "ARGS:form_fields", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:|<iframe[^>]+src\\\\s*=\\\\s*[\\"\']?javascript:|<svg[^>]*\\\\bon~i"}], "cve": "CVE-2025-3468", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3468", "description": "NEX-Forms <= 8.9.1 Stored XSS via form_fields parameter in nf_insert_record AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "nex-forms-express-wp-form-builder", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=8.9.1"}, "RULE-CVE-2025-3468-03": {"ajax_action": "nf_update_record", "conditions": [{"name": "ARGS:clean_html", "type": "regex", "value": "~<script[^>]*>|javascript\\\\s*:|<iframe[^>]+src\\\\s*=\\\\s*[\\"\']?javascript:|<svg[^>]*\\\\bon\\\\w+\\\\s*=|<img[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-3468", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3468", "description": "NEX-Forms <= 8.9.1 Stored XSS via clean_html parameter in nf_update_record AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "nex-forms-express-wp-form-builder", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=8.9.1"}, "RULE-CVE-2025-3468-04": {"ajax_action": "nf_update_record", "conditions": [{"name": "ARGS:form_fields", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:|<iframe[^>]+src\\\\s*=\\\\s*[\\"\']?javascript:|<svg[^>]*\\\\bon~i"}], "cve": "CVE-2025-3468", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3468", "description": "NEX-Forms <= 8.9.1 Stored XSS via form_fields parameter in nf_update_record AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "nex-forms-express-wp-form-builder", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=8.9.1"}, "RULE-CVE-2025-3471-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/sureforms/v1/global-settings(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3471", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3471", "description": "SureForms <1.4.4 incorrect authorization on global-settings REST API endpoint allows Contributor+ to update plugin settings", "method": "POST", "mode": "block", "severity": 4.9, "slug": "sureforms", "tags": ["incorrect-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<1.4.4"}, "RULE-CVE-2025-3487-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[forminator_form[^\\\\]]*\\\\blimit\\\\s*=\\\\s*([\\"\'])[\\\\s\\\\S]*?(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}\\\\s*=|javascript\\\\s*:|&#\\\\d+;|&#x[0-9a-fA-F]+;)[\\\\s\\\\S]*?\\\\1~i"}], "cve": "CVE-2025-3487", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3487", "description": "Forminator <=1.42.0 Stored XSS via limit parameter in forminator_list_pagination", "mode": "block", "severity": 5.4, "slug": "forminator", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.42.0"}, "RULE-CVE-2025-3515-01": {"ajax_action": "dnd_codedropz_upload", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "dnd_codedropz_upload"}, {"name": "FILES", "type": "exists"}, {"name": "FILES:file:name", "type": "regex", "value": "~\\\\.(?:phar|pht|phtml|php[0-9]?|phps|php\\\\.[^./]+|inc)$~i"}], "cve": "CVE-2025-3515", "method": "POST", "mode": "block", "severity": 9.8, "slug": "drag-and-drop-multiple-file-upload-contact-form-7", "target": "plugin", "versions": "<=1.3.8.9"}, "RULE-CVE-2025-3516-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~[\\"\']\\\\s*on(error|load|mouseover|click|focus|blur|mouseenter|submit|animationend|transitionend|pointerover|focusin)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3516", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3516", "description": "Simple Lightbox <=2.9.3 Contributor+ Stored XSS via post_content attribute injection (classic editor)", "method": "POST", "mode": "block", "severity": 5.9, "slug": "simple-lightbox", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.9.3"}, "RULE-CVE-2025-3516-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']\\\\s*on(error|load|mouseover|click|focus|blur|mouseenter|submit|animationend|transitionend|pointerover|focusin)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3516", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3516", "description": "Simple Lightbox <=2.9.3 Contributor+ Stored XSS via REST API post content attribute injection", "method": "POST", "mode": "block", "severity": 5.9, "slug": "simple-lightbox", "tags": ["xss", "stored-xss", "authenticated", "rest-api"], "target": "plugin", "versions": "<=2.9.3"}, "RULE-CVE-2025-3520-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/profile\\\\.php~"}, {"name": "ARGS:delete-avatar", "type": "exists"}, {"name": "ARGS:image_src", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env))~i"}], "cve": "CVE-2025-3520", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3520", "description": "Avatar <=0.1.4 authenticated arbitrary file deletion via path traversal on profile.php", "method": "POST", "mode": "block", "severity": 8.1, "slug": "avatar", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=0.1.4"}, "RULE-CVE-2025-3520-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/user-edit\\\\.php~"}, {"name": "ARGS:delete-avatar", "type": "exists"}, {"name": "ARGS:image_src", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env))~i"}], "cve": "CVE-2025-3520", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3520", "description": "Avatar <=0.1.4 authenticated arbitrary file deletion via path traversal on user-edit.php", "method": "POST", "mode": "block", "severity": 8.1, "slug": "avatar", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=0.1.4"}, "RULE-CVE-2025-3597-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~fancybox[^}]*\\\\{[^}]*(?:function|eval|alert|document|window|fetch|XMLHttpRequest|setTimeout|setInterval|constructor|\\\\bon[A-Z])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3597", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3597", "description": "Easy FancyBox <=2.3.14 Stored XSS via jQuery Metadata in post_content on classic editor", "method": "POST", "mode": "block", "severity": 5.9, "slug": "easy-fancybox", "tags": ["xss", "stored-xss", "post-content"], "target": "plugin", "versions": "<=2.3.14"}, "RULE-CVE-2025-3597-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~fancybox[^}]*\\\\{[^}]*(?:function|eval|alert|document|window|fetch|XMLHttpRequest|setTimeout|setInterval|constructor|\\\\bon[A-Z])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3597", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3597", "description": "Easy FancyBox <=2.3.14 Stored XSS via jQuery Metadata in content on REST API posts endpoint", "method": "POST", "mode": "block", "severity": 5.9, "slug": "easy-fancybox", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=2.3.14"}, "RULE-CVE-2025-3614-01": {"ajax_action": "ekit_admin_action", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:javascript[ ]*:|&#[xX]?[0-9a-fA-F]+;?[a-zA-Z]*script[ ]*:|data[ ]*:[ ]*text/html|on(?:mouse(?:over|enter|move|out|down|up)|error|load|click|focus|blur|change|submit|key(?:down|up|press)|dblclick|drag|drop|resize|scroll|unload|beforeunload|pointerover|pointerenter|animationend|transitionend)[ ]*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3614", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3614", "description": "ElementsKit Elementor Addons <=3.5.2 Stored XSS via Widget Builder URL control through ekit_admin_action AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "elementskit-lite", "tags": ["xss", "stored-xss", "widget-builder"], "target": "plugin", "versions": "<=3.5.2"}, "RULE-CVE-2025-3616-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/greenshift/v1/proxy-api(/|\\\\?|$)~"}, {"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-3616", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3616", "description": "GreenShift Animation and Page Builder Blocks >=11.4 <=11.4.5 authenticated arbitrary file upload via REST proxy-api endpoint", "method": "POST", "mode": "block", "severity": 8.8, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["arbitrary-file-upload", "missing-authorization", "rest-api", "file-upload"], "target": "plugin", "versions": ">=11.4 <=11.4.5"}, "RULE-CVE-2025-3649-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-download\\\\s*=\\\\s*(?:[\\"\']\\\\s*)?(?:javascript|data)\\\\s*(?:�*58;?|�*3[aA];?|:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3649", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3649", "description": "LightPress Lightbox <=2.3.3 Stored XSS via javascript:/data: URI in data-download attribute (post editor)", "method": "POST", "mode": "block", "severity": 6.8, "slug": "wp-jquery-lightbox", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.3.3"}, "RULE-CVE-2025-3649-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-download\\\\s*=\\\\s*(?:[\\"\']\\\\s*)?(?:javascript|data)\\\\s*(?:�*58;?|�*3[aA];?|:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3649", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3649", "description": "LightPress Lightbox <=2.3.3 Stored XSS via javascript:/data: URI in data-download attribute (REST API POST)", "method": "POST", "mode": "block", "severity": 6.8, "slug": "wp-jquery-lightbox", "tags": ["xss", "stored-xss", "authenticated", "rest-api"], "target": "plugin", "versions": "<=2.3.3"}, "RULE-CVE-2025-3649-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-download\\\\s*=\\\\s*(?:[\\"\']\\\\s*)?(?:javascript|data)\\\\s*(?:�*58;?|�*3[aA];?|:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3649", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3649", "description": "LightPress Lightbox <=2.3.3 Stored XSS via javascript:/data: URI in data-download attribute (REST API PUT)", "method": "PUT", "mode": "block", "severity": 6.8, "slug": "wp-jquery-lightbox", "tags": ["xss", "stored-xss", "authenticated", "rest-api"], "target": "plugin", "versions": "<=2.3.3"}, "RULE-CVE-2025-3662-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~<a\\\\b[^>]+(?:title|data-caption)\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<|<)(?:img|svg|iframe|script|body|video|audio|details|marquee|object|embed|math|input|select|textarea|button|form|keygen|isindex)\\\\b[^\\"\']*(?:onerror|onload|onmouseover|onfocus|onblur|onclick|onmouseenter|onanimationend|ontoggle|onpointerover|oncontextmenu)\\\\s*=~i"}], "cve": "CVE-2025-3662", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3662", "description": "FancyBox for WordPress <3.3.6 unauthenticated stored XSS via comment submission with malicious anchor title/data-caption attributes", "method": "POST", "mode": "block", "severity": 6.1, "slug": "fancybox-for-wordpress", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<3.3.6"}, "RULE-CVE-2025-3662-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<a\\\\b[^>]+(?:title|data-caption)\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<|<)(?:img|svg|iframe|script|body|video|audio|details|marquee|object|embed|math|input|select|textarea|button|form|keygen|isindex)\\\\b[^\\"\']*(?:onerror|onload|onmouseover|onfocus|onblur|onclick|onmouseenter|onanimationend|ontoggle|onpointerover|oncontextmenu)\\\\s*=~i"}], "cve": "CVE-2025-3662", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3662", "description": "FancyBox for WordPress <3.3.6 Contributor+ stored XSS via post content with malicious anchor title/data-caption attributes", "method": "POST", "mode": "block", "severity": 6.1, "slug": "fancybox-for-wordpress", "tags": ["xss", "stored-xss"], "target": "plugin", "versions": "<3.3.6"}, "RULE-CVE-2025-3752-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ableplayer\\\\b[^\\\\]]*\\\\bpreload\\\\s*=\\\\s*(?:\\"(?!auto\\"|metadata\\"|none\\")[^\\"]+\\"|\'(?!auto\'|metadata\'|none\')[^\']+\'|(?!auto\\\\b|metadata\\\\b|none\\\\b)\\\\S+)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3752", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3752", "description": "Able Player <=1.2.1 Stored XSS via [ableplayer] shortcode preload attribute (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ableplayer", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2025-3752-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ableplayer\\\\b[^\\\\]]*\\\\bpreload\\\\s*=\\\\s*(?:\\"(?!auto\\"|metadata\\"|none\\")[^\\"]+\\"|\'(?!auto\'|metadata\'|none\')[^\']+\'|(?!auto\\\\b|metadata\\\\b|none\\\\b)\\\\S+)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3752", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3752", "description": "Able Player <=1.2.1 Stored XSS via [ableplayer] shortcode preload attribute (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ableplayer", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2025-3761-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(profile|user-edit)\\\\.php~"}, {"name": "ARGS:mt_capabilities", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3761", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3761", "description": "My Tickets <= 2.0.16 authenticated privilege escalation via mt_capabilities in profile update", "method": "POST", "mode": "block", "severity": 8.8, "slug": "my-tickets", "tags": ["privilege-escalation", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.0.16"}, "RULE-CVE-2025-3775-01": {"ajax_action": "woolentor_proxy_image", "conditions": [{"name": "ARGS:url", "type": "regex", "value": "~^https?://(?!library\\\\.shoplentor\\\\.com(:[0-9]+)?(/|$|\\\\?))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3775", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3775", "description": "ShopLentor (WooLentor) <=3.1.2 unauthenticated SSRF via woolentor_proxy_image AJAX endpoint \\u2014 blocks requests where the url parameter targets any host other than the legitimate library.shoplentor.com", "mode": "block", "severity": 6.5, "slug": "woolentor-addons", "tags": ["ssrf", "unauthenticated", "server-side-request-forgery"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2025-3780-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wcfm-setup"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3780", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3780", "description": "WCFM Frontend Manager <=6.7.16 unauthenticated plugin settings modification via admin_init setup redirect", "mode": "block", "severity": 6.5, "slug": "wc-frontend-manager", "tags": ["missing-authorization", "unauthenticated", "settings-tampering"], "target": "plugin", "versions": "<=6.7.16"}, "RULE-CVE-2025-3781-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[raisely_donation_form\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-3781", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3781", "description": "Raisely Donation Form <=1.1 Stored XSS via raisely_donation_form shortcode attributes in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "raisely-donation-form", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-3781-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[raisely_donation_form\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-3781", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3781", "description": "Raisely Donation Form <=1.1 Stored XSS via raisely_donation_form shortcode attributes in REST API post content", "mode": "block", "severity": 6.4, "slug": "raisely-donation-form", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-3782-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[cision-block\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*([\'\\"])(?:(?!\\\\1).)*(?:(?:on\\\\w+)\\\\s*=|<\\\\s*(?:script|img|svg|iframe|object|embed)|javascript\\\\s*:)~is"}], "cve": "CVE-2025-3782", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3782", "description": "Cision Block <=4.3.0 Stored XSS via shortcode id attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cision-block", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.3.0"}, "RULE-CVE-2025-3782-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[cision-block\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*([\'\\"])(?:(?!\\\\1).)*(?:(?:on\\\\w+)\\\\s*=|<\\\\s*(?:script|img|svg|iframe|object|embed)|javascript\\\\s*:)~is"}], "cve": "CVE-2025-3782", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3782", "description": "Cision Block <=4.3.0 Stored XSS via shortcode id attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cision-block", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.3.0"}, "RULE-CVE-2025-3809-01": {"ajax_action": "log_js_errors", "conditions": [{"name": "ARGS:error", "type": "regex", "value": "~(?i)(<\\\\s*script\\\\b|on\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-3809", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3809", "description": "Debug Log Manager <=2.3.4 unauthenticated stored XSS via log_js_errors AJAX error parameter", "method": "POST", "mode": "block", "severity": 7.2, "slug": "debug-log-manager", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.3.4"}, "RULE-CVE-2025-3858-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[formality[^\\\\]]*align\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<\\\\s*(?:script|svg|img|iframe|embed|object|form|details)|on[a-z]+=|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3858", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3858", "description": "Formality <=1.5.8 Stored XSS via [formality] shortcode align attribute in classic editor post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "formality", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.5.8"}, "RULE-CVE-2025-3858-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[formality[^\\\\]]*align\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<\\\\s*(?:script|svg|img|iframe|embed|object|form|details)|on[a-z]+=|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-3858", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3858", "description": "Formality <=1.5.8 Stored XSS via [formality] shortcode align attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "formality", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.5.8"}, "RULE-CVE-2025-3860-01": {"ajax_action": "sc_ajax_handler", "conditions": [{"name": "ARGS:saleclass", "type": "exists"}, {"name": "ARGS:saleclass", "type": "regex", "value": "~[<>\\"\']~"}], "cve": "CVE-2025-3860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3860", "description": "CarDealerPress <=6.8.2505.00 Stored XSS via saleclass parameter in sc_ajax_handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cardealerpress", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=6.8.2505.00"}, "RULE-CVE-2025-3861-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/pda/v1/files/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3861", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3861", "description": "Prevent Direct Access <=2.8.8.2 incorrect authorization on REST API protect files endpoint", "method": "POST", "mode": "block", "severity": 5.4, "slug": "prevent-direct-access", "tags": ["incorrect-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": ">=2.8.6 <=2.8.8.2"}, "RULE-CVE-2025-3861-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/pda/v1/un-protect-files/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3861", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3861", "description": "Prevent Direct Access <=2.8.8.2 incorrect authorization on REST API un-protect files endpoint", "method": "POST", "mode": "block", "severity": 5.4, "slug": "prevent-direct-access", "tags": ["incorrect-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": ">=2.8.6 <=2.8.8.2"}, "RULE-CVE-2025-3861-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/pda/v1/files/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3861", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3861", "description": "Prevent Direct Access <=2.8.8.2 incorrect authorization on REST API file protection status endpoint", "method": "GET", "mode": "block", "severity": 5.4, "slug": "prevent-direct-access", "tags": ["incorrect-authorization", "broken-access-control", "rest-api", "information-disclosure"], "target": "plugin", "versions": ">=2.8.6 <=2.8.8.2"}, "RULE-CVE-2025-3861-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/pda/v1/private-urls/\\\\d+(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3861", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3861", "description": "Prevent Direct Access <=2.8.8.2 incorrect authorization on REST API private URLs endpoint", "method": "GET", "mode": "block", "severity": 5.4, "slug": "prevent-direct-access", "tags": ["incorrect-authorization", "broken-access-control", "rest-api", "information-disclosure"], "target": "plugin", "versions": ">=2.8.6 <=2.8.8.2"}, "RULE-CVE-2025-3862-01": {"action": "init", "conditions": [{"name": "ARGS:cg_off_id", "type": "regex", "value": "~[<>\\"\'();]~"}], "cve": "CVE-2025-3862", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3862", "description": "Contest Gallery <= 26.0.6 Stored XSS via cg_off_id parameter in shortcode rendering", "mode": "block", "severity": 5.4, "slug": "contest-gallery", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=26.0.6"}, "RULE-CVE-2025-3876-01": {"action": "init", "conditions": [{"name": "ARGS:option", "type": "equals", "value": "smsalert_ajax_form_validate"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3876", "method": "POST", "mode": "block", "severity": 8.8, "slug": "sms-alert", "target": "plugin", "versions": "<=3.8.1"}, "RULE-CVE-2025-3888-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/async-upload.php"}, {"name": "ARGS:name", "type": "regex", "value": "~\\\\.svg(?:\\\\?|#|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3888", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3888", "description": "Jupiter X Core <=4.8.12 Stored XSS via SVG File inclusion (block non-admin SVG uploads to async-upload.php)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "jupiterx-core", "tags": ["xss", "stored-xss", "svg-upload", "file-upload"], "target": "plugin", "versions": "<=4.8.12"}, "RULE-CVE-2025-3888-02": {"ajax_action": "enable_unfiltered_files_upload", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-3888", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3888", "description": "Jupiter X Core <=4.8.12 missing authorization on enable_unfiltered_files_upload AJAX action", "method": "POST", "mode": "block", "severity": 5.4, "slug": "jupiterx-core", "tags": ["missing-authorization", "xss", "svg-upload", "ajax"], "target": "plugin", "versions": "<=4.8.12"}, "RULE-CVE-2025-3889-01": {"action": "init", "conditions": [{"name": "ARGS:cquantity", "type": "exists"}, {"name": "ARGS:quantity", "type": "regex", "value": "~^ *-~"}], "cve": "CVE-2025-3889", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3889", "description": "WP Simple Shopping Cart <=5.1.3 IDOR via negative quantity in cart update", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wordpress-simple-paypal-shopping-cart", "tags": ["idor", "business-logic", "unauthenticated"], "target": "plugin", "versions": "<=5.1.3"}, "RULE-CVE-2025-3890-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:wp_cart_button|wpsc_add_to_cart_button)\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-3890", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3890", "description": "WordPress Simple PayPal Shopping Cart <=5.1.3 Stored XSS via wp_cart_button shortcode in Classic Editor post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wordpress-simple-paypal-shopping-cart", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=5.1.3"}, "RULE-CVE-2025-3890-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:wp_cart_button|wpsc_add_to_cart_button)\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-3890", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3890", "description": "WordPress Simple PayPal Shopping Cart <=5.1.3 Stored XSS via wp_cart_button shortcode in REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wordpress-simple-paypal-shopping-cart", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=5.1.3"}, "RULE-CVE-2025-3917-01": {"action": "init", "conditions": [{"name": "ARGS:img", "type": "regex", "value": "~https?://[^\\\\s]+\\\\.(?:ph(?:p\\\\d?|tml?|t|ar|s)|cgi|asp|aspx|jsp|jspx|cfm)(?:\\\\.[a-z]{2,4})?(?:\\\\?|#|$)~i"}], "cve": "CVE-2025-3917", "method": "POST", "mode": "block", "severity": 9.8, "slug": "baiduseo", "target": "plugin", "versions": "<=2.0.6"}, "RULE-CVE-2025-3917-02": {"action": "init", "conditions": [{"name": "ARGS:img1", "type": "regex", "value": "~https?://[^\\\\s]+\\\\.(?:ph(?:p\\\\d?|tml?|t|ar|s)|cgi|asp|aspx|jsp|jspx|cfm)(?:\\\\.[a-z]{2,4})?(?:\\\\?|#|$)~i"}], "cve": "CVE-2025-3917", "method": "POST", "mode": "block", "severity": 9.8, "slug": "baiduseo", "target": "plugin", "versions": "<=2.0.6"}, "RULE-CVE-2025-3921-01": {"ajax_action": "pepro_reglogin", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS", "type": "regex", "value": "~(?:wp_capabilities|wp_user_level)~i"}], "cve": "CVE-2025-3921", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3921", "description": "PeproDev Ultimate Profile Solutions <=7.5.2 unauthenticated arbitrary user meta update via pepro_reglogin AJAX handler", "method": "POST", "mode": "block", "severity": 8.2, "slug": "peprodev-ups", "tags": ["missing-authorization", "broken-access-control", "unauthenticated", "privilege-escalation"], "target": "plugin", "versions": "<=7.5.2"}, "RULE-CVE-2025-39458-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-39458", "description": "foton theme <= 2.5.2 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "foton", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.5.2"}, "RULE-CVE-2025-39458-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-39458", "description": "foton theme <= 2.5.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "foton", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.5.2"}, "RULE-CVE-2025-39466-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-39466", "description": "dor theme <= 2.4 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "dor", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.4"}, "RULE-CVE-2025-39466-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-39466", "description": "dor theme <= 2.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "dor", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.4"}, "RULE-CVE-2025-39490-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-39490", "description": "backpacktraveler theme <= 2.10.2 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "backpacktraveler", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.10.2"}, "RULE-CVE-2025-39490-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-39490", "description": "backpacktraveler theme <= 2.10.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "backpacktraveler", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.10.2"}, "RULE-CVE-2025-3952-01": {"ajax_action": "pto_remove_logo", "conditions": [{"name": "ARGS:type", "type": "exists"}, {"type": "missing_capability", "value": "edit_cqpim_settings"}], "cve": "CVE-2025-3952", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-3952", "description": "Projectopia <=5.1.16 missing authorization on pto_remove_logo AJAX handler allows authenticated users (Subscriber+) to clear arbitrary WordPress options via the type parameter", "method": "POST", "mode": "block", "severity": 8.1, "slug": "projectopia-core", "tags": ["missing-authorization", "broken-access-control", "arbitrary-option-update"], "target": "plugin", "versions": "<=5.1.16"}, "RULE-CVE-2025-39551-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/fluent-boards/~"}, {"name": "ARGS", "type": "regex", "value": "~[OCa]:[0-9]+:[\\"\\\\{]~"}], "cve": "CVE-2025-39551", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39551", "description": "FluentBoards <=1.47 unauthenticated PHP object injection via REST API deserialization", "mode": "block", "severity": 9.8, "slug": "fluent-boards", "tags": ["object-injection", "deserialization", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.47"}, "RULE-CVE-2025-39596-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php~"}, {"name": "ARGS:qntn_pwd", "type": "exists"}], "cve": "CVE-2025-39596", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39596", "description": "Quentn WP <=1.2.8 unauthenticated privilege escalation via qntn_pwd auto-login token (GET)", "method": "GET", "mode": "block", "severity": 9.8, "slug": "quentn-wp", "tags": ["weak-authentication", "privilege-escalation", "unauthenticated", "authentication-bypass"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2025-39596-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php~"}, {"name": "ARGS:qntn_pwd", "type": "exists"}], "cve": "CVE-2025-39596", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39596", "description": "Quentn WP <=1.2.8 unauthenticated privilege escalation via qntn_pwd auto-login token (POST)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "quentn-wp", "tags": ["weak-authentication", "privilege-escalation", "unauthenticated", "authentication-bypass"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2025-4099-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[list_children\\\\b[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript\\\\s*:|<svg|<iframe|<img\\\\b[^>]+\\\\bon)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4099", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4099", "description": "List Children <=2.1 Stored XSS via list_children shortcode attributes in content parameter", "method": "POST", "mode": "block", "severity": 5.4, "slug": "list-children", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.1"}, "RULE-CVE-2025-4099-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[list_children\\\\b[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript\\\\s*:|<svg|<iframe|<img\\\\b[^>]+\\\\bon)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4099", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4099", "description": "List Children <=2.1 Stored XSS via list_children shortcode attributes in post_content parameter", "method": "POST", "mode": "block", "severity": 5.4, "slug": "list-children", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.1"}, "RULE-CVE-2025-4104-01": {"ajax_action": "fed_login_form_post", "conditions": [{"name": "ARGS:submit", "type": "equals", "value": "register"}, {"name": "ARGS:ID", "type": "exists"}], "cve": "CVE-2025-4104", "method": "POST", "mode": "block", "severity": 9.8, "slug": "frontend-dashboard", "target": "plugin", "versions": "<=2.2.6"}, "RULE-CVE-2025-4127-01": {"ajax_action": "kcSeoMainSettings_action", "conditions": [{"name": "ARGS:site_price_range", "type": "detectXSS"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4127", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4127", "description": "WP SEO Structured Data Schema <=2.7.11 Stored XSS via site_price_range parameter in kcSeoMainSettings_action AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-seo-structured-data-schema", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=2.7.11"}, "RULE-CVE-2025-4133-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:post_title", "type": "detectXSS"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4133", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4133", "description": "Blog2Social <=8.3.4 stored XSS via unescaped post title in plugin dashboard views", "method": "POST", "mode": "block", "severity": 5.4, "slug": "blog2social", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<8.4.0"}, "RULE-CVE-2025-4133-02": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "blog2social-ship"}, {"name": "ARGS:postId", "type": "detectXSS"}], "cve": "CVE-2025-4133", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4133", "description": "Blog2Social <=8.3.4 reflected XSS via postId parameter on ship page", "method": "GET", "mode": "block", "severity": 5.4, "slug": "blog2social", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<8.4.0"}, "RULE-CVE-2025-4133-03": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "blog2social-sched"}, {"name": "ARGS:b2sShowByDate", "type": "detectXSS"}], "cve": "CVE-2025-4133", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4133", "description": "Blog2Social <=8.3.4 reflected XSS via b2sShowByDate on scheduled posts page", "method": "GET", "mode": "block", "severity": 5.4, "slug": "blog2social", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<8.4.0"}, "RULE-CVE-2025-4133-04": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "blog2social-sched"}, {"name": "ARGS:b2sUserAuthId", "type": "detectXSS"}], "cve": "CVE-2025-4133", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4133", "description": "Blog2Social <=8.3.4 reflected XSS via b2sUserAuthId on scheduled posts page", "method": "GET", "mode": "block", "severity": 5.4, "slug": "blog2social", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<8.4.0"}, "RULE-CVE-2025-4133-05": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "blog2social-sched"}, {"name": "ARGS:b2sPostBlogId", "type": "detectXSS"}], "cve": "CVE-2025-4133", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4133", "description": "Blog2Social <=8.3.4 reflected XSS via b2sPostBlogId on scheduled posts page", "method": "GET", "mode": "block", "severity": 5.4, "slug": "blog2social", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<8.4.0"}, "RULE-CVE-2025-4133-06": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "blog2social-sched"}, {"name": "ARGS:b2sShowByNetwork", "type": "detectXSS"}], "cve": "CVE-2025-4133", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4133", "description": "Blog2Social <=8.3.4 reflected XSS via b2sShowByNetwork on scheduled posts page", "method": "GET", "mode": "block", "severity": 5.4, "slug": "blog2social", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<8.4.0"}, "RULE-CVE-2025-4169-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ppc\\\\b[^\\\\]]*(?:moretxt|title)\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*(?:<script|<img\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<svg[\\\\s/][^>]*\\\\bon\\\\w+\\\\s*=|<iframe|javascript\\\\s*:|on(?:error|load|mouseover|click|focus)\\\\s*=)(?:(?!\\\\1).)*\\\\1~i"}], "cve": "CVE-2025-4169", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4169", "description": "Posts per Cat <=1.4.2 authenticated (Contributor+) stored XSS via [ppc] shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "posts-per-cat", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.4.2"}, "RULE-CVE-2025-4169-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ppc\\\\b[^\\\\]]*(?:moretxt|title)\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*(?:<script|<img\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<svg[\\\\s/][^>]*\\\\bon\\\\w+\\\\s*=|<iframe|javascript\\\\s*:|on(?:error|load|mouseover|click|focus)\\\\s*=)(?:(?!\\\\1).)*\\\\1~i"}], "cve": "CVE-2025-4169", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4169", "description": "Posts per Cat <=1.4.2 authenticated (Contributor+) stored XSS via [ppc] shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "posts-per-cat", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.4.2"}, "RULE-CVE-2025-4171-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wfp\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4171", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4171", "description": "WZ Followed Posts <= 3.1.0 Stored XSS via [wfp] shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "where-did-they-go-from-here", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-4171-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wfp\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4171", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4171", "description": "WZ Followed Posts <= 3.1.0 Stored XSS via [wfp] shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "where-did-they-go-from-here", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-4188-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "abundatrade"}, {"name": "ARGS", "type": "regex", "value": "~<(?:script|iframe|svg|img|object|embed|form|details|math)\\\\b[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-4188", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4188", "description": "Abundatrade Plugin <=1.8.01 CSRF to Stored XSS via admin settings page (page=abundatrade)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "abundatrade-plugin", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.8.01"}, "RULE-CVE-2025-4188-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "reorder-simple-image-text-slider-setting"}, {"name": "ARGS", "type": "regex", "value": "~<(?:script|iframe|svg|img|object|embed|form|details|math)\\\\b[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur|change|submit)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-4188", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4188", "description": "Abundatrade Plugin <=1.8.01 CSRF to Stored XSS via admin settings page (page=reorder-simple-image-text-slider-setting)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "abundatrade-plugin", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.8.01"}, "RULE-CVE-2025-4206-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "gh_tools"}, {"name": "ARGS:action", "type": "equals", "value": "import_delete"}, {"name": "ARGS:import", "type": "regex", "value": "~\\\\.\\\\.[/\\\\\\\\]~"}], "cve": "CVE-2025-4206", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4206", "description": "Groundhogg <=4.1.1.2 authenticated arbitrary file deletion via path traversal in process_import_delete", "method": "GET", "mode": "block", "severity": 7.2, "slug": "groundhogg", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=4.1.1.2"}, "RULE-CVE-2025-4206-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "gh_tools"}, {"name": "ARGS:action", "type": "equals", "value": "export_delete"}, {"name": "ARGS:export", "type": "regex", "value": "~\\\\.\\\\.[/\\\\\\\\]~"}], "cve": "CVE-2025-4206", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4206", "description": "Groundhogg <=4.1.1.2 authenticated arbitrary file deletion via path traversal in process_export_delete", "method": "GET", "mode": "block", "severity": 7.2, "slug": "groundhogg", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=4.1.1.2"}, "RULE-CVE-2025-4208-01": {"ajax_action": "get_table_records", "conditions": [{"name": "ARGS:header_params", "type": "regex", "value": "~^\\\\s*(?:system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|assert|file_put_contents|file_get_contents|unlink|rmdir|move_uploaded_file|call_user_func|call_user_func_array|create_function|preg_replace_callback|array_map|array_filter|array_walk|usort|uasort|uksort|parse_str|wp_insert_user|wp_update_user|wp_delete_user|update_option|delete_option|add_option|wp_set_auth_cookie|wp_clear_auth_cookie|wp_mail|wp_remote_get|wp_remote_post|curl_exec|setcookie)\\\\s*$~i"}], "cve": "CVE-2025-4208", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4208", "description": "NEX-Forms <= 8.9.1 authenticated code execution via unsanitized call_user_func callback in flat header_params", "method": "POST", "mode": "block", "severity": 6.3, "slug": "nex-forms-express-wp-form-builder", "tags": ["code-injection", "callback-injection", "authenticated"], "target": "plugin", "versions": "<=8.9.1"}, "RULE-CVE-2025-4208-02": {"ajax_action": "get_table_records", "conditions": [{"name": "ARGS", "type": "regex", "value": "~^\\\\s*(?:system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|assert|file_put_contents|file_get_contents|unlink|rmdir|move_uploaded_file|call_user_func|call_user_func_array|create_function|preg_replace_callback|array_map|array_filter|array_walk|usort|uasort|uksort|parse_str|wp_insert_user|wp_update_user|wp_delete_user|update_option|delete_option|add_option|wp_set_auth_cookie|wp_clear_auth_cookie|wp_mail|wp_remote_get|wp_remote_post|curl_exec|setcookie)\\\\s*$~i"}], "cve": "CVE-2025-4208", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4208", "description": "NEX-Forms <= 8.9.1 authenticated code execution via unsanitized call_user_func callback in array-encoded header_params", "method": "POST", "mode": "block", "severity": 6.3, "slug": "nex-forms-express-wp-form-builder", "tags": ["code-injection", "callback-injection", "authenticated"], "target": "plugin", "versions": "<=8.9.1"}, "RULE-CVE-2025-4212-01": {"ajax_action": "alg_ajax_file_upload", "conditions": [{"name": "ARGS:alg_checkout_files_upload_uploader", "type": "exists"}], "cve": "CVE-2025-4212", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4212", "description": "Checkout Files Upload for WooCommerce <=2.2.1 unauthenticated stored XSS via uploaded filename in alg_ajax_file_upload", "method": "POST", "mode": "block", "severity": 7.2, "slug": "checkout-files-upload-woocommerce", "tags": ["xss", "stored-xss", "unauthenticated", "file-upload"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-4315-01": {"ajax_action": "cwp_user_data", "conditions": [{"name": "ARGS:meta_key", "type": "regex", "value": "~^wp_(?:capabilities|user_level)$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4315", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4315", "description": "CubeWP Framework <=1.1.23 authenticated privilege escalation via arbitrary user meta update on cwp_user_data AJAX action (wp_capabilities)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "cubewp-framework", "tags": ["privilege-escalation", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.1.23"}, "RULE-CVE-2025-4315-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/cubewp/v1/~"}, {"name": "ARGS:wp_capabilities", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4315", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4315", "description": "CubeWP Framework <=1.1.23 authenticated privilege escalation via REST API cwp_save_user_fields updating wp_capabilities", "method": "POST", "mode": "block", "severity": 8.8, "slug": "cubewp-framework", "tags": ["privilege-escalation", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=1.1.23"}, "RULE-CVE-2025-4315-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/cubewp/v1/~"}, {"name": "ARGS:wp_user_level", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4315", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4315", "description": "CubeWP Framework <=1.1.23 authenticated privilege escalation via REST API cwp_save_user_fields updating wp_user_level", "method": "POST", "mode": "block", "severity": 8.8, "slug": "cubewp-framework", "tags": ["privilege-escalation", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=1.1.23"}, "RULE-CVE-2025-4369-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "companion-auto-update"}, {"name": "ARGS:update_delay_days", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2025-4369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4369", "description": "Companion Auto Update <=3.9.2 Stored XSS via update_delay_days parameter on settings page", "method": "POST", "mode": "block", "severity": 5.5, "slug": "companion-auto-update", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.9.2"}, "RULE-CVE-2025-4369-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "companion-auto-update"}, {"name": "ARGS:cau_email", "type": "detectXSS"}], "cve": "CVE-2025-4369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4369", "description": "Companion Auto Update <=3.9.2 Stored XSS via cau_email parameter on settings page", "method": "POST", "mode": "block", "severity": 5.5, "slug": "companion-auto-update", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.9.2"}, "RULE-CVE-2025-4396-01": {"action": "init", "conditions": [{"name": "ARGS:s", "type": "exists"}, {"name": "ARGS:cats", "type": "detectSQLi"}], "cve": "CVE-2025-4396", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4396", "description": "Relevanssi <= 4.24.4 unauthenticated SQL injection via cats search parameter", "method": "GET", "mode": "block", "severity": 7.5, "slug": "relevanssi", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=4.24.4"}, "RULE-CVE-2025-4396-02": {"action": "init", "conditions": [{"name": "ARGS:s", "type": "exists"}, {"name": "ARGS:tags", "type": "detectSQLi"}], "cve": "CVE-2025-4396", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4396", "description": "Relevanssi <= 4.24.4 unauthenticated SQL injection via tags search parameter", "method": "GET", "mode": "block", "severity": 7.5, "slug": "relevanssi", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=4.24.4"}, "RULE-CVE-2025-4403-01": {"ajax_action": "dnd_codedropz_upload_wc", "conditions": [{"name": "ARGS:supported_type", "type": "regex", "value": "~(?:^|\\\\|)[^a-zA-Z0-9_|\']*(?:ph(?:p\\\\d?|ps|t(?:ml)?|ar)|shtml|cgi|asp|aspx|jsp|jspx|cfm)(?:\\\\||$)~i"}], "cve": "CVE-2025-4403", "method": "POST", "mode": "block", "severity": 9.8, "slug": "drag-and-drop-multiple-file-upload-for-woocommerce", "target": "plugin", "versions": "<=1.1.6"}, "RULE-CVE-2025-4405-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[randomimage\\\\b[^\\\\]]*link\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:j\\\\s*a\\\\s*v\\\\s*a\\\\s*s\\\\s*c\\\\s*r\\\\s*i\\\\s*p\\\\s*t\\\\s*:|data\\\\s*:|<script|(?:^|[\\\\s<])on[a-z0-9_:-]+\\\\s*=)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4405", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4405", "description": "Hot Random Image <=1.9.2 Stored XSS via link attribute in randomimage shortcode (classic editor post save)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "hot-random-image", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.9.2"}, "RULE-CVE-2025-4405-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~hot-random-image[^>]*[\\"\']link[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:j\\\\s*a\\\\s*v\\\\s*a\\\\s*s\\\\s*c\\\\s*r\\\\s*i\\\\s*p\\\\s*t\\\\s*:|data\\\\s*:|<script|(?:^|[\\\\s<])on[a-z0-9_:-]+\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4405", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4405", "description": "Hot Random Image <=1.9.2 Stored XSS via link attribute in Gutenberg block (REST API post save)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "hot-random-image", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=1.9.2"}, "RULE-CVE-2025-4473-01": {"ajax_action": "fed_ajax_request", "conditions": [{"name": "ARGS:fed_action_hook", "type": "regex", "value": "~^FEDEmail@(update|update_smtp)$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4473", "method": "POST", "mode": "block", "severity": 8.8, "slug": "frontend-dashboard", "target": "plugin", "versions": ">=1.5.10 <=2.2.7"}, "RULE-CVE-2025-4474-01": {"ajax_action": "fed_admin_setting_form", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4474", "method": "POST", "mode": "block", "severity": 8.8, "slug": "frontend-dashboard", "target": "plugin", "versions": "<=2.2.7"}, "RULE-CVE-2025-4479-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "elementor_ajax"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:before_label|after_label)[^:]*:\\\\s*\\"(?:\\\\\\\\.|[^\\"\\\\\\\\])*?(?:<\\\\s*(?:script|iframe|svg|object|embed|math)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|submit|change|input|keyup|keydown|keypress|animationend|toggle)\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4479", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4479", "description": "ElementsKit Lite <=3.5.2 Stored XSS via Image Comparison widget before/after labels through Elementor editor save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "elementskit-lite", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=3.5.2"}, "RULE-CVE-2025-4594-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[trn-ladder-registration-button[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<img[^>]+onerror|<svg[^>]+onload)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4594", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4594", "description": "Tournamatch <=4.6.1 Stored XSS via trn-ladder-registration-button shortcode attribute in post content (post editor vector)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tournamatch", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=4.6.1"}, "RULE-CVE-2025-4594-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[trn-ladder-registration-button[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<img[^>]+onerror|<svg[^>]+onload)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4594", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4594", "description": "Tournamatch <=4.6.1 Stored XSS via trn-ladder-registration-button shortcode attribute in post content (REST API vector)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tournamatch", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=4.6.1"}, "RULE-CVE-2025-4602-01": {"action": "template_redirect", "conditions": [{"name": "ARGS:connector", "type": "equals", "value": "bridge"}, {"name": "ARGS:task", "type": "equals", "value": "get_file"}, {"name": "ARGS:filename", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-4602", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4602", "description": "Store Manager Connector <=1.2.5 unauthenticated arbitrary file read via get_file filename path traversal", "mode": "block", "severity": 7.5, "slug": "store-manager-connector", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-4602-02": {"action": "template_redirect", "conditions": [{"name": "ARGS:connector", "type": "equals", "value": "bridge"}, {"name": "ARGS:task", "type": "equals", "value": "get_file"}, {"name": "ARGS:entity_type", "type": "regex", "value": "~^(?:\\\\.|\\\\.\\\\.)$|(?:\\\\.\\\\.[/\\\\\\\\])~"}], "cve": "CVE-2025-4602", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4602", "description": "Store Manager Connector <=1.2.5 unauthenticated arbitrary file read via get_file entity_type directory escape", "mode": "block", "severity": 7.5, "slug": "store-manager-connector", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-4610-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wpmem_user_memberships\\\\b[^\\\\]]*(?:<\\\\s*(?:script|img|svg|iframe|details|embed|object|video|audio|marquee)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|toggle|focusin|pointerover)\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-4610", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4610", "description": "WP-Members <=3.5.2 Stored XSS via [wpmem_user_memberships] shortcode attributes in Classic Editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-members", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.5.2"}, "RULE-CVE-2025-4610-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wpmem_user_memberships\\\\b[^\\\\]]*(?:<\\\\s*(?:script|img|svg|iframe|details|embed|object|video|audio|marquee)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|toggle|focusin|pointerover)\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-4610", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4610", "description": "WP-Members <=3.5.2 Stored XSS via [wpmem_user_memberships] shortcode attributes in REST API post creation/update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-members", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.5.2"}, "RULE-CVE-2025-4611-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[slim_seo_breadcrumbs\\\\s[^\\\\]]*(?:separator|label_home|label_search|label_404)\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[a-z/][^>]*>|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-4611", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4611", "description": "Slim SEO <=4.5.3 Stored XSS via slim_seo_breadcrumbs shortcode attributes in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "slim-seo", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.3"}, "RULE-CVE-2025-4611-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[slim_seo_breadcrumbs\\\\s[^\\\\]]*(?:separator|label_home|label_search|label_404)\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[a-z/][^>]*>|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-4611", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4611", "description": "Slim SEO <=4.5.3 Stored XSS via slim_seo_breadcrumbs shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "slim-seo", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.5.3"}, "RULE-CVE-2025-46244-01": {"ajax_action": "dsalv_save_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-46244", "method": "POST", "mode": "block", "severity": 9.8, "slug": "linked-variation", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-46244-02": {"ajax_action": "dsalv_add_new_variation", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-46244", "method": "POST", "mode": "block", "severity": 9.8, "slug": "linked-variation", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-46244-03": {"ajax_action": "dsalv_searchalltags", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-46244", "mode": "block", "severity": 9.8, "slug": "linked-variation", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-46490-01": {"ajax_action": "ccpuz_save_crossword_mce_from", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-46490", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-46490", "description": "Crossword Compiler Puzzles <=5.2 subscriber+ arbitrary file upload via ccpuz_save_crossword_mce_from AJAX handler", "mode": "block", "severity": 9.9, "slug": "crossword-compiler-puzzles", "tags": ["arbitrary-file-upload", "missing-authorization", "remote-code-execution"], "target": "plugin", "versions": "<=5.2"}, "RULE-CVE-2025-4652-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~broadstreet/Broadstreet/Vendor/broadstreet-partner/index\\\\.php~i"}, {"name": "ARGS:action", "type": "equals", "value": "register"}, {"name": "ARGS:next", "type": "detectXSS"}], "cve": "CVE-2025-4652", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4652", "description": "Broadstreet <= 1.51.7 Reflected XSS via unsanitized next parameter in broadstreet-partner index.php", "method": "GET", "mode": "block", "severity": 6.1, "slug": "broadstreet", "tags": ["xss", "reflected-xss", "unauthenticated", "direct-file-access"], "target": "plugin", "versions": "<=1.51.7"}, "RULE-CVE-2025-4666-01": {"ajax_action": "zpAccountsViaAJAX", "conditions": [{"name": "ARGS:nickname", "type": "detectXSS"}], "cve": "CVE-2025-4666", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4666", "description": "Zotpress <=7.3.15 Stored XSS via nickname parameter in zpAccountsViaAJAX AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "zotpress", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=7.3.15"}, "RULE-CVE-2025-4667-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ssa_(?:admin_upcoming|past|upcoming)_appointments\\\\b[^\\\\]]*(?:no_results_message|details_link_label)\\\\s*=\\\\s*\\"[^\\"]*<~i"}], "cve": "CVE-2025-4667", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4667", "description": "Simply Schedule Appointments <=1.6.8.30 Stored XSS via shortcode attributes in post_content (post.php vector)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simply-schedule-appointments", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.6.8.30"}, "RULE-CVE-2025-4667-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ssa_(?:admin_upcoming|past|upcoming)_appointments\\\\b[^\\\\]]*(?:no_results_message|details_link_label)\\\\s*=\\\\s*\\"[^\\"]*<~i"}], "cve": "CVE-2025-4667", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4667", "description": "Simply Schedule Appointments <=1.6.8.30 Stored XSS via shortcode attributes in content (REST API vector)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simply-schedule-appointments", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.6.8.30"}, "RULE-CVE-2025-4669-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/post\\\\.php|(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts)~"}, {"name": "ARGS", "type": "regex", "value": "~\\\\[wpbc\\\\b[^\\\\]]*(?:<[^>]*>|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<script)~i"}], "cve": "CVE-2025-4669", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4669", "description": "WP Booking Calendar <=10.11.1 Stored XSS via wpbc shortcode attributes in post content (post.php injection)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "booking", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=10.11.1"}, "RULE-CVE-2025-4670-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[edd_receipt\\\\b[^\\\\]]*error\\\\s*=\\\\s*[\\\\\\"\'][^\\\\\\"\']*<[^>]+>[^\\\\\\"\']*[\\\\\\"\']~i"}], "cve": "CVE-2025-4670", "method": "POST", "mode": "block", "severity": 5.4, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.8.1"}, "RULE-CVE-2025-4670-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[edd_receipt\\\\b[^\\\\]]*error\\\\s*=\\\\s*[\\\\\\"\'][^\\\\\\"\']*<[^>]+>[^\\\\\\"\']*[\\\\\\"\']~i"}], "cve": "CVE-2025-4670", "method": "POST", "mode": "block", "severity": 5.4, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.8.1"}, "RULE-CVE-2025-4670-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts/[0-9]+(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[edd_receipt\\\\b[^\\\\]]*error\\\\s*=\\\\s*[\\\\\\"\'][^\\\\\\"\']*<[^>]+>[^\\\\\\"\']*[\\\\\\"\']~i"}], "cve": "CVE-2025-4670", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.8.1"}, "RULE-CVE-2025-4670-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts/[0-9]+(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[edd_receipt\\\\b[^\\\\]]*error\\\\s*=\\\\s*[\\\\\\"\'][^\\\\\\"\']*<[^>]+>[^\\\\\\"\']*[\\\\\\"\']~i"}], "cve": "CVE-2025-4670", "method": "PATCH", "mode": "block", "severity": 5.4, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<=3.3.8.1"}, "RULE-CVE-2025-4671-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[compare\\\\b[^\\\\]]*operator\\\\s*=\\\\s*[\\"\'][^\\"\']*<\\\\s*/?\\\\s*[a-z!][^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4671", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4671", "description": "Profile Builder <=3.13.8 Stored XSS via [compare] shortcode operator attribute", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.13.8"}, "RULE-CVE-2025-4671-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[user_meta\\\\b[^\\\\]]*pre\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4671", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4671", "description": "Profile Builder <=3.13.8 Stored XSS via [user_meta] shortcode pre attribute", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.13.8"}, "RULE-CVE-2025-4671-03": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[user_meta\\\\b[^\\\\]]*post\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4671", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4671", "description": "Profile Builder <=3.13.8 Stored XSS via [user_meta] shortcode post attribute", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.13.8"}, "RULE-CVE-2025-4671-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[compare\\\\b[^\\\\]]*operator\\\\s*=\\\\s*[\\"\'][^\\"\']*<\\\\s*/?\\\\s*[a-z!][^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4671", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4671", "description": "Profile Builder <=3.13.8 Stored XSS via [compare] shortcode in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.13.8"}, "RULE-CVE-2025-4671-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[user_meta\\\\b[^\\\\]]*(?:pre|post)\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4671", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4671", "description": "Profile Builder <=3.13.8 Stored XSS via [user_meta] shortcode in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.13.8"}, "RULE-CVE-2025-4672-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/offsprout/v2/usermeta/(?:wp[a-z0-9]*_(?:capabilities|user_level)|session_tokens)/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2025-4672", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4672", "description": "Offsprout Page Builder <=2.15.2 privilege escalation via REST usermeta GET endpoint reading sensitive user meta (wp_capabilities, session_tokens)", "method": "GET", "mode": "block", "severity": 8.8, "slug": "offsprout-page-builder", "tags": ["improper-authorization", "privilege-escalation", "rest-api", "information-disclosure"], "target": "plugin", "versions": "<=2.15.2"}, "RULE-CVE-2025-4672-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/offsprout/v2/usermeta/(?:wp[a-z0-9]*_(?:capabilities|user_level)|session_tokens)/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2025-4672", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4672", "description": "Offsprout Page Builder <=2.15.2 privilege escalation via REST usermeta POST endpoint creating sensitive user meta (wp_capabilities)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "offsprout-page-builder", "tags": ["improper-authorization", "privilege-escalation", "rest-api"], "target": "plugin", "versions": "<=2.15.2"}, "RULE-CVE-2025-4672-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/offsprout/v2/usermeta/(?:wp[a-z0-9]*_(?:capabilities|user_level)|session_tokens)/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2025-4672", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4672", "description": "Offsprout Page Builder <=2.15.2 privilege escalation via REST usermeta PUT endpoint updating sensitive user meta (wp_capabilities)", "method": "PUT", "mode": "block", "severity": 8.8, "slug": "offsprout-page-builder", "tags": ["improper-authorization", "privilege-escalation", "rest-api"], "target": "plugin", "versions": "<=2.15.2"}, "RULE-CVE-2025-4672-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/offsprout/v2/usermeta/(?:wp[a-z0-9]*_(?:capabilities|user_level)|session_tokens)/\\\\d+~i"}, {"type": "missing_capability", "value": "edit_users"}], "cve": "CVE-2025-4672", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4672", "description": "Offsprout Page Builder <=2.15.2 privilege escalation via REST usermeta DELETE endpoint removing sensitive user meta (wp_capabilities)", "method": "DELETE", "mode": "block", "severity": 8.8, "slug": "offsprout-page-builder", "tags": ["improper-authorization", "privilege-escalation", "rest-api"], "target": "plugin", "versions": "<=2.15.2"}, "RULE-CVE-2025-4682-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "essential-blocks/slider"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:on(?:error|load|mouseover|focus|click|animationstart|animationend|transitionend|pointerenter)\\\\s*=|<\\\\s*script[\\\\s>]|<\\\\s*svg\\\\b[^>]*(?:on\\\\w+\\\\s*=|href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:|xlink:href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:)|<\\\\s*img[^>]+onerror|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4682", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4682", "description": "Essential Blocks <=5.4.0 Stored XSS via Slider block HTML attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=5.4.0"}, "RULE-CVE-2025-4682-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "essential-blocks/post-carousel"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:on(?:error|load|mouseover|focus|click|animationstart|animationend|transitionend|pointerenter)\\\\s*=|<\\\\s*script[\\\\s>]|<\\\\s*svg\\\\b[^>]*(?:on\\\\w+\\\\s*=|href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:|xlink:href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:)|<\\\\s*img[^>]+onerror|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4682", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4682", "description": "Essential Blocks <=5.4.0 Stored XSS via Post Carousel block HTML attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=5.4.0"}, "RULE-CVE-2025-4682-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "contains", "value": "essential-blocks/slider"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:on(?:error|load|mouseover|focus|click|animationstart|animationend|transitionend|pointerenter)\\\\s*=|<\\\\s*script[\\\\s>]|<\\\\s*svg\\\\b[^>]*(?:on\\\\w+\\\\s*=|href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:|xlink:href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:)|<\\\\s*img[^>]+onerror|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4682", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4682", "description": "Essential Blocks <=5.4.0 Stored XSS via Slider block HTML attributes in wp-admin post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=5.4.0"}, "RULE-CVE-2025-4682-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:content", "type": "contains", "value": "essential-blocks/post-carousel"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:on(?:error|load|mouseover|focus|click|animationstart|animationend|transitionend|pointerenter)\\\\s*=|<\\\\s*script[\\\\s>]|<\\\\s*svg\\\\b[^>]*(?:on\\\\w+\\\\s*=|href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:|xlink:href\\\\s*=\\\\s*[\'\\\\\\"]?javascript:)|<\\\\s*img[^>]+onerror|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-4682", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4682", "description": "Essential Blocks <=5.4.0 Stored XSS via Post Carousel block HTML attributes in wp-admin post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "essential-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=5.4.0"}, "RULE-CVE-2025-4685-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:gutentor"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\bon(?:error|load|mouse(?:over|out|enter)|focus|blur|click|change|submit|key(?:up|down|press))\\\\s*=~i"}], "cve": "CVE-2025-4685", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4685", "description": "Gutentor <= 3.4.8 Stored XSS via event handler injection in block attributes (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutentor", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2025-4685-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:gutentor"}, {"name": "ARGS:content", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|applet)\\\\b~i"}], "cve": "CVE-2025-4685", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4685", "description": "Gutentor <= 3.4.8 Stored XSS via dangerous tag injection in block attributes (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutentor", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2025-4685-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:post_content", "type": "contains", "value": "wp:gutentor"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\bon(?:error|load|mouse(?:over|out|enter)|focus|blur|click|change|submit|key(?:up|down|press))\\\\s*=~i"}], "cve": "CVE-2025-4685", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4685", "description": "Gutentor <= 3.4.8 Stored XSS via event handler injection in block attributes (admin post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutentor", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2025-4685-04": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:post_content", "type": "contains", "value": "wp:gutentor"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|applet)\\\\b~i"}], "cve": "CVE-2025-4685", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4685", "description": "Gutentor <= 3.4.8 Stored XSS via dangerous tag injection in block attributes (admin post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutentor", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2025-4691-01": {"ajax_action": "view_request_details", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 IDOR - unauthorized view_request_details booking data disclosure", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["idor", "missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-02": {"ajax_action": "view_request_details_car", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 IDOR - unauthorized view_request_details_car booking data disclosure", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["idor", "missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-03": {"ajax_action": "view_request_details_restau", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 IDOR - unauthorized view_request_details_restau booking data disclosure", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["idor", "missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-04": {"ajax_action": "view_hotel_requests", "conditions": [{"name": "ARGS:stat", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 IDOR - unauthorized view_hotel_requests booking data disclosure", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["idor", "missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-05": {"ajax_action": "view_car_requests", "conditions": [{"name": "ARGS:stat", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 IDOR - unauthorized view_car_requests booking data disclosure", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["idor", "missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-06": {"ajax_action": "view_restau_requests", "conditions": [{"name": "ARGS:stat", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 IDOR - unauthorized view_restau_requests booking data disclosure", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["idor", "missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-07": {"ajax_action": "approve_cancel_request", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 missing authorization on approve_cancel_request", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-08": {"ajax_action": "decline_cancel_request", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 missing authorization on decline_cancel_request", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-09": {"ajax_action": "approve_cancel_request_car", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 missing authorization on approve_cancel_request_car", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-10": {"ajax_action": "decline_cancel_request_car", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 missing authorization on decline_cancel_request_car", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-11": {"ajax_action": "approve_cancel_request_restau", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 missing authorization on approve_cancel_request_restau", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-4691-12": {"ajax_action": "decline_cancel_request_restau", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4691", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4691", "description": "eaSYNC Booking <=1.3.21 missing authorization on decline_cancel_request_restau", "mode": "block", "severity": 5.3, "slug": "easync-booking", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.3.21"}, "RULE-CVE-2025-47452-01": {"ajax_action": "wpvr_file_import", "conditions": [{"name": "FILES:wpvr_import_file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47452", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-47452", "description": "WP VR <=8.5.26 authenticated arbitrary file upload via wpvr_file_import AJAX handler", "method": "POST", "mode": "block", "severity": 9.9, "slug": "wpvr", "tags": ["arbitrary-file-upload", "remote-code-execution", "authenticated"], "target": "plugin", "versions": "<=8.5.26"}, "RULE-CVE-2025-47601-01": {"ajax_action": "maxi_get_option", "conditions": [{"name": "ARGS:option_value", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47601", "method": "POST", "mode": "block", "severity": 8.8, "slug": "maxi-blocks", "target": "plugin", "versions": "<=2.1.0"}, "RULE-CVE-2025-47688-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/file-manager-advanced/v1/hide-banner(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47688", "method": "POST", "mode": "block", "severity": 9.8, "slug": "file-manager-advanced", "target": "plugin", "versions": "<=5.3.1"}, "RULE-CVE-2025-47688-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/file-manager-advanced/v1/minimize-maximize-banner(?:[/?]|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47688", "method": "POST", "mode": "block", "severity": 9.8, "slug": "file-manager-advanced", "target": "plugin", "versions": "<=5.3.1"}, "RULE-CVE-2025-47690-01": {"ajax_action": "adminAllActionsPRO", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47690", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-leads-builder-any-crm", "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-47690-02": {"ajax_action": "SaveCRMconfig", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47690", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-leads-builder-any-crm", "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-47690-03": {"ajax_action": "saveZohoSettings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47690", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-leads-builder-any-crm", "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-47690-04": {"ajax_action": "saveSFSettings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47690", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-leads-builder-any-crm", "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-47690-05": {"ajax_action": "SaveSuiteconfig", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47690", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-leads-builder-any-crm", "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-47690-06": {"ajax_action": "save_apikey", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-47690", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-leads-builder-any-crm", "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-4799-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "download-manager.php"}, {"name": "ARGS:file_name", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|^/|^[A-Za-z]:)~"}], "cve": "CVE-2025-4799", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4799", "description": "WP-DownloadManager <=1.68.10 authenticated (Administrator+) arbitrary file deletion via absolute path traversal in file_name parameter on download-manager.php admin page", "mode": "block", "severity": 7.2, "slug": "wp-downloadmanager", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.68.10"}, "RULE-CVE-2025-4799-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "download-options.php"}, {"name": "ARGS:download_path", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|^(?!/var/www/html/wp-content|/home/[^/]+/[^/]+/wp-content)[/])~"}], "cve": "CVE-2025-4799", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4799", "description": "WP-DownloadManager <=1.68.10 authenticated (Administrator+) download_path manipulation enabling arbitrary file deletion chain on download-options.php admin page", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-downloadmanager", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.68.10"}, "RULE-CVE-2025-4803-01": {"action": "admin_init", "conditions": [{"name": "ARGS:posttypes", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2025-4803", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4803", "description": "Glossary by WPPedia <=1.3.0 authenticated (Administrator+) PHP Object Injection via posttypes parameter deserialization", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wppedia", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-48142-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/bookify/v1/(?:add-staff|update-staff|delete-staff|staffs)(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-48142", "method": "POST", "mode": "block", "slug": "bookify", "target": "plugin", "versions": "<=1.0.9"}, "RULE-CVE-2025-48142-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/bookify/v1/(?:add-staff|update-staff|delete-staff|staffs)(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-48142", "method": "PUT", "mode": "block", "slug": "bookify", "target": "plugin", "versions": "<=1.0.9"}, "RULE-CVE-2025-48142-03": {"action": "init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~^/bookify/v1/(?:add-staff|update-staff|delete-staff|staffs)(?:/|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-48142", "method": "POST", "mode": "block", "slug": "bookify", "target": "plugin", "versions": "<=1.0.9"}, "RULE-CVE-2025-48142-04": {"action": "init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~^/bookify/v1/(?:add-staff|update-staff|delete-staff|staffs)(?:/|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-48142", "method": "PUT", "mode": "block", "slug": "bookify", "target": "plugin", "versions": "<=1.0.9"}, "RULE-CVE-2025-49076-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:theplus_clients_url", "type": "exists"}, {"name": "ARGS:theplus_clients_url", "type": "regex", "value": "~^\\\\s*(javascript|data|vbscript)\\\\s*:~i"}], "cve": "CVE-2025-49076", "method": "POST", "mode": "block", "severity": 6.5, "slug": "the-plus-addons-for-elementor-page-builder", "target": "plugin", "versions": "<=6.2.7"}, "RULE-CVE-2025-49359-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49359", "description": "shieldgroup theme <= 2.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "shieldgroup", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.13"}, "RULE-CVE-2025-49359-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49359", "description": "shieldgroup theme <= 2.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "shieldgroup", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.13"}, "RULE-CVE-2025-49360-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49360", "description": "militarology theme <= 1.0.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "militarology", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.15"}, "RULE-CVE-2025-49360-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49360", "description": "militarology theme <= 1.0.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "militarology", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.15"}, "RULE-CVE-2025-49361-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49361", "description": "mamita theme <= 1.0.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "mamita", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.9"}, "RULE-CVE-2025-49361-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49361", "description": "mamita theme <= 1.0.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "mamita", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.9"}, "RULE-CVE-2025-49362-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49362", "description": "gracioza theme <= 1.0.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "gracioza", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.15"}, "RULE-CVE-2025-49362-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49362", "description": "gracioza theme <= 1.0.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "gracioza", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.15"}, "RULE-CVE-2025-49363-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49363", "description": "kings-queens theme <= 1.1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "kings-queens", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.16"}, "RULE-CVE-2025-49363-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49363", "description": "kings-queens theme <= 1.1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "kings-queens", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.16"}, "RULE-CVE-2025-49364-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49364", "description": "ludos-paradise theme <= 2.1.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "ludos-paradise", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.1.3"}, "RULE-CVE-2025-49364-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49364", "description": "ludos-paradise theme <= 2.1.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "ludos-paradise", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.1.3"}, "RULE-CVE-2025-49365-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49365", "description": "jack-well theme <= 1.0.14 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "jack-well", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-49365-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49365", "description": "jack-well theme <= 1.0.14 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "jack-well", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-49366-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49366", "description": "hanani theme <= 1.2.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "hanani", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.11"}, "RULE-CVE-2025-49366-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49366", "description": "hanani theme <= 1.2.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "hanani", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.11"}, "RULE-CVE-2025-49367-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49367", "description": "monyxi theme <= 1.1.8 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "monyxi", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.8"}, "RULE-CVE-2025-49367-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49367", "description": "monyxi theme <= 1.1.8 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "monyxi", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.8"}, "RULE-CVE-2025-49368-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49368", "description": "palladio theme <= 1.1.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "palladio", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.10"}, "RULE-CVE-2025-49368-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49368", "description": "palladio theme <= 1.1.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "palladio", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.10"}, "RULE-CVE-2025-49369-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49369", "description": "lettuce theme <= 1.1.7 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "lettuce", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.7"}, "RULE-CVE-2025-49369-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49369", "description": "lettuce theme <= 1.1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "lettuce", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.7"}, "RULE-CVE-2025-49370-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49370", "description": "lymcoin theme <= 1.3.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "lymcoin", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.12"}, "RULE-CVE-2025-49370-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49370", "description": "lymcoin theme <= 1.3.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "lymcoin", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.12"}, "RULE-CVE-2025-49371-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49371", "description": "strux theme <= 1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "strux", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-49371-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49371", "description": "strux theme <= 1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "strux", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-4943-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/elementor/v\\\\d+/document/save~"}, {"name": "ARGS", "type": "regex", "value": "~(?:javascript|vbscript)\\\\s*:~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4943", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4943", "description": "LA-Studio Element Kit for Elementor <=1.5.2 Stored DOM XSS via data-lakit-element-link javascript: URI in Elementor REST document save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "lastudio-element-kit", "tags": ["xss", "stored-xss", "elementor"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-4943-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS", "type": "regex", "value": "~(?:javascript|vbscript)\\\\s*:~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4943", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4943", "description": "LA-Studio Element Kit for Elementor <=1.5.2 Stored DOM XSS via data-lakit-element-link javascript: URI in wp-admin post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "lastudio-element-kit", "tags": ["xss", "stored-xss", "elementor"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-4943-03": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:javascript|vbscript)\\\\s*:~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-4943", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4943", "description": "LA-Studio Element Kit for Elementor <=1.5.2 Stored DOM XSS via data-lakit-element-link javascript: URI in elementor_ajax save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "lastudio-element-kit", "tags": ["xss", "stored-xss", "elementor"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2025-49924-01": {"ajax_action": "wwpEditWholesaleRole", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-49924", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49924", "description": "Wholesale Suite \\u2013 WooCommerce Wholesale Prices <=2.2.4.2 privilege escalation via wwpEditWholesaleRole AJAX action", "method": "POST", "mode": "block", "severity": 7.3, "slug": "woocommerce-wholesale-prices", "tags": ["privilege-escalation", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.2.4.2"}, "RULE-CVE-2025-49941-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49941", "description": "glamchic theme <= 1.0.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "glamchic", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.11"}, "RULE-CVE-2025-49941-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49941", "description": "glamchic theme <= 1.0.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "glamchic", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.11"}, "RULE-CVE-2025-49942-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49942", "description": "gardis theme <= 1.2.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "gardis", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.13"}, "RULE-CVE-2025-49942-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49942", "description": "gardis theme <= 1.2.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "gardis", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.13"}, "RULE-CVE-2025-49943-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-49943", "description": "femme theme <= 1.3.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "femme", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.11"}, "RULE-CVE-2025-49943-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-49943", "description": "femme theme <= 1.3.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "femme", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.11"}, "RULE-CVE-2025-49950-01": {"ajax_action": "wc_billingo_generate_invoice", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-49950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49950", "description": "Official Integration for Billingo <=4.2.5 missing authorization on wc_billingo_generate_invoice AJAX action allowing authenticated privilege escalation", "method": "POST", "mode": "block", "severity": 7.3, "slug": "billingo", "tags": ["missing-authorization", "privilege-escalation", "broken-access-control"], "target": "plugin", "versions": "<=4.2.5"}, "RULE-CVE-2025-49950-02": {"ajax_action": "wc_billingo_storno_invoice", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-49950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49950", "description": "Official Integration for Billingo <=4.2.5 missing authorization on wc_billingo_storno_invoice AJAX action allowing authenticated privilege escalation", "method": "POST", "mode": "block", "severity": 7.3, "slug": "billingo", "tags": ["missing-authorization", "privilege-escalation", "broken-access-control"], "target": "plugin", "versions": "<=4.2.5"}, "RULE-CVE-2025-50003-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-50003", "description": "amuli theme <= 2.3.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "amuli", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.3.0"}, "RULE-CVE-2025-50003-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-50003", "description": "amuli theme <= 2.3.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "amuli", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.3.0"}, "RULE-CVE-2025-5018-01": {"ajax_action": "hs_update_ai_chat_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5018", "description": "Hive Support <=1.2.5 missing authorization on hs_update_ai_chat_settings AJAX handler allows authenticated users to overwrite AI chat configuration", "method": "POST", "mode": "block", "severity": 7.1, "slug": "hive-support", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-5018-02": {"ajax_action": "hive_lite_support_get_all_binbox", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5018", "description": "Hive Support <=1.2.5 missing authorization on hive_lite_support_get_all_binbox AJAX handler allows authenticated users to read sensitive inbox configuration", "method": "POST", "mode": "block", "severity": 7.1, "slug": "hive-support", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-5018-03": {"ajax_action": "hs_get_ai_chat_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5018", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5018", "description": "Hive Support <=1.2.5 missing authorization on hs_get_ai_chat_settings AJAX handler allows authenticated users to read OpenAI API key and AI configuration", "method": "POST", "mode": "block", "severity": 7.1, "slug": "hive-support", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-5035-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~title\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]+\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5035", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5035", "description": "Easy FancyBox <=2.3.15 stored XSS via unsanitized anchor title attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "easy-fancybox", "tags": ["xss", "stored-xss", "contributor-plus"], "target": "plugin", "versions": "<=2.3.15"}, "RULE-CVE-2025-5035-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~title\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]+\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5035", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5035", "description": "Easy FancyBox <=2.3.15 stored XSS via unsanitized anchor title attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "easy-fancybox", "tags": ["xss", "stored-xss", "contributor-plus", "rest-api"], "target": "plugin", "versions": "<=2.3.15"}, "RULE-CVE-2025-5058-01": {"action": "template_redirect", "conditions": [{"name": "ARGS:connector", "type": "equals", "value": "bridge"}, {"name": "ARGS:task", "type": "equals", "value": "set_image"}, {"name": "ARGS:image_id", "type": "regex", "value": "~\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|shtml?|cgi|asp|aspx|jsp|jspx|cfm)~i"}], "cve": "CVE-2025-5058", "method": "POST", "mode": "block", "severity": 9.8, "slug": "store-manager-connector", "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-5058-02": {"action": "template_redirect", "conditions": [{"name": "ARGS:connector", "type": "equals", "value": "bridge"}, {"name": "ARGS:task", "type": "equals", "value": "set_file"}, {"name": "ARGS:filename", "type": "regex", "value": "~\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar)|shtml?|cgi|asp|aspx|jsp|jspx|cfm)~i"}], "cve": "CVE-2025-5058", "method": "POST", "mode": "block", "severity": 9.8, "slug": "store-manager-connector", "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-5071-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mcp/v1/messages(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5071", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-engine", "target": "plugin", "versions": ">=2.8.0 <=2.8.3"}, "RULE-CVE-2025-5071-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mcp/v1/sse(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5071", "method": "GET", "mode": "block", "severity": 8.8, "slug": "ai-engine", "target": "plugin", "versions": ">=2.8.0 <=2.8.3"}, "RULE-CVE-2025-5082-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~attachmentEditIframe\\\\.php~"}, {"name": "ARGS:attachment_id", "type": "detectXSS"}], "cve": "CVE-2025-5082", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5082", "description": "WP Attachments <=5.0.12 reflected XSS via attachment_id parameter in attachmentEditIframe.php", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wp-attachments", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.0.12"}, "RULE-CVE-2025-5083-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "wpgov_at_options"}, {"name": "ARGS", "type": "regex", "value": "~<(?:script|img|svg|iframe|object|embed|details|body|marquee|input|button|select|textarea|form|meta|link|style|base)[\\\\s/>]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5083", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5083", "description": "Amministrazione Trasparente <=9.0.2 authenticated stored XSS via plugin settings (wpgov_at_options) print_r output", "method": "POST", "mode": "block", "severity": 5.5, "slug": "amministrazione-trasparente", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=9.0.2"}, "RULE-CVE-2025-5083-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "wpgov_at_option_groups"}, {"name": "ARGS", "type": "regex", "value": "~<(?:script|img|svg|iframe|object|embed|details|body|marquee|input|button|select|textarea|form|meta|link|style|base)[\\\\s/>]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5083", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5083", "description": "Amministrazione Trasparente <=9.0.2 authenticated stored XSS via group configuration (wpgov_at_option_groups) print_r output", "method": "POST", "mode": "block", "severity": 5.5, "slug": "amministrazione-trasparente", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=9.0.2"}, "RULE-CVE-2025-5084-01": {"ajax_action": "asr_filter_posts", "conditions": [{"name": "ARGS:argsArray[read_more_text]", "type": "regex", "value": "~<[^>]*[\\\\s/]on\\\\w+\\\\s*=|<\\\\s*(?:script|iframe|object|embed|svg|math|base|link|meta|style|form|input|select|textarea|details|body|marquee)\\\\b|javascript\\\\s*:~i"}], "cve": "CVE-2025-5084", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5084", "description": "Post Grid Master <=3.4.13 reflected XSS via argsArray[read_more_text] in asr_filter_posts AJAX handler", "mode": "block", "severity": 6.1, "slug": "ajax-filter-posts", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.4.13"}, "RULE-CVE-2025-5096-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "contains", "value": "tablepress_"}, {"name": "ARGS:tablepress[options][datatables_caption]", "type": "detectXSS"}], "cve": "CVE-2025-5096", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5096", "description": "TablePress <=3.1.2 DOM-based stored XSS via datatables_caption table option", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "dom-based-xss"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2025-5096-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "contains", "value": "tablepress_"}, {"name": "ARGS:tablepress[options][datatables_s_title]", "type": "detectXSS"}], "cve": "CVE-2025-5096", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5096", "description": "TablePress <=3.1.2 DOM-based stored XSS via datatables_s_title table option", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "dom-based-xss"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2025-5096-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "contains", "value": "tablepress_"}, {"name": "ARGS:tablepress[options][datatables_footer]", "type": "detectXSS"}], "cve": "CVE-2025-5096", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5096", "description": "TablePress <=3.1.2 DOM-based stored XSS via datatables_footer table option", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "dom-based-xss"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2025-5096-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "contains", "value": "tablepress_"}, {"name": "ARGS:tablepress[options][datatables_s_content_padding]", "type": "detectXSS"}], "cve": "CVE-2025-5096", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5096", "description": "TablePress <=3.1.2 DOM-based stored XSS via datatables_s_content_padding table option", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "dom-based-xss"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2025-5117-01": {"action": "init", "conditions": [{"name": "ARGS:iv-submit-listing", "type": "equals", "value": "register"}, {"name": "ARGS:payment_gateway", "type": "equals", "value": "paypal"}, {"name": "ARGS:package_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5117", "method": "POST", "mode": "block", "severity": 8.8, "slug": "property", "target": "plugin", "versions": ">=1.0.5 <=1.0.6"}, "RULE-CVE-2025-5117-02": {"action": "init", "conditions": [{"name": "ARGS:post_type", "type": "equals", "value": "iv_payment"}, {"name": "ARGS:property_package_user_role", "type": "regex", "value": "~(?:^|\\\\s)(?:administrator|editor|admin)(?:\\\\s|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5117", "method": "POST", "mode": "block", "severity": 8.8, "slug": "property", "target": "plugin", "versions": ">=1.0.5 <=1.0.6"}, "RULE-CVE-2025-5122-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json/wp/v2/posts(?:/|\\\\?|$)|(?:^|[?&])rest_route=/wp/v2/posts(?:/|[?&]|$))~"}, {"name": "ARGS:content", "type": "regex", "value": "~map-block-leaflet[/a-z-]*[^>]*(?:javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2025-5122", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5122", "description": "Map Block Leaflet <=3.2.1 Stored XSS via block attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "map-block-leaflet", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.2.1"}, "RULE-CVE-2025-5122-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~map-block-leaflet[/a-z-]*[^>]*(?:javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2025-5122", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5122", "description": "Map Block Leaflet <=3.2.1 Stored XSS via block attributes in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "map-block-leaflet", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.2.1"}, "RULE-CVE-2025-5122-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json/wp/v2/posts/\\\\d+(?:/|\\\\?|$)|(?:^|[?&])rest_route=/wp/v2/posts/\\\\d+(?:/|[?&]|$))~"}, {"name": "ARGS:content", "type": "regex", "value": "~map-block-leaflet[/a-z-]*[^>]*(?:javascript\\\\s*:|vbscript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2025-5122", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5122", "description": "Map Block Leaflet <=3.2.1 Stored XSS via block attributes in REST API post update", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "map-block-leaflet", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.2.1"}, "RULE-CVE-2025-5144-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "tribe_events"}, {"name": "ARGS:post_content", "type": "regex", "value": "~data-(?:date[a-z-]*|provide)\\\\s*=[^>]*(?:<\\\\s*script|on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-5144", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5144", "description": "The Events Calendar <=6.13.2 Stored XSS via data-date-* attributes in event post content (wp-admin post editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-events-calendar", "tags": ["xss", "stored-xss", "contributor-plus"], "target": "plugin", "versions": "<=6.13.2"}, "RULE-CVE-2025-5234-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~gutenverse-news/[^}]*\\"elementId\\"\\\\s*:\\\\s*\\"[^\\"]*(?:<|>|\\\\\\\\\\\\\\\\|\\\\\\\\\\")~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5234", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5234", "description": "Gutenverse News <=1.0.4 Authenticated (Contributor+) Stored XSS via elementId in REST API post create/update", "method": "POST", "mode": "block", "severity": 5.4, "slug": "gutenverse-news", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-5234-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~gutenverse-news/[^}]*\\"elementId\\"\\\\s*:\\\\s*\\"[^\\"]*(?:<|>|\\\\\\\\\\\\\\\\|\\\\\\\\\\")~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5234", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5234", "description": "Gutenverse News <=1.0.4 Authenticated (Contributor+) Stored XSS via elementId in REST API post update (PUT)", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "gutenverse-news", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-5234-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~gutenverse-news/[^}]*\\"elementId\\"\\\\s*:\\\\s*\\"[^\\"]*(?:<|>|\\\\\\\\\\\\\\\\|\\\\\\\\\\")~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5234", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5234", "description": "Gutenverse News <=1.0.4 Authenticated (Contributor+) Stored XSS via elementId in classic editor post.php", "method": "POST", "mode": "block", "severity": 5.4, "slug": "gutenverse-news", "tags": ["xss", "stored-xss"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-5237-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[brid[^\\\\]]*(?:width|height)\\\\s*=\\\\s*[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|&#x?0*3c;|&#x?0*3e;|&#x?0*22;|&#x?0*27;|�*60;|�*62;|�*34;|�*39;)~i"}], "cve": "CVE-2025-5237", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5237", "description": "Target Video Easy Publish <=3.8.5 Stored XSS via shortcode width/height attribute breakout in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "brid-video-easy-publish", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.8.5"}, "RULE-CVE-2025-5237-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[brid[^\\\\]]*(?:width|height)\\\\s*=\\\\s*[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|&#x?0*3c;|&#x?0*3e;|&#x?0*22;|&#x?0*27;|�*60;|�*62;|�*34;|�*39;)~i"}], "cve": "CVE-2025-5237", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5237", "description": "Target Video Easy Publish <=3.8.5 Stored XSS via shortcode attribute breakout through REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "brid-video-easy-publish", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.8.5"}, "RULE-CVE-2025-5239-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "dfs_template"}, {"name": "ARGS:post_content", "type": "regex", "value": "~domain-for-sale-template[^}]*className[\\"\']?\\\\s*[:=]\\\\s*\\"(?:\\\\\\\\.|[^\\"\\\\\\\\])*(?:<|>|on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-5239", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5239", "description": "Domain For Sale <=3.0.10 Authenticated (Contributor+) Stored XSS via class_name parameter in Gutenberg block post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "domain-for-sale", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.0.10"}, "RULE-CVE-2025-5240-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[vCita(?:MeetingScheduler|ContactForm)[^\\\\]]*type\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*(?:<[a-z/!]|on[a-z]+\\\\s*=|javascript:)~is"}], "cve": "CVE-2025-5240", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5240", "description": "CRM and Lead Management by vcita <=2.7.5 Stored XSS via type shortcode attribute in vCitaMeetingScheduler/vCitaContactForm", "method": "POST", "mode": "block", "severity": 6.4, "slug": "crm-customer-relationship-management-by-vcita", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2025-5240-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[vCitaSchedulingCalendar[^\\\\]]*type\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).)*(?:<[a-z/!]|on[a-z]+\\\\s*=|javascript:)~is"}], "cve": "CVE-2025-5240", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5240", "description": "CRM and Lead Management by vcita <=2.7.5 Stored XSS via type shortcode attribute in vCitaSchedulingCalendar", "method": "POST", "mode": "block", "severity": 6.4, "slug": "crm-customer-relationship-management-by-vcita", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2025-5258-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~(?:\\\\[conf_scheduler[^\\\\]]*className\\\\s*=\\\\s*[\\"\'][^\\"\']*|conf-scheduler/display[^}]*className[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*)(?:[\\"\']\\\\s*on\\\\w+\\\\s*=|<[a-z/])~i"}], "cve": "CVE-2025-5258", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5258", "description": "Conference Scheduler <=2.5.1 Stored XSS via className attribute in shortcode/block (classic editor vector)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "conference-scheduler", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.5.1"}, "RULE-CVE-2025-5259-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:minimal-share-buttons|msb_share)[^>\\\\]]{0,200}align\\\\s*\\"?\\\\s*:\\\\s*\\"[^\\"\\\\\\\\]{0,20}[^\\\\]]{0,80}(?:<script|on[a-z]{2,}\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5259", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5259", "description": "Minimal Share Buttons <=1.7.3 Stored XSS via unescaped align block attribute in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "minimal-share-buttons", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.7.3"}, "RULE-CVE-2025-5259-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:minimal-share-buttons|msb_share)[^>\\\\]]{0,200}align\\\\s*\\"?\\\\s*:\\\\s*\\"[^\\"\\\\\\\\]{0,20}[^\\\\]]{0,80}(?:<script|on[a-z]{2,}\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5259", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5259", "description": "Minimal Share Buttons <=1.7.3 Stored XSS via unescaped align block attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "minimal-share-buttons", "tags": ["xss", "stored-xss", "gutenberg-block", "rest-api"], "target": "plugin", "versions": "<=1.7.3"}, "RULE-CVE-2025-52745-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-52745", "description": "farmagrico theme <= 1.3.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "farmagrico", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.11"}, "RULE-CVE-2025-52745-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-52745", "description": "farmagrico theme <= 1.3.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "farmagrico", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.11"}, "RULE-CVE-2025-52768-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-52768", "description": "faith-hope theme <= 2.13.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "faith-hope", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.13.0"}, "RULE-CVE-2025-52768-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-52768", "description": "faith-hope theme <= 2.13.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "faith-hope", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.13.0"}, "RULE-CVE-2025-52815-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-52815", "description": "citygov theme <= 1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "citygov", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-52815-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-52815", "description": "citygov theme <= 1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "citygov", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-5282-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-travel-engine/v2/trips/\\\\d+/packages/\\\\d+~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-5282", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5282", "description": "WP Travel Engine <=6.5.1 unauthenticated arbitrary post deletion via REST API delete_package endpoint", "method": "DELETE", "mode": "block", "severity": 7.5, "slug": "wp-travel-engine", "tags": ["missing-authorization", "unauthenticated", "rest-api", "arbitrary-post-deletion"], "target": "plugin", "versions": "<=6.5.1"}, "RULE-CVE-2025-5282-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-travel-engine/v2/trips/\\\\d+/packages/\\\\d+~"}, {"name": "ARGS:_method", "type": "regex", "value": "~^DELETE$~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2025-5282", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5282", "description": "WP Travel Engine <=6.5.1 unauthenticated arbitrary post deletion via REST API delete_package with POST method override", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-travel-engine", "tags": ["missing-authorization", "unauthenticated", "rest-api", "arbitrary-post-deletion", "method-override"], "target": "plugin", "versions": "<=6.5.1"}, "RULE-CVE-2025-52824-01": {"ajax_action": "update_event_cost_from_package", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "update_event_cost_from_package"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-52824", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mobile-dj-manager", "target": "plugin", "versions": "<=1.7.8.1"}, "RULE-CVE-2025-52825-01": {"ajax_action": "wcp_rem_save_settings", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wcp_rem_save_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-52825", "method": "POST", "mode": "block", "severity": 8.8, "slug": "real-estate-manager", "target": "plugin", "versions": "<=7.3"}, "RULE-CVE-2025-52825-02": {"ajax_action": "wcp_rem_save_settings", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wcp_rem_save_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-52825", "method": "GET", "mode": "block", "severity": 8.8, "slug": "real-estate-manager", "target": "plugin", "versions": "<=7.3"}, "RULE-CVE-2025-5290-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~borderless.elementor.(?:progress.bar|circular.progress.bar|semi.circular.progress.bar)~i"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:\\\\\\\\\\"|\\")widgetType(?:\\\\\\\\\\"|\\")\\\\s*:\\\\s*(?:\\\\\\\\\\"|\\")borderless\\\\.elementor\\\\.(?:progress\\\\.bar|circular\\\\.progress\\\\.bar|semi\\\\.circular\\\\.progress\\\\.bar)(?:\\\\\\\\\\"|\\")[\\\\s\\\\S]{0,2000}?(?:\\\\\\\\\\"|\\")title(?:\\\\\\\\\\"|\\")\\\\s*:\\\\s*(?:\\\\\\\\\\"|\\")[^\\\\\\\\\\"]*(?:<\\\\s*script\\\\b|<\\\\s*img\\\\b[^>]*\\\\bonerror\\\\s*=|<\\\\s*svg\\\\b[^>]*\\\\bonload\\\\s*=|<\\\\s*iframe\\\\b|\\\\bsrc\\\\s*=\\\\s*[\'\\\\\\"]?\\\\s*javascript\\\\s*:|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseenter|change|submit|keydown|keyup|keypress|dblclick|contextmenu|wheel|pointerdown|animationend|toggle|resize)\\\\s*=)~i"}, {"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-5290", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5290", "description": "Borderless \\u2013 Elementor Addons and Templates <=1.7.1 Authenticated (Contributor+) Stored XSS via Elementor widget title settings", "method": "POST", "mode": "block", "severity": 6.4, "slug": "borderless", "tags": ["xss", "stored-xss", "elementor-widget", "authenticated"], "target": "plugin", "versions": "<=1.7.1"}, "RULE-CVE-2025-5304-01": {"ajax_action": "wpnb_pto_new_users_add", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5304", "method": "POST", "mode": "block", "severity": 9.8, "slug": "project-notebooks", "target": "plugin", "versions": ">=1.0.0 <=1.1.3"}, "RULE-CVE-2025-5304-02": {"ajax_action": "wpnb_pto_users_deletd", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5304", "method": "POST", "mode": "block", "severity": 9.8, "slug": "project-notebooks", "target": "plugin", "versions": ">=1.0.0 <=1.1.3"}, "RULE-CVE-2025-5304-03": {"ajax_action": "wpnb_pto_new_email_system_save", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5304", "method": "POST", "mode": "block", "severity": 9.8, "slug": "project-notebooks", "target": "plugin", "versions": ">=1.0.0 <=1.1.3"}, "RULE-CVE-2025-5336-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ht[_-]ctc[_-]chat\\\\b[^\\\\]]*\\\\bno_number\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|on[a-z]+=|javascript\\\\s*:|&#x?[0-9a-f]+;)~i"}], "cve": "CVE-2025-5336", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5336", "description": "Click to Chat for WhatsApp <=4.22 Stored DOM-Based XSS via shortcode no_number attribute in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "click-to-chat-for-whatsapp", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.22"}, "RULE-CVE-2025-5337-01": {"ajax_action": "ms_save_slideshow", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:[\\"\']\\\\s*(?:on\\\\w+\\\\s*=)|<(?:script|img|svg|iframe|object|embed|video|audio|source|link|meta|base|form|details)\\\\b|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5337", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5337", "description": "MetaSlider <=3.98.0 Stored DOM-Based XSS via aria-label parameter in ms_save_slideshow AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "ml-slider", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.98.0"}, "RULE-CVE-2025-5340-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/admin-ajax\\\\.php|(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/elementor/)~"}, {"name": "ARGS:actions", "type": "regex", "value": "~album_buy_url[^}]{0,80}(?:<[a-z/!][^>]*>|javascript\\\\s*:|data\\\\s*:[^,]*text/html|on(?:error|load|click|mouse)\\\\s*=)~i"}], "cve": "CVE-2025-5340", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5340", "description": "Music Player for Elementor <=2.4.6 authenticated (Contributor+) Stored XSS via album_buy_url widget setting", "method": "POST", "mode": "block", "severity": 6.4, "slug": "music-player-for-elementor", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.4.6"}, "RULE-CVE-2025-53428-01": {"ajax_action": "profile_save_field", "conditions": [{"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2025-53428", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-registration", "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-53428-02": {"ajax_action": "profile_save_field", "conditions": [{"name": "ARGS:wp_user_level", "type": "exists"}], "cve": "CVE-2025-53428", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-registration", "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-53428-03": {"ajax_action": "wpr_submit_form", "conditions": [{"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2025-53428", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-registration", "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-53428-04": {"ajax_action": "wpr_submit_form", "conditions": [{"name": "ARGS:wp_user_level", "type": "exists"}], "cve": "CVE-2025-53428", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-registration", "target": "plugin", "versions": "<=6.8"}, "RULE-CVE-2025-53429-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53429", "description": "exit-game theme <= 1.4.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "exit-game", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.3"}, "RULE-CVE-2025-53429-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53429", "description": "exit-game theme <= 1.4.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "exit-game", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.3"}, "RULE-CVE-2025-53430-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53430", "description": "etta theme <= 1.14.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "etta", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.14.0"}, "RULE-CVE-2025-53430-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53430", "description": "etta theme <= 1.14.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "etta", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.14.0"}, "RULE-CVE-2025-53431-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53431", "description": "emberlyn theme <= 1.3.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "emberlyn", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2025-53431-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53431", "description": "emberlyn theme <= 1.3.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "emberlyn", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2025-53432-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53432", "description": "echo theme <= 1.15.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "echo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.15.0"}, "RULE-CVE-2025-53432-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53432", "description": "echo theme <= 1.15.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "echo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.15.0"}, "RULE-CVE-2025-53433-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53433", "description": "easyeat theme <= 1.9.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "easyeat", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.9.0"}, "RULE-CVE-2025-53433-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53433", "description": "easyeat theme <= 1.9.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "easyeat", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9.0"}, "RULE-CVE-2025-53434-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53434", "description": "childhope theme <= 1.1.8 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "childhope", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.8"}, "RULE-CVE-2025-53434-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53434", "description": "childhope theme <= 1.1.8 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "childhope", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.8"}, "RULE-CVE-2025-53435-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53435", "description": "planmyday theme <= 1.1.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "planmyday", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.13"}, "RULE-CVE-2025-53435-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53435", "description": "planmyday theme <= 1.1.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "planmyday", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.13"}, "RULE-CVE-2025-53438-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53438", "description": "fitline theme <= 1.6 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fitline", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2025-53438-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53438", "description": "fitline theme <= 1.6 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fitline", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2025-53439-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53439", "description": "harper theme <= 1.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "harper", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.13"}, "RULE-CVE-2025-53439-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53439", "description": "harper theme <= 1.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "harper", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.13"}, "RULE-CVE-2025-53441-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53441", "description": "greeny theme <= 2.6 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "greeny", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.6"}, "RULE-CVE-2025-53441-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53441", "description": "greeny theme <= 2.6 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "greeny", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.6"}, "RULE-CVE-2025-53442-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53442", "description": "rentic theme <= 1.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rentic", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-53442-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53442", "description": "rentic theme <= 1.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rentic", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-53443-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53443", "description": "smash theme <= 1.7 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "smash", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2025-53443-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53443", "description": "smash theme <= 1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "smash", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2025-53445-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53445", "description": "catwalk theme <= 1.4 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "catwalk", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2025-53445-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53445", "description": "catwalk theme <= 1.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "catwalk", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2025-53446-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53446", "description": "beautique theme <= 1.5 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "beautique", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2025-53446-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53446", "description": "beautique theme <= 1.5 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "beautique", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2025-53447-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53447", "description": "assembly theme <= 1.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "assembly", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-53447-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53447", "description": "assembly theme <= 1.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "assembly", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-53448-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53448", "description": "rally theme <= 1.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rally", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-53448-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53448", "description": "rally theme <= 1.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rally", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-53449-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53449", "description": "convex theme <= 1.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "convex", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.11"}, "RULE-CVE-2025-53449-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53449", "description": "convex theme <= 1.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "convex", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.11"}, "RULE-CVE-2025-53453-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-53453", "description": "hygia theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "hygia", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-53453-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-53453", "description": "hygia theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "hygia", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-53454-01": {"action": "save_post", "conditions": [{"name": "ARGS:ewd_uwpm_email_content", "type": "detectXSS"}], "cve": "CVE-2025-53454", "method": "POST", "mode": "block", "severity": 6.5, "slug": "ultimate-wp-mail", "target": "plugin", "versions": "<=1.3.8"}, "RULE-CVE-2025-5391-01": {"ajax_action": "wcpo_delete_purchase_order_file", "conditions": [{"name": "ARGS:file_path", "type": "regex", "value": "~(?:\\\\.\\\\.[/\\\\\\\\]){2,}~"}], "cve": "CVE-2025-5391", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5391", "description": "WooCommerce Purchase Orders <=1.0.2 authenticated arbitrary file deletion via path traversal in file_path parameter", "method": "POST", "mode": "block", "severity": 8.1, "slug": "wc-purchase-orders", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-5391-02": {"ajax_action": "wcpo_delete_purchase_order_file", "conditions": [{"name": "ARGS:file_path", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log|wp-settings\\\\.php)~i"}], "cve": "CVE-2025-5391", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5391", "description": "WooCommerce Purchase Orders <=1.0.2 authenticated sensitive file deletion via file_path parameter", "method": "POST", "mode": "block", "severity": 8.1, "slug": "wc-purchase-orders", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-54003-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-54003", "description": "depot theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "depot", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-54003-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-54003", "description": "depot theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "depot", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-54710-01": {"ajax_action": "ttp_tiktok_clear", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ttp_tiktok_clear"}, {"name": "ARGS:nonce", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-54710", "mode": "block", "severity": 7.1, "slug": "b-tiktok-feed", "target": "plugin", "versions": "<=1.0.21"}, "RULE-CVE-2025-54714-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/zephyr_project_manager/v1/tasks/message(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-54714", "method": "POST", "mode": "block", "severity": 7.1, "slug": "zephyr-project-manager", "target": "plugin", "versions": "<=3.3.201"}, "RULE-CVE-2025-54714-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/zephyr_project_manager/v1/tasks/delete(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-54714", "method": "POST", "mode": "block", "severity": 7.1, "slug": "zephyr-project-manager", "target": "plugin", "versions": "<=3.3.201"}, "RULE-CVE-2025-54734-01": {"ajax_action": "activated_plugin", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2025-54734", "mode": "block", "severity": 5.8, "slug": "b-slider", "target": "plugin", "versions": "<=1.1.30"}, "RULE-CVE-2025-54734-02": {"ajax_action": "get_popular_plugins", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2025-54734", "mode": "block", "severity": 5.8, "slug": "b-slider", "target": "plugin", "versions": "<=1.1.30"}, "RULE-CVE-2025-54734-03": {"ajax_action": "get_active_plugins", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2025-54734", "mode": "block", "severity": 5.8, "slug": "b-slider", "target": "plugin", "versions": "<=1.1.30"}, "RULE-CVE-2025-5533-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[kbalert\\\\b~i"}, {"name": "ARGS:content", "type": "regex", "value": "~<script|on(?:error|load|click|mouseover|focus|blur|change|input|submit|resize|mouse(?:over|out|enter|leave|move|up|down))\\\\s*=|javascript\\\\s*:|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5533", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5533", "description": "Knowledge Base <=2.3.0 authenticated (Contributor+) stored XSS via kbalert shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "knowledgebase", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2025-5533-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[kbalert\\\\b~i"}, {"name": "ARGS:content", "type": "regex", "value": "~<script|on(?:error|load|click|mouseover|focus|blur|change|input|submit|resize|mouse(?:over|out|enter|leave|move|up|down))\\\\s*=|javascript\\\\s*:|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5533", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5533", "description": "Knowledge Base <=2.3.0 authenticated (Contributor+) stored XSS via kbalert shortcode in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "knowledgebase", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.3.0"}, "RULE-CVE-2025-5567-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[su_lightbox[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5567", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5567", "description": "Shortcodes Ultimate <=7.4.0 Stored XSS via su_lightbox shortcode src attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=7.4.0"}, "RULE-CVE-2025-5567-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[su_lightbox[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5567", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5567", "description": "Shortcodes Ultimate <=7.4.0 Stored XSS via su_lightbox shortcode src attribute in REST API post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=7.4.0"}, "RULE-CVE-2025-5567-03": {"ajax_action": "su_generator_preview", "conditions": [{"name": "ARGS:shortcode", "type": "regex", "value": "~\\\\[su_lightbox[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5567", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5567", "description": "Shortcodes Ultimate <=7.4.0 Reflected XSS via su_lightbox shortcode in AJAX preview", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortcodes-ultimate", "tags": ["xss", "shortcode", "ajax"], "target": "plugin", "versions": "<=7.4.0"}, "RULE-CVE-2025-5568-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_location_venue", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_location_venue field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_street", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_street field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_city", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_city field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_state", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_state field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_postcode", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_postcode field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-06": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_country", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_country field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-07": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_name_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_name_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-08": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_email_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_email_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-09": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_phone_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_phone_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-10": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_address_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_address_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-11": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_tshirt_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_tshirt_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-12": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_gender_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_gender_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-13": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_company_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_company_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-14": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_desg_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_desg_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-15": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_website_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_website_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-16": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:mep_veg_label", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via mep_veg_label field on mep_events CPT save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-17": {"ajax_action": "mep_faq_data_save", "conditions": [{"name": "ARGS:question_title", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via question_title in mep_faq_data_save AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-18": {"ajax_action": "mep_faq_data_save", "conditions": [{"name": "ARGS:question_answer", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via question_answer in mep_faq_data_save AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-19": {"ajax_action": "mep_faq_data_update", "conditions": [{"name": "ARGS:question_title", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via question_title in mep_faq_data_update AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-20": {"ajax_action": "mep_faq_data_update", "conditions": [{"name": "ARGS:question_answer", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via question_answer in mep_faq_data_update AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-21": {"ajax_action": "mep_timeline_data_save", "conditions": [{"name": "ARGS:timeline_title", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via timeline_title in mep_timeline_data_save AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-22": {"ajax_action": "mep_timeline_data_save", "conditions": [{"name": "ARGS:timeline_desc", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via timeline_desc in mep_timeline_data_save AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-23": {"ajax_action": "mep_timeline_data_update", "conditions": [{"name": "ARGS:timeline_title", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via timeline_title in mep_timeline_data_update AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5568-24": {"ajax_action": "mep_timeline_data_update", "conditions": [{"name": "ARGS:timeline_desc", "type": "detectXSS"}], "cve": "CVE-2025-5568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5568", "description": "WpEvently <=4.4.2 stored XSS via timeline_desc in mep_timeline_data_update AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "mage-eventpress", "tags": ["xss", "stored-xss", "contributor", "ajax"], "target": "plugin", "versions": "<=4.4.2"}, "RULE-CVE-2025-5585-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-url\\\\s*=\\\\s*[\\"\']\\\\s*(?:\\\\{[^}]*[\\"\']\\\\s*(?:url|href)\\\\s*[\\"\']\\\\s*:\\\\s*[\\"\']\\\\s*)?(?:(?:javascript|vbscript)\\\\s*:|data\\\\s*:(?!image/))~i"}], "cve": "CVE-2025-5585", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5585", "description": "SiteOrigin Widgets Bundle <=1.68.5 Stored XSS via javascript: URI in Slider widget data-url attribute (classic editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "so-widgets-bundle", "tags": ["xss", "stored-xss", "contributor-plus"], "target": "plugin", "versions": "<=1.68.5"}, "RULE-CVE-2025-5585-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~data-url\\\\s*=\\\\s*[\\"\']\\\\s*(?:\\\\{[^}]*[\\"\']\\\\s*(?:url|href)\\\\s*[\\"\']\\\\s*:\\\\s*[\\"\']\\\\s*)?(?:(?:javascript|vbscript)\\\\s*:|data\\\\s*:(?!image/))~i"}], "cve": "CVE-2025-5585", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5585", "description": "SiteOrigin Widgets Bundle <=1.68.5 Stored XSS via javascript: URI in Slider widget data-url attribute (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "so-widgets-bundle", "tags": ["xss", "stored-xss", "rest-api", "contributor-plus"], "target": "plugin", "versions": "<=1.68.5"}, "RULE-CVE-2025-5588-01": {"action": "init", "conditions": [{"name": "ARGS:download", "type": "detectXSS"}], "cve": "CVE-2025-5588", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5588", "description": "Image Editor by Pixo <=2.3.6 Authenticated (Contributor+) Stored XSS via download parameter in [pixoeditor] shortcode", "mode": "block", "severity": 6.4, "slug": "image-editor-by-pixo", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.3.6"}, "RULE-CVE-2025-5673-01": {"action": "admin_init", "conditions": [{"name": "ARGS:prgSortPostType", "type": "regex", "value": "~(?:\'|--|/[*]|UNION[^a-zA-Z0-9]+(?:ALL[^a-zA-Z0-9]+)?SELECT)~i"}], "cve": "CVE-2025-5673", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5673", "description": "Blog2Social <= 8.4.4 authenticated SQL injection via prgSortPostType parameter on admin page render", "method": "GET", "mode": "block", "severity": 6.5, "slug": "blog2social", "tags": ["sql-injection", "authenticated", "subscriber-plus"], "target": "plugin", "versions": "<=8.4.4"}, "RULE-CVE-2025-5673-02": {"ajax_action": "b2s_sort_data", "conditions": [{"name": "ARGS:prgSortPostType", "type": "regex", "value": "~(?:\'|--|/[*]|UNION[^a-zA-Z0-9]+(?:ALL[^a-zA-Z0-9]+)?SELECT)~i"}], "cve": "CVE-2025-5673", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5673", "description": "Blog2Social <= 8.4.4 authenticated SQL injection via prgSortPostType parameter on b2s_sort_data AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "blog2social", "tags": ["sql-injection", "authenticated", "subscriber-plus"], "target": "plugin", "versions": "<=8.4.4"}, "RULE-CVE-2025-5678-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~kadence/countdown[^}]*redirectURL[^}]*(?:javascript\\\\s*:|data\\\\s*:)~i"}], "cve": "CVE-2025-5678", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5678", "description": "Kadence Blocks <=3.5.10 Stored XSS via Countdown block redirectURL attribute (REST API)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "kadence-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.5.10"}, "RULE-CVE-2025-5678-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~kadence/countdown[^}]*redirectURL[^}]*(?:javascript\\\\s*:|data\\\\s*:)~i"}], "cve": "CVE-2025-5678", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5678", "description": "Kadence Blocks <=3.5.10 Stored XSS via Countdown block redirectURL attribute (Classic Editor)", "method": "POST", "mode": "block", "severity": 5.4, "slug": "kadence-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.5.10"}, "RULE-CVE-2025-5684-01": {"ajax_action": "metform_admin_action", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[\\\\s/>]|javascript\\\\s*:|on(?:error|load|toggle|click|mouseover|focus|blur|change|submit|reset|select|abort|drag|drop|input|invalid|play|seeking|stalled|wheel)\\\\s*=~i"}], "cve": "CVE-2025-5684", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5684", "description": "MetForm <= 4.0.1 Authenticated (Contributor+) Stored XSS via metform_admin_action AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "metform", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=4.0.1"}, "RULE-CVE-2025-5684-02": {"ajax_action": "mf_admin_action", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[\\\\s/>]|javascript\\\\s*:|on(?:error|load|toggle|click|mouseover|focus|blur|change|submit|reset|select|abort|drag|drop|input|invalid|play|seeking|stalled|wheel)\\\\s*=~i"}], "cve": "CVE-2025-5684", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5684", "description": "MetForm <= 4.0.1 Authenticated (Contributor+) Stored XSS via mf_admin_action AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "metform", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=4.0.1"}, "RULE-CVE-2025-5692-01": {"ajax_action": "SaveCRMconfig", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on SaveCRMconfig AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-02": {"ajax_action": "SaveSuiteconfig", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on SaveSuiteconfig AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-03": {"ajax_action": "saveZohoSettings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on saveZohoSettings AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-04": {"ajax_action": "saveSFSettings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on saveSFSettings AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-05": {"ajax_action": "adminAllActionsPRO", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on adminAllActionsPRO AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-06": {"ajax_action": "Sync_settings_PRO", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on Sync_settings_PRO AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-07": {"ajax_action": "captcha_info", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on captcha_info AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-08": {"ajax_action": "droptable_info", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on droptable_info AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-09": {"ajax_action": "TFA_auth_save", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on TFA_auth_save AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-10": {"ajax_action": "save_apikey", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on save_apikey AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-11": {"ajax_action": "createnew_form", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on createnew_form AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-12": {"ajax_action": "save_convert_lead", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on save_convert_lead AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-13": {"ajax_action": "save_campaign_details", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on save_campaign_details AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-14": {"ajax_action": "import_file", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on import_file AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-15": {"ajax_action": "file_import", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on file_import AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-16": {"ajax_action": "download_json", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on download_json AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "data-exfiltration"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-17": {"ajax_action": "wp_usersync_assignedto", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on wp_usersync_assignedto AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-18": {"ajax_action": "mappingmodulepro", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on mappingmodulepro AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-19": {"ajax_action": "saveSyncValue", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on saveSyncValue AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-20": {"ajax_action": "send_mapping_configuration", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on send_mapping_configuration AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-21": {"ajax_action": "get_thirdparty_fields", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on get_thirdparty_fields AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-22": {"ajax_action": "map_thirdparty_fields", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on map_thirdparty_fields AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-23": {"ajax_action": "save_thirdparty_form_title", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on save_thirdparty_form_title AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-24": {"ajax_action": "send_mapped_config", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on send_mapped_config AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-25": {"ajax_action": "delete_mapped_config", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on delete_mapped_config AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-26": {"ajax_action": "zohoCRMRedirect", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on zohoCRMRedirect AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-27": {"ajax_action": "save_usersync_RR_option", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on save_usersync_RR_option AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-28": {"ajax_action": "customfieldpro", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on customfieldpro AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-29": {"ajax_action": "change_ecom_module_config", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on change_ecom_module_config AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-30": {"ajax_action": "map_ecom_fields", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on map_ecom_fields AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-31": {"ajax_action": "map_sync_user_fields", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on map_sync_user_fields AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5692-32": {"ajax_action": "selectplugpro", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5692", "description": "Lead Form Data Collection to CRM <=3.1 missing authorization on selectplugpro AJAX handler", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-leads-builder-any-crm", "tags": ["missing-authorization", "broken-access-control", "settings-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2025-5700-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[simple-logo-carousel[^\\\\]]*id\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<|on[a-z]+=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5700", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5700", "description": "Simple Logo Carousel <=1.9.3 Stored XSS via shortcode id attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-logo-carousel", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.9.3"}, "RULE-CVE-2025-5720-01": {"ajax_action": "cr_submit_review", "conditions": [{"name": "ARGS:author", "type": "detectXSS"}], "cve": "CVE-2025-5720", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5720", "description": "Customer Reviews for WooCommerce <=5.80.2 unauthenticated stored XSS via author parameter in AJAX review submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "customer-reviews-woocommerce", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.80.2"}, "RULE-CVE-2025-5753-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[crevc-calculator[^\\\\]]*link\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:java\\\\s*script\\\\s*(?::|(?:�*58;|�*3a;))|data\\\\s*:|vbscript\\\\s*:|(?:[\\\\s\\"\'`]|�*34;|�*39;|"|�*22;|�*27;)on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-5753", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5753", "description": "Valuation Calculator <=1.3.2 Stored XSS via [crevc-calculator] shortcode link attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "commercial-real-estate-valuation-calculator", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.3.2"}, "RULE-CVE-2025-5753-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[crevc-calculator[^\\\\]]*link\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:java\\\\s*script\\\\s*(?::|(?:�*58;|�*3a;))|data\\\\s*:|vbscript\\\\s*:|(?:[\\\\s\\"\'`]|�*34;|�*39;|"|�*22;|�*27;)on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-5753", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5753", "description": "Valuation Calculator <=1.3.2 Stored XSS via [crevc-calculator] shortcode link attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "commercial-real-estate-valuation-calculator", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.3.2"}, "RULE-CVE-2025-5813-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wct-get-amazon-product/v1/keyword(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5813", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5813", "description": "Import Products to WC <=1.2.7 unauthenticated access to wct-get-amazon-product/v1/keyword REST route enables arbitrary product creation", "method": "POST", "mode": "block", "severity": 5.3, "slug": "import-products-to-wc", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-5813-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wct-get-urls/v1/keyword(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5813", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5813", "description": "Import Products to WC <=1.2.7 unauthenticated access to wct-get-urls/v1/keyword REST route enables SSRF-style URL fetching", "method": "POST", "mode": "block", "severity": 5.3, "slug": "import-products-to-wc", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-5813-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wct-get-product/v1/keyword(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5813", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5813", "description": "Import Products to WC <=1.2.7 unauthenticated access to wct-get-product/v1/keyword REST route enables unauthorized product data retrieval", "method": "POST", "mode": "block", "severity": 5.3, "slug": "import-products-to-wc", "tags": ["missing-authorization", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2025-58207-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/alt-text-generator/v1/fetch-bulk-alt-text(?:/|$|\\\\?|&)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-58207", "method": "POST", "mode": "block", "severity": 8.2, "slug": "ai-image-alt-text-generator-for-wp", "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-58207-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/alt-text-generator/v1/delete-bulk-generating-status(?:/|$|\\\\?|&)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-58207", "method": "POST", "mode": "block", "severity": 8.2, "slug": "ai-image-alt-text-generator-for-wp", "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-58207-03": {"ajax_action": "send_bulk_images", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-58207", "method": "POST", "mode": "block", "severity": 8.2, "slug": "ai-image-alt-text-generator-for-wp", "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2025-58225-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58225", "description": "paragon theme <= 1.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "paragon", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-58225-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58225", "description": "paragon theme <= 1.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "paragon", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2025-5845-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~affr/reviews-grid[^}]*\\"numColumns\\"\\\\s*:\\\\s*\\"[^\\"]*[^0-9\\"][^\\"]*\\"~i"}], "cve": "CVE-2025-5845", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5845", "description": "Affiliate Reviews <=1.0.6 Stored XSS via numColumns block attribute in reviews-grid block (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "affiliate-reviews", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.0.6"}, "RULE-CVE-2025-5845-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~affr/reviews-table[^}]*\\"numColumns\\"\\\\s*:\\\\s*\\"[^\\"]*[^0-9\\"][^\\"]*\\"~i"}], "cve": "CVE-2025-5845", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5845", "description": "Affiliate Reviews <=1.0.6 Stored XSS via numColumns block attribute in reviews-table block (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "affiliate-reviews", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.0.6"}, "RULE-CVE-2025-58706-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58706", "description": "woohoo theme <= 1.25 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "woohoo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.25"}, "RULE-CVE-2025-58706-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58706", "description": "woohoo theme <= 1.25 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "woohoo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.25"}, "RULE-CVE-2025-58708-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58708", "description": "triple-seven theme <= 1.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "triple-seven", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2025-58708-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58708", "description": "triple-seven theme <= 1.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "triple-seven", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2025-58709-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58709", "description": "legacy theme <= 1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "legacy", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-58709-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58709", "description": "legacy theme <= 1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "legacy", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-58803-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58803", "description": "algenix theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "algenix", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2025-58803-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58803", "description": "algenix theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "algenix", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2025-58879-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58879", "description": "festy theme <= 1.13.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "festy", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.13.0"}, "RULE-CVE-2025-58879-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58879", "description": "festy theme <= 1.13.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "festy", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.13.0"}, "RULE-CVE-2025-58885-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58885", "description": "pathfinder theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pathfinder", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-58885-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58885", "description": "pathfinder theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pathfinder", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-58888-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58888", "description": "theflash theme <= 1.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "theflash", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.15"}, "RULE-CVE-2025-58888-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58888", "description": "theflash theme <= 1.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "theflash", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.15"}, "RULE-CVE-2025-58889-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58889", "description": "towny theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "towny", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-58889-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58889", "description": "towny theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "towny", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-58890-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58890", "description": "playful theme <= 1.19.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "playful", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.19.0"}, "RULE-CVE-2025-58890-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58890", "description": "playful theme <= 1.19.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "playful", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.19.0"}, "RULE-CVE-2025-58891-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58891", "description": "sanger theme <= 1.24.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "sanger", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.24.0"}, "RULE-CVE-2025-58891-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58891", "description": "sanger theme <= 1.24.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "sanger", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.24.0"}, "RULE-CVE-2025-58892-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58892", "description": "tourimo theme <= 1.2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tourimo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-58892-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58892", "description": "tourimo theme <= 1.2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tourimo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-58893-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58893", "description": "alright theme <= 1.6.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "alright", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.6.1"}, "RULE-CVE-2025-58893-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58893", "description": "alright theme <= 1.6.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "alright", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.6.1"}, "RULE-CVE-2025-58894-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58894", "description": "good-mood theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "good-mood", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-58894-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58894", "description": "good-mood theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "good-mood", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-58895-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58895", "description": "integro theme <= 1.8.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "integro", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.8.0"}, "RULE-CVE-2025-58895-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58895", "description": "integro theme <= 1.8.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "integro", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.8.0"}, "RULE-CVE-2025-58896-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58896", "description": "otaku theme <= 1.8.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "otaku", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.8.0"}, "RULE-CVE-2025-58896-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58896", "description": "otaku theme <= 1.8.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "otaku", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.8.0"}, "RULE-CVE-2025-58898-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58898", "description": "healthhub theme <= 1.3.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "healthhub", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2025-58898-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58898", "description": "healthhub theme <= 1.3.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "healthhub", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2025-58899-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58899", "description": "frame theme <= 2.4.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "frame", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.4.0"}, "RULE-CVE-2025-58899-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58899", "description": "frame theme <= 2.4.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "frame", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.4.0"}, "RULE-CVE-2025-58900-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58900", "description": "unitravel theme <= 1.4.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "unitravel", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.2"}, "RULE-CVE-2025-58900-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58900", "description": "unitravel theme <= 1.4.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "unitravel", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.2"}, "RULE-CVE-2025-58901-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58901", "description": "takeout theme <= 1.3.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "takeout", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2025-58901-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58901", "description": "takeout theme <= 1.3.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "takeout", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2025-58923-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58923", "description": "critique theme <= 1.17 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "critique", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-58923-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58923", "description": "critique theme <= 1.17 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "critique", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-58925-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58925", "description": "neptunus theme <= 1.0.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "neptunus", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.11"}, "RULE-CVE-2025-58925-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58925", "description": "neptunus theme <= 1.0.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "neptunus", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.11"}, "RULE-CVE-2025-58926-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58926", "description": "cerebrum theme <= 1.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "cerebrum", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.12"}, "RULE-CVE-2025-58926-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58926", "description": "cerebrum theme <= 1.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "cerebrum", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.12"}, "RULE-CVE-2025-58927-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58927", "description": "stallion theme <= 1.17 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "stallion", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-58927-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58927", "description": "stallion theme <= 1.17 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "stallion", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-58928-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58928", "description": "heart theme <= 1.8 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "heart", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.8"}, "RULE-CVE-2025-58928-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58928", "description": "heart theme <= 1.8 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "heart", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.8"}, "RULE-CVE-2025-58929-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58929", "description": "pantry theme <= 1.4 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pantry", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2025-58929-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58929", "description": "pantry theme <= 1.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pantry", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2025-58930-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58930", "description": "fitflex theme <= 1.6 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fitflex", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2025-58930-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58930", "description": "fitflex theme <= 1.6 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fitflex", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2025-58931-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58931", "description": "palatio theme <= 1.6 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "palatio", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2025-58931-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58931", "description": "palatio theme <= 1.6 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "palatio", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2025-58932-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58932", "description": "prisma theme <= 1.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "prisma", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.10"}, "RULE-CVE-2025-58932-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58932", "description": "prisma theme <= 1.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "prisma", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.10"}, "RULE-CVE-2025-58933-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58933", "description": "anubis theme <= 1.25 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "anubis", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.25"}, "RULE-CVE-2025-58933-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58933", "description": "anubis theme <= 1.25 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "anubis", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.25"}, "RULE-CVE-2025-58934-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58934", "description": "thegig theme <= 1.18.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "thegig", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.18.0"}, "RULE-CVE-2025-58934-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58934", "description": "thegig theme <= 1.18.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "thegig", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.18.0"}, "RULE-CVE-2025-58935-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58935", "description": "lunna theme <= 1.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "lunna", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.15"}, "RULE-CVE-2025-58935-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58935", "description": "lunna theme <= 1.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "lunna", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.15"}, "RULE-CVE-2025-58936-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58936", "description": "catamaran theme <= 1.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "catamaran", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.15"}, "RULE-CVE-2025-58936-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58936", "description": "catamaran theme <= 1.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "catamaran", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.15"}, "RULE-CVE-2025-58937-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58937", "description": "tacticool theme <= 1.0.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tacticool", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.13"}, "RULE-CVE-2025-58937-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58937", "description": "tacticool theme <= 1.0.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tacticool", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.13"}, "RULE-CVE-2025-58940-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58940", "description": "basil theme <= 1.3.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "basil", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.12"}, "RULE-CVE-2025-58940-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58940", "description": "basil theme <= 1.3.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "basil", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.12"}, "RULE-CVE-2025-58941-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58941", "description": "fabric theme <= 1.5.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fabric", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.5.0"}, "RULE-CVE-2025-58941-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58941", "description": "fabric theme <= 1.5.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fabric", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5.0"}, "RULE-CVE-2025-58942-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58942", "description": "dwell theme <= 1.7.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "dwell", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.7.0"}, "RULE-CVE-2025-58942-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58942", "description": "dwell theme <= 1.7.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "dwell", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7.0"}, "RULE-CVE-2025-58943-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58943", "description": "agricola theme <= 1.1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "agricola", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2025-58943-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58943", "description": "agricola theme <= 1.1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "agricola", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2025-58944-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58944", "description": "manufactory theme <= 1.4 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "manufactory", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2025-58944-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58944", "description": "manufactory theme <= 1.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "manufactory", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2025-58945-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58945", "description": "ecogrow theme <= 1.7 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "ecogrow", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2025-58945-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58945", "description": "ecogrow theme <= 1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "ecogrow", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2025-58946-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58946", "description": "vocal theme <= 1.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "vocal", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.12"}, "RULE-CVE-2025-58946-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58946", "description": "vocal theme <= 1.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "vocal", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.12"}, "RULE-CVE-2025-58947-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58947", "description": "athos theme <= 1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "athos", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-58947-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58947", "description": "athos theme <= 1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "athos", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2025-58948-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58948", "description": "aromatica theme <= 1.8 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "aromatica", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.8"}, "RULE-CVE-2025-58948-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58948", "description": "aromatica theme <= 1.8 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "aromatica", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.8"}, "RULE-CVE-2025-58949-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58949", "description": "spock theme <= 1.17 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "spock", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-58949-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58949", "description": "spock theme <= 1.17 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "spock", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-58950-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-58950", "description": "lione theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "lione", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-58950-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-58950", "description": "lione theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "lione", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-5919-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/timetics/v1/bookings(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-5919", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5919", "description": "Timetics <= 1.0.36 unauthenticated booking access and modification via REST API /timetics/v1/bookings/", "mode": "block", "severity": 6.5, "slug": "timetics", "tags": ["missing-authorization", "unauthenticated", "rest-api", "information-disclosure", "data-modification"], "target": "plugin", "versions": "<=1.0.36"}, "RULE-CVE-2025-5921-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "sureforms_entries"}, {"name": "ARGS:s", "type": "detectXSS"}], "cve": "CVE-2025-5921", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5921", "description": "SureForms <=1.7.1 reflected XSS via search parameter in admin entries list table", "method": "GET", "mode": "block", "severity": 5.8, "slug": "sureforms", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=1.7.1"}, "RULE-CVE-2025-5921-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "sureforms_entries"}, {"name": "ARGS:form_id", "type": "detectXSS"}], "cve": "CVE-2025-5921", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5921", "description": "SureForms <=1.7.1 reflected XSS via form_id parameter in admin entries list table filter", "method": "GET", "mode": "block", "severity": 5.8, "slug": "sureforms", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=1.7.1"}, "RULE-CVE-2025-5923-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~game-review-block/game-table[^}]*\\"className\\"\\\\s*:\\\\s*\\"(?:\\\\\\\\\\"|[^\\"])*[\'<>()=]~i"}], "cve": "CVE-2025-5923", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5923", "description": "Game Review Block <=4.8.1 Stored XSS via className block attribute in REST API post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "game-review-block", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=4.8.1"}, "RULE-CVE-2025-5923-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~game-review-block/game-table[^}]*\\"className\\"\\\\s*:\\\\s*\\"(?:\\\\\\\\\\"|[^\\"])*[\'<>()=]~i"}], "cve": "CVE-2025-5923", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5923", "description": "Game Review Block <=4.8.1 Stored XSS via className block attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "game-review-block", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=4.8.1"}, "RULE-CVE-2025-5929-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:the-countdown[\\\\s\\\\S]{0,500}clientId\\\\s*\\"?\\\\s*:\\\\s*\\\\\\"[^\\\\\\"]{0,200}(?:</script|[;=()\\\\x27<>])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-5929", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5929", "description": "The Countdown <=2.0.1 Stored XSS via clientId block attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "the-countdown", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-5950-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~indieblocks/facepile-content\\\\s[^>]*\\"type\\"\\\\s*:\\\\s*\\\\[\\\\s*\\"(?!(?:bookmark|like|repost)\\"\\\\s*[\\\\],])~i"}], "cve": "CVE-2025-5950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5950", "description": "IndieBlocks <=0.13.2 Stored XSS via Facepile Content block kind parameter on REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "indieblocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.13.2"}, "RULE-CVE-2025-5950-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~indieblocks/facepile-content\\\\s[^>]*\\"type\\"\\\\s*:\\\\s*\\\\[\\\\s*\\"(?!(?:bookmark|like|repost)\\"\\\\s*[\\\\],])~i"}], "cve": "CVE-2025-5950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5950", "description": "IndieBlocks <=0.13.2 Stored XSS via Facepile Content block kind parameter on REST API post update", "method": "PUT", "mode": "block", "severity": 5.4, "slug": "indieblocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.13.2"}, "RULE-CVE-2025-5950-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~indieblocks/facepile-content\\\\s[^>]*\\"type\\"\\\\s*:\\\\s*\\\\[\\\\s*\\"(?!(?:bookmark|like|repost)\\"\\\\s*[\\\\],])~i"}], "cve": "CVE-2025-5950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5950", "description": "IndieBlocks <=0.13.2 Stored XSS via Facepile Content block kind parameter on classic editor post save", "method": "POST", "mode": "block", "severity": 5.4, "slug": "indieblocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.13.2"}, "RULE-CVE-2025-5953-01": {"ajax_action": "hrm_insert_employee", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~^(administrator|editor|author|contributor)$~i"}, {"type": "missing_capability", "value": "promote_users"}], "cve": "CVE-2025-5953", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5953", "description": "WP Human Resource Management <=2.2.17 missing authorization on hrm_insert_employee allows authenticated privilege escalation via role parameter", "method": "POST", "mode": "block", "severity": 8.8, "slug": "hrm", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=2.2.17"}, "RULE-CVE-2025-5957-01": {"ajax_action": "guest_support_handler", "conditions": [{"name": "ARGS:request", "type": "equals", "value": "delete_tickets"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5957", "description": "Guest Support <=1.2.2 missing authorization on mass ticket deletion via guest_support_handler AJAX endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "guest-support", "tags": ["missing-authorization", "unauthenticated", "data-loss"], "target": "plugin", "versions": "<=1.2.2"}, "RULE-CVE-2025-5961-01": {"ajax_action": "wpvivid_upload_import_files", "conditions": [{"name": "ARGS:name", "type": "regex", "value": "~\\\\.(?:php\\\\d*|phtml|phar|shtml|cgi|asp|aspx|jsp|jspx)(?:\\\\x00|%00|$)~i"}], "cve": "CVE-2025-5961", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wpvivid-backuprestore", "target": "plugin", "versions": "<=0.9.116"}, "RULE-CVE-2025-5983-01": {"action": "admin_init", "conditions": [{"name": "ARGS:mtm_meta[type]", "type": "equals", "value": "http-equiv"}, {"name": "ARGS:mtm_meta[value]", "type": "equals", "value": "refresh"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-5983", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-5983", "description": "Meta Tag Manager <3.3 Contributor+ open redirect via http-equiv refresh meta tag injection on post save", "method": "POST", "mode": "block", "severity": 6.5, "slug": "meta-tag-manager", "tags": ["open-redirect", "missing-authorization", "meta-refresh"], "target": "plugin", "versions": "<3.3"}, "RULE-CVE-2025-60041-01": {"ajax_action": "secas_navigate_to_page", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-60041", "mode": "block", "severity": 8.8, "slug": "emails-catch-all", "target": "plugin", "versions": "<=3.5.3"}, "RULE-CVE-2025-60042-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60042", "description": "chinchilla theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "chinchilla", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-60042-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60042", "description": "chinchilla theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "chinchilla", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2025-60043-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60043", "description": "wanderic theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wanderic", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60043-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60043", "description": "wanderic theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wanderic", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60044-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60044", "description": "fribbo theme <= 1.1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fribbo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2025-60044-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60044", "description": "fribbo theme <= 1.1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fribbo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2025-60046-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60046", "description": "heartstar theme <= 1.0.14 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "heartstar", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60046-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60046", "description": "heartstar theme <= 1.0.14 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "heartstar", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60047-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60047", "description": "ipharm theme <= 1.2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "ipharm", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60047-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60047", "description": "ipharm theme <= 1.2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "ipharm", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60048-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60048", "description": "tripster theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tripster", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60048-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60048", "description": "tripster theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tripster", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60049-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60049", "description": "soleil theme <= 1.17 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "soleil", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-60049-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60049", "description": "soleil theme <= 1.17 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "soleil", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.17"}, "RULE-CVE-2025-60050-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60050", "description": "panda theme <= 1.21 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "panda", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.21"}, "RULE-CVE-2025-60050-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60050", "description": "panda theme <= 1.21 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "panda", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.21"}, "RULE-CVE-2025-60051-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60051", "description": "rareradio theme <= 1.0.15.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rareradio", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.15.1"}, "RULE-CVE-2025-60051-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60051", "description": "rareradio theme <= 1.0.15.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rareradio", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.15.1"}, "RULE-CVE-2025-60052-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60052", "description": "wd theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wd", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2025-60052-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60052", "description": "wd theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wd", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2025-60053-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60053", "description": "maxcube theme <= 1.3.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "maxcube", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2025-60053-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60053", "description": "maxcube theme <= 1.3.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "maxcube", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2025-60054-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60054", "description": "onleash theme <= 1.5.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "onleash", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.5.2"}, "RULE-CVE-2025-60054-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60054", "description": "onleash theme <= 1.5.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "onleash", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5.2"}, "RULE-CVE-2025-60055-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60055", "description": "fabrica theme <= 1.8.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fabrica", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.8.1"}, "RULE-CVE-2025-60055-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60055", "description": "fabrica theme <= 1.8.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fabrica", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.8.1"}, "RULE-CVE-2025-60056-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60056", "description": "winger theme <= 1.0.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "winger", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.16"}, "RULE-CVE-2025-60056-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60056", "description": "winger theme <= 1.0.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "winger", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.16"}, "RULE-CVE-2025-60057-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60057", "description": "dj-rainflow theme <= 1.3.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "dj-rainflow", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.13"}, "RULE-CVE-2025-60057-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60057", "description": "dj-rainflow theme <= 1.3.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "dj-rainflow", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.13"}, "RULE-CVE-2025-60058-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60058", "description": "detailx theme <= 1.10.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "detailx", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.10.0"}, "RULE-CVE-2025-60058-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60058", "description": "detailx theme <= 1.10.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "detailx", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.10.0"}, "RULE-CVE-2025-60060-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60060", "description": "pubzinne theme <= 1.0.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pubzinne", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.12"}, "RULE-CVE-2025-60060-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60060", "description": "pubzinne theme <= 1.0.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pubzinne", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.12"}, "RULE-CVE-2025-60061-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60061", "description": "kicker theme <= 2.2.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "kicker", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.2.0"}, "RULE-CVE-2025-60061-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60061", "description": "kicker theme <= 2.2.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "kicker", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.2.0"}, "RULE-CVE-2025-60063-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60063", "description": "rosalinda theme <= 1.2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rosalinda", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60063-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60063", "description": "rosalinda theme <= 1.2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rosalinda", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2025-60064-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60064", "description": "renewal theme <= 1.2.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "renewal", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2025-60064-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60064", "description": "renewal theme <= 1.2.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "renewal", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2025-60065-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60065", "description": "pinevale theme <= 1.0.14 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pinevale", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60065-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60065", "description": "pinevale theme <= 1.0.14 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pinevale", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.14"}, "RULE-CVE-2025-60066-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60066", "description": "katelyn theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "katelyn", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60066-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60066", "description": "katelyn theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "katelyn", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-60067-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-60067", "description": "giardino theme <= 1.1.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "giardino", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.10"}, "RULE-CVE-2025-60067-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-60067", "description": "giardino theme <= 1.1.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "giardino", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.10"}, "RULE-CVE-2025-60195-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpf_create_account"}, {"name": "ARGS:role", "type": "regex", "value": "~^\\\\s*(?:administrator|editor|author)\\\\s*$~i"}], "cve": "CVE-2025-60195", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-60195", "description": "Atarim Visual Collaboration <=4.2.1 unauthenticated privilege escalation via wpf_create_account AJAX action with attacker-supplied role parameter", "method": "POST", "mode": "block", "severity": 9.8, "slug": "atarim-visual-collaboration", "tags": ["privilege-escalation", "incorrect-privilege-assignment", "unauthenticated"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-6025-01": {"ajax_action": "apply_tip", "conditions": [{"name": "ARGS:tip", "type": "regex", "value": "~^\\\\s*-~"}], "cve": "CVE-2025-6025", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6025", "description": "Order Tip for WooCommerce <=1.5.4 unauthenticated negative tip manipulation via apply_tip AJAX action", "method": "POST", "mode": "block", "severity": 7.5, "slug": "order-tip-woo", "tags": ["improper-input-validation", "business-logic", "unauthenticated"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2025-6184-01": {"action": "init", "conditions": [{"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2025-6184", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6184", "description": "Tutor LMS Pro <=3.7.0 authenticated SQL injection via order parameter in assignment listing", "method": "GET", "mode": "block", "severity": 8.8, "slug": "tutor", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=3.7.0"}, "RULE-CVE-2025-62007-01": {"ajax_action": "bplvf_save_global", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_save_global"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-62007-02": {"ajax_action": "bplvf_delete_user_feedback", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_delete_user_feedback"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-62007-03": {"ajax_action": "bplvf_toggle_resolved", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_toggle_resolved"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-62007-04": {"ajax_action": "bplvf_get_global", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "bplvf_get_global"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62007", "method": "POST", "mode": "block", "severity": 8.8, "slug": "voice-feedback", "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-6201-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[conversion-pixel[^\\\\]]*(?:<[a-z/!]|on[a-z]+\\\\s*=|javascript\\\\s*:|&#)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6201", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6201", "description": "Pixel Manager for WooCommerce <=1.49.0 Stored XSS via conversion-pixel shortcode attributes in classic editor (REST API JSON body vector not interceptable due to engine limitation)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "woocommerce-google-adwords-conversion-tracking-tag", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.49.0"}, "RULE-CVE-2025-62022-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/buddypress/v1/signups/activate(/|\\\\?|$)~"}, {"name": "ARGS:activation_key", "type": "regex", "value": "~^0*[0-9]{1,20}$~"}], "cve": "CVE-2025-62022", "method": "POST", "mode": "block", "severity": 7.5, "slug": "buddypress", "target": "plugin", "versions": "<=14.3.4"}, "RULE-CVE-2025-62022-02": {"action": "init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~^/buddypress/v1/signups/activate(/|$)~"}, {"name": "ARGS:activation_key", "type": "regex", "value": "~^0*[0-9]{1,20}$~"}], "cve": "CVE-2025-62022", "method": "POST", "mode": "block", "severity": 7.5, "slug": "buddypress", "target": "plugin", "versions": "<=14.3.4"}, "RULE-CVE-2025-62065-01": {"ajax_action": "rtm_handle_upload_template", "conditions": [{"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2025-62065", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-62065", "description": "RomethemeKit <=1.6.5 authenticated arbitrary file upload via rtm_handle_upload_template AJAX handler", "method": "POST", "mode": "block", "severity": 9.9, "slug": "rometheme-for-elementor", "tags": ["arbitrary-file-upload", "remote-code-execution", "authenticated"], "target": "plugin", "versions": "<=1.6.5"}, "RULE-CVE-2025-6207-01": {"ajax_action": "wpie_tempalte_import", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6207", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6207", "description": "WP Import Export Lite <=3.9.28 authenticated arbitrary file upload via wpie_tempalte_import AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-import-export-lite", "tags": ["arbitrary-file-upload", "dangerous-file-type", "authenticated"], "target": "plugin", "versions": "<=3.9.28"}, "RULE-CVE-2025-6221-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<!--\\\\s*wp:embed-bokun/(?:product|product-list)[^>]*\\\\{[^}]*\\"align\\"\\\\s*:\\\\s*\\"[^\\"]*(?:<(?:script|img|iframe|svg|embed|object)\\\\b|\\\\\\\\u003[cC](?:script|img|iframe|svg|embed|object)\\\\b|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|\\\\\\\\[\\"\\\\\\\\]|&(?:quot|apos|#0*34|#0*39);|\\\\\\\\u00(?:22|27))~i"}], "cve": "CVE-2025-6221", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6221", "description": "Embed Bokun <=0.23 Stored XSS via align parameter in Gutenberg block attributes within post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "embed-bokun", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=0.23"}, "RULE-CVE-2025-6236-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:paypal", "type": "detectXSS"}], "cve": "CVE-2025-6236", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6236", "description": "Hostel <=1.1.5.8 stored XSS via PayPal email setting on admin options page", "method": "POST", "mode": "block", "severity": 4.8, "slug": "hostel", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=1.1.5.8"}, "RULE-CVE-2025-6236-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:pdt_token", "type": "detectXSS"}], "cve": "CVE-2025-6236", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6236", "description": "Hostel <=1.1.5.8 stored XSS via PayPal PDT token setting on admin options page", "method": "POST", "mode": "block", "severity": 4.8, "slug": "hostel", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=1.1.5.8"}, "RULE-CVE-2025-6238-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json/mcp/oauth/authorize(?:/|\\\\?|$)|^/\\\\?(?:[^#]*&)?rest_route=/mcp/oauth/authorize(?:[/?&]|$))~i"}, {"name": "ARGS:redirect_uri", "type": "regex", "value": "~^(?:https?:)?//(?!vulnerable-site\\\\.test(?:/|$))~i"}], "cve": "CVE-2025-6238", "method": "GET", "mode": "block", "severity": 8.0, "slug": "ai-engine", "target": "plugin", "versions": "2.8.4"}, "RULE-CVE-2025-6238-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json/mcp/oauth/token(?:/|\\\\?|$)|^/\\\\?(?:[^#]*&)?rest_route=/mcp/oauth/token(?:[/?&]|$))~i"}, {"name": "ARGS:redirect_uri", "type": "regex", "value": "~^(?:https?:)?//(?!vulnerable-site\\\\.test(?:/|$))~i"}], "cve": "CVE-2025-6238", "method": "POST", "mode": "block", "severity": 8.0, "slug": "ai-engine", "target": "plugin", "versions": "2.8.4"}, "RULE-CVE-2025-6251-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "regex", "value": "~^(?:elementor_ajax|save_builder)$~"}, {"name": "ARGS:actions", "type": "regex", "value": "~field_id[\\"\']?\\\\s*[:,]\\\\s*[\\"\'][^\\"\']*(?:<[a-z/]|\\\\bon\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-6251", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6251", "description": "Royal Elementor Addons <=1.7.1036 Stored XSS via Form Builder field_id in Elementor editor save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "royal-elementor-addons", "tags": ["xss", "stored-xss", "elementor", "authenticated"], "target": "plugin", "versions": "<=1.7.1036"}, "RULE-CVE-2025-6251-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS", "type": "regex", "value": "~field_id[\\"\']?\\\\s*[:,]\\\\s*[\\"\'][^\\"\']*(?:<[a-z/]|\\\\bon\\\\w+\\\\s*=)~i"}], "cve": "CVE-2025-6251", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6251", "description": "Royal Elementor Addons <=1.7.1036 Stored XSS via Form Builder field_id in classic post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "royal-elementor-addons", "tags": ["xss", "stored-xss", "elementor", "authenticated"], "target": "plugin", "versions": "<=1.7.1036"}, "RULE-CVE-2025-6253-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/uielem/v1/prepare_template(?:/|\\\\?|&|$)~"}, {"name": "ARGS:data", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log|(?:\\\\.\\\\.[\\\\\\\\/]){2,})~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6253", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6253", "description": "UiCore Elements <=1.3.0 unauthenticated arbitrary file read via prepare_template REST endpoint", "method": "POST", "mode": "block", "severity": 7.5, "slug": "uicore-elements", "tags": ["missing-authorization", "arbitrary-file-read", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-6256-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~thumbnailHoverEffect[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:[\\"\']\\\\s*(?:on\\\\w+\\\\s*=|style\\\\s*=)|<\\\\s*(?:script|img|svg|iframe|object|embed|video|audio|math|details|marquee))~i"}], "cve": "CVE-2025-6256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6256", "description": "Flex Guten <=1.2.5 stored XSS via thumbnailHoverEffect block attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "flex-guten", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-6256-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~thumbnailHoverEffect[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:[\\"\']\\\\s*(?:on\\\\w+\\\\s*=|style\\\\s*=)|<\\\\s*(?:script|img|svg|iframe|object|embed|video|audio|math|details|marquee))~i"}], "cve": "CVE-2025-6256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6256", "description": "Flex Guten <=1.2.5 stored XSS via thumbnailHoverEffect block attribute in REST API post update", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "flex-guten", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-6256-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~thumbnailHoverEffect[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:[\\"\']\\\\s*(?:on\\\\w+\\\\s*=|style\\\\s*=)|<\\\\s*(?:script|img|svg|iframe|object|embed|video|audio|math|details|marquee))~i"}], "cve": "CVE-2025-6256", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6256", "description": "Flex Guten <=1.2.5 stored XSS via thumbnailHoverEffect block attribute in classic editor post submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "flex-guten", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2025-6257-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:currency|currency_legal)\\\\b[^\\\\]]*(?:<[a-zA-Z/!][^>]*>|on\\\\w+\\\\s*=|javascript:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-6257", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6257", "description": "Euro FxRef Currency Converter <=2.0.2 Stored XSS via [currency] shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "euro-fxref-currency-converter", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-6257-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:currency|currency_legal)\\\\b[^\\\\]]*(?:<[a-zA-Z/!][^>]*>|on\\\\w+\\\\s*=|javascript:)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-6257", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6257", "description": "Euro FxRef Currency Converter <=2.0.2 Stored XSS via [currency] shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "euro-fxref-currency-converter", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-6261-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "contains", "value": "fleetwire_list"}, {"name": "ARGS:post_content", "type": "regex", "value": "~fleetwire_list[^\\\\]]*(?:<[a-z/!]|(?:�*60;|�*3c;|<)[a-z/!]|\\\\bon(?:error|load|click|mouseover|focus|mouseenter|mouseleave|keyup|keydown)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6261", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6261", "description": "Fleetwire Fleet Management Plugin <=1.0.19 Authenticated (Contributor+) Stored XSS via fleetwire_list shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fleetwire-fleet-management", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.0.19"}, "RULE-CVE-2025-6261-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "fleetwire_list"}, {"name": "ARGS:content", "type": "regex", "value": "~fleetwire_list[^\\\\]]*(?:<[a-z/!]|(?:�*60;|�*3c;|<)[a-z/!]|\\\\bon(?:error|load|click|mouseover|focus|mouseenter|mouseleave|keyup|keydown)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6261", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6261", "description": "Fleetwire Fleet Management Plugin <=1.0.19 Authenticated (Contributor+) Stored XSS via fleetwire_list shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fleetwire-fleet-management", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.0.19"}, "RULE-CVE-2025-6262-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[muse-ai\\\\s[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6262", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6262", "description": "Muse.ai Video Embedding <=0.4.1 Stored XSS via muse-ai shortcode event handler injection in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "muse-ai", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.4.1"}, "RULE-CVE-2025-6262-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[muse-ai\\\\s[^\\\\]]*<script~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6262", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6262", "description": "Muse.ai Video Embedding <=0.4.1 Stored XSS via script tag injection in muse-ai shortcode in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "muse-ai", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.4.1"}, "RULE-CVE-2025-6262-03": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[muse-ai\\\\s[^\\\\]]*javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6262", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6262", "description": "Muse.ai Video Embedding <=0.4.1 Stored XSS via javascript: URI in muse-ai shortcode in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "muse-ai", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.4.1"}, "RULE-CVE-2025-62889-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/kingaddons/v1/ajaxselect2/[a-zA-Z0-9_]+/?~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62889", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-62889", "description": "King Addons for Elementor <=51.1.37 missing authorization on ajaxselect2 REST endpoint", "mode": "block", "severity": 8.8, "slug": "king-addons", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=51.1.37"}, "RULE-CVE-2025-62902-01": {"ajax_action": "shortcode_Api_Add", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "shortcode_Api_Add"}, {"name": "ARGS:getlead", "type": "exists"}], "cve": "CVE-2025-62902", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-popup-builder", "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2025-62906-01": {"ajax_action": "delete_all_log_link", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "delete_all_log_link"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62906", "method": "POST", "mode": "block", "severity": 9.8, "slug": "referral-link-tracker", "target": "plugin", "versions": "<=1.1.4"}, "RULE-CVE-2025-62915-01": {"ajax_action": "clicksend_send_sms", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "clicksend_send_sms"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62915", "method": "POST", "mode": "block", "severity": 8.1, "slug": "clicksend-contactform7", "target": "plugin", "versions": "<=1.4.0"}, "RULE-CVE-2025-62915-02": {"ajax_action": "delete_message", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "delete_message"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62915", "method": "POST", "mode": "block", "severity": 8.1, "slug": "clicksend-contactform7", "target": "plugin", "versions": "<=1.4.0"}, "RULE-CVE-2025-62918-01": {"ajax_action": "idf_stock_item_click", "conditions": [{"name": "ARGS:idf_stock_item_click", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-62918", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ignitiondeck", "target": "plugin", "versions": "<=2.0.13"}, "RULE-CVE-2025-62919-01": {"ajax_action": "setup_widgets", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "setup_widgets"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62919", "method": "POST", "mode": "block", "severity": 9.1, "slug": "ts-demo-importer", "target": "plugin", "versions": "<=0.1.3"}, "RULE-CVE-2025-62924-01": {"ajax_action": "post_grid_layout_content_ajax", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "post_grid_layout_content_ajax"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62924", "method": "POST", "mode": "block", "severity": 8.8, "slug": "post-grid", "target": "plugin", "versions": "<=2.3.17"}, "RULE-CVE-2025-62925-01": {"ajax_action": "save_analytics_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62925", "method": "POST", "mode": "block", "severity": 8.1, "slug": "enhanced-e-commerce-for-woocommerce-store", "target": "plugin", "versions": "<=7.2.13"}, "RULE-CVE-2025-62925-02": {"ajax_action": "get_analytics_web_properties", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62925", "method": "POST", "mode": "block", "severity": 8.1, "slug": "enhanced-e-commerce-for-woocommerce-store", "target": "plugin", "versions": "<=7.2.13"}, "RULE-CVE-2025-62925-03": {"ajax_action": "get_analytics_account_list", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62925", "method": "POST", "mode": "block", "severity": 8.1, "slug": "enhanced-e-commerce-for-woocommerce-store", "target": "plugin", "versions": "<=7.2.13"}, "RULE-CVE-2025-62928-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/seo-meta/v1/update/\\\\d+|/(?:index\\\\.php)?\\\\?(?:[^#]*&)?rest_route=/seo-meta/v1/update/\\\\d+)(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62928", "method": "POST", "mode": "block", "severity": 8.1, "slug": "seo-meta-description-updater", "target": "plugin", "versions": "<=1.2.0"}, "RULE-CVE-2025-62931-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(^/wp-json/microsoft/v1/redeemCode(/|\\\\?|$))|(^/\\\\?rest_route=/microsoft/v1/redeemCode(/|&|$))~"}, {"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2025-62931", "method": "POST", "mode": "block", "severity": 8.8, "slug": "microsoft-start", "target": "plugin", "versions": "<=2.8.7"}, "RULE-CVE-2025-62932-01": {"ajax_action": "riovizual_divi_preview", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62932", "method": "POST", "mode": "block", "severity": 8.8, "slug": "riovizual", "target": "plugin", "versions": "<=3.0.0"}, "RULE-CVE-2025-62938-01": {"ajax_action": "validate_reoon_api", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "validate_reoon_api"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62938", "method": "POST", "mode": "block", "severity": 8.1, "slug": "reoon-email-verifier", "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2025-62938-02": {"ajax_action": "validate_reoon_email", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "validate_reoon_email"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62938", "method": "POST", "mode": "block", "severity": 8.1, "slug": "reoon-email-verifier", "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2025-62938-03": {"ajax_action": "reoon_remove_api_key", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "reoon_remove_api_key"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62938", "method": "POST", "mode": "block", "severity": 8.1, "slug": "reoon-email-verifier", "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2025-62952-01": {"ajax_action": "wpbo_search_response_catlist", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpbo_search_response_catlist"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62952", "method": "POST", "mode": "block", "severity": 8.8, "slug": "chatbot", "target": "plugin", "versions": "<=7.7.3"}, "RULE-CVE-2025-62954-01": {"ajax_action": "rop_notice_dismissed", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "rop_notice_dismissed"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62954", "method": "POST", "mode": "block", "severity": 8.8, "slug": "tweet-old-post", "target": "plugin", "versions": "<=9.3.3"}, "RULE-CVE-2025-62965-01": {"ajax_action": "ame_ajax_save_linkcategories", "conditions": [{"name": "ARGS:ame_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62965", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-62965", "description": "Admin Management Xtended <=2.5.1 missing authorization on ame_ajax_save_linkcategories AJAX action", "method": "POST", "mode": "block", "severity": 7.2, "slug": "admin-management-xtended", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.5.1"}, "RULE-CVE-2025-62967-01": {"ajax_action": "directorypress_save_category_fields_ajax", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:term_id", "type": "exists"}], "cve": "CVE-2025-62967", "method": "POST", "mode": "block", "severity": 6.5, "slug": "directorypress", "target": "plugin", "versions": "<=3.6.25"}, "RULE-CVE-2025-62980-01": {"ajax_action": "pfmsz_emptyOptions_AjaxConf", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pfmsz_emptyOptions_AjaxConf"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62980", "method": "POST", "mode": "block", "severity": 8.8, "slug": "persian-admin-fonts", "target": "plugin", "versions": "<=4.1.03"}, "RULE-CVE-2025-62980-02": {"ajax_action": "pfmdz_writetocssfile_ajax", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pfmdz_writetocssfile_ajax"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62980", "method": "POST", "mode": "block", "severity": 8.8, "slug": "persian-admin-fonts", "target": "plugin", "versions": "<=4.1.03"}, "RULE-CVE-2025-62980-03": {"ajax_action": "pfmdz_nightMode_ajax", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pfmdz_nightMode_ajax"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62980", "method": "POST", "mode": "block", "severity": 8.8, "slug": "persian-admin-fonts", "target": "plugin", "versions": "<=4.1.03"}, "RULE-CVE-2025-62980-04": {"ajax_action": "pfmdz_addgoog_fonts", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "pfmdz_addgoog_fonts"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-62980", "method": "POST", "mode": "block", "severity": 8.8, "slug": "persian-admin-fonts", "target": "plugin", "versions": "<=4.1.03"}, "RULE-CVE-2025-63077-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ha_library_new_post"}, {"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(?:\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-63077", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-63077", "description": "Happy Addons for Elementor <=3.20.3 missing authorization on ha_library_new_post admin action allows contributor+ users to create arbitrary Theme Builder templates", "mode": "block", "severity": 4.3, "slug": "happy-elementor-addons", "tags": ["missing-authorization", "broken-access-control", "privilege-escalation"], "target": "plugin", "versions": "<=3.20.3"}, "RULE-CVE-2025-6326-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-6326", "description": "inset theme <= 1.18.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "inset", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.18.0"}, "RULE-CVE-2025-6326-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-6326", "description": "inset theme <= 1.18.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "inset", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.18.0"}, "RULE-CVE-2025-6327-01": {"ajax_action": "king_addons_upload_file", "conditions": [{"name": "ARGS:uploaded_file", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9s]*|tml?|t|ar)|cgi|fcgi|shtml|asp|aspx|jsp|jspx|sh|bash)($|[?#])~i"}], "cve": "CVE-2025-6327", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6327", "description": "King Addons <=51.1.36 unauthenticated arbitrary file upload via king_addons_upload_file", "method": "POST", "mode": "block", "severity": 10.0, "slug": "king-addons", "tags": ["arbitrary-file-upload", "unauthenticated", "remote-code-execution"], "target": "plugin", "versions": "<=51.1.36"}, "RULE-CVE-2025-6350-01": {"ajax_action": "wpvr_save", "conditions": [{"name": "ARGS:panodata", "type": "regex", "value": "~<(?:script|iframe|embed|object|applet|form|svg|math)[\\\\s/>]|\\\\bon(?:error|load|click|mouse(?:over|out|enter|move)|focus|blur|change|submit|key(?:up|down|press))\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-6350", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6350", "description": "WP VR <=8.5.32 Stored XSS via hotspot-hover in panodata JSON on wpvr_save AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wpvr", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=8.5.32"}, "RULE-CVE-2025-6380-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=)/onlyoffice/oo\\\\.callback(?:/|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6380", "method": "POST", "mode": "block", "severity": 9.8, "slug": "onlyoffice", "target": "plugin", "versions": ">=1.1.0 <=2.2.0"}, "RULE-CVE-2025-6382-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[taeggie-feed[^\\\\]]*name\\\\s*=\\\\s*[\\"\']?[^\\\\]]*(?:<[a-z/!]|on(?:load|error|click|mouse[a-zA-Z0-9_]+|focus|blur)\\\\s*=|javascript:|[\\"\']\\\\s*[);])[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-6382", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6382", "description": "Taeggie Feed <=0.1.10 Stored XSS via taeggie-feed shortcode name attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "taeggie-feed", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.1.10"}, "RULE-CVE-2025-64352-01": {"action": "admin_action_eae_duplicate", "conditions": [{"name": "ARGS:post", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-64352", "mode": "block", "severity": 2.7, "slug": "essential-addons-for-elementor-lite", "target": "plugin", "versions": "<=6.2.4"}, "RULE-CVE-2025-6462-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[SQLREPORT\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-6462", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6462", "description": "EZ SQL Reports <= 5.25.11 Stored XSS via SQLREPORT shortcode name attribute in post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "elisqlreports", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=5.25.11"}, "RULE-CVE-2025-6462-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[SQLREPORT\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-6462", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6462", "description": "EZ SQL Reports <= 5.25.11 Stored XSS via SQLREPORT shortcode name attribute in REST API post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "elisqlreports", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=5.25.11"}, "RULE-CVE-2025-6464-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "regex", "value": "~^forminator_submit_form_~"}, {"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2025-6464", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6464", "description": "Forminator <=1.44.2 unauthenticated PHP Object Injection via form submission PHAR upload", "method": "POST", "mode": "block", "severity": 8.8, "slug": "forminator", "tags": ["object-injection", "phar-deserialization", "unauthenticated", "file-upload"], "target": "plugin", "versions": "<=1.44.2"}, "RULE-CVE-2025-6464-02": {"ajax_action": "forminator_multiple_file_upload", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2025-6464", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6464", "description": "Forminator <=1.44.2 unauthenticated PHP Object Injection via multiple file upload PHAR", "method": "POST", "mode": "block", "severity": 8.8, "slug": "forminator", "tags": ["object-injection", "phar-deserialization", "unauthenticated", "file-upload"], "target": "plugin", "versions": "<=1.44.2"}, "RULE-CVE-2025-6540-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[web[_-]cam\\\\b[^\\\\]]*\\\\bslug\\\\s*=\\\\s*(?:\\"[^\\"\\\\r\\\\n]*[<>\'\\\\\\\\][^\\"\\\\r\\\\n]*\\"|\'[^\'\\\\r\\\\n]*[<>\\"\\\\\\\\][^\'\\\\r\\\\n]*\')~i"}], "cve": "CVE-2025-6540", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6540", "description": "Web Cam <=3.0 Stored XSS via slug shortcode attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "web-cam", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.0"}, "RULE-CVE-2025-6540-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[web[_-]cam\\\\b[^\\\\]]*\\\\bslug\\\\s*=\\\\s*(?:\\"[^\\"\\\\r\\\\n]*[<>\'\\\\\\\\][^\\"\\\\r\\\\n]*\\"|\'[^\'\\\\r\\\\n]*[<>\\"\\\\\\\\][^\'\\\\r\\\\n]*\')~i"}], "cve": "CVE-2025-6540", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6540", "description": "Web Cam <=3.0 Stored XSS via slug shortcode attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "web-cam", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.0"}, "RULE-CVE-2025-6540-03": {"action": "init", "conditions": [{"name": "ARGS:image", "type": "exists"}, {"name": "ARGS:slug", "type": "regex", "value": "~[<>\\"\'\\\\\\\\]~"}], "cve": "CVE-2025-6540", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6540", "description": "Web Cam <=3.0 Stored XSS via slug parameter in frontend form submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "web-cam", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.0"}, "RULE-CVE-2025-6586-01": {"action": "admin_init", "conditions": [{"name": "ARGS:dpwap_locInstall", "type": "exists"}, {"name": "FILES:dpwap_locFiles", "type": "exists"}], "cve": "CVE-2025-6586", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6586", "description": "Download Plugin <=2.2.8 authenticated (Administrator+) arbitrary file upload via dpwap_plugin_locInstall", "method": "POST", "mode": "block", "severity": 7.2, "slug": "download-plugin", "tags": ["arbitrary-file-upload", "file-upload", "remote-code-execution"], "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2025-66054-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/lp/v1/load_content_via_ajax|[?&]rest_route=/lp/v1/load_content_via_ajax)~"}, {"name": "ARGS:callback", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-66054", "mode": "block", "severity": 7.5, "slug": "learnpress", "target": "plugin", "versions": "<=4.2.9.4"}, "RULE-CVE-2025-66533-01": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give-form-title", "type": "regex", "value": "~\\\\[(?:\\\\/)?give_[a-zA-Z0-9_\\\\-]+(?:\\\\s+[^\\\\]]+)?\\\\]~"}], "cve": "CVE-2025-66533", "method": "POST", "mode": "block", "severity": 7.8, "slug": "give", "target": "plugin", "versions": "<=4.13.1"}, "RULE-CVE-2025-66533-02": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give-current-url", "type": "regex", "value": "~\\\\[(?:\\\\/)?give_[a-zA-Z0-9_\\\\-]+(?:\\\\s+[^\\\\]]+)?\\\\]~"}], "cve": "CVE-2025-66533", "method": "POST", "mode": "block", "severity": 7.8, "slug": "give", "target": "plugin", "versions": "<=4.13.1"}, "RULE-CVE-2025-66533-03": {"ajax_action": "give_process_donation", "conditions": [{"name": "ARGS:give-form-hash", "type": "regex", "value": "~\\\\[(?:\\\\/)?give_[a-zA-Z0-9_\\\\-]+(?:\\\\s+[^\\\\]]+)?\\\\]~"}], "cve": "CVE-2025-66533", "method": "POST", "mode": "block", "severity": 7.8, "slug": "give", "target": "plugin", "versions": "<=4.13.1"}, "RULE-CVE-2025-66533-04": {"ajax_action": "give_load_receipt", "conditions": [{"name": "ARGS:shortcode_tag", "type": "regex", "value": "~\\\\[(?:\\\\/)?give_[a-zA-Z0-9_\\\\-]+(?:\\\\s+[^\\\\]]+)?\\\\]~"}], "cve": "CVE-2025-66533", "method": "POST", "mode": "block", "severity": 7.8, "slug": "give", "target": "plugin", "versions": "<=4.13.1"}, "RULE-CVE-2025-6673-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "contains", "value": "nsc_eprm_menu_link"}, {"name": "ARGS:content", "type": "regex", "value": "~nsc_eprm_menu_link[^\\\\]]*restaurant_menu_type\\\\s*=\\\\s*([\\"\']).*?\\\\1[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript:|<|>)~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6673", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6673", "description": "Easy Restaurant Menu Manager <=2.0.1 Stored XSS via nsc_eprm_menu_link shortcode restaurant_menu_type attribute (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-pdf-restaurant-menu-upload", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2025-6673-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "nsc_eprm_menu_link"}, {"name": "ARGS:content", "type": "regex", "value": "~nsc_eprm_menu_link[^\\\\]]*restaurant_menu_type\\\\s*=\\\\s*([\\"\']).*?\\\\1[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript:|<|>)~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6673", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6673", "description": "Easy Restaurant Menu Manager <=2.0.1 Stored XSS via nsc_eprm_menu_link shortcode restaurant_menu_type attribute (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-pdf-restaurant-menu-upload", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2025-6715-01": {"ajax_action": "latepoint_route_call", "conditions": [{"name": "ARGS:layout", "type": "regex", "value": "~(?:\\\\.[\\\\.][\\\\\\\\/]|\\\\.[\\\\.]%2[fF]|\\\\.[\\\\.]%5[cC]|php://|data://|expect://|zip://|phar://)~i"}], "cve": "CVE-2025-6715", "mode": "block", "severity": 9.8, "slug": "latepoint", "target": "plugin", "versions": "<5.1.94"}, "RULE-CVE-2025-6717-01": {"ajax_action": "b1_view_detail_log", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2025-6717", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6717", "description": "B1.lt for WooCommerce <=2.2.56 authenticated SQL injection via id parameter in b1_view_detail_log AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "b1-accounting", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=2.2.56"}, "RULE-CVE-2025-6717-02": {"ajax_action": "b1_view_detail_validation_log", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2025-6717", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6717", "description": "B1.lt for WooCommerce <=2.2.56 authenticated SQL injection via id parameter in b1_view_detail_validation_log AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "b1-accounting", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=2.2.56"}, "RULE-CVE-2025-6740-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/contact-form-7/v1/contact-forms/\\\\d+/feedback(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~(?:<script|<img\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<svg\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<iframe|<object|<embed|javascript\\\\s*:|\\\\bon(?:error|load|click|focus|mouseover)\\\\s*=)~i"}], "cve": "CVE-2025-6740", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6740", "description": "Contact Form 7 Database Addon <=1.3.1 unauthenticated stored XSS via CF7 form submission fields", "method": "POST", "mode": "block", "severity": 6.1, "slug": "contact-form-cfdb7", "tags": ["xss", "stored-xss", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.3.1"}, "RULE-CVE-2025-6740-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^cfdb7-list~"}, {"name": "ARGS", "type": "regex", "value": "~(?:<script|<img\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<svg\\\\b[^>]+\\\\bon\\\\w+\\\\s*=|<iframe|<object|<embed|javascript\\\\s*:|\\\\bon(?:error|load|click|focus|mouseover)\\\\s*=|\'\\\\s*(?:on\\\\w+|style|class)\\\\s*=)~i"}], "cve": "CVE-2025-6740", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6740", "description": "Contact Form 7 Database Addon <=1.3.1 reflected XSS via single-quote attribute breakout on admin list page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "contact-form-cfdb7", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=1.3.1"}, "RULE-CVE-2025-67515-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-67515", "description": "wilmer theme <= 3.5 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wilmer", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=3.5"}, "RULE-CVE-2025-67515-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-67515", "description": "wilmer theme <= 3.5 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wilmer", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=3.5"}, "RULE-CVE-2025-6754-01": {"ajax_action": "seo_metrics_handle_connect_button_click", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "seo_metrics_handle_connect_button_click"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6754", "method": "POST", "mode": "block", "severity": 8.8, "slug": "seo-metrics-helper", "target": "plugin", "versions": "1.0.5 - 1.0.15"}, "RULE-CVE-2025-6754-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-content/plugins/seo-metrics-helper/endpoint\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:token", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6754", "method": "GET", "mode": "block", "severity": 8.8, "slug": "seo-metrics-helper", "target": "plugin", "versions": "1.0.5 - 1.0.15"}, "RULE-CVE-2025-67563-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "gmail_oauth_redirect"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-67563", "method": "GET", "mode": "block", "severity": 5.3, "slug": "post-smtp", "target": "plugin", "versions": "<=3.6.1"}, "RULE-CVE-2025-6757-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[rpwe\\\\b[^\\\\]]*(?:<script|on(?:error|load|click|mouseover|focus|blur|mouseout|mouseenter|mouseleave|change|submit|keydown|keyup|keypress)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6757", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6757", "description": "Recent Posts Widget Extended <=2.0.2 Stored XSS via rpwe shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "recent-posts-widget-extended", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-6757-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[rpwe\\\\b[^\\\\]]*(?:<script|on(?:error|load|click|mouseover|focus|blur|mouseout|mouseenter|mouseleave|change|submit|keydown|keyup|keypress)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6757", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6757", "description": "Recent Posts Widget Extended <=2.0.2 Stored XSS via rpwe shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "recent-posts-widget-extended", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2025-67574-01": {"action": "admin_init", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "recreate_db"}], "cve": "CVE-2025-67574", "mode": "block", "severity": 5.3, "slug": "booking-calendar", "target": "plugin", "versions": "<=3.2.30"}, "RULE-CVE-2025-67588-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/e-floating-buttons(?:/|\\\\?|$)|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/e-floating-buttons(?:/|$|&))~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-67588", "method": "POST", "mode": "block", "severity": 4.3, "slug": "elementor", "target": "plugin", "versions": "<=3.33.0"}, "RULE-CVE-2025-67588-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/e-floating-buttons(?:/|\\\\?|$)|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/e-floating-buttons(?:/|$|&))~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-67588", "method": "PUT", "mode": "block", "severity": 4.3, "slug": "elementor", "target": "plugin", "versions": "<=3.33.0"}, "RULE-CVE-2025-67588-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/e-floating-buttons(?:/|\\\\?|$)|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/e-floating-buttons(?:/|$|&))~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-67588", "method": "PATCH", "mode": "block", "severity": 4.3, "slug": "elementor", "target": "plugin", "versions": "<=3.33.0"}, "RULE-CVE-2025-67588-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?:/wp-json/wp/v2/e-floating-buttons(?:/|\\\\?|$)|/\\\\?(?:[^#]*&)?rest_route=/wp/v2/e-floating-buttons(?:/|$|&))~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-67588", "method": "DELETE", "mode": "block", "severity": 4.3, "slug": "elementor", "target": "plugin", "versions": "<=3.33.0"}, "RULE-CVE-2025-6792-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/guppylite/v2/channel-authorize(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-6792", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6792", "description": "WP Guppy Lite <=1.1.4 unauthenticated information disclosure via channel-authorize REST endpoint", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wpguppy-lite", "tags": ["missing-authentication", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.1.4"}, "RULE-CVE-2025-67934-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-67934", "description": "wellspring theme <= 2.8 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wellspring", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.8"}, "RULE-CVE-2025-67934-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-67934", "description": "wellspring theme <= 2.8 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wellspring", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.8"}, "RULE-CVE-2025-67935-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-67935", "description": "optimizewp theme <= 2.4 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "optimizewp", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.4"}, "RULE-CVE-2025-67935-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-67935", "description": "optimizewp theme <= 2.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "optimizewp", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.4"}, "RULE-CVE-2025-67936-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-67936", "description": "curly theme <= 3.3 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "curly", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=3.3"}, "RULE-CVE-2025-67936-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-67936", "description": "curly theme <= 3.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "curly", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=3.3"}, "RULE-CVE-2025-67937-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-67937", "description": "hendon theme <= 1.7 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "hendon", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2025-67937-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-67937", "description": "hendon theme <= 1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "hendon", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2025-67938-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-67938", "description": "biagiotti theme <= 3.5.2 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "biagiotti", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=3.5.2"}, "RULE-CVE-2025-67938-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-67938", "description": "biagiotti theme <= 3.5.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "biagiotti", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=3.5.2"}, "RULE-CVE-2025-67940-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-67940", "description": "powerlift theme <= 3.2.1 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "powerlift", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=3.2.1"}, "RULE-CVE-2025-67940-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-67940", "description": "powerlift theme <= 3.2.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "powerlift", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=3.2.1"}, "RULE-CVE-2025-68027-01": {"ajax_action": "tfhb_registration", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~(?:administrator|editor|author|contributor)~i"}], "cve": "CVE-2025-68027", "method": "POST", "mode": "block", "severity": 7.3, "slug": "hydra-booking", "target": "plugin", "versions": "<=1.1.32"}, "RULE-CVE-2025-68027-02": {"ajax_action": "tfhb_registration", "conditions": [{"name": "ARGS:user_role", "type": "regex", "value": "~(?:administrator|editor|author|contributor)~i"}], "cve": "CVE-2025-68027", "method": "POST", "mode": "block", "severity": 7.3, "slug": "hydra-booking", "target": "plugin", "versions": "<=1.1.32"}, "RULE-CVE-2025-68027-03": {"ajax_action": "tfhb_registration", "conditions": [{"name": "ARGS:tfhb_role", "type": "regex", "value": "~(?:administrator|editor|author|contributor)~i"}], "cve": "CVE-2025-68027", "method": "POST", "mode": "block", "severity": 7.3, "slug": "hydra-booking", "target": "plugin", "versions": "<=1.1.32"}, "RULE-CVE-2025-68055-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-json/hydra-booking/v[0-9]+/booking/lists(?:/|\\\\?|$)~i"}, {"name": "ARGS:filter_data", "type": "regex", "value": "~(?i)(?:union\\\\s+(?:all\\\\s+)?select|sleep\\\\s*\\\\(|benchmark\\\\s*\\\\(|(?:[\'\\"\\\\s])or\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|drop\\\\s+table|information_schema|load_file\\\\s*\\\\(|into\\\\s+(?:out|dump)file|;\\\\s*(?:drop|insert|update|delete)\\\\b)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-68055", "method": "POST", "mode": "block", "severity": 8.5, "slug": "hydra-booking", "target": "plugin", "versions": "<=1.1.32"}, "RULE-CVE-2025-68055-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-json/hydra-booking/v[0-9]+/booking/filter(?:/|\\\\?|$)~i"}, {"name": "ARGS:filter_data", "type": "regex", "value": "~(?i)(?:union\\\\s+(?:all\\\\s+)?select|sleep\\\\s*\\\\(|benchmark\\\\s*\\\\(|(?:[\'\\"\\\\s])or\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|drop\\\\s+table|information_schema|load_file\\\\s*\\\\(|into\\\\s+(?:out|dump)file|;\\\\s*(?:drop|insert|update|delete)\\\\b)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-68055", "method": "GET", "mode": "block", "severity": 8.5, "slug": "hydra-booking", "target": "plugin", "versions": "<=1.1.32"}, "RULE-CVE-2025-6813-01": {"action": "init", "conditions": [{"name": "ARGS:_aap_action", "type": "regex", "value": "~(?i)^auto_login$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6813", "method": "POST", "mode": "block", "severity": 8.8, "slug": "aapanel-wp-toolkit", "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-6813-02": {"action": "init", "conditions": [{"name": "ARGS:_aap_action", "type": "regex", "value": "~(?i)^security_key_info$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6813", "method": "POST", "mode": "block", "severity": 8.8, "slug": "aapanel-wp-toolkit", "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-6815-01": {"ajax_action": "latepoint_route_call", "conditions": [{"name": "ARGS:service[name]", "type": "detectXSS"}], "cve": "CVE-2025-6815", "method": "POST", "mode": "block", "severity": 5.5, "slug": "latepoint", "target": "plugin", "versions": "<=5.1.94"}, "RULE-CVE-2025-6831-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[urcr_restrict\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-6831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6831", "description": "User Registration <=4.2.4 Stored XSS via urcr_restrict shortcode in classic editor post_content param", "method": "POST", "mode": "block", "severity": 6.4, "slug": "user-registration", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.2.4"}, "RULE-CVE-2025-6831-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[urcr_restrict\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-6831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6831", "description": "User Registration <=4.2.4 Stored XSS via urcr_restrict shortcode in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "user-registration", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.2.4"}, "RULE-CVE-2025-6831-03-PATCH": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[urcr_restrict\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-6831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6831", "description": "User Registration <=4.2.4 Stored XSS via urcr_restrict shortcode in REST API post content (PATCH)", "method": "PATCH", "mode": "block", "severity": 6.4, "slug": "user-registration", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.2.4"}, "RULE-CVE-2025-6831-03-PUT": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[urcr_restrict\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-6831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6831", "description": "User Registration <=4.2.4 Stored XSS via urcr_restrict shortcode in REST API post content (PUT)", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "user-registration", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.2.4"}, "RULE-CVE-2025-6851-01": {"ajax_action": "blnotifier_blinks", "conditions": [{"name": "ARGS:link", "type": "regex", "value": "~(?:^(?:gopher|dict|file|ftp|ldap|tftp|ssh)://|^https?://(?:localhost(?=[:/]|$)|\\\\[?::1\\\\]?|0\\\\.|127\\\\.|10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|metadata\\\\.google\\\\.internal(?=[:/]|$)))~i"}], "cve": "CVE-2025-6851", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6851", "description": "Broken Link Notifier <=1.3.0 unauthenticated SSRF via blnotifier_blinks AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "broken-link-notifier", "tags": ["ssrf", "unauthenticated", "cwe-918"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-6851-02": {"ajax_action": "blnotifier_rescan", "conditions": [{"name": "ARGS:link", "type": "regex", "value": "~(?:^(?:gopher|dict|file|ftp|ldap|tftp|ssh)://|^https?://(?:localhost(?=[:/]|$)|\\\\[?::1\\\\]?|0\\\\.|127\\\\.|10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|metadata\\\\.google\\\\.internal(?=[:/]|$)))~i"}], "cve": "CVE-2025-6851", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6851", "description": "Broken Link Notifier <=1.3.0 unauthenticated SSRF via blnotifier_rescan AJAX action", "method": "POST", "mode": "block", "severity": 6.5, "slug": "broken-link-notifier", "tags": ["ssrf", "unauthenticated", "cwe-918"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2025-6895-01": {"action": "init", "conditions": [{"name": "ARGS:mls_temp_user_token", "type": "exists"}], "cve": "CVE-2025-6895", "method": "GET", "mode": "block", "severity": 9.8, "slug": "melapress-login-security", "target": "plugin", "versions": ">=2.1.0 <=2.1.1"}, "RULE-CVE-2025-6895-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "delete_link"}, {"name": "ARGS:user_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6895", "mode": "block", "severity": 9.8, "slug": "melapress-login-security", "target": "plugin", "versions": ">=2.1.0 <2.1.1"}, "RULE-CVE-2025-6895-03": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "disable_link"}, {"name": "ARGS:user_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6895", "mode": "block", "severity": 9.8, "slug": "melapress-login-security", "target": "plugin", "versions": ">=2.1.0 <2.1.1"}, "RULE-CVE-2025-6895-04": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "enable_link"}, {"name": "ARGS:user_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6895", "mode": "block", "severity": 9.8, "slug": "melapress-login-security", "target": "plugin", "versions": ">=2.1.0 <2.1.1"}, "RULE-CVE-2025-68974-01": {"ajax_action": "mo_openid_app_instructions", "conditions": [{"name": "ARGS:app_name", "type": "regex", "value": "~(?:\\\\.\\\\.[/\\\\\\\\]|(?:php|phar|data|expect|zip)://)~i"}], "cve": "CVE-2025-68974", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68974", "description": "WordPress Social Login and Register <=7.7.0 authenticated local file inclusion via app_name in mo_openid_app_instructions AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "miniorange-login-openid", "tags": ["local-file-inclusion", "path-traversal", "php-stream-wrapper", "authenticated"], "target": "plugin", "versions": "<=7.7.0"}, "RULE-CVE-2025-69034-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69034", "description": "lekker theme <= 1.8 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "lekker", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.8"}, "RULE-CVE-2025-69034-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69034", "description": "lekker theme <= 1.8 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "lekker", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.8"}, "RULE-CVE-2025-69058-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69058", "description": "partymaker theme <= 1.1.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "partymaker", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.15"}, "RULE-CVE-2025-69058-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69058", "description": "partymaker theme <= 1.1.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "partymaker", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.15"}, "RULE-CVE-2025-69059-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69059", "description": "diveit theme <= 1.4.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "diveit", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.3"}, "RULE-CVE-2025-69059-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69059", "description": "diveit theme <= 1.4.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "diveit", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.3"}, "RULE-CVE-2025-69060-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69060", "description": "ureach theme <= 1.3.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "ureach", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.3"}, "RULE-CVE-2025-69060-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69060", "description": "ureach theme <= 1.3.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "ureach", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.3"}, "RULE-CVE-2025-69061-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69061", "description": "moveme theme <= 1.2.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "moveme", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.15"}, "RULE-CVE-2025-69061-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69061", "description": "moveme theme <= 1.2.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "moveme", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.15"}, "RULE-CVE-2025-69062-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69062", "description": "weedles theme <= 1.1.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "weedles", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.12"}, "RULE-CVE-2025-69062-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69062", "description": "weedles theme <= 1.1.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "weedles", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.12"}, "RULE-CVE-2025-69064-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69064", "description": "petsland theme <= 1.2.8 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "petsland", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.8"}, "RULE-CVE-2025-69064-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69064", "description": "petsland theme <= 1.2.8 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "petsland", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.8"}, "RULE-CVE-2025-69065-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69065", "description": "snowmountain theme <= 1.4.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "snowmountain", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.3"}, "RULE-CVE-2025-69065-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69065", "description": "snowmountain theme <= 1.4.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "snowmountain", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.3"}, "RULE-CVE-2025-69066-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69066", "description": "indoor-plants theme <= 1.2.7 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "indoor-plants", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.7"}, "RULE-CVE-2025-69066-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69066", "description": "indoor-plants theme <= 1.2.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "indoor-plants", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.7"}, "RULE-CVE-2025-69067-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69067", "description": "tails theme <= 1.4.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tails", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.12"}, "RULE-CVE-2025-69067-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69067", "description": "tails theme <= 1.4.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tails", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.12"}, "RULE-CVE-2025-69068-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69068", "description": "muji theme <= 1.2.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "muji", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.0"}, "RULE-CVE-2025-69068-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69068", "description": "muji theme <= 1.2.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "muji", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.0"}, "RULE-CVE-2025-69070-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69070", "description": "tornados theme <= 2.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tornados", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.1"}, "RULE-CVE-2025-69070-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69070", "description": "tornados theme <= 2.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tornados", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.1"}, "RULE-CVE-2025-69071-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69071", "description": "tantum theme <= 1.1.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tantum", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.13"}, "RULE-CVE-2025-69071-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69071", "description": "tantum theme <= 1.1.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tantum", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.13"}, "RULE-CVE-2025-69072-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69072", "description": "prider theme <= 1.1.3.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "prider", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.3.1"}, "RULE-CVE-2025-69072-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69072", "description": "prider theme <= 1.1.3.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "prider", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.3.1"}, "RULE-CVE-2025-69073-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69073", "description": "piqes theme <= 1.0.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "piqes", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.11"}, "RULE-CVE-2025-69073-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69073", "description": "piqes theme <= 1.0.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "piqes", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.11"}, "RULE-CVE-2025-69074-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69074", "description": "pearsonspecter theme <= 1.11.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pearsonspecter", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.11.3"}, "RULE-CVE-2025-69074-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69074", "description": "pearsonspecter theme <= 1.11.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pearsonspecter", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.11.3"}, "RULE-CVE-2025-69075-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69075", "description": "yolox theme <= 1.0.15 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "yolox", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.15"}, "RULE-CVE-2025-69075-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69075", "description": "yolox theme <= 1.0.15 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "yolox", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.15"}, "RULE-CVE-2025-69076-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69076", "description": "modernhousewife theme <= 1.0.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "modernhousewife", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.12"}, "RULE-CVE-2025-69076-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69076", "description": "modernhousewife theme <= 1.0.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "modernhousewife", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.12"}, "RULE-CVE-2025-69077-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69077", "description": "hobo theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "hobo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-69077-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69077", "description": "hobo theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "hobo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2025-69078-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69078", "description": "malta theme <= 1.3.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "malta", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.3"}, "RULE-CVE-2025-69078-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69078", "description": "malta theme <= 1.3.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "malta", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.3"}, "RULE-CVE-2025-69408-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69408", "description": "healthfirst theme <= 1.0.1 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "healthfirst", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.0.1"}, "RULE-CVE-2025-69408-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69408", "description": "healthfirst theme <= 1.0.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "healthfirst", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.1"}, "RULE-CVE-2025-69409-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2025-69409", "description": "pj theme <= 3.0.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pj", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=3.0.0"}, "RULE-CVE-2025-69409-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2025-69409", "description": "pj theme <= 3.0.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pj", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=3.0.0"}, "RULE-CVE-2025-6941-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[latepoint_resources\\\\s[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<[a-z]|on\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f])|\\\\\'[^\\\\\']*(?:<[a-z]|on\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f])|[^\\\\]]*?(?:<[a-z]|on\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f]))~i"}], "cve": "CVE-2025-6941", "method": "POST", "mode": "block", "severity": 6.4, "slug": "latepoint", "target": "plugin", "versions": "<=5.1.94"}, "RULE-CVE-2025-6941-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/wp-json/wp/v[12]/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[latepoint_resources\\\\s[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:\\"[^\\"]*(?:<[a-z]|on\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f])|\\\\\'[^\\\\\']*(?:<[a-z]|on\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f])|[^\\\\]]*?(?:<[a-z]|on\\\\w+\\\\s*=|javascript\\\\s*:|&#|\\\\\\\\x[0-9a-f]))~i"}], "cve": "CVE-2025-6941", "method": "POST", "mode": "block", "severity": 6.4, "slug": "latepoint", "target": "plugin", "versions": "<=5.1.94"}, "RULE-CVE-2025-6976-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(events_list|events_calendar|locations_list|events_list_grouped)\\\\b[^\\\\]]*(?:no_results_msg)\\\\s*=[^\\\\]]*<~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6976", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6976", "description": "Events Manager <=7.0.3 Stored XSS via shortcode attributes (format_header, format_footer, no_results_msg, format) in post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "events-manager", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=7.0.3"}, "RULE-CVE-2025-6976-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(events_list|events_calendar|locations_list|events_list_grouped)\\\\b[^\\\\]]*(?:no_results_msg)\\\\s*=[^\\\\]]*<~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6976", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6976", "description": "Events Manager <=7.0.3 Stored XSS via shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 5.4, "slug": "events-manager", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=7.0.3"}, "RULE-CVE-2025-6987-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[advanced_iframe\\\\b[^\\\\]]*(?:on(?:load|error|click|mouseover|focus|blur|mouseout|mousemove|keydown|keyup|keypress)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:script|/script|img\\\\b[^>]+onerror|svg\\\\b[^>]+onload|iframe\\\\b[^>]+srcdoc))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6987", "description": "Advanced iFrame <=2025.5 authenticated (Contributor+) Stored XSS via advanced_iframe shortcode in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-iframe", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=2025.5"}, "RULE-CVE-2025-6987-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[advanced_iframe\\\\b[^\\\\]]*(?:on(?:load|error|click|mouseover|focus|blur|mouseout|mousemove|keydown|keyup|keypress)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:script|/script|img\\\\b[^>]+onerror|svg\\\\b[^>]+onload|iframe\\\\b[^>]+srcdoc))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-6987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-6987", "description": "Advanced iFrame <=2025.5 authenticated (Contributor+) Stored XSS via advanced_iframe shortcode in REST API post/page creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "advanced-iframe", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2025.5"}, "RULE-CVE-2025-6993-01": {"ajax_action": "ewd_uwpm_get_email_log_details", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-6993", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ultimate-wp-mail", "target": "plugin", "versions": ">=1.0.17 <=1.3.6"}, "RULE-CVE-2025-7035-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[mla_(tag_cloud|term_list)\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-7035", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7035", "description": "Media Library Assistant <=3.26 stored XSS via mla_tag_cloud/mla_term_list shortcode event handler injection in post_content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "media-library-assistant", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.26"}, "RULE-CVE-2025-7035-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[mla_(tag_cloud|term_list)\\\\b[^\\\\]]*javascript\\\\s*:~i"}], "cve": "CVE-2025-7035", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7035", "description": "Media Library Assistant <=3.26 stored XSS via mla_tag_cloud/mla_term_list shortcode javascript URI injection in post_content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "media-library-assistant", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.26"}, "RULE-CVE-2025-7035-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mla_(tag_cloud|term_list)\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-7035", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7035", "description": "Media Library Assistant <=3.26 stored XSS via mla_tag_cloud/mla_term_list shortcode event handler injection in REST API post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "media-library-assistant", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.26"}, "RULE-CVE-2025-7035-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mla_(tag_cloud|term_list)\\\\b[^\\\\]]*javascript\\\\s*:~i"}], "cve": "CVE-2025-7035", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7035", "description": "Media Library Assistant <=3.26 stored XSS via mla_tag_cloud/mla_term_list shortcode javascript URI injection in REST API post content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "media-library-assistant", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.26"}, "RULE-CVE-2025-7038-01": {"ajax_action": "latepoint_route_call", "conditions": [{"name": "ARGS:route_name", "type": "regex", "value": "~^steps__load_step$~i"}, {"name": "ARGS:customer[email]", "type": "regex", "value": "~.+~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-7038", "method": "POST", "mode": "block", "severity": 8.2, "slug": "latepoint", "target": "plugin", "versions": "<=5.1.94"}, "RULE-CVE-2025-7040-01": {"action": "admin_post_nopriv_set_organization_settings", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "set_organization_settings"}], "cve": "CVE-2025-7040", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7040", "method": "POST", "mode": "block", "severity": 8.2, "slug": "cloud-sso-single-sign-on", "tags": ["cwe-862", "missing-authorization", "csrf", "sso"], "target": "plugin", "versions": "<=1.0.19"}, "RULE-CVE-2025-7040-02": {"action": "admin_post_set_organization_settings", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "set_organization_settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-7040", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7040", "method": "POST", "mode": "block", "severity": 8.2, "slug": "cloud-sso-single-sign-on", "tags": ["cwe-862", "missing-authorization", "csrf", "sso"], "target": "plugin", "versions": "<=1.0.19"}, "RULE-CVE-2025-7045-01": {"action": "init", "conditions": [{"name": "ARGS:csso_action", "type": "equals", "value": "delete_config"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-7045", "method": "POST", "mode": "block", "severity": 6.5, "slug": "cloud-sso-single-sign-on", "target": "plugin", "versions": "<=1.0.19"}, "RULE-CVE-2025-7052-01": {"ajax_action": "latepoint_route_call", "conditions": [{"name": "ARGS:route_name", "type": "equals", "value": "customer_cabinet__change_password"}], "cve": "CVE-2025-7052", "method": "POST", "mode": "block", "severity": 8.8, "slug": "latepoint", "target": "plugin", "versions": "<=5.1.94"}, "RULE-CVE-2025-7052-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-post.php"}, {"name": "ARGS:action", "type": "equals", "value": "latepoint_route_call"}, {"name": "ARGS:route_name", "type": "equals", "value": "customer_cabinet__change_password"}], "cve": "CVE-2025-7052", "method": "POST", "mode": "block", "severity": 8.8, "slug": "latepoint", "target": "plugin", "versions": "<=5.1.94"}, "RULE-CVE-2025-7354-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[su_(?:button|expand|members|post|user)\\\\s[^\\\\]]*(?:<\\\\s*(?:script|svg|img|iframe|object|embed|video|audio|body|input|details|marquee)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseout|mouseenter|mouseleave|submit|change|input|keydown|keyup|keypress)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-7354", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7354", "description": "Shortcodes Ultimate <=7.4.2 Stored XSS via malicious shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=7.4.2"}, "RULE-CVE-2025-7354-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[su_(?:button|expand|members|post|user)\\\\s[^\\\\]]*(?:<\\\\s*(?:script|svg|img|iframe|object|embed|video|audio|body|input|details|marquee)\\\\b|\\\\bon(?:error|load|click|mouseover|focus|blur|mouseout|mouseenter|mouseleave|submit|change|input|keydown|keyup|keypress)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-7354", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7354", "description": "Shortcodes Ultimate <=7.4.2 Stored XSS via malicious shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "shortcodes-ultimate", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=7.4.2"}, "RULE-CVE-2025-7367-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "wpmtst_update_custom_fields"}, {"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|<iframe[^>]*>|<svg[^>]*>|<embed[^>]*>|<object[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur|toggle|animationend|beforeprint)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-7367", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7367", "description": "Strong Testimonials <=3.2.11 Stored XSS via custom field values on admin-post.php wpmtst_update_custom_fields action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "strong-testimonials", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.2.11"}, "RULE-CVE-2025-7367-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "wpm-testimonial"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|<iframe[^>]*>|<svg[^>]*>|<embed[^>]*>|<object[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur|toggle|animationend|beforeprint)\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2025-7367", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7367", "description": "Strong Testimonials <=3.2.11 Stored XSS via custom field values on post.php wpm-testimonial post type save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "strong-testimonials", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=3.2.11"}, "RULE-CVE-2025-7369-01": {"ajax_action": "su_generator_preview", "conditions": [{"name": "ARGS:shortcode", "type": "regex", "value": "~(?:javascript\\\\s*:|on(?:abort|blur|change|click|dblclick|error|focus|input|keydown|keypress|keyup|load|mousedown|mouseenter|mouseleave|mousemove|mouseout|mouseover|mouseup|pointerdown|pointerenter|pointerleave|pointermove|pointerout|pointerover|pointerup|reset|resize|scroll|select|submit|touchcancel|touchend|touchmove|touchstart|unload|wheel|animationend|animationiteration|animationstart|transitionend|transitionrun|transitionstart|toggle|contextmenu|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|focusin|focusout|gotpointercapture|lostpointercapture|paste|copy|cut|beforeunload|hashchange|message|offline|online|pagehide|pageshow|popstate|storage|afterprint|beforeprint)\\\\s*=|<(?:iframe|embed|object|form|svg|math)[\\\\s/>])~i"}], "cve": "CVE-2025-7369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7369", "description": "Shortcodes Ultimate <=7.4.2 CSRF to arbitrary shortcode execution via su_generator_preview AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "shortcodes-ultimate", "tags": ["csrf", "xss", "shortcode-execution"], "target": "plugin", "versions": "<=7.4.2"}, "RULE-CVE-2025-7431-01": {"action": "admin_init", "conditions": [{"name": "ARGS:kb_slug", "type": "regex", "value": "~[<>\\"\']|on[a-zA-Z0-9_]+ *=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-7431", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7431", "description": "Knowledge Base <=2.3.1 Authenticated (Administrator+) Stored XSS via kb_slug setting", "method": "POST", "mode": "block", "severity": 4.4, "slug": "knowledgebase", "tags": ["xss", "stored-xss", "settings-abuse"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2025-7431-02": {"action": "admin_init", "conditions": [{"name": "ARGS:category_slug", "type": "regex", "value": "~[<>\\"\']|on[a-zA-Z0-9_]+ *=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-7431", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7431", "description": "Knowledge Base <=2.3.1 Authenticated (Administrator+) Stored XSS via category_slug setting", "method": "POST", "mode": "block", "severity": 4.4, "slug": "knowledgebase", "tags": ["xss", "stored-xss", "settings-abuse"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2025-7431-03": {"action": "admin_init", "conditions": [{"name": "ARGS:tag_slug", "type": "regex", "value": "~[<>\\"\']|on[a-zA-Z0-9_]+ *=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-7431", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7431", "description": "Knowledge Base <=2.3.1 Authenticated (Administrator+) Stored XSS via tag_slug setting", "method": "POST", "mode": "block", "severity": 4.4, "slug": "knowledgebase", "tags": ["xss", "stored-xss", "settings-abuse"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2025-7495-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wpmem_(?:login|reg)_link\\\\s+(?=[^\\\\]]*\\\\b(?!(?:id|class|href)\\\\b)[a-z][a-z0-9_-]*\\\\s*=)~i"}], "cve": "CVE-2025-7495", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7495", "description": "WP-Members <=3.5.4.1 Stored XSS via wpmem_login_link/wpmem_reg_link shortcode attributes in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-members", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.5.4.1"}, "RULE-CVE-2025-7495-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wpmem_(?:login|reg)_link\\\\s+(?=[^\\\\]]*\\\\b(?!(?:id|class|href)\\\\b)[a-z][a-z0-9_-]*\\\\s*=)~i"}], "cve": "CVE-2025-7495", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7495", "description": "WP-Members <=3.5.4.1 Stored XSS via wpmem_login_link/wpmem_reg_link shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-members", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.5.4.1"}, "RULE-CVE-2025-7500-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_title", "type": "regex", "value": "~(?:<script[^>]*>|(?:<|�*60;|�*3c;)\\\\s*script\\\\b|\\\\bon\\\\w+\\\\s*=|\\\\bjavascript\\\\s*:|<(?:iframe|embed|object|svg|math)[^>]*>|(?:<|�*60;|�*3c;)\\\\s*(?:iframe|embed|object|svg|math)\\\\b)~i"}], "cve": "CVE-2025-7500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7500", "description": "Ocean Social Sharing <=2.2.1 Stored XSS via post_title in wp-admin post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ocean-social-sharing", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-7500-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:title", "type": "regex", "value": "~(?:<script[^>]*>|(?:<|�*60;|�*3c;)\\\\s*script\\\\b|\\\\bon\\\\w+\\\\s*=|\\\\bjavascript\\\\s*:|<(?:iframe|embed|object|svg|math)[^>]*>|(?:<|�*60;|�*3c;)\\\\s*(?:iframe|embed|object|svg|math)\\\\b)~i"}], "cve": "CVE-2025-7500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7500", "description": "Ocean Social Sharing <=2.2.1 Stored XSS via title in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ocean-social-sharing", "tags": ["xss", "stored-xss", "rest-api", "contributor"], "target": "plugin", "versions": "<=2.2.1"}, "RULE-CVE-2025-7638-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^forminator-(?:entries|report)$~"}, {"name": "ARGS:order_by", "type": "exists"}, {"name": "ARGS:order_by", "type": "regex", "value": "~^(?!entries\\\\.(?:date_created|entry_id)$).+~i"}], "cve": "CVE-2025-7638", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7638", "description": "Forminator Forms <=1.45.0 authenticated (Administrator+) SQL injection via order_by parameter in entries listing", "method": "GET", "mode": "block", "severity": 4.9, "slug": "forminator", "tags": ["sql-injection", "authenticated", "order-by-injection"], "target": "plugin", "versions": "<=1.45.0"}, "RULE-CVE-2025-7638-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^forminator-(?:entries|report)$~"}, {"name": "ARGS:order", "type": "exists"}, {"name": "ARGS:order", "type": "regex", "value": "~^(?!(?:DESC|ASC)$).+~i"}], "cve": "CVE-2025-7638", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7638", "description": "Forminator Forms <=1.45.0 authenticated (Administrator+) SQL injection via order parameter in entries listing", "method": "GET", "mode": "block", "severity": 4.9, "slug": "forminator", "tags": ["sql-injection", "authenticated", "order-by-injection"], "target": "plugin", "versions": "<=1.45.0"}, "RULE-CVE-2025-7650-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bizcalv[^\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.\\\\.%2[fF])~i"}], "cve": "CVE-2025-7650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7650", "description": "BizCalendar Web <=1.1.0.53 authenticated (Contributor+) Local File Inclusion via bizcalv shortcode path traversal in post_content", "method": "POST", "mode": "block", "severity": 7.5, "slug": "bizcalendar-web", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1.0.53"}, "RULE-CVE-2025-7650-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bizcalv[^\\\\]]*(?:php://|data://|expect://|phar://|/etc/|/var/|/tmp/|/proc/)~i"}], "cve": "CVE-2025-7650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7650", "description": "BizCalendar Web <=1.1.0.53 authenticated (Contributor+) Local File Inclusion via bizcalv shortcode PHP wrapper or absolute path in post_content", "method": "POST", "mode": "block", "severity": 7.5, "slug": "bizcalendar-web", "tags": ["local-file-inclusion", "php-wrapper", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1.0.53"}, "RULE-CVE-2025-7650-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bizcalv[^\\\\]]*(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.\\\\.%2[fF])~i"}], "cve": "CVE-2025-7650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7650", "description": "BizCalendar Web <=1.1.0.53 authenticated (Contributor+) Local File Inclusion via bizcalv shortcode path traversal in REST API content", "method": "POST", "mode": "block", "severity": 7.5, "slug": "bizcalendar-web", "tags": ["local-file-inclusion", "path-traversal", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.0.53"}, "RULE-CVE-2025-7650-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bizcalv[^\\\\]]*(?:php://|data://|expect://|phar://|/etc/|/var/|/tmp/|/proc/)~i"}], "cve": "CVE-2025-7650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7650", "description": "BizCalendar Web <=1.1.0.53 authenticated (Contributor+) Local File Inclusion via bizcalv shortcode PHP wrapper or absolute path in REST API content", "method": "POST", "mode": "block", "severity": 7.5, "slug": "bizcalendar-web", "tags": ["local-file-inclusion", "php-wrapper", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.1.0.53"}, "RULE-CVE-2025-7654-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wf_get_cookie\\\\b~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-7654", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7654", "description": "FunnelKit Funnel Builder <=3.11.0.1 sensitive information exposure via wf_get_cookie shortcode in post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "funnel-builder", "tags": ["sensitive-info-exposure", "shortcode", "cookie-disclosure", "stored-content"], "target": "plugin", "versions": "<=3.11.0.1"}, "RULE-CVE-2025-7654-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wf_get_cookie\\\\b~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-7654", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7654", "description": "FunnelKit Funnel Builder <=3.11.0.1 sensitive information exposure via wf_get_cookie shortcode in REST API post content", "method": "POST", "mode": "block", "severity": 8.8, "slug": "funnel-builder", "tags": ["sensitive-info-exposure", "shortcode", "cookie-disclosure", "rest-api"], "target": "plugin", "versions": "<=3.11.0.1"}, "RULE-CVE-2025-7661-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[martinus\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:|</?script|\\\\\\\\x[0-9a-fA-F]|&#(?:x[0-9a-fA-F]+|\\\\d+);)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-7661", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7661", "description": "Partnersk\\u00fd syst\\u00e9m Martinus <=1.7.1 Stored XSS via [martinus] shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "martinus-partnersky-system", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.7.1"}, "RULE-CVE-2025-7661-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[martinus\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:|</?script|\\\\\\\\x[0-9a-fA-F]|&#(?:x[0-9a-fA-F]+|\\\\d+);)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-7661", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7661", "description": "Partnersk\\u00fd syst\\u00e9m Martinus <=1.7.1 Stored XSS via [martinus] shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "martinus-partnersky-system", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.7.1"}, "RULE-CVE-2025-7665-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/(?:wp-admin/)?(?:admin-post\\\\.php|admin-ajax\\\\.php)(?:\\\\?|$)~"}, {"name": "ARGS:default_user_role", "type": "equals", "value": "administrator"}], "cve": "CVE-2025-7665", "method": "POST", "mode": "block", "severity": 8.1, "slug": "miniorange-firebase-sms-otp-verification", "target": "plugin", "versions": ">=3.1.0 <=3.6.2"}, "RULE-CVE-2025-7670-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/js-archive-list/v1/archive(?:/|[?&]|$)~"}, {"name": "ARGS:include", "type": "detectSQLi"}], "cve": "CVE-2025-7670", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7670", "description": "JS Archive List <=6.1.5 unauthenticated SQL injection via include parameter on REST archives endpoint", "method": "GET", "mode": "block", "severity": 7.5, "slug": "jquery-archive-list-widget", "tags": ["sql-injection", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-7670-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/js-archive-list/v1/archive(?:/|[?&]|$)~"}, {"name": "ARGS:exclude", "type": "detectSQLi"}], "cve": "CVE-2025-7670", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7670", "description": "JS Archive List <=6.1.5 unauthenticated SQL injection via exclude parameter on REST archives endpoint", "method": "GET", "mode": "block", "severity": 7.5, "slug": "jquery-archive-list-widget", "tags": ["sql-injection", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=6.1.5"}, "RULE-CVE-2025-7696-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OC]:\\\\d+:\\"~"}], "cve": "CVE-2025-7696", "method": "POST", "mode": "block", "severity": 9.8, "slug": "integration-for-contact-form-7-and-pipedrive", "target": "plugin", "versions": "<=1.2.3"}, "RULE-CVE-2025-7711-01": {"ajax_action": "rtcl_post_new_listing", "conditions": [{"name": "ARGS:description", "type": "regex", "value": "~\\\\[\\\\s*[A-Za-z_][A-Za-z0-9_-]{2,}[\\\\s\\\\]/]~"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-7711", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7711", "description": "Classified Listing <=5.0.3 authenticated (Subscriber+) arbitrary shortcode execution via listing description on rtcl_post_new_listing", "method": "POST", "mode": "block", "severity": 5.4, "slug": "classified-listing", "tags": ["code-injection", "shortcode-execution", "authenticated"], "target": "plugin", "versions": "<=5.0.3"}, "RULE-CVE-2025-7711-02": {"ajax_action": "rtcl_update_listing", "conditions": [{"name": "ARGS:description", "type": "regex", "value": "~\\\\[\\\\s*[A-Za-z_][A-Za-z0-9_-]{2,}[\\\\s\\\\]/]~"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-7711", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7711", "description": "Classified Listing <=5.0.3 authenticated (Subscriber+) arbitrary shortcode execution via listing description on rtcl_update_listing", "method": "POST", "mode": "block", "severity": 5.4, "slug": "classified-listing", "tags": ["code-injection", "shortcode-execution", "authenticated"], "target": "plugin", "versions": "<=5.0.3"}, "RULE-CVE-2025-7727-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~wp:gutenverse/animated-text[^}]*[\\"\']htmlTag[\\"\']\\\\s*:\\\\s*[\\"\']script[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-7727", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7727", "description": "Gutenverse <=3.1.0 Stored XSS via Animated Text block htmlTag attribute injection through classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenverse", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-7727-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~wp:gutenverse/fun-?fact[^>]*>.*?\\\\bon(?:error|load|click|mouseover|focus)\\\\s*=~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-7727", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7727", "description": "Gutenverse <=3.1.0 Stored XSS via Fun Fact block event handler injection through classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenverse", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2025-7780-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/simpleTranscribeAudio(/|\\\\?|$)~i"}, {"name": "ARGS:url", "type": "regex", "value": "~^(?:(?!https?://)\\\\S+://|/|\\\\.{1,2}/|[A-Za-z]:\\\\\\\\)~i"}], "cve": "CVE-2025-7780", "description": "AI Engine <= 2.9.4 \\u2013 Arbitrary file read via non-HTTP scheme in simpleTranscribeAudio url param (file_get_contents sink)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "ai-engine", "target": "plugin", "versions": "<=2.9.4"}, "RULE-CVE-2025-7808-01": {"action": "init", "conditions": [{"name": "ARGS:product", "type": "detectXSS"}], "cve": "CVE-2025-7808", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7808", "description": "WP Shopify <1.5.4 Reflected XSS via product query parameter in [wp-shopify-continue-shopping] shortcode", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wp-shopify", "tags": ["xss", "reflected-xss", "shortcode", "unauthenticated"], "target": "plugin", "versions": "<1.5.4"}, "RULE-CVE-2025-7847-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai(?:-ui)?/v1/(?:files/upload|simpleFileUpload)(/|\\\\?|$)~i"}, {"name": "ARGS:filename", "type": "regex", "value": "~\\\\.(?:php[0-8]?|phps|pht|phtml|phar|cgi|pl|sh|htaccess)$~i"}], "cve": "CVE-2025-7847", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-7847", "description": "AI Engine >=2.9.3 <=2.9.4 authenticated arbitrary file upload via simpleFileUpload REST endpoint", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ai-engine", "tags": ["arbitrary-file-upload", "rest-api", "authenticated"], "target": "plugin", "versions": ">=2.9.3 <=2.9.4"}, "RULE-CVE-2025-8059-01": {"ajax_action": "rgfr_registration", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~(?:^|,)\\\\s*administrator\\\\s*(?:,|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8059", "method": "POST", "mode": "block", "severity": 9.8, "slug": "b-blocks", "target": "plugin", "versions": "<=2.0.6"}, "RULE-CVE-2025-8072-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~placeholder_img\\\\s*=\\\\s*([\\"\'])(?:(?!\\\\1).){0,300}?(?:<script|\\\\bon(?:error|load|mouseover|click|focus|mouseenter)\\\\s*=|javascript\\\\s*:)~is"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8072", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8072", "description": "Target Video Easy Publish <=3.8.8 Stored XSS via placeholder_img shortcode attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "brid-video-easy-publish", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.8.8"}, "RULE-CVE-2025-8073-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[plugincy_filters_single\\\\b[^\\\\]]*name\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-8073", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8073", "description": "Dynamic AJAX Product Filters for WooCommerce <=1.3.7 Stored XSS via plugincy_filters_single shortcode name attribute (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "dynamic-ajax-product-filters-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.3.7"}, "RULE-CVE-2025-8073-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[plugincy_filters_single\\\\b[^\\\\]]*name\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2025-8073", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8073", "description": "Dynamic AJAX Product Filters for WooCommerce <=1.3.7 Stored XSS via plugincy_filters_single shortcode name attribute (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "dynamic-ajax-product-filters-for-woocommerce", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.3.7"}, "RULE-CVE-2025-8081-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~tmp_name[\\"\']?\\\\s*[:=]\\\\s*[\\"\']?(?:\\\\.\\\\.[\\\\\\\\/]|/(?:etc|proc|var|usr|home|root)/|[a-zA-Z]:\\\\\\\\|wp-config\\\\.php|%00|\\\\\\\\x00|\\\\\\\\u002e)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8081", "method": "POST", "mode": "block", "severity": 4.9, "slug": "elementor", "target": "plugin", "versions": "<=3.30.2"}, "RULE-CVE-2025-8081-02": {"ajax_action": "elementor_library_direct_actions", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8081", "method": "POST", "mode": "block", "severity": 4.9, "slug": "elementor", "target": "plugin", "versions": "<=3.30.2"}, "RULE-CVE-2025-8084-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/helpers/create-images(/|\\\\?|$)~i"}, {"name": "ARGS:url", "type": "exists"}, {"name": "ARGS:url", "type": "regex", "value": "~https?://(?:127\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|10\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|172\\\\.(?:1[6-9]|2\\\\d|3[01])\\\\.\\\\d+\\\\.\\\\d+|192\\\\.168\\\\.\\\\d+\\\\.\\\\d+|169\\\\.254\\\\.\\\\d+\\\\.\\\\d+|0+177\\\\.|0x7f|0x0*a\\\\.|0x0*ac\\\\.(?:1[0-9a-f]|2[0-9a-f]|3[01])|0x0*c0\\\\.a8|localhost|\\\\[?::1\\\\]?|metadata\\\\.google\\\\.internal)~i"}], "cve": "CVE-2025-8084", "method": "POST", "mode": "block", "severity": 6.8, "slug": "ai-engine", "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-8084-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/helpers/create-images(/|\\\\?|$)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-8084", "method": "POST", "mode": "block", "severity": 6.8, "slug": "ai-engine", "target": "plugin", "versions": "<=3.1.8"}, "RULE-CVE-2025-8089-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[advanced[_-]iframe[^\\\\]]*additional\\\\s*=[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8089", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8089", "description": "Advanced iFrame <=2025.6 Stored XSS via shortcode \'additional\' attribute - Classic Editor event handler injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "advanced-iframe", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2025.6"}, "RULE-CVE-2025-8089-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[advanced[_-]iframe[^\\\\]]*additional\\\\s*=[^\\\\]]*(?:<script|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8089", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8089", "description": "Advanced iFrame <=2025.6 Stored XSS via shortcode \'additional\' attribute - Classic Editor script/javascript injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "advanced-iframe", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2025.6"}, "RULE-CVE-2025-8089-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[advanced[_-]iframe[^\\\\]]*additional\\\\s*=[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8089", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8089", "description": "Advanced iFrame <=2025.6 Stored XSS via shortcode \'additional\' attribute - REST API event handler injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "advanced-iframe", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2025.6"}, "RULE-CVE-2025-8089-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[advanced[_-]iframe[^\\\\]]*additional\\\\s*=[^\\\\]]*(?:<script|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8089", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8089", "description": "Advanced iFrame <=2025.6 Stored XSS via shortcode \'additional\' attribute - REST API script/javascript injection", "method": "POST", "mode": "block", "severity": 5.4, "slug": "advanced-iframe", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2025.6"}, "RULE-CVE-2025-8100-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "elementor_ajax"}, {"name": "ARGS:actions", "type": "contains", "value": "marker_content"}, {"name": "ARGS:actions", "type": "regex", "value": "~marker_content[^}]*(?:<\\\\s*script|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<\\\\s*(?:iframe|embed|object|svg)[^>]*\\\\bon\\\\w+\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8100", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8100", "description": "Element Pack Elementor Addons <=8.1.5 Stored XSS via Open Street Map widget marker_content", "method": "POST", "mode": "block", "severity": 5.4, "slug": "bdthemes-element-pack-lite", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=8.1.5"}, "RULE-CVE-2025-8102-01": {"action": "admin_init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:edd-action", "type": "regex", "value": "~^tools_tab_debug_log$~"}], "cve": "CVE-2025-8102", "mode": "block", "severity": 6.5, "slug": "easy-digital-downloads", "target": "plugin", "versions": "<4.0"}, "RULE-CVE-2025-8268-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/mwai-ui/v1/files/list|[?&]rest_route=/mwai-ui/v1/files/list)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8268", "method": "POST", "mode": "block", "severity": 6.5, "slug": "ai-engine", "target": "plugin", "versions": "<=2.9.5"}, "RULE-CVE-2025-8268-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-json/mwai-ui/v1/files/delete|[?&]rest_route=/mwai-ui/v1/files/delete)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8268", "method": "POST", "mode": "block", "severity": 6.5, "slug": "ai-engine", "target": "plugin", "versions": "<=2.9.5"}, "RULE-CVE-2025-8294-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[download_counter_url\\\\s[^\\\\]]*name\\\\s*=\\\\s*(?:\'[^\']*(?:<[^>]+>|on[a-zA-Z]+=)[^\']*\'|\\"[^\\"]*(?:<[^>]+>|on[a-zA-Z]+=)[^\\"]*\\"|[^\\\\]\\\\s\'\\"]*(?:<[^>]+>|on[a-zA-Z]+=)[^\\\\]\\\\s]*)~i"}], "cve": "CVE-2025-8294", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8294", "description": "Download Counter <=1.3 Authenticated (Contributor+) Stored XSS via download_counter_url shortcode name attribute in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "download-counter", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.3"}, "RULE-CVE-2025-8398-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:url|link)\\\\s*=\\\\s*[\\"\']?\\\\s*(?:javascript|vbscript|data)\\\\s*:~i"}], "cve": "CVE-2025-8398", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8398", "description": "azurecurve BBCode <=2.0.4 Stored XSS via [url] shortcode in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "azurecurve-bbcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-8398-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:url|link)\\\\s*=\\\\s*[\\"\']?\\\\s*(?:javascript|vbscript|data)\\\\s*:~i"}], "cve": "CVE-2025-8398", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8398", "description": "azurecurve BBCode <=2.0.4 Stored XSS via [url] shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "azurecurve-bbcode", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.4"}, "RULE-CVE-2025-8420-01": {"ajax_action": "emd_form_builder_lite_pagenum", "conditions": [{"name": "ARGS:form", "type": "regex", "value": "~(?i)\\\\b(?:phpinfo|system|exec|shell_exec|passthru|assert|eval|base64_decode|unlink|file_get_contents|file_put_contents|fopen|fwrite|popen|proc_open|pcntl_exec|dl|mail|header|setcookie|ini_set|ini_restore|putenv|apache_setenv|phpversion|php_uname|php_sapi_name|getmypid|getmyuid|get_current_user|posix_getuid|posix_getpwuid|posix_kill|disk_free_space|disk_total_space|readfile|highlight_file|show_source|wp_die|wp_logout|wp_cache_flush|wp_set_auth_cookie|wp_clear_auth_cookie|delete_option|update_option)\\\\b~"}], "cve": "CVE-2025-8420", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8420", "description": "Campus Directory <=1.9.2 unauthenticated limited RCE via dynamic function call in emd_form_builder_lite_pagenum AJAX handler (form parameter)", "method": "POST", "mode": "block", "severity": 8.1, "slug": "campus-directory", "tags": ["remote-code-execution", "eval-injection", "unauthenticated", "function-injection"], "target": "plugin", "versions": "<=1.9.2"}, "RULE-CVE-2025-8420-02": {"ajax_action": "emd_form_builder_lite_pagenum", "conditions": [{"name": "ARGS:app", "type": "regex", "value": "~(?i)\\\\b(?:phpinfo|system|exec|shell_exec|passthru|assert|eval|base64_decode|unlink|file_get_contents|file_put_contents|fopen|fwrite|popen|proc_open|pcntl_exec|dl|mail|header|setcookie|ini_set|ini_restore|putenv|apache_setenv|phpversion|php_uname|php_sapi_name|getmypid|getmyuid|get_current_user|posix_getuid|posix_getpwuid|posix_kill|disk_free_space|disk_total_space|readfile|highlight_file|show_source|wp_die|wp_logout|wp_cache_flush|wp_set_auth_cookie|wp_clear_auth_cookie|delete_option|update_option)\\\\b~"}], "cve": "CVE-2025-8420", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8420", "description": "Campus Directory <=1.9.2 unauthenticated limited RCE via dynamic function call in emd_form_builder_lite_pagenum AJAX handler (app parameter)", "method": "POST", "mode": "block", "severity": 8.1, "slug": "campus-directory", "tags": ["remote-code-execution", "eval-injection", "unauthenticated", "function-injection"], "target": "plugin", "versions": "<=1.9.2"}, "RULE-CVE-2025-8425-01": {"ajax_action": "ajax_import_strings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8425", "mode": "block", "severity": 8.8, "slug": "my-wp-translate", "target": "plugin", "versions": "<=1.1.0"}, "RULE-CVE-2025-8483-01": {"ajax_action": "ajax_validation", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\[\\\\s*[a-zA-Z_][a-zA-Z0-9_-]*(?:\\\\s[^\\\\]]*)?\\\\]~"}], "cve": "CVE-2025-8483", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8483", "description": "Discussion Board <= 2.5.5 arbitrary shortcode execution via ajax_validation AJAX handler", "method": "POST", "mode": "block", "severity": 6.3, "slug": "wp-discussion-board", "tags": ["code-injection", "shortcode-injection", "unauthenticated"], "target": "plugin", "versions": "<=2.5.5"}, "RULE-CVE-2025-8484-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/|^)wp-content/(?:code-quality-logs/[^/]*[.](log|ini)|_php_errors(?:[.]count)?[.]log|_php_code_control[.]ini)(?:[?#]|$)~i"}], "cve": "CVE-2025-8484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8484", "description": "Code Quality Control Tool <= 2.1 unauthenticated sensitive information exposure via publicly accessible log files", "method": "GET", "mode": "block", "severity": 5.3, "slug": "code-quality-control-tool", "tags": ["information-exposure", "unauthenticated", "log-file-disclosure"], "target": "plugin", "versions": "<=2.1"}, "RULE-CVE-2025-8484-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/|^)wp-content/code-quality-logs/?(?:[?#]|$)~i"}], "cve": "CVE-2025-8484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8484", "description": "Code Quality Control Tool <= 2.1 unauthenticated directory listing of log directory", "method": "GET", "mode": "block", "severity": 5.3, "slug": "code-quality-control-tool", "tags": ["information-exposure", "unauthenticated", "directory-listing"], "target": "plugin", "versions": "<=2.1"}, "RULE-CVE-2025-8489-01": {"ajax_action": "king_addons_register", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "king_addons_register"}, {"name": "ARGS:user_role", "type": "regex", "value": "~^(administrator|editor|author|contributor|shop_manager)$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8489", "method": "POST", "mode": "block", "severity": 9.8, "slug": "king-addons", "target": "plugin", "versions": ">=24.12.92 <=51.1.14"}, "RULE-CVE-2025-8562-01": {"action": "template_redirect", "conditions": [{"name": "ARGS:lens", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{2,}[\\\\\\\\/]+|%2e%2e(?:%2f|%5c)|%252e%252e)~i"}], "cve": "CVE-2025-8562", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8562", "description": "Custom Query Shortcode <=0.4.0 authenticated path traversal via lens parameter", "mode": "block", "severity": 6.5, "slug": "custom-query-shortcode", "tags": ["path-traversal", "local-file-inclusion", "shortcode"], "target": "plugin", "versions": "<=0.4.0"}, "RULE-CVE-2025-8562-02": {"action": "template_redirect", "conditions": [{"name": "ARGS:twig_template", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|\\\\.{2,}[\\\\\\\\/]+|%2e%2e(?:%2f|%5c)|%252e%252e)~i"}], "cve": "CVE-2025-8562", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8562", "description": "Custom Query Shortcode <=0.4.0 authenticated path traversal via twig_template parameter", "mode": "block", "severity": 6.5, "slug": "custom-query-shortcode", "tags": ["path-traversal", "local-file-inclusion", "shortcode"], "target": "plugin", "versions": "<=0.4.0"}, "RULE-CVE-2025-8566-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~gutenbee/countup[^}]*(?:prefix|suffix)[^}]*(?:<script|<img[^>]+onerror|<svg[^>]+onload|<[^>]+on(?:error|load|click|mouseover|focus)\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8566", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8566", "description": "GutenBee <=2.18.0 Stored XSS via CountUp block prefix/suffix attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenbee", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.18.0"}, "RULE-CVE-2025-8566-02": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~gutenbee/google-maps[^}]*(?:<script|<img[^>]+onerror|<svg[^>]+onload|<[^>]+on(?:error|load|click|mouseover|focus)\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8566", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8566", "description": "GutenBee <=2.18.0 Stored XSS via Google Maps block marker popup attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenbee", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.18.0"}, "RULE-CVE-2025-8605-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:gutenify/countup(?:-v2)?~"}, {"name": "ARGS:content", "type": "regex", "value": "~<\\\\s*(?:script[\\\\s>]|(?:iframe|embed|object|svg|img|a)\\\\b[^>]*(?:on[a-z]+=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8605", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8605", "description": "Gutenify <=1.5.9 Authenticated (Contributor+) Stored XSS via Count Up block attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenify", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.5.9"}, "RULE-CVE-2025-8605-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:gutenify/countup(?:-v2)?~"}, {"name": "ARGS:content", "type": "regex", "value": "~<\\\\s*(?:script[\\\\s>]|(?:iframe|embed|object|svg|img|a)\\\\b[^>]*(?:on[a-z]+=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8605", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8605", "description": "Gutenify <=1.5.9 Authenticated (Contributor+) Stored XSS via Count Up block attributes in classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenify", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.5.9"}, "RULE-CVE-2025-8625-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/copypress/v1/image(/|\\\\?|$)~"}, {"name": "ARGS:filename", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|t|tml)|phtml)$~i"}], "cve": "CVE-2025-8625", "method": "POST", "mode": "block", "severity": 9.8, "slug": "copypress-rest-api", "target": "plugin", "versions": ">=1.1 <=1.2"}, "RULE-CVE-2025-8625-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/copypress/v1/image(/|\\\\?|$)~"}, {"name": "ARGS:image_url", "type": "regex", "value": "~\\\\.ph(?:p[0-9]?|t|tml)(?:$|[?#])~i"}], "cve": "CVE-2025-8625", "method": "POST", "mode": "block", "severity": 9.8, "slug": "copypress-rest-api", "target": "plugin", "versions": ">=1.1 <=1.2"}, "RULE-CVE-2025-8676-01": {"ajax_action": "get_active_plugins", "conditions": [{"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2025-8676", "mode": "block", "severity": 4.3, "slug": "b-slider", "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-8676-02": {"ajax_action": "get_popular_plugins", "conditions": [{"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2025-8676", "mode": "block", "severity": 4.3, "slug": "b-slider", "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-8680-01": {"ajax_action": "fs_api_request", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8680", "method": "POST", "mode": "block", "severity": 4.3, "slug": "b-slider", "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2025-8689-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "elementor_ajax"}, {"name": "ARGS:actions", "type": "regex", "value": "~ep-image-comparison|ep-hotspot|ep-google-maps~i"}, {"name": "ARGS:actions", "type": "regex", "value": "~<script[\\\\s>]|javascript\\\\s*:|<[a-zA-Z][^>]*[[:space:]]+on[a-z]+=|<iframe[\\\\s>]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8689", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8689", "description": "Elements Plus! <=2.16.4 Stored XSS via Image Comparison, HotSpot Plus, Google Maps widgets (Elementor AJAX save)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "elements-plus", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.16.4"}, "RULE-CVE-2025-8689-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/elementor/v\\\\d+/document(/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~ep-image-comparison|ep-hotspot|ep-google-maps~i"}, {"name": "ARGS", "type": "regex", "value": "~<script[\\\\s>]|javascript\\\\s*:|<[a-zA-Z][^>]*[[:space:]]+on[a-z]+=|<iframe[\\\\s>]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8689", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8689", "description": "Elements Plus! <=2.16.4 Stored XSS via Image Comparison, HotSpot Plus, Google Maps widgets (Elementor REST save)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "elements-plus", "tags": ["xss", "stored-xss", "elementor-widget", "rest-api"], "target": "plugin", "versions": "<=2.16.4"}, "RULE-CVE-2025-8689-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/post\\\\.php~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~ep-image-comparison|ep-hotspot|ep-google-maps~i"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~<script[\\\\s>]|javascript\\\\s*:|<[a-zA-Z][^>]*[[:space:]]+on[a-z]+=|<iframe[\\\\s>]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8689", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8689", "description": "Elements Plus! <=2.16.4 Stored XSS via Image Comparison, HotSpot Plus, Google Maps widgets (classic editor save)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "elements-plus", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.16.4"}, "RULE-CVE-2025-8721-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[workable_jobs\\\\b[^\\\\]]*(?:<script|<iframe|<svg|<img|<object|<embed|<link|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8721", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8721", "description": "Workable API <=1.0.4 Stored XSS via workable_jobs shortcode attributes in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wrapper-for-workable-api", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-8721-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[workable_jobs\\\\b[^\\\\]]*(?:<script|<iframe|<svg|<img|<object|<embed|<link|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-8721", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8721", "description": "Workable API <=1.0.4 Stored XSS via workable_jobs shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wrapper-for-workable-api", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2025-8722-01": {"ajax_action": "pagination_request", "conditions": [{"name": "ARGS:sid", "type": "detectXSS"}], "cve": "CVE-2025-8722", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8722", "description": "Content Views <= 4.1 reflected XSS via sid parameter in pagination_request AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "content-views-query-and-display-post-page", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.1"}, "RULE-CVE-2025-8722-02": {"ajax_action": "preview_request", "conditions": [{"type": "missing_capability", "value": "unfiltered_html"}, {"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<iframe[^>]*>~i"}], "cve": "CVE-2025-8722", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8722", "description": "Content Views <= 4.1 stored XSS via preview_request AJAX handler - contributor+ can inject malicious widget attributes", "method": "POST", "mode": "block", "severity": 6.4, "slug": "content-views-query-and-display-post-page", "tags": ["xss", "stored-xss", "contributor"], "target": "plugin", "versions": "<=4.1"}, "RULE-CVE-2025-8723-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/settings(?:/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~cf_image_resizing_~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-8723", "method": "POST", "mode": "block", "severity": 9.8, "slug": "cf-image-resizing", "target": "plugin", "versions": "<=1.5.6"}, "RULE-CVE-2025-8781-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/bookster/v1/~"}, {"name": "ARGS:raw", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d|(?:SELECT|INSERT|UPDATE|DELETE)\\\\s.*\\\\bFROM\\\\b|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2025-8781", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8781", "description": "Bookster <=2.1.1 authenticated SQL Injection via raw parameter on REST API endpoints", "mode": "block", "severity": 4.9, "slug": "bookster", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.1.1"}, "RULE-CVE-2025-8896-01": {"action": "init", "conditions": [{"name": "ARGS:gdpr_communication_preferences[/[0-9]+/]", "type": "regex", "value": "~(?:<[a-z/!][^>]*>|on(?:load|error|mouseover|click|focus|blur|mouseout|mousemove|mousedown|mouseup|keydown|keyup|keypress|change|submit|reset|select|abort|dblclick|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|input|contextmenu|pointerdown|pointerenter|pointerleave|pointermove|pointerout|pointerover|pointerup) *=|javascript *:)~i"}], "cve": "CVE-2025-8896", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8896", "description": "Profile Builder <=3.14.3 Stored XSS via gdpr_communication_preferences[] parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "profile-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.14.3"}, "RULE-CVE-2025-8977-01": {"ajax_action": "sdm_export_logs", "conditions": [{"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2025-8977", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8977", "description": "Simple Download Monitor <=3.9.33 authenticated SQL injection via order parameter in sdm_export_logs AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-download-monitor", "tags": ["sql-injection", "authenticated", "broken-access-control"], "target": "plugin", "versions": "<=3.9.33"}, "RULE-CVE-2025-8977-02": {"ajax_action": "sdm_export_logs", "conditions": [{"name": "ARGS:orderby", "type": "detectSQLi"}], "cve": "CVE-2025-8977", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8977", "description": "Simple Download Monitor <=3.9.33 authenticated SQL injection via orderby parameter in sdm_export_logs AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-download-monitor", "tags": ["sql-injection", "authenticated", "broken-access-control"], "target": "plugin", "versions": "<=3.9.33"}, "RULE-CVE-2025-8994-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/pm/v2/projects/\\\\d+/tasks(?:[/?&]|$)~"}, {"name": "ARGS:completed_at_operator", "type": "regex", "value": "~(?i)(?:OR|AND)\\\\s+(?:SLEEP|BENCHMARK|WAITFOR|IF\\\\s*\\\\(|EXTRACTVALUE|UPDATEXML|\\\\d+\\\\s*=\\\\s*\\\\d+)~"}], "cve": "CVE-2025-8994", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-8994", "description": "WP Project Manager <=2.6.26 authenticated (Subscriber+) time-based SQL injection via completed_at_operator REST parameter", "method": "GET", "mode": "block", "severity": 6.5, "slug": "wedevs-project-manager", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=2.6.26"}, "RULE-CVE-2025-9045-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~eead-countdown~"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:prefix_text|suffix_text)~"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:<\\\\s*(?:script|svg|iframe|embed|object|form)\\\\b|<[^>]*\\\\bon\\\\w+\\\\s*=|javascript:|<details[^>]*\\\\bopen\\\\b)~i"}], "cve": "CVE-2025-9045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9045", "description": "Easy Elementor Addons <=2.2.9 Authenticated (Contributor+) Stored XSS via Countdown widget prefix_text/suffix_text", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-elementor-addons", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.2.9"}, "RULE-CVE-2025-9045-02": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~eead-image-comparison~"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:before_label|after_label)~"}, {"name": "ARGS:actions", "type": "regex", "value": "~(?:<\\\\s*(?:script|svg|iframe|embed|object|form)\\\\b|<[^>]*\\\\bon\\\\w+\\\\s*=|javascript:|<details[^>]*\\\\bopen\\\\b)~i"}], "cve": "CVE-2025-9045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9045", "description": "Easy Elementor Addons <=2.2.9 Authenticated (Contributor+) Stored XSS via Image Comparison widget before_label/after_label", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-elementor-addons", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.2.9"}, "RULE-CVE-2025-9077-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~ut_type_out_animated_heading.{0,500}?(?:<[a-zA-Z/!]|\\\\\\\\u003[cC])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9077", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9077", "description": "Ultra Addons Lite for Elementor <=1.1.9 authenticated stored XSS via Typeout Widget Animated Text field (AJAX save)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ut-elementor-addons-lite", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=1.1.9"}, "RULE-CVE-2025-9123-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_cbxgooglemap_heading", "type": "detectXSS"}], "cve": "CVE-2025-9123", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9123", "description": "CBX Map for Google Map & OpenStreetMap <=2.0.1 authenticated (Contributor+) stored XSS via popup heading meta field", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cbxgooglemap", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2025-9123-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_cbxgooglemap_address", "type": "detectXSS"}], "cve": "CVE-2025-9123", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9123", "description": "CBX Map for Google Map & OpenStreetMap <=2.0.1 authenticated (Contributor+) stored XSS via location address meta field", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cbxgooglemap", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2025-9129-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[flexi-form-tag\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|<img[^>]+onerror|<svg[^>]+onload|<iframe)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9129", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9129", "description": "Flexi <= 4.28 Stored XSS via flexi-form-tag shortcode in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "flexi", "tags": ["xss", "stored-xss", "shortcode", "contributor"], "target": "plugin", "versions": "<=4.28"}, "RULE-CVE-2025-9129-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[flexi-form-tag\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|<img[^>]+onerror|<svg[^>]+onload|<iframe)[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9129", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9129", "description": "Flexi <= 4.28 Stored XSS via flexi-form-tag shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "flexi", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "contributor"], "target": "plugin", "versions": "<=4.28"}, "RULE-CVE-2025-9130-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[unify_checkout\\\\b[^\\\\]]*(?:<script|\\\\bon(?:error|load|click|mouseover|focus|change|submit|focusin)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9130", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9130", "description": "Unify <=3.4.7 Authenticated (Contributor+) Stored XSS via unify_checkout shortcode token attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "unify", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.4.7"}, "RULE-CVE-2025-9130-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[unify_checkout\\\\b[^\\\\]]*(?:<script|\\\\bon(?:error|load|click|mouseover|focus|change|submit|focusin)\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9130", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9130", "description": "Unify <=3.4.7 Authenticated (Contributor+) Stored XSS via unify_checkout shortcode token attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "unify", "tags": ["xss", "stored-xss", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=3.4.7"}, "RULE-CVE-2025-9204-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~xaddons_button_url[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-9204", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9204", "description": "X Addons for Elementor <=1.0.16 authenticated (Contributor+) stored XSS via _elementor_data on post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "x-addons-elementor", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=1.0.16"}, "RULE-CVE-2025-9215-01": {"ajax_action": "storeengine_csv/file_download", "conditions": [{"name": "ARGS:filename", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2025-9215", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9215", "description": "StoreEngine <=1.5.0 authenticated path traversal via file_download AJAX handler (filename parameter with directory traversal sequences)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "storeengine", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=1.5.0"}, "RULE-CVE-2025-9215-02": {"ajax_action": "storeengine_csv/file_download", "conditions": [{"name": "ARGS:filename", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}], "cve": "CVE-2025-9215", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9215", "description": "StoreEngine <=1.5.0 authenticated sensitive file read via file_download AJAX handler (filename parameter targeting known sensitive files)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "storeengine", "tags": ["path-traversal", "arbitrary-file-read", "sensitive-file-read", "authenticated"], "target": "plugin", "versions": "<=1.5.0"}, "RULE-CVE-2025-9216-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "storeengine_csv/import"}, {"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9216", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9216", "description": "StoreEngine <=1.5.0 authenticated arbitrary file upload via storeengine_csv/import AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "storeengine", "tags": ["arbitrary-file-upload", "missing-authorization", "remote-code-execution", "authenticated"], "target": "plugin", "versions": "<=1.5.0"}, "RULE-CVE-2025-9219-01": {"ajax_action": "update_post_smtp_pro_option", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9219", "method": "POST", "mode": "block", "severity": 4.3, "slug": "post-smtp", "target": "plugin", "versions": "<=3.4.1"}, "RULE-CVE-2025-9243-01": {"ajax_action": "get_cc_orders", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9243", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9243", "description": "Cost Calculator Builder <=3.5.32 missing authorization on get_cc_orders AJAX handler allowing Subscriber+ order data access", "method": "POST", "mode": "block", "severity": 8.1, "slug": "cost-calculator-builder", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<=3.5.32"}, "RULE-CVE-2025-9243-02": {"ajax_action": "update_order_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9243", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9243", "description": "Cost Calculator Builder <=3.5.32 missing authorization on update_order_status AJAX handler allowing Subscriber+ order modification", "method": "POST", "mode": "block", "severity": 8.1, "slug": "cost-calculator-builder", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<=3.5.32"}, "RULE-CVE-2025-9260-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-admin/profile\\\\.php~"}, {"name": "ARGS:description", "type": "regex", "value": "~O:\\\\d+:\\"~"}], "cve": "CVE-2025-9260", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9260", "description": "Fluent Forms 5.1.16-6.1.1 PHP Object Injection via serialized payload in user profile description (profile.php)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "fluentform", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": ">=5.1.16 <=6.1.1"}, "RULE-CVE-2025-9260-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/users(/|\\\\?|$)~"}, {"name": "ARGS:description", "type": "regex", "value": "~O:\\\\d+:\\"~"}], "cve": "CVE-2025-9260", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9260", "description": "Fluent Forms 5.1.16-6.1.1 PHP Object Injection via serialized payload in user profile description (REST API)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "fluentform", "tags": ["object-injection", "deserialization", "authenticated", "rest-api"], "target": "plugin", "versions": ">=5.1.16 <=6.1.1"}, "RULE-CVE-2025-9286-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/appy-pie-connect-for-woocommerce/v1/reset_user_password(?:/|\\\\?|&|$)~"}], "cve": "CVE-2025-9286", "method": "POST", "mode": "block", "severity": 9.8, "slug": "appy-pie-connect-for-woocommerce", "target": "plugin", "versions": "<=1.1.2"}, "RULE-CVE-2025-9322-01": {"action": "admin_init", "conditions": [{"name": "ARGS:wpfs-form-name", "type": "detectSQLi"}], "cve": "CVE-2025-9322", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9322", "description": "WP Full Stripe Free <=8.3.1 unauthenticated SQL injection via wpfs-form-name parameter in wpfs-check-coupon AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-full-stripe-free", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=8.3.1"}, "RULE-CVE-2025-9343-01": {"ajax_action": "eh_crm_new_ticket_post", "conditions": [{"name": "ARGS:subject", "type": "detectXSS"}], "cve": "CVE-2025-9343", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9343", "description": "ELEX WordPress HelpDesk & Customer Ticketing System <=3.3.4 unauthenticated stored XSS via ticket subject in eh_crm_new_ticket_post", "method": "POST", "mode": "block", "severity": 7.2, "slug": "elex-helpdesk-customer-support-ticket-system", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.3.4"}, "RULE-CVE-2025-9344-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[uwp_profile(?:_header)?\\\\s+[^\\\\]]*disable_greedy\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|on[a-z]+=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-9344", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9344", "description": "UsersWP <=1.2.42 Stored XSS via disable_greedy shortcode attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "userswp", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.2.42"}, "RULE-CVE-2025-9344-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[uwp_profile(?:_header)?\\\\s+[^\\\\]]*disable_greedy\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|on[a-z]+=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-9344", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9344", "description": "UsersWP <=1.2.42 Stored XSS via disable_greedy shortcode attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "userswp", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.2.42"}, "RULE-CVE-2025-9353-01": {"ajax_action": "tb_save_data", "conditions": [{"name": "ARGS:builder_data", "type": "regex", "value": "~<\\\\s*script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2025-9353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9353", "description": "Themify Builder <=7.6.9 authenticated (Contributor+) Stored XSS via builder_data parameter in tb_save_data AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "themify-builder", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=7.6.9"}, "RULE-CVE-2025-9353-02": {"ajax_action": "tb_render_element", "conditions": [{"name": "ARGS:batch", "type": "regex", "value": "~<\\\\s*script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2025-9353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9353", "description": "Themify Builder <=7.6.9 authenticated (Contributor+) Stored XSS via batch parameter in tb_render_element AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "themify-builder", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=7.6.9"}, "RULE-CVE-2025-9378-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "contains", "value": "vayu-blocks/lottie"}, {"name": "ARGS:post_content", "type": "regex", "value": "~vayu-blocks/lottie[\\\\s\\\\S]{0,1000}(?:[\\"\']\\\\s*(?:on(?:mouse(?:over|enter|leave|move|out|down|up)|click|dblclick|key(?:down|up|press)|focus|blur|load|error|submit|change|input|scroll|wheel|drag|drop|touch(?:start|end|move|cancel)|pointer(?:down|up|move|enter|leave|over|out)|animation(?:start|end|iteration)|transition(?:end|run|start))\\\\s*=)|<\\\\s*script|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-9378", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9378", "description": "Vayu Blocks <=1.3.9 Stored XSS via unescaped Lottie block attributes in classic editor post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "vayu-blocks", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=1.3.9"}, "RULE-CVE-2025-9378-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "vayu-blocks/lottie"}, {"name": "ARGS:content", "type": "regex", "value": "~vayu-blocks/lottie[\\\\s\\\\S]{0,1000}(?:[\\"\']\\\\s*(?:on(?:mouse(?:over|enter|leave|move|out|down|up)|click|dblclick|key(?:down|up|press)|focus|blur|load|error|submit|change|input|scroll|wheel|drag|drop|touch(?:start|end|move|cancel)|pointer(?:down|up|move|enter|leave|over|out)|animation(?:start|end|iteration)|transition(?:end|run|start))\\\\s*=)|<\\\\s*script|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2025-9378", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9378", "description": "Vayu Blocks <=1.3.9 Stored XSS via unescaped Lottie block attributes in REST API post/page creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "vayu-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "rest-api"], "target": "plugin", "versions": "<=1.3.9"}, "RULE-CVE-2025-9463-01": {"ajax_action": "pp-analytics-query", "conditions": [{"name": "ARGS:order_by", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|(?:SELECT|IF|CASE)\\\\s*\\\\(|--\\\\s*$|/\\\\*|\\\\*/|#\\\\s)~i"}], "cve": "CVE-2025-9463", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9463", "description": "PeachPay for WooCommerce <=1.117.5 authenticated SQL injection via order_by parameter in pp-analytics-query AJAX handler", "mode": "block", "severity": 6.5, "slug": "peachpay-for-woocommerce", "tags": ["sql-injection", "authenticated", "time-based-blind"], "target": "plugin", "versions": "<=1.117.5"}, "RULE-CVE-2025-9463-02": {"ajax_action": "pp-analytics-query", "conditions": [{"name": "ARGS:group_by", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|(?:SELECT|IF|CASE)\\\\s*\\\\(|--\\\\s*$|/\\\\*|\\\\*/|#\\\\s)~i"}], "cve": "CVE-2025-9463", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9463", "description": "PeachPay for WooCommerce <=1.117.5 authenticated SQL injection via group_by parameter in pp-analytics-query AJAX handler", "mode": "block", "severity": 6.5, "slug": "peachpay-for-woocommerce", "tags": ["sql-injection", "authenticated", "time-based-blind"], "target": "plugin", "versions": "<=1.117.5"}, "RULE-CVE-2025-9485-01": {"action": "init", "conditions": [{"name": "ARGS:id_token", "type": "regex", "value": "~^eyJhbGciOiJub25lI~"}], "cve": "CVE-2025-9485", "method": "GET", "mode": "block", "severity": 9.8, "slug": "miniorange-login-with-eve-online-google-facebook", "target": "plugin", "versions": "<=6.26.12"}, "RULE-CVE-2025-9485-02": {"action": "init", "conditions": [{"name": "ARGS:id_token", "type": "regex", "value": "~^eyJhbGciOiJub25lI~"}], "cve": "CVE-2025-9485", "method": "POST", "mode": "block", "severity": 9.8, "slug": "miniorange-login-with-eve-online-google-facebook", "target": "plugin", "versions": "<=6.26.12"}, "RULE-CVE-2025-9488-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(bloginfo|redux_bloginfo|themeinfo|redux_themeinfo|date|redux_date)\\\\s+[^\\\\]]*data\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9488", "description": "Redux Framework <=4.5.8 Stored XSS via shortcode data attribute with HTML tags in classic editor post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "redux-framework", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.8"}, "RULE-CVE-2025-9488-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(bloginfo|redux_bloginfo|themeinfo|redux_themeinfo|date|redux_date)\\\\][^\\\\[]*<(script|iframe|svg|img|details|object|embed|video|audio|input|form)\\\\b~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9488", "description": "Redux Framework <=4.5.8 Stored XSS via shortcode enclosed content with HTML tags in classic editor post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "redux-framework", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.8"}, "RULE-CVE-2025-9488-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(bloginfo|redux_bloginfo|themeinfo|redux_themeinfo|date|redux_date)\\\\s+[^\\\\]]*data\\\\s*=\\\\s*[\\"\'][^\\"\']*\\\\bon\\\\w+\\\\s*=[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9488", "description": "Redux Framework <=4.5.8 Stored XSS via shortcode data attribute with event handlers in classic editor post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "redux-framework", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.8"}, "RULE-CVE-2025-9488-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(bloginfo|redux_bloginfo|themeinfo|redux_themeinfo|date|redux_date)\\\\s+[^\\\\]]*data\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9488", "description": "Redux Framework <=4.5.8 Stored XSS via shortcode data attribute with HTML tags in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "redux-framework", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.8"}, "RULE-CVE-2025-9488-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(bloginfo|redux_bloginfo|themeinfo|redux_themeinfo|date|redux_date)\\\\][^\\\\[]*<(script|iframe|svg|img|details|object|embed|video|audio|input|form)\\\\b~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9488", "description": "Redux Framework <=4.5.8 Stored XSS via shortcode enclosed content with HTML tags in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "redux-framework", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.8"}, "RULE-CVE-2025-9488-06": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(bloginfo|redux_bloginfo|themeinfo|redux_themeinfo|date|redux_date)\\\\s+[^\\\\]]*data\\\\s*=\\\\s*[\\"\'][^\\"\']*\\\\bon\\\\w+\\\\s*=[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9488", "description": "Redux Framework <=4.5.8 Stored XSS via shortcode data attribute with event handlers in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "redux-framework", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.5.8"}, "RULE-CVE-2025-9493-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ame-user-info [^\\\\]]*placeholder[ ]*=[ ]*(?:\\"[^\\"\\\\]]*|\'[^\'\\\\]]*)(?:<[ ]*script|javascript[ ]*:|on(?:load|error|click|mouseover|focus|blur|change|submit|keydown|keyup|keypress)[ ]*=)~i"}], "cve": "CVE-2025-9493", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9493", "description": "Admin Menu Editor <=1.14 Stored XSS via [ame-user-info] shortcode placeholder attribute in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "admin-menu-editor", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.14"}, "RULE-CVE-2025-9493-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ame-user-info [^\\\\]]*placeholder[ ]*=[ ]*(?:\\"[^\\"\\\\]]*|\'[^\'\\\\]]*)(?:<[ ]*script|javascript[ ]*:|on(?:load|error|click|mouseover|focus|blur|change|submit|keydown|keyup|keypress)[ ]*=)~i"}], "cve": "CVE-2025-9493", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9493", "description": "Admin Menu Editor <=1.14 Stored XSS via [ame-user-info] shortcode placeholder attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "admin-menu-editor", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.14"}, "RULE-CVE-2025-9496-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[file_modified\\\\b[^\\\\]]*format\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|&#)~i"}], "cve": "CVE-2025-9496", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9496", "description": "Enable Media Replace <=4.1.6 Stored XSS via file_modified shortcode format attribute (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "enable-media-replace", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.1.6"}, "RULE-CVE-2025-9496-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[file_modified\\\\b[^\\\\]]*format\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|&#)~i"}], "cve": "CVE-2025-9496", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9496", "description": "Enable Media Replace <=4.1.6 Stored XSS via file_modified shortcode format attribute (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "enable-media-replace", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.1.6"}, "RULE-CVE-2025-9499-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[oceanwp_library\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\]\\\\s]*)(?:<|on[a-z]+=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9499", "description": "Ocean Extra <=2.4.9 Stored XSS via oceanwp_library shortcode id attribute in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ocean-extra", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2025-9500-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~shortcode_debug\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\"\'\\\\]]*)<(?:script|img|svg|iframe|object|embed|form|input|body|style|link|meta|base)[\\\\s/>]~i"}], "cve": "CVE-2025-9500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9500", "description": "TablePress <=3.2 Authenticated (Contributor+) Stored XSS via shortcode_debug attribute in post_content (classic editor - HTML tags)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.2"}, "RULE-CVE-2025-9500-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~shortcode_debug\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\"\'\\\\]]*)on(?:load|error|click|mouseover|focus|blur|submit|change|input|keydown|keyup|keypress)\\\\s*=~i"}], "cve": "CVE-2025-9500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9500", "description": "TablePress <=3.2 Authenticated (Contributor+) Stored XSS via shortcode_debug attribute in post_content (classic editor - event handlers)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.2"}, "RULE-CVE-2025-9500-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~shortcode_debug\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\"\'\\\\]]*)javascript\\\\s*:~i"}], "cve": "CVE-2025-9500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9500", "description": "TablePress <=3.2 Authenticated (Contributor+) Stored XSS via shortcode_debug attribute in post_content (classic editor - javascript URI)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.2"}, "RULE-CVE-2025-9500-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~shortcode_debug\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\"\'\\\\]]*)<(?:script|img|svg|iframe|object|embed|form|input|body|style|link|meta|base)[\\\\s/>]~i"}], "cve": "CVE-2025-9500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9500", "description": "TablePress <=3.2 Authenticated (Contributor+) Stored XSS via shortcode_debug attribute in REST API content (Gutenberg - HTML tags)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.2"}, "RULE-CVE-2025-9500-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~shortcode_debug\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\"\'\\\\]]*)on(?:load|error|click|mouseover|focus|blur|submit|change|input|keydown|keyup|keypress)\\\\s*=~i"}], "cve": "CVE-2025-9500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9500", "description": "TablePress <=3.2 Authenticated (Contributor+) Stored XSS via shortcode_debug attribute in REST API content (Gutenberg - event handlers)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.2"}, "RULE-CVE-2025-9500-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~shortcode_debug\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\s\\"\'\\\\]]*)javascript\\\\s*:~i"}], "cve": "CVE-2025-9500", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9500", "description": "TablePress <=3.2 Authenticated (Contributor+) Stored XSS via shortcode_debug attribute in REST API content (Gutenberg - javascript URI)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tablepress", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.2"}, "RULE-CVE-2025-9501-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-comments-post\\\\.php(?:\\\\?.*)?$~"}, {"name": "ARGS:comment", "type": "regex", "value": "~<!--\\\\s*mfunc\\\\b~i"}], "cve": "CVE-2025-9501", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9501", "description": "W3 Total Cache < 2.8.13 command injection via mfunc tags in unauthenticated comments processed by _parse_dynamic_mfunc, as described by NVD and WPScan and detailed in SiteGuarding advisories.", "method": "POST", "mode": "block", "severity": 9.0, "slug": "w3-total-cache", "tags": ["rce", "command_injection", "comments", "w3-total-cache", "mfunc", "cwe-78"], "target": "plugin", "versions": "<2.8.13"}, "RULE-CVE-2025-9501-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-comments-post\\\\.php(?:\\\\?.*)?$~"}, {"name": "ARGS:comment", "type": "regex", "value": "~<!--\\\\s*mclude\\\\b~i"}], "cve": "CVE-2025-9501", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9501", "description": "W3 Total Cache < 2.8.13 command injection attempts using mclude fragment tags in unauthenticated comments evaluated by _parse_dynamic_mfunc, per NVD, WPScan, and SiteGuarding analyses.", "method": "POST", "mode": "block", "severity": 9.0, "slug": "w3-total-cache", "tags": ["rce", "command_injection", "comments", "w3-total-cache", "mclude", "cwe-78"], "target": "plugin", "versions": "<2.8.13"}, "RULE-CVE-2025-9512-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~<[a-z][^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-9512", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9512", "description": "Schema & Structured Data for WP & AMP <=1.49 unauthenticated stored XSS via comment HTML attribute injection", "method": "POST", "mode": "block", "severity": 6.1, "slug": "schema-and-structured-data-for-wp", "tags": ["xss", "stored-xss", "unauthenticated", "comment-injection"], "target": "plugin", "versions": "<=1.49"}, "RULE-CVE-2025-9512-02": {"ajax_action": "saswp_rf_template_review_edit_form", "conditions": [{"name": "ARGS:comment_id", "type": "regex", "value": "~<[^>]*>|\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-9512", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9512", "description": "Schema & Structured Data for WP & AMP <=1.49 reflected XSS via unsanitized comment_id in review edit form AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "schema-and-structured-data-for-wp", "tags": ["xss", "reflected-xss", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.49"}, "RULE-CVE-2025-9512-03": {"ajax_action": "saswp_rf_template_review_edit_form", "conditions": [{"name": "ARGS:comment_post_id", "type": "regex", "value": "~<[^>]*>|\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2025-9512", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9512", "description": "Schema & Structured Data for WP & AMP <=1.49 reflected XSS via unsanitized comment_post_id in review edit form AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "schema-and-structured-data-for-wp", "tags": ["xss", "reflected-xss", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.49"}, "RULE-CVE-2025-9519-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[easy_timer_(?:clock|counter|countdown|countup)[^\\\\]]*filter\\\\s*=\\\\s*[\\"\'\\\\\\\\]?\\\\s*(?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|preg_replace|create_function|call_user_func|call_user_func_array|array_map|array_filter|usort|uasort|uksort)\\\\b~i"}], "cve": "CVE-2025-9519", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9519", "description": "Easy Timer <=4.2.1 authenticated (Editor+) RCE via shortcode filter attribute in post content", "method": "POST", "mode": "block", "severity": 7.2, "slug": "easy-timer", "tags": ["code-injection", "rce", "shortcode", "authenticated"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-9519-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[easy_timer_(?:clock|counter|countdown|countup)[^\\\\]]*filter\\\\s*=\\\\s*[\\"\'\\\\\\\\]?\\\\s*(?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval|preg_replace|create_function|call_user_func|call_user_func_array|array_map|array_filter|usort|uasort|uksort)\\\\b~i"}], "cve": "CVE-2025-9519", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9519", "description": "Easy Timer <=4.2.1 authenticated (Editor+) RCE via shortcode filter attribute in REST API post content", "method": "POST", "mode": "block", "severity": 7.2, "slug": "easy-timer", "tags": ["code-injection", "rce", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=4.2.1"}, "RULE-CVE-2025-9539-01": {"ajax_action": "automatorwp_ajax_import_automation_from_url", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "automatorwp_ajax_import_automation_from_url"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9539", "method": "POST", "mode": "block", "severity": 8.0, "slug": "automatorwp", "target": "plugin", "versions": "<=5.3.6"}, "RULE-CVE-2025-9562-01": {"action": "init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post(?:-new)?\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[qs_date\\\\b[^\\\\]]*format\\\\s*=\\\\s*[\\"\'][^\\"\']*[<>][^\\"\']*[\\"\']~i"}], "cve": "CVE-2025-9562", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=3.2.6"}, "RULE-CVE-2025-9562-02": {"action": "rest_api_init", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts(/\\\\d+)?(/|\\\\?|$)~"}, {"name": "ARGS:content[raw]", "type": "regex", "value": "~\\\\[qs_date\\\\b[^\\\\]]*format\\\\s*=\\\\s*[\\"\'][^\\"\']*[<>][^\\"\']*[\\"\']~i"}], "cve": "CVE-2025-9562", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpcf7-redirect", "target": "plugin", "versions": "<=3.2.6"}, "RULE-CVE-2025-9565-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "contains", "value": "blocksy_newsletter_subscribe"}, {"name": "ARGS:post_content", "type": "regex", "value": "~(?:on(?:load|error|mouseover|click|focus|blur|submit|change|input|keydown|keyup|keypress)\\\\s*=|<script[\\\\s/>]|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9565", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9565", "description": "Blocksy Companion <=2.1.10 Stored XSS via blocksy_newsletter_subscribe shortcode description attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "blocksy-companion", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.1.10"}, "RULE-CVE-2025-9565-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "blocksy_newsletter_subscribe"}, {"name": "ARGS:content", "type": "regex", "value": "~(?:on(?:load|error|mouseover|click|focus|blur|submit|change|input|keydown|keyup|keypress)\\\\s*=|<script[\\\\s/>]|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9565", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9565", "description": "Blocksy Companion <=2.1.10 Stored XSS via blocksy_newsletter_subscribe shortcode description attribute via REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "blocksy-companion", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.1.10"}, "RULE-CVE-2025-9710-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-comments-post\\\\.php(?:\\\\?|$)~i"}, {"name": "ARGS:comment", "type": "regex", "value": "~(?:<[^>]*\\\\s(?:on\\\\w+\\\\s*=|style\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:expression|url)\\\\s*\\\\()|<\\\\s*(?:script|iframe|embed|object|applet|form|svg|math)\\\\b|\\\\bjavascript\\\\s*:|\\\\bvbscript\\\\s*:|\\\\bdata\\\\s*:[^,]*text/html)~i"}], "cve": "CVE-2025-9710", "method": "POST", "mode": "block", "severity": 6.3, "slug": "responsive-lightbox", "target": "plugin", "versions": "<=2.5.2"}, "RULE-CVE-2025-9776-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/catf/v1/import-csv(/|\\\\?|&|$)~"}, {"name": "FILES:file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9776", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9776", "description": "CatFolders <=2.5.2 authenticated (Author+) time-based SQL injection via CSV import REST endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "catfolders", "tags": ["sql-injection", "rest-api", "csv-import", "authenticated"], "target": "plugin", "versions": "<=2.5.2"}, "RULE-CVE-2025-9807-01": {"action": "init", "conditions": [{"name": "ARGS:s", "type": "regex", "value": "~(?:\'|\\"|%27|%22).*(?:SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|WAITFOR[ ]+DELAY|IF[ ]*[(]|CASE[ ]+WHEN|AND[ ]+[0-9]+[ ]*=[ ]*[0-9]|OR[ ]+[0-9]+[ ]*=[ ]*[0-9]|UNION[ ]+(?:ALL[ ]+)?SELECT|;[ ]*(?:DROP|DELETE|INSERT|UPDATE)[ ]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|EXP[ ]*[(]|FLOOR[ ]*[(][ ]*RAND)~i"}, {"name": "ARGS:post_type", "type": "equals", "value": "tribe_events"}], "cve": "CVE-2025-9807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9807", "description": "The Events Calendar <=6.15.1 unauthenticated SQL injection via s search parameter", "method": "GET", "mode": "block", "severity": 7.5, "slug": "the-events-calendar", "tags": ["sql-injection", "unauthenticated", "search-parameter"], "target": "plugin", "versions": "<=6.15.1"}, "RULE-CVE-2025-9807-02": {"action": "init", "conditions": [{"name": "ARGS:s", "type": "regex", "value": "~(?:\'|\\"|%27|%22).*(?:SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|WAITFOR[ ]+DELAY|IF[ ]*[(]|CASE[ ]+WHEN|AND[ ]+[0-9]+[ ]*=[ ]*[0-9]|OR[ ]+[0-9]+[ ]*=[ ]*[0-9]|UNION[ ]+(?:ALL[ ]+)?SELECT|;[ ]*(?:DROP|DELETE|INSERT|UPDATE)[ ]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|EXP[ ]*[(]|FLOOR[ ]*[(][ ]*RAND)~i"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:/events/|/tribe_events/)~i"}], "cve": "CVE-2025-9807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9807", "description": "The Events Calendar <=6.15.1 unauthenticated SQL injection via s parameter on events archive", "method": "GET", "mode": "block", "severity": 7.5, "slug": "the-events-calendar", "tags": ["sql-injection", "unauthenticated", "search-parameter"], "target": "plugin", "versions": "<=6.15.1"}, "RULE-CVE-2025-9807-03": {"action": "init", "conditions": [{"name": "ARGS:s", "type": "regex", "value": "~(?:\'|\\"|%27|%22).*(?:SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|WAITFOR[ ]+DELAY|IF[ ]*[(]|CASE[ ]+WHEN|AND[ ]+[0-9]+[ ]*=[ ]*[0-9]|OR[ ]+[0-9]+[ ]*=[ ]*[0-9]|UNION[ ]+(?:ALL[ ]+)?SELECT|;[ ]*(?:DROP|DELETE|INSERT|UPDATE)[ ]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|EXP[ ]*[(]|FLOOR[ ]*[(][ ]*RAND)~i"}, {"name": "ARGS:action", "type": "regex", "value": "~^tribe_events~"}], "cve": "CVE-2025-9807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9807", "description": "The Events Calendar <=6.15.1 unauthenticated SQL injection via s parameter on AJAX views fallback", "method": "POST", "mode": "block", "severity": 7.5, "slug": "the-events-calendar", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=6.15.1"}, "RULE-CVE-2025-9807-04": {"action": "rest_api_init", "conditions": [{"name": "ARGS:search", "type": "regex", "value": "~(?:\'|\\"|%27|%22).*(?:SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|WAITFOR[ ]+DELAY|IF[ ]*[(]|CASE[ ]+WHEN|AND[ ]+[0-9]+[ ]*=[ ]*[0-9]|OR[ ]+[0-9]+[ ]*=[ ]*[0-9]|UNION[ ]+(?:ALL[ ]+)?SELECT|;[ ]*(?:DROP|DELETE|INSERT|UPDATE)[ ]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|EXP[ ]*[(]|FLOOR[ ]*[(][ ]*RAND)~i"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/tribe/events/v1/events~"}], "cve": "CVE-2025-9807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9807", "description": "The Events Calendar <=6.15.1 unauthenticated SQL injection via search parameter on REST API", "method": "GET", "mode": "block", "severity": 7.5, "slug": "the-events-calendar", "tags": ["sql-injection", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=6.15.1"}, "RULE-CVE-2025-9852-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[momoyoga-schedule\\\\b[^\\\\]]*schedule_url\\\\s*=\\\\s*[\\"\'][^\\\\]]*(?:on[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:|<script|&#|"|%22|%3c)~i"}], "cve": "CVE-2025-9852", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9852", "description": "Yoga Schedule Momoyoga <=2.9.0 Stored XSS via [momoyoga-schedule] shortcode schedule_url attribute in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "momoyoga-integration", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.9.0"}, "RULE-CVE-2025-9852-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[momoyoga-schedule\\\\b[^\\\\]]*schedule_url\\\\s*=\\\\s*[\\"\'][^\\\\]]*(?:on[a-zA-Z0-9_]+\\\\s*=|javascript\\\\s*:|<script|&#|"|%22|%3c)~i"}], "cve": "CVE-2025-9852", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9852", "description": "Yoga Schedule Momoyoga <=2.9.0 Stored XSS via [momoyoga-schedule] shortcode schedule_url attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "momoyoga-integration", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.9.0"}, "RULE-CVE-2025-9853-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\[optio-lightbox\\\\b[^\\\\]]*(?:\'\\\\s*[);]|<script|on(?:error|load|mouseover|click|focus)\\\\s*=|\\\\\\">\\\\s*<)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9853", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9853", "description": "Optio Dentistry <=2.2 authenticated (Contributor+) stored XSS via optio-lightbox shortcode attributes", "method": "POST", "mode": "block", "severity": 6.4, "slug": "optio-dentistry", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.2"}, "RULE-CVE-2025-9856-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[sg_popup\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9856", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9856", "description": "Popup Builder <=4.4.1 authenticated (Contributor+) stored XSS via sg_popup shortcode event handler attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "popup-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.4.1"}, "RULE-CVE-2025-9856-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[sg_popup\\\\b[^\\\\]]*javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9856", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9856", "description": "Popup Builder <=4.4.1 authenticated (Contributor+) stored XSS via sg_popup shortcode javascript: URI in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "popup-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.4.1"}, "RULE-CVE-2025-9856-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[sg_popup\\\\b[^\\\\]]*<script~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9856", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9856", "description": "Popup Builder <=4.4.1 authenticated (Contributor+) stored XSS via sg_popup shortcode script tag injection in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "popup-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.4.1"}, "RULE-CVE-2025-9857-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "contains", "value": "[Heateor_Facebook_Login"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[Heateor_Facebook_Login\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2025-9857", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9857", "description": "Heateor Login <=1.1.9 Stored XSS via Heateor_Facebook_Login shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "heateor-login", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.9"}, "RULE-CVE-2025-9858-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[abf_vehicle\\\\b[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<svg|<iframe|<img[^>]+onerror)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-9858", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9858", "description": "Auto Bulb Finder <=2.8.0 Stored XSS via abf_vehicle shortcode attributes in Classic Editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "auto-bulb-finder-for-wp-wc", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.8.0"}, "RULE-CVE-2025-9858-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[abf_vehicle\\\\b[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<svg|<iframe|<img[^>]+onerror)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2025-9858", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9858", "description": "Auto Bulb Finder <=2.8.0 Stored XSS via abf_vehicle shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "auto-bulb-finder-for-wp-wc", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.8.0"}, "RULE-CVE-2025-9859-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[fintelligence-calculator\\\\b[^\\\\]]*(?:<[^>]*>|javascript\\\\s*:|on(?:error|load|click|mouseover|focus|blur)\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9859", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9859", "description": "Fintelligence Calculator <=1.0.3 authenticated stored XSS via shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fintelligence-calculator", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-9859-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[fintelligence-calculator\\\\b[^\\\\]]*(?:<[^>]*>|javascript\\\\s*:|on(?:error|load|click|mouseover|focus|blur)\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9859", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9859", "description": "Fintelligence Calculator <=1.0.3 authenticated stored XSS via shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fintelligence-calculator", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.3"}, "RULE-CVE-2025-9860-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[mixtape\\\\s[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<img[^>]+onerror|<svg[^>]+onload)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9860", "description": "Mixtape <=1.1 Stored XSS via [mixtape] shortcode attributes in post_content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "mixtape", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-9860-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mixtape\\\\s[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<img[^>]+onerror|<svg[^>]+onload)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9860", "description": "Mixtape <=1.1 Stored XSS via [mixtape] shortcode attributes in content param (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "mixtape", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-9860-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[mixtape\\\\s[^\\\\]]*(?:<script|on\\\\w+\\\\s*=|javascript:|<img[^>]+onerror|<svg[^>]+onload)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9860", "description": "Mixtape <=1.1 Stored XSS via [mixtape] shortcode attributes in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "mixtape", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2025-9873-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<(?:img|iframe|video|embed|source)\\\\b[^>]*\\\\s+on[a-z]+\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9873", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9873", "description": "a3 Lazy Load <=2.7.5 Stored XSS via HTML event handler attribute injection in post content (Classic Editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "a3-lazy-load", "tags": ["xss", "stored-xss", "attribute-injection"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2025-9873-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~<(?:img|iframe|video|embed|source)\\\\b[^>]*\\\\s+on[a-z]+\\\\s*=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2025-9873", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9873", "description": "a3 Lazy Load <=2.7.5 Stored XSS via HTML event handler attribute injection in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "a3-lazy-load", "tags": ["xss", "stored-xss", "attribute-injection", "rest-api"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2025-9875-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ticket_spot\\\\b[^\\\\]]*(?:<script|on(?:mouse|key|focus|blur|load|error|click|dblclick|change|submit|reset|select|abort|resize|scroll|unload|before)\\\\w*\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9875", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9875", "description": "Event Tickets, RSVPs, Calendar (TicketSpot) <=1.0.2 authenticated (Contributor+) stored XSS via ticket_spot shortcode widget_id attribute (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ticket-spot", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-9875-02": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[ticket_spot\\\\b[^\\\\]]*(?:<script|on(?:mouse|key|focus|blur|load|error|click|dblclick|change|submit|reset|select|abort|resize|scroll|unload|before)\\\\w*\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9875", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9875", "description": "Event Tickets, RSVPs, Calendar (TicketSpot) <=1.0.2 authenticated (Contributor+) stored XSS via ticket_spot shortcode widget_id attribute (REST)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ticket-spot", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2025-9881-01": {"ajax_action": "ub_ajax_action_callback", "conditions": [{"name": "ARGS:linkpartner", "type": "regex", "value": "~<[a-zA-Z/!]|javascript\\\\s*:|on(?:error|load|click|mouseover|focus|blur|submit|change|resize|scroll|keydown|keyup|keypress|mouseout|mousedown|mouseup|dblclick|contextmenu|paste|copy|cut|drag(?:start|end|enter|leave|over)?|drop|abort|unload|beforeunload|hashchange|message|popstate|input|animationend|transitionend)\\\\s*=~i"}], "cve": "CVE-2025-9881", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9881", "description": "Ultimate Blogroll <=2.5.2 unauthenticated stored XSS via linkpartner parameter in ub_ajax_action_callback AJAX handler", "mode": "block", "severity": 6.1, "slug": "ultimate-blogroll", "tags": ["xss", "stored-xss", "csrf", "unauthenticated"], "target": "plugin", "versions": "<=2.5.2"}, "RULE-CVE-2025-9883-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "browser-sniff"}, {"name": "ARGS:bs_submit", "type": "exists"}, {"name": "ARGS:bs_before", "type": "detectXSS"}], "cve": "CVE-2025-9883", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9883", "description": "Browser Sniff <=2.3 CSRF to Stored XSS via bs_before settings parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "browser-sniff", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=2.3"}, "RULE-CVE-2025-9883-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "browser-sniff"}, {"name": "ARGS:bs_submit", "type": "exists"}, {"name": "ARGS:bs_after", "type": "detectXSS"}], "cve": "CVE-2025-9883", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9883", "description": "Browser Sniff <=2.3 CSRF to Stored XSS via bs_after settings parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "browser-sniff", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=2.3"}, "RULE-CVE-2025-9883-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "browser-sniff"}, {"name": "ARGS:bs_submit", "type": "exists"}, {"name": "ARGS:bs_between", "type": "detectXSS"}], "cve": "CVE-2025-9883", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9883", "description": "Browser Sniff <=2.3 CSRF to Stored XSS via bs_between settings parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "browser-sniff", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=2.3"}, "RULE-CVE-2025-9892-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~page=restrict-user-registration~"}, {"name": "ARGS:submit", "type": "exists"}, {"name": "ARGS:usernames_error", "type": "detectXSS"}], "cve": "CVE-2025-9892", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9892", "description": "Restrict User Registration <=1.0.1 CSRF to Stored XSS via usernames_error parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "restrict-user-registration", "tags": ["csrf", "xss", "settings-update"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-9892-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~page=restrict-user-registration~"}, {"name": "ARGS:submit", "type": "exists"}, {"name": "ARGS:emails_error", "type": "detectXSS"}], "cve": "CVE-2025-9892", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9892", "description": "Restrict User Registration <=1.0.1 CSRF to Stored XSS via emails_error parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "restrict-user-registration", "tags": ["csrf", "xss", "settings-update"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-9892-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~page=restrict-user-registration~"}, {"name": "ARGS:submit", "type": "exists"}, {"name": "ARGS:services_error", "type": "detectXSS"}], "cve": "CVE-2025-9892", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9892", "description": "Restrict User Registration <=1.0.1 CSRF to Stored XSS via services_error parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "restrict-user-registration", "tags": ["csrf", "xss", "settings-update"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2025-9947-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "custom-404-pro"}, {"name": "ARGS:path", "type": "regex", "value": "~(?:[\'\\"]\\\\s*(?:OR|AND)\\\\s+[0-9]|\\\\b(?:SLEEP|BENCHMARK|WAITFOR)\\\\s*\\\\(|\\\\bUNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\b|;\\\\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP)\\\\b|[\'\\")][\\\\s]*--|(?:^|[^0-9a-zA-Z_])[0-9]+\\\\s+OR\\\\s+[0-9])~i"}], "cve": "CVE-2025-9947", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9947", "description": "Custom 404 Pro <=3.12.0 authenticated SQL injection via path parameter in delete_logs admin handler", "method": "GET", "mode": "block", "severity": 4.9, "slug": "custom-404-pro", "tags": ["sql-injection", "authenticated"], "target": "plugin", "versions": "<=3.12.0"}, "RULE-CVE-2025-9975-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-scraper"}, {"name": "ARGS:action", "type": "equals", "value": "extract"}, {"name": "ARGS:url", "type": "regex", "value": "~(?:(?:^|//|@)(?:localhost|127\\\\.0\\\\.0\\\\.1|0\\\\.0\\\\.0\\\\.0|\\\\[::1\\\\]|169\\\\.254\\\\.169\\\\.254|metadata\\\\.google\\\\.internal|metadata\\\\.azure\\\\.com)|(?:^|//)(?:10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)|(?:^|//)0(?:x[0-9a-fA-F]+|[0-7]+)(?:\\\\.|/|$)|^(?:file|gopher|dict|ftp)://)~i"}], "cve": "CVE-2025-9975", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9975", "description": "WP Scraper <=5.8.1 authenticated SSRF via action=extract url parameter targeting internal/cloud metadata endpoints", "method": "GET", "mode": "block", "severity": 6.8, "slug": "wp-scraper", "tags": ["ssrf", "server-side-request-forgery", "cloud-metadata", "authenticated"], "target": "plugin", "versions": "<=5.8.1"}, "RULE-CVE-2025-9975-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-scraper"}, {"name": "ARGS:action", "type": "equals", "value": "downloader"}, {"name": "ARGS:url", "type": "regex", "value": "~(?:(?:^|//|@)(?:localhost|127\\\\.0\\\\.0\\\\.1|0\\\\.0\\\\.0\\\\.0|\\\\[::1\\\\]|169\\\\.254\\\\.169\\\\.254|metadata\\\\.google\\\\.internal|metadata\\\\.azure\\\\.com)|(?:^|//)(?:10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)|(?:^|//)0(?:x[0-9a-fA-F]+|[0-7]+)(?:\\\\.|/|$)|^(?:file|gopher|dict|ftp)://)~i"}], "cve": "CVE-2025-9975", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9975", "description": "WP Scraper <=5.8.1 authenticated SSRF via action=downloader url parameter targeting internal/cloud metadata endpoints", "method": "GET", "mode": "block", "severity": 6.8, "slug": "wp-scraper", "tags": ["ssrf", "server-side-request-forgery", "cloud-metadata", "authenticated"], "target": "plugin", "versions": "<=5.8.1"}, "RULE-CVE-2025-9984-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-image-from-url/v2/debug-posts/[0-9]+(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-9984", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9984", "description": "Featured Image from URL <=5.2.7 unauthenticated access to debug-posts REST endpoint exposes private/password-protected posts", "method": "GET", "mode": "block", "severity": 5.3, "slug": "featured-image-from-url", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-9984-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-image-from-url/v2/debug-slug/[a-zA-Z0-9_-]+(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-9984", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9984", "description": "Featured Image from URL <=5.2.7 unauthenticated access to debug-slug REST endpoint exposes private/password-protected posts", "method": "GET", "mode": "block", "severity": 5.3, "slug": "featured-image-from-url", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-9984-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-image-from-url/v2/debug-postmeta/[0-9]+(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2025-9984", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9984", "description": "Featured Image from URL <=5.2.7 unauthenticated access to debug-postmeta REST endpoint exposes private/password-protected post metadata", "method": "GET", "mode": "block", "severity": 5.3, "slug": "featured-image-from-url", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-9985-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]wp-content[/\\\\\\\\]uploads[/\\\\\\\\]fifu-(plugin|cloud)\\\\.log([?/]|$)~i"}], "cve": "CVE-2025-9985", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9985", "description": "Featured Image from URL <=5.2.7 unauthenticated sensitive log file disclosure via direct access to fifu-plugin.log or fifu-cloud.log in uploads directory", "method": "GET", "mode": "block", "severity": 5.3, "slug": "featured-image-from-url", "tags": ["information-disclosure", "sensitive-log-exposure", "unauthenticated"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2025-9992-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/[0-9]+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:meta[ghostkit_page_js]", "type": "exists"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2025-9992", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-9992", "description": "Ghost Kit <=3.4.3 Authenticated (Contributor+) Stored XSS via ghostkit_page_js post meta field on REST API post update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ghostkit", "tags": ["xss", "stored-xss", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=3.4.3"}, "RULE-CVE-2026-0548-01": {"ajax_action": "tutor_import_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0548", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0548", "description": "Tutor LMS <=3.9.4 missing authorization on tutor_import_settings AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "settings-manipulation"], "target": "plugin", "versions": "<=3.9.4"}, "RULE-CVE-2026-0548-02": {"ajax_action": "load_saved_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0548", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0548", "description": "Tutor LMS <=3.9.4 missing authorization on load_saved_data AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "settings-manipulation"], "target": "plugin", "versions": "<=3.9.4"}, "RULE-CVE-2026-0548-03": {"ajax_action": "reset_settings_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0548", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0548", "description": "Tutor LMS <=3.9.4 missing authorization on reset_settings_data AJAX handler", "method": "POST", "mode": "block", "severity": 5.4, "slug": "tutor", "tags": ["missing-authorization", "broken-access-control", "settings-manipulation"], "target": "plugin", "versions": "<=3.9.4"}, "RULE-CVE-2026-0549-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[groups_group_info\\\\b[^\\\\]]*(?:single|plural|none)\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]+>[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0549", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0549", "description": "Groups <=3.10.0 Stored XSS via groups_group_info shortcode attributes (single/plural/none) in post content submitted through post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "groups", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.10.0"}, "RULE-CVE-2026-0549-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[groups_group_info\\\\b[^\\\\]]*(?:single|plural|none)\\\\s*=\\\\s*[\\"\'][^\\"\']*<[^>]+>[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0549", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0549", "description": "Groups <=3.10.0 Stored XSS via groups_group_info shortcode attributes (single/plural/none) in post content submitted through REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "groups", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.10.0"}, "RULE-CVE-2026-0552-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "regex", "value": "~^(?:editpost|post)$~i"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:wpsc_display_product|wp_cart_display_product)\\\\b(?=[^\\\\]]*\\\\b(?:product_id|id)\\\\s*=\\\\s*[\\"\']?\\\\d+[\\"\']?)(?=[^\\\\]]*\\\\b(?:thumb|thumbnail|description|template|style|class)\\\\s*=\\\\s*[\\"\'][^\\"\\\\]]*(?:<\\\\s*(?:script|img|svg)\\\\b|on[a-z]{3,}\\\\s*=|javascript\\\\s*:))(?=[^\\\\]]*[\\"\'])[^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0552", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0552", "description": "Simple Shopping Cart <=5.2.4 Contributor+ stored XSS via wpsc_display_product shortcode attributes in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wordpress-simple-paypal-shopping-cart", "tags": ["xss", "stored", "shortcode", "authenticated"], "target": "plugin", "versions": "<=5.2.4"}, "RULE-CVE-2026-0554-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/notificationx/v1/analytics/regenerate(?:[/?]|$)~"}, {"type": "missing_capability", "value": "edit_notificationx"}], "cve": "CVE-2026-0554", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0554", "description": "NotificationX <=3.1.11 missing authorization on analytics/regenerate REST endpoint allows contributor+ analytics reset", "mode": "block", "severity": 4.3, "slug": "notificationx", "tags": ["missing-authorization", "rest-api", "broken-access-control"], "target": "plugin", "versions": "<=3.1.11"}, "RULE-CVE-2026-0554-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/notificationx/v1/analytics/reset(?:[/?]|$)~"}, {"type": "missing_capability", "value": "edit_notificationx"}], "cve": "CVE-2026-0554", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0554", "description": "NotificationX <=3.1.11 missing authorization on analytics/reset REST endpoint allows contributor+ analytics reset", "mode": "block", "severity": 4.3, "slug": "notificationx", "tags": ["missing-authorization", "rest-api", "broken-access-control"], "target": "plugin", "versions": "<=3.1.11"}, "RULE-CVE-2026-0555-01": {"ajax_action": "premmerce_wizard_actions", "conditions": [{"name": "ARGS:state", "type": "detectXSS"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0555", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0555", "description": "Premmerce <=1.3.20 authenticated stored XSS via premmerce_wizard_actions state parameter (all update sub-actions)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "premmerce", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.3.20"}, "RULE-CVE-2026-0556-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[xo_event_field\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript:|<(?:script|img|svg|iframe|object|embed))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0556", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0556", "description": "XO Event Calendar <=3.2.10 Authenticated (Contributor+) Stored XSS via xo_event_field shortcode in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "xo-event-calendar", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.2.10"}, "RULE-CVE-2026-0556-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[xo_event_field\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|javascript:|<(?:script|img|svg|iframe|object|embed))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0556", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0556", "description": "XO Event Calendar <=3.2.10 Authenticated (Contributor+) Stored XSS via xo_event_field shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "xo-event-calendar", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.2.10"}, "RULE-CVE-2026-0557-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "contains", "value": "[wpda_app"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wpda_app\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript\\\\s*:|<img\\\\b[^>]*\\\\bonerror\\\\s*=|<svg\\\\b[^>]*\\\\bonload\\\\s*=|<iframe\\\\b)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0557", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0557", "description": "WP Data Access <=5.5.63 Stored XSS via wpda_app shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-data-access", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=5.5.63"}, "RULE-CVE-2026-0557-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "[wpda_app"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wpda_app\\\\b[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript\\\\s*:|<img\\\\b[^>]*\\\\bonerror\\\\s*=|<svg\\\\b[^>]*\\\\bonload\\\\s*=|<iframe\\\\b)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0557", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0557", "description": "WP Data Access <=5.5.63 Stored XSS via wpda_app shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-data-access", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.5.63"}, "RULE-CVE-2026-0559-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[stm_lms_courses_grid_display\\\\s+[^\\\\]]*(?:<script|(?:^|[^a-z])on\\\\w+\\\\s*=|javascript\\\\s*:|<svg|<img\\\\s[^>]*onerror|<iframe)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2026-0559", "method": "POST", "mode": "block", "severity": 6.4, "slug": "masterstudy-lms-learning-management-system", "target": "plugin", "versions": "<=3.7.11"}, "RULE-CVE-2026-0559-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[stm_lms_courses_grid_display\\\\s+[^\\\\]]*(?:<script|(?:^|[^a-z])on\\\\w+\\\\s*=|javascript\\\\s*:|<svg|<img\\\\s[^>]*onerror|<iframe)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2026-0559", "method": "POST", "mode": "block", "severity": 6.4, "slug": "masterstudy-lms-learning-management-system", "target": "plugin", "versions": "<=3.7.11"}, "RULE-CVE-2026-0559-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/pages(?:/\\\\d+)?(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[stm_lms_courses_grid_display\\\\s+[^\\\\]]*(?:<script|(?:^|[^a-z])on\\\\w+\\\\s*=|javascript\\\\s*:|<svg|<img\\\\s[^>]*onerror|<iframe)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2026-0559", "method": "POST", "mode": "block", "severity": 6.4, "slug": "masterstudy-lms-learning-management-system", "target": "plugin", "versions": "<=3.7.11"}, "RULE-CVE-2026-0563-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wpgsv_map\\\\b[^\\\\]]*(?:\\\\bon\\\\w+\\\\s*=|<script|javascript\\\\s*:|data\\\\s*:[^,]*text/html)~i"}], "cve": "CVE-2026-0563", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0563", "description": "WP Google Street View <=1.1.8 Stored XSS via wpgsv_map shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-google-street-view", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1.8"}, "RULE-CVE-2026-0604-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/njt-fastdup/v1/template/directory-tree(?:/|\\\\?|&|$)~"}, {"name": "ARGS:dir_path", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc(?:[\\\\\\\\/]|$)|[\\\\\\\\/]proc(?:[\\\\\\\\/]|$)|[\\\\\\\\/]var[\\\\\\\\/]log(?:[\\\\\\\\/]|$))~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0604", "method": "GET", "mode": "block", "severity": 6.5, "slug": "fastdup", "target": "plugin", "versions": "<=2.7"}, "RULE-CVE-2026-0608-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:metakeyselect", "type": "equals", "value": "head-meta-data"}, {"name": "ARGS:metavalue", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2026-0608", "method": "POST", "mode": "block", "severity": 6.4, "slug": "head-meta-data", "target": "plugin", "versions": "<=20251118"}, "RULE-CVE-2026-0608-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:metakeyinput", "type": "equals", "value": "head-meta-data"}, {"name": "ARGS:metavalue", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:~i"}], "cve": "CVE-2026-0608", "method": "POST", "mode": "block", "severity": 6.4, "slug": "head-meta-data", "target": "plugin", "versions": "<=20251118"}, "RULE-CVE-2026-0617-01": {"ajax_action": "latepoint_route_call", "conditions": [{"name": "ARGS:route_name", "type": "equals", "value": "customer_cabinet__update"}, {"name": "ARGS", "type": "regex", "value": "~<\\\\s*(?:script|img|svg|iframe|object|embed|link|style|base|form|input|details|video|audio|meta)\\\\b|<[^>]*\\\\bon(?:error|load|click|mouseover|focus(?:in)?|blur|submit|change|input|keydown|keyup|contextmenu|dblclick|drag|drop|mousedown|mouseup|pointerdown|begin|end|toggle|animationend)\\\\s*=~i"}], "cve": "CVE-2026-0617", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0617", "description": "LatePoint <= 5.2.5 unauthenticated stored XSS via customer profile fields in the customer_cabinet__update route", "method": "POST", "mode": "block", "severity": 7.2, "slug": "latepoint", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=5.2.5"}, "RULE-CVE-2026-0627-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:async-upload\\\\.php|media-new\\\\.php|admin-ajax\\\\.php)~"}, {"name": "ARGS:name", "type": "regex", "value": "~\\\\.svg$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0627", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0627", "description": "AMP for WP <=1.1.10 Stored XSS via SVG upload \\u2013 best-effort filename gate (blocks all SVG uploads on vulnerable versions; engine cannot inspect file content)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "accelerated-mobile-pages", "tags": ["xss", "stored-xss", "svg-upload", "file-upload", "best-effort"], "target": "plugin", "versions": "<=1.1.10"}, "RULE-CVE-2026-0656-01": {"action": "init", "conditions": [{"name": "ARGS:wc-api", "type": "regex", "value": "~(?i)^Ipaymu_WC_Gateway$~"}, {"name": "ARGS:id_order", "type": "exists"}, {"name": "ARGS:status", "type": "exists"}], "cve": "CVE-2026-0656", "method": "POST", "mode": "block", "severity": 8.2, "slug": "ipaymu-for-woocommerce", "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-0656-02": {"action": "init", "conditions": [{"name": "ARGS:wc-api", "type": "regex", "value": "~(?i)^Ipaymu_WC_Gateway$~"}, {"name": "ARGS:id_order", "type": "exists"}], "cve": "CVE-2026-0656", "method": "GET", "mode": "block", "severity": 8.2, "slug": "ipaymu-for-woocommerce", "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-0656-03": {"action": "init", "conditions": [{"name": "ARGS:wc-api", "type": "regex", "value": "~(?i)^WC_Gateway_Ipaymu$~"}, {"name": "ARGS:id_order", "type": "exists"}, {"name": "ARGS:status", "type": "exists"}], "cve": "CVE-2026-0656", "method": "POST", "mode": "block", "severity": 8.2, "slug": "ipaymu-for-woocommerce", "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-0656-04": {"action": "init", "conditions": [{"name": "ARGS:wc-api", "type": "regex", "value": "~(?i)^WC_Gateway_Ipaymu$~"}, {"name": "ARGS:id_order", "type": "exists"}], "cve": "CVE-2026-0656", "method": "GET", "mode": "block", "severity": 8.2, "slug": "ipaymu-for-woocommerce", "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-0677-01": {"ajax_action": "totalcontest", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OC]:[0-9]+:\\"[^\\"]+\\":[0-9]+:\\\\{~"}], "cve": "CVE-2026-0677", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0677", "description": "TotalContest Lite <=2.9.1 PHP object injection via totalcontest general router AJAX handler (wp_ajax_totalcontest / wp_ajax_nopriv_totalcontest)", "mode": "block", "severity": 7.2, "slug": "totalcontest-lite", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=2.9.1"}, "RULE-CVE-2026-0679-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]wc-api=WC_Gateway_Fortis_Notify(?:&|$)~i"}, {"name": "ARGS:data", "type": "exists"}, {"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-0679", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0679", "description": "Fortis for WooCommerce <=1.2.0 unauthenticated order status update via inverted nonce check \\u2014 blocks POST with transaction data payload to the Fortis notify wc-api callback when user lacks manage_woocommerce", "mode": "block", "severity": 5.3, "slug": "fortis-for-woocommerce", "tags": ["missing-authorization", "authentication-bypass", "unauthenticated", "woocommerce"], "target": "plugin", "versions": "<=1.2.0"}, "RULE-CVE-2026-0681-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:random_number_generator_format", "type": "regex", "value": "~(?:<script[\\\\s/>]|<[a-zA-Z][^>]*[\\\\s/](?:on(?:load|error|click|mouseover|focus|blur|change|submit|keydown|keyup|mouseout|mousemove|dblclick|contextmenu|input|invalid|reset|search|drag|drop|copy|cut|paste|beforeunload|unload|hashchange|message|scroll|wheel|animationend|animationiteration|animationstart|transitionend|pointerdown|pointerup|pointermove|afterprint|beforeprint)\\\\s*=)|javascript\\\\s*:)~i"}], "cve": "CVE-2026-0681", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0681", "description": "Extended Random Number Generator <= 1.1 Stored XSS via plugin settings (random_number_generator_format)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "extended-random-number-generator", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-0681-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:random_number_generator_shortcode", "type": "regex", "value": "~(?:<script[\\\\s/>]|<[a-zA-Z][^>]*[\\\\s/](?:on(?:load|error|click|mouseover|focus|blur|change|submit|keydown|keyup|mouseout|mousemove|dblclick|contextmenu|input|invalid|reset|search|drag|drop|copy|cut|paste|beforeunload|unload|hashchange|message|scroll|wheel|animationend|animationiteration|animationstart|transitionend|pointerdown|pointerup|pointermove|afterprint|beforeprint)\\\\s*=)|javascript\\\\s*:)~i"}], "cve": "CVE-2026-0681", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0681", "description": "Extended Random Number Generator <= 1.1 Stored XSS via plugin settings (random_number_generator_shortcode)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "extended-random-number-generator", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-0681-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:random_number_generator_parent_menu", "type": "regex", "value": "~(?:<script[\\\\s/>]|<[a-zA-Z][^>]*[\\\\s/](?:on(?:load|error|click|mouseover|focus|blur|change|submit|keydown|keyup|mouseout|mousemove|dblclick|contextmenu|input|invalid|reset|search|drag|drop|copy|cut|paste|beforeunload|unload|hashchange|message|scroll|wheel|animationend|animationiteration|animationstart|transitionend|pointerdown|pointerup|pointermove|afterprint|beforeprint)\\\\s*=)|javascript\\\\s*:)~i"}], "cve": "CVE-2026-0681", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0681", "description": "Extended Random Number Generator <= 1.1 Stored XSS via plugin settings (random_number_generator_parent_menu)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "extended-random-number-generator", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-0683-01": {"ajax_action": "wpsc_get_tickets", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:[\'\\")\\\\]]\\\\s*(?:OR|AND|UNION|HAVING)\\\\s)|(?:UNION[\\\\s/\\\\*]+(?:ALL\\\\s+)?SELECT)|(?:SELECT[\\\\s/\\\\*]+(?:[\\\\w*,\\\\s]+)?FROM)|(?:CONCAT\\\\s*\\\\()|(?:GROUP\\\\s+BY.+\\\\()|(?:SLEEP\\\\s*\\\\()|(?:BENCHMARK\\\\s*\\\\()|(?:(?:0x[\\\\da-f]+|X\'[\\\\da-f]+\'|B\'[01]+\'|\'[^\']*\')\\\\s*(?:OR|AND|XOR)\\\\s))~i"}], "cve": "CVE-2026-0683", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0683", "description": "SupportCandy <=3.4.4 authenticated SQL injection via Number-type custom field filter operand in wpsc_get_tickets AJAX handler", "mode": "block", "severity": 6.5, "slug": "supportcandy", "tags": ["sql-injection", "authenticated", "custom-field-filter"], "target": "plugin", "versions": "<=3.4.4"}, "RULE-CVE-2026-0684-01": {"action": "admin_init", "conditions": [{"name": "ARGS:cpis_import", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0684", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0684", "description": "CP Image Store <=1.1.9 incorrect authorization on importer allows subscriber+ to import products via flawed boolean logic", "method": "POST", "mode": "block", "severity": 4.3, "slug": "cp-image-store", "tags": ["incorrect-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<=1.1.9"}, "RULE-CVE-2026-0686-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/webmention/1\\\\.0/endpoint(?:[/?]|$)~"}, {"name": "ARGS:source", "type": "regex", "value": "~^(?:https?://(?:127\\\\.|10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.|0\\\\.|0x[0-9a-fA-F]|\\\\[?::(?:ffff:)?|localhost|metadata\\\\.google|169\\\\.254\\\\.|2130706433|2886729728|2851995648)|(?:file|gopher|dict)://)~i"}], "cve": "CVE-2026-0686", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0686", "description": "Webmention <=5.6.2 unauthenticated blind SSRF via source parameter on REST endpoint", "method": "POST", "mode": "block", "severity": 7.2, "slug": "webmention", "tags": ["ssrf", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=5.6.2"}, "RULE-CVE-2026-0688-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/webmention/1\\\\.0/tools(?:[/?&]|$)~"}, {"name": "ARGS:source", "type": "regex", "value": "~(?:^https?://(?:127\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|192\\\\.168\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|169\\\\.254\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|0\\\\.0\\\\.0\\\\.0|\\\\[?::1\\\\]?|localhost)(?:[:/]|$)|^(?!https?://)\\\\w+://)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0688", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0688", "description": "Webmention <=5.6.2 authenticated (Subscriber+) SSRF via source parameter in Tools::read REST endpoint", "mode": "block", "severity": 6.4, "slug": "webmention", "tags": ["ssrf", "missing-authorization", "rest-api", "authenticated"], "target": "plugin", "versions": "<=5.6.2"}, "RULE-CVE-2026-0690-01": {"action": "editpost", "conditions": [{"name": "ARGS:meta[rank_math_description]", "type": "detectXSS"}], "cve": "CVE-2026-0690", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0690", "description": "FlatPM <=3.2.2 Stored XSS via rank_math_description post meta field on core post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "flatpm-wp", "tags": ["xss", "stored-xss", "post-meta"], "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0690-02": {"action": "editpost", "conditions": [{"name": "ARGS:meta[_yoast_wpseo_metadesc]", "type": "detectXSS"}], "cve": "CVE-2026-0690", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0690", "description": "FlatPM <=3.2.2 Stored XSS via _yoast_wpseo_metadesc post meta field on core post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "flatpm-wp", "tags": ["xss", "stored-xss", "post-meta"], "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0690-03": {"action": "editpost", "conditions": [{"name": "ARGS:meta[_aioseop_title]", "type": "detectXSS"}], "cve": "CVE-2026-0690", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0690", "description": "FlatPM <=3.2.2 Stored XSS via _aioseop_title post meta field on core post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "flatpm-wp", "tags": ["xss", "stored-xss", "post-meta"], "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0692-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|[?&])wc-api=bluesnap(?:$|&)~i"}, {"name": "REQUEST_HEADERS:User-Agent", "type": "equals", "value": "BlueSnap"}, {"name": "ARGS:transactionType", "type": "regex", "value": "~^(?:CHARGE|REFUND|DECLINE|RECURRING_PAYMENT_SKIPPED)$~"}, {"name": "ARGS:merchantTransactionId", "type": "exists"}, {"name": "ARGS:referenceNumber", "type": "exists"}, {"name": "REQUEST_HEADERS:X-Forwarded-For", "type": "exists"}], "cve": "CVE-2026-0692", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0692", "description": "BlueSnap Payment Gateway for WooCommerce <=3.4.0 unauthenticated IPN webhook authorization bypass via spoofed BlueSnap headers", "method": "POST", "mode": "block", "severity": 7.5, "slug": "bluesnap-payment-gateway-for-woocommerce", "tags": ["missing-authorization", "ip-spoofing", "unauthenticated", "webhook-bypass", "business-logic"], "target": "plugin", "versions": "<=3.4.0"}, "RULE-CVE-2026-0693-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/edit-tags\\\\.php~"}, {"name": "ARGS:description", "type": "regex", "value": "~(?:<\\\\s*script[^>]*>|<[^>]+[\\\\s/]on[a-z0-9_-]+\\\\s*=|=\\\\s*[\\"\']?\\\\s*javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0693", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0693", "description": "Allow HTML in Category Descriptions <=1.2.4 authenticated stored XSS via category description in edit-tags.php", "method": "POST", "mode": "block", "severity": 4.4, "slug": "allow-html-in-category-descriptions", "tags": ["xss", "stored-xss", "missing-capability"], "target": "plugin", "versions": "<=1.2.4"}, "RULE-CVE-2026-0693-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "add-tag"}, {"name": "ARGS:description", "type": "regex", "value": "~(?:<\\\\s*script[^>]*>|<[^>]+[\\\\s/]on[a-z0-9_-]+\\\\s*=|=\\\\s*[\\"\']?\\\\s*javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0693", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0693", "description": "Allow HTML in Category Descriptions <=1.2.4 authenticated stored XSS via category description in AJAX add-tag", "method": "POST", "mode": "block", "severity": 4.4, "slug": "allow-html-in-category-descriptions", "tags": ["xss", "stored-xss", "missing-capability"], "target": "plugin", "versions": "<=1.2.4"}, "RULE-CVE-2026-0702-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/vsfw/v1/videos(/|\\\\?|&|$)~"}, {"name": "ARGS:fields", "type": "detectSQLi"}], "cve": "CVE-2026-0702", "method": "GET", "mode": "block", "severity": 7.5, "slug": "vidshop-for-woocommerce", "target": "plugin", "versions": "<=1.1.4"}, "RULE-CVE-2026-0702-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/vsfw/v1/videos(/|\\\\?|&|$)~"}, {"name": "ARGS:ids", "type": "detectSQLi"}], "cve": "CVE-2026-0702", "method": "GET", "mode": "block", "severity": 7.5, "slug": "vidshop-for-woocommerce", "target": "plugin", "versions": "<=1.1.4"}, "RULE-CVE-2026-0722-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/admin-ajax.php"}, {"name": "ARGS:search[value]", "type": "regex", "value": "~(?:UNION[\\\\s/\\\\*]+(?:ALL[\\\\s/\\\\*]+)?SELECT|U[Nn]\\\\s*/\\\\*|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\b(?:OR|AND)\\\\s+[\'\\"]?\\\\d+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?\\\\d+|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|extractvalue\\\\s*\\\\(|updatexml\\\\s*\\\\(|ORDER\\\\s+BY\\\\s+\\\\d|INTO\\\\s+(?:OUT|DUMP)FILE\\\\s)~i"}], "cve": "CVE-2026-0722", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0722", "description": "Shield Security <=21.0.9 CSRF to SQL Injection via search[value] parameter in traffic table DataTables endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-simple-firewall", "tags": ["sql-injection", "csrf", "datatables"], "target": "plugin", "versions": "<=21.0.9"}, "RULE-CVE-2026-0722-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/admin-ajax.php"}, {"name": "ARGS:order[0][column]", "type": "regex", "value": "~(?:UNION[\\\\s/\\\\*]+(?:ALL[\\\\s/\\\\*]+)?SELECT|U[Nn]\\\\s*/\\\\*|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\b(?:OR|AND)\\\\s+[\'\\"]?\\\\d+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?\\\\d+|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|extractvalue\\\\s*\\\\(|updatexml\\\\s*\\\\(|ORDER\\\\s+BY\\\\s+\\\\d|INTO\\\\s+(?:OUT|DUMP)FILE\\\\s)~i"}], "cve": "CVE-2026-0722", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0722", "description": "Shield Security <=21.0.9 CSRF to SQL Injection via order[0][column] parameter in traffic table DataTables endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-simple-firewall", "tags": ["sql-injection", "csrf", "datatables"], "target": "plugin", "versions": "<=21.0.9"}, "RULE-CVE-2026-0726-01": {"ajax_action": "nxt_replace_url", "conditions": [{"name": "ARGS", "type": "regex", "value": "~O:\\\\d+:\\"~"}], "cve": "CVE-2026-0726", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0726", "description": "Nexter Extension <=4.4.6 unauthenticated PHP Object Injection via nxt_replace_url AJAX handler", "method": "POST", "mode": "block", "severity": 8.1, "slug": "nexter-extension", "tags": ["object-injection", "deserialization", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=4.4.6"}, "RULE-CVE-2026-0726-02": {"ajax_action": "nxt_replace_confirm_url", "conditions": [{"name": "ARGS", "type": "regex", "value": "~O:\\\\d+:\\"~"}], "cve": "CVE-2026-0726", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0726", "description": "Nexter Extension <=4.4.6 unauthenticated PHP Object Injection via nxt_replace_confirm_url AJAX handler", "method": "POST", "mode": "block", "severity": 8.1, "slug": "nexter-extension", "tags": ["object-injection", "deserialization", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=4.4.6"}, "RULE-CVE-2026-0727-01": {"ajax_action": "wp_aas_get_attachment_edit_form", "conditions": [{"name": "ARGS:attachment_id", "type": "regex", "value": "~^\\\\d+$~"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-0727", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0727", "description": "Accordion and Accordion Slider <=1.4.5 missing authorization on wp_aas_get_attachment_edit_form AJAX allowing authenticated users to read any attachment metadata", "method": "POST", "mode": "block", "severity": 5.4, "slug": "accordion-and-accordion-slider", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.4.5"}, "RULE-CVE-2026-0727-02": {"ajax_action": "wp_aas_save_attachment_data", "conditions": [{"name": "ARGS:attachment_id", "type": "regex", "value": "~^\\\\d+$~"}, {"name": "ARGS:form_data", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-0727", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0727", "description": "Accordion and Accordion Slider <=1.4.5 missing authorization on wp_aas_save_attachment_data AJAX allowing authenticated users to modify any attachment metadata", "method": "POST", "mode": "block", "severity": 5.4, "slug": "accordion-and-accordion-slider", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.4.5"}, "RULE-CVE-2026-0736-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/post.php"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:_inpost_head_script", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<iframe[^>]*>|<embed[^>]*>|<object[^>]*>~i"}, {"name": "ARGS:_inpost_head_script[synth_header_script]", "type": "regex", "value": "~<script[^>]*>|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<iframe[^>]*>|<embed[^>]*>|<object[^>]*>~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0736", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0736", "description": "Chatbot for WordPress by Collect.chat <=2.4.8 Stored XSS via _inpost_head_script post meta field (missing unfiltered_html capability check)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "collectchat", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2026-0741-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/options.php"}, {"name": "ARGS:option_page", "type": "regex", "value": "~^esdc_(options_group|file_types)$~"}, {"name": "ARGS:esdc_file_types", "type": "detectXSS"}], "cve": "CVE-2026-0741", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0741", "description": "Electric Studio Download Counter <=2.4 Authenticated (Administrator+) Stored XSS via esdc_file_types settings parameter", "method": "POST", "mode": "block", "severity": 4.4, "slug": "electric-studio-download-counter", "tags": ["xss", "stored-xss", "settings-page"], "target": "plugin", "versions": "<=2.4"}, "RULE-CVE-2026-0741-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/options.php"}, {"name": "ARGS:option_page", "type": "equals", "value": "esdc_options_group"}, {"name": "ARGS:esdc_blocked_ips", "type": "detectXSS"}], "cve": "CVE-2026-0741", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0741", "description": "Electric Studio Download Counter <=2.4 Authenticated (Administrator+) Stored XSS via esdc_blocked_ips settings parameter", "method": "POST", "mode": "block", "severity": 4.4, "slug": "electric-studio-download-counter", "tags": ["xss", "stored-xss", "settings-page"], "target": "plugin", "versions": "<=2.4"}, "RULE-CVE-2026-0742-01": {"ajax_action": "saab_save_form_data", "conditions": [{"name": "ARGS:form_data", "type": "regex", "value": "~<script[ />]|<[^>]+[^a-zA-Z0-9_]on[a-zA-Z0-9_]+ *=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0742", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0742", "description": "Smart Appointment & Booking <=1.0.7 authenticated stored XSS via saab_save_form_data AJAX action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "smart-appointment-booking", "tags": ["xss", "stored-xss", "missing-authorization"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-0742-02": {"ajax_action": "saab_save_form_submission", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[ />]|<[^>]+[^a-zA-Z0-9_]on[a-zA-Z0-9_]+ *=~i"}], "cve": "CVE-2026-0742", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0742", "description": "Smart Appointment & Booking <=1.0.7 unauthenticated stored XSS via saab_save_form_submission AJAX action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "smart-appointment-booking", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-0746-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/mwai/v1/simpleTranscribeAudio(?:/|\\\\?|$)~"}, {"name": "ARGS:url", "type": "regex", "value": "~^(?:(?:https?|ftp)://(?:127\\\\.|localhost|0\\\\.0\\\\.0\\\\.0|10\\\\.|172\\\\.(1[6-9]|2\\\\d|3[0-1])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|::1|fd[0-9a-f]{2}:)|file://|gopher://|dict://|php://|data:|zlib://|glob://|phar://|ssh2?:|s?ftp://|imap://|pop3://|smtp://|127\\\\.|localhost|0\\\\.0\\\\.0\\\\.0|10\\\\.|172\\\\.(1[6-9]|2\\\\d|3[0-1])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|::1|fd[0-9a-f]{2}:)~i"}], "cve": "CVE-2026-0746", "method": "POST", "mode": "block", "severity": 6.4, "slug": "ai-engine", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2026-0751-01": {"action": "init", "conditions": [{"name": "ARGS:pricing_plan_select_text_font_family", "type": "regex", "value": "~(<[a-zA-Z]|javascript\\\\s*:|data\\\\s*:|vbscript\\\\s*:|on[a-z]+\\\\s*=)~i"}], "cve": "CVE-2026-0751", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0751", "description": "Payment Page <=1.4.6 Stored XSS via pricing_plan_select_text_font_family parameter", "method": "POST", "mode": "block", "severity": 6.4, "slug": "payment-page", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.4.6"}, "RULE-CVE-2026-0753-01": {"action": "init", "conditions": [{"name": "ARGS:sscf_name", "type": "detectXSS"}], "cve": "CVE-2026-0753", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0753", "description": "Super Simple Contact Form <=1.6.2 Reflected Cross-Site Scripting via sscf_name parameter", "mode": "block", "severity": 7.2, "slug": "super-simple-contact-form", "tags": ["xss", "reflected-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.6.2"}, "RULE-CVE-2026-0800-01": {"action": "parse_request", "conditions": [{"name": "ARGS:user-submitted-custom", "type": "regex", "value": "~(?:<\\\\s*(?:script|img|svg|iframe|object|embed|video|audio|body|marquee|details|math)\\\\b|</\\\\s*(?:script|svg|iframe|object|embed|video|audio|math)\\\\b|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text\\\\s*/\\\\s*html|�*3c;|�*60;|%3c(?:script|img|svg|iframe)\\\\b)~i"}], "cve": "CVE-2026-0800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0800", "description": "User Submitted Posts <=20251210 stored XSS via custom field 1 in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "user-submitted-posts", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=20251210"}, "RULE-CVE-2026-0800-02": {"action": "parse_request", "conditions": [{"name": "ARGS:user-submitted-custom-2", "type": "regex", "value": "~(?:<\\\\s*(?:script|img|svg|iframe|object|embed|video|audio|body|marquee|details|math)\\\\b|</\\\\s*(?:script|svg|iframe|object|embed|video|audio|math)\\\\b|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text\\\\s*/\\\\s*html|�*3c;|�*60;|%3c(?:script|img|svg|iframe)\\\\b)~i"}], "cve": "CVE-2026-0800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0800", "description": "User Submitted Posts <=20251210 stored XSS via custom field 2 in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "user-submitted-posts", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=20251210"}, "RULE-CVE-2026-0800-03": {"action": "parse_request", "conditions": [{"name": "ARGS:user-submitted-url", "type": "regex", "value": "~(?:^\\\\s*(?:javascript|data)\\\\s*:|\\\\bon\\\\w+\\\\s*=|%0d|%0a|[\\"\'<>]|�*22;|�*34;|�*27;|�*39;|�*3c;|�*60;)~i"}], "cve": "CVE-2026-0800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0800", "description": "User Submitted Posts <=20251210 stored XSS via author URL field in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "user-submitted-posts", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=20251210"}, "RULE-CVE-2026-0800-04": {"action": "parse_request", "conditions": [{"name": "ARGS:user-submitted-name", "type": "regex", "value": "~(?:<\\\\s*(?:script|img|svg|iframe|object|embed|video|audio|body|marquee|details|math)\\\\b|</\\\\s*(?:script|svg|iframe|object|embed|video|audio|math)\\\\b|\\\\bon\\\\w+\\\\s*=|�*3c;|�*60;|%3c(?:script|img|svg|iframe)\\\\b)~i"}], "cve": "CVE-2026-0800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0800", "description": "User Submitted Posts <=20251210 stored XSS via author name field in front-end submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "user-submitted-posts", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=20251210"}, "RULE-CVE-2026-0806-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-clanwars-teams"}, {"name": "ARGS:orderby", "type": "regex", "value": "~(?:[`\'\\";]|UNION|SELECT|SLEEP|BENCHMARK|IF\\\\s*[(]|CASE\\\\s+WHEN|EXTRACTVALUE|UPDATEXML|LOAD_FILE|INTO\\\\s+(?:OUT|DUMP)FILE|/[*]|--\\\\s)~i"}], "cve": "CVE-2026-0806", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0806", "description": "WP-ClanWars <=2.0.1 authenticated SQL Injection via orderby parameter on Teams admin page", "mode": "block", "severity": 4.9, "slug": "wp-clanwars", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-0807-01": {"action": "template_redirect", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/template-proxy/|[?&](?:frontis_)?template_proxy=)~i"}, {"name": "ARGS:url", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0807", "description": "Frontis Blocks <=1.1.6 unauthenticated SSRF via template-proxy endpoint url parameter", "method": "GET", "mode": "block", "severity": 7.2, "slug": "frontis-blocks", "tags": ["ssrf", "unauthenticated", "server-side-request-forgery"], "target": "plugin", "versions": "<=1.1.6"}, "RULE-CVE-2026-0807-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/custom/v1/proxy-image(/|\\\\?|&|$)~"}, {"name": "ARGS:url", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0807", "description": "Frontis Blocks <=1.1.6 authenticated SSRF via proxy-image REST endpoint url parameter", "method": "GET", "mode": "block", "severity": 7.2, "slug": "frontis-blocks", "tags": ["ssrf", "server-side-request-forgery", "rest-api"], "target": "plugin", "versions": "<=1.1.6"}, "RULE-CVE-2026-0812-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "linkedin_sc"}, {"name": "ARGS:linkedin_sc_date_format", "type": "detectXSS"}], "cve": "CVE-2026-0812", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0812", "description": "LinkedIn SC <=1.1.9 authenticated (Administrator+) stored XSS via linkedin_sc_date_format settings field", "method": "POST", "mode": "block", "severity": 4.4, "slug": "linkedin-sc", "tags": ["xss", "stored-xss", "settings-page"], "target": "plugin", "versions": "<=1.1.9"}, "RULE-CVE-2026-0812-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "linkedin_sc"}, {"name": "ARGS:linkedin_sc_api_key", "type": "detectXSS"}], "cve": "CVE-2026-0812", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0812", "description": "LinkedIn SC <=1.1.9 authenticated (Administrator+) stored XSS via linkedin_sc_api_key settings field", "method": "POST", "mode": "block", "severity": 4.4, "slug": "linkedin-sc", "tags": ["xss", "stored-xss", "settings-page"], "target": "plugin", "versions": "<=1.1.9"}, "RULE-CVE-2026-0812-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:option_page", "type": "equals", "value": "linkedin_sc"}, {"name": "ARGS:linkedin_sc_secret_key", "type": "detectXSS"}], "cve": "CVE-2026-0812", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0812", "description": "LinkedIn SC <=1.1.9 authenticated (Administrator+) stored XSS via linkedin_sc_secret_key settings field", "method": "POST", "mode": "block", "severity": 4.4, "slug": "linkedin-sc", "tags": ["xss", "stored-xss", "settings-page"], "target": "plugin", "versions": "<=1.1.9"}, "RULE-CVE-2026-0815-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/edit-tags\\\\.php~"}, {"name": "ARGS:tag-image", "type": "regex", "value": "~(?:<script[\\\\s/>]|<(?:img|svg|iframe|object|embed|body|details|math)\\\\b[^>]*\\\\bon[a-z]+=|\\\\bon(?:error|load|mouseover|click|focus|blur|input|change|animationend|transitionend)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-0815", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0815", "description": "Category Image <=2.0 authenticated (Editor+) stored XSS via tag-image parameter on term edit/create", "method": "POST", "mode": "block", "severity": 4.4, "slug": "category-image", "tags": ["xss", "stored", "authenticated"], "target": "plugin", "versions": "<=2.0"}, "RULE-CVE-2026-0816-01": {"action": "admin_init", "conditions": [{"name": "ARGS:delete_id", "type": "detectSQLi"}], "cve": "CVE-2026-0816", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0816", "description": "All Push Notification for WP <=1.5.3 authenticated SQL injection via delete_id in process_bulk_action", "mode": "block", "severity": 4.9, "slug": "all-push-notification", "tags": ["sql-injection", "authenticated", "admin-only"], "target": "plugin", "versions": "<=1.5.3"}, "RULE-CVE-2026-0825-01": {"action": "init", "conditions": [{"name": "ARGS:vx_crm_form_action", "type": "equals", "value": "download_csv"}, {"name": "ARGS:vx_crm_key", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0825", "description": "Database for Contact Form 7, WPforms, Elementor forms <=1.4.5 unauthenticated CSV export data exfiltration via missing authorization", "method": "GET", "mode": "block", "severity": 5.3, "slug": "contact-form-entries", "tags": ["missing-authorization", "data-exfiltration", "unauthenticated"], "target": "plugin", "versions": "<=1.4.5"}, "RULE-CVE-2026-0829-01": {"ajax_action": "wpfm_send_file_in_email", "conditions": [{"type": "missing_capability", "value": "read"}], "cve": "CVE-2026-0829", "method": "POST", "mode": "block", "severity": 5.8, "slug": "nmedia-user-file-uploader", "target": "plugin", "versions": "<23.6"}, "RULE-CVE-2026-0831-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^templately_pack_~"}, {"name": "ARGS:session_id", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2026-0831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0831", "description": "Templately <=3.4.8 unauthenticated arbitrary .ai.json file write via path traversal in session_id on templately_pack_import AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "templately", "tags": ["path-traversal", "arbitrary-file-write", "unauthenticated", "incorrect-authorization"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2026-0831-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^templately_pack_~"}, {"name": "ARGS:content_id", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}~"}], "cve": "CVE-2026-0831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0831", "description": "Templately <=3.4.8 unauthenticated arbitrary .ai.json file write via path traversal in content_id on templately_pack_import AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "templately", "tags": ["path-traversal", "arbitrary-file-write", "unauthenticated", "incorrect-authorization"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2026-0831-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^templately_pack_~"}, {"name": "ARGS:session_id", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-0831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0831", "description": "Templately <=3.4.8 unauthenticated arbitrary .ai.json file write via path traversal in session_id targeting sensitive files", "method": "POST", "mode": "block", "severity": 5.3, "slug": "templately", "tags": ["path-traversal", "arbitrary-file-write", "unauthenticated", "incorrect-authorization"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2026-0831-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^templately_pack_~"}, {"name": "ARGS:content_id", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-0831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0831", "description": "Templately <=3.4.8 unauthenticated arbitrary .ai.json file write via path traversal in content_id targeting sensitive files", "method": "POST", "mode": "block", "severity": 5.3, "slug": "templately", "tags": ["path-traversal", "arbitrary-file-write", "unauthenticated", "incorrect-authorization"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2026-0831-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "admin-ajax.php"}, {"name": "ARGS:action", "type": "regex", "value": "~^templately_pack_~"}, {"name": "ARGS:session_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-0831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0831", "description": "Templately <=3.4.8 unauthenticated access to templately_pack_* AJAX handlers missing authorization", "method": "POST", "mode": "block", "severity": 5.3, "slug": "templately", "tags": ["missing-authorization", "incorrect-authorization", "unauthenticated", "arbitrary-file-write"], "target": "plugin", "versions": "<=3.4.8"}, "RULE-CVE-2026-0832-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nua-request/v1/connect-app(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0832", "method": "GET", "mode": "block", "severity": 7.3, "slug": "new-user-approve", "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0832-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nua-request/v1/user-approve(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0832", "method": "GET", "mode": "block", "severity": 7.3, "slug": "new-user-approve", "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0832-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nua-request/v1/user-deny(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0832", "method": "GET", "mode": "block", "severity": 7.3, "slug": "new-user-approve", "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0832-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nua-request/v1/get-user-details(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0832", "method": "GET", "mode": "block", "severity": 7.3, "slug": "new-user-approve", "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0832-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nua-request/v1/get-all-requests(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0832", "method": "GET", "mode": "block", "severity": 7.3, "slug": "new-user-approve", "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0832-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nua-request/v1/get-dashboard-data(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0832", "method": "GET", "mode": "block", "severity": 7.3, "slug": "new-user-approve", "target": "plugin", "versions": "<=3.2.2"}, "RULE-CVE-2026-0833-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "team-section"}, {"name": "ARGS:content", "type": "regex", "value": "~javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0833", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0833", "description": "Team Section Block <=2.0.0 stored XSS via javascript: URI in post content containing team-section block (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "team-section", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2026-0833-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "team-section"}, {"name": "ARGS:content", "type": "regex", "value": "~on\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0833", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0833", "description": "Team Section Block <=2.0.0 stored XSS via event handler injection in post content containing team-section block (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "team-section", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2026-0833-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "contains", "value": "team-section"}, {"name": "ARGS:content", "type": "regex", "value": "~data\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0833", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0833", "description": "Team Section Block <=2.0.0 stored XSS via data: URI in post content containing team-section block (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "team-section", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2026-0833-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "team-section"}, {"name": "ARGS:content", "type": "regex", "value": "~javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0833", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0833", "description": "Team Section Block <=2.0.0 stored XSS via javascript: URI in post content containing team-section block (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "team-section", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2026-0833-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "team-section"}, {"name": "ARGS:content", "type": "regex", "value": "~on\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0833", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0833", "description": "Team Section Block <=2.0.0 stored XSS via event handler injection in post content containing team-section block (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "team-section", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2026-0833-06": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "team-section"}, {"name": "ARGS:content", "type": "regex", "value": "~data\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0833", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0833", "description": "Team Section Block <=2.0.0 stored XSS via data: URI in post content containing team-section block (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "team-section", "tags": ["xss", "stored-xss", "gutenberg-block"], "target": "plugin", "versions": "<=2.0.0"}, "RULE-CVE-2026-0845-01": {"ajax_action": "wcfm_ajax_controller", "conditions": [{"name": "ARGS:controller", "type": "equals", "value": "wcfm-settings"}, {"name": "ARGS:wcfm_settings_form", "type": "regex", "value": "~wcfm_page_options(?:%5[Bb]|\\\\[)(?!(?:wc_frontend_manager_page_id|wcfm_vendor_membership_page_id|wcfm_vendor_registration_page_id|wcfm_affiliate_registration_page_id)(?:%5[Dd]|\\\\]))~"}], "cve": "CVE-2026-0845", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wc-frontend-manager", "target": "plugin", "versions": "<=6.7.24"}, "RULE-CVE-2026-0909-01": {"ajax_action": "wp_ulike_delete_history_api", "conditions": [{"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0909", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0909", "description": "WP ULike <=4.8.3.1 Insecure Direct Object Reference allowing authenticated users to delete arbitrary log entries via wp_ulike_delete_history_api AJAX action", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wp-ulike", "tags": ["idor", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=4.8.3.1"}, "RULE-CVE-2026-0911-01": {"ajax_action": "hustle_module_handle_single_action", "conditions": [{"name": "FILES:import_file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0911", "method": "POST", "mode": "block", "slug": "wordpress-popup", "target": "plugin", "versions": "<=7.8.9.2"}, "RULE-CVE-2026-0916-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[related_posts_by_tax[ \\\\t][^\\\\]]*(?:<script|on(?:load|error|click|mouseover|toggle|focus|blur)[ \\\\t]*=|javascript[ \\\\t]*:|<svg|<iframe|<embed|<object)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-0916", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0916", "description": "Related Posts by Taxonomy <=2.7.6 Stored XSS via related_posts_by_tax shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "related-posts-by-taxonomy", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.7.6"}, "RULE-CVE-2026-0916-03": {"ajax_action": "rpbt_lazy_loading", "conditions": [{"name": "ARGS:rpbt_args[title]", "type": "regex", "value": "~<script|on(?:load|error|click|mouseover|toggle|focus|blur)[ \\\\t]*=|javascript[ \\\\t]*:|<svg|<iframe|<embed|<object~i"}], "cve": "CVE-2026-0916", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0916", "description": "Related Posts by Taxonomy <=2.7.6 XSS via rpbt_lazy_loading AJAX handler rpbt_args[title]", "method": "POST", "mode": "block", "severity": 6.4, "slug": "related-posts-by-taxonomy", "tags": ["xss", "ajax"], "target": "plugin", "versions": "<=2.7.6"}, "RULE-CVE-2026-0916-04": {"ajax_action": "rpbt_lazy_loading", "conditions": [{"name": "ARGS:rpbt_args[before_title]", "type": "regex", "value": "~<script|on(?:load|error|click|mouseover|toggle|focus|blur)[ \\\\t]*=|javascript[ \\\\t]*:|<svg|<iframe|<embed|<object~i"}], "cve": "CVE-2026-0916", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0916", "description": "Related Posts by Taxonomy <=2.7.6 XSS via rpbt_lazy_loading AJAX handler rpbt_args[before_title]", "method": "POST", "mode": "block", "severity": 6.4, "slug": "related-posts-by-taxonomy", "tags": ["xss", "ajax"], "target": "plugin", "versions": "<=2.7.6"}, "RULE-CVE-2026-0916-05": {"ajax_action": "rpbt_lazy_loading", "conditions": [{"name": "ARGS:rpbt_args[after_title]", "type": "regex", "value": "~<script|on(?:load|error|click|mouseover|toggle|focus|blur)[ \\\\t]*=|javascript[ \\\\t]*:|<svg|<iframe|<embed|<object~i"}], "cve": "CVE-2026-0916", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0916", "description": "Related Posts by Taxonomy <=2.7.6 XSS via rpbt_lazy_loading AJAX handler rpbt_args[after_title]", "method": "POST", "mode": "block", "severity": 6.4, "slug": "related-posts-by-taxonomy", "tags": ["xss", "ajax"], "target": "plugin", "versions": "<=2.7.6"}, "RULE-CVE-2026-0920-01": {"ajax_action": "lakit_ajax", "conditions": [{"name": "ARGS:lakit_bkrole", "type": "regex", "value": "~(?:administrator|editor|author)~i"}], "cve": "CVE-2026-0920", "method": "POST", "mode": "block", "severity": 9.8, "slug": "lastudio-element-kit", "target": "plugin", "versions": "<=1.5.6.3"}, "RULE-CVE-2026-0920-02": {"action": "init", "conditions": [{"name": "ARGS:lakit_bkrole", "type": "regex", "value": "~(?:administrator|editor|author)~i"}, {"name": "ARGS:email", "type": "exists"}, {"name": "ARGS:password", "type": "exists"}], "cve": "CVE-2026-0920", "method": "POST", "mode": "block", "severity": 9.8, "slug": "lastudio-element-kit", "target": "plugin", "versions": "<=1.5.6.3"}, "RULE-CVE-2026-0939-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/redeIntegration/pixListener(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0939", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0939", "description": "Rede Ita\\u00fa for WooCommerce <=5.1.2 unauthenticated order status manipulation via forged PIX webhook callback on /redeIntegration/pixListener", "method": "POST", "mode": "block", "severity": 5.3, "slug": "woo-rede", "tags": ["insufficient-verification", "forged-webhook", "unauthenticated", "order-manipulation"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-0939-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/redePRO/redePixListener(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0939", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0939", "description": "Rede Ita\\u00fa for WooCommerce <=5.1.2 unauthenticated order status manipulation via forged PIX webhook callback on /redePRO/redePixListener", "method": "POST", "mode": "block", "severity": 5.3, "slug": "woo-rede", "tags": ["insufficient-verification", "forged-webhook", "unauthenticated", "order-manipulation"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-0939-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/redeIntegration/maxipagoDebitListener(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0939", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0939", "description": "Rede Ita\\u00fa for WooCommerce <=5.1.2 unauthenticated order status manipulation via forged Maxipago debit webhook on /redeIntegration/maxipagoDebitListener", "method": "POST", "mode": "block", "severity": 5.3, "slug": "woo-rede", "tags": ["insufficient-verification", "forged-webhook", "unauthenticated", "order-manipulation"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-0939-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/woorede/s(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0939", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0939", "description": "Rede Ita\\u00fa for WooCommerce <=5.1.2 unauthenticated order status manipulation via forged 3DS success callback on /woorede/s", "method": "POST", "mode": "block", "severity": 5.3, "slug": "woo-rede", "tags": ["insufficient-verification", "forged-webhook", "unauthenticated", "order-manipulation"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-0939-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/woorede/f(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0939", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0939", "description": "Rede Ita\\u00fa for WooCommerce <=5.1.2 unauthenticated order status manipulation via forged 3DS failure callback on /woorede/f", "method": "POST", "mode": "block", "severity": 5.3, "slug": "woo-rede", "tags": ["insufficient-verification", "forged-webhook", "unauthenticated", "order-manipulation"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-0950-01": {"ajax_action": "ast_block_templates_import_wpforms", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-0950", "description": "Spectra (UAG) <= 2.19.17 broken access control on WPForms template import via ast_block_templates_import_wpforms", "method": "POST", "mode": "block", "severity": 5.3, "slug": "ultimate-addons-for-gutenberg", "tags": ["bac", "template-import"], "target": "plugin", "versions": "<=2.19.17"}, "RULE-CVE-2026-0974-01": {"ajax_action": "iconic_onboard_orderable_install_plugin", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2026-0974", "method": "POST", "mode": "block", "severity": 8.8, "slug": "orderable", "target": "plugin", "versions": "<=1.20.0"}, "RULE-CVE-2026-0996-01": {"ajax_action": "fluentform_ai_create_form", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-0996", "method": "POST", "mode": "block", "severity": 6.4, "slug": "fluentform", "target": "plugin", "versions": "<=6.1.14"}, "RULE-CVE-2026-1000-01": {"ajax_action": "woo_mailerlite_reset_integration_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1000", "method": "POST", "mode": "block", "severity": 6.5, "slug": "woo-mailerlite", "target": "plugin", "versions": "<3.1.4"}, "RULE-CVE-2026-1003-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/getgenie/v1/geniechat/[\\\\w-]+~"}, {"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2026-1003", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1003", "description": "GetGenie <=4.3.0 missing authorization (IDOR) allows Author+ arbitrary post deletion via geniechat REST endpoint", "mode": "block", "severity": 4.3, "slug": "getgenie", "tags": ["missing-authorization", "idor", "arbitrary-post-deletion", "rest-api"], "target": "plugin", "versions": "<=4.3.0"}, "RULE-CVE-2026-1004-02": {"ajax_action": "eael_product_quickview_popup", "conditions": [{"name": "ARGS:product_id", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2026-1004", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1004", "description": "Essential Addons for Elementor <=6.5.5 unauthenticated sensitive product information exposure via eael_product_quickview_popup AJAX action (GET)", "method": "GET", "mode": "block", "severity": 5.3, "slug": "essential-addons-for-elementor-lite", "tags": ["missing-authorization", "sensitive-data-exposure", "unauthenticated", "idor"], "target": "plugin", "versions": "<=6.5.5"}, "RULE-CVE-2026-1036-01": {"ajax_action": "GalleryBox", "conditions": [{"name": "ARGS:ajax_task", "type": "regex", "value": "~^delete_comment$~i"}, {"name": "ARGS:id_comment", "type": "exists"}], "cve": "CVE-2026-1036", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1036", "description": "Photo Gallery by 10Web <=1.8.36 missing authorization on delete_comment via GalleryBox AJAX", "mode": "block", "severity": 5.3, "slug": "photo-gallery", "tags": ["missing-authorization", "arbitrary-comment-deletion", "unauthenticated"], "target": "plugin", "versions": "<=1.8.36"}, "RULE-CVE-2026-1054-01": {"ajax_action": "rm_set_otp", "conditions": [{"name": "ARGS:otp_type", "type": "equals", "value": "google"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1054", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1054", "description": "RegistrationMagic <= 6.0.7.4 broken authentication in OTP verification bypassing email ownership", "method": "POST", "mode": "block", "severity": 5.3, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.7.4"}, "RULE-CVE-2026-1055-01": {"action": "admin_init", "conditions": [{"name": "ARGS:welcomeMessage", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<(?:iframe|svg|object|embed)[\\\\s/>])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1055", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1055", "description": "TalkJS <=0.1.15 authenticated (Administrator+) stored XSS via welcomeMessage settings parameter", "method": "POST", "mode": "block", "severity": 4.4, "slug": "talkjs", "tags": ["xss", "stored", "authenticated", "settings-api"], "target": "plugin", "versions": "<=0.1.15"}, "RULE-CVE-2026-1058-01": {"ajax_action": "fm_submit_form", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<|�*60;|�*3[cC];)\\\\s*(?:script|img|svg|iframe|object|embed|body|details|video|audio|math|form|input|marquee|a\\\\b)~i"}], "cve": "CVE-2026-1058", "method": "POST", "mode": "block", "severity": 7.1, "slug": "form-maker", "target": "plugin", "versions": "<=1.15.35"}, "RULE-CVE-2026-1058-02": {"ajax_action": "fm_submit_form", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<\\\\s*(?:script|iframe|object|embed|form)[\\\\s>]~i"}], "cve": "CVE-2026-1058", "method": "POST", "mode": "block", "severity": 7.1, "slug": "form-maker", "target": "plugin", "versions": "<=1.15.35"}, "RULE-CVE-2026-1058-03": {"ajax_action": "fm_submit_form", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<\\\\s*(?:img|svg|body|details|video|audio|math|marquee|input|a\\\\b)[^>]*\\\\bon\\\\w+\\\\s*=~i"}], "cve": "CVE-2026-1058", "method": "POST", "mode": "block", "severity": 7.1, "slug": "form-maker", "target": "plugin", "versions": "<=1.15.35"}, "RULE-CVE-2026-1060-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/adminify/v1/get-addons-list(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1060", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1060", "description": "WP Adminify <=4.0.7.7 unauthenticated sensitive information exposure via get-addons-list REST API", "method": "GET", "mode": "block", "severity": 5.3, "slug": "adminify", "tags": ["missing-authorization", "information-disclosure", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=4.0.7.7"}, "RULE-CVE-2026-1074-01": {"ajax_action": "app_bar_settings", "conditions": [{"name": "ARGS:app-bar-features", "type": "regex", "value": "~(?:<[^>]*(?:script|iframe|object|embed|form|input|textarea|button|details|select|video|audio|source|svg|math|base|link|meta|style|applet)|(?:^|[^a-zA-Z0-9_])on(?:load|error|mouseover|mouseout|click|dblclick|focus|blur|change|submit|keydown|keypress|keyup|cut|copy|paste|abort|resize|scroll|pointerover|animationend)[ ]*=|javascript[ ]*:|data[ ]*:[^,]*;[ ]*base64)~i"}], "cve": "CVE-2026-1074", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1074", "description": "WP App Bar <=1.5 unauthenticated stored XSS via app-bar-features parameter in app_bar_settings AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-app-bar", "tags": ["xss", "stored-xss", "unauthenticated", "missing-authorization"], "target": "plugin", "versions": "<=1.5"}, "RULE-CVE-2026-1098-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[css_columns[^\\\\]]*tag\\\\s*=\\\\s*[\\"\'](?:[^\\"\']*[\\\\s<>][^\\"\']*|(?:script|iframe|object|embed|svg|math|style))[\\"\']~i"}], "cve": "CVE-2026-1098", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1098", "description": "CM CSS Columns <=1.2.1 Stored XSS via [css_columns] shortcode tag attribute (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cm-css-columns", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2026-1098-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[css_columns[^\\\\]]*tag\\\\s*=\\\\s*[\\"\'](?:[^\\"\']*[\\\\s<>][^\\"\']*|(?:script|iframe|object|embed|svg|math|style))[\\"\']~i"}], "cve": "CVE-2026-1098", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1098", "description": "CM CSS Columns <=1.2.1 Stored XSS via [css_columns] shortcode tag attribute (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "cm-css-columns", "tags": ["xss", "stored-xss", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2026-1103-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/aiktp/getToken(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1103", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1103", "description": "AIKTP <=5.0.04 missing authorization on /aiktp/getToken REST endpoint allows Subscriber+ to retrieve admin token", "method": "GET", "mode": "block", "severity": 5.4, "slug": "aiktp", "tags": ["missing-authorization", "broken-access-control", "rest-api", "secret-disclosure"], "target": "plugin", "versions": "<=5.0.04"}, "RULE-CVE-2026-1104-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/njt-fastdup/v1/packages(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1104", "mode": "block", "severity": 8.8, "slug": "fastdup", "target": "plugin", "versions": "<=2.7.1"}, "RULE-CVE-2026-1127-01": {"ajax_action": "timeline_shortcode", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~(?:<|>|%3[Cc]|%3[Ee])~"}], "cve": "CVE-2026-1127", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1127", "description": "Timeline Event History <=3.2 reflected XSS via id parameter in timeline_shortcode AJAX handler (unauthenticated)", "mode": "block", "severity": 6.1, "slug": "timeline-event-history", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.2"}, "RULE-CVE-2026-1165-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "ays-popup-box"}, {"name": "ARGS:action", "type": "equals", "value": "ays_pb_publish_popupbox"}, {"name": "ARGS:popupbox", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1165", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1165", "description": "Popup Box <=6.1.1 CSRF publish popupbox via admin.php action parameter", "method": "GET", "mode": "block", "severity": 4.3, "slug": "ays-popup-box", "tags": ["csrf", "broken-access-control"], "target": "plugin", "versions": "<=6.1.1"}, "RULE-CVE-2026-1165-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "ays-popup-box"}, {"name": "ARGS:action", "type": "equals", "value": "ays_pb_unpublish_popupbox"}, {"name": "ARGS:popupbox", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1165", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1165", "description": "Popup Box <=6.1.1 CSRF unpublish popupbox via admin.php action parameter", "method": "GET", "mode": "block", "severity": 4.3, "slug": "ays-popup-box", "tags": ["csrf", "broken-access-control"], "target": "plugin", "versions": "<=6.1.1"}, "RULE-CVE-2026-1165-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "ays-popup-box"}, {"name": "ARGS:action", "type": "regex", "value": "~^ays_pb_(?:publish|unpublish)_popupbox$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1165", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1165", "description": "Popup Box <=6.1.1 CSRF bulk publish/unpublish popupbox via POST", "method": "POST", "mode": "block", "severity": 4.3, "slug": "ays-popup-box", "tags": ["csrf", "broken-access-control"], "target": "plugin", "versions": "<=6.1.1"}, "RULE-CVE-2026-1210-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~age[_-]?gate[^}]*(?:desc|footer_text)[^}]*<[^>]*(?:on[a-zA-Z]+=|<script|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1210", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1210", "description": "Happy Addons for Elementor <=3.20.7 Stored XSS via Age Gate widget desc/footer_text fields in _elementor_data", "method": "POST", "mode": "block", "severity": 6.4, "slug": "happy-elementor-addons", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=3.20.7"}, "RULE-CVE-2026-1210-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_elementor_data", "type": "regex", "value": "~ha_custom_svg[^}]*(?:<script|on[a-zA-Z]+=|javascript:|foreignObject)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1210", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1210", "description": "Happy Addons for Elementor <=3.20.7 Stored XSS via SVG Draw widget ha_custom_svg field in _elementor_data", "method": "POST", "mode": "block", "severity": 6.4, "slug": "happy-elementor-addons", "tags": ["xss", "stored-xss", "elementor-widget", "svg-xss"], "target": "plugin", "versions": "<=3.20.7"}, "RULE-CVE-2026-1216-01": {"ajax_action": "wpra.render.display", "conditions": [{"name": "ARGS:template", "type": "regex", "value": "~(?:<[a-z/!]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|&#[xX]?[0-9])~i"}], "cve": "CVE-2026-1216", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1216", "description": "WP RSS Aggregator <=5.0.10 unauthenticated reflected XSS via template parameter in wpra.render.display AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-rss-aggregator", "tags": ["xss", "reflected", "unauthenticated"], "target": "plugin", "versions": "<=5.0.10"}, "RULE-CVE-2026-1216-02": {"ajax_action": "wprss_render", "conditions": [{"name": "ARGS:template", "type": "regex", "value": "~(?:<[a-z/!]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|&#[xX]?[0-9])~i"}], "cve": "CVE-2026-1216", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1216", "description": "WP RSS Aggregator <=5.0.10 unauthenticated reflected XSS via template parameter in legacy wprss_render AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "wp-rss-aggregator", "tags": ["xss", "reflected", "unauthenticated"], "target": "plugin", "versions": "<=5.0.10"}, "RULE-CVE-2026-1219-01": {"ajax_action": "load_track_note_ajax", "conditions": [{"name": "ARGS:post-id", "type": "exists"}], "cve": "CVE-2026-1219", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1219", "description": "MP3 Audio Player by Sonaar >=4.0 <=5.10 IDOR via load_track_note_ajax exposes private post content (HIGH FP RISK: blocks legitimate anonymous music player usage)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "mp3-music-player-by-sonaar", "tags": ["idor", "insecure-direct-object-reference", "unauthenticated"], "target": "plugin", "versions": ">=4.0 <=5.10"}, "RULE-CVE-2026-1219-02": {"ajax_action": "load_post_by_ajax", "conditions": [{"name": "ARGS:post-id", "type": "exists"}], "cve": "CVE-2026-1219", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1219", "description": "MP3 Audio Player by Sonaar >=4.0 <=5.10 IDOR via load_post_by_ajax exposes private post content (HIGH FP RISK: blocks legitimate anonymous music player usage)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "mp3-music-player-by-sonaar", "tags": ["idor", "insecure-direct-object-reference", "unauthenticated"], "target": "plugin", "versions": ">=4.0 <=5.10"}, "RULE-CVE-2026-1219-03": {"ajax_action": "load_lyrics_ajax", "conditions": [{"name": "ARGS:post-id", "type": "exists"}], "cve": "CVE-2026-1219", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1219", "description": "MP3 Audio Player by Sonaar >=4.0 <=5.10 IDOR via load_lyrics_ajax exposes private post content (HIGH FP RISK: blocks legitimate anonymous music player usage)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "mp3-music-player-by-sonaar", "tags": ["idor", "insecure-direct-object-reference", "unauthenticated"], "target": "plugin", "versions": ">=4.0 <=5.10"}, "RULE-CVE-2026-1231-01": {"action": "wp", "conditions": [{"name": "ARGS:fl_action", "type": "equals", "value": "save_global_settings"}, {"type": "missing_capability", "value": "delete_others_posts"}], "cve": "CVE-2026-1231", "method": "POST", "mode": "block", "severity": 6.4, "slug": "beaver-builder-lite-version", "target": "plugin", "versions": "<=2.10.0.5"}, "RULE-CVE-2026-1235-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "regex", "value": "~^wpsc_~"}, {"name": "ARGS", "type": "regex", "value": "~(?:^|[;&])O:\\\\d+:\\"[A-Za-z_]~"}], "cve": "CVE-2026-1235", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-e-commerce", "target": "plugin", "versions": "<3.15.2"}, "RULE-CVE-2026-1236-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/envira(?:/[0-9]+)?(?:[/?]|$)~"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1236", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1236", "description": "Envira Gallery Lite <=1.12.3 stored XSS via justified_gallery_theme parameter in REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "envira-gallery-lite", "tags": ["xss", "stored", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.12.3"}, "RULE-CVE-2026-1236-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_eg_gallery_data[config][justified_gallery_theme]", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|[\\"\'][\\\\s]*on[a-z]+=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1236", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1236", "description": "Envira Gallery Lite <=1.12.3 stored XSS via justified_gallery_theme parameter in post edit form", "method": "POST", "mode": "block", "severity": 6.4, "slug": "envira-gallery-lite", "tags": ["xss", "stored", "authenticated"], "target": "plugin", "versions": "<=1.12.3"}, "RULE-CVE-2026-1244-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[financoop_campaign\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\]\\\\s]*)(?:<[a-z/!]|on[a-z]+=|javascript:)~i"}], "cve": "CVE-2026-1244", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1244", "description": "Forms Bridge <= 4.2.5 Stored XSS via financoop_campaign shortcode id attribute in post content (wp-admin/post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "forms-bridge", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.2.5"}, "RULE-CVE-2026-1244-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[financoop_campaign\\\\b[^\\\\]]*\\\\bid\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*|[^\\\\]\\\\s]*)(?:<[a-z/!]|on[a-z]+=|javascript:)~i"}], "cve": "CVE-2026-1244", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1244", "description": "Forms Bridge <= 4.2.5 Stored XSS via financoop_campaign shortcode id attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "forms-bridge", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=4.2.5"}, "RULE-CVE-2026-1246-01": {"ajax_action": "shortpixel_ajaxRequest", "conditions": [{"name": "ARGS:screen_action", "type": "equals", "value": "loadLogFile"}, {"name": "ARGS:loadFile", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]|wp-config\\\\.php|\\\\.htaccess|\\\\.env|(?:^|[\\\\\\\\/])debug\\\\.log$)~i"}], "cve": "CVE-2026-1246", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1246", "description": "ShortPixel Image Optimizer <=6.4.2 authenticated arbitrary file read via path traversal in loadLogFile AJAX sub-action", "method": "POST", "mode": "block", "severity": 4.9, "slug": "shortpixel-image-optimiser", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=6.4.2"}, "RULE-CVE-2026-1249-01": {"ajax_action": "load_lyrics_ajax", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:post-id", "type": "exists"}], "cve": "CVE-2026-1249", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1249", "description": "MP3 Audio Player by Sonaar <=5.10 authenticated SSRF via load_lyrics_ajax AJAX action", "method": "POST", "mode": "block", "severity": 5.0, "slug": "mp3-music-player-by-sonaar", "tags": ["ssrf", "missing-authorization", "authenticated"], "target": "plugin", "versions": "<=5.10"}, "RULE-CVE-2026-1254-01": {"ajax_action": "modula_save_gallery", "conditions": [{"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-1254", "method": "POST", "mode": "block", "severity": 4.3, "slug": "modula-best-grid-gallery", "target": "plugin", "versions": "<2.14.0"}, "RULE-CVE-2026-1268-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/[0-9]+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:meta[dwc-content]", "type": "regex", "value": "~(?:<script[\\\\s/>]|<iframe[\\\\s/>]|\\\\bon(?:load|error|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1268", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1268", "description": "Dynamic Widget Content <=1.3.6 authenticated (Contributor+) stored XSS via dwc-content post meta on REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "dynamic-widget-content", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2026-1268-02": {"action": "admin_init", "conditions": [{"name": "ARGS:dwc-content", "type": "regex", "value": "~(?:<script[\\\\s/>]|<iframe[\\\\s/>]|\\\\bon(?:load|error|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1268", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1268", "description": "Dynamic Widget Content <=1.3.6 authenticated (Contributor+) stored XSS via dwc-content post meta on classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "dynamic-widget-content", "tags": ["xss", "stored-xss"], "target": "plugin", "versions": "<=1.3.6"}, "RULE-CVE-2026-1271-01": {"ajax_action": "pm_upload_image", "conditions": [{"name": "ARGS:user_id", "type": "regex", "value": "~^\\\\d+$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1271", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1271", "description": "ProfileGrid <= 5.9.7.2 IDOR via pm_upload_image - virtual patch blocks non-admin profile image uploads to prevent arbitrary user image modification (FP: legitimate subscriber self-uploads blocked until plugin update)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "profilegrid-user-profiles-groups-and-communities", "tags": ["idor", "authorization-bypass", "insecure-direct-object-reference"], "target": "plugin", "versions": "<=5.9.7.2"}, "RULE-CVE-2026-1271-02": {"ajax_action": "pm_upload_cover_image", "conditions": [{"name": "ARGS:user_id", "type": "regex", "value": "~^\\\\d+$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1271", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1271", "description": "ProfileGrid <= 5.9.7.2 IDOR via pm_upload_cover_image - virtual patch blocks non-admin cover image uploads to prevent arbitrary user image modification (FP: legitimate subscriber self-uploads blocked until plugin update)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "profilegrid-user-profiles-groups-and-communities", "tags": ["idor", "authorization-bypass", "insecure-direct-object-reference"], "target": "plugin", "versions": "<=5.9.7.2"}, "RULE-CVE-2026-1273-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ultp/v3/starter_dummy_post(/|\\\\?|$)~"}, {"name": "ARGS:api_endpoint", "type": "regex", "value": "~(?:://(?:(?:127(?:[.][0-9]+){0,3}|10(?:[.][0-9]+){1,3}|172[.](?:1[6-9]|2[0-9]|3[01])(?:[.][0-9]+){1,2}|192[.]168(?:[.][0-9]+){1,2}|169[.]254(?:[.][0-9]+){0,2}|0(?:[.]0){1,3}|0x[0-9a-fA-F]+|localhost)(?:[:/?#]|$)|[[]?::1[]]?)|^(?:gopher|file|dict|ftp)://)~i"}], "cve": "CVE-2026-1273", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1273", "description": "PostX <= 5.0.8 SSRF via api_endpoint parameter on /ultp/v3/starter_dummy_post/ REST route", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ultimate-post", "tags": ["ssrf", "server-side-request-forgery", "rest-api"], "target": "plugin", "versions": "<=5.0.8"}, "RULE-CVE-2026-1273-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ultp/v3/starter_import_content(/|\\\\?|$)~"}, {"name": "ARGS:api_endpoint", "type": "regex", "value": "~(?:://(?:(?:127(?:[.][0-9]+){0,3}|10(?:[.][0-9]+){1,3}|172[.](?:1[6-9]|2[0-9]|3[01])(?:[.][0-9]+){1,2}|192[.]168(?:[.][0-9]+){1,2}|169[.]254(?:[.][0-9]+){0,2}|0(?:[.]0){1,3}|0x[0-9a-fA-F]+|localhost)(?:[:/?#]|$)|[[]?::1[]]?)|^(?:gopher|file|dict|ftp)://)~i"}], "cve": "CVE-2026-1273", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1273", "description": "PostX <= 5.0.8 SSRF via api_endpoint parameter on /ultp/v3/starter_import_content/ REST route", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ultimate-post", "tags": ["ssrf", "server-side-request-forgery", "rest-api"], "target": "plugin", "versions": "<=5.0.8"}, "RULE-CVE-2026-1277-01": {"action": "admin_init", "conditions": [{"name": "ARGS:kc_us_dismiss_promotion", "type": "exists"}, {"name": "ARGS:redirect_to", "type": "regex", "value": "~^(?:https?:)?//(?=\\\\S)|^(?:https?:)?\\\\\\\\\\\\\\\\(?=\\\\S)~i"}], "cve": "CVE-2026-1277", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1277", "description": "URL Shortify <=1.12.1 unauthenticated open redirect via redirect_to parameter in promotional dismissal handler", "mode": "block", "severity": 4.7, "slug": "url-shortify", "tags": ["open-redirect", "unauthenticated", "phishing"], "target": "plugin", "versions": "<=1.12.1"}, "RULE-CVE-2026-1279-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[\\\\s*(?:search_employee_directory|employee_form)\\\\b[^\\\\]]*form_title\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[^>]*>|on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2026-1279", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1279", "description": "Employee Directory <=1.2.1 Stored XSS via search_employee_directory shortcode form_title attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "employee-staff-directory", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2026-1279-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[\\\\s*(?:search_employee_directory|employee_form)\\\\b[^\\\\]]*form_title\\\\s*=\\\\s*[\\"\']?[^\\"\'\\\\]]*(?:<[^>]*>|on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2026-1279", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1279", "description": "Employee Directory <=1.2.1 Stored XSS via REST API post content containing malicious shortcode form_title", "method": "POST", "mode": "block", "severity": 6.4, "slug": "employee-staff-directory", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.2.1"}, "RULE-CVE-2026-1280-01": {"ajax_action": "wpfm_send_file_in_email", "conditions": [{"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2026-1280", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1280", "description": "Frontend File Manager Plugin <=23.5 unauthenticated arbitrary file sharing via wpfm_send_file_in_email AJAX action \\u2014 missing nonce and auth checks allow any visitor to email any uploaded file", "method": "POST", "mode": "block", "severity": 7.5, "slug": "nmedia-user-file-uploader", "tags": ["missing-authorization", "idor", "unauthenticated"], "target": "plugin", "versions": "<=23.5"}, "RULE-CVE-2026-1293-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "yoast-schema"}, {"name": "ARGS:content", "type": "regex", "value": "~<\\\\s*/\\\\s*(?i:script)~"}], "cve": "CVE-2026-1293", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1293", "description": "Yoast SEO <=26.8 Authenticated (Contributor+) Stored XSS via yoast-schema block attribute in REST API post creation/update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wordpress-seo", "tags": ["xss", "stored-xss", "rest-api", "gutenberg-block"], "target": "plugin", "versions": "<=26.8"}, "RULE-CVE-2026-1293-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "yoast-schema"}, {"name": "ARGS:content", "type": "regex", "value": "~<\\\\s*/\\\\s*(?i:script)~"}], "cve": "CVE-2026-1293", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1293", "description": "Yoast SEO <=26.8 Authenticated (Contributor+) Stored XSS via yoast-schema block attribute in admin post form submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wordpress-seo", "tags": ["xss", "stored-xss", "admin-post-form", "gutenberg-block"], "target": "plugin", "versions": "<=26.8"}, "RULE-CVE-2026-1294-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|[?&])rest_route=/?)bpivb/v1/image-proxy(?:/|\\\\?|$)~"}, {"name": "ARGS:url", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2026-1294", "method": "GET", "mode": "block", "severity": 7.2, "slug": "image-viewer", "target": "plugin", "versions": ">=1.0.0 <=1.0.2"}, "RULE-CVE-2026-1295-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[buynowplus\\\\b[^\\\\]]*(?:<script|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<svg|<iframe|<img[^>]+onerror)[^\\\\]]*\\\\]~i"}], "cve": "CVE-2026-1295", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1295", "description": "Buy Now Plus <=1.0.2 Stored XSS via buynowplus shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "buy-now-plus", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1298-01": {"ajax_action": "eri_from_url", "conditions": [{"name": "ARGS:old_image_id", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2026-1298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1298", "description": "Easy Replace Image <=3.5.2 missing authorization on eri_from_url AJAX handler allows Contributor+ arbitrary attachment replacement", "method": "POST", "mode": "block", "severity": 5.3, "slug": "easy-replace-image", "tags": ["missing-authorization", "broken-access-control", "arbitrary-file-replacement"], "target": "plugin", "versions": "<=3.5.2"}, "RULE-CVE-2026-1298-02": {"ajax_action": "eri_from_upload", "conditions": [{"name": "ARGS:old_image_id", "type": "exists"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2026-1298", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1298", "description": "Easy Replace Image <=3.5.2 missing authorization on eri_from_upload AJAX handler allows Contributor+ arbitrary attachment replacement", "method": "POST", "mode": "block", "severity": 5.3, "slug": "easy-replace-image", "tags": ["missing-authorization", "broken-access-control", "arbitrary-file-replacement"], "target": "plugin", "versions": "<=3.5.2"}, "RULE-CVE-2026-1302-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editattachment"}, {"name": "ARGS:post_excerpt", "type": "regex", "value": "~(?:<script[\\\\s>]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<svg[\\\\s/+>]|<iframe[\\\\s/+>]|<embed[\\\\s/+>]|<object[\\\\s/+>]|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1302", "description": "Meta-box GalleryMeta <=3.0.1 Stored XSS via attachment caption (post_excerpt) on editattachment save", "method": "POST", "mode": "block", "severity": 4.4, "slug": "meta-box-gallerymeta", "tags": ["xss", "stored-xss", "output-escaping"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2026-1302-02": {"ajax_action": "save-attachment-compat", "conditions": [{"name": "ARGS:post_excerpt", "type": "regex", "value": "~(?:<script[\\\\s>]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<svg[\\\\s/+>]|<iframe[\\\\s/+>]|<embed[\\\\s/+>]|<object[\\\\s/+>]|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1302", "description": "Meta-box GalleryMeta <=3.0.1 Stored XSS via attachment caption (post_excerpt) on AJAX save-attachment-compat", "method": "POST", "mode": "block", "severity": 4.4, "slug": "meta-box-gallerymeta", "tags": ["xss", "stored-xss", "output-escaping"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2026-1302-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/media/\\\\d+~"}, {"name": "ARGS:caption", "type": "regex", "value": "~(?:<script[\\\\s>]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<svg[\\\\s/+>]|<iframe[\\\\s/+>]|<embed[\\\\s/+>]|<object[\\\\s/+>]|data\\\\s*:\\\\s*text/html)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1302", "description": "Meta-box GalleryMeta <=3.0.1 Stored XSS via attachment caption (post_excerpt) on REST media update", "method": "POST", "mode": "block", "severity": 4.4, "slug": "meta-box-gallerymeta", "tags": ["xss", "stored-xss", "output-escaping", "rest-api"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2026-1303-01": {"ajax_action": "mailchimp_campaigns_manager_disconnect_app", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1303", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1303", "description": "MailChimp Campaigns <=3.2.4 missing authorization on disconnect_app AJAX action allows Subscriber+ to disconnect Mailchimp integration", "mode": "block", "severity": 5.3, "slug": "olalaweb-mailchimp-campaign-manager", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.2.4"}, "RULE-CVE-2026-1307-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ninja-forms-views/forms/[0-9]+/submissions(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1307", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1307", "description": "Ninja Forms <=3.14.1 sensitive information disclosure via REST submissions endpoint accessible to Contributor+", "mode": "block", "severity": 6.5, "slug": "ninja-forms", "tags": ["information-disclosure", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=3.14.1"}, "RULE-CVE-2026-1310-01": {"ajax_action": "miga_editor_cal_delete", "conditions": [{"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-1310", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1310", "description": "Simple Calendar for Elementor <=1.6.6 missing authorization on miga_editor_cal_delete AJAX action allows unauthenticated calendar entry deletion", "method": "POST", "mode": "block", "severity": 5.3, "slug": "simple-calendar-for-elementor", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=1.6.6"}, "RULE-CVE-2026-1310-02": {"ajax_action": "miga_editor_cal_update", "conditions": [{"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-1310", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1310", "description": "Simple Calendar for Elementor <=1.6.6 missing authorization on miga_editor_cal_update AJAX action allows unauthenticated calendar entry modification", "method": "POST", "mode": "block", "severity": 5.3, "slug": "simple-calendar-for-elementor", "tags": ["missing-authorization", "unauthenticated", "broken-access-control"], "target": "plugin", "versions": "<=1.6.6"}, "RULE-CVE-2026-1311-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "worrprba_ajax_upload_backup_file"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1311", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1311", "description": "Worry Proof Backup <=0.2.4 authenticated (Subscriber+) path traversal via backup ZIP upload leading to arbitrary file write and RCE", "method": "POST", "mode": "block", "severity": 8.8, "slug": "worry-proof-backup", "tags": ["path-traversal", "arbitrary-file-write", "missing-authorization", "remote-code-execution"], "target": "plugin", "versions": "<=0.2.4"}, "RULE-CVE-2026-1311-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/worrprba/v1/upload-chunk(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1311", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1311", "description": "Worry Proof Backup <=0.2.4 REST API upload-chunk endpoint path traversal via unsanitized chunk file upload", "method": "POST", "mode": "block", "severity": 8.8, "slug": "worry-proof-backup", "tags": ["path-traversal", "arbitrary-file-write", "rest-api"], "target": "plugin", "versions": "<=0.2.4"}, "RULE-CVE-2026-1316-01": {"ajax_action": "cr_upload_media", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*script|javascript\\\\s*:|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1316", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1316", "description": "Customer Reviews for WooCommerce <=5.97.0 unauthenticated stored XSS via media[].href in cr_upload_media AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "customer-reviews-woocommerce", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.97.0"}, "RULE-CVE-2026-1316-02": {"ajax_action": "cr_submit_review", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<\\\\s*script|javascript\\\\s*:|on(?:error|load|click|mouseover|focus|blur)\\\\s*=|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1316", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1316", "description": "Customer Reviews for WooCommerce <=5.97.0 unauthenticated stored XSS via media[].href in cr_submit_review AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "customer-reviews-woocommerce", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.97.0"}, "RULE-CVE-2026-1319-01": {"ajax_action": "wio_ng_reoptimize_image", "conditions": [{"name": "ARGS:id", "type": "detectXSS"}], "cve": "CVE-2026-1319", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1319", "description": "Robin Image Optimizer <=2.0.2 reflected XSS via id parameter in wio_ng_reoptimize_image AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "robin-image-optimizer", "tags": ["xss", "reflected-xss", "ajax"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-1319-02": {"ajax_action": "wio_ng_restore_image", "conditions": [{"name": "ARGS:id", "type": "detectXSS"}], "cve": "CVE-2026-1319", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1319", "description": "Robin Image Optimizer <=2.0.2 reflected XSS via id parameter in wio_ng_restore_image AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "robin-image-optimizer", "tags": ["xss", "reflected-xss", "ajax"], "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-1320-01": {"action": "init", "conditions": [{"name": "REQUEST_HEADERS:X-Forwarded-For", "type": "detectXSS"}], "config": {}, "cve": "CVE-2026-1320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1320", "description": "Secure Copy Content Protection <= 4.9.8 stored XSS via X-Forwarded-For header in IP logging", "mode": "block", "severity": 7.2, "slug": "secure-copy-content-protection", "tags": ["xss", "stored", "header-injection"], "target": "plugin", "versions": "<4.9.9"}, "RULE-CVE-2026-1321-01": {"ajax_action": "rcp_process_register_form", "conditions": [{"name": "ARGS:rcp_level", "type": "exists"}, {"name": "ARGS:rcp_gateway", "type": "equals", "value": "free"}], "cve": "CVE-2026-1321", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1321", "description": "Membership Plugin \\u2013 Restrict Content <=3.2.20 unauthenticated privilege escalation via rcp_level parameter in AJAX registration", "method": "POST", "mode": "block", "severity": 8.1, "slug": "restrict-content", "tags": ["privilege-escalation", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=3.2.20"}, "RULE-CVE-2026-1336-01": {"ajax_action": "ays_chatgpt_admin_ajax", "conditions": [{"name": "ARGS:ays_chatgpt_assistant_api_key", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1336", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1336", "description": "AI ChatBot with ChatGPT and Content Generator by AYS <=2.7.5 unauthenticated API key modification via ays_chatgpt_admin_ajax AJAX handler", "mode": "block", "severity": 5.3, "slug": "ays-chatgpt-assistant", "tags": ["missing-authorization", "unauthenticated", "settings-modification"], "target": "plugin", "versions": "<=2.7.5"}, "RULE-CVE-2026-1373-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/profile.php"}, {"name": "ARGS:author_profile_picture_url", "type": "regex", "value": "~(?:<\\\\s*script|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1373", "description": "Easy Author Image <=1.7 Stored XSS via author_profile_picture_url on profile self-update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-author-image", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.7"}, "RULE-CVE-2026-1373-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/user-edit.php"}, {"name": "ARGS:author_profile_picture_url", "type": "regex", "value": "~(?:<\\\\s*script|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1373", "description": "Easy Author Image <=1.7 Stored XSS via author_profile_picture_url on admin user-edit", "method": "POST", "mode": "block", "severity": 6.4, "slug": "easy-author-image", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.7"}, "RULE-CVE-2026-1375-01": {"ajax_action": "tutor_course_list_bulk_action", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1375", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1375", "description": "Tutor LMS <=3.9.5 IDOR in course bulk action allows instructors to modify/delete arbitrary courses via tutor_course_list_bulk_action", "method": "POST", "mode": "block", "severity": 8.1, "slug": "tutor", "tags": ["idor", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.9.5"}, "RULE-CVE-2026-1375-02": {"ajax_action": "tutor_change_course_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1375", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1375", "description": "Tutor LMS <=3.9.5 IDOR in course status change allows instructors to modify arbitrary courses via tutor_change_course_status", "method": "POST", "mode": "block", "severity": 8.1, "slug": "tutor", "tags": ["idor", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.9.5"}, "RULE-CVE-2026-1375-03": {"ajax_action": "tutor_course_delete", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1375", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1375", "description": "Tutor LMS <=3.9.5 IDOR in course deletion allows instructors to delete arbitrary courses via tutor_course_delete", "method": "POST", "mode": "block", "severity": 8.1, "slug": "tutor", "tags": ["idor", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=3.9.5"}, "RULE-CVE-2026-1391-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vzaar-media-management"}, {"name": "ARGS:bulkcheck", "type": "detectXSS"}], "cve": "CVE-2026-1391", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1391", "description": "Vzaar Media Management <=1.1 Reflected XSS via bulkcheck parameter on admin upload page", "method": "GET", "mode": "block", "severity": 5.3, "slug": "vzaar-media-management", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1391-02": {"action": "admin_init", "conditions": [{"name": "ARGS:type", "type": "equals", "value": "vzaarmedia"}, {"name": "ARGS:guid", "type": "detectXSS"}], "cve": "CVE-2026-1391", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1391", "description": "Vzaar Media Management <=1.1 Reflected XSS via guid parameter on media upload tab", "method": "GET", "mode": "block", "severity": 5.3, "slug": "vzaar-media-management", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1391-03": {"action": "admin_init", "conditions": [{"name": "ARGS:type", "type": "equals", "value": "vzaarmedia"}, {"name": "ARGS:post_id", "type": "detectXSS"}], "cve": "CVE-2026-1391", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1391", "description": "Vzaar Media Management <=1.1 Reflected XSS via post_id parameter on media upload tab", "method": "GET", "mode": "block", "severity": 5.3, "slug": "vzaar-media-management", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1391-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "vzaar-media-management"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:%3[Cc]|<)[a-zA-Z/!]~"}], "cve": "CVE-2026-1391", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1391", "description": "Vzaar Media Management <=1.1 Reflected XSS via PHP_SELF path injection on admin upload page", "method": "GET", "mode": "block", "severity": 5.3, "slug": "vzaar-media-management", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1394-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-quick-contact-us"}, {"name": "ARGS:wpQcEmail", "type": "regex", "value": "~<[a-zA-Z/!][^>]*>|on[a-zA-Z]{3,}[^=]*=~i"}], "cve": "CVE-2026-1394", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1394", "description": "WP Quick Contact Us <=1.0 CSRF to stored XSS via settings update - wpQcEmail parameter", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-quick-contact-us", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-1394-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-quick-contact-us"}, {"name": "ARGS:wpQcSubject", "type": "regex", "value": "~<[a-zA-Z/!][^>]*>|on[a-zA-Z]{3,}[^=]*=~i"}], "cve": "CVE-2026-1394", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1394", "description": "WP Quick Contact Us <=1.0 CSRF to stored XSS via settings update - wpQcSubject parameter", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-quick-contact-us", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-1394-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wp-quick-contact-us"}, {"name": "ARGS:wpQcSuccessMsg", "type": "regex", "value": "~<[a-zA-Z/!][^>]*>|on[a-zA-Z]{3,}[^=]*=~i"}], "cve": "CVE-2026-1394", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1394", "description": "WP Quick Contact Us <=1.0 CSRF to stored XSS via settings update - wpQcSuccessMsg parameter", "method": "POST", "mode": "block", "severity": 4.3, "slug": "wp-quick-contact-us", "tags": ["csrf", "xss", "stored-xss"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-1400-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mwai/v1/helpers/update_media_metadata(?:/|\\\\?|&|$)~"}, {"name": "ARGS:filename", "type": "regex", "value": "~(?:\\\\.(?:ph(?:p\\\\d?|s|tml?|t|ar|gif)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)|[\\\\\\\\/]\\\\.htaccess$|[\\\\\\\\/]\\\\.htpasswd$)~i"}], "cve": "CVE-2026-1400", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1400", "description": "AI Engine <=3.3.2 authenticated (Editor+) arbitrary file upload via filename parameter in update_media_metadata REST endpoint", "method": "POST", "mode": "block", "severity": 7.2, "slug": "ai-engine", "tags": ["arbitrary-file-upload", "file-rename", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2026-1401-01": {"action": "admin_post_tune_lib_admin", "conditions": [{"name": "ARGS:importcsv", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1401", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1401", "description": "Tune Library <=1.6.3 missing authorization on CSV import allows authenticated (Subscriber+) stored XSS via admin_post_tune_lib_admin", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tune-library", "tags": ["missing-authorization", "stored-xss", "csv-import", "authenticated"], "target": "plugin", "versions": "<=1.6.3"}, "RULE-CVE-2026-1401-02": {"action": "admin_post_tune_lib_admin", "conditions": [{"name": "ARGS:importitunes", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1401", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1401", "description": "Tune Library <=1.6.3 missing authorization on iTunes import allows authenticated (Subscriber+) stored XSS via admin_post_tune_lib_admin", "method": "POST", "mode": "block", "severity": 6.4, "slug": "tune-library", "tags": ["missing-authorization", "stored-xss", "itunes-import", "authenticated"], "target": "plugin", "versions": "<=1.6.3"}, "RULE-CVE-2026-1404-01": {"ajax_action": "um_get_members", "conditions": [{"name": "ARGS:search", "type": "regex", "value": "~(?:<[^>]*\\\\b(?:on\\\\w+|src|href|style|formaction|data)\\\\s*=|<\\\\s*(?:script|img|svg|iframe|object|embed|link|meta|form|base|video|audio|body|details|marquee)\\\\b|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1404", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1404", "description": "Ultimate Member <=2.11.1 Reflected XSS via um_get_members AJAX search parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "ultimate-member", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.1"}, "RULE-CVE-2026-1404-02": {"ajax_action": "um_get_members", "conditions": [{"name": "ARGS:sorting", "type": "regex", "value": "~(?:<[^>]*\\\\b(?:on\\\\w+|src|href|style|formaction|data)\\\\s*=|<\\\\s*(?:script|img|svg|iframe|object|embed|link|meta|form|base|video|audio|body|details|marquee)\\\\b|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1404", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1404", "description": "Ultimate Member <=2.11.1 Reflected XSS via um_get_members AJAX sorting parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "ultimate-member", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.1"}, "RULE-CVE-2026-1404-03": {"ajax_action": "um_get_members", "conditions": [{"name": "ARGS:filter_tag", "type": "regex", "value": "~(?:<[^>]*\\\\b(?:on\\\\w+|src|href|style|formaction|data)\\\\s*=|<\\\\s*(?:script|img|svg|iframe|object|embed|link|meta|form|base|video|audio|body|details|marquee)\\\\b|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1404", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1404", "description": "Ultimate Member <=2.11.1 Reflected XSS via um_get_members AJAX filter_tag parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "ultimate-member", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.1"}, "RULE-CVE-2026-1404-04": {"ajax_action": "um_get_members", "conditions": [{"name": "ARGS:directory_id", "type": "regex", "value": "~(?:<[^>]*\\\\b(?:on\\\\w+|src|href|style|formaction|data)\\\\s*=|<\\\\s*(?:script|img|svg|iframe|object|embed|link|meta|form|base|video|audio|body|details|marquee)\\\\b|javascript\\\\s*:|data\\\\s*:\\\\s*text/html)~i"}], "cve": "CVE-2026-1404", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1404", "description": "Ultimate Member <=2.11.1 Reflected XSS via um_get_members AJAX directory_id parameter", "method": "POST", "mode": "block", "severity": 6.1, "slug": "ultimate-member", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.11.1"}, "RULE-CVE-2026-1431-01": {"ajax_action": "WPBC_FLEXTIMELINE_NAV", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1431", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1431", "description": "Booking Calendar <=10.14.13 unauthenticated booking data exposure via WPBC_FLEXTIMELINE_NAV AJAX action", "mode": "block", "severity": 5.3, "slug": "booking", "tags": ["missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=10.14.13"}, "RULE-CVE-2026-1454-01": {"ajax_action": "Save_Form_Data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<[a-zA-Z][^>]{0,512}on[a-zA-Z]{3,30}[ \\\\t\\\\r\\\\n]*=~i"}], "cve": "CVE-2026-1454", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1454", "description": "Lead Form Builder <=2.0.1 unauthenticated stored XSS via form submission - event handler injection", "method": "POST", "mode": "block", "severity": 7.2, "slug": "lead-form-builder", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-1454-02": {"ajax_action": "Save_Form_Data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<[ \\\\t\\\\r\\\\n]*script(?:[ \\\\t\\\\r\\\\n]|>|/|$)~i"}], "cve": "CVE-2026-1454", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1454", "description": "Lead Form Builder <=2.0.1 unauthenticated stored XSS via form submission - script tag injection", "method": "POST", "mode": "block", "severity": 7.2, "slug": "lead-form-builder", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-1454-03": {"ajax_action": "Save_Form_Data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~javascript(?:[ \\\\t\\\\r\\\\n]|%0[aAdD]|%09|�*9;|�*10;|�*13;|	|
)*:~i"}], "cve": "CVE-2026-1454", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1454", "description": "Lead Form Builder <=2.0.1 unauthenticated stored XSS via form submission - javascript URI injection", "method": "POST", "mode": "block", "severity": 7.2, "slug": "lead-form-builder", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-1461-01": {"action": "wp_loaded", "conditions": [{"name": "ARGS:swpm_process_stripe_subscription", "type": "equals", "value": "1"}, {"name": "ARGS:hook", "type": "equals", "value": "1"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1461", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1461", "description": "Simple Membership <=4.7.0 unauthenticated Stripe webhook signature bypass via missing signing secret validation", "method": "POST", "mode": "block", "severity": 6.5, "slug": "simple-membership", "tags": ["signature-bypass", "unauthenticated", "webhook-forge", "improper-handling-missing-values"], "target": "plugin", "versions": "<=4.7.0"}, "RULE-CVE-2026-1492-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "user_registration_user_form_submit"}, {"name": "ARGS:role", "type": "regex", "value": "~^(administrator|editor|author|contributor)$~i"}], "cve": "CVE-2026-1492", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1492", "description": "User Registration & Membership <=5.1.2 unauthenticated privilege escalation via role parameter in user_registration_user_form_submit AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "user-registration", "tags": ["privilege-escalation", "unauthenticated", "improper-privilege-management"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-1492-02": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "regex", "value": "~^user_registration_membership_.+$~"}, {"name": "ARGS:role", "type": "regex", "value": "~^(administrator|editor|author|contributor)$~i"}], "cve": "CVE-2026-1492", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1492", "description": "User Registration & Membership <=5.1.2 unauthenticated privilege escalation via role parameter in membership registration AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "user-registration", "tags": ["privilege-escalation", "unauthenticated", "improper-privilege-management"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-1492-03": {"action": "init", "conditions": [{"name": "ARGS:ur_frontend_form_id", "type": "exists"}, {"name": "ARGS:role", "type": "regex", "value": "~^(administrator|editor|author|contributor)$~i"}], "cve": "CVE-2026-1492", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1492", "description": "User Registration & Membership <=5.1.2 unauthenticated privilege escalation via role parameter in frontend form submission", "method": "POST", "mode": "block", "severity": 9.8, "slug": "user-registration", "tags": ["privilege-escalation", "unauthenticated", "improper-privilege-management"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-1499-01": {"ajax_action": "process_add_site", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1499", "method": "POST", "mode": "block", "severity": 9.8, "slug": "local-sync", "target": "plugin", "versions": "<=1.1.8"}, "RULE-CVE-2026-1542-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:^|[;&])O:[0-9]+:\\"[A-Za-z_]~"}], "cve": "CVE-2026-1542", "method": "POST", "mode": "block", "severity": 6.5, "slug": "super-stage-wp", "target": "plugin", "versions": "<1.0.2"}, "RULE-CVE-2026-1557-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~wp-responsive-images/image_handler\\\\.php~"}, {"name": "ARGS:src", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|/etc/passwd|(?:^|[\\\\\\\\/])(?:wp-config\\\\.php|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)$)~i"}], "cve": "CVE-2026-1557", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1557", "description": "WP Responsive Images <=1.0 unauthenticated path traversal to arbitrary file read via src parameter in image_handler.php", "method": "GET", "mode": "block", "severity": 7.5, "slug": "wp-responsive-images", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated", "local-file-inclusion"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-1560-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/lazy-blocks/v1/block-builder-preview(/|\\\\?|&|$)~"}, {"name": "REQUEST_COOKIES:/^wordpress_logged_in_/", "type": "exists"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1560", "method": "POST", "mode": "block", "severity": 8.8, "slug": "lazy-blocks", "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2026-1565-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "upload-attachment"}, {"name": "ARGS:type", "type": "equals", "value": "wpuf-form-uploader"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1565", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1565", "description": "WP User Frontend <=4.2.8 authenticated (Author+) arbitrary file upload via upload-attachment with wpuf-form-uploader type bypass", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-user-frontend", "tags": ["arbitrary-file-upload", "file-upload-extension-bypass", "missing-authorization"], "target": "plugin", "versions": "<=4.2.8"}, "RULE-CVE-2026-1565-02": {"ajax_action": "wpuf_import_forms", "conditions": [{"name": "ARGS:file_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1565", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1565", "description": "WP User Frontend <=4.2.8 authenticated (Author+) arbitrary file import via wpuf_import_forms AJAX action", "method": "POST", "mode": "block", "severity": 8.8, "slug": "wp-user-frontend", "tags": ["arbitrary-file-upload", "missing-authorization"], "target": "plugin", "versions": "<=4.2.8"}, "RULE-CVE-2026-1566-01": {"ajax_action": "latepoint_route_call", "conditions": [{"name": "ARGS:customer[wordpress_user_id]", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1566", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1566", "description": "LatePoint <=5.2.7 privilege escalation via mass-assignment of customer[wordpress_user_id] through AJAX route dispatcher", "method": "POST", "mode": "block", "severity": 8.8, "slug": "latepoint", "tags": ["privilege-escalation", "improper-privilege-management", "mass-assignment"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2026-1566-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "latepoint_route_call"}, {"name": "ARGS:customer[wordpress_user_id]", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1566", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1566", "description": "LatePoint <=5.2.7 privilege escalation via mass-assignment of customer[wordpress_user_id] through admin-post route dispatcher", "method": "POST", "mode": "block", "severity": 8.8, "slug": "latepoint", "tags": ["privilege-escalation", "improper-privilege-management", "mass-assignment"], "target": "plugin", "versions": "<=5.2.7"}, "RULE-CVE-2026-1569-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wueen-blocket\\\\b[^\\\\]]*err-404\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<svg[\\\\s/]|<iframe[\\\\s/])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1569", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1569", "description": "Wueen <=0.2.0 contributor+ stored XSS via wueen-blocket shortcode err-404 attribute in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wueen", "tags": ["xss", "stored", "shortcode", "authenticated"], "target": "plugin", "versions": "<=0.2.0"}, "RULE-CVE-2026-1569-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wueen-blocket\\\\b[^\\\\]]*id\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<svg[\\\\s/]|<iframe[\\\\s/])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1569", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1569", "description": "Wueen <=0.2.0 contributor+ stored XSS via wueen-blocket shortcode id attribute reflected through err-404 template", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wueen", "tags": ["xss", "stored", "shortcode", "authenticated"], "target": "plugin", "versions": "<=0.2.0"}, "RULE-CVE-2026-1569-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/(?:wp-admin/post(?:-new)?\\\\.php|wp-admin/admin-ajax\\\\.php)\\\\b~i"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(?:wueen-blocket)\\\\b[^\\\\]]*\\\\bv-[a-zA-Z0-9_]+\\\\s*=\\\\s*[\\"\'][^\\"\'\\\\]]*(?:<script\\\\b|<svg\\\\b|<iframe\\\\b|javascript\\\\s*:|on(?:error|load|mouseover|click|focus|blur)\\\\s*=)[^\\"\'\\\\]]*[\\"\'][^\\\\]]*\\\\]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1569", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1569", "description": "Wueen <=0.2.0 contributor+ stored XSS via wueen-blocket shortcode v-* variable attributes", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wueen", "tags": ["xss", "stored", "shortcode", "authenticated"], "target": "plugin", "versions": "<=0.2.0"}, "RULE-CVE-2026-1570-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "contains", "value": "[verse"}, {"name": "ARGS:post_content", "type": "regex", "value": "~[[]verse[^]]*(?:<script|<svg|<iframe|<img|on[a-zA-Z]+=|javascript:|data:[a-zA-Z]+/[a-zA-Z]+)~i"}], "cve": "CVE-2026-1570", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1570", "description": "Simple Bible Verse Via Shortcode <=1.1 Stored XSS via [verse] shortcode attributes in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-bible-verse-via-shortcode", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1574-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[myqtip\\\\s[^\\\\]]*title\\\\s*=\\\\s*[\\"\'][^\\"\']*[\\"\']\\\\s+on[a-zA-Z]+=~i"}], "cve": "CVE-2026-1574", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1574", "description": "MyQtip - easy qTip2 <=2.0.5 Stored XSS via [myqtip] shortcode title attribute breakout (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "myqtip-easy-qtip2", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2026-1574-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[myqtip\\\\s[^\\\\]]*title\\\\s*=\\\\s*[\\"\'][^\\"\']*>\\\\s*<~i"}], "cve": "CVE-2026-1574", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1574", "description": "MyQtip - easy qTip2 <=2.0.5 Stored XSS via [myqtip] shortcode title tag injection (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "myqtip-easy-qtip2", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2026-1574-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[myqtip[^\\\\]]*\\\\].*<script~is"}], "cve": "CVE-2026-1574", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1574", "description": "MyQtip - easy qTip2 <=2.0.5 Stored XSS via [myqtip] shortcode body script injection (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "myqtip-easy-qtip2", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2026-1574-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[myqtip\\\\s[^\\\\]]*title\\\\s*=\\\\s*[\\"\'][^\\"\']*[\\"\']\\\\s+on[a-zA-Z]+=~i"}], "cve": "CVE-2026-1574", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1574", "description": "MyQtip - easy qTip2 <=2.0.5 Stored XSS via [myqtip] shortcode title attribute breakout (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "myqtip-easy-qtip2", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2026-1574-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[myqtip\\\\s[^\\\\]]*title\\\\s*=\\\\s*[\\"\'][^\\"\']*>\\\\s*<~i"}], "cve": "CVE-2026-1574", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1574", "description": "MyQtip - easy qTip2 <=2.0.5 Stored XSS via [myqtip] shortcode title tag injection (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "myqtip-easy-qtip2", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2026-1574-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[myqtip[^\\\\]]*\\\\].*<script~is"}], "cve": "CVE-2026-1574", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1574", "description": "MyQtip - easy qTip2 <=2.0.5 Stored XSS via [myqtip] shortcode body script injection (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "myqtip-easy-qtip2", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2026-1581-01": {"action": "init", "conditions": [{"name": "ARGS:wpfob", "type": "detectSQLi"}], "cve": "CVE-2026-1581", "method": "GET", "mode": "block", "severity": 7.5, "slug": "wpforo", "target": "plugin", "versions": "<=2.4.14"}, "RULE-CVE-2026-1608-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~[[]youtube[^]]*(?:on[a-zA-Z]+=|javascript:|<script|<img[^>]+onerror)~i"}], "cve": "CVE-2026-1608", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1608", "description": "Video Onclick <=0.4.7 Stored XSS via youtube shortcode attributes in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "video-onclick", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.4.7"}, "RULE-CVE-2026-1608-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~[[]youtube[^]]*(?:on[a-zA-Z]+=|javascript:|<script|<img[^>]+onerror)~i"}], "cve": "CVE-2026-1608", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1608", "description": "Video Onclick <=0.4.7 Stored XSS via youtube shortcode attributes in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "video-onclick", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.4.7"}, "RULE-CVE-2026-1611-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wikiloops\\\\b[^\\\\]]*(?:<[^>]+>|\\\\bon\\\\w+\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1611", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1611", "description": "Wikiloops Track Player <=1.0.1 Stored XSS via wikiloops shortcode attributes in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wikiloops-track-player", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2026-1611-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/\\\\d+)?(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wikiloops\\\\b[^\\\\]]*(?:<[^>]+>|\\\\bon\\\\w+\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1611", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1611", "description": "Wikiloops Track Player <=1.0.1 Stored XSS via wikiloops shortcode attributes in REST API content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wikiloops-track-player", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.1"}, "RULE-CVE-2026-1614-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:rise-blocks/site-identity~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']logoTag[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*[\\\\s=<>][^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1614", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1614", "description": "Rise Blocks <=3.7 Stored XSS via logoTag attribute in Site Identity block on post create", "method": "POST", "mode": "block", "severity": 6.4, "slug": "rise-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2026-1614-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:rise-blocks/site-identity~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']logoTag[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*[\\\\s=<>][^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1614", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1614", "description": "Rise Blocks <=3.7 Stored XSS via logoTag attribute in Site Identity block on post update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "rise-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2026-1614-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:rise-blocks/site-identity~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']logoTag[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*[\\\\s=<>][^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1614", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1614", "description": "Rise Blocks <=3.7 Stored XSS via logoTag attribute in Site Identity block on post update (PUT)", "method": "PUT", "mode": "block", "severity": 6.4, "slug": "rise-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2026-1614-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts/\\\\d+(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:rise-blocks/site-identity~"}, {"name": "ARGS:content", "type": "regex", "value": "~[\\"\']logoTag[\\"\']\\\\s*:\\\\s*[\\"\'][^\\"\']*[\\\\s=<>][^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1614", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1614", "description": "Rise Blocks <=3.7 Stored XSS via logoTag attribute in Site Identity block on post update (PATCH)", "method": "PATCH", "mode": "block", "severity": 6.4, "slug": "rise-blocks", "tags": ["xss", "stored-xss", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=3.7"}, "RULE-CVE-2026-1620-01": {"ajax_action": "lae_admin_ajax", "conditions": [{"name": "ARGS:template", "type": "regex", "value": "~(?:(?:\\\\.{2,}/+){2,}|(?:php|phar|data|expect|zip|glob)://|wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2026-1620", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1620", "description": "Livemesh Addons for Elementor <=9.0 authenticated (Contributor+) Local File Inclusion via template parameter in lae_admin_ajax handler", "mode": "block", "severity": 8.8, "slug": "addons-for-elementor", "tags": ["local-file-inclusion", "path-traversal", "authenticated"], "target": "plugin", "versions": "<=9.0"}, "RULE-CVE-2026-1634-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~subitem-al-slider~"}, {"name": "REQUEST_URI", "type": "detectXSS"}], "cve": "CVE-2026-1634", "method": "GET", "mode": "block", "severity": 6.1, "slug": "subitem-al-slider", "target": "plugin", "versions": "<1.1"}, "RULE-CVE-2026-1639-01": {"ajax_action": "wppm_get_project_list", "conditions": [{"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2026-1639", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1639", "description": "Taskbuilder <=5.0.2 authenticated (Subscriber+) SQL injection via order parameter in wppm_get_project_list AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "taskbuilder", "tags": ["sql-injection", "time-based-blind", "authenticated"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2026-1639-02": {"ajax_action": "wppm_get_project_list", "conditions": [{"name": "ARGS:sort_by", "type": "detectSQLi"}], "cve": "CVE-2026-1639", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1639", "description": "Taskbuilder <=5.0.2 authenticated (Subscriber+) SQL injection via sort_by parameter in wppm_get_project_list AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "taskbuilder", "tags": ["sql-injection", "time-based-blind", "authenticated"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2026-1643-01": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "mp-ukagaka"}, {"name": "REQUEST_URI", "type": "regex", "value": "~options-general\\\\.php/[^?]*(?:[<>\\"\'=]|%(?:22|27|3[CEce]|3[Dd]))~i"}], "cve": "CVE-2026-1643", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1643", "description": "MP-Ukagaka <=1.5.2 Reflected XSS via unsanitized PHP_SELF in admin settings page (GET)", "method": "GET", "mode": "block", "severity": 6.1, "slug": "mp-ukagaka", "tags": ["xss", "reflected-xss", "php-self"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2026-1643-02": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "mp-ukagaka"}, {"name": "REQUEST_URI", "type": "regex", "value": "~options-general\\\\.php/[^?]*(?:[<>\\"\'=]|%(?:22|27|3[CEce]|3[Dd]))~i"}], "cve": "CVE-2026-1643", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1643", "description": "MP-Ukagaka <=1.5.2 Reflected XSS via unsanitized PHP_SELF in admin settings page (POST)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "mp-ukagaka", "tags": ["xss", "reflected-xss", "php-self"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2026-1644-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/users\\\\.php~"}, {"name": "ARGS:action", "type": "regex", "value": "~^(?:approve|deny|block)$~i"}, {"name": "ARGS:user", "type": "exists"}, {"type": "missing_capability", "value": "promote_users"}], "cve": "CVE-2026-1644", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1644", "description": "WP Front End Profile <=1.3.8 CSRF on user approval/denial/blocking via update_action on users.php", "mode": "block", "severity": 4.3, "slug": "wp-front-end-profile", "tags": ["csrf", "missing-authorization", "user-management"], "target": "plugin", "versions": "<=1.3.8"}, "RULE-CVE-2026-1649-01": {"action": "admin_post_save_community_events_venues", "conditions": [{"name": "ARGS:ce_venue_name", "type": "detectXSS"}], "cve": "CVE-2026-1649", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1649", "description": "Community Events <=1.5.7 authenticated stored XSS via ce_venue_name in venue save handler", "method": "POST", "mode": "block", "severity": 4.4, "slug": "community-events", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.5.7"}, "RULE-CVE-2026-1650-01": {"action": "admin_init", "conditions": [{"name": "ARGS:delete_custom_field", "type": "exists"}, {"name": "ARGS:id", "type": "exists"}, {"type": "missing_capability", "value": "manage_mdjm"}], "cve": "CVE-2026-1650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1650", "description": "MDJM Event Management <=1.7.8.1 unauthenticated arbitrary custom field deletion via delete_custom_field parameter", "method": "GET", "mode": "block", "severity": 5.3, "slug": "mobile-dj-manager", "tags": ["missing-authorization", "unauthenticated", "arbitrary-deletion"], "target": "plugin", "versions": "<=1.7.8.1"}, "RULE-CVE-2026-1650-02": {"action": "admin_init", "conditions": [{"name": "ARGS:submit_custom_field", "type": "exists"}, {"type": "missing_capability", "value": "manage_mdjm"}], "cve": "CVE-2026-1650", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1650", "description": "MDJM Event Management <=1.7.8.1 unauthenticated arbitrary custom field creation/update via submit_custom_field parameter", "method": "POST", "mode": "block", "severity": 5.3, "slug": "mobile-dj-manager", "tags": ["missing-authorization", "unauthenticated", "arbitrary-modification"], "target": "plugin", "versions": "<=1.7.8.1"}, "RULE-CVE-2026-1651-01": {"ajax_action": "icegram-express", "conditions": [{"name": "ARGS:handler", "type": "equals", "value": "workflows"}, {"name": "ARGS:method", "type": "equals", "value": "update_status"}, {"name": "ARGS:data", "type": "regex", "value": "~(?:UNION[ ]+(?:ALL[ ]+)?SELECT|[0-9]+[)]+[ ]*(?:AND|OR|UNION)[ ]|SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|IF[ ]*[(].*,.*,|LOAD_FILE|INTO[ ]+(?:OUTFILE|DUMPFILE))~i"}], "cve": "CVE-2026-1651", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1651", "description": "Email Subscribers & Newsletters <=5.9.16 authenticated (Administrator+) SQL injection via workflow_ids in data parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "email-subscribers", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=5.9.16"}, "RULE-CVE-2026-1656-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "wpbdp_ajax"}, {"name": "ARGS:listing_id", "type": "regex", "value": "~^[1-9][0-9]*$~"}, {"name": "ARGS:/listingfields|listing_fields|fields/", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1656", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1656", "description": "Business Directory Plugin <=6.4.20 unauthenticated arbitrary listing modification via wpbdp_ajax AJAX action", "method": "POST", "mode": "block", "severity": 5.3, "slug": "business-directory-plugin", "tags": ["missing-authorization", "broken-access-control", "unauthenticated", "idor"], "target": "plugin", "versions": "<=6.4.20"}, "RULE-CVE-2026-1675-01": {"action": "init", "conditions": [{"name": "ARGS:OpenSesame", "type": "regex", "value": "~^0*1$~"}], "cve": "CVE-2026-1675", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1675", "description": "Advanced Country Blocker <=2.3.1 unauthenticated authorization bypass via insecure default secret key", "mode": "block", "severity": 5.3, "slug": "advanced-country-blocker", "tags": ["authorization-bypass", "insecure-default", "unauthenticated"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2026-1706-01": {"action": "init", "conditions": [{"name": "ARGS:vi", "type": "regex", "value": "~(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|&#)~i"}], "cve": "CVE-2026-1706", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1706", "description": "All-in-One Video Gallery <=4.7.1 Reflected XSS via vi parameter in search form templates", "mode": "block", "severity": 6.1, "slug": "all-in-one-video-gallery", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=4.7.1"}, "RULE-CVE-2026-1708-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/appointments(/|\\\\?|$)~"}, {"name": "ARGS:append_where_sql", "type": "exists"}], "cve": "CVE-2026-1708", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1708", "description": "Simply Schedule Appointments <=1.6.9.27 unauthenticated blind SQL injection via append_where_sql parameter in JSON body on REST /ssa/v1/appointments endpoint", "mode": "block", "severity": 7.5, "slug": "simply-schedule-appointments", "tags": ["sql-injection", "unauthenticated", "rest-api", "json-body-bypass"], "target": "plugin", "versions": "<=1.6.9.27"}, "RULE-CVE-2026-1714-01": {"ajax_action": "woolentor_suggest_price_action", "conditions": [{"name": "ARGS:send_to", "type": "regex", "value": "~[,;\\\\s]~"}], "cve": "CVE-2026-1714", "method": "POST", "mode": "block", "severity": 8.6, "slug": "woolentor-addons", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2026-1714-02": {"ajax_action": "woolentor_suggest_price_action", "conditions": [{"name": "ARGS:wlemail", "type": "regex", "value": "~(%0d|%0a|\\\\r|\\\\n)~i"}], "cve": "CVE-2026-1714", "method": "POST", "mode": "block", "severity": 8.6, "slug": "woolentor-addons", "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2026-1720-01": {"ajax_action": "optn_install", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2026-1720", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1720", "description": "WowOptin <=1.4.24 missing authorization on optn_install AJAX action allows Subscriber+ arbitrary plugin installation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "optin", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-plugin-install"], "target": "plugin", "versions": "<=1.4.24"}, "RULE-CVE-2026-1720-02": {"ajax_action": "optn_install_plugin", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2026-1720", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1720", "description": "WowOptin <=1.4.24 missing authorization on optn_install_plugin AJAX action allows Subscriber+ arbitrary plugin installation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "optin", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-plugin-install"], "target": "plugin", "versions": "<=1.4.24"}, "RULE-CVE-2026-1750-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/profile\\\\.php~"}, {"name": "ARGS:ec_store_admin_access", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1750", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1750", "description": "Ecwid Ecommerce Shopping Cart <=7.0.7 privilege escalation via ec_store_admin_access on profile update", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ecwid-shopping-cart", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2026-1750-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/user-edit\\\\.php~"}, {"name": "ARGS:ec_store_admin_access", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1750", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1750", "description": "Ecwid Ecommerce Shopping Cart <=7.0.7 privilege escalation via ec_store_admin_access on user edit", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ecwid-shopping-cart", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2026-1750-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php~"}, {"name": "ARGS:ec_store_admin_access", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1750", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1750", "description": "Ecwid Ecommerce Shopping Cart <=7.0.7 privilege escalation via ec_store_admin_access on user registration", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ecwid-shopping-cart", "tags": ["missing-authorization", "privilege-escalation", "unauthenticated"], "target": "plugin", "versions": "<=7.0.7"}, "RULE-CVE-2026-1754-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "personal-authors-category"}, {"name": "REQUEST_URI", "type": "regex", "value": "~options-general\\\\.php(?:%2[fF]|/)[^?]~i"}], "cve": "CVE-2026-1754", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1754", "description": "Personal Authors Category <=0.3 reflected XSS via PHP_SELF path injection on admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "personal-authors-category", "tags": ["xss", "reflected-xss", "php-self"], "target": "plugin", "versions": "<=0.3"}, "RULE-CVE-2026-1755-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:_wp_attachment_image_alt", "type": "regex", "value": "~(?:<\\\\s*script|on(?:error|load|click|mouseover|focus|blur|input|change|submit|reset|keydown|keyup|keypress|dblclick|mousedown|mouseup|mouseenter|mouseleave|mousemove|mouseout)\\\\s*=)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1755", "description": "Menu Icons by ThemeIsle <=0.13.20 Stored XSS via media attachment alt text (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "menu-icons", "tags": ["xss", "stored-xss", "media-upload"], "target": "plugin", "versions": "<=0.13.20"}, "RULE-CVE-2026-1755-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/media/\\\\d+~"}, {"name": "ARGS:alt_text", "type": "regex", "value": "~(?:<\\\\s*script|on(?:error|load|click|mouseover|focus|blur|input|change|submit|reset|keydown|keyup|keypress|dblclick|mousedown|mouseup|mouseenter|mouseleave|mousemove|mouseout)\\\\s*=)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1755", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1755", "description": "Menu Icons by ThemeIsle <=0.13.20 Stored XSS via REST API media alt_text update", "method": "POST", "mode": "block", "severity": 6.4, "slug": "menu-icons", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=0.13.20"}, "RULE-CVE-2026-1786-01": {"action": "init", "conditions": [{"name": "ARGS:/^dg_tw_options/", "type": "regex", "value": "~\\\\S~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1786", "method": "POST", "mode": "block", "severity": 6.5, "slug": "twitter-posts-to-blog", "target": "plugin", "versions": "<1.11.26"}, "RULE-CVE-2026-1787-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/.*delete-migrated-data/tutor(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1787", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1787", "description": "LearnPress Export Import <=4.1.0 unauthenticated deletion of migrated course data via REST API delete-migrated-data/tutor endpoint", "method": "DELETE", "mode": "block", "severity": 4.8, "slug": "learnpress-import-export", "tags": ["missing-authorization", "unauthenticated", "rest-api", "data-deletion"], "target": "plugin", "versions": "<=4.1.0"}, "RULE-CVE-2026-1793-01": {"action": "init", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}(?:[\\\\w./\\\\\\\\-]*)?(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)~i"}], "cve": "CVE-2026-1793", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1793", "description": "Element Pack Addons for Elementor <=8.3.17 authenticated arbitrary file read via SVG Image widget path traversal", "method": "POST", "mode": "block", "severity": 6.5, "slug": "bdthemes-element-pack-lite", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=8.3.17"}, "RULE-CVE-2026-1796-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "stylebidet"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:<script[\\\\s/>]|<svg[\\\\s/>]|<img[\\\\s/]|<iframe[\\\\s/>]|<object[\\\\s/>]|<embed[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-1796", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1796", "description": "StyleBidet <=1.0.0 reflected XSS via $_SERVER[\'PHP_SELF\'] on admin settings page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "stylebidet", "tags": ["xss", "reflected", "unauthenticated"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2026-1800-01": {"action": "init", "conditions": [{"name": "ARGS:fmcfIdSelectedFnt", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2026-1800", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1800", "description": "Fonts Manager | Custom Fonts <=1.2 unauthenticated SQL injection via fmcfIdSelectedFnt parameter", "method": "POST", "mode": "block", "severity": 7.5, "slug": "fonts-manager-custom-fonts", "tags": ["sql-injection", "unauthenticated", "no-patch"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2026-1805-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~damedia_giglist[^]]*list_title[ ]*=[ ]*[\\"\'][^]]*(<[a-zA-Z]|on[a-zA-Z]+=|javascript:)~i"}], "cve": "CVE-2026-1805", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1805", "description": "DAMedia GigList <=1.9.0 Stored XSS via damedia_giglist shortcode list_title attribute in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "damedia-giglist", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.9.0"}, "RULE-CVE-2026-1805-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~damedia_giglist[^]]*list_title[ ]*=[ ]*[\\"\'][^]]*(<[a-zA-Z]|on[a-zA-Z]+=|javascript:)~i"}], "cve": "CVE-2026-1805", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1805", "description": "DAMedia GigList <=1.9.0 Stored XSS via damedia_giglist shortcode list_title attribute in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "damedia-giglist", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.9.0"}, "RULE-CVE-2026-1808-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[ocplus_button\\\\b[^\\\\]]*style\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:on[a-zA-Z0-9_]+\\\\s*=|<script|javascript:|<script|<script)~i"}], "cve": "CVE-2026-1808", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1808", "description": "Orange Confort+ <=0.7 Stored XSS via ocplus_button shortcode style attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "orange-confort-plus", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.7"}, "RULE-CVE-2026-1808-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ocplus_button\\\\b[^\\\\]]*style\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:on[a-zA-Z0-9_]+\\\\s*=|<script|javascript:|<script|<script)~i"}], "cve": "CVE-2026-1808", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1808", "description": "Orange Confort+ <=0.7 Stored XSS via ocplus_button shortcode style attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "orange-confort-plus", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.7"}, "RULE-CVE-2026-1809-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:a|div|span|button|img|p|hr|br|iframe)\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1809", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1809", "description": "HTML Shortcodes <=1.1 Stored XSS via shortcode event handler attributes in post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "html-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1809-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(?:a|div|span|button|img|p|hr|br|iframe)\\\\b[^\\\\]]*javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1809", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1809", "description": "HTML Shortcodes <=1.1 Stored XSS via javascript: protocol in shortcode attributes in post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "html-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1809-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content[raw]", "type": "regex", "value": "~\\\\[(?:a|div|span|button|img|p|hr|br|iframe)\\\\b[^\\\\]]*\\\\bon\\\\w+\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1809", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1809", "description": "HTML Shortcodes <=1.1 Stored XSS via shortcode event handler attributes in REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "html-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1809-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content[raw]", "type": "regex", "value": "~\\\\[(?:a|div|span|button|img|p|hr|br|iframe)\\\\b[^\\\\]]*javascript\\\\s*:~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1809", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1809", "description": "HTML Shortcodes <=1.1 Stored XSS via javascript: protocol in shortcode attributes in REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "html-shortcodes", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1820-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[bvmalt_sc_div_update_alt_text[^\\\\]]*post_id[^\\\\]]*(?:<script|<img|<iframe|<svg|<object|<embed|on[a-zA-Z]+=|javascript:)~i"}], "cve": "CVE-2026-1820", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1820", "description": "Media Library Alt Text Editor <=1.0.0 Stored XSS via bvmalt_sc_div_update_alt_text shortcode post_id attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "media-library-alt-text-editor", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2026-1820-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[bvmalt_sc_div_update_alt_text[^\\\\]]*post_id[^\\\\]]*(?:<script|<img|<iframe|<svg|<object|<embed|on[a-zA-Z]+=|javascript:)~i"}], "cve": "CVE-2026-1820", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1820", "description": "Media Library Alt Text Editor <=1.0.0 Stored XSS via bvmalt_sc_div_update_alt_text shortcode post_id attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "media-library-alt-text-editor", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2026-1821-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[mt_(?:reservation|video|courses|form)[^\\\\]]*restkey\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1821", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1821", "description": "Microtango <=0.9.29 Stored XSS via restkey shortcode attribute in mt_reservation/mt_video", "method": "POST", "mode": "block", "severity": 6.4, "slug": "microtango", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.9.29"}, "RULE-CVE-2026-1821-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[mt_(?:reservation|video|courses|form)[^\\\\]]*restkey\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1821", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1821", "description": "Microtango <=0.9.29 Stored XSS via restkey shortcode attribute in mt_reservation/mt_video (post_content)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "microtango", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.9.29"}, "RULE-CVE-2026-1824-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~infomaniak_connect_generic_auth_url.*?endpoint_login[ ]*=[ ]*[\\"\']?[ ]*(?:javascript|data|vbscript)[ ]*:~i"}], "cve": "CVE-2026-1824", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1824", "description": "Infomaniak Connect OpenID <=1.0.2 Stored XSS via endpoint_login shortcode attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "infomaniak-connect-openid", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1825-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[syv\\\\s[^\\\\]]*id\\\\s*=\\\\s*[\'\\"][^\\\\]]*(?:on[a-zA-Z]+=|<script|javascript:|</iframe)~i"}], "cve": "CVE-2026-1825", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1825", "description": "Show YouTube Video <=1.1 Stored XSS via syv shortcode id attribute in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "show-youtube-video", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-1826-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[order_qrcode[^\\\\]]*width\\\\s*=\\\\s*[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|<img|<svg|<iframe)~i"}], "cve": "CVE-2026-1826", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1826", "description": "OpenPOS Lite <=3.0 Stored XSS via order_qrcode shortcode width attribute in classic editor post submission", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpos-lite-version", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.0"}, "RULE-CVE-2026-1826-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[order_qrcode[^\\\\]]*width\\\\s*=\\\\s*[^\\\\]]*(?:on\\\\w+\\\\s*=|<script|javascript:|<img|<svg|<iframe)~i"}], "cve": "CVE-2026-1826", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1826", "description": "OpenPOS Lite <=3.0 Stored XSS via order_qrcode shortcode width attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wpos-lite-version", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=3.0"}, "RULE-CVE-2026-1841-01": {"action": "init", "conditions": [{"name": "ARGS:pys_source", "type": "detectXSS"}], "cve": "CVE-2026-1841", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1841", "description": "PixelYourSite <=11.2.0 stored XSS via unsanitized pys_source request parameter during checkout", "method": "POST", "mode": "block", "severity": 7.2, "slug": "pixelyoursite", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=11.2.0"}, "RULE-CVE-2026-1841-02": {"action": "init", "conditions": [{"name": "ARGS:pys_landing", "type": "regex", "value": "~<[a-zA-Z/!]|javascript:~i"}], "cve": "CVE-2026-1841", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1841", "description": "PixelYourSite <=11.2.0 stored XSS via unsanitized pys_landing request parameter during checkout", "method": "POST", "mode": "block", "severity": 7.2, "slug": "pixelyoursite", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=11.2.0"}, "RULE-CVE-2026-1843-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[\\\\s>]~i"}], "cve": "CVE-2026-1843", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1843", "description": "Super Page Cache <=5.2.2 unauthenticated stored XSS via Activity Log - script tag injection", "method": "GET", "mode": "block", "severity": 7.2, "slug": "wp-cloudflare-page-cache", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.2.2"}, "RULE-CVE-2026-1843-02": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\\\bon(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2026-1843", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1843", "description": "Super Page Cache <=5.2.2 unauthenticated stored XSS via Activity Log - event handler injection", "method": "GET", "mode": "block", "severity": 7.2, "slug": "wp-cloudflare-page-cache", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=5.2.2"}, "RULE-CVE-2026-1857-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/kb-getresponse/v1/get(?:[/?&]|$)~"}, {"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|&|\\\\?)endpoint=~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1857", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1857", "description": "Kadence Blocks <=3.6.1 authenticated (Contributor+) SSRF via endpoint parameter in GetResponse REST API route", "method": "GET", "mode": "block", "severity": 4.3, "slug": "kadence-blocks", "tags": ["ssrf", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=3.6.1"}, "RULE-CVE-2026-1860-01": {"ajax_action": "kaliforms_form_delete_uploaded_file", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~(?:<script|</script|<img|onerror[[:space:]]*=|onload[[:space:]]*=|javascript:)~i"}], "cve": "CVE-2026-1860", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1860", "description": "Kali Forms <= 2.4.7 Reflected XSS via id parameter in kaliforms_form_delete_uploaded_file AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "kali-forms", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2026-1865-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "regex", "value": "~^user_registration_membership_~"}, {"name": "ARGS:membership_ids", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|/\\\\*[^*]*\\\\*/|(?:--|#)\\\\s|\\\\b(?:OR|AND)\\\\s+[\'\\"]?\\\\d+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?\\\\d+)~i"}], "cve": "CVE-2026-1865", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1865", "description": "User Registration & Membership <=5.1.2 authenticated (Subscriber+) SQL injection via membership_ids[] in membership AJAX handlers", "mode": "block", "severity": 6.5, "slug": "user-registration", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-1866-01": {"action": "init", "conditions": [{"name": "ARGS:name_directory_name", "type": "regex", "value": "~(?:&|�*38;|�*26;)(lt|gt|quot|amp|apos|#0*\\\\d{2,5}|#x[0-9a-fA-F]+);~i"}], "cve": "CVE-2026-1866", "method": "POST", "mode": "block", "severity": 7.2, "slug": "name-directory", "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2026-1866-02": {"action": "init", "conditions": [{"name": "ARGS:name_directory_description", "type": "regex", "value": "~(?:&|�*38;|�*26;)(lt|gt|quot|amp|apos|#0*\\\\d{2,5}|#x[0-9a-fA-F]+);~i"}], "cve": "CVE-2026-1866", "method": "POST", "mode": "block", "severity": 7.2, "slug": "name-directory", "target": "plugin", "versions": "<=1.32.0"}, "RULE-CVE-2026-1870-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/thim-ekit/archive-course/get-courses(?:[/?&]|$)~"}, {"name": "ARGS:params_url[post_status]", "type": "regex", "value": "~^(?:private|draft|pending|trash|auto-draft|future|inherit)$~i"}, {"name": "ARGS:atts", "type": "regex", "value": "~.+~"}], "cve": "CVE-2026-1870", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1870", "description": "Thim Elementor Kit <=1.3.7 unauthenticated information disclosure of private/draft LearnPress courses via post_status in params_url on REST endpoint", "mode": "block", "severity": 5.3, "slug": "thim-elementor-kit", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.3.7"}, "RULE-CVE-2026-1888-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[docusplaylist\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1888", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1888", "description": "Docus \\u2013 YouTube Video Playlist <=1.0.6 Stored XSS via [docusplaylist] shortcode attributes in post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "docus", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.6"}, "RULE-CVE-2026-1888-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[docusplaylist\\\\b[^\\\\]]*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1888", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1888", "description": "Docus \\u2013 YouTube Video Playlist <=1.0.6 Stored XSS via [docusplaylist] shortcode attributes in REST API post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "docus", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.6"}, "RULE-CVE-2026-1893-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[orbisius_random_name_generator\\\\b[^\\\\]]*btn_label\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1893", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1893", "description": "Orbisius Random Name Generator <=1.0.2 Stored XSS via btn_label shortcode attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "orbisius-random-name-generator", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1893-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[orbisius_random_name_generator\\\\b[^\\\\]]*btn_label\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<[a-z/!]|\\\\bon\\\\w+\\\\s*=)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1893", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1893", "description": "Orbisius Random Name Generator <=1.0.2 Stored XSS via btn_label shortcode attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "orbisius-random-name-generator", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1902-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[hp-calendar-manage-redirect[^\\\\]]*apix\\\\s*=\\\\s*(?:[\\"\'][^\\"\']*[<>();\\\\\\\\`]|[^\\\\s\\\\]]*[<>();\\\\\\\\`])~i"}], "cve": "CVE-2026-1902", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1902", "description": "Hammas Calendar <1.5.12 Stored XSS via apix shortcode attribute in post_content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "hammas-calendar", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<1.5.12"}, "RULE-CVE-2026-1905-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~show_sphere_image[^\\\\]]*width\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:[\\"\'][^\\\\]]*on\\\\w+\\\\s*=|<\\\\s*script|javascript\\\\s*:|expression\\\\s*\\\\()~i"}], "cve": "CVE-2026-1905", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1905", "description": "Sphere Manager <=1.0.2 Stored XSS via show_sphere_image shortcode width attribute in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "sphere-manager", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1905-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~show_sphere_image[^\\\\]]*width\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:[\\"\'][^\\\\]]*on\\\\w+\\\\s*=|<\\\\s*script|javascript\\\\s*:|expression\\\\s*\\\\()~i"}], "cve": "CVE-2026-1905", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1905", "description": "Sphere Manager <=1.0.2 Stored XSS via show_sphere_image shortcode width attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "sphere-manager", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1909-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[wavesurfer\\\\b[^\\\\]]*\\\\b(?:src|ogg)\\\\s*=\\\\s*(?:(?:\\"[^\\"]*(?:<|>|(?:^|[\\\\s\\"\'<>])on\\\\w+\\\\s*=|javascript\\\\s*:)[^\\"]*\\")|(?:\'[^\']*(?:<|>|(?:^|[\\\\s\\"\'<>])on\\\\w+\\\\s*=|javascript\\\\s*:)[^\']*\')|(?:[^\\\\s\\\\]]*(?:<|>|(?:^|[\\\\s\\"\'<>])on\\\\w+\\\\s*=|javascript\\\\s*:)[^\\\\s\\\\]]*))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1909", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1909", "description": "WaveSurfer-WP <=2.8.3 Stored XSS via [wavesurfer] shortcode src attribute in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wavesurfer-wp", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=2.8.3"}, "RULE-CVE-2026-1909-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|&|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[wavesurfer\\\\b[^\\\\]]*\\\\b(?:src|ogg)\\\\s*=\\\\s*(?:(?:\\"[^\\"]*(?:<|>|(?:^|[\\\\s\\"\'<>])on\\\\w+\\\\s*=|javascript\\\\s*:)[^\\"]*\\")|(?:\'[^\']*(?:<|>|(?:^|[\\\\s\\"\'<>])on\\\\w+\\\\s*=|javascript\\\\s*:)[^\']*\')|(?:[^\\\\s\\\\]]*(?:<|>|(?:^|[\\\\s\\"\'<>])on\\\\w+\\\\s*=|javascript\\\\s*:)[^\\\\s\\\\]]*))~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1909", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1909", "description": "WaveSurfer-WP <=2.8.3 Stored XSS via [wavesurfer] shortcode src attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wavesurfer-wp", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=2.8.3"}, "RULE-CVE-2026-1910-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[upmenu-menu[^\\\\]]*lang[^\\\\]]*(?:<[a-zA-Z/]|on[a-zA-Z]+=|javascript:)~i"}], "cve": "CVE-2026-1910", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1910", "description": "UpMenu <=3.1 Stored XSS via lang attribute of upmenu-menu shortcode in post content (classic editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "upmenu", "tags": ["xss", "stored-xss", "shortcode", "contributor"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2026-1910-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[upmenu-menu[^\\\\]]*lang[^\\\\]]*(?:<[a-zA-Z/]|on[a-zA-Z]+=|javascript:)~i"}], "cve": "CVE-2026-1910", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1910", "description": "UpMenu <=3.1 Stored XSS via lang attribute of upmenu-menu shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "upmenu", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "contributor"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2026-1910-03": {"ajax_action": "ajaxUpdateOption", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1910", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1910", "description": "UpMenu <=3.1 unauthenticated arbitrary option update via ajaxUpdateOption AJAX endpoint", "method": "POST", "mode": "block", "severity": 6.4, "slug": "upmenu", "tags": ["missing-authorization", "unauthenticated", "arbitrary-option-update"], "target": "plugin", "versions": "<=3.1"}, "RULE-CVE-2026-1912-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ctdoi\\\\s+[^\\\\]]*code\\\\s*=\\\\s*[^\\\\]]*(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<img\\\\b|<svg\\\\b|<iframe\\\\b)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1912", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1912", "description": "Citations Tools <=0.3.2 Contributor+ stored XSS via ctdoi shortcode code attribute in post editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "citations-tools", "tags": ["xss", "stored", "shortcode", "authenticated"], "target": "plugin", "versions": "<=0.3.2"}, "RULE-CVE-2026-1912-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ctdoi\\\\s+[^\\\\]]*code\\\\s*=\\\\s*[^\\\\]]*(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<img\\\\b|<svg\\\\b|<iframe\\\\b)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1912", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1912", "description": "Citations Tools <=0.3.2 Contributor+ stored XSS via ctdoi shortcode code attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "citations-tools", "tags": ["xss", "stored", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=0.3.2"}, "RULE-CVE-2026-1915-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[plyr[^a-zA-Z0-9_][^\\\\]]*poster[ ]*=[ ]*[\'\\"][^\\\\]]*(?:<[a-z]|on[a-z]+=|javascript:|data:text/html)~i"}], "cve": "CVE-2026-1915", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1915", "description": "Simple Plyr <=0.0.1 Stored XSS via poster attribute in [plyr] shortcode (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-plyr", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=0.0.1"}, "RULE-CVE-2026-1915-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[plyr[^a-zA-Z0-9_][^\\\\]]*poster[ ]*=[ ]*[\'\\"][^\\\\]]*(?:<[a-z]|on[a-z]+=|javascript:|data:text/html)~i"}], "cve": "CVE-2026-1915", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1915", "description": "Simple Plyr <=0.0.1 Stored XSS via poster attribute in [plyr] shortcode (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "simple-plyr", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=0.0.1"}, "RULE-CVE-2026-1922-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[ecs-list-events\\\\b[^\\\\]]*message\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script|<iframe|<svg|<object|<embed|on(?:error|load|click|mouseover|focus|toggle|animationend)\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1922", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1922", "description": "The Events Calendar Shortcode & Block <=3.1.2 authenticated stored XSS via ecs-list-events shortcode message attribute in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "the-events-calendar-shortcode", "tags": ["xss", "stored-xss", "shortcode", "authenticated"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2026-1922-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[ecs-list-events\\\\b[^\\\\]]*message\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:<script|<iframe|<svg|<object|<embed|on(?:error|load|click|mouseover|focus|toggle|animationend)\\\\s*=|javascript:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1922", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1922", "description": "The Events Calendar Shortcode & Block <=3.1.2 authenticated stored XSS via ecs-list-events shortcode message attribute in REST API post creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "the-events-calendar-shortcode", "tags": ["xss", "stored-xss", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.2"}, "RULE-CVE-2026-1925-01": {"ajax_action": "emailkit_update_template_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1925", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1925", "description": "EmailKit <=1.6.2 missing authorization on emailkit_update_template_data AJAX handler allows subscriber+ post modification", "mode": "block", "severity": 4.3, "slug": "emailkit", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.6.2"}, "RULE-CVE-2026-1927-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/greenshift/v[0-9]+/figma_settings(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1927", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1927", "description": "GreenShift <=12.5.7 authenticated information disclosure via GET /greenshift/v1/figma_settings/ REST endpoint missing authorization", "method": "GET", "mode": "block", "severity": 4.3, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["missing-authorization", "information-disclosure", "rest-api"], "target": "plugin", "versions": "<=12.5.7"}, "RULE-CVE-2026-1927-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/greenshift/v[0-9]+/license_settings(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1927", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1927", "description": "GreenShift <=12.5.7 authenticated information disclosure via GET /greenshift/v1/license_settings/ REST endpoint missing authorization", "method": "GET", "mode": "block", "severity": 4.3, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["missing-authorization", "information-disclosure", "rest-api"], "target": "plugin", "versions": "<=12.5.7"}, "RULE-CVE-2026-1927-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/greenshift/v[0-9]+/figma_settings(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1927", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1927", "description": "GreenShift <=12.5.7 authenticated unauthorized settings update via POST /greenshift/v1/figma_settings/ REST endpoint missing authorization", "method": "POST", "mode": "block", "severity": 4.3, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["missing-authorization", "rest-api"], "target": "plugin", "versions": "<=12.5.7"}, "RULE-CVE-2026-1929-01": {"ajax_action": "awl-getSelectOptionValues", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:callback", "type": "regex", "value": "~(?:^|\\\\\\\\)(?:system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|assert|eval|call_user_func|call_user_func_array|preg_replace|create_function|file_put_contents|file_get_contents|fwrite|fopen|include|require|include_once|require_once|unlink|rmdir|chmod|chown|curl_exec|mail|header|phpinfo|ob_start|register_shutdown_function|wp_insert_user|wp_set_password|update_option|delete_option|array_map|array_filter|array_walk|usort|uasort|uksort)$~i"}], "cve": "CVE-2026-1929", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1929", "description": "Advanced Woo Labels <=2.36 authenticated (Contributor+) RCE via arbitrary callback in awl-getSelectOptionValues AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "advanced-woo-labels", "tags": ["code-injection", "remote-code-execution", "missing-authorization"], "target": "plugin", "versions": "<=2.36"}, "RULE-CVE-2026-1931-01": {"ajax_action": "propertysearch", "conditions": [{"name": "ARGS:keyword", "type": "detectXSS"}], "cve": "CVE-2026-1931", "method": "POST", "mode": "block", "severity": 7.2, "slug": "rentfetch", "target": "plugin", "versions": "<=0.32.6"}, "RULE-CVE-2026-1931-02": {"ajax_action": "floorplansearch", "conditions": [{"name": "ARGS:keyword", "type": "detectXSS"}], "cve": "CVE-2026-1931", "method": "POST", "mode": "block", "severity": 7.2, "slug": "rentfetch", "target": "plugin", "versions": "<=0.32.6"}, "RULE-CVE-2026-1931-03": {"ajax_action": "rentfetch_track_search_view", "conditions": [{"name": "ARGS:keyword", "type": "detectXSS"}], "cve": "CVE-2026-1931", "method": "POST", "mode": "block", "severity": 7.2, "slug": "rentfetch", "target": "plugin", "versions": "<=0.32.6"}, "RULE-CVE-2026-1932-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/bookr/v1/appointments(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1932", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1932", "description": "Bookr <=1.0.2 unauthenticated appointment status modification via REST API (POST)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "bookr", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1932-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/bookr/v1/appointments(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1932", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1932", "description": "Bookr <=1.0.2 unauthenticated appointment status modification via REST API (PUT)", "method": "PUT", "mode": "block", "severity": 5.3, "slug": "bookr", "tags": ["missing-authorization", "broken-access-control", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-1937-01": {"ajax_action": "yaymail_import_state", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1937", "method": "POST", "mode": "block", "severity": 9.8, "slug": "yaymail", "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-1938-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/yaymail-license/v1/license/delete(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1938", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1938", "description": "YayMail <=4.3.2 missing authorization on license/delete REST endpoint", "mode": "block", "severity": 5.3, "slug": "yaymail", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-1938-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/yaymail-license/v1/license/activate(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1938", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1938", "description": "YayMail <=4.3.2 missing authorization on license/activate REST endpoint", "mode": "block", "severity": 5.3, "slug": "yaymail", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-1938-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/yaymail-license/v1/license/update(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1938", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1938", "description": "YayMail <=4.3.2 missing authorization on license/update REST endpoint", "mode": "block", "severity": 5.3, "slug": "yaymail", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-1942-01": {"ajax_action": "b2s_curation_draft", "conditions": [{"name": "ARGS:b2s-draft-id", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-1942", "method": "POST", "mode": "block", "severity": 6.5, "slug": "blog2social", "target": "plugin", "versions": "<=8.7.4"}, "RULE-CVE-2026-1942-02": {"ajax_action": "b2s_curation_share", "conditions": [{"name": "ARGS:b2s-draft-id", "type": "exists"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-1942", "method": "POST", "mode": "block", "severity": 6.5, "slug": "blog2social", "target": "plugin", "versions": "<=8.7.4"}, "RULE-CVE-2026-1943-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/yaymail/v1/templates(/|\\\\?|$)~"}, {"name": "ARGS:data", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1943", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1943", "description": "YayMail <=4.3.2 authenticated stored XSS via REST template update (rich_text in template_elements)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "yaymail", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-1943-02": {"ajax_action": "yaymail_import_templates", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1943", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1943", "description": "YayMail <=4.3.2 authenticated stored XSS via AJAX template import (yaymail_import_templates)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "yaymail", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-1943-03": {"ajax_action": "yaymail_import_state", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-1943", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1943", "description": "YayMail <=4.3.2 authenticated stored XSS via AJAX state import (yaymail_import_state)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "yaymail", "tags": ["xss", "stored-xss", "ajax"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-1944-01": {"ajax_action": "cbk_save_v1", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1944", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1944", "description": "CallbackKiller Service Widget <=1.2 missing authorization on cbk_save_v1 AJAX action allows unauthenticated site ID modification", "method": "POST", "mode": "block", "severity": 5.3, "slug": "callbackkiller-service-widget", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.2"}, "RULE-CVE-2026-1947-01": {"ajax_action": "submit_nex_form", "conditions": [{"name": "ARGS:nf_set_entry_update_id", "type": "exists"}], "cve": "CVE-2026-1947", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1947", "description": "NEX-Forms <=9.1.9 unauthenticated arbitrary form entry overwrite via IDOR in submit_nex_form (nf_set_entry_update_id)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "nex-forms-express-wp-form-builder", "tags": ["idor", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=9.1.9"}, "RULE-CVE-2026-1948-01": {"ajax_action": "deactivate_license", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1948", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1948", "description": "NEX-Forms <=9.1.9 missing authorization on deactivate_license AJAX handler allows Subscriber+ license deactivation", "mode": "block", "severity": 4.3, "slug": "nex-forms-express-wp-form-builder", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=9.1.9"}, "RULE-CVE-2026-1980-01": {"ajax_action": "wpb_ajax_get", "conditions": [{"name": "ARGS:route_name", "type": "equals", "value": "get_customer_list"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1980", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1980", "description": "WPBookit <=1.0.8 unauthenticated sensitive customer data exposure via get_customer_list route", "mode": "block", "severity": 5.3, "slug": "wpbookit", "tags": ["missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2026-1987-01": {"ajax_action": "scheduler_widget_save_event", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~^[1-9][0-9]*$~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-1987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1987", "description": "Scheduler Widget <=0.1.6 IDOR allows Subscriber+ to modify arbitrary events via scheduler_widget_save_event AJAX action", "method": "POST", "mode": "block", "severity": 5.4, "slug": "scheduler-widget", "tags": ["idor", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=0.1.6"}, "RULE-CVE-2026-1987-02": {"ajax_action": "scheduler_widget_delete_event", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~^[1-9][0-9]*$~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-1987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1987", "description": "Scheduler Widget <=0.1.6 IDOR allows Subscriber+ to delete arbitrary events via scheduler_widget_delete_event AJAX action", "method": "POST", "mode": "block", "severity": 5.4, "slug": "scheduler-widget", "tags": ["idor", "missing-authorization", "broken-access-control", "unauthorized-deletion"], "target": "plugin", "versions": "<=0.1.6"}, "RULE-CVE-2026-1988-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~flexipsg_carousel[^]]*theme *= *[\\"\'][^\\"\']*(?:[.][.][/\\\\\\\\]|[.][.][%](?:2[fF]|5[cC])|[%]2[eE][%]2[eE][%]2[fF])[^\\"\']*[\\"\']~i"}], "cve": "CVE-2026-1988", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1988", "description": "Flexi Product Slider/Grid <=1.0.5 authenticated (Contributor+) Local File Inclusion via flexipsg_carousel shortcode theme attribute", "method": "POST", "mode": "block", "severity": 7.5, "slug": "flexi-product-slider-grid", "tags": ["local-file-inclusion", "path-traversal", "shortcode"], "target": "plugin", "versions": "<=1.0.5"}, "RULE-CVE-2026-1988-02": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~flexipsg_carousel[^]]*theme *= *[\\"\'][^\\"\']*(?:php|phar|data|expect|zip)(?:://|[%]3[aA][%]2[fF][%]2[fF])[^\\"\']*[\\"\']~i"}], "cve": "CVE-2026-1988", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1988", "description": "Flexi Product Slider/Grid <=1.0.5 authenticated (Contributor+) Local File Inclusion via flexipsg_carousel shortcode theme attribute (PHP wrapper variant)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "flexi-product-slider-grid", "tags": ["local-file-inclusion", "php-wrapper", "shortcode"], "target": "plugin", "versions": "<=1.0.5"}, "RULE-CVE-2026-1988-03": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~flexipsg_carousel[^]]*theme *= *[\\"\'][^\\"\']*(?:[.][.][/\\\\\\\\]|[.][.][%](?:2[fF]|5[cC])|[%]2[eE][%]2[eE][%]2[fF])[^\\"\']*[\\"\']~i"}], "cve": "CVE-2026-1988", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1988", "description": "Flexi Product Slider/Grid <=1.0.5 authenticated (Contributor+) Local File Inclusion via flexipsg_carousel shortcode theme attribute in content field", "method": "POST", "mode": "block", "severity": 7.5, "slug": "flexi-product-slider-grid", "tags": ["local-file-inclusion", "path-traversal", "shortcode"], "target": "plugin", "versions": "<=1.0.5"}, "RULE-CVE-2026-1988-04": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~flexipsg_carousel[^]]*theme *= *[\\"\'][^\\"\']*(?:php|phar|data|expect|zip)(?:://|[%]3[aA][%]2[fF][%]2[fF])[^\\"\']*[\\"\']~i"}], "cve": "CVE-2026-1988", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1988", "description": "Flexi Product Slider/Grid <=1.0.5 authenticated (Contributor+) Local File Inclusion via flexipsg_carousel shortcode theme attribute in content field (PHP wrapper variant)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "flexi-product-slider-grid", "tags": ["local-file-inclusion", "php-wrapper", "shortcode"], "target": "plugin", "versions": "<=1.0.5"}, "RULE-CVE-2026-1992-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/exactmetrics/v1/onboarding/settings(/|\\\\?|$)~"}, {"name": "ARGS:triggered_by", "type": "exists"}, {"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2026-1992", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1992", "description": "ExactMetrics (Google Analytics Dashboard for WP) >=8.6.0 <=9.0.2 authorization bypass via IDOR in triggered_by parameter on onboarding settings REST endpoint", "method": "POST", "mode": "block", "severity": 8.8, "slug": "google-analytics-dashboard-for-wp", "tags": ["authorization-bypass", "idor", "arbitrary-plugin-install", "rest-api"], "target": "plugin", "versions": ">=8.6.0 <=9.0.2"}, "RULE-CVE-2026-1993-01": {"ajax_action": "exactmetrics_vue_update_settings", "conditions": [{"name": "ARGS:setting", "type": "equals", "value": "save_settings"}, {"name": "ARGS:value", "type": "regex", "value": "~(?:subscriber|contributor|author|editor)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1993", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1993", "description": "ExactMetrics >=7.1.0 <=9.0.2 improper privilege management via exactmetrics_vue_update_settings save_settings", "method": "POST", "mode": "block", "severity": 8.8, "slug": "google-analytics-dashboard-for-wp", "tags": ["privilege-escalation", "improper-privilege-management", "broken-access-control", "ajax"], "target": "plugin", "versions": ">=7.1.0 <=9.0.2"}, "RULE-CVE-2026-1993-02": {"ajax_action": "exactmetrics_vue_update_settings", "conditions": [{"name": "ARGS:setting", "type": "equals", "value": "view_reports"}, {"name": "ARGS:value", "type": "regex", "value": "~(?:subscriber|contributor|author|editor)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1993", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1993", "description": "ExactMetrics >=7.1.0 <=9.0.2 improper privilege management via exactmetrics_vue_update_settings view_reports", "method": "POST", "mode": "block", "severity": 8.8, "slug": "google-analytics-dashboard-for-wp", "tags": ["privilege-escalation", "improper-privilege-management", "broken-access-control", "ajax"], "target": "plugin", "versions": ">=7.1.0 <=9.0.2"}, "RULE-CVE-2026-1993-04": {"ajax_action": "exactmetrics_vue_update_settings_bulk", "conditions": [{"name": "ARGS:settings", "type": "regex", "value": "~save_settings~i"}, {"name": "ARGS:settings", "type": "regex", "value": "~(?:subscriber|contributor|author|editor)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1993", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1993", "description": "ExactMetrics >=7.1.0 <=9.0.2 improper privilege management via exactmetrics_vue_update_settings_bulk save_settings", "method": "POST", "mode": "block", "severity": 8.8, "slug": "google-analytics-dashboard-for-wp", "tags": ["privilege-escalation", "improper-privilege-management", "broken-access-control", "ajax"], "target": "plugin", "versions": ">=7.1.0 <=9.0.2"}, "RULE-CVE-2026-1993-05": {"ajax_action": "exactmetrics_vue_update_settings_bulk", "conditions": [{"name": "ARGS:settings", "type": "regex", "value": "~view_reports~i"}, {"name": "ARGS:settings", "type": "regex", "value": "~(?:subscriber|contributor|author|editor)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-1993", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-1993", "description": "ExactMetrics >=7.1.0 <=9.0.2 improper privilege management via exactmetrics_vue_update_settings_bulk view_reports", "method": "POST", "mode": "block", "severity": 8.8, "slug": "google-analytics-dashboard-for-wp", "tags": ["privilege-escalation", "improper-privilege-management", "broken-access-control", "ajax"], "target": "plugin", "versions": ">=7.1.0 <=9.0.2"}, "RULE-CVE-2026-2001-01": {"ajax_action": "revx_install", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2026-2001", "method": "POST", "mode": "block", "severity": 8.8, "slug": "revenue", "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-2020-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(post|admin-ajax)\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[(jQueryArchiveList|JSArchiveList|JsArchiveList)[^\\\\]]*(?:included|excluded)[^\\\\]]*[OC]:[0-9]+:~i"}], "cve": "CVE-2026-2020", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2020", "description": "JS Archive List <=6.1.7 PHP Object Injection via shortcode included/excluded attributes (post.php/admin-ajax save)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "jquery-archive-list-widget", "tags": ["object-injection", "deserialization", "shortcode"], "target": "plugin", "versions": "<=6.1.7"}, "RULE-CVE-2026-2020-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/[0-9]+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(jQueryArchiveList|JSArchiveList|JsArchiveList)[^\\\\]]*(?:included|excluded)[^\\\\]]*[OC]:[0-9]+:~i"}], "cve": "CVE-2026-2020", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2020", "description": "JS Archive List <=6.1.7 PHP Object Injection via shortcode included/excluded attributes (REST /wp/v2/posts)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "jquery-archive-list-widget", "tags": ["object-injection", "deserialization", "shortcode", "rest-api"], "target": "plugin", "versions": "<=6.1.7"}, "RULE-CVE-2026-2020-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/pages(/[0-9]+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[(jQueryArchiveList|JSArchiveList|JsArchiveList)[^\\\\]]*(?:included|excluded)[^\\\\]]*[OC]:[0-9]+:~i"}], "cve": "CVE-2026-2020", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2020", "description": "JS Archive List <=6.1.7 PHP Object Injection via shortcode included/excluded attributes (REST /wp/v2/pages)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "jquery-archive-list-widget", "tags": ["object-injection", "deserialization", "shortcode", "rest-api"], "target": "plugin", "versions": "<=6.1.7"}, "RULE-CVE-2026-2022-01": {"ajax_action": "rednao_smart_forms_get_campaigns", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2022", "method": "POST", "mode": "block", "severity": 4.3, "slug": "smart-forms", "target": "plugin", "versions": "<2.7.0"}, "RULE-CVE-2026-2024-01": {"ajax_action": "myajax-submit", "conditions": [{"name": "ARGS:postid", "type": "detectSQLi"}], "cve": "CVE-2026-2024", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2024", "description": "PhotoStack Gallery <=0.4.1 unauthenticated SQL injection via postid parameter in myajax-submit AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "photostack-gallery", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=0.4.1"}, "RULE-CVE-2026-2025-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/mailmint/v1/contacts(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2025", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2025", "description": "Mail Mint <1.19.5 unauthenticated access to contacts REST API endpoint exposing user email addresses", "method": "GET", "mode": "block", "severity": 7.5, "slug": "mail-mint", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<1.19.5"}, "RULE-CVE-2026-2027-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:amp_enhancer_custom_css_settings[amp_custom_css]", "type": "regex", "value": "~<\\\\s*(?:script|/style)|\\\\bexpression\\\\s*\\\\(|\\\\burl\\\\s*\\\\(\\\\s*[\\"\']?\\\\s*javascript\\\\s*:|-moz-binding\\\\s*:\\\\s*url|\\\\bbehavior\\\\s*:\\\\s*url~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2027", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2027", "description": "AMP Enhancer <=1.0.49 authenticated stored XSS via AMP Custom CSS setting", "method": "POST", "mode": "block", "severity": 4.4, "slug": "amp-enhancer", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=1.0.49"}, "RULE-CVE-2026-2029-01": {"action": "init", "conditions": [{"name": "ARGS:content", "type": "regex", "value": "~\\\\[labb_pricing_item\\\\b[^\\\\]]*(?:<|�*60;?|�*3[cC];?)(?:script|img|svg|iframe|details|object|embed|link|meta|body|input|select|textarea|button|form|marquee|video|audio|source|math|style)[ \\\\t>/]~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2029", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2029", "description": "Livemesh Addons for Beaver Builder <=3.9.2 Stored XSS via labb_pricing_item shortcode title/value attributes (htmlspecialchars_decode after wp_kses_post)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "addons-for-beaver-builder", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=3.9.2"}, "RULE-CVE-2026-2052-01": {"ajax_action": "widgetopts_ajax_validate_expression", "conditions": [{"name": "ARGS:expression", "type": "regex", "value": "~(?:array_map\\\\s*\\\\(\\\\s*[\'\\"]|array_reduce\\\\s*\\\\(\\\\s*[\'\\"]|create_function\\\\s*\\\\(|preg_replace\\\\s*\\\\(\\\\s*[\'\\"][^\'\\"]*\\\\/e[\'\\"]|(?:call_user_func|call_user_func_array)\\\\s*\\\\()~i"}], "cve": "CVE-2026-2052", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2052", "description": "Widget Options <=4.2.2 authenticated RCE via Display Logic expression bypass using eval-triggering PHP functions", "mode": "block", "severity": 8.8, "slug": "widget-options", "tags": ["remote-code-execution", "code-injection", "authenticated", "bypass"], "target": "plugin", "versions": "<=4.2.2"}, "RULE-CVE-2026-2144-01": {"action": "init", "conditions": [{"name": "ARGS:uid", "type": "regex", "value": "~^[+]?0*(?:[1-5])$~"}, {"name": "ARGS:token", "type": "regex", "value": "~^[a-f0-9]{20,}$~"}], "cve": "CVE-2026-2144", "method": "GET", "mode": "block", "severity": 8.1, "slug": "magic-login-mail", "target": "plugin", "versions": "<2.07"}, "RULE-CVE-2026-22202-01": {"ajax_action": "wpdiscuzDeleteDataWithEmail", "conditions": [{"name": "ARGS:commentemail", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-22202", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22202", "description": "wpDiscuz <=7.6.54 unauthenticated/low-privilege destructive comment deletion via wpdiscuzDeleteDataWithEmail AJAX action (CSRF)", "mode": "block", "severity": 6.5, "slug": "wpdiscuz", "tags": ["cross-site-request-forgery", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=7.6.54"}, "RULE-CVE-2026-2231-01": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:first_name", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via first_name in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-02": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:last_name", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via last_name in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-03": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:phone", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via phone in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-04": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:message", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via message in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-05": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:address", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via address in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-06": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:location[user_location_input]", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via location[user_location_input] in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-07": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:utm_source", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via utm_source in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-08": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:utm_medium", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via utm_medium in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-09": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:utm_campaign", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via utm_campaign in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-10": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:utm_term", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via utm_term in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2231-11": {"ajax_action": "fluent_cal_schedule_meeting", "conditions": [{"name": "ARGS:utm_content", "type": "regex", "value": "~(?:<script[\\\\s/>]|<img[\\\\s/]|<svg[\\\\s/]|<iframe[\\\\s/]|<object[\\\\s/]|<embed[\\\\s/]|<math[\\\\s/]|<details[\\\\s/]|on(?:error|load|mouseover|click|focus|blur|mouseenter|animationend|toggle)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-2231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2231", "description": "Fluent Booking <=2.0.01 unauthenticated stored XSS via utm_content in booking submission", "mode": "block", "severity": 7.2, "slug": "fluent-booking", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.01"}, "RULE-CVE-2026-2232-01": {"ajax_action": "wcpt_ajax", "conditions": [{"name": "ARGS:data", "type": "regex", "value": "~(?i:(?:\'\\\\s+(?:AND|OR)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|\'\\\\s+UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s+(?:\\\\d|NULL\\\\b|@@|CHAR\\\\s*\\\\(|0x[0-9a-f]|version\\\\s*\\\\(|concat\\\\s*\\\\()|\'\\\\s*[^\\\\n]{0,40}\\\\bSLEEP\\\\s*\\\\(|\'\\\\s*[^\\\\n]{0,40}\\\\bBENCHMARK\\\\s*\\\\(|WAITFOR\\\\s+DELAY|\'\\\\s*;\\\\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|WAITFOR)\\\\b))~"}], "cve": "CVE-2026-2232", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wc-product-table-lite", "target": "plugin", "versions": "<=4.6.2"}, "RULE-CVE-2026-2232-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]wc-ajax=wcpt_ajax(/|&|$)~"}, {"name": "ARGS:data", "type": "regex", "value": "~(?i:(?:\'\\\\s+(?:AND|OR)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|\'\\\\s+UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s+(?:\\\\d|NULL\\\\b|@@|CHAR\\\\s*\\\\(|0x[0-9a-f]|version\\\\s*\\\\(|concat\\\\s*\\\\()|\'\\\\s*[^\\\\n]{0,40}\\\\bSLEEP\\\\s*\\\\(|\'\\\\s*[^\\\\n]{0,40}\\\\bBENCHMARK\\\\s*\\\\(|WAITFOR\\\\s+DELAY|\'\\\\s*;\\\\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|WAITFOR)\\\\b))~"}], "cve": "CVE-2026-2232", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wc-product-table-lite", "target": "plugin", "versions": "<=4.6.2"}, "RULE-CVE-2026-22344-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22344", "description": "fivestar theme <= 1.7 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fivestar", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22344-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22344", "description": "fivestar theme <= 1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fivestar", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22345-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_type", "type": "equals", "value": "image_gallery"}, {"name": "ARGS", "type": "regex", "value": "~[OC]:\\\\d+:\\"~"}], "cve": "CVE-2026-22345", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22345", "description": "Image Gallery <= 1.6.0 authenticated (Contributor+) PHP Object Injection via save_post deserialization", "method": "POST", "mode": "block", "severity": 8.8, "slug": "new-image-gallery", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.6.0"}, "RULE-CVE-2026-22346-01": {"ajax_action": "slide_responsive", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:^|[;]|[{])O:[0-9]+:\\"~"}], "cve": "CVE-2026-22346", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22346", "description": "Slider Responsive Slideshow <=1.5.4 PHP object injection via slide_responsive AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "slider-responsive-slideshow", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2026-22347-01": {"ajax_action": "wa_chpcs_action", "conditions": [{"name": "ARGS:post_type", "type": "regex", "value": "~[^a-zA-Z0-9_-]~"}], "cve": "CVE-2026-22347", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22347", "description": "Carousel Horizontal Posts Content Slider <=3.3.2 reflected XSS via unsanitized post_type parameter in wa_chpcs_action AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "carousel-horizontal-posts-content-slider", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2026-22352-01": {"ajax_action": "change_sms_text", "conditions": [{"name": "ARGS:order_status", "type": "regex", "value": "~(?:<script[\\\\s/>]|<[a-z]+[^>]*\\\\bon[a-z]+=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-22352", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22352", "description": "Persian WooCommerce SMS <=7.1.1 reflected XSS via order_status parameter in change_sms_text AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "persian-woocommerce-sms", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=7.1.1"}, "RULE-CVE-2026-22353-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "teachpress/authors.php"}, {"name": "ARGS:search", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<img[^>]+onerror\\\\s*=|<svg[^>]+onload\\\\s*=)~i"}], "cve": "CVE-2026-22353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22353", "description": "teachPress <=9.0.12 contributor+ reflected XSS via search parameter on authors admin page", "method": "GET", "mode": "block", "severity": 6.5, "slug": "teachpress", "tags": ["xss", "reflected", "authenticated"], "target": "plugin", "versions": "<=9.0.12"}, "RULE-CVE-2026-22353-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "teachpress/addpublications.php"}, {"name": "ARGS:tags", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<img[^>]+onerror\\\\s*=|<svg[^>]+onload\\\\s*=)~i"}], "cve": "CVE-2026-22353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22353", "description": "teachPress <=9.0.12 contributor+ stored XSS via tags parameter on add publication admin page", "method": "POST", "mode": "block", "severity": 6.5, "slug": "teachpress", "tags": ["xss", "stored", "authenticated"], "target": "plugin", "versions": "<=9.0.12"}, "RULE-CVE-2026-22353-03": {"ajax_action": "tp_document_upload", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "tp_document_upload"}, {"name": "ARGS:/^(async-upload|name)$/", "type": "regex", "value": "~(?:<script[\\\\s/>]|<svg[^>]+onload\\\\s*=|<img[^>]+onerror\\\\s*=|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-22353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22353", "description": "teachPress <=9.0.12 contributor+ reflected XSS via async-upload parameter in tp_document_upload AJAX handler", "mode": "block", "severity": 6.5, "slug": "teachpress", "tags": ["xss", "reflected", "authenticated", "ajax"], "target": "plugin", "versions": "<=9.0.12"}, "RULE-CVE-2026-22357-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:orderby", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via orderby parameter in admin report table", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:order", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via order parameter in admin report table", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-03": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:post_mime_type", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via post_mime_type parameter in admin report table", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-04": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:detached", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via detached parameter in admin report table", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-05": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:type", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via type parameter in admin report table", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-06": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:category", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via category parameter in admin error table", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-07": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:post_id", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via post_id parameter in admin error/click tables", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-08": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:codes", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via codes parameter in admin error/report tables", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-09": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:link_min_count", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via link_min_count parameter in report search", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-10": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:link_max_count", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via link_max_count parameter in report search", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-11": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper_settings"}, {"name": "ARGS:tab", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via tab parameter in settings page", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-12": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper_settings"}, {"name": "ARGS:setting_highlight", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via setting_highlight parameter in settings page", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22357-13": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "link_whisper"}, {"name": "ARGS:keywords", "type": "detectXSS"}], "cve": "CVE-2026-22357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357", "description": "Link Whisper Free <=0.9.2 reflected XSS via keywords parameter in click details page", "method": "GET", "mode": "block", "severity": 7.1, "slug": "link-whisper", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=0.9.2"}, "RULE-CVE-2026-22361-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22361", "description": "a-mart theme <= 1.0.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "a-mart", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-22361-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22361", "description": "a-mart theme <= 1.0.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "a-mart", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-22362-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22362", "description": "photolia theme <= 1.0.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "photolia", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.3"}, "RULE-CVE-2026-22362-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22362", "description": "photolia theme <= 1.0.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "photolia", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.3"}, "RULE-CVE-2026-22363-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22363", "description": "rhodos theme <= 1.3.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rhodos", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.3"}, "RULE-CVE-2026-22363-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22363", "description": "rhodos theme <= 1.3.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rhodos", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.3"}, "RULE-CVE-2026-22364-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22364", "description": "seventrees theme <= 1.0.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "seventrees", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-22364-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22364", "description": "seventrees theme <= 1.0.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "seventrees", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-22365-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22365", "description": "soleng theme <= 1.0.5 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "soleng", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.5"}, "RULE-CVE-2026-22365-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22365", "description": "soleng theme <= 1.0.5 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "soleng", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.5"}, "RULE-CVE-2026-22366-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22366", "description": "jude theme <= 1.3.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "jude", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2026-22366-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22366", "description": "jude theme <= 1.3.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "jude", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2026-22367-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22367", "description": "coworking theme <= 1.6.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "coworking", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.6.1"}, "RULE-CVE-2026-22367-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22367", "description": "coworking theme <= 1.6.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "coworking", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.6.1"}, "RULE-CVE-2026-22368-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22368", "description": "redy theme <= 1.0.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "redy", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-22368-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22368", "description": "redy theme <= 1.0.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "redy", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-22369-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22369", "description": "ironfit theme <= 1.5 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "ironfit", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2026-22369-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22369", "description": "ironfit theme <= 1.5 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "ironfit", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2026-22370-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22370", "description": "marveland theme <= 1.3.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "marveland", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2026-22370-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22370", "description": "marveland theme <= 1.3.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "marveland", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.0"}, "RULE-CVE-2026-22371-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22371", "description": "gustavo theme <= 1.2.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "gustavo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2026-22371-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22371", "description": "gustavo theme <= 1.2.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "gustavo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2026-22372-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22372", "description": "isida theme <= 1.4.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "isida", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.2"}, "RULE-CVE-2026-22372-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22372", "description": "isida theme <= 1.4.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "isida", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.2"}, "RULE-CVE-2026-22373-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22373", "description": "fooddy theme <= 1.3.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fooddy", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.10"}, "RULE-CVE-2026-22373-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22373", "description": "fooddy theme <= 1.3.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fooddy", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.10"}, "RULE-CVE-2026-22374-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22374", "description": "zioalberto theme <= 1.2.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "zioalberto", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2026-22374-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22374", "description": "zioalberto theme <= 1.2.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "zioalberto", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2026-22375-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22375", "description": "impacto-patronus theme <= 1.2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "impacto-patronus", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2026-22375-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22375", "description": "impacto-patronus theme <= 1.2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "impacto-patronus", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2026-22376-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22376", "description": "parkivia theme <= 1.1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "parkivia", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.9"}, "RULE-CVE-2026-22376-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22376", "description": "parkivia theme <= 1.1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "parkivia", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.9"}, "RULE-CVE-2026-22377-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22377", "description": "saveo theme <= 1.1.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "saveo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.2"}, "RULE-CVE-2026-22377-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22377", "description": "saveo theme <= 1.1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "saveo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.2"}, "RULE-CVE-2026-22378-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22378", "description": "blabber theme <= 1.7.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "blabber", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.7.0"}, "RULE-CVE-2026-22378-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22378", "description": "blabber theme <= 1.7.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "blabber", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7.0"}, "RULE-CVE-2026-22379-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22379", "description": "netmix theme <= 1.0.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "netmix", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2026-22379-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22379", "description": "netmix theme <= 1.0.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "netmix", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.10"}, "RULE-CVE-2026-22380-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22380", "description": "unlimhost theme <= 1.2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "unlimhost", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2026-22380-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22380", "description": "unlimhost theme <= 1.2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "unlimhost", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.3"}, "RULE-CVE-2026-22381-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22381", "description": "pawfriends theme <= 1.3 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "pawfriends", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2026-22381-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22381", "description": "pawfriends theme <= 1.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "pawfriends", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2026-22387-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22387", "description": "aviana theme <= 2.1 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "aviana", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.1"}, "RULE-CVE-2026-22387-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22387", "description": "aviana theme <= 2.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "aviana", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.1"}, "RULE-CVE-2026-22389-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22389", "description": "cocco theme <= 1.5.1 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "cocco", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.5.1"}, "RULE-CVE-2026-22389-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22389", "description": "cocco theme <= 1.5.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "cocco", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5.1"}, "RULE-CVE-2026-22390-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "ba_cheetah_disable"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-22390", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22390", "description": "Builderall Builder for WordPress <=3.0.1 missing authorization on ba_cheetah_disable AJAX handler", "mode": "block", "severity": 9.9, "slug": "builderall-cheetah-for-wp", "tags": ["missing-authorization", "broken-access-control", "ajax"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2026-22390-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "ba_cheetah_duplicate_wpml_layout"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-22390", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22390", "description": "Builderall Builder for WordPress <=3.0.1 missing authorization on ba_cheetah_duplicate_wpml_layout AJAX handler", "mode": "block", "severity": 9.9, "slug": "builderall-cheetah-for-wp", "tags": ["missing-authorization", "broken-access-control", "ajax"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2026-22392-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22392", "description": "cortex theme <= 1.5 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "cortex", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2026-22392-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22392", "description": "cortex theme <= 1.5 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "cortex", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2026-22394-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22394", "description": "evently theme <= 1.7 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "evently", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22394-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22394", "description": "evently theme <= 1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "evently", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22395-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22395", "description": "fiorello theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fiorello", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-22395-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22395", "description": "fiorello theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fiorello", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-22397-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22397", "description": "fleur theme <= 2.0 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fleur", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.0"}, "RULE-CVE-2026-22397-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22397", "description": "fleur theme <= 2.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fleur", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.0"}, "RULE-CVE-2026-22399-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22399", "description": "holmes theme <= 1.7 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "holmes", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22399-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22399", "description": "holmes theme <= 1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "holmes", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22403-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22403", "description": "innovio theme <= 1.7 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "innovio", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22403-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22403", "description": "innovio theme <= 1.7 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "innovio", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.7"}, "RULE-CVE-2026-22405-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22405", "description": "overton theme <= 1.3 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "overton", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2026-22405-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22405", "description": "overton theme <= 1.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "overton", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2026-22408-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22408", "description": "justicia theme <= 1.2 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "justicia", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22408-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22408", "description": "justicia theme <= 1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "justicia", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22410-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22410", "description": "dolcino theme <= 1.6 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "dolcino", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2026-22410-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22410", "description": "dolcino theme <= 1.6 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "dolcino", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2026-22412-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22412", "description": "eona theme <= 1.3 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "eona", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2026-22412-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22412", "description": "eona theme <= 1.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "eona", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3"}, "RULE-CVE-2026-22413-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22413", "description": "malgre theme <= 1.0.3 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "malgre", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.0.3"}, "RULE-CVE-2026-22413-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22413", "description": "malgre theme <= 1.0.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "malgre", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.3"}, "RULE-CVE-2026-22414-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22414", "description": "marra theme <= 1.2 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "marra", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22414-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22414", "description": "marra theme <= 1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "marra", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22415-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22415", "description": "the-mounty theme <= 1.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "the-mounty", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2026-22415-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22415", "description": "the-mounty theme <= 1.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "the-mounty", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2026-22416-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22416", "description": "fixteam theme <= 1.5.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "fixteam", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.5.0"}, "RULE-CVE-2026-22416-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22416", "description": "fixteam theme <= 1.5.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "fixteam", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5.0"}, "RULE-CVE-2026-22418-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22418", "description": "great-lotus theme <= 1.3.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "great-lotus", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2026-22418-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22418", "description": "great-lotus theme <= 1.3.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "great-lotus", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2026-22419-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22419", "description": "honor theme <= 2.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "honor", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.3"}, "RULE-CVE-2026-22419-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22419", "description": "honor theme <= 2.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "honor", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.3"}, "RULE-CVE-2026-22420-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22420", "description": "horizon theme <= 1.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "horizon", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2026-22420-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22420", "description": "horizon theme <= 1.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "horizon", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2026-22421-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22421", "description": "quantum theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "quantum", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-22421-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22421", "description": "quantum theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "quantum", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-22424-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22424", "description": "shaha theme <= 1.1.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "shaha", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.2"}, "RULE-CVE-2026-22424-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22424", "description": "shaha theme <= 1.1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "shaha", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.2"}, "RULE-CVE-2026-22427-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22427", "description": "gotravel theme <= 2.1 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "gotravel", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=2.1"}, "RULE-CVE-2026-22427-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22427", "description": "gotravel theme <= 2.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "gotravel", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.1"}, "RULE-CVE-2026-22428-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22428", "description": "tooth-fairy theme <= 1.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "tooth-fairy", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2026-22428-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22428", "description": "tooth-fairy theme <= 1.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "tooth-fairy", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.16"}, "RULE-CVE-2026-22429-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22429", "description": "verdure theme <= 1.6 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "verdure", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2026-22429-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22429", "description": "verdure theme <= 1.6 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "verdure", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.6"}, "RULE-CVE-2026-22431-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22431", "description": "wabi-sabi theme <= 1.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wabi-sabi", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22431-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22431", "description": "wabi-sabi theme <= 1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wabi-sabi", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22432-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22432", "description": "woopy theme <= 1.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "woopy", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22432-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22432", "description": "woopy theme <= 1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "woopy", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-22433-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22433", "description": "cloudme theme <= 1.2.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "cloudme", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2026-22433-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22433", "description": "cloudme theme <= 1.2.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "cloudme", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.2"}, "RULE-CVE-2026-22434-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22434", "description": "crown-art theme <= 1.2.11 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "crown-art", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.11"}, "RULE-CVE-2026-22434-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22434", "description": "crown-art theme <= 1.2.11 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "crown-art", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.11"}, "RULE-CVE-2026-22435-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22435", "description": "electroserv theme <= 1.3.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "electroserv", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.2"}, "RULE-CVE-2026-22435-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22435", "description": "electroserv theme <= 1.3.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "electroserv", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.2"}, "RULE-CVE-2026-22437-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22437", "description": "playa theme <= 1.3.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "playa", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.9"}, "RULE-CVE-2026-22437-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22437", "description": "playa theme <= 1.3.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "playa", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.9"}, "RULE-CVE-2026-22439-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22439", "description": "green-planet theme <= 1.1.14 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "green-planet", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.14"}, "RULE-CVE-2026-22439-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22439", "description": "green-planet theme <= 1.1.14 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "green-planet", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.14"}, "RULE-CVE-2026-22457-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22457", "description": "wanderland theme <= 1.5 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wanderland", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2026-22457-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22457", "description": "wanderland theme <= 1.5 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wanderland", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.5"}, "RULE-CVE-2026-22460-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/formgent/~"}, {"name": "ARGS", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/](?:wp-config\\\\.php|\\\\.htaccess|\\\\.env)|/etc/passwd~i"}], "cve": "CVE-2026-22460", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22460", "description": "FormGent <=1.5.4 unauthenticated arbitrary file deletion via path traversal in REST API", "mode": "block", "severity": 8.6, "slug": "formgent", "tags": ["path-traversal", "arbitrary-file-deletion", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.5.4"}, "RULE-CVE-2026-22472-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "set_setting_Emsfb"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-22472", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22472", "description": "Easy Form Builder <=3.9.6 missing authorization on set_setting_Emsfb AJAX action allows subscriber+ settings manipulation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "easy-form-builder", "tags": ["missing-authorization", "broken-access-control", "settings-manipulation"], "target": "plugin", "versions": "<=3.9.6"}, "RULE-CVE-2026-22472-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "add_addons_Emsfb"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-22472", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22472", "description": "Easy Form Builder <=3.9.6 missing authorization on add_addons_Emsfb AJAX action allows subscriber+ arbitrary addon installation", "method": "POST", "mode": "block", "severity": 8.8, "slug": "easy-form-builder", "tags": ["missing-authorization", "broken-access-control", "arbitrary-file-install"], "target": "plugin", "versions": "<=3.9.6"}, "RULE-CVE-2026-22477-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22477", "description": "felizia theme <= 1.3.4 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "felizia", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.4"}, "RULE-CVE-2026-22477-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22477", "description": "felizia theme <= 1.3.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "felizia", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.4"}, "RULE-CVE-2026-22480-01": {"ajax_action": "pf_export_ajax_basic", "conditions": [{"name": "ARGS:form_data", "type": "regex", "value": "~[OC]:[0-9]+:\\\\\\"~"}, {"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-22480", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22480", "description": "Product Feed for WooCommerce <=2.3.3 PHP object injection via form_data in pf_export_ajax_basic", "mode": "block", "severity": 7.2, "slug": "webtoffee-product-feed", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=2.3.3"}, "RULE-CVE-2026-22480-02": {"ajax_action": "pf_schedule_ajax", "conditions": [{"name": "ARGS:form_data", "type": "regex", "value": "~[OC]:[0-9]+:\\\\\\"~"}, {"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-22480", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22480", "description": "Product Feed for WooCommerce <=2.3.3 PHP object injection via form_data in pf_schedule_ajax", "mode": "block", "severity": 7.2, "slug": "webtoffee-product-feed", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=2.3.3"}, "RULE-CVE-2026-22481-01": {"ajax_action": "save_courier_settings", "conditions": [{"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-22481", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22481", "description": "BD Courier Order Ratio Checker <=2.0.1 missing authorization on save_courier_settings AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "bd-courier-order-ratio-checker", "tags": ["missing-authorization", "broken-access-control", "settings-change"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-22481-02": {"ajax_action": "refresh_courier_data_edit", "conditions": [{"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-22481", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22481", "description": "BD Courier Order Ratio Checker <=2.0.1 missing authorization on refresh_courier_data_edit AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "bd-courier-order-ratio-checker", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-22481-03": {"ajax_action": "refresh_courier_data_list", "conditions": [{"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-22481", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22481", "description": "BD Courier Order Ratio Checker <=2.0.1 missing authorization on refresh_courier_data_list AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "bd-courier-order-ratio-checker", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-22481-04": {"ajax_action": "fetch_order_ratios", "conditions": [{"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-22481", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22481", "description": "BD Courier Order Ratio Checker <=2.0.1 missing authorization on fetch_order_ratios AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "bd-courier-order-ratio-checker", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-22482-01": {"ajax_action": "wb_scrapy_image", "conditions": [{"name": "ARGS:op", "type": "regex", "value": "~^(?:scrapy|down)$~"}, {"name": "ARGS:image", "type": "regex", "value": "~(?:^https?://(?:localhost(?=[:/]|$)|127\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}(?=[:/]|$)|0\\\\.0\\\\.0\\\\.0(?=[:/]|$)|10\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}(?=[:/]|$)|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}(?=[:/]|$)|192\\\\.168\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}(?=[:/]|$)|169\\\\.254\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}(?=[:/]|$)|\\\\[::1\\\\](?=[:/]|$)|0x[0-9a-f]{8}(?=[:/]|$))|^file://)~i"}], "cve": "CVE-2026-22482", "method": "POST", "mode": "block", "severity": 9.1, "slug": "imgspider", "target": "plugin", "versions": "<2.3.13"}, "RULE-CVE-2026-22495-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22495", "description": "greenville theme <= 1.3.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "greenville", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.2"}, "RULE-CVE-2026-22495-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22495", "description": "greenville theme <= 1.3.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "greenville", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.2"}, "RULE-CVE-2026-22496-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22496", "description": "hypnotherapy theme <= 1.2.10 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "hypnotherapy", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.10"}, "RULE-CVE-2026-22496-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22496", "description": "hypnotherapy theme <= 1.2.10 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "hypnotherapy", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.10"}, "RULE-CVE-2026-22502-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22502", "description": "mr-cobbler theme <= 1.1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "mr-cobbler", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.9"}, "RULE-CVE-2026-22502-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22502", "description": "mr-cobbler theme <= 1.1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "mr-cobbler", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.9"}, "RULE-CVE-2026-22508-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22508", "description": "dentalux theme <= 3.3 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "dentalux", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=3.3"}, "RULE-CVE-2026-22508-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22508", "description": "dentalux theme <= 3.3 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "dentalux", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=3.3"}, "RULE-CVE-2026-22513-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22513", "description": "triompher theme <= 1.1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "triompher", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2026-22513-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22513", "description": "triompher theme <= 1.1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "triompher", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.0"}, "RULE-CVE-2026-22514-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22514", "description": "unica theme <= 1.4.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "unica", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.1"}, "RULE-CVE-2026-22514-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22514", "description": "unica theme <= 1.4.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "unica", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.1"}, "RULE-CVE-2026-22515-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22515", "description": "vegadays theme <= 1.2.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "vegadays", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.0"}, "RULE-CVE-2026-22515-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22515", "description": "vegadays theme <= 1.2.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "vegadays", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.0"}, "RULE-CVE-2026-22516-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-22516", "description": "wizors-investments theme <= 2.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "wizors-investments", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.12"}, "RULE-CVE-2026-22516-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-22516", "description": "wizors-investments theme <= 2.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "wizors-investments", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.12"}, "RULE-CVE-2026-22522-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/block-slider/~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-22522", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22522", "description": "Block Slider <=2.2.3 broken access control on REST API endpoints allows subscriber+ unauthorized data access", "mode": "block", "severity": 6.5, "slug": "block-slider", "tags": ["missing-authorization", "broken-access-control", "rest-api", "information-disclosure"], "target": "plugin", "versions": "<=2.2.3"}, "RULE-CVE-2026-2268-01": {"ajax_action": "nf_ajax_submit", "conditions": [{"name": "ARGS:formData", "type": "regex", "value": "~\\\\{post_meta:[^}]+\\\\}~i"}], "cve": "CVE-2026-2268", "method": "POST", "mode": "block", "severity": 7.5, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.14.0"}, "RULE-CVE-2026-2268-02": {"ajax_action": "nf_ajax_submit", "conditions": [{"name": "ARGS:formData", "type": "regex", "value": "~\\\\{user_meta:[^}]+\\\\}~i"}], "cve": "CVE-2026-2268", "method": "POST", "mode": "block", "severity": 7.5, "slug": "ninja-forms", "target": "plugin", "versions": "<=3.14.0"}, "RULE-CVE-2026-22850-01": {"action": "init", "conditions": [{"name": "ARGS:pa", "type": "regex", "value": "~[)\'][ ]*[,;][ ]*(?:[(][ ]*[\'\\"]|DROP |DELETE |INSERT |UPDATE |SELECT |ALTER |TRUNCATE |CREATE |--)~i"}], "cve": "CVE-2026-22850", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22850", "description": "Koko Analytics <2.1.3 stored SQL injection via pa tracking parameter", "mode": "block", "severity": 8.3, "slug": "koko-analytics", "tags": ["sql-injection", "stored-sqli", "tracking"], "target": "plugin", "versions": "<2.1.3"}, "RULE-CVE-2026-22850-02": {"action": "init", "conditions": [{"name": "ARGS:r", "type": "regex", "value": "~[)\'][ ]*[,;][ ]*(?:[(][ ]*[\'\\"]|DROP |DELETE |INSERT |UPDATE |SELECT |ALTER |TRUNCATE |CREATE |--)~i"}], "cve": "CVE-2026-22850", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22850", "description": "Koko Analytics <2.1.3 stored SQL injection via r referrer parameter", "mode": "block", "severity": 8.3, "slug": "koko-analytics", "tags": ["sql-injection", "stored-sqli", "tracking"], "target": "plugin", "versions": "<2.1.3"}, "RULE-CVE-2026-2295-01": {"ajax_action": "wpz_posts_grid_load_more", "conditions": [{"name": "ARGS:posts_data", "type": "regex", "value": "~\\"post_status\\"[ ]*:~i"}], "cve": "CVE-2026-2295", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2295", "description": "WPZOOM Addons for Elementor <=1.3.2 unauthenticated information disclosure via post_status injection in wpz_posts_grid_load_more AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "wpzoom-elementor-addons", "tags": ["information-disclosure", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=1.3.2"}, "RULE-CVE-2026-2296-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wcpa/~"}, {"name": "ARGS", "type": "regex", "value": "~[();`$]|\\\\bsystem\\\\b|\\\\bexec\\\\b|\\\\bpassthru\\\\b|\\\\bshell_exec\\\\b|\\\\bpopen\\\\b|\\\\bproc_open\\\\b|\\\\beval\\\\b|\\\\bassert\\\\b|\\\\bphpinfo\\\\b|\\\\bbase64_decode\\\\b|\\\\bfile_get_contents\\\\b|\\\\bfile_put_contents\\\\b|\\\\bchr\\\\s*\\\\(|\\\\bpack\\\\s*\\\\(~i"}, {"type": "missing_capability", "value": "manage_woocommerce"}], "cve": "CVE-2026-2296", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2296", "description": "Product Addons for Woocommerce <=3.1.0 authenticated (Shop Manager+) PHP code injection via conditional logic operator field in REST API", "method": "POST", "mode": "block", "severity": 7.2, "slug": "woo-custom-product-addons", "tags": ["code-injection", "rce", "rest-api", "authenticated"], "target": "plugin", "versions": "<=3.1.0"}, "RULE-CVE-2026-23549-01": {"ajax_action": "mep_re_ajax_load_ticket_type_list", "conditions": [{"name": "ARGS:event_id", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2026-23549", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23549", "description": "WpEvently <=5.1.1 unauthenticated PHP Object Injection via event_id in mep_re_ajax_load_ticket_type_list", "method": "POST", "mode": "block", "severity": 9.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.1.1"}, "RULE-CVE-2026-23549-02": {"ajax_action": "mep_re_ajax_load_extra_service_list", "conditions": [{"name": "ARGS:event_id", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2026-23549", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23549", "description": "WpEvently <=5.1.1 unauthenticated PHP Object Injection via event_id in mep_re_ajax_load_extra_service_list", "method": "POST", "mode": "block", "severity": 9.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.1.1"}, "RULE-CVE-2026-23549-03": {"ajax_action": "mep_re_ajax_load_ticket_time_list", "conditions": [{"name": "ARGS:event_id", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2026-23549", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23549", "description": "WpEvently <=5.1.1 unauthenticated PHP Object Injection via event_id in mep_re_ajax_load_ticket_time_list", "method": "POST", "mode": "block", "severity": 9.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.1.1"}, "RULE-CVE-2026-23549-04": {"ajax_action": "mep_event_list_date_schedule", "conditions": [{"name": "ARGS:event_id", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2026-23549", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23549", "description": "WpEvently <=5.1.1 unauthenticated PHP Object Injection via event_id in mep_event_list_date_schedule", "method": "POST", "mode": "block", "severity": 9.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.1.1"}, "RULE-CVE-2026-23550-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/api/modular-connector/login/.*~i"}], "config": {}, "cve": "CVE-2026-23550", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23550", "description": "Modular Connector <=2.5.1 unauthenticated privilege escalation in the Modular DS/Modular Connector plugin caused by incorrect privilege assignment and an overly permissive custom routing layer that allows crafted unauthenticated requests to reach login-related endpoints and obtain elevated privileges, as described by NVD, Patchstack, and the vendor advisory.", "mode": "block", "severity": 10.0, "slug": "modular-connector", "tags": ["priv-esc", "auth-bypass", "modular-connector", "routing"], "target": "plugin", "versions": "<=2.5.1"}, "RULE-CVE-2026-23550-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~/(api/modular-connector|api-modular-connector)/(login|lb|oauth)/[^/?]+~i"}], "config": {}, "cve": "CVE-2026-23550", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23550", "description": "Heuristic coverage for Modular Connector <=2.5.1 privilege escalation where unauthenticated attackers can reach internal login-related routes handled by the plugin\\u2019s custom router (for example, variants of an /api-modular-connector/login path) because routing middleware is bypassed, enabling admin-login behavior consistent with external analyses of this CVE.", "mode": "block", "severity": 10.0, "slug": "modular-connector", "tags": ["priv-esc", "auth-bypass", "modular-connector", "routing"], "target": "plugin", "versions": "<=2.5.1"}, "RULE-CVE-2026-2356-01": {"ajax_action": "user_registration_membership_register_member", "conditions": [{"name": "ARGS:members_data", "type": "regex", "value": "~\\"payment_method\\"\\\\s*:\\\\s*\\"\\"~"}], "cve": "CVE-2026-2356", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2356", "description": "User Registration & Membership <=5.1.2 unauthenticated IDOR user deletion via register_member AJAX handler (empty payment_method path)", "method": "POST", "mode": "block", "severity": 5.3, "slug": "user-registration", "tags": ["idor", "improper-access-control", "unauthenticated", "user-deletion"], "target": "plugin", "versions": "<=5.1.2"}, "RULE-CVE-2026-2358-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~[[]wp_ulike_likers_box[^]]*template[ ]*=[ ]*[\\"\'][^\\"\']*(?:&#(?:0*60|[xX]0*3[cC]);?|<)[ ]*(?:script|img|svg|iframe|details|object|embed|body|marquee|video|audio|input|select|textarea|form|button|a[ ])[^\\"\']*[\\"\']~i"}], "cve": "CVE-2026-2358", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2358", "description": "WP ULike <=5.0.1 Stored XSS via [wp_ulike_likers_box] shortcode template attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-ulike", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=5.0.1"}, "RULE-CVE-2026-2358-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "regex", "value": "~[[]wp_ulike_likers_box[^]]*template[ ]*=[ ]*[\\"\'][^\\"\']*(?:&#(?:0*60|[xX]0*3[cC]);?|<)[ ]*(?:script|img|svg|iframe|details|object|embed|body|marquee|video|audio|input|select|textarea|form|button|a[ ])[^\\"\']*[\\"\']~i"}], "cve": "CVE-2026-2358", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2358", "description": "WP ULike <=5.0.1 Stored XSS via [wp_ulike_likers_box] shortcode template attribute in REST API post/page save", "mode": "block", "severity": 6.4, "slug": "wp-ulike", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=5.0.1"}, "RULE-CVE-2026-2362-01": {"ajax_action": "save-attachment", "conditions": [{"name": "ARGS:changes[alt]", "type": "regex", "value": "~<[a-zA-Z][^>]*on[a-zA-Z]+=|<(script|svg|iframe|embed|object|math|xmp|noscript)|javascript\\\\s*:~i"}], "cve": "CVE-2026-2362", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2362", "description": "WP Accessibility <=2.3.1 Stored DOM-Based XSS via image alt text in save-attachment AJAX handler", "method": "POST", "mode": "block", "severity": 6.4, "slug": "wp-accessibility", "tags": ["xss", "stored-dom-xss", "media-library"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2026-2365-01": {"ajax_action": "fluentform_step_form_save_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<script[^>]*>|javascript\\\\s*:|on(?:error|load|click|mouseover|focus|blur)\\\\s*=~i"}], "cve": "CVE-2026-2365", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2365", "description": "Fluent Forms <=6.1.17 unauthenticated stored XSS via fluentform_step_form_save_data AJAX draft endpoint", "method": "POST", "mode": "block", "severity": 7.2, "slug": "fluentform", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=6.1.17"}, "RULE-CVE-2026-2367-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "[ays_block"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:|<svg[^>]*\\\\bon|<iframe[^>]*>~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2367", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2367", "description": "Secure Copy Content Protection <= 5.0.1 Stored XSS via ays_block shortcode in post content (post.php)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "secure-copy-content-protection", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=5.0.1"}, "RULE-CVE-2026-2367-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "contains", "value": "[ays_block"}, {"name": "ARGS:content", "type": "regex", "value": "~<script[^>]*>|\\\\bon(?:error|load|click|mouseover|focus|mouseenter)\\\\s*=|javascript\\\\s*:|<svg[^>]*\\\\bon|<iframe[^>]*>~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2367", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2367", "description": "Secure Copy Content Protection <= 5.0.1 Stored XSS via ays_block shortcode in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "secure-copy-content-protection", "tags": ["xss", "stored-xss", "shortcode", "rest-api"], "target": "plugin", "versions": "<=5.0.1"}, "RULE-CVE-2026-2371-01": {"ajax_action": "gspb_el_reusable_load", "conditions": [{"type": "missing_capability", "value": "read"}, {"name": "ARGS:post_id", "type": "exists"}], "cve": "CVE-2026-2371", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2371", "description": "GreenShift <=12.8.3 unauthenticated IDOR disclosure of private/draft/password-protected reusable blocks via gspb_el_reusable_load AJAX handler", "method": "POST", "mode": "block", "severity": 5.3, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["missing-authorization", "idor", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=12.8.3"}, "RULE-CVE-2026-2373-05": {"ajax_action": "wpr_get_filtered_count_products", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php)(?:\\\\?|$)~i"}, {"name": "ARGS:grid_settings[post_type]", "type": "regex", "value": "~^(?!post$|page$|product$|attachment$|nav_menu_item$|revision$|custom_css$|customize_changeset$|oembed_cache$|user_request$|wp_block$|wp_template$|wp_template_part$|wp_global_styles$|wp_navigation$|elementor_library$)[a-z][a-z0-9_-]{1,31}$~i"}], "cve": "CVE-2026-2373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2373", "description": "Royal Elementor Addons <=1.7.1049 unauthenticated CPT count exposure via wpr_get_filtered_count_products", "mode": "block", "severity": 5.3, "slug": "royal-elementor-addons", "tags": ["missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1049"}, "RULE-CVE-2026-2373-06": {"ajax_action": "wpr_get_media_filtered_count", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php)(?:\\\\?|$)~i"}, {"name": "ARGS:grid_settings[post_type]", "type": "regex", "value": "~^(?!post$|page$|product$|attachment$|nav_menu_item$|revision$|custom_css$|customize_changeset$|oembed_cache$|user_request$|wp_block$|wp_template$|wp_template_part$|wp_global_styles$|wp_navigation$|elementor_library$)[a-z][a-z0-9_-]{1,31}$~i"}], "cve": "CVE-2026-2373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2373", "description": "Royal Elementor Addons <=1.7.1049 unauthenticated CPT count exposure via wpr_get_media_filtered_count", "mode": "block", "severity": 5.3, "slug": "royal-elementor-addons", "tags": ["missing-authorization", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=1.7.1049"}, "RULE-CVE-2026-23800-01": {"action": "plugins_loaded", "conditions": [{"name": "ARGS:origin", "type": "equals", "value": "mo"}, {"name": "ARGS:type", "type": "equals", "value": "request"}, {"name": "ARGS:mrid", "type": "regex", "value": "~.+~"}, {"name": "ARGS:sig", "type": "regex", "value": "~.+~"}], "cve": "CVE-2026-23800", "method": "GET", "mode": "block", "severity": 10.0, "slug": "modular-connector", "target": "plugin", "versions": "<=2.5.2"}, "RULE-CVE-2026-23806-01": {"action": "init", "conditions": [{"name": "ARGS:job-search", "type": "regex", "value": "~(?:UNION[\\\\s/*]+(?:ALL[\\\\s/*]+)?SELECT[\\\\s/*]|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/\\\\*[!+]|[\'\\")0-9]\\\\s*--\\\\s|\\\\b(?:OR|AND)\\\\s+[\'\\"]?\\\\d+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?\\\\d+|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\()~i"}], "cve": "CVE-2026-23806", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23806", "description": "Jobs for WordPress <=2.8 unauthenticated SQL injection via job-search shortcode parameter", "mode": "block", "severity": 7.5, "slug": "job-postings", "tags": ["sql-injection", "unauthenticated", "shortcode", "broken-access-control"], "target": "plugin", "versions": "<=2.8"}, "RULE-CVE-2026-23807-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "wptelegram_widget_view"}, {"name": "ARGS", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-23807", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23807", "description": "WP Telegram Widget <=2.2.13 unauthenticated reflected XSS via wptelegram_widget_view admin-post handler", "mode": "block", "severity": 7.1, "slug": "wptelegram-widget", "tags": ["xss", "reflected", "unauthenticated"], "target": "plugin", "versions": "<=2.2.13"}, "RULE-CVE-2026-2386-01": {"ajax_action": "tpae_create_page", "conditions": [{"name": "ARGS:post_type", "type": "regex", "value": "~^(?:page|nxt_builder)$~i"}, {"type": "missing_capability", "value": "edit_pages"}], "cve": "CVE-2026-2386", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2386", "description": "The Plus Addons for Elementor <=6.4.7 incorrect authorization in tpae_create_page allows Author+ to create restricted post type drafts via post_type parameter", "method": "POST", "mode": "block", "severity": 4.3, "slug": "the-plus-addons-for-elementor-page-builder", "tags": ["incorrect-authorization", "broken-access-control", "privilege-escalation"], "target": "plugin", "versions": "<=6.4.7"}, "RULE-CVE-2026-2410-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "wdanp-edit-redirects"}, {"name": "ARGS:wdan_add_block", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2410", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2410", "description": "Disable Admin Notices <=1.4.1 CSRF on blocked redirect URL addition via wdanp-edit-redirects admin page", "method": "POST", "mode": "block", "severity": 4.3, "slug": "disable-admin-notices", "tags": ["csrf", "cross-site-request-forgery", "settings-change"], "target": "plugin", "versions": "<=1.4.1"}, "RULE-CVE-2026-2416-01": {"ajax_action": "geo_mashup_query", "conditions": [{"name": "ARGS:sort", "type": "detectSQLi"}], "cve": "CVE-2026-2416", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2416", "description": "Geo Mashup <=1.13.17 unauthenticated SQL injection via sort parameter in geo_mashup_query AJAX handler", "mode": "block", "severity": 7.5, "slug": "geo-mashup", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.13.17"}, "RULE-CVE-2026-2416-02": {"ajax_action": "geo_mashup_suggest_custom_keys", "conditions": [{"name": "ARGS:sort", "type": "detectSQLi"}], "cve": "CVE-2026-2416", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2416", "description": "Geo Mashup <=1.13.17 authenticated SQL injection via sort parameter in geo_mashup_suggest_custom_keys AJAX handler", "mode": "block", "severity": 7.5, "slug": "geo-mashup", "tags": ["sql-injection", "ajax"], "target": "plugin", "versions": "<=1.13.17"}, "RULE-CVE-2026-2429-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "save_community_events_venues"}, {"name": "ARGS:ce_csv_import", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/\\\\*.*\\\\*/|(?:--|#)\\\\s|\\\\b(?:OR|AND)\\\\s+[\'\\"]?\\\\d+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?\\\\d+|[\'\\"]\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d+[\'\\"]?\\\\s*=)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2429", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2429", "description": "Community Events <=1.5.8 authenticated (admin+) SQL injection via ce_venue_name CSV field in venue import", "method": "POST", "mode": "block", "severity": 4.9, "slug": "community-events", "tags": ["sql-injection", "csv-import", "authenticated"], "target": "plugin", "versions": "<=1.5.8"}, "RULE-CVE-2026-2431-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "cm-custom-reports"}, {"name": "ARGS:date_from", "type": "regex", "value": "~(?:<|>|\\"|\'|on[a-zA-Z0-9_]+[ ]*=|script|svg|img)~i"}], "cve": "CVE-2026-2431", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2431", "description": "CM Custom Reports <=1.2.7 Reflected XSS via date_from parameter on admin reports page", "mode": "block", "severity": 6.1, "slug": "cm-custom-reports", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2026-2431-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:page", "type": "equals", "value": "cm-custom-reports"}, {"name": "ARGS:date_to", "type": "regex", "value": "~(?:<|>|\\"|\'|on[a-zA-Z0-9_]+[ ]*=|script|svg|img)~i"}], "cve": "CVE-2026-2431", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2431", "description": "CM Custom Reports <=1.2.7 Reflected XSS via date_to parameter on admin reports page", "mode": "block", "severity": 6.1, "slug": "cm-custom-reports", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=1.2.7"}, "RULE-CVE-2026-24353-01": {"ajax_action": "user_registration_membership_register_member", "conditions": [{"name": "ARGS:members_data", "type": "regex", "value": "~(?:administrator|editor|manage_options|delete_users|edit_users)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24353", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24353", "description": "User Registration <= 4.4.9 privilege escalation via membership registration allowing non-admin role assignment", "method": "POST", "mode": "block", "severity": 8.1, "slug": "user-registration", "tags": ["priv-esc", "role-assignment"], "target": "plugin", "versions": "<=4.4.9"}, "RULE-CVE-2026-24356-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/getgenie/v1/geniechat(/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-24356", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24356", "description": "GetGenie <=4.3.0 missing authorization on geniechat REST endpoint allows unauthorized access", "method": "POST", "mode": "block", "severity": 8.8, "slug": "getgenie", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.3.0"}, "RULE-CVE-2026-24357-01": {"ajax_action": "wprm_reset_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_reset_settings AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24357-02": {"ajax_action": "wprm_export_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_export_settings AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24357-03": {"ajax_action": "wprm_import_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_import_settings AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24357-04": {"ajax_action": "wprm_export_templates", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_export_templates AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24357-05": {"ajax_action": "wprm_import_templates", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_import_templates AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24357-06": {"ajax_action": "wprm_anonymize_ratings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_anonymize_ratings AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control", "data-manipulation"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24357-07": {"ajax_action": "wprm_analytics_export_csv", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_analytics_export_csv AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24357-08": {"ajax_action": "wprm_health_check", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24357", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24357", "description": "WP Recipe Maker <=10.2.4 missing authorization on wprm_health_check AJAX action", "mode": "block", "severity": 8.1, "slug": "wp-recipe-maker", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=10.2.4"}, "RULE-CVE-2026-24373-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^(?!/wp-admin/)~"}, {"name": "ARGS:form_id", "type": "exists"}, {"name": "ARGS:rm_user_role", "type": "regex", "value": "~(?:^|\\\\s)(?:administrator|editor|author|contributor)(?:\\\\s|$)~i"}], "cve": "CVE-2026-24373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24373", "description": "RegistrationMagic <=6.0.7.1 unauthenticated privilege escalation via rm_user_role parameter in registration form submission", "method": "POST", "mode": "block", "severity": 8.1, "slug": "custom-registration-form-builder-with-submission-manager", "tags": ["privilege-escalation", "incorrect-privilege-assignment", "unauthenticated"], "target": "plugin", "versions": "<=6.0.7.1"}, "RULE-CVE-2026-24374-01": {"ajax_action": "rm_activate_rm_user", "conditions": [{"name": "ARGS:user_id", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24374", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24374", "description": "RegistrationMagic <= 6.0.6.9 broken authentication on user activation allowing non-admin account takeover", "method": "POST", "mode": "block", "severity": 5.4, "slug": "custom-registration-form-builder-with-submission-manager", "target": "plugin", "versions": "<=6.0.6.9"}, "RULE-CVE-2026-24377-01": {"ajax_action": "tpgb_get_template_content", "conditions": [{"type": "missing_capability", "value": "read"}], "cve": "CVE-2026-24377", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24377", "description": "Nexter Blocks <=4.6.3 unauthenticated sensitive data exposure via tpgb_get_template_content AJAX handler", "mode": "block", "severity": 7.5, "slug": "the-plus-addons-for-block-editor", "tags": ["sensitive-data-exposure", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=4.6.3"}, "RULE-CVE-2026-24378-01": {"ajax_action": "eventprime_api", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OC]:[0-9]+:[\\"\\\\{]~"}], "cve": "CVE-2026-24378", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24378", "description": "EventPrime <=4.2.8.0 unauthenticated PHP object injection via eventprime_api AJAX handler", "mode": "block", "severity": 9.8, "slug": "eventprime-event-calendar-management", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=4.2.8.0"}, "RULE-CVE-2026-24382-01": {"ajax_action": "newsx_activate_required_plugins", "conditions": [{"type": "missing_capability", "value": "activate_plugins"}], "cve": "CVE-2026-24382", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24382", "description": "News Magazine X <=1.2.50 unauthenticated plugin activation via newsx_activate_required_plugins AJAX handler", "mode": "block", "severity": 7.5, "slug": "news-magazine-x", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "theme", "versions": "<=1.2.50"}, "RULE-CVE-2026-24383-01": {"ajax_action": "bsbPosts", "conditions": [{"name": "ARGS:queryAttr", "type": "regex", "value": "~(?i)(</?[a-z][a-z0-9]*[\\\\s>]|<script|<img|onerror\\\\s*=|onload\\\\s*=|javascript:)~"}], "cve": "CVE-2026-24383", "method": "POST", "mode": "block", "severity": 6.5, "slug": "b-slider", "target": "plugin", "versions": "<=2.0.6"}, "RULE-CVE-2026-24385-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/podlove-web-player/(?:options|configs)(?:/|\\\\?|$)~"}, {"name": "ARGS", "type": "regex", "value": "~[OC]:[0-9]+:[\\"\\\\{]~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24385", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24385", "description": "Podlove Web Player <=5.9.1 PHP Object Injection via unauthenticated REST options/configs endpoints", "method": "POST", "mode": "block", "severity": 7.5, "slug": "podlove-web-player", "tags": ["object-injection", "deserialization", "rest-api", "missing-authorization"], "target": "plugin", "versions": "<=5.9.1"}, "RULE-CVE-2026-2440-01": {"ajax_action": "SurveyJS_SaveResult", "conditions": [{"name": "ARGS:Json", "type": "regex", "value": "~&(amp;)?#(?:x0*(?:3[cC]|3[eE]|2[27fF]|3[bB]|2[28fF]|2[29fF])|0*(?:60|62|34|39|59|40|41));~i"}], "cve": "CVE-2026-2440", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2440", "description": "SurveyJS <=2.5.3 stored XSS via HTML-entity-encoded payloads in Json survey result submissions", "method": "POST", "mode": "block", "severity": 7.2, "slug": "surveyjs", "tags": ["xss", "stored-xss", "unauthenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.5.3"}, "RULE-CVE-2026-24523-01": {"ajax_action": "WP_FullCalendar", "conditions": [{"name": "ARGS:type", "type": "equals", "value": "attachment"}, {"type": "missing_capability", "value": "upload_files"}], "cve": "CVE-2026-24523", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24523", "description": "WP FullCalendar <=1.6 unauthenticated attachment enumeration via WP_FullCalendar AJAX action with type=attachment", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-fullcalendar", "tags": ["sensitive-data-exposure", "information-disclosure", "ajax", "unauthenticated"], "target": "plugin", "versions": "<=1.6"}, "RULE-CVE-2026-24524-01": {"ajax_action": "store_tablesome_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24524", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24524", "description": "Tablesome <1.2.4 missing authorization on store_tablesome_data AJAX handler allows low-privilege users to modify table data", "method": "POST", "mode": "block", "severity": 8.1, "slug": "tablesome", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<1.2.4"}, "RULE-CVE-2026-24524-02": {"ajax_action": "get_tables_data", "conditions": [{"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24524", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24524", "description": "Tablesome <1.2.4 missing authorization on get_tables_data AJAX handler allows low-privilege users to read all table data", "method": "GET", "mode": "block", "severity": 8.1, "slug": "tablesome", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<1.2.4"}, "RULE-CVE-2026-24524-03": {"ajax_action": "get_table_columns", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-24524", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24524", "description": "Tablesome <1.2.4 missing authorization on get_table_columns AJAX handler allows low-privilege users to read table column metadata", "method": "GET", "mode": "block", "severity": 8.1, "slug": "tablesome", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<1.2.4"}, "RULE-CVE-2026-24525-01": {"action": "admin_init", "conditions": [{"name": "ARGS:clp-varnish-cache", "type": "equals", "value": "purge-entire-cache"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24525", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24525", "description": "CLP Varnish Cache <=1.0.2 unauthenticated cache purge via missing authorization on clp-varnish-cache GET parameter", "mode": "block", "severity": 5.3, "slug": "clp-varnish-cache", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.0.2"}, "RULE-CVE-2026-24526-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-json/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~a3blocks/product-inquiry-button[^}]*\\"(?:textAlign|width)\\"\\\\s*:\\\\s*\\"[^\\"]*(?:<|%3C|>|%3E)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24526", "cve_link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24526", "description": "Stored XSS via unescaped Gutenberg block attributes (textAlign/width) in product-inquiry-button block render callback", "method": "POST", "mode": "block", "severity": 6.5, "slug": "woocommerce-email-inquiry-cart-options", "tags": ["xss", "stored-xss", "gutenberg-block", "woocommerce"], "target": "plugin", "versions": "<=3.4.3"}, "RULE-CVE-2026-24526-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "regex", "value": "~^(?:editpost|edit_post)$~i"}, {"name": "ARGS:post_content", "type": "regex", "value": "~<!--\\\\s*wp:a3blocks/product-inquiry-button\\\\b[^>]*\\\\{[^}]*\\"(?:textAlign|width)\\"\\\\s*:\\\\s*\\"[^\\"]*(?:<|%3C|>|%3E)[^\\"]*\\"[^}]*\\\\}[^>]*-->~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24526", "cve_link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24526", "description": "Stored XSS via unescaped Gutenberg block attributes (textAlign/width) in product-inquiry-button block render callback", "method": "POST", "mode": "block", "severity": 6.5, "slug": "woocommerce-email-inquiry-cart-options", "tags": ["xss", "stored-xss", "gutenberg-block", "woocommerce"], "target": "plugin", "versions": "<=3.4.3"}, "RULE-CVE-2026-24529-01": {"ajax_action": "cancel", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on cancel AJAX action allows authenticated users to cancel bookings", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24529-02": {"ajax_action": "confirm_email", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on confirm_email AJAX action allows authenticated users to confirm bookings", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24529-03": {"ajax_action": "pending_email", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on pending_email AJAX action allows authenticated users to set bookings to pending", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24529-04": {"ajax_action": "reject_email", "conditions": [{"name": "ARGS:post_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-24529", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24529", "description": "Quick Restaurant Reservations <=1.6.7 missing authorization on reject_email AJAX action allows authenticated users to reject bookings", "method": "POST", "mode": "block", "severity": 5.3, "slug": "quick-restaurant-reservations", "tags": ["missing-authorization", "broken-access-control", "idor"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-24532-01": {"ajax_action": "sitelock_scan", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24532", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24532", "description": "SiteLock Security <=5.0.2 missing authorization on sitelock_scan AJAX handler allows subscribers to trigger scans", "method": "POST", "mode": "block", "severity": 4.3, "slug": "sitelock", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2026-24532-02": {"ajax_action": "sitelock_dismiss_notice", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24532", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24532", "description": "SiteLock Security <=5.0.2 missing authorization on sitelock_dismiss_notice AJAX handler allows subscribers to dismiss admin notices", "method": "POST", "mode": "block", "severity": 4.3, "slug": "sitelock", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=5.0.2"}, "RULE-CVE-2026-24565-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]page=bab_Dashboard~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24565", "mode": "block", "severity": 6.5, "slug": "b-accordion", "target": "plugin", "versions": "<=2.0.2"}, "RULE-CVE-2026-24572-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/nelio-content/v1/posts(/|\\\\?|$)~"}, {"name": "ARGS:searchTerm", "type": "regex", "value": "~(?:\'[ \\\\t]*(?:OR|AND)[ \\\\t]+[0-9]|UNION[ \\\\t]+(?:ALL[ \\\\t]+)?SELECT|\'[ \\\\t]*(?:--|#)|SLEEP[ \\\\t]*\\\\(|BENCHMARK[ \\\\t]*\\\\()~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-24572", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24572", "description": "Nelio Content <=4.2.0 authenticated (Contributor+) SQL injection via searchTerm in REST posts endpoint", "method": "GET", "mode": "block", "severity": 8.8, "slug": "nelio-content", "tags": ["sql-injection", "rest-api", "authenticated"], "target": "plugin", "versions": "<=4.2.0"}, "RULE-CVE-2026-24616-01": {"ajax_action": "wppopups_settings_provider_add", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24616", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24616", "description": "WP Popups <=2.2.0.5 missing authorization on wppopups_settings_provider_add AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-popups-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.2.0.5"}, "RULE-CVE-2026-24616-02": {"ajax_action": "wppopups_settings_provider_disconnect", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24616", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24616", "description": "WP Popups <=2.2.0.5 missing authorization on wppopups_settings_provider_disconnect AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wp-popups-lite", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.2.0.5"}, "RULE-CVE-2026-24623-01": {"action": "init", "conditions": [{"name": "ARGS:forum", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-24623", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24623", "description": "NeoForum <=1.0 unauthenticated reflected XSS via forum parameter in shortcode rendering", "mode": "block", "severity": 6.5, "slug": "neoforum", "tags": ["xss", "reflected", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24623-02": {"action": "init", "conditions": [{"name": "ARGS:topic", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-24623", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24623", "description": "NeoForum <=1.0 unauthenticated reflected XSS via topic parameter in shortcode rendering", "mode": "block", "severity": 6.5, "slug": "neoforum", "tags": ["xss", "reflected", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24623-03": {"ajax_action": "neoforum_get_new_topic_form", "conditions": [{"name": "ARGS:forumid", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-24623", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24623", "description": "NeoForum <=1.0 authenticated reflected XSS via forumid parameter in neoforum_get_new_topic_form AJAX handler", "mode": "block", "severity": 6.5, "slug": "neoforum", "tags": ["xss", "reflected", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-01": {"ajax_action": "neoforum_close_forum", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in close_forum AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-02": {"ajax_action": "neoforum_restrict_forum", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in restrict_forum AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-03": {"ajax_action": "neoforum_delete_forum", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in delete_forum AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-04": {"ajax_action": "neoforum_edit_forum_title", "conditions": [{"name": "ARGS:data", "type": "regex", "value": "~(?:SLEEP\\\\s*[(]|BENCHMARK\\\\s*[(]|UNION\\\\s+(?:ALL\\\\s+)?SELECT|(?:^|[^a-zA-Z0-9_])(?:OR|AND)\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+)~i"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via data in edit_forum_title AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-05": {"ajax_action": "neoforum_edit_forum_descr", "conditions": [{"name": "ARGS:data", "type": "regex", "value": "~(?:SLEEP\\\\s*[(]|BENCHMARK\\\\s*[(]|UNION\\\\s+(?:ALL\\\\s+)?SELECT|(?:^|[^a-zA-Z0-9_])(?:OR|AND)\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+)~i"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via data in edit_forum_descr AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-06": {"ajax_action": "neoforum_delete_moderators", "conditions": [{"name": "ARGS:type", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via type in delete_moderators AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-07": {"ajax_action": "neoforum_add_moderators", "conditions": [{"name": "ARGS:forumid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via forumid in add_moderators AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-08": {"ajax_action": "neoforum_topic_restore", "conditions": [{"name": "ARGS:topicid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via topicid in topic_restore AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-09": {"ajax_action": "neoforum_topic_eradicate", "conditions": [{"name": "ARGS:topicid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via topicid in topic_eradicate AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-10": {"ajax_action": "neoforum_post_restore", "conditions": [{"name": "ARGS:postid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via postid in post_restore AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-11": {"ajax_action": "neoforum_post_eradicate", "conditions": [{"name": "ARGS:postid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via postid in post_eradicate AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-12": {"ajax_action": "neoforum_report_leave_post", "conditions": [{"name": "ARGS:reportid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via reportid in report_leave_post AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-13": {"ajax_action": "neoforum_report_delete_post", "conditions": [{"name": "ARGS:reportid", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via reportid in report_delete_post AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-14": {"ajax_action": "neoforum_ban_user", "conditions": [{"name": "ARGS:ban", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via ban in ban_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-15": {"ajax_action": "neoforum_unban_user", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in unban_user AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-16": {"ajax_action": "neoforum_make_admin", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in make_admin AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-17": {"ajax_action": "neoforum_remove_admin", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in remove_admin AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-18": {"ajax_action": "neoforum_delete_topic", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated blind SQL injection via id in delete_topic AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-24624-19": {"ajax_action": "neoforum_theme_descr", "conditions": [{"name": "ARGS:theme", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\/\\\\\\\\]){2,}|[\\\\/\\\\\\\\]etc[\\\\/\\\\\\\\]|wp-config\\\\.php)~i"}], "cve": "CVE-2026-24624", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24624", "description": "Neoforum <=1.0 authenticated local file inclusion via theme in theme_descr AJAX handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "neoforum", "tags": ["local-file-inclusion", "path-traversal", "authenticated"], "target": "plugin", "versions": "<=1.0"}, "RULE-CVE-2026-2471-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OC]:\\\\d+:\\"[^\\"]*\\":\\\\d+:\\\\{~"}], "cve": "CVE-2026-2471", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2471", "description": "WP Mail Logging <=1.15.0 unauthenticated PHP Object Injection via serialized object payload in form fields logged by wp_mail hook", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-mail-logging", "tags": ["object-injection", "deserialization", "unauthenticated", "stored-payload"], "target": "plugin", "versions": "<=1.15.0"}, "RULE-CVE-2026-2479-01": {"ajax_action": "rl_upload_image", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2479", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2479", "description": "Responsive Lightbox & Gallery <=2.7.1 SSRF via strpos()-based hostname bypass in rl_upload_image AJAX handler", "method": "POST", "mode": "block", "severity": 5.0, "slug": "responsive-lightbox", "tags": ["ssrf", "hostname-bypass", "authenticated"], "target": "plugin", "versions": "<=2.7.1"}, "RULE-CVE-2026-2486-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~ma_el_bh_table_btn_text[\\\\\\"\']\\\\s*:\\\\s*[\\\\\\"\'][^\\\\\\"\']*(?:<[^>]+\\\\bon\\\\w+\\\\s*=|javascript\\\\s*:|<iframe\\\\b|<embed\\\\b|<object\\\\b)~i"}], "cve": "CVE-2026-2486", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2486", "description": "Master Addons for Elementor <=2.1.1 Stored XSS via ma_el_bh_table_btn_text in Elementor AJAX save (event handler vector)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "master-addons", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.1.1"}, "RULE-CVE-2026-2486-02": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS:actions", "type": "regex", "value": "~ma_el_bh_table_btn_text[\\\\\\"\']\\\\s*:\\\\s*[\\\\\\"\'][^\\\\\\"\']*<script\\\\b~i"}], "cve": "CVE-2026-2486", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2486", "description": "Master Addons for Elementor <=2.1.1 Stored XSS via ma_el_bh_table_btn_text in Elementor AJAX save (script tag vector)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "master-addons", "tags": ["xss", "stored-xss", "elementor-widget"], "target": "plugin", "versions": "<=2.1.1"}, "RULE-CVE-2026-2489-01": {"ajax_action": "tp2wp_importer_attachments", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<(?:script|img|svg|iframe|object|embed|video|audio|math|details|body|form|input|link|style|base|meta|a)[^a-zA-Z0-9](?:[^>]*(?:on[a-zA-Z]+=|(?:href|src|action|formaction|data) *= *[\\"\']? *(?:javascript|data|vbscript) *:))?~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2489", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2489", "description": "TP2WP Importer <=1.1 Authenticated (Administrator+) Stored XSS via Watched Domains AJAX handler", "method": "POST", "mode": "block", "severity": 4.4, "slug": "tp2wp-importer", "tags": ["xss", "stored-xss", "authenticated"], "target": "plugin", "versions": "<=1.1"}, "RULE-CVE-2026-2495-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/WPNakama/v1/boards(?:[/?&]|$)~i"}, {"name": "ARGS:order", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|IF\\\\s*\\\\(.*,|CASE\\\\s+WHEN|/\\\\*[^*]*\\\\*/|(?:--|#)\\\\s|\\\\(\\\\s*SELECT\\\\s)~i"}], "cve": "CVE-2026-2495", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2495", "description": "WPNakama <=0.6.5 unauthenticated SQL injection via order parameter on /WPNakama/v1/boards REST endpoint", "mode": "block", "severity": 7.5, "slug": "wpnakama", "tags": ["sql-injection", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=0.6.5"}, "RULE-CVE-2026-24950-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/authorsy/v1/authors(?:/|$|\\\\?)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24950", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24950", "description": "Authorsy <=1.0.6 unauthenticated access to REST API author endpoints leaking sensitive user data (IDOR)", "method": "GET", "mode": "block", "severity": 7.5, "slug": "authorsy", "tags": ["missing-authorization", "idor", "information-disclosure", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.0.6"}, "RULE-CVE-2026-24952-01": {"ajax_action": "update_episode_embed_code", "conditions": [{"name": "ARGS:width", "type": "regex", "value": "~(?:<script[\\\\s/>]|<svg[\\\\s/>]|<iframe[\\\\s/>]|<img\\\\b[^>]*\\\\bon[a-z]+\\\\s*=|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-24952", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24952", "description": "Seriously Simple Podcasting <=3.14.1 authenticated XSS via width parameter in update_episode_embed_code AJAX handler", "method": "POST", "mode": "block", "severity": 6.5, "slug": "seriously-simple-podcasting", "tags": ["xss", "authenticated", "ajax"], "target": "plugin", "versions": "<=3.14.1"}, "RULE-CVE-2026-24954-01": {"ajax_action": "mpwem_save_faq", "conditions": [{"name": "ARGS:/^mep_faq/", "type": "regex", "value": "~[OC]:[0-9]+:\\"~"}], "cve": "CVE-2026-24954", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24954", "description": "WpEvently <=5.0.8 PHP Object Injection via mpwem_save_faq AJAX handler (question/answer fields)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.0.8"}, "RULE-CVE-2026-24954-02": {"ajax_action": "mpwem_save_timeline", "conditions": [{"name": "ARGS:/^mep_timeline_details/", "type": "regex", "value": "~[OC]:[0-9]+:\\"~"}], "cve": "CVE-2026-24954", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24954", "description": "WpEvently <=5.0.8 PHP Object Injection via mpwem_save_timeline AJAX handler (title/desc fields)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.0.8"}, "RULE-CVE-2026-24954-03": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:mep_speaker_list", "type": "regex", "value": "~[OC]:[0-9]+:\\"~"}], "cve": "CVE-2026-24954", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24954", "description": "WpEvently <=5.0.8 PHP Object Injection via save_post meta fields (mep_speaker_list)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=5.0.8"}, "RULE-CVE-2026-24954-04": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:mep_event_cc_email_text", "type": "regex", "value": "~[OC]:[0-9]+:\\"~"}], "cve": "CVE-2026-24954", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24954", "description": "WpEvently <=5.0.8 PHP Object Injection via save_post meta fields (mep_event_cc_email_text)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=5.0.8"}, "RULE-CVE-2026-24954-05": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:/^mep_ev_more_date/", "type": "regex", "value": "~[OC]:[0-9]+:\\"~"}], "cve": "CVE-2026-24954", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24954", "description": "WpEvently <=5.0.8 PHP Object Injection via save_post meta fields (mep_ev_more_date)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "mage-eventpress", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=5.0.8"}, "RULE-CVE-2026-24956-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wpdm-elementor/v1/search-packages(/|\\\\?|&|$)~"}, {"name": "ARGS:term", "type": "regex", "value": "~(?:union(?:/[*][^*]*[*]/|[+[:space:]])+(?:all(?:/[*][^*]*[*]/|[+[:space:]])+)?select|select(?:/[*][^*]*[*]/|[+[:space:]])+.*from|(?:sleep|benchmark)[[:space:]]*[(]|waitfor(?:/[*][^*]*[*]/|[+[:space:]])+delay|load_file[[:space:]]*[(]|into(?:/[*][^*]*[*]/|[+[:space:]])+(?:outfile|dumpfile)|[\\"\'`]?[[:space:]]*(?:or|and)(?:/[*][^*]*[*]/|[+[:space:]])+[0-9]+[[:space:]]*=[[:space:]]*[0-9]+|[\\"\'`]?[[:space:]]*(?:or|and)(?:/[*][^*]*[*]/|[+[:space:]])+[\\"\'`][^\\"\'`]+[\\"\'`][[:space:]]*=[[:space:]]*[\\"\'`][^\\"\'`]+[\\"\'`]|[\\"\'`][[:space:]]*(?:or|and)(?:/[*][^*]*[*]/|[+[:space:]])+[\\"\'`][^\\"\'`]*[\\"\'`][[:space:]]*=[[:space:]]*[\\"\'`])~i"}], "cve": "CVE-2026-24956", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24956", "description": "Download Manager Addons for Elementor <=1.3.0 blind SQL injection via term parameter in search-packages REST endpoint", "method": "GET", "mode": "block", "severity": 9.3, "slug": "wpdm-elementor", "tags": ["sql-injection", "blind-sqli", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.3.0"}, "RULE-CVE-2026-24957-01": {"ajax_action": "wpmtst_add_field", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:nextKey", "type": "exists"}], "cve": "CVE-2026-24957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24957", "description": "Strong Testimonials <=3.2.20 broken access control on wpmtst_add_field via nextKey parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "strong-testimonials", "tags": ["broken-access-control", "missing-authorization", "ajax"], "target": "plugin", "versions": "<=3.2.20"}, "RULE-CVE-2026-24957-02": {"ajax_action": "wpmtst_add_field_2", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:nextKey", "type": "exists"}], "cve": "CVE-2026-24957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24957", "description": "Strong Testimonials <=3.2.20 broken access control on wpmtst_add_field_2 via nextKey parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "strong-testimonials", "tags": ["broken-access-control", "missing-authorization", "ajax"], "target": "plugin", "versions": "<=3.2.20"}, "RULE-CVE-2026-24957-03": {"ajax_action": "wpmtst_add_field_3", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:nextKey", "type": "exists"}], "cve": "CVE-2026-24957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24957", "description": "Strong Testimonials <=3.2.20 broken access control on wpmtst_add_field_3 via nextKey parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "strong-testimonials", "tags": ["broken-access-control", "missing-authorization", "ajax"], "target": "plugin", "versions": "<=3.2.20"}, "RULE-CVE-2026-24957-04": {"ajax_action": "wpmtst_add_field_4", "conditions": [{"type": "missing_capability", "value": "manage_options"}, {"name": "ARGS:nextKey", "type": "exists"}], "cve": "CVE-2026-24957", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24957", "description": "Strong Testimonials <=3.2.20 broken access control on wpmtst_add_field_4 via nextKey parameter", "method": "POST", "mode": "block", "severity": 6.5, "slug": "strong-testimonials", "tags": ["broken-access-control", "missing-authorization", "ajax"], "target": "plugin", "versions": "<=3.2.20"}, "RULE-CVE-2026-24959-01": {"ajax_action": "jsticket_ajax", "conditions": [{"name": "ARGS:id", "type": "regex", "value": "~[0-9]+[ ]+(?:AND|OR|UNION)[ (]+~i"}], "cve": "CVE-2026-24959", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24959", "description": "JS Help Desk <=3.0.1 authenticated blind SQL injection via id parameter in jsticket_ajax AJAX handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "js-support-ticket", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2026-24959-02": {"ajax_action": "jsticket_ajax", "conditions": [{"name": "ARGS:status", "type": "regex", "value": "~[0-9]+[ ]+(?:AND|OR|UNION)[ (]+~i"}], "cve": "CVE-2026-24959", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24959", "description": "JS Help Desk <=3.0.1 authenticated blind SQL injection via status parameter in jsticket_ajax AJAX handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "js-support-ticket", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=3.0.1"}, "RULE-CVE-2026-2498-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:wpsm_fb_admins", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<iframe[\\\\s>]|<svg[\\\\s>]~i"}], "cve": "CVE-2026-2498", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2498", "description": "WP Social Meta <=4.1.1 Stored XSS via wpsm_fb_admins settings field (options.php)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-social-meta", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.1.1"}, "RULE-CVE-2026-2498-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:wpsm_fb_app_id", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<iframe[\\\\s>]|<svg[\\\\s>]~i"}], "cve": "CVE-2026-2498", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2498", "description": "WP Social Meta <=4.1.1 Stored XSS via wpsm_fb_app_id settings field (options.php)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-social-meta", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.1.1"}, "RULE-CVE-2026-2498-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:wpsm_tw_site", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<iframe[\\\\s>]|<svg[\\\\s>]~i"}], "cve": "CVE-2026-2498", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2498", "description": "WP Social Meta <=4.1.1 Stored XSS via wpsm_tw_site settings field (options.php)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-social-meta", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.1.1"}, "RULE-CVE-2026-2498-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:wpsm_fb_type", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<iframe[\\\\s>]|<svg[\\\\s>]~i"}], "cve": "CVE-2026-2498", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2498", "description": "WP Social Meta <=4.1.1 Stored XSS via wpsm_fb_type settings field (options.php)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-social-meta", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.1.1"}, "RULE-CVE-2026-2498-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:wpsm_tw_card", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<iframe[\\\\s>]|<svg[\\\\s>]~i"}], "cve": "CVE-2026-2498", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2498", "description": "WP Social Meta <=4.1.1 Stored XSS via wpsm_tw_card settings field (options.php)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-social-meta", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.1.1"}, "RULE-CVE-2026-2498-06": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:wpsm_gp_type", "type": "regex", "value": "~<script[\\\\s>]|\\\\bon[a-z]+\\\\s*=|javascript\\\\s*:|<iframe[\\\\s>]|<svg[\\\\s>]~i"}], "cve": "CVE-2026-2498", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2498", "description": "WP Social Meta <=4.1.1 Stored XSS via wpsm_gp_type settings field (options.php)", "method": "POST", "mode": "block", "severity": 4.4, "slug": "wp-social-meta", "tags": ["xss", "stored-xss", "admin-settings"], "target": "plugin", "versions": "<=4.1.1"}, "RULE-CVE-2026-24982-02": {"action": "rest_api_init", "conditions": [{"name": "ARGS:rest_route", "type": "regex", "value": "~/wp/v2/spectra-popup(?:/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24982", "method": "GET", "mode": "block", "severity": 5.3, "slug": "ultimate-addons-for-gutenberg", "target": "plugin", "versions": "<=2.19.17"}, "RULE-CVE-2026-24984-01": {"ajax_action": "vlp_get_post_content", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-24984", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-24984", "description": "Visual Link Preview <=2.2.9 missing authorization on vlp_get_post_content allows unauthorized post content disclosure", "mode": "block", "severity": 6.5, "slug": "visual-link-preview", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=2.2.9"}, "RULE-CVE-2026-2499-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:wpcl_custom_logo_path", "type": "regex", "value": "~(<script|</style|javascript:|on(?:error|load|click|mouseover|focus)\\\\s*=)~i"}], "cve": "CVE-2026-2499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2499", "description": "Custom Logo <=2.2 Authenticated (Administrator+) Stored XSS via wpcl_custom_logo_path setting", "method": "POST", "mode": "block", "severity": 4.4, "slug": "custom-logo", "tags": ["xss", "stored-xss", "settings-api"], "target": "plugin", "versions": "<=2.2"}, "RULE-CVE-2026-24990-01": {"ajax_action": "wpdocs_create_folder", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24990", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2026-24990-02": {"ajax_action": "wpdocs_delete_folder", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-24990", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-docs", "target": "plugin", "versions": "<=2.2.8"}, "RULE-CVE-2026-25001-01": {"action": "init", "conditions": [{"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[post_snippets[^\\\\]]*(?:(?:eval|assert|system|exec|include|require)\\\\s*\\\\(|passthru\\\\s*\\\\(|shell_exec\\\\s*\\\\(|popen\\\\s*\\\\(|proc_open\\\\s*\\\\(|pcntl_exec\\\\s*\\\\(|base64_decode\\\\s*\\\\(|file_(?:get_contents|put_contents)\\\\s*\\\\(|unserialize\\\\s*\\\\()~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-25001", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25001", "description": "Post Snippets <=4.0.12 authenticated (Contributor+) Remote Code Execution via shortcode PHP eval of attacker-controlled attributes", "mode": "block", "severity": 8.5, "slug": "post-snippets", "tags": ["remote-code-execution", "code-injection", "shortcode", "authenticated"], "target": "plugin", "versions": "<=4.0.12"}, "RULE-CVE-2026-2502-01": {"action": "init", "conditions": [{"name": "REQUEST_HEADERS:X-Forwarded-For", "type": "detectXSS"}], "cve": "CVE-2026-2502", "mode": "block", "severity": 6.1, "slug": "xmlrpc-attacks-blocker", "target": "plugin", "versions": "<1.1"}, "RULE-CVE-2026-25022-01": {"ajax_action": "ajax_post", "conditions": [{"name": "ARGS:route_name", "type": "equals", "value": "static_data"}, {"name": "ARGS", "type": "regex", "value": "~(?:UNION[ ]+(?:ALL[ ]+)?SELECT|SELECT[ ]+.{0,200}FROM[ ]+|(?:AND|OR)[ ]+[0-9]+[ ]*=[ ]*[0-9]+|SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|EXP[ ]*[(][ ]*\\\\~[ ]*|(?:AND|OR)[ ]+(?:IF|CASE)[ ]*[(])~i"}], "cve": "CVE-2026-25022", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25022", "description": "KiviCare Clinic Management System <=3.6.16 SQL injection via ajax_post dispatcher (static_data route)", "method": "POST", "mode": "block", "severity": 8.5, "slug": "kivicare-clinic-management-system", "tags": ["sql-injection", "ajax"], "target": "plugin", "versions": "<=3.6.16"}, "RULE-CVE-2026-25022-02": {"ajax_action": "ajax_get", "conditions": [{"name": "ARGS:route_name", "type": "equals", "value": "static_data"}, {"name": "ARGS", "type": "regex", "value": "~(?:UNION[ ]+(?:ALL[ ]+)?SELECT|SELECT[ ]+.{0,200}FROM[ ]+|(?:AND|OR)[ ]+[0-9]+[ ]*=[ ]*[0-9]+|SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|EXP[ ]*[(][ ]*\\\\~[ ]*|(?:AND|OR)[ ]+(?:IF|CASE)[ ]*[(])~i"}], "cve": "CVE-2026-25022", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25022", "description": "KiviCare Clinic Management System <=3.6.16 SQL injection via ajax_get dispatcher (static_data route)", "method": "GET", "mode": "block", "severity": 8.5, "slug": "kivicare-clinic-management-system", "tags": ["sql-injection", "ajax"], "target": "plugin", "versions": "<=3.6.16"}, "RULE-CVE-2026-25025-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/admin-ajax\\\\.php)~"}, {"name": "ARGS:action", "type": "equals", "value": "vikrestaurants"}, {"name": "ARGS", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<iframe[\\\\s/>]|<svg[\\\\s/]on)~i"}], "cve": "CVE-2026-25025", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25025", "description": "VikRestaurants <=1.5.2 unauthenticated reflected XSS via vikrestaurants AJAX handler", "mode": "block", "severity": 7.1, "slug": "vikrestaurants", "tags": ["xss", "reflected", "unauthenticated"], "target": "plugin", "versions": "<=1.5.2"}, "RULE-CVE-2026-25026-01": {"ajax_action": "tlp_team_smart_popup", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-25026", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25026", "description": "Team Plugin <=5.0.11 missing authorization on tlp_team_smart_popup allows unauthenticated/subscriber access to team member popup data", "mode": "block", "severity": 7.5, "slug": "tlp-team", "tags": ["missing-authorization", "broken-access-control", "unauthenticated", "information-disclosure"], "target": "plugin", "versions": "<=5.0.11"}, "RULE-CVE-2026-25026-02": {"ajax_action": "tlp_md_popup_single", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-25026", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25026", "description": "Team Plugin <=5.0.11 missing authorization on tlp_md_popup_single allows unauthenticated/subscriber access to team member modal data", "mode": "block", "severity": 7.5, "slug": "tlp-team", "tags": ["missing-authorization", "broken-access-control", "unauthenticated", "information-disclosure"], "target": "plugin", "versions": "<=5.0.11"}, "RULE-CVE-2026-2504-01": {"ajax_action": "dealia_ajax_reset", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2504", "description": "Dealia - Request a Quote <=1.0.7 missing authorization on dealia_ajax_reset AJAX handler allowing Contributor+ plugin configuration reset", "method": "POST", "mode": "block", "severity": 4.3, "slug": "dealia-request-a-quote", "tags": ["missing-authorization", "broken-access-control", "settings-reset"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-2504-02": {"ajax_action": "dealia_ajax_login", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2504", "description": "Dealia - Request a Quote <=1.0.7 missing authorization on dealia_ajax_login AJAX handler allowing Contributor+ API credential hijack", "method": "POST", "mode": "block", "severity": 4.3, "slug": "dealia-request-a-quote", "tags": ["missing-authorization", "broken-access-control", "credential-hijack"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-2504-03": {"ajax_action": "dealia_ajax_manage_account", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2504", "description": "Dealia - Request a Quote <=1.0.7 missing authorization on dealia_ajax_manage_account AJAX handler allowing Contributor+ external account creation", "method": "POST", "mode": "block", "severity": 4.3, "slug": "dealia-request-a-quote", "tags": ["missing-authorization", "broken-access-control", "account-creation"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-2504-04": {"ajax_action": "dealia_save_additional_settings", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2504", "description": "Dealia - Request a Quote <=1.0.7 missing authorization on dealia_save_additional_settings AJAX handler allowing Contributor+ settings modification", "method": "POST", "mode": "block", "severity": 4.3, "slug": "dealia-request-a-quote", "tags": ["missing-authorization", "broken-access-control", "settings-modification"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-2504-05": {"ajax_action": "dealia_ajax_refresh", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2504", "description": "Dealia - Request a Quote <=1.0.7 missing authorization on dealia_ajax_refresh AJAX handler allowing Contributor+ token refresh", "method": "POST", "mode": "block", "severity": 4.3, "slug": "dealia-request-a-quote", "tags": ["missing-authorization", "broken-access-control", "token-refresh"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-2504-06": {"ajax_action": "dealia_get_forms", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2504", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2504", "description": "Dealia - Request a Quote <=1.0.7 missing authorization on dealia_get_forms AJAX handler allowing Contributor+ information disclosure", "method": "POST", "mode": "block", "severity": 4.3, "slug": "dealia-request-a-quote", "tags": ["missing-authorization", "broken-access-control", "information-disclosure"], "target": "plugin", "versions": "<=1.0.7"}, "RULE-CVE-2026-2506-01": {"action": "init", "conditions": [{"name": "ARGS:customer_name", "type": "exists"}, {"name": "ARGS:customer_name", "type": "regex", "value": "~<[a-zA-Z/!][^>]*>~i"}], "cve": "CVE-2026-2506", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2506", "description": "EM Cost Calculator <=2.3.1 unauthenticated stored XSS via customer_name in front-end order form", "method": "POST", "mode": "block", "severity": 6.1, "slug": "cost-calculator", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2026-2506-02": {"action": "admin_init", "conditions": [{"name": "ARGS:cpage", "type": "exists"}, {"name": "ARGS:cpage", "type": "regex", "value": "~<[a-zA-Z/!][^>]*>~i"}], "cve": "CVE-2026-2506", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2506", "description": "EM Cost Calculator <=2.3.1 reflected XSS via cpage parameter on admin Customers page", "method": "GET", "mode": "block", "severity": 6.1, "slug": "cost-calculator", "tags": ["xss", "reflected-xss"], "target": "plugin", "versions": "<=2.3.1"}, "RULE-CVE-2026-2509-01": {"ajax_action": "pagelayer_save_content", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?<![a-zA-Z])on(?:pointer(?:over|enter|leave|down|up|move|out|cancel|rawupdate)|animation(?:end|start|iteration|cancel)|transition(?:end|run|start|cancel)|focus(?:in|out)|auxclick|toggle|beforeinput|formdata|reset|select(?:start)?|gotpointercapture|lostpointercapture|webkitanimation(?:end|start|iteration)|webkittransitionend|touch(?:start|end|move|cancel)|wheel|contextmenu|drag(?:start|end|over|enter|leave)|drop|before(?:copy|cut|paste|toggle)|scrollend|securitypolicyviolation)\\\\s*=~i"}], "cve": "CVE-2026-2509", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2509", "description": "Pagelayer <=2.0.8 contributor+ stored XSS via incomplete event handler blocklist in Button widget custom_attributes (pagelayer_save_content)", "mode": "block", "severity": 6.4, "slug": "pagelayer", "tags": ["xss", "stored", "authenticated", "incomplete-sanitization"], "target": "plugin", "versions": "<=2.0.8"}, "RULE-CVE-2026-2509-02": {"ajax_action": "pagelayer_save_templ_content", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?<![a-zA-Z])on(?:pointer(?:over|enter|leave|down|up|move|out|cancel|rawupdate)|animation(?:end|start|iteration|cancel)|transition(?:end|run|start|cancel)|focus(?:in|out)|auxclick|toggle|beforeinput|formdata|reset|select(?:start)?|gotpointercapture|lostpointercapture|webkitanimation(?:end|start|iteration)|webkittransitionend|touch(?:start|end|move|cancel)|wheel|contextmenu|drag(?:start|end|over|enter|leave)|drop|before(?:copy|cut|paste|toggle)|scrollend|securitypolicyviolation)\\\\s*=~i"}], "cve": "CVE-2026-2509", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2509", "description": "Pagelayer <=2.0.8 contributor+ stored XSS via incomplete event handler blocklist in Button widget custom_attributes (pagelayer_save_templ_content)", "mode": "block", "severity": 6.4, "slug": "pagelayer", "tags": ["xss", "stored", "authenticated", "incomplete-sanitization"], "target": "plugin", "versions": "<=2.0.8"}, "RULE-CVE-2026-2511-01": {"ajax_action": "jsticket_ajax", "conditions": [{"name": "ARGS:multiformid", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/[*].*[*]/|(?:--|#)\\\\s|\\\\bOR\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+|\\\\bAND\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2026-2511", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2511", "description": "JS Support Ticket <=3.0.4 unauthenticated SQL injection via multiformid parameter in jsticket_ajax AJAX handler", "mode": "block", "severity": 7.5, "slug": "js-support-ticket", "tags": ["sql-injection", "unauthenticated", "cwe-89"], "target": "plugin", "versions": "<=3.0.4"}, "RULE-CVE-2026-2511-02": {"action": "init", "conditions": [{"name": "ARGS:multiformid", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/[*].*[*]/|(?:--|#)\\\\s|\\\\bOR\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+|\\\\bAND\\\\s+[0-9]+\\\\s*=\\\\s*[0-9]+|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2026-2511", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2511", "description": "JS Support Ticket <=3.0.4 unauthenticated SQL injection via multiformid parameter in frontend form submission", "mode": "block", "severity": 7.5, "slug": "js-support-ticket", "tags": ["sql-injection", "unauthenticated", "cwe-89"], "target": "plugin", "versions": "<=3.0.4"}, "RULE-CVE-2026-25309-01": {"ajax_action": "ppma_block_fetch_author_boxes", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-25309", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25309", "description": "PublishPress Authors <=4.10.1 unauthenticated access to author box editor preview via ppma_block_fetch_author_boxes", "mode": "block", "severity": 7.5, "slug": "publishpress-authors", "tags": ["missing-authorization", "broken-access-control", "information-disclosure", "unauthenticated"], "target": "plugin", "versions": "<=4.10.1"}, "RULE-CVE-2026-25345-01": {"ajax_action": "pgc_sgb_action_wizard", "conditions": [{"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-25345", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25345", "description": "Simply Gallery Block <=3.3.2 unauthorized access to pgc_sgb_action_wizard AJAX handler", "mode": "block", "severity": 9.9, "slug": "simply-gallery-block", "tags": ["arbitrary-code-execution", "missing-authorization", "rce"], "target": "plugin", "versions": "<=3.3.2"}, "RULE-CVE-2026-25346-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php~"}, {"name": "ARGS:page", "type": "equals", "value": "faq-builder-ays"}, {"name": "ARGS:faq", "type": "regex", "value": "~(?:<script[\\\\s/>]|<svg[\\\\s/]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-25346", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25346", "description": "FAQ Builder AYS <=1.8.3 reflected XSS via faq parameter in admin page", "mode": "block", "severity": 7.1, "slug": "faq-builder-ays", "tags": ["xss", "reflected", "authenticated"], "target": "plugin", "versions": "<=1.8.3"}, "RULE-CVE-2026-25361-01": {"ajax_action": "mep_event_list_date_schedule", "conditions": [{"name": "ARGS:event_id", "type": "regex", "value": "~(?:<script[^a-zA-Z]|on(?:error|load|mouseover|click|focus|blur)[ \\\\t]*=|javascript[ \\\\t]*:|<(?:img|svg|iframe|object|embed|video|audio|details|math)[^a-zA-Z])~i"}], "cve": "CVE-2026-25361", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25361", "description": "WPEvently <=5.1.4 unauthenticated reflected XSS via event_id in mep_event_list_date_schedule AJAX handler", "mode": "block", "severity": 7.1, "slug": "mage-eventpress", "tags": ["xss", "reflected", "unauthenticated"], "target": "plugin", "versions": "<=5.1.4"}, "RULE-CVE-2026-25369-02": {"action": "init", "conditions": [{"name": "ARGS:search_referral_url", "type": "regex", "value": "~(?:on(?:load|error|mouseover|click|focus)\\\\s*=|<script[\\\\s/>]|javascript\\\\s*:)~i"}], "cve": "CVE-2026-25369", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25369", "description": "Flexmls IDX <=3.15.9 reflected XSS via unsanitized search_referral_url on listing details pages", "method": "GET", "mode": "block", "severity": 7.1, "slug": "flexmls-idx", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=3.15.9"}, "RULE-CVE-2026-25383-01": {"action": "init", "conditions": [{"name": "ARGS:page_url", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<(?:img|svg|iframe|object|embed|video|audio|body|details|math|marquee|isindex|form|input|button|select|textarea|keygen|frameset)\\\\b[^>]*\\\\bon[a-z]+=)~i"}], "cve": "CVE-2026-25383", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25383", "description": "KiviCare Clinic Management System <=3.6.16 unauthenticated reflected XSS via page_url parameter in popupBookAppointment template", "mode": "block", "severity": 7.1, "slug": "kivicare-clinic-management-system", "tags": ["xss", "reflected", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=3.6.16"}, "RULE-CVE-2026-25396-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "ccwc_hide_notice"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-25396", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25396", "description": "Commerce Coinbase for WooCommerce <=1.6.7 missing authorization on ccwc_hide_notice admin-post action allows subscriber+ option update", "method": "POST", "mode": "block", "severity": 7.5, "slug": "commerce-coinbase-for-woocommerce", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.6.7"}, "RULE-CVE-2026-25418-01": {"ajax_action": "bitforms_get_form_entries", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via id parameter in bitforms_get_form_entries AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-02": {"ajax_action": "bitforms_get_form_entries", "conditions": [{"name": "ARGS:offset", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via offset parameter in bitforms_get_form_entries AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-03": {"ajax_action": "bitforms_get_entries_for_report", "conditions": [{"name": "ARGS:orderBy", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via orderBy parameter in bitforms_get_entries_for_report AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-04": {"ajax_action": "bitforms_get_entries_for_report", "conditions": [{"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via order parameter in bitforms_get_entries_for_report AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-05": {"ajax_action": "bitforms_get_entries_for_report", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via id parameter in bitforms_get_entries_for_report AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-06": {"ajax_action": "bitforms_filter_export_data", "conditions": [{"name": "ARGS:orderBy", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via orderBy parameter in bitforms_filter_export_data AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-07": {"ajax_action": "bitforms_filter_export_data", "conditions": [{"name": "ARGS:order", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via order parameter in bitforms_filter_export_data AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-08": {"ajax_action": "bitforms_filter_export_data", "conditions": [{"name": "ARGS:fields", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via fields parameter in bitforms_filter_export_data AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-09": {"ajax_action": "bitforms_form_log_history", "conditions": [{"name": "ARGS:id", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via id parameter in bitforms_form_log_history AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-10": {"ajax_action": "bitforms_form_log_history", "conditions": [{"name": "ARGS:offset", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via offset parameter in bitforms_form_log_history AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25418-11": {"ajax_action": "bitforms_entry_status_update", "conditions": [{"name": "ARGS:entryID", "type": "detectSQLi"}], "cve": "CVE-2026-25418", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25418", "description": "Bit Form <=2.21.10 SQL injection via entryID parameter in bitforms_entry_status_update AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "bit-form", "tags": ["sql-injection", "authenticated", "admin-ajax"], "target": "plugin", "versions": "<=2.21.10"}, "RULE-CVE-2026-25429-01": {"ajax_action": "nexa_load_more_posts", "conditions": [{"name": "ARGS:attributes", "type": "regex", "value": "~(?:[OC]:[0-9]+:[\\"\\\\{]|(?:Tzo|Qzo)[0-9A-Za-z+/]*[=]{0,2})~"}], "cve": "CVE-2026-25429", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25429", "description": "Nexa Blocks <=1.1.1 unauthenticated PHP object injection via base64-encoded attributes parameter in nexa_load_more_posts AJAX handler", "mode": "block", "severity": 9.8, "slug": "nexa-blocks", "tags": ["object-injection", "deserialization", "unauthenticated", "php-object-injection"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2026-25438-01": {"ajax_action": "unlimited_section_post_category_layout_block", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}[ ]*=|javascript[ ]*:|\\\\\\\\u003[cC]|%3[cC])~i"}], "cve": "CVE-2026-25438", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25438", "description": "Unlimited Blocks <=1.2.8 reflected XSS via attr parameter in post_category_layout_block AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "unlimited-blocks", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2026-25438-02": {"ajax_action": "unlimited_section_post_category_layout_choose_category", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}[ ]*=|javascript[ ]*:|\\\\\\\\u003[cC]|%3[cC])~i"}], "cve": "CVE-2026-25438", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25438", "description": "Unlimited Blocks <=1.2.8 reflected XSS via attr parameter in post_category_layout_choose_category AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "unlimited-blocks", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2026-25438-03": {"ajax_action": "unlimited_section_post_image_five_post", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}[ ]*=|javascript[ ]*:|\\\\\\\\u003[cC]|%3[cC])~i"}], "cve": "CVE-2026-25438", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25438", "description": "Unlimited Blocks <=1.2.8 reflected XSS via attr parameter in post_image_five_post AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "unlimited-blocks", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2026-25438-04": {"ajax_action": "unlimited_section_post_image_four_post", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}[ ]*=|javascript[ ]*:|\\\\\\\\u003[cC]|%3[cC])~i"}], "cve": "CVE-2026-25438", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25438", "description": "Unlimited Blocks <=1.2.8 reflected XSS via attr parameter in post_image_four_post AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "unlimited-blocks", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2026-25438-05": {"ajax_action": "unlimited_section_post_image_three_post", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}[ ]*=|javascript[ ]*:|\\\\\\\\u003[cC]|%3[cC])~i"}], "cve": "CVE-2026-25438", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25438", "description": "Unlimited Blocks <=1.2.8 reflected XSS via attr parameter in post_image_three_post AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "unlimited-blocks", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2026-25438-06": {"ajax_action": "unlimited_section_post_layout_grid", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}[ ]*=|javascript[ ]*:|\\\\\\\\u003[cC]|%3[cC])~i"}], "cve": "CVE-2026-25438", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25438", "description": "Unlimited Blocks <=1.2.8 reflected XSS via attr parameter in post_layout_grid AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "unlimited-blocks", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2026-25438-07": {"ajax_action": "unlimited_section_post_layout_list", "conditions": [{"name": "ARGS:attr", "type": "regex", "value": "~(?:<[a-zA-Z!/]|on[a-zA-Z]{3,}[ ]*=|javascript[ ]*:|\\\\\\\\u003[cC]|%3[cC])~i"}], "cve": "CVE-2026-25438", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25438", "description": "Unlimited Blocks <=1.2.8 reflected XSS via attr parameter in post_layout_list AJAX handler", "method": "POST", "mode": "block", "severity": 7.1, "slug": "unlimited-blocks", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.8"}, "RULE-CVE-2026-25456-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/shipi/v1/connect/fedex/?(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-25456", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25456", "description": "Automated FedEx Shipping <=5.1.8 unauthenticated access to transient nonce data via shipi/v1/connect/fedex REST endpoint", "method": "GET", "mode": "block", "severity": 7.5, "slug": "a2z-fedex-shipping", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=5.1.8"}, "RULE-CVE-2026-25471-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:tpsa_verify_email_otp", "type": "exists"}], "cve": "CVE-2026-25471", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25471", "description": "Admin Safety Guard <=1.2.6 broken authentication via OTP submission on wp-login.php", "method": "POST", "mode": "block", "severity": 8.1, "slug": "admin-safety-guard", "tags": ["authentication-bypass", "broken-authentication", "unauthenticated", "otp-bypass"], "target": "plugin", "versions": "<=1.2.6"}, "RULE-CVE-2026-25471-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:tpsa_verify_email_otp", "type": "regex", "value": "~(?:<script[^>]*>|<img[^>]*onerror[[:space:]]*=|on(?:error|load|mouseover|click)[[:space:]]*=|javascript:)~i"}], "cve": "CVE-2026-25471", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-25471", "description": "Admin Safety Guard <=1.2.6 reflected XSS via unsanitized tpsa_verify_email_otp on wp-login.php", "method": "GET", "mode": "block", "severity": 8.1, "slug": "admin-safety-guard", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.2.6"}, "RULE-CVE-2026-2554-01": {"ajax_action": "delete_wcfm_customer", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2554", "description": "WCFM <=6.7.25 IDOR allowing authenticated Vendor+ to delete arbitrary users via customerid parameter", "mode": "block", "severity": 8.1, "slug": "wc-frontend-manager", "tags": ["idor", "authorization-bypass", "privilege-escalation"], "target": "plugin", "versions": "<=6.7.25"}, "RULE-CVE-2026-2568-01": {"action": "admin_init", "conditions": [{"name": "ARGS:entry_id", "type": "detectXSS"}], "cve": "CVE-2026-2568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2568", "description": "WP Zendesk for Contact Form 7 <=1.1.5 reflected XSS via entry_id parameter on admin logs page", "method": "GET", "mode": "block", "severity": 7.2, "slug": "cf7-zendesk", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2026-2568-02": {"action": "admin_init", "conditions": [{"name": "ARGS:start_date", "type": "detectXSS"}], "cve": "CVE-2026-2568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2568", "description": "WP Zendesk for Contact Form 7 <=1.1.5 reflected XSS via start_date parameter on admin logs page", "method": "GET", "mode": "block", "severity": 7.2, "slug": "cf7-zendesk", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2026-2568-03": {"action": "admin_init", "conditions": [{"name": "ARGS:end_date", "type": "detectXSS"}], "cve": "CVE-2026-2568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2568", "description": "WP Zendesk for Contact Form 7 <=1.1.5 reflected XSS via end_date parameter on admin logs page", "method": "GET", "mode": "block", "severity": 7.2, "slug": "cf7-zendesk", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2026-2568-04": {"action": "admin_init", "conditions": [{"name": "ARGS:vx_debug", "type": "detectXSS"}], "cve": "CVE-2026-2568", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2568", "description": "WP Zendesk for Contact Form 7 <=1.1.5 reflected XSS via vx_debug parameter on admin entry box page", "method": "GET", "mode": "block", "severity": 7.2, "slug": "cf7-zendesk", "tags": ["xss", "reflected-xss", "unauthenticated"], "target": "plugin", "versions": "<=1.1.5"}, "RULE-CVE-2026-2571-01": {"ajax_action": "wpdmdz_user_status", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2571", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2571", "description": "Download Manager <=3.3.49 missing authorization on wpdmdz_user_status AJAX handler allows subscriber+ user enumeration", "mode": "block", "severity": 4.3, "slug": "download-manager", "tags": ["missing-authorization", "information-disclosure", "idor"], "target": "plugin", "versions": "<=3.3.49"}, "RULE-CVE-2026-2576-01": {"action": "template_redirect", "conditions": [{"name": "ARGS:payment", "type": "detectSQLi"}], "cve": "CVE-2026-2576", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2576", "description": "Business Directory Plugin <=6.4.21 unauthenticated time-based SQL injection via payment parameter (scalar)", "mode": "block", "severity": 7.5, "slug": "business-directory-plugin", "tags": ["sql-injection", "unauthenticated", "time-based-blind"], "target": "plugin", "versions": "<=6.4.21"}, "RULE-CVE-2026-2576-02": {"action": "template_redirect", "conditions": [{"name": "ARGS:payment[0]", "type": "regex", "value": "~(?:\'|\\"|;|--|#|/\\\\*|\\\\bOR\\\\b|\\\\bAND\\\\b|\\\\bUNION\\\\b|\\\\bSELECT\\\\b|\\\\bSLEEP\\\\b|\\\\bBENCHMARK\\\\b)~i"}], "cve": "CVE-2026-2576", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2576", "description": "Business Directory Plugin <=6.4.21 unauthenticated time-based SQL injection via payment[] array parameter", "mode": "block", "severity": 7.5, "slug": "business-directory-plugin", "tags": ["sql-injection", "unauthenticated", "time-based-blind"], "target": "plugin", "versions": "<=6.4.21"}, "RULE-CVE-2026-2576-03": {"action": "template_redirect", "conditions": [{"name": "ARGS:payment[1]", "type": "regex", "value": "~(?:\'|\\"|;|--|#|/\\\\*|\\\\bOR\\\\b|\\\\bAND\\\\b|\\\\bUNION\\\\b|\\\\bSELECT\\\\b|\\\\bSLEEP\\\\b|\\\\bBENCHMARK\\\\b)~i"}], "cve": "CVE-2026-2576", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2576", "description": "Business Directory Plugin <=6.4.21 unauthenticated time-based SQL injection via payment[] array parameter (index 1)", "mode": "block", "severity": 7.5, "slug": "business-directory-plugin", "tags": ["sql-injection", "unauthenticated", "time-based-blind"], "target": "plugin", "versions": "<=6.4.21"}, "RULE-CVE-2026-2579-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wopb/product-search(/|\\\\?|$)~"}, {"name": "ARGS:search", "type": "regex", "value": "~(?i)(?:[\'\\"`]\\\\s*(?:OR|AND)\\\\s+[\'\\"`\\\\d]|\\\\bUNION\\\\b\\\\s+(?:ALL\\\\s+)?\\\\bSELECT\\\\b\\\\s+(?:[0-9]|NULL\\\\b|@@|0x|CONCAT|CHAR)|\\\\bSLEEP\\\\s*[(]|\\\\bBENCHMARK\\\\s*[(]|\\\\bEXTRACTVALUE\\\\s*[(]|\\\\bUPDATEXML\\\\s*[(]|/[*][!*]|;\\\\s*(?:DROP|ALTER|CREATE|TRUNCATE)\\\\b)~"}], "cve": "CVE-2026-2579", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2579", "description": "ProductX/WowStore <=4.4.3 unauthenticated SQL injection via search parameter in wopb/product-search REST endpoint", "method": "POST", "mode": "block", "severity": 7.5, "slug": "product-blocks", "tags": ["sql-injection", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=4.4.3"}, "RULE-CVE-2026-2582-01": {"ajax_action": "show_direct_debit", "conditions": [{"name": "ARGS:account_holder", "type": "regex", "value": "~\\\\[\\\\s*[a-z_][a-z0-9_]{2,}[\\\\s\\\\]\\\\/]~"}], "cve": "CVE-2026-2582", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2582", "description": "Germanized for WooCommerce <=3.20.5 unauthenticated arbitrary shortcode execution via account_holder parameter in direct debit mandate AJAX handler", "mode": "block", "severity": 6.5, "slug": "woocommerce-germanized", "tags": ["code-injection", "shortcode-execution", "unauthenticated"], "target": "plugin", "versions": "<=3.20.5"}, "RULE-CVE-2026-2589-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-content/plugins/greenshift-animation-and-page-builder-blocks/).*(?:backup|settings_backup).*\\\\.(?:json|txt|zip)(?:\\\\?|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2589", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2589", "description": "GreenShift <= 12.8.3 unauthenticated sensitive information exposure via settings backup file in plugin directory", "method": "GET", "mode": "block", "severity": 5.3, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["information-disclosure", "unauthenticated", "sensitive-data-exposure"], "target": "plugin", "versions": "<=12.8.3"}, "RULE-CVE-2026-2589-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-content/uploads/greenshift/).*(?:backup|settings_backup).*\\\\.(?:json|txt|zip)(?:\\\\?|$)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2589", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2589", "description": "GreenShift <= 12.8.3 unauthenticated sensitive information exposure via settings backup file in uploads directory", "method": "GET", "mode": "block", "severity": 5.3, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["information-disclosure", "unauthenticated", "sensitive-data-exposure"], "target": "plugin", "versions": "<=12.8.3"}, "RULE-CVE-2026-2592-01": {"action": "init", "conditions": [{"name": "ARGS:wc-api", "type": "equals", "value": "wc_zpal"}, {"name": "ARGS:Status", "type": "equals", "value": "OK"}, {"name": "ARGS:wc_order", "type": "exists"}, {"name": "ARGS:Authority", "type": "regex", "value": "~^[A-Za-z0-9]{16,35}$~"}], "cve": "CVE-2026-2592", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2592", "description": "ZarinPal WooCommerce Payment Gateway <=5.0.16 improper access control via wc-api wc_zpal callback with forged short Authority token", "mode": "block", "severity": 7.7, "slug": "zarinpal-woocommerce-payment-gateway", "tags": ["improper-access-control", "payment-bypass", "woocommerce-api", "unauthenticated"], "target": "plugin", "versions": "<=5.0.16"}, "RULE-CVE-2026-2593-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/[0-9]+)?(/|\\\\?|$)~"}, {"name": "ARGS:meta[_gspb_post_css]", "type": "regex", "value": "~</?[a-zA-Z][a-zA-Z0-9]*[\\\\s/>]~i"}], "cve": "CVE-2026-2593", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2593", "description": "GreenShift <=12.8.5 Stored XSS via _gspb_post_css post meta through REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["xss", "stored-xss", "rest-api"], "target": "plugin", "versions": "<=12.8.5"}, "RULE-CVE-2026-2593-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(/[0-9]+)?(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~greenshift-blocks/element[^}]*dynamicAttributes[^}]*<[a-zA-Z][a-zA-Z0-9]*[ /][^>]*(?:on[a-zA-Z]+=|javascript:|<script)~i"}], "cve": "CVE-2026-2593", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2593", "description": "GreenShift <=12.8.5 Stored XSS via dynamicAttributes in block content through REST API", "method": "POST", "mode": "block", "severity": 6.4, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["xss", "stored-xss", "rest-api", "block-editor"], "target": "plugin", "versions": "<=12.8.5"}, "RULE-CVE-2026-2593-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:meta[_gspb_post_css]", "type": "regex", "value": "~</?[a-zA-Z][a-zA-Z0-9]*[\\\\s/>]~i"}], "cve": "CVE-2026-2593", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2593", "description": "GreenShift <=12.8.5 Stored XSS via _gspb_post_css meta through classic editor", "method": "POST", "mode": "block", "severity": 6.4, "slug": "greenshift-animation-and-page-builder-blocks", "tags": ["xss", "stored-xss", "classic-editor"], "target": "plugin", "versions": "<=12.8.5"}, "RULE-CVE-2026-2599-01": {"action": "init", "conditions": [{"name": "ARGS:vx_crm_form_action", "type": "equals", "value": "download_csv"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2599", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2599", "description": "Contact Form Entries <=1.4.7 unauthenticated PHP Object Injection via download_csv deserialization trigger", "method": "GET", "mode": "block", "severity": 9.8, "slug": "contact-form-entries", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=1.4.7"}, "RULE-CVE-2026-2628-01": {"action": "init", "conditions": [{"name": "ARGS:id_token", "type": "regex", "value": "~^[A-Za-z0-9_=-]+\\\\.[A-Za-z0-9_=-]+\\\\.?[A-Za-z0-9_=-]*$~"}, {"name": "ARGS:code", "type": "exists"}], "cve": "CVE-2026-2628", "method": "GET", "mode": "block", "severity": 9.8, "slug": "login-with-azure", "target": "plugin", "versions": "<2.2.6"}, "RULE-CVE-2026-27044-01": {"ajax_action": "totalpoll_modules_install_from_file", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-27044", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27044", "description": "Total Poll Lite <=4.12.0 authenticated remote code execution via totalpoll_modules_install_from_file AJAX handler", "mode": "block", "severity": 9.9, "slug": "totalpoll-lite", "tags": ["remote-code-execution", "code-injection", "missing-authorization"], "target": "plugin", "versions": "<=4.12.0"}, "RULE-CVE-2026-27068-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:llms_generator_settings", "type": "regex", "value": "~(?:<script[^>]*>|</script>|javascript\\\\s*:|on[a-z]+\\\\s*=|<iframe[^>]*>|<svg[^>]*>)~i"}], "cve": "CVE-2026-27068", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27068", "description": "Website LLMs.txt <=8.2.6 reflected XSS via llms_generator_settings reflected in admin/admin-page.php hidden input attributes", "mode": "block", "severity": 7.1, "slug": "website-llms-txt", "tags": ["xss", "reflected-xss", "admin-page", "crafted-link"], "target": "plugin", "versions": "<=8.2.6"}, "RULE-CVE-2026-27071-01": {"ajax_action": "save_location", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-27071", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27071", "description": "WPCafe <=3.0.6 unauthenticated broken access control on save_location AJAX handler", "mode": "block", "severity": 9.1, "slug": "wp-cafe", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=3.0.6"}, "RULE-CVE-2026-27072-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:pys_head", "type": "exists"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-27072", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27072", "description": "PixelYourSite <=11.2.0.1 Stored XSS via pys_head parameter in HeadFooter save_meta_box", "method": "POST", "mode": "block", "severity": 7.1, "slug": "pixelyoursite", "tags": ["xss", "stored-xss", "post-meta"], "target": "plugin", "versions": "<=11.2.0.1"}, "RULE-CVE-2026-27072-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:pys_footer", "type": "exists"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-27072", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27072", "description": "PixelYourSite <=11.2.0.1 Stored XSS via pys_footer parameter in HeadFooter save_meta_box", "method": "POST", "mode": "block", "severity": 7.1, "slug": "pixelyoursite", "tags": ["xss", "stored-xss", "post-meta"], "target": "plugin", "versions": "<=11.2.0.1"}, "RULE-CVE-2026-27075-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27075", "description": "belfort theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "belfort", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27075-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27075", "description": "belfort theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "belfort", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27076-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27076", "description": "luxedrive theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "luxedrive", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27076-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27076", "description": "luxedrive theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "luxedrive", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27077-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27077", "description": "multioffice theme <= 1.2 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "multioffice", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-27077-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27077", "description": "multioffice theme <= 1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "multioffice", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-27078-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27078", "description": "emaurri theme <= 1.0.1 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "emaurri", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.0.1"}, "RULE-CVE-2026-27078-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27078", "description": "emaurri theme <= 1.0.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "emaurri", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.1"}, "RULE-CVE-2026-27079-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27079", "description": "amfissa theme <= 1.1 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "amfissa", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2026-27079-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27079", "description": "amfissa theme <= 1.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "amfissa", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1"}, "RULE-CVE-2026-27080-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27080", "description": "deston theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "deston", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27080-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27080", "description": "deston theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "deston", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27081-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27081", "description": "rosebud theme <= 1.4 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "rosebud", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2026-27081-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27081", "description": "rosebud theme <= 1.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "rosebud", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4"}, "RULE-CVE-2026-27095-04": {"ajax_action": "get_wbtm_return_date", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php|wp-admin/admin-post\\\\.php)(?:$|[?])~"}, {"name": "ARGS", "type": "regex", "value": "~(?:^|[;{])(?:O|C):\\\\d+:\\"[^\\"]+\\"(?::\\\\d+)?:\\\\{~"}], "cve": "CVE-2026-27095", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27095", "description": "Bus Ticket Booking with Seat Reservation <=5.6.0 unauthenticated PHP object injection via get_wbtm_return_date AJAX handler", "mode": "block", "severity": 9.8, "slug": "bus-ticket-booking-with-seat-reservation", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.6.0"}, "RULE-CVE-2026-27095-05": {"ajax_action": "get_wbtm_dropping_point", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php|wp-admin/admin-post\\\\.php)(?:$|[?])~"}, {"name": "ARGS", "type": "regex", "value": "~(?:^|[;{])(?:O|C):\\\\d+:\\"[^\\"]+\\"(?::\\\\d+)?:\\\\{~"}], "cve": "CVE-2026-27095", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27095", "description": "Bus Ticket Booking with Seat Reservation <=5.6.0 unauthenticated PHP object injection via get_wbtm_dropping_point AJAX handler", "mode": "block", "severity": 9.8, "slug": "bus-ticket-booking-with-seat-reservation", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.6.0"}, "RULE-CVE-2026-27095-06": {"ajax_action": "wbtm_create_seat_plan", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php|wp-admin/admin-post\\\\.php)(?:$|[?])~"}, {"name": "ARGS", "type": "regex", "value": "~(?:^|[;{])(?:O|C):\\\\d+:\\"[^\\"]+\\"(?::\\\\d+)?:\\\\{~"}], "cve": "CVE-2026-27095", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27095", "description": "Bus Ticket Booking with Seat Reservation <=5.6.0 unauthenticated PHP object injection via wbtm_create_seat_plan AJAX handler", "mode": "block", "severity": 9.8, "slug": "bus-ticket-booking-with-seat-reservation", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.6.0"}, "RULE-CVE-2026-27095-07": {"ajax_action": "wbtm_create_seat_plan_dd", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php|wp-admin/admin-post\\\\.php)(?:$|[?])~"}, {"name": "ARGS", "type": "regex", "value": "~(?:^|[;{])(?:O|C):\\\\d+:\\"[^\\"]+\\"(?::\\\\d+)?:\\\\{~"}], "cve": "CVE-2026-27095", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27095", "description": "Bus Ticket Booking with Seat Reservation <=5.6.0 unauthenticated PHP object injection via wbtm_create_seat_plan_dd AJAX handler", "mode": "block", "severity": 9.8, "slug": "bus-ticket-booking-with-seat-reservation", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.6.0"}, "RULE-CVE-2026-27095-08": {"ajax_action": "wbtm_get_bus_detail", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php|wp-admin/admin-post\\\\.php)(?:$|[?])~"}, {"name": "ARGS", "type": "regex", "value": "~(?:^|[;{])(?:O|C):\\\\d+:\\"[^\\"]+\\"(?::\\\\d+)?:\\\\{~"}], "cve": "CVE-2026-27095", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27095", "description": "Bus Ticket Booking with Seat Reservation <=5.6.0 unauthenticated PHP object injection via wbtm_get_bus_detail AJAX handler", "mode": "block", "severity": 9.8, "slug": "bus-ticket-booking-with-seat-reservation", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.6.0"}, "RULE-CVE-2026-27095-09": {"ajax_action": "wbtm_reload_pricing", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)(?:wp-admin/admin-ajax\\\\.php|wp-admin/admin-post\\\\.php)(?:$|[?])~"}, {"name": "ARGS", "type": "regex", "value": "~(?:^|[;{])(?:O|C):\\\\d+:\\"[^\\"]+\\"(?::\\\\d+)?:\\\\{~"}], "cve": "CVE-2026-27095", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27095", "description": "Bus Ticket Booking with Seat Reservation <=5.6.0 unauthenticated PHP object injection via wbtm_reload_pricing AJAX handler", "mode": "block", "severity": 9.8, "slug": "bus-ticket-booking-with-seat-reservation", "tags": ["object-injection", "deserialization", "unauthenticated"], "target": "plugin", "versions": "<=5.6.0"}, "RULE-CVE-2026-27097-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27097", "description": "casamia theme <= 1.1.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "casamia", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.2"}, "RULE-CVE-2026-27097-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27097", "description": "casamia theme <= 1.1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "casamia", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.2"}, "RULE-CVE-2026-2712-01": {"ajax_action": "heartbeat", "conditions": [{"name": "ARGS:data[wp-optimize-heartbeat-smush][command]", "type": "regex", "value": "~^(?:get_smush_logs|clean_all_backup_images|process_bulk_smush|update_smush_options|get_smush_options|clear_smush_stats|clear_backup_images|clear_backup_images_directory|delete_log_files|get_logfile_path)$~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2712", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2712", "description": "WP-Optimize <=4.5.0 missing authorization in receive_heartbeat() allows subscriber+ to invoke admin-only Smush commands via Heartbeat API", "method": "POST", "mode": "block", "severity": 5.4, "slug": "wp-optimize", "tags": ["incorrect-authorization", "missing-capability", "heartbeat-abuse"], "target": "plugin", "versions": "<=4.5.0"}, "RULE-CVE-2026-2718-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:dealia/"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:dealia/[^}]*(?:on[a-z]+\\\\s*=|javascript\\\\s*:|<script[\\\\s/>])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2718", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2718", "description": "Dealia - Request a Quote <=1.0.8 Contributor+ stored XSS via Gutenberg block attributes in classic editor post content", "method": "POST", "mode": "block", "severity": 6.4, "slug": "dealia-request-a-quote", "tags": ["xss", "stored", "gutenberg-block", "authenticated"], "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2026-2718-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)~"}, {"name": "ARGS:content", "type": "contains", "value": "wp:dealia/"}, {"name": "ARGS:content", "type": "regex", "value": "~wp:dealia/[^}]*(?:on[a-z]+\\\\s*=|javascript\\\\s*:|<script[\\\\s/>])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2718", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2718", "description": "Dealia - Request a Quote <=1.0.8 Contributor+ stored XSS via Gutenberg block attributes in REST API post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "dealia-request-a-quote", "tags": ["xss", "stored", "gutenberg-block", "rest-api", "authenticated"], "target": "plugin", "versions": "<=1.0.8"}, "RULE-CVE-2026-2721-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/options\\\\.php~"}, {"name": "ARGS:mailarchiver_archiver_privacy_encryption", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|focus|blur|click)\\\\s*=|javascript\\\\s*:|<i(?:mg|frame)[\\\\s/]|</(?:title|textarea|style)>)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2721", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2721", "description": "MailArchiver <=4.4.0 authenticated stored XSS via mailarchiver_archiver_privacy_encryption settings field", "method": "POST", "mode": "block", "severity": 4.8, "slug": "mailarchiver", "tags": ["xss", "stored", "authenticated", "settings-api"], "target": "plugin", "versions": "<=4.4.0"}, "RULE-CVE-2026-2724-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "unitecreator_ajax_action"}, {"name": "ARGS", "type": "detectXSS"}], "cve": "CVE-2026-2724", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2724", "description": "Unlimited Elements for Elementor <=2.0.5 unauthenticated stored XSS via form field values", "method": "POST", "mode": "block", "severity": 7.2, "slug": "unlimited-elements-for-elementor", "tags": ["xss", "stored-xss", "unauthenticated", "elementor"], "target": "plugin", "versions": "<=2.0.5"}, "RULE-CVE-2026-2732-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "emr_prepare_remove_background"}, {"name": "ARGS:attachment_id", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-2732", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2732", "description": "Enable Media Replace <=4.1.7 missing authorization on Remove Background GET handler allows Author+ to access arbitrary attachments", "method": "GET", "mode": "block", "severity": 5.4, "slug": "enable-media-replace", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=4.1.7"}, "RULE-CVE-2026-2732-02": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "emr_process_remove_background"}, {"name": "ARGS:ID", "type": "exists"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-2732", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2732", "description": "Enable Media Replace <=4.1.7 missing authorization on Remove Background POST handler allows Author+ to replace arbitrary attachments", "method": "POST", "mode": "block", "severity": 5.4, "slug": "enable-media-replace", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=4.1.7"}, "RULE-CVE-2026-27326-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27326", "description": "window-ac-services theme <= 1.2.5 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "window-ac-services", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.5"}, "RULE-CVE-2026-27326-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27326", "description": "window-ac-services theme <= 1.2.5 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "window-ac-services", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.5"}, "RULE-CVE-2026-27335-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27335", "description": "ekoterra theme <= 1.0.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "ekoterra", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.0"}, "RULE-CVE-2026-27335-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27335", "description": "ekoterra theme <= 1.0.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "ekoterra", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.0"}, "RULE-CVE-2026-27336-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27336", "description": "consultor theme <= 1.2.4 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "consultor", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.4"}, "RULE-CVE-2026-27336-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27336", "description": "consultor theme <= 1.2.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "consultor", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.4"}, "RULE-CVE-2026-27337-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27337", "description": "chronicle theme <= 1.0 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "chronicle", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27337-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27337", "description": "chronicle theme <= 1.0 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "chronicle", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0"}, "RULE-CVE-2026-27339-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27339", "description": "buzzstone theme <= 1.0.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "buzzstone", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-27339-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27339", "description": "buzzstone theme <= 1.0.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "buzzstone", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.2"}, "RULE-CVE-2026-27340-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27340", "description": "apollo theme <= 1.3.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "apollo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2026-27340-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27340", "description": "apollo theme <= 1.3.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "apollo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.1"}, "RULE-CVE-2026-27341-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27341", "description": "topscorer theme <= 1.2 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "topscorer", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-27341-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27341", "description": "topscorer theme <= 1.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "topscorer", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2"}, "RULE-CVE-2026-27342-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-27342", "description": "topfit theme <= 1.9 path traversal and PHP wrapper abuse in template selector parameters. Mikado-Themes mikado-core/bridge-core framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "topfit", "tags": ["lfi", "path-traversal", "generic", "mikado-core"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2026-27342-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-27342", "description": "topfit theme <= 1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "topfit", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2026-27379-01": {"ajax_action": "nxs_saveSiteSets", "conditions": [{"name": "ARGS:fltrs", "type": "regex", "value": "~[OC]:[0-9]+:[\\"\\\\{]~"}], "cve": "CVE-2026-27379", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27379", "description": "NextScripts SNAP <=4.4.7 PHP Object Injection via unserialize of fltrs parameter in nxs_saveSiteSets AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "social-networks-auto-poster-facebook-twitter-g", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=4.4.7"}, "RULE-CVE-2026-27379-02": {"ajax_action": "nxs_snap_aj", "conditions": [{"name": "ARGS:fltrs", "type": "regex", "value": "~[OC]:[0-9]+:[\\"\\\\{]~"}], "cve": "CVE-2026-27379", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27379", "description": "NextScripts SNAP <=4.4.7 PHP Object Injection via unserialize of fltrs parameter in nxs_snap_aj AJAX handler", "method": "POST", "mode": "block", "severity": 8.8, "slug": "social-networks-auto-poster-facebook-twitter-g", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=4.4.7"}, "RULE-CVE-2026-27384-01": {"ajax_action": "w3tc_dismiss_license_notice", "conditions": [{"name": "ARGS:notice_id", "type": "detectSQLi"}], "cve": "CVE-2026-27384", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27384", "description": "W3 Total Cache <=2.9.1 authenticated SQL injection via notice_id in w3tc_dismiss_license_notice AJAX handler", "method": "POST", "mode": "block", "severity": 9.0, "slug": "w3-total-cache", "tags": ["sql-injection", "authenticated", "ajax"], "target": "plugin", "versions": "<=2.9.1"}, "RULE-CVE-2026-27984-01": {"ajax_action": "widgetopts_ajax_validate_expression", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:system|passthru|exec|shell_exec|popen|proc_open|pcntl_exec|eval|assert|preg_replace|create_function|call_user_func|call_user_func_array|file_get_contents|file_put_contents|fopen|fwrite|include|require|phpinfo|unlink|rmdir|mail|header|curl_exec|base64_decode)[ ]*[(]~i"}], "cve": "CVE-2026-27984", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-27984", "description": "Widget Options <=4.1.3 authenticated code injection via widgetopts_ajax_validate_expression AJAX handler", "method": "POST", "mode": "block", "severity": 9.0, "slug": "widget-options", "tags": ["code-injection", "rce", "authenticated"], "target": "plugin", "versions": "<=4.1.3"}, "RULE-CVE-2026-28024-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28024", "description": "helion theme <= 1.1.12 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "helion", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.1.12"}, "RULE-CVE-2026-28024-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28024", "description": "helion theme <= 1.1.12 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "helion", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.1.12"}, "RULE-CVE-2026-28041-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28041", "description": "grit theme <= 1.0.1 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "grit", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.0.1"}, "RULE-CVE-2026-28041-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28041", "description": "grit theme <= 1.0.1 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "grit", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.0.1"}, "RULE-CVE-2026-28079-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28079", "description": "conquerors theme <= 1.2.13 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "conquerors", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.2.13"}, "RULE-CVE-2026-28079-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28079", "description": "conquerors theme <= 1.2.13 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "conquerors", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.2.13"}, "RULE-CVE-2026-28117-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28117", "description": "smartSEO theme <= 2.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "smartseo", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.9"}, "RULE-CVE-2026-28117-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28117", "description": "smartSEO theme <= 2.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "smartseo", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.9"}, "RULE-CVE-2026-28118-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28118", "description": "welldone theme <= 2.4 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "welldone", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.4"}, "RULE-CVE-2026-28118-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28118", "description": "welldone theme <= 2.4 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "welldone", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.4"}, "RULE-CVE-2026-28119-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28119", "description": "nir-vana theme <= 2.6 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "nir-vana", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=2.6"}, "RULE-CVE-2026-28119-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28119", "description": "nir-vana theme <= 2.6 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "nir-vana", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=2.6"}, "RULE-CVE-2026-28121-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28121", "description": "andersonclinic theme <= 1.4.2 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "andersonclinic", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.4.2"}, "RULE-CVE-2026-28121-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28121", "description": "andersonclinic theme <= 1.4.2 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "andersonclinic", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.4.2"}, "RULE-CVE-2026-28123-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28123", "description": "veil theme <= 1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "veil", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2026-28123-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28123", "description": "veil theme <= 1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "veil", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2026-28124-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28124", "description": "notarius theme <= 1.9 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "notarius", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2026-28124-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28124", "description": "notarius theme <= 1.9 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "notarius", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.9"}, "RULE-CVE-2026-28125-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file|data)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28125", "description": "midi theme <= 1.14 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "midi", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.14"}, "RULE-CVE-2026-28125-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28125", "description": "midi theme <= 1.14 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "midi", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.14"}, "RULE-CVE-2026-28129-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:(?:\\\\.\\\\.|%2[eE]%2[eE])(?:[/\\\\\\\\]|%2[fF]|%5[cC])){2,}|(?:php|phar|expect|zip|compress\\\\.zlib|file)://|%70%68%70%3[aA]%2[fF]%2[fF]|(?:^|=)data:[a-zA-Z]~i"}], "cve": "CVE-2026-28129", "description": "little-birdies theme <= 1.3.16 path traversal and PHP wrapper abuse in template selector parameters. AncoraThemes/axiomthemes trx_addons framework shared LFI pattern.", "mode": "block", "severity": 8.1, "slug": "little-birdies", "tags": ["lfi", "path-traversal", "generic", "trx_addons"], "target": "theme", "versions": "<=1.3.16"}, "RULE-CVE-2026-28129-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:/wp-admin/|/wp-json/|\\\\?)~i"}, {"name": "ARGS:/^(type|layout|template|view|skin|style)$/", "type": "regex", "value": "~(?:wp-config|/etc/passwd|/proc/self/environ|/var/log/|\\\\.htaccess|\\\\.env|debug\\\\.log)~i"}], "cve": "CVE-2026-28129", "description": "little-birdies theme <= 1.3.16 sensitive file detection in template parameters.", "mode": "block", "severity": 8.1, "slug": "little-birdies", "tags": ["lfi", "sensitive-file", "defense-in-depth"], "target": "theme", "versions": "<=1.3.16"}, "RULE-CVE-2026-2830-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "pmxi-admin-import"}, {"name": "ARGS:filepath", "type": "regex", "value": "~(?:<[^>]+>|%3c[^%]*%3e|javascript:|on[a-z]+[ \\t]*=)~i"}], "cve": "CVE-2026-2830", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2830", "description": "WP All Import <=4.0.0 reflected XSS via filepath parameter on import wizard admin page (GET)", "method": "GET", "mode": "block", "severity": 6.1, "slug": "wp-all-import", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=4.0.0"}, "RULE-CVE-2026-2830-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "pmxi-admin-import"}, {"name": "ARGS:filepath", "type": "regex", "value": "~(?:<[^>]+>|%3c[^%]*%3e|javascript:|on[a-z]+[ \\t]*=)~i"}], "cve": "CVE-2026-2830", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2830", "description": "WP All Import <=4.0.0 reflected XSS via filepath parameter on import wizard admin page (POST)", "method": "POST", "mode": "block", "severity": 6.1, "slug": "wp-all-import", "tags": ["xss", "reflected-xss", "admin-page"], "target": "plugin", "versions": "<=4.0.0"}, "RULE-CVE-2026-2831-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "mailarchiver-viewer"}, {"name": "ARGS:logid", "type": "detectSQLi"}], "cve": "CVE-2026-2831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2831", "description": "MailArchiver <=4.5.0 authenticated SQL injection via logid parameter on events viewer admin page", "method": "GET", "mode": "block", "severity": 4.9, "slug": "mailarchiver", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=4.5.0"}, "RULE-CVE-2026-2831-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "mailarchiver-viewer"}, {"name": "ARGS:eventid", "type": "detectSQLi"}], "cve": "CVE-2026-2831", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2831", "description": "MailArchiver <=4.5.0 authenticated SQL injection via eventid parameter on events viewer admin page", "method": "GET", "mode": "block", "severity": 4.9, "slug": "mailarchiver", "tags": ["sql-injection", "authenticated", "admin-page"], "target": "plugin", "versions": "<=4.5.0"}, "RULE-CVE-2026-2840-01": {"action": "init", "conditions": [{"name": "ARGS:eeb_mail", "type": "regex", "value": "~<script[ />]|<[^>]+[^a-zA-Z0-9_]on[a-zA-Z0-9_]+ *=|javascript\\\\s*:~i"}], "cve": "CVE-2026-2840", "description": "Email Encoder Bundle <=2.4.4 reflected XSS via eeb_mail parameter in eeb_mailto shortcode", "mode": "block", "severity": 6.4, "slug": "email-encoder-bundle", "target": "plugin", "versions": "<=2.4.4"}, "RULE-CVE-2026-28557-01": {"action": "admin_init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "wpforo_synch_roles"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-28557", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-28557", "description": "wpForo Forum >=2.4.0 <2.4.16 missing authorization on wpforo_synch_roles AJAX handler allows privilege escalation via bulk usergroup-to-role reassignment", "method": "POST", "mode": "block", "severity": 6.5, "slug": "wpforo", "tags": ["missing-authorization", "privilege-escalation", "broken-access-control", "role-remapping"], "target": "plugin", "versions": ">=2.4.0 <2.4.16"}, "RULE-CVE-2026-28562-01": {"action": "init", "conditions": [{"name": "ARGS:wpfob", "type": "detectSQLi"}], "cve": "CVE-2026-28562", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-28562", "description": "wpForo Forum >=2.4.0 <2.4.15 unauthenticated SQL injection via wpfob ORDER BY parameter", "method": "GET", "mode": "block", "severity": 9.8, "slug": "wpforo", "tags": ["sql-injection", "unauthenticated", "order-by-injection"], "target": "plugin", "versions": ">=2.4.0 <2.4.15"}, "RULE-CVE-2026-2879-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/getgenie/v1/geniechat(?:/|\\\\?|&|$)~"}, {"name": "ARGS:id", "type": "regex", "value": "~^[1-9][0-9]*$~"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-2879", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2879", "description": "GetGenie <=4.3.2 authenticated (Author+) IDOR allows arbitrary post overwrite via id parameter in getgenie/v1/chat REST endpoint", "method": "POST", "mode": "block", "severity": 5.4, "slug": "getgenie", "tags": ["idor", "broken-access-control", "rest-api", "authenticated"], "target": "plugin", "versions": "<=4.3.2"}, "RULE-CVE-2026-2890-01": {"ajax_action": "frm_forms_preview", "conditions": [{"name": "ARGS", "type": "regex", "value": "~<[a-zA-Z][^>]*\\\\s+on[a-zA-Z]+=|<script[^>]*>|javascript\\\\s*:|<iframe[^>]*>|<object[^>]*>|<embed[^>]*>|<svg[^>]*\\\\s+on[a-zA-Z]+=~i"}], "cve": "CVE-2026-2890", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2890", "description": "Formidable Forms <=6.28 reflected/stored XSS via item_meta in form preview AJAX handler", "method": "POST", "mode": "block", "severity": 6.1, "slug": "formidable", "tags": ["xss", "unauthenticated", "reflected-xss"], "target": "plugin", "versions": "<=6.28"}, "RULE-CVE-2026-2918-01": {"ajax_action": "ha_condition_update", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[\\"\'] *on[a-z]+ *=~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2918", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2918", "description": "Happy Elementor Addons <=3.21.0 IDOR + Stored XSS via ha_condition_update AJAX action", "method": "POST", "mode": "block", "severity": 6.4, "slug": "happy-elementor-addons", "tags": ["idor", "stored-xss", "broken-access-control"], "target": "plugin", "versions": "<=3.21.0"}, "RULE-CVE-2026-2924-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts~"}, {"name": "ARGS:content", "type": "regex", "value": "~imageLoad[\\\\\\\\\\"\':=\\\\s]*(?:on(?:load|error|mouseover|click|focus|blur|mousedown|mouseup|keydown|keyup|input|change)\\\\s*=|javascript\\\\s*:|<script[\\\\s/>]|<img[^>]+onerror)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2924", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2924", "description": "Gutenverse <=3.4.6 authenticated (Contributor+) stored XSS via imageLoad block attribute in REST API post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenverse", "tags": ["xss", "stored", "authenticated", "gutenberg-block"], "target": "plugin", "versions": "<=3.4.6"}, "RULE-CVE-2026-2924-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:content", "type": "regex", "value": "~imageLoad[\\\\\\\\\\"\':=\\\\s]*(?:on(?:load|error|mouseover|click|focus|blur|mousedown|mouseup|keydown|keyup|input|change)\\\\s*=|javascript\\\\s*:|<script[\\\\s/>]|<img[^>]+onerror)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-2924", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2924", "description": "Gutenverse <=3.4.6 authenticated (Contributor+) stored XSS via imageLoad block attribute in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenverse", "tags": ["xss", "stored", "authenticated", "gutenberg-block"], "target": "plugin", "versions": "<=3.4.6"}, "RULE-CVE-2026-2941-01": {"ajax_action": "linksy_search_and_replace_item_details", "conditions": [{"name": "ARGS:option", "type": "equals", "value": "set"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2941", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2941", "description": "Linksy Search and Replace <=1.0.4 missing authorization on linksy_search_and_replace_item_details allowing subscriber+ arbitrary database update", "method": "POST", "mode": "block", "severity": 8.8, "slug": "linksy-search-and-replace", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-db-update"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2026-2941-02": {"ajax_action": "linksy_search_and_replace_replace_db", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2941", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2941", "description": "Linksy Search and Replace <=1.0.4 missing authorization on linksy_search_and_replace_replace_db allowing subscriber+ bulk arbitrary database update", "method": "POST", "mode": "block", "severity": 8.8, "slug": "linksy-search-and-replace", "tags": ["missing-authorization", "privilege-escalation", "arbitrary-db-update"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2026-2941-03": {"ajax_action": "linksy_search_and_replace_fetch_db_list", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-2941", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2941", "description": "Linksy Search and Replace <=1.0.4 missing authorization on linksy_search_and_replace_fetch_db_list allowing subscriber+ database table enumeration", "method": "POST", "mode": "block", "severity": 8.8, "slug": "linksy-search-and-replace", "tags": ["missing-authorization", "information-disclosure"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2026-2942-01": {"ajax_action": "proSol_fileUploadProcess", "conditions": [{"name": "FILES:file:name", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)$|(?:^|[\\\\\\\\/])\\\\.ht(?:access|passwd)$~i"}], "cve": "CVE-2026-2942", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2942", "description": "ProSolution WP Client <=1.9.9 unauthenticated arbitrary file upload via proSol_fileUploadProcess AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "prosolution-wp-client", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated"], "target": "plugin", "versions": "<=1.9.9"}, "RULE-CVE-2026-2942-02": {"ajax_action": "proSol_fileUploadModalProcess", "conditions": [{"name": "FILES:file:name", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9]?|s|tml?|t|ar)|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)$|(?:^|[\\\\\\\\/])\\\\.ht(?:access|passwd)$~i"}], "cve": "CVE-2026-2942", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2942", "description": "ProSolution WP Client <=1.9.9 unauthenticated arbitrary file upload via proSol_fileUploadModalProcess AJAX handler", "method": "POST", "mode": "block", "severity": 9.8, "slug": "prosolution-wp-client", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated"], "target": "plugin", "versions": "<=1.9.9"}, "RULE-CVE-2026-2948-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/gutenverse-client/v2/import/images(?:[/?&]|$)~"}, {"name": "ARGS:imageUrl", "type": "regex", "value": "~^(?:ftp|file|dict|gopher|ssh|smtp|news|telnet|nntp|irc|imap|mongo):|^(?:https?:)?//(?:localhost|127\\\\.0\\\\.0\\\\.1|10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|192\\\\.168\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}|169\\\\.254\\\\.169\\\\.254|0\\\\.0\\\\.0\\\\.0|/|[a-zA-Z]:\\\\\\\\|[a-zA-Z0-9.-]+\\\\.internal)~i"}], "cve": "CVE-2026-2948", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2948", "description": "Gutenverse <=3.5.3 server-side request forgery via imageUrl in import_images REST endpoint", "method": "POST", "mode": "block", "severity": 6.4, "slug": "gutenverse", "tags": ["ssrf", "server-side-request-forgery", "authenticated"], "target": "plugin", "versions": "<=3.5.3"}, "RULE-CVE-2026-2987-01": {"action": "init", "conditions": [{"name": "ARGS:sac_text", "type": "exists"}, {"name": "ARGS:sac_text", "type": "regex", "value": "~(?:<script[\\\\s/>]|<svg[\\\\s/][^>]*on[a-z]+=|<img[\\\\s/][^>]*on(?:error|load)\\\\s*=|javascript\\\\s*:|<iframe[\\\\s/>]|<object[\\\\s/>]|<embed[\\\\s/>]|on(?:error|load|click|mouseover|focus)\\\\s*=)~i"}], "cve": "CVE-2026-2987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-2987", "description": "Simple Ajax Chat <=20260217 unauthenticated stored XSS via chat message", "method": "POST", "mode": "block", "severity": 6.1, "slug": "simple-ajax-chat", "tags": ["xss", "stored-xss", "unauthenticated"], "target": "plugin", "versions": "<=20260217"}, "RULE-CVE-2026-3003-01": {"action": "admin_init", "conditions": [{"name": "ARGS:vagaro_command", "type": "regex", "value": "~^(?:Add|Update)$~i"}, {"name": "ARGS:vagaro_code", "type": "regex", "value": "~(?:<(?:script|svg|math|embed|object)[^>]*|&#(?:0*60|x0*3c);?(?:script|svg|math|embed|object)|on[a-z]{3,16}[[:space:]]*=|javascript[[:space:]]*:|&#(?:0*106|x0*6a);?&#(?:0*97|x0*61);?&#(?:0*118|x0*76);?&#(?:0*97|x0*61);?&#(?:0*115|x0*73);?&#(?:0*99|x0*63);?&#(?:0*114|x0*72);?&#(?:0*105|x0*69);?&#(?:0*112|x0*70);?&#(?:0*116|x0*74);?[[:space:]]*:)~i"}], "cve": "CVE-2026-3003", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3003", "description": "Vagaro Booking Widget <=0.3 unauthenticated stored XSS via vagaro_code on admin_init POST handler", "method": "POST", "mode": "block", "severity": 7.2, "slug": "vagaro-booking-widget", "tags": ["xss", "stored-xss", "unauthenticated", "admin-post"], "target": "plugin", "versions": "<=0.3"}, "RULE-CVE-2026-3045-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/settings/[a-z_]+(\\\\?|&|/|$)~"}, {"type": "missing_capability", "value": "ssa_manage_site_settings"}], "cve": "CVE-2026-3045", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3045", "description": "Simply Schedule Appointments <=1.6.9.29 unauthenticated sensitive settings exposure via ssa/v1/settings REST endpoint", "method": "GET", "mode": "block", "severity": 7.5, "slug": "simply-schedule-appointments", "tags": ["missing-authorization", "information-disclosure", "rest-api", "unauthenticated"], "target": "plugin", "versions": "<=1.6.9.29"}, "RULE-CVE-2026-3056-01": {"ajax_action": "seraph_accel_api", "conditions": [{"name": "ARGS:fn", "type": "equals", "value": "LogClear"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3056", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3056", "description": "Seraphinite Accelerator <=2.28.14 missing authorization on LogClear via seraph_accel_api AJAX handler", "mode": "block", "severity": 4.3, "slug": "seraphinite-accelerator", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.28.14"}, "RULE-CVE-2026-3058-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "seraph_accel_api"}, {"name": "ARGS:fn", "type": "equals", "value": "GetData"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3058", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3058", "description": "Seraphinite Accelerator <=2.28.14 unauthenticated sensitive information exposure via admin-post.php nopriv route with fn=GetData", "mode": "block", "severity": 4.3, "slug": "seraphinite-accelerator", "tags": ["missing-authorization", "information-exposure", "unauthenticated"], "target": "plugin", "versions": "<=2.28.14"}, "RULE-CVE-2026-3090-01": {"ajax_action": "ps-get-email-logs", "conditions": [{"name": "ARGS:search", "type": "regex", "value": "~(?:<script|</script|<[^>]+on[a-zA-Z]+[[:space:]]*=|javascript[[:space:]]*:)~i"}], "cve": "CVE-2026-3090", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3090", "description": "Post SMTP <=3.8.0 stored XSS via unescaped event_type rendering in ps-get-email-logs AJAX response", "method": "POST", "mode": "block", "severity": 7.2, "slug": "post-smtp", "tags": ["xss", "stored-xss", "ajax", "email-logs"], "target": "plugin", "versions": "<=3.8.0"}, "RULE-CVE-2026-3098-01": {"ajax_action": "smart-slider3", "conditions": [{"name": "ARGS:nextendcontroller", "type": "regex", "value": "~^sliders?$~i"}, {"name": "ARGS:nextendaction", "type": "regex", "value": "~^export~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3098", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3098", "description": "Smart Slider 3 <=3.5.1.33 arbitrary file read via export \\u2014 restricts slider export to admins only (blocks subscriber/editor-level exploitation)", "method": "POST", "mode": "block", "severity": 6.5, "slug": "smart-slider-3", "tags": ["arbitrary-file-read", "lfi", "missing-authorization"], "target": "plugin", "versions": "<=3.5.1.33"}, "RULE-CVE-2026-3132-01": {"ajax_action": "jltma_widget_render_preview", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3132", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3132", "description": "Master Addons for Elementor <=2.1.3 authenticated (Subscriber+) RCE via jltma_widget_render_preview AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 8.8, "slug": "master-addons", "tags": ["missing-authorization", "remote-code-execution", "code-injection"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-3132-02": {"ajax_action": "jltma_widget_save_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3132", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3132", "description": "Master Addons for Elementor <=2.1.3 authenticated (Subscriber+) RCE via jltma_widget_save_data AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 8.8, "slug": "master-addons", "tags": ["missing-authorization", "remote-code-execution", "code-injection"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-3132-03": {"ajax_action": "jltma_widget_get_data", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3132", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3132", "description": "Master Addons for Elementor <=2.1.3 authenticated (Subscriber+) unauthorized data access via jltma_widget_get_data AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 8.8, "slug": "master-addons", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-3132-04": {"ajax_action": "jltma_widget_delete", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3132", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3132", "description": "Master Addons for Elementor <=2.1.3 authenticated (Subscriber+) unauthorized widget deletion via jltma_widget_delete AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 8.8, "slug": "master-addons", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-3132-05": {"ajax_action": "jltma_widget_update_category", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3132", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3132", "description": "Master Addons for Elementor <=2.1.3 authenticated (Subscriber+) unauthorized category update via jltma_widget_update_category AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 8.8, "slug": "master-addons", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-3132-06": {"ajax_action": "jltma_widget_get_conditions", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3132", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3132", "description": "Master Addons for Elementor <=2.1.3 authenticated (Subscriber+) unauthorized conditions read via jltma_widget_get_conditions AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 8.8, "slug": "master-addons", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-3132-07": {"ajax_action": "jltma_widget_save_conditions", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3132", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3132", "description": "Master Addons for Elementor <=2.1.3 authenticated (Subscriber+) unauthorized conditions save via jltma_widget_save_conditions AJAX handler missing capability check", "method": "POST", "mode": "block", "severity": 8.8, "slug": "master-addons", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-3178-01": {"action": "init", "conditions": [{"name": "ARGS:name_directory_name", "type": "regex", "value": "~<[a-zA-Z/!][^>]*>|&#(?:0*6[02]|x0*3[cCeE]);|<|>~i"}, {"name": "ARGS:directory", "type": "exists"}], "cve": "CVE-2026-3178", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3178", "description": "Name Directory <=1.32.1 unauthenticated stored XSS via name_directory_name parameter in public submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "name-directory", "tags": ["xss", "stored-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.32.1"}, "RULE-CVE-2026-3178-02": {"action": "init", "conditions": [{"name": "ARGS:name_directory_description", "type": "regex", "value": "~<[a-zA-Z/!][^>]*>|&#(?:0*6[02]|x0*3[cCeE]);|<|>~i"}, {"name": "ARGS:directory", "type": "exists"}], "cve": "CVE-2026-3178", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3178", "description": "Name Directory <=1.32.1 unauthenticated stored XSS via name_directory_description parameter in public submission form", "method": "POST", "mode": "block", "severity": 7.2, "slug": "name-directory", "tags": ["xss", "stored-xss", "unauthenticated", "shortcode"], "target": "plugin", "versions": "<=1.32.1"}, "RULE-CVE-2026-3180-01": {"ajax_action": "post_cg1l_resend_unconfirmed_mail_frontend", "conditions": [{"name": "ARGS:cgl_mail", "type": "regex", "value": "~\'[ \\t]*(?:OR|AND|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|HAVING|ORDER|GROUP)[ \\t]|\'[ \\t]*--|\'[ \\t]*/[*]|\'[ \\t]*#~i"}], "cve": "CVE-2026-3180", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3180", "description": "Contest Gallery <=28.1.4 unauthenticated SQL injection via cgl_mail in post_cg1l_resend_unconfirmed_mail_frontend", "method": "POST", "mode": "block", "severity": 7.5, "slug": "contest-gallery", "tags": ["sql-injection", "unauthenticated", "blind-sqli"], "target": "plugin", "versions": "<=28.1.4"}, "RULE-CVE-2026-3180-02": {"ajax_action": "post_cg_login", "conditions": [{"name": "ARGS:cgl_mail", "type": "regex", "value": "~\'[ \\t]*(?:OR|AND|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|HAVING|ORDER|GROUP)[ \\t]|\'[ \\t]*--|\'[ \\t]*/[*]|\'[ \\t]*#~i"}], "cve": "CVE-2026-3180", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3180", "description": "Contest Gallery <=28.1.4 unauthenticated SQL injection via cgl_mail in post_cg_login", "method": "POST", "mode": "block", "severity": 7.5, "slug": "contest-gallery", "tags": ["sql-injection", "unauthenticated", "blind-sqli"], "target": "plugin", "versions": "<=28.1.4"}, "RULE-CVE-2026-3180-03": {"ajax_action": "post_cg_login", "conditions": [{"name": "ARGS:cgLostPasswordEmail", "type": "regex", "value": "~\'[ \\t]*(?:OR|AND|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|HAVING|ORDER|GROUP)[ \\t]|\'[ \\t]*--|\'[ \\t]*/[*]|\'[ \\t]*#~i"}], "cve": "CVE-2026-3180", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3180", "description": "Contest Gallery <=28.1.3 unauthenticated SQL injection via cgLostPasswordEmail in post_cg_login", "method": "POST", "mode": "block", "severity": 7.5, "slug": "contest-gallery", "tags": ["sql-injection", "unauthenticated", "blind-sqli"], "target": "plugin", "versions": "<=28.1.3"}, "RULE-CVE-2026-3222-01": {"ajax_action": "wpgmp_ajax_call", "conditions": [{"name": "ARGS:location_id", "type": "regex", "value": "~(?:UNION[^a-zA-Z]+(?:ALL[^a-zA-Z]+)?SELECT|(?:AND|OR)[^a-zA-Z]+(?:SLEEP|BENCHMARK|IF|CASE)[^a-zA-Z]*[(]|(?:AND|OR)[^a-zA-Z]+[0-9]+[^a-zA-Z]*=[^a-zA-Z]*[0-9]|SLEEP[^a-zA-Z]*[(]|BENCHMARK[^a-zA-Z]*[(])~i"}], "cve": "CVE-2026-3222", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3222", "description": "WP Maps <=4.9.1 unauthenticated time-based blind SQL injection via location_id parameter in wpgmp_ajax_call AJAX handler", "mode": "block", "severity": 7.5, "slug": "wp-google-map-plugin", "tags": ["sql-injection", "unauthenticated", "time-based-blind"], "target": "plugin", "versions": "<=4.9.1"}, "RULE-CVE-2026-3225-01": {"action": "init", "conditions": [{"name": "ARGS:lp-load-ajax", "type": "equals", "value": "delete_question_answer"}, {"type": "missing_capability", "value": "edit_lp_lessons"}], "cve": "CVE-2026-3225", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3225", "description": "LearnPress <=4.3.2.8 missing authorization on delete_question_answer via custom lp-load-ajax dispatcher allows subscriber+ arbitrary quiz answer deletion", "mode": "block", "severity": 4.3, "slug": "learnpress", "tags": ["missing-authorization", "broken-access-control", "data-deletion"], "target": "plugin", "versions": "<=4.3.2.8"}, "RULE-CVE-2026-3226-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/lp/v1/send-email(/|\\\\?|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3226", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3226", "description": "LearnPress <=4.3.2.8 missing authorization on SendEmailAjax REST endpoints allows Subscriber+ to trigger arbitrary email notifications", "method": "POST", "mode": "block", "severity": 4.3, "slug": "learnpress", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=4.3.2.8"}, "RULE-CVE-2026-3228-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:snapFB", "type": "regex", "value": "~(?:<script[ />]|<svg[ />]|on(?:error|load|click|mouseover|focus)[ ]*=|javascript[ ]*:)~i"}], "cve": "CVE-2026-3228", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3228", "description": "NextScripts: Social Networks Auto-Poster <=4.4.6 Stored XSS via snapFB post meta parameter during post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "social-networks-auto-poster-facebook-twitter-g", "tags": ["xss", "stored-xss", "shortcode"], "target": "plugin", "versions": "<=4.4.6"}, "RULE-CVE-2026-32358-01": {"ajax_action": "WPBC_AJX_BOOKING_LISTING", "conditions": [{"name": "ARGS:wh_booking_date", "type": "detectSQLi"}], "cve": "CVE-2026-32358", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32358", "description": "Booking Calendar <=10.14.15 blind SQL injection via date interval parameters in WPBC_AJX_BOOKING_LISTING AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "booking", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=10.14.15"}, "RULE-CVE-2026-32358-02": {"ajax_action": "WPBC_AJX_BOOKING_LISTING", "conditions": [{"name": "ARGS:wh_modification_date", "type": "detectSQLi"}], "cve": "CVE-2026-32358", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32358", "description": "Booking Calendar <=10.14.15 blind SQL injection via modification date interval parameter in WPBC_AJX_BOOKING_LISTING AJAX handler", "method": "POST", "mode": "block", "severity": 7.6, "slug": "booking", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=10.14.15"}, "RULE-CVE-2026-32399-01": {"ajax_action": "query-attachments", "conditions": [{"name": "ARGS:query[s]", "type": "regex", "value": "~(?i)(?:[\'\\"` ][ ]*(?:OR|AND)[ ]+[\'\\"`0-9]|SELECT[ (]+.*FROM[ ]+|SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|UNION[ ]+(?:ALL[ ]+)?SELECT[ ]+|/[*].*[*]/)~"}], "cve": "CVE-2026-32399", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32399", "description": "Media Library Assistant <=3.32 authenticated SQL injection via query[s] in query-attachments AJAX handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "media-library-assistant", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=3.32"}, "RULE-CVE-2026-32399-02": {"ajax_action": "query-attachments", "conditions": [{"name": "ARGS:query[orderby]", "type": "regex", "value": "~(?i)(?:SELECT[ (]+.*FROM[ ]+|SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|IF[ ]*[(]|/[*].*[*]/)~"}], "cve": "CVE-2026-32399", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32399", "description": "Media Library Assistant <=3.32 authenticated SQL injection via query[orderby] in query-attachments AJAX handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "media-library-assistant", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=3.32"}, "RULE-CVE-2026-32399-03": {"ajax_action": "query-attachments", "conditions": [{"name": "ARGS:query[order]", "type": "regex", "value": "~(?i)(?:SELECT[ (]+.*FROM[ ]+|SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|EXTRACTVALUE[ ]*[(]|UPDATEXML[ ]*[(]|IF[ ]*[(]|[\'\\"` ][ ]*(?:OR|AND)[ ]+[\'\\"`0-9]|/[*].*[*]/)~"}], "cve": "CVE-2026-32399", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32399", "description": "Media Library Assistant <=3.32 authenticated SQL injection via query[order] in query-attachments AJAX handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "media-library-assistant", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=3.32"}, "RULE-CVE-2026-32399-04": {"ajax_action": "query-attachments", "conditions": [{"name": "ARGS:query[post_mime_type]", "type": "regex", "value": "~(?i)(?:[\'\\"` ][ ]*(?:OR|AND)[ ]+[\'\\"`0-9]|SELECT[ (]+.*FROM[ ]+|SLEEP[ ]*[(]|BENCHMARK[ ]*[(]|UNION[ ]+(?:ALL[ ]+)?SELECT[ ]+|/[*].*[*]/)~"}], "cve": "CVE-2026-32399", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32399", "description": "Media Library Assistant <=3.32 authenticated SQL injection via query[post_mime_type] in query-attachments AJAX handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "media-library-assistant", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=3.32"}, "RULE-CVE-2026-3243-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/amem/avatar/v1/crop(?:[/?]|$)~"}, {"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env))~i"}], "cve": "CVE-2026-3243", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3243", "description": "Advanced Members <=1.2.5 authenticated path traversal via REST /amem/avatar/v1/crop leading to arbitrary file deletion", "mode": "block", "severity": 8.8, "slug": "advanced-members", "tags": ["path-traversal", "arbitrary-file-deletion", "rest-api"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2026-3243-02": {"ajax_action": "amem_avatar_crop", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env))~i"}], "cve": "CVE-2026-3243", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3243", "description": "Advanced Members <=1.2.5 authenticated path traversal via amem_avatar_crop AJAX handler leading to arbitrary file deletion", "mode": "block", "severity": 8.8, "slug": "advanced-members", "tags": ["path-traversal", "arbitrary-file-deletion", "ajax"], "target": "plugin", "versions": "<=1.2.5"}, "RULE-CVE-2026-32441-01": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "hw_cmt_csv_im_ex"}, {"name": "ARGS:action", "type": "equals", "value": "export"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-32441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32441", "description": "Comments Import & Export <=2.4.9 authenticated (Subscriber+) unauthorized comment export via catch_export_request on init hook", "mode": "block", "severity": 7.7, "slug": "comments-import-export-woocommerce", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2026-32441-02": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "hw_cmt_csv_im_ex"}, {"name": "ARGS:action", "type": "equals", "value": "settings"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-32441", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32441", "description": "Comments Import & Export <=2.4.9 authenticated (Subscriber+) unauthorized settings modification via catch_save_settings on init hook", "mode": "block", "severity": 7.7, "slug": "comments-import-export-woocommerce", "tags": ["missing-authorization", "broken-access-control", "authenticated"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2026-32459-01": {"ajax_action": "cuw_ajax", "conditions": [{"name": "ARGS:order_by", "type": "regex", "value": "~[^a-zA-Z0-9_-]~"}], "cve": "CVE-2026-32459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32459", "description": "UpsellWP <=2.2.4 SQL injection via order_by parameter in cuw_ajax handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "checkout-upsell-and-order-bumps", "tags": ["sql-injection", "blind-sqli", "ajax"], "target": "plugin", "versions": "<=2.2.4"}, "RULE-CVE-2026-32459-02": {"ajax_action": "cuw_ajax", "conditions": [{"name": "ARGS:limit", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2026-32459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32459", "description": "UpsellWP <=2.2.4 SQL injection via limit parameter in cuw_ajax handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "checkout-upsell-and-order-bumps", "tags": ["sql-injection", "blind-sqli", "ajax"], "target": "plugin", "versions": "<=2.2.4"}, "RULE-CVE-2026-32459-03": {"ajax_action": "cuw_ajax", "conditions": [{"name": "ARGS:offset", "type": "regex", "value": "~[^0-9]~"}], "cve": "CVE-2026-32459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32459", "description": "UpsellWP <=2.2.4 SQL injection via offset parameter in cuw_ajax handler", "method": "POST", "mode": "block", "severity": 8.5, "slug": "checkout-upsell-and-order-bumps", "tags": ["sql-injection", "blind-sqli", "ajax"], "target": "plugin", "versions": "<=2.2.4"}, "RULE-CVE-2026-32461-01": {"ajax_action": "rsssl_force_confirm_email", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-32461", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32461", "description": "Really Simple SSL <=9.5.7 missing authorization on rsssl_force_confirm_email AJAX handler", "mode": "block", "severity": 5.3, "slug": "really-simple-ssl", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=9.5.7"}, "RULE-CVE-2026-32461-02": {"ajax_action": "rsssl_resend_verification_email", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-32461", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32461", "description": "Really Simple SSL <=9.5.7 missing authorization on rsssl_resend_verification_email AJAX handler", "mode": "block", "severity": 5.3, "slug": "really-simple-ssl", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=9.5.7"}, "RULE-CVE-2026-32485-01": {"ajax_action": "wpuf_draft_post", "conditions": [{"name": "ARGS:post_id", "type": "regex", "value": "~^[0-9]+$~"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-32485", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32485", "description": "WP User Frontend <=4.2.8 unauthenticated broken access control allows modifying arbitrary draft posts via wpuf_draft_post AJAX action with post_id parameter", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-user-frontend", "tags": ["broken-access-control", "missing-authorization", "unauthenticated"], "target": "plugin", "versions": "<=4.2.8"}, "RULE-CVE-2026-32494-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^ays-slider~"}, {"name": "ARGS:type", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|</?(?:iframe|object|embed|img|svg|details|math)[\\\\s/>])~i"}], "cve": "CVE-2026-32494", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32494", "description": "Image Slider by Ays <=2.7.1 reflected XSS via type parameter in admin notices", "method": "GET", "mode": "block", "severity": 7.1, "slug": "ays-slider", "tags": ["xss", "reflected", "admin-page"], "target": "plugin", "versions": "<=2.7.1"}, "RULE-CVE-2026-32494-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~^ays-slider~"}, {"name": "ARGS:slider", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|</?(?:iframe|object|embed|img|svg|details|math)[\\\\s/>])~i"}], "cve": "CVE-2026-32494", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32494", "description": "Image Slider by Ays <=2.7.1 reflected XSS via slider parameter in admin actions page", "method": "GET", "mode": "block", "severity": 7.1, "slug": "ays-slider", "tags": ["xss", "reflected", "admin-page"], "target": "plugin", "versions": "<=2.7.1"}, "RULE-CVE-2026-32498-01": {"ajax_action": "rm_options_default_payment_method", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-32498", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32498", "description": "RegistrationMagic <=6.0.7.6 missing authorization on rm_options_default_payment_method AJAX handler allows authenticated users to modify payment settings", "mode": "block", "severity": 7.5, "slug": "custom-registration-form-builder-with-submission-manager", "tags": ["missing-authorization", "broken-access-control", "settings-change"], "target": "plugin", "versions": "<=6.0.7.6"}, "RULE-CVE-2026-32499-01": {"action": "init", "conditions": [{"name": "ARGS:qc_bot_str_fields", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|[\'\\"]\\\\s*(?:OR|AND)\\\\s+[\'\\"]?[0-9]+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?[0-9]+|(?:[\'\\"][0-9])\\\\s*AND\\\\s+(?:SLEEP|BENCHMARK)\\\\s*\\\\(|SLEEP\\\\s*\\\\(\\\\s*[0-9]|BENCHMARK\\\\s*\\\\(\\\\s*[0-9]|/\\\\*[!+]|\'\\\\s*(?:OR|AND)\\\\s+[a-zA-Z0-9_]+\\\\s*(?:--|#)\\\\s|[\'\\"]\\\\s*--\\\\s|[0-9]\\\\s*--\\\\s)~i"}], "cve": "CVE-2026-32499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32499", "description": "ChatBot <=7.7.9 unauthenticated blind SQL injection via qc_bot_str_fields on init hook", "mode": "block", "severity": 9.3, "slug": "chatbot", "tags": ["sql-injection", "unauthenticated", "blind-sqli"], "target": "plugin", "versions": "<=7.7.9"}, "RULE-CVE-2026-32499-02": {"ajax_action": "wpbo_search_site", "conditions": [{"name": "ARGS:s", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|[\'\\"]\\\\s*(?:OR|AND)\\\\s+[\'\\"]?[0-9]+[\'\\"]?\\\\s*=\\\\s*[\'\\"]?[0-9]+|(?:[\'\\"][0-9])\\\\s*AND\\\\s+(?:SLEEP|BENCHMARK)\\\\s*\\\\(|SLEEP\\\\s*\\\\(\\\\s*[0-9]|BENCHMARK\\\\s*\\\\(\\\\s*[0-9]|/\\\\*[!+]|\'\\\\s*(?:OR|AND)\\\\s+[a-zA-Z0-9_]+\\\\s*(?:--|#)\\\\s|[\'\\"]\\\\s*--\\\\s|[0-9]\\\\s*--\\\\s)~i"}], "cve": "CVE-2026-32499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32499", "description": "ChatBot <=7.7.9 unauthenticated blind SQL injection via s parameter in wpbo_search_site AJAX handler", "mode": "block", "severity": 9.3, "slug": "chatbot", "tags": ["sql-injection", "unauthenticated", "blind-sqli"], "target": "plugin", "versions": "<=7.7.9"}, "RULE-CVE-2026-32513-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:[0-9]+:\\"~"}], "cve": "CVE-2026-32513", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32513", "description": "JS Archive List <=6.1.7 PHP Object Injection via serialized included/excluded widget settings", "mode": "block", "severity": 8.8, "slug": "jquery-archive-list-widget", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=6.1.7"}, "RULE-CVE-2026-32520-01": {"ajax_action": "rewardswp_create_member", "conditions": [{"name": "ARGS:role", "type": "regex", "value": "~(?:administrator|editor|author|shop_manager)~i"}], "cve": "CVE-2026-32520", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32520", "description": "RewardsWP <=1.0.4 unauthenticated privilege escalation via rewardswp_create_member role parameter", "mode": "block", "severity": 9.8, "slug": "rewardswp", "tags": ["privilege-escalation", "incorrect-privilege-assignment", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2026-32520-02": {"ajax_action": "rewardswp_create_member", "conditions": [{"name": "ARGS_NAMES", "type": "regex", "value": "~wp_capabilities\\\\[~"}], "cve": "CVE-2026-32520", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32520", "description": "RewardsWP <=1.0.4 unauthenticated privilege escalation via rewardswp_create_member wp_capabilities array injection", "mode": "block", "severity": 9.8, "slug": "rewardswp", "tags": ["privilege-escalation", "incorrect-privilege-assignment", "unauthenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2026-32525-01": {"ajax_action": "jet_fb_ssr_validation_ajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:^|[\\\\s\\"\',=:])(?:(?:system|exec|passthru|eval|assert|include|include_once|require|require_once)\\\\s*\\\\(|(?:shell_exec|popen|proc_open|pcntl_exec|create_function|call_user_func|call_user_func_array|unserialize|maybe_unserialize|file_get_contents|file_put_contents|fwrite|fopen|curl_exec|preg_replace_callback|array_map|array_filter|array_reduce|usort|uasort|uksort|array_walk|array_walk_recursive)(?:[\\\\s\\"\',;(]|$))~i"}], "cve": "CVE-2026-32525", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32525", "description": "JetFormBuilder <=3.5.6.1 unauthenticated RCE via dangerous callback in SSR validation AJAX handler", "mode": "block", "severity": 9.9, "slug": "jetformbuilder", "tags": ["code-injection", "remote-code-execution", "unauthenticated"], "target": "plugin", "versions": "<=3.5.6.1"}, "RULE-CVE-2026-32525-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/jet-form-builder/v1/validate-field(?:[/?]|$)~i"}, {"name": "ARGS:callable", "type": "regex", "value": "~^(?:system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|assert|eval|create_function|call_user_func|call_user_func_array)$~i"}], "cve": "CVE-2026-32525", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32525", "description": "JetFormBuilder <=3.5.6.1 unauthenticated RCE via dangerous callback in SSR validation REST endpoint", "mode": "block", "severity": 9.9, "slug": "jetformbuilder", "tags": ["code-injection", "remote-code-execution", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=3.5.6.1"}, "RULE-CVE-2026-32530-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/creator-lms/v1/courses(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-32530", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32530", "description": "Creator LMS <=1.1.18 privilege escalation via missing authorization on REST API course endpoints", "mode": "block", "severity": 8.8, "slug": "creatorlms", "tags": ["privilege-escalation", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=1.1.18"}, "RULE-CVE-2026-32530-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/creator-lms/v1/quiz(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-32530", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32530", "description": "Creator LMS <=1.1.18 privilege escalation via missing authorization on REST API quiz endpoints", "mode": "block", "severity": 8.8, "slug": "creatorlms", "tags": ["privilege-escalation", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=1.1.18"}, "RULE-CVE-2026-32530-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/creator-lms/v1/migration(?:[/?&]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-32530", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32530", "description": "Creator LMS <=1.1.18 privilege escalation via missing authorization on REST API migration endpoint", "mode": "block", "severity": 8.8, "slug": "creatorlms", "tags": ["privilege-escalation", "missing-authorization", "rest-api"], "target": "plugin", "versions": "<=1.1.18"}, "RULE-CVE-2026-32532-01": {"ajax_action": "Save_Form_Data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur|toggle)\\\\s*=|javascript\\\\s*:|<svg[\\\\s/]|<iframe[\\\\s/]|<embed[\\\\s/]|<object[\\\\s/])~i"}], "cve": "CVE-2026-32532", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32532", "description": "Lead Form Builder <=2.0.1 unauthenticated stored XSS via Save_Form_Data form submission fields", "mode": "block", "severity": 7.1, "slug": "lead-form-builder", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=2.0.1"}, "RULE-CVE-2026-32533-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php$~"}, {"name": "ARGS:action", "type": "equals", "value": "latepoint_route_call"}, {"name": "ARGS:route_name", "type": "regex", "value": "~^(bookings|customers|agents|services|locations|transactions|coupons|settings|orders)(__|\\\\.)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-32533", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32533", "description": "LatePoint <=5.2.6 IDOR via admin-post.php latepoint_route_call endpoint", "method": "POST", "mode": "block", "severity": 6.5, "slug": "latepoint", "tags": ["insecure-direct-object-reference", "missing-authorization"], "target": "plugin", "versions": "<=5.2.6"}, "RULE-CVE-2026-32537-01": {"ajax_action": "vp_dynamic_control_callback", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log))~i"}], "cve": "CVE-2026-32537", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32537", "description": "Visual Portfolio <=3.5.1 authenticated local file inclusion via path traversal in vp_dynamic_control_callback AJAX handler", "mode": "block", "severity": 7.5, "slug": "visual-portfolio", "tags": ["local-file-inclusion", "path-traversal", "authenticated"], "target": "plugin", "versions": "<=3.5.1"}, "RULE-CVE-2026-32545-01": {"action": "init", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:<script(?![\\\\s]+src\\\\s*=\\\\s*[\'\\"]https://)[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<img[^>]+\\\\bonerror\\\\b|<svg[^>]+\\\\bonload\\\\b|<iframe[\\\\s/>])~i"}], "cve": "CVE-2026-32545", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32545", "description": "Taboola Pixel <=1.1.4 unauthenticated reflected XSS via front-end query parameters", "mode": "block", "severity": 7.1, "slug": "taboola-pixel", "tags": ["xss", "reflected", "unauthenticated"], "target": "plugin", "versions": "<=1.1.4"}, "RULE-CVE-2026-32546-01": {"action": "init", "conditions": [{"name": "ARGS:rcp_action", "type": "equals", "value": "toggle_auto_renew_off"}, {"name": "ARGS:membership_id", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2026-32546", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-32546", "description": "Restrict Content <=3.2.22 unauthenticated membership auto-renew toggle via rcp_action parameter", "mode": "block", "severity": 7.5, "slug": "restrict-content", "tags": ["missing-authorization", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=3.2.22"}, "RULE-CVE-2026-3296-01": {"ajax_action": "everest_forms_ajax_form_submission", "conditions": [{"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2026-3296", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3296", "description": "Everest Forms <=3.4.3 unauthenticated PHP object injection via serialized payload in form field submission (AJAX path)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "everest-forms", "tags": ["object-injection", "deserialization", "unauthenticated", "stored"], "target": "plugin", "versions": "<=3.4.3"}, "RULE-CVE-2026-3296-02": {"action": "init", "conditions": [{"name": "ARGS:everest_forms[form_id]", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~[OCa]:\\\\d+:[\\"\\\\{]~"}], "cve": "CVE-2026-3296", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3296", "description": "Everest Forms <=3.4.3 unauthenticated PHP object injection via serialized payload in form field submission (non-AJAX init path)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "everest-forms", "tags": ["object-injection", "deserialization", "unauthenticated", "stored"], "target": "plugin", "versions": "<=3.4.3"}, "RULE-CVE-2026-3328-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:post_type", "type": "equals", "value": "admin_form"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:form[redirect]", "type": "regex", "value": "~(?:^|;)(?:O|C|a):\\\\d+:[\\\\\\"{]~"}], "cve": "CVE-2026-3328", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3328", "description": "Frontend Admin by DynamiApps <=3.28.31 authenticated (Editor+) PHP Object Injection via form[redirect] in admin_form post save", "method": "POST", "mode": "block", "severity": 7.2, "slug": "acf-frontend-form-element", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=3.28.31"}, "RULE-CVE-2026-3328-02": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:post_type", "type": "equals", "value": "admin_form"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:form[custom_url]", "type": "regex", "value": "~(?:^|;)(?:O|C|a):\\\\d+:[\\\\\\"{]~"}], "cve": "CVE-2026-3328", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3328", "description": "Frontend Admin by DynamiApps <=3.28.31 authenticated (Editor+) PHP Object Injection via form[custom_url] in admin_form post save", "method": "POST", "mode": "block", "severity": 7.2, "slug": "acf-frontend-form-element", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=3.28.31"}, "RULE-CVE-2026-3328-03": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:post_type", "type": "equals", "value": "admin_form"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:form[update_message]", "type": "regex", "value": "~(?:^|;)(?:O|C|a):\\\\d+:[\\\\\\"{]~"}], "cve": "CVE-2026-3328", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3328", "description": "Frontend Admin by DynamiApps <=3.28.31 authenticated (Editor+) PHP Object Injection via form[update_message] in admin_form post save", "method": "POST", "mode": "block", "severity": 7.2, "slug": "acf-frontend-form-element", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=3.28.31"}, "RULE-CVE-2026-3328-04": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:post_type", "type": "equals", "value": "admin_form"}, {"name": "ARGS:action", "type": "equals", "value": "editpost"}, {"name": "ARGS:form[custom_fields_save]", "type": "regex", "value": "~(?:^|;)(?:O|C|a):\\\\d+:[\\\\\\"{]~"}], "cve": "CVE-2026-3328", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3328", "description": "Frontend Admin by DynamiApps <=3.28.31 authenticated (Editor+) PHP Object Injection via form[custom_fields_save] in admin_form post save", "method": "POST", "mode": "block", "severity": 7.2, "slug": "acf-frontend-form-element", "tags": ["object-injection", "deserialization", "authenticated"], "target": "plugin", "versions": "<=3.28.31"}, "RULE-CVE-2026-3352-01": {"action": "admin_init", "conditions": [{"name": "ARGS:easy_php_settings_wp_memory_settings[wp_memory_limit]", "type": "regex", "value": "~[\';$(){}]~"}], "cve": "CVE-2026-3352", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3352", "description": "Easy PHP Settings <=1.0.4 PHP code injection via wp_memory_limit in update_wp_memory_constants()", "method": "POST", "mode": "block", "severity": 7.2, "slug": "easy-php-settings", "tags": ["code-injection", "php-code-injection", "authenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2026-3352-02": {"action": "admin_init", "conditions": [{"name": "ARGS:easy_php_settings_wp_memory_settings[wp_max_memory_limit]", "type": "regex", "value": "~[\';$(){}]~"}], "cve": "CVE-2026-3352", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3352", "description": "Easy PHP Settings <=1.0.4 PHP code injection via wp_max_memory_limit in update_wp_memory_constants()", "method": "POST", "mode": "block", "severity": 7.2, "slug": "easy-php-settings", "tags": ["code-injection", "php-code-injection", "authenticated"], "target": "plugin", "versions": "<=1.0.4"}, "RULE-CVE-2026-3459-01": {"ajax_action": "dnd_codedropz_upload", "conditions": [{"name": "ARGS:supported_type", "type": "regex", "value": "~[*]~"}], "cve": "CVE-2026-3459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3459", "description": "Drag and Drop Multiple File Upload CF7 <=1.3.9.5 unauthenticated arbitrary file upload via wildcard supported_type parameter", "method": "POST", "mode": "block", "severity": 8.1, "slug": "drag-and-drop-multiple-file-upload-contact-form-7", "tags": ["arbitrary-file-upload", "unauthenticated", "file-type-validation"], "target": "plugin", "versions": "<=1.3.9.5"}, "RULE-CVE-2026-3459-03": {"ajax_action": "dnd_codedropz_upload_delete", "conditions": [{"name": "ARGS:path", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\/]){2,}|/etc/passwd|(?:^|[\\\\/])(?:wp-config\\\\.php|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log)$)~i"}], "cve": "CVE-2026-3459", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3459", "description": "Drag and Drop Multiple File Upload CF7 <=1.3.9.5 unauthenticated arbitrary file deletion via path traversal in delete handler", "method": "POST", "mode": "block", "severity": 8.1, "slug": "drag-and-drop-multiple-file-upload-contact-form-7", "tags": ["arbitrary-file-deletion", "path-traversal", "unauthenticated"], "target": "plugin", "versions": "<=1.3.9.5"}, "RULE-CVE-2026-3464-01": {"ajax_action": "cuar_attach_file", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:/|\\\\\\\\)etc(?:/|\\\\\\\\)passwd|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2026-3464", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3464", "description": "WP Customer Area <=8.3.4 authenticated arbitrary file read/deletion via path traversal in cuar_attach_file AJAX handler", "mode": "block", "severity": 8.8, "slug": "customer-area", "tags": ["path-traversal", "arbitrary-file-read", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=8.3.4"}, "RULE-CVE-2026-3464-02": {"ajax_action": "cuar_remove_attached_file", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:/|\\\\\\\\)etc(?:/|\\\\\\\\)passwd|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2026-3464", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3464", "description": "WP Customer Area <=8.3.4 authenticated arbitrary file deletion via path traversal in cuar_remove_attached_file AJAX handler", "mode": "block", "severity": 8.8, "slug": "customer-area", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=8.3.4"}, "RULE-CVE-2026-34885-01": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "query-attachments"}, {"name": "ARGS:query[s]", "type": "regex", "value": "~(?:UNION[\\\\s/\\\\*]+(?:ALL[\\\\s/\\\\*]+)?SELECT[\\\\s/\\\\*]+|;[\\\\s/\\\\*]*(?:DROP|DELETE|INSERT|UPDATE)[\\\\s/\\\\*]+|\\\\b(?:OR|AND)[\\\\s/\\\\*]+[\'\\"]?[0-9]+[\'\\"]?[\\\\s/\\\\*]*=[\\\\s/\\\\*]*[\'\\"]?[0-9]+|/\\\\*[\\\\S\\\\s]*?\\\\*/|--\\\\s*$|[\'\\")0-9]\\\\s*#[\\\\s\\\\S]*$)~i"}], "cve": "CVE-2026-34885", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-34885", "description": "Media Library Assistant <=3.34 authenticated SQL injection via query[s] in query-attachments AJAX handler", "mode": "block", "severity": 8.5, "slug": "media-library-assistant", "tags": ["sql-injection", "authenticated", "media-library"], "target": "plugin", "versions": "<=3.34"}, "RULE-CVE-2026-34885-02": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "query-attachments"}, {"name": "ARGS:query[mla_search_value]", "type": "regex", "value": "~(?:UNION[\\\\s/\\\\*]+(?:ALL[\\\\s/\\\\*]+)?SELECT[\\\\s/\\\\*]+|;[\\\\s/\\\\*]*(?:DROP|DELETE|INSERT|UPDATE)[\\\\s/\\\\*]+|\\\\b(?:OR|AND)[\\\\s/\\\\*]+[\'\\"]?[0-9]+[\'\\"]?[\\\\s/\\\\*]*=[\\\\s/\\\\*]*[\'\\"]?[0-9]+|/\\\\*[\\\\S\\\\s]*?\\\\*/|[\'\\")0-9]\\\\s*(?:--|#)\\\\s*$)~i"}], "cve": "CVE-2026-34885", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-34885", "description": "Media Library Assistant <=3.34 authenticated SQL injection via query[mla_search_value] in query-attachments AJAX handler", "mode": "block", "severity": 8.5, "slug": "media-library-assistant", "tags": ["sql-injection", "authenticated", "media-library"], "target": "plugin", "versions": "<=3.34"}, "RULE-CVE-2026-34885-03": {"action": "init", "conditions": [{"name": "ARGS:action", "type": "equals", "value": "query-attachments"}, {"name": "ARGS:query[orderby]", "type": "regex", "value": "~(?:UNION[\\\\s/\\\\*]+(?:ALL[\\\\s/\\\\*]+)?SELECT[\\\\s/\\\\*]+|;[\\\\s/\\\\*]*(?:DROP|DELETE|INSERT|UPDATE)[\\\\s/\\\\*]+|,[\\\\s/\\\\*]*\\\\([\\\\s/\\\\*]*SELECT[\\\\s/\\\\*]+|\\\\b(?:OR|AND)[\\\\s/\\\\*]+[\'\\"]?[0-9]+[\'\\"]?[\\\\s/\\\\*]*=[\\\\s/\\\\*]*[\'\\"]?[0-9]+|/\\\\*[\\\\S\\\\s]*?\\\\*/|[\'\\")0-9]\\\\s*(?:--|#)\\\\s*$)~i"}], "cve": "CVE-2026-34885", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-34885", "description": "Media Library Assistant <=3.34 authenticated SQL injection via query[orderby] in query-attachments AJAX handler", "mode": "block", "severity": 8.5, "slug": "media-library-assistant", "tags": ["sql-injection", "authenticated", "media-library"], "target": "plugin", "versions": "<=3.34"}, "RULE-CVE-2026-3499-01": {"ajax_action": "adt_migrate_to_custom_post_type", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3499", "description": "Product Feed PRO for WooCommerce >=13.4.6 <=13.5.2.1 CSRF on adt_migrate_to_custom_post_type AJAX handler", "mode": "block", "severity": 8.8, "slug": "woo-product-feed-pro", "tags": ["csrf", "missing-nonce", "state-change"], "target": "plugin", "versions": ">=13.4.6 <=13.5.2.1"}, "RULE-CVE-2026-3499-02": {"ajax_action": "adt_clear_custom_attributes_product_meta_keys", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3499", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3499", "description": "Product Feed PRO for WooCommerce >=13.4.6 <=13.5.2.1 CSRF on adt_clear_custom_attributes_product_meta_keys AJAX handler", "mode": "block", "severity": 8.8, "slug": "woo-product-feed-pro", "tags": ["csrf", "missing-nonce", "state-change"], "target": "plugin", "versions": ">=13.4.6 <=13.5.2.1"}, "RULE-CVE-2026-3550-04": {"ajax_action": "rockpress_check_services", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3550", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3550", "description": "FT RockPress <=1.0.17 missing authorization on rockpress_check_services AJAX handler allows subscriber+ to perform system connection checks", "mode": "block", "severity": 5.3, "slug": "ft-rockpress", "tags": ["missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.0.17"}, "RULE-CVE-2026-3584-01": {"ajax_action": "kaliforms_form_process", "conditions": [{"name": "ARGS:data[{entryCounter}]", "type": "regex", "value": "~^\\\\\\\\?(?:system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|assert|create_function|call_user_func|call_user_func_array|phpinfo|file_put_contents|file_get_contents|unlink|rmdir|mail|header|preg_replace)$~i"}], "cve": "CVE-2026-3584", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3584", "description": "Kali Forms <=2.4.9 unauthenticated RCE via placeholder overwrite in kaliforms_form_process using {entryCounter}", "method": "POST", "mode": "block", "severity": 9.8, "slug": "kali-forms", "tags": ["code-injection", "remote-code-execution", "unauthenticated", "callable-injection"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2026-3585-01": {"ajax_action": "tribe_aggregator_create_import", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|file\\\\s*://)~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3585", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3585", "description": "The Events Calendar <=6.15.17 authenticated (Author+) arbitrary file read via path traversal in tribe_aggregator_create_import AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "the-events-calendar", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=6.15.17"}, "RULE-CVE-2026-3585-02": {"ajax_action": "tribe_aggregator_create_import", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|(?:^|[\\\\\\\\/])\\\\.env(?:$|[^a-zA-Z0-9])|debug\\\\.log|(?:^|[\\\\\\\\/])error_log(?:$|[^a-zA-Z0-9]))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3585", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3585", "description": "The Events Calendar <=6.15.17 authenticated (Author+) arbitrary file read via sensitive file path in tribe_aggregator_create_import AJAX handler", "method": "POST", "mode": "block", "severity": 7.5, "slug": "the-events-calendar", "tags": ["path-traversal", "arbitrary-file-read", "authenticated"], "target": "plugin", "versions": "<=6.15.17"}, "RULE-CVE-2026-3589-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wc/store/v1/batch([/?&]|$)~i"}, {"name": "ARGS:requests[/\\\\d+/][path]", "type": "regex", "value": "~^/(?!wc/store[/?])~i"}], "cve": "CVE-2026-3589", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3589", "description": "WooCommerce >=5.4.0 <=10.5.2 CSRF via Store API batch endpoint routing sub-requests to arbitrary non-Store REST endpoints. Covers both form-urlencoded and JSON body (application/json) POST variants via transparent JSON body parsing.", "method": "POST", "mode": "block", "severity": 7.5, "slug": "woocommerce", "tags": ["csrf", "broken-access-control", "rest-api", "batch-route-hijack"], "target": "plugin", "versions": ">=5.4.0 <=10.5.2"}, "RULE-CVE-2026-3629-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php~"}, {"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2026-3629", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3629", "description": "Import and export users and customers <=1.29.7 unauthenticated privilege escalation via wp_capabilities parameter during registration", "method": "POST", "mode": "block", "severity": 8.1, "slug": "import-users-from-csv-with-meta", "tags": ["privilege-escalation", "unauthenticated", "improper-privilege-management"], "target": "plugin", "versions": "<=1.29.7"}, "RULE-CVE-2026-3629-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(?:profile|user-edit)\\\\.php~"}, {"name": "ARGS:wp_capabilities", "type": "exists"}], "cve": "CVE-2026-3629", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3629", "description": "Import and export users and customers <=1.29.7 authenticated privilege escalation via wp_capabilities parameter during profile update", "method": "POST", "mode": "block", "severity": 8.1, "slug": "import-users-from-csv-with-meta", "tags": ["privilege-escalation", "improper-privilege-management"], "target": "plugin", "versions": "<=1.29.7"}, "RULE-CVE-2026-3629-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-login\\\\.php~"}, {"name": "ARGS:wp_capabilities[administrator]", "type": "exists"}], "cve": "CVE-2026-3629", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3629", "description": "Import and export users and customers <=1.29.7 privilege escalation via wp_capabilities bracket notation during registration", "method": "POST", "mode": "block", "severity": 8.1, "slug": "import-users-from-csv-with-meta", "tags": ["privilege-escalation", "unauthenticated", "improper-privilege-management"], "target": "plugin", "versions": "<=1.29.7"}, "RULE-CVE-2026-3629-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/(?:profile|user-edit)\\\\.php~"}, {"name": "ARGS:wp_capabilities[administrator]", "type": "exists"}], "cve": "CVE-2026-3629", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3629", "description": "Import and export users and customers <=1.29.7 privilege escalation via wp_capabilities bracket notation during profile update", "method": "POST", "mode": "block", "severity": 8.1, "slug": "import-users-from-csv-with-meta", "tags": ["privilege-escalation", "improper-privilege-management"], "target": "plugin", "versions": "<=1.29.7"}, "RULE-CVE-2026-3643-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/otm-ac/v1/update-widget-options(?:[/?]|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3643", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3643", "description": "Accessibly <=3.0.3 unauthenticated stored XSS via REST API update-widget-options endpoint", "method": "POST", "mode": "block", "severity": 7.2, "slug": "otm-accessibly", "tags": ["xss", "stored", "missing-authorization", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=3.0.3"}, "RULE-CVE-2026-3844-01": {"ajax_action": "save_settings_tab_basic", "conditions": [{"name": "ARGS:breeze-store-gravatars-locally", "type": "equals", "value": "1"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-3844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3844", "description": "Breeze Cache <=2.4.4 - block enabling \'Host Files Locally Gravatars\' setting (defense in depth; prevents activating the vulnerable code path)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "breeze", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated", "configuration-block"], "target": "plugin", "versions": "<=2.4.4"}, "RULE-CVE-2026-3844-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/(?:wp-comments-post\\\\.php(?:\\\\?|$)|(?:index\\\\.php\\\\?rest_route=/)?wp(?:-json)?/wp/v2/comments(?:/|\\\\?|$))~"}, {"name": "ARGS:/^(?:author|email|url|author_name|author_email|author_url|comment_author(?:_email|_url)?)$/", "type": "regex", "value": "~\\\\bsrc(?:set)?\\\\s*=\\\\s*[\\"\']?\\\\s*https?://[^\\\\s\\"\'<>]{1,500}\\\\.(?:php[3-8s]?|phtml|phar|pht|inc|phps|jsp|aspx?|cgi|pl|py|rb|sh|exe|htaccess)(?:[?#/\\\\s\\"\'&]|$)~i"}], "cve": "CVE-2026-3844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3844", "description": "Breeze Cache <=2.4.4 - block comment submission carrying src/srcset payload pointing to executable extension (Stage 1; attacker seeds malicious gravatar URL via author fields, which Breeze\'s loose regex extracts and fetches)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "breeze", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated", "server-side-fetch"], "target": "plugin", "versions": "<=2.4.4"}, "RULE-CVE-2026-3844-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/(?:wp-comments-post\\\\.php(?:\\\\?|$)|(?:index\\\\.php\\\\?rest_route=/)?wp(?:-json)?/wp/v2/comments(?:/|\\\\?|$))~"}, {"name": "ARGS:/^(?:author|email|url|author_name|author_email|author_url|comment_author(?:_email|_url)?)$/", "type": "regex", "value": "~\\\\bsrc(?:set)?\\\\s*=\\\\s*[\\"\']?\\\\s*https?://~i"}], "cve": "CVE-2026-3844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3844", "description": "Breeze Cache <=2.4.4 - block embedded src/srcset URL injection in any of\\nthe comment-form fields shared with RULE-02, without requiring an\\nexecutable file extension on the source URL. Mirrors RULE-02\'s\\nfield-source set and keyword pattern but drops the URL extension\\nconstraint, since the plugin writes the cached file based on fetch-time\\nContent-Type rather than source-URL extension. Closes the\\nnon-exec-extension bypass class on the Stage-1 surface.\\n", "method": "POST", "mode": "block", "severity": 9.8, "slug": "breeze", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated", "server-side-fetch", "bypass-fix"], "target": "plugin", "versions": "<=2.4.4"}, "RULE-CVE-2026-3844-05": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/(?:wp-comments-post\\\\.php(?:\\\\?|$)|(?:index\\\\.php\\\\?rest_route=/)?wp(?:-json)?/wp/v2/comments(?:/|\\\\?|$))~"}, {"name": "ARGS:srcset", "type": "regex", "value": "~^\\\\s*https?://~i"}], "cve": "CVE-2026-3844", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3844", "description": "Breeze Cache <=2.4.4 - block a structurally-suspicious standalone POST\\nfield carrying an http(s):// URL on comment-submission endpoints. Native\\nWordPress comment forms do not POST this field, so its presence with a\\nURL value is consistent only with attacker-driven URL injection aimed at\\ncircumventing RULE-02\'s named-field allowlist. The plugin\'s URL extractor\\nscans the entire POST array, so this rule covers fields outside RULE-02\'s\\nsource set.\\n", "method": "POST", "mode": "block", "severity": 9.8, "slug": "breeze", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated", "server-side-fetch", "bypass-fix"], "target": "plugin", "versions": "<=2.4.4"}, "RULE-CVE-2026-3876-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^|/)wp-comments-post\\\\.php~"}, {"name": "ARGS:comment", "type": "regex", "value": "~\\\\[prismatic_encoded\\\\b[^\\\\]]*(?:on(?:mouse(?:over|out|down|up|move|enter|leave)|error|load|focus|blur|click|dblclick|key(?:down|up|press)|change|submit|reset|select|abort|unload|resize|scroll|beforeunload|hashchange|pointerover|pointerenter|animationend|transitionend)\\\\s*=|javascript\\\\s*:|<script[\\\\s/>])~i"}], "cve": "CVE-2026-3876", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3876", "description": "Prismatic <=3.7.3 unauthenticated stored XSS via prismatic_encoded pseudo-shortcode in comment body", "method": "POST", "mode": "block", "severity": 7.2, "slug": "prismatic", "tags": ["xss", "stored", "unauthenticated", "comment-injection"], "target": "plugin", "versions": "<=3.7.3"}, "RULE-CVE-2026-39466-01": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "blc_local"}, {"name": "ARGS:filter_id", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|/\\\\*[^*]*\\\\*/|\'|\\\\\\\\|--\\\\s)~i"}], "cve": "CVE-2026-39466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-39466", "description": "Broken Link Checker <=2.4.7 authenticated blind SQL injection via filter_id parameter on links page", "method": "GET", "mode": "block", "severity": 7.6, "slug": "broken-link-checker", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2026-39466-02": {"ajax_action": "blc_link_details", "conditions": [{"name": "ARGS:link_id", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|/\\\\*[^*]*\\\\*/|\'|\\\\\\\\|--\\\\s)~i"}], "cve": "CVE-2026-39466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-39466", "description": "Broken Link Checker <=2.4.7 authenticated blind SQL injection via link_id in blc_link_details AJAX handler", "mode": "block", "severity": 7.6, "slug": "broken-link-checker", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2026-39466-03": {"ajax_action": "blc_discard", "conditions": [{"name": "ARGS:link_id", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\b(?:OR|AND)\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|/\\\\*[^*]*\\\\*/|\'|\\\\\\\\|--\\\\s)~i"}], "cve": "CVE-2026-39466", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-39466", "description": "Broken Link Checker <=2.4.7 authenticated blind SQL injection via link_id in blc_discard AJAX handler", "mode": "block", "severity": 7.6, "slug": "broken-link-checker", "tags": ["sql-injection", "blind-sqli", "authenticated"], "target": "plugin", "versions": "<=2.4.7"}, "RULE-CVE-2026-39479-01": {"action": "admin_init", "conditions": [{"name": "ARGS:status_filter", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|(?:--|#)\\\\s|/\\\\*[\\\\s\\\\S]*?\\\\*/|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"]?\\\\d)~i"}, {"name": "ARGS:page", "type": "regex", "value": "~suretriggers~"}], "cve": "CVE-2026-39479", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-39479", "description": "OttoKit (SureTriggers) <=1.1.20 authenticated (admin+) blind SQL injection via status_filter parameter in outgoing requests admin page", "method": "GET", "mode": "block", "severity": 7.6, "slug": "suretriggers", "tags": ["sql-injection", "blind-sqli", "authenticated", "admin-page"], "target": "plugin", "versions": "<=1.1.20"}, "RULE-CVE-2026-39479-02": {"action": "admin_init", "conditions": [{"name": "ARGS:orderby", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|(?:--|#)\\\\s|/\\\\*[\\\\s\\\\S]*?\\\\*/|\\\\(\\\\s*SELECT\\\\b)~i"}, {"name": "ARGS:page", "type": "regex", "value": "~suretriggers~"}], "cve": "CVE-2026-39479", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-39479", "description": "OttoKit (SureTriggers) <=1.1.20 authenticated (admin+) blind SQL injection via orderby parameter in outgoing requests admin page", "method": "GET", "mode": "block", "severity": 7.6, "slug": "suretriggers", "tags": ["sql-injection", "blind-sqli", "authenticated", "admin-page"], "target": "plugin", "versions": "<=1.1.20"}, "RULE-CVE-2026-39479-03": {"action": "admin_init", "conditions": [{"name": "ARGS:order", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|(?:--|#)\\\\s|/\\\\*[\\\\s\\\\S]*?\\\\*/|\\\\(\\\\s*SELECT\\\\b|[^A-Z](?:ASC|DESC)[^A-Z].*(?:ASC|DESC|SELECT|SLEEP|BENCHMARK))~i"}, {"name": "ARGS:page", "type": "regex", "value": "~suretriggers~"}], "cve": "CVE-2026-39479", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-39479", "description": "OttoKit (SureTriggers) <=1.1.20 authenticated (admin+) blind SQL injection via order parameter in outgoing requests admin page", "method": "GET", "mode": "block", "severity": 7.6, "slug": "suretriggers", "tags": ["sql-injection", "blind-sqli", "authenticated", "admin-page"], "target": "plugin", "versions": "<=1.1.20"}, "RULE-CVE-2026-39495-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ssa/v1/~"}, {"name": "ARGS", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/\\\\*[\\\\s\\\\S]*?\\\\*/|(?:--|#)\\\\s|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|\\\\bEXTRACTVALUE\\\\s*\\\\(|\\\\bUPDATEXML\\\\s*\\\\()~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-39495", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-39495", "description": "Simply Schedule Appointments <=1.6.9.27 authenticated (Contributor+) SQL injection via REST API", "mode": "block", "severity": 8.5, "slug": "simply-schedule-appointments", "tags": ["sql-injection", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.6.9.27"}, "RULE-CVE-2026-3986-01": {"action": "admin_init", "conditions": [{"name": "ARGS:form_structure", "type": "regex", "value": "~(?:<script[\\\\s/>]|\\\\bon(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<iframe[\\\\s/>]|<svg[\\\\s/>]|<object[\\\\s/>]|<embed[\\\\s/>])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-3986", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-3986", "description": "Calculated Fields Form <=5.4.5.0 authenticated (Contributor+) stored XSS via form_structure parameter containing unsanitized fcontent in fhtml field types", "method": "POST", "mode": "block", "severity": 6.4, "slug": "calculated-fields-form", "tags": ["xss", "stored", "authenticated", "insufficient-sanitization"], "target": "plugin", "versions": "<=5.4.5.0"}, "RULE-CVE-2026-4021-01": {"ajax_action": "post_cg1l_login_user_by_key", "conditions": [{"name": "ARGS:cglKey", "type": "exists"}, {"type": "missing_capability", "value": "read"}], "cve": "CVE-2026-4021", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4021", "description": "Contest Gallery <=28.1.5 unauthenticated account takeover via post_cg1l_login_user_by_key AJAX action (key-based login after type-confusion activation key overwrite)", "method": "POST", "mode": "block", "severity": 8.1, "slug": "contest-gallery", "tags": ["authentication-bypass", "privilege-escalation", "unauthenticated"], "target": "plugin", "versions": "<=28.1.5"}, "RULE-CVE-2026-4056-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/user-registration/v1/content-access-rules(?:/|\\\\?|&|$)~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4056", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4056", "description": "User Registration & Membership <=5.1.4 missing authorization on Content Access Rules REST API allows Contributor+ to create/read/update/delete/toggle/duplicate content restriction rules", "mode": "block", "severity": 5.4, "slug": "user-registration", "tags": ["missing-authorization", "broken-access-control", "rest-api"], "target": "plugin", "versions": "<=5.1.4"}, "RULE-CVE-2026-4061-01": {"ajax_action": "geo_mashup_query", "conditions": [{"name": "ARGS:map_post_type", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\()~i"}], "cve": "CVE-2026-4061", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4061", "description": "Geo Mashup <=1.13.18 unauthenticated SQL injection via map_post_type parameter in geo_mashup_query AJAX handler", "mode": "block", "severity": 7.5, "slug": "geo-mashup", "tags": ["sql-injection", "unauthenticated", "ajax"], "target": "plugin", "versions": "<=1.13.18"}, "RULE-CVE-2026-40744-01": {"ajax_action": "fl_builder_export_templates_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\b(?:SLEEP|BENCHMARK|EXTRACTVALUE|UPDATEXML)\\\\s*\\\\(|/\\\\*[!+]|(?:--|#)\\\\s)~i"}, {"type": "missing_capability", "value": "edit_posts"}], "cve": "CVE-2026-40744", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40744", "description": "Beaver Builder <=2.10.1.2 authenticated SQL injection via fl_builder_export_templates_data AJAX handler", "mode": "block", "severity": 8.5, "slug": "beaver-builder-lite-version", "tags": ["sql-injection", "authenticated", "blind-sql-injection"], "target": "plugin", "versions": "<=2.10.1.2"}, "RULE-CVE-2026-40745-01": {"ajax_action": "elementpack_dynamic_select_input_data", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT\\\\s|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|\\\\bSLEEP\\\\s*\\\\(|\\\\bBENCHMARK\\\\s*\\\\(|/\\\\*[!+]|\'\\\\s*(?:OR|AND)\\\\s+[\'\\"\']?\\\\d)~i"}, {"type": "missing_capability", "value": "edit_others_posts"}], "cve": "CVE-2026-40745", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40745", "description": "Element Pack Elementor Addons <=8.4.2 authenticated blind SQL injection via elementpack_dynamic_select_input_data AJAX handler", "mode": "block", "severity": 7.6, "slug": "bdthemes-element-pack-lite", "tags": ["sql-injection", "authenticated", "blind-sqli"], "target": "plugin", "versions": "<=8.4.2"}, "RULE-CVE-2026-4075-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:posts|pages)(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[baf_sbox\\\\s[^\\\\]]*(?:sbox_id|sbox_class|placeholder|highlight_color|highlight_bg|cont_ext_class)\\\\s*=\\\\s*[\\\\\\"\'][^\\\\\\"\']*(?:on[a-z]+=|javascript\\\\s*:|<script[\\\\s/>])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-4075", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4075", "description": "BWL Advanced FAQ Manager Lite <=1.1.1 authenticated (Contributor+) stored XSS via baf_sbox shortcode attributes in REST API post/page creation", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bwl-advanced-faq-manager-lite", "tags": ["xss", "stored", "shortcode", "authenticated", "rest-api"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2026-4075-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[baf_sbox\\\\s[^\\\\]]*(?:sbox_id|sbox_class|placeholder|highlight_color|highlight_bg|cont_ext_class)\\\\s*=\\\\s*[\\\\\\"\'][^\\\\\\"\']*(?:on[a-z]+=|javascript\\\\s*:|<script[\\\\s/>])~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-4075", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4075", "description": "BWL Advanced FAQ Manager Lite <=1.1.1 authenticated (Contributor+) stored XSS via baf_sbox shortcode attributes in classic editor post save", "method": "POST", "mode": "block", "severity": 6.4, "slug": "bwl-advanced-faq-manager-lite", "tags": ["xss", "stored", "shortcode", "authenticated"], "target": "plugin", "versions": "<=1.1.1"}, "RULE-CVE-2026-40764-01": {"ajax_action": "wpforms_admin_forms_overview_save_tags", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-40764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40764", "description": "WPForms Lite <=1.10.0.2 CSRF on save_tags AJAX handler \\u2014 missing nonce and capability check", "mode": "block", "severity": 8.1, "slug": "wpforms-lite", "tags": ["csrf", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.10.0.2"}, "RULE-CVE-2026-40764-02": {"ajax_action": "wpforms_admin_forms_overview_delete_tags", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-40764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40764", "description": "WPForms Lite <=1.10.0.2 CSRF on delete_tags AJAX handler \\u2014 missing nonce and capability check", "mode": "block", "severity": 8.1, "slug": "wpforms-lite", "tags": ["csrf", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.10.0.2"}, "RULE-CVE-2026-40764-03": {"ajax_action": "wpforms_update_lite_connect_enabled_setting", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-40764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40764", "description": "WPForms Lite <=1.10.0.2 CSRF on update_lite_connect_enabled_setting \\u2014 missing nonce and capability check", "mode": "block", "severity": 8.1, "slug": "wpforms-lite", "tags": ["csrf", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.10.0.2"}, "RULE-CVE-2026-40764-04": {"ajax_action": "wpforms_lite_connect_finalize", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-40764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40764", "description": "WPForms Lite <=1.10.0.2 CSRF on lite_connect_finalize \\u2014 missing nonce and capability check", "mode": "block", "severity": 8.1, "slug": "wpforms-lite", "tags": ["csrf", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.10.0.2"}, "RULE-CVE-2026-40764-05": {"ajax_action": "wpforms_lite_settings_upgrade", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-40764", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40764", "description": "WPForms Lite <=1.10.0.2 missing capability check on lite_settings_upgrade AJAX handler", "mode": "block", "severity": 8.1, "slug": "wpforms-lite", "tags": ["csrf", "missing-authorization", "broken-access-control"], "target": "plugin", "versions": "<=1.10.0.2"}, "RULE-CVE-2026-40784-01": {"ajax_action": "fluentform_fluent_board_config", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-40784", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-40784", "description": "FluentBoards <=1.91.2 IDOR via fluentform_fluent_board_config AJAX handler missing authorization", "mode": "block", "severity": 8.1, "slug": "fluent-boards", "tags": ["missing-authorization", "idor", "broken-access-control"], "target": "plugin", "versions": "<=1.91.2"}, "RULE-CVE-2026-4100-02": {"ajax_action": "pmpro_stripe_delete_webhook", "conditions": [{"name": "ARGS:action", "type": "regex", "value": "~^pmpro_stripe_delete_webhook$~"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4100", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4100", "description": "Paid Memberships Pro <=3.6.5 missing authorization on pmpro_stripe_delete_webhook allows authenticated Subscriber+ users to delete Stripe webhooks and disrupt payment processing", "mode": "block", "severity": 7.1, "slug": "paid-memberships-pro", "tags": ["missing-authorization", "service-disruption"], "target": "plugin", "versions": "<=3.6.5"}, "RULE-CVE-2026-42379-04": {"ajax_action": "templately_save_conditions", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-ajax.php"}, {"name": "ARGS:action", "type": "equals", "value": "templately_save_conditions"}, {"name": "ARGS:conditions", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-42379", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-42379", "description": "Templately <=3.6.1 unauthorized condition saving via templately_save_conditions AJAX handler missing capability check", "mode": "block", "severity": 7.7, "slug": "templately", "tags": ["missing-authorization", "sensitive-data-exposure"], "target": "plugin", "versions": "<=3.6.1"}, "RULE-CVE-2026-4248-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\{usermeta:[^}]*(?:password_reset_link|user_pass|session_tokens|user_activation_key)[^}]*\\\\}~i"}], "cve": "CVE-2026-4248", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4248", "description": "Ultimate Member <=2.11.2 authenticated (Contributor+) sensitive usermeta disclosure via {usermeta:} placeholder in post content", "method": "POST", "mode": "block", "severity": 8.0, "slug": "ultimate-member", "tags": ["insecure-direct-object-reference", "sensitive-data-exposure", "stored-content"], "target": "plugin", "versions": "<=2.11.2"}, "RULE-CVE-2026-4283-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "super-unsubscribe"}, {"name": "ARGS:process_now", "type": "exists"}, {"name": "ARGS:email", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4283", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4283", "description": "WP DSGVO Tools (GDPR) <=3.1.38 unauthenticated account destruction via super-unsubscribe process_now branch", "mode": "block", "severity": 9.1, "slug": "shapepress-dsgvo", "tags": ["missing-authorization", "business-logic-abuse", "unauthenticated", "account-destruction"], "target": "plugin", "versions": "<=3.1.38"}, "RULE-CVE-2026-4302-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/optn/v1/integration-action(/|\\\\?|$)~"}, {"name": "ARGS:link", "type": "regex", "value": "~(?:^(?:https?://)?(?:127\\\\.|10\\\\.|172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.|169\\\\.254\\\\.|0\\\\.0\\\\.0\\\\.0|0[.]|0x|\\\\[[:0-9a-fA-F]|localhost))|(?:^(?:gopher|file|dict|ftp|telnet|ldap)://)~i"}], "cve": "CVE-2026-4302", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4302", "description": "Optin (optin) <=1.4.29 unauthenticated SSRF via REST API optn/v1/integration-action link parameter", "method": "POST", "mode": "block", "severity": 7.2, "slug": "optin", "tags": ["ssrf", "unauthenticated", "rest-api", "cwe-918"], "target": "plugin", "versions": "<=1.4.29"}, "RULE-CVE-2026-4306-01": {"ajax_action": "wpjobportal_ajax", "conditions": [{"name": "ARGS:task", "type": "equals", "value": "getNextJobs"}, {"name": "ARGS:radius", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|(?:AND|OR)\\\\s+\\\\d+=\\\\d+|/\\\\*.*\\\\*/|(?:--|#)\\\\s)~i"}], "cve": "CVE-2026-4306", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4306", "description": "WP Job Portal <=2.4.8 unauthenticated SQL injection via radius parameter in getNextJobs AJAX task", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-job-portal", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2026-4306-02": {"ajax_action": "wpjobportal_ajax", "conditions": [{"name": "REQUEST_URI", "type": "contains", "value": "/wp-admin/admin-ajax.php"}, {"name": "ARGS:task", "type": "equals", "value": "getNextTemplateJobs"}, {"name": "ARGS:radius", "type": "regex", "value": "~(?:\\\\bUNION\\\\b\\\\s+(?:\\\\bALL\\\\b\\\\s+)?\\\\bSELECT\\\\b|\\\\b(?:SLEEP|BENCHMARK|EXTRACTVALUE|UPDATEXML)\\\\s*\\\\(|\\\\b(?:AND|OR)\\\\b\\\\s+\\\\d+\\\\s*=\\\\s*\\\\d+\\\\b|/\\\\*[^*]*\\\\*+(?:[^/*][^*]*\\\\*+)*/|(?:--|#)\\\\s*$)~i"}], "cve": "CVE-2026-4306", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4306", "description": "WP Job Portal <=2.4.8 unauthenticated SQL injection via radius parameter in getNextTemplateJobs AJAX task", "method": "POST", "mode": "block", "severity": 7.5, "slug": "wp-job-portal", "tags": ["sql-injection", "unauthenticated"], "target": "plugin", "versions": "<=2.4.8"}, "RULE-CVE-2026-4326-01": {"ajax_action": "afeb_activate_required_plugins", "conditions": [{"type": "missing_capability", "value": "install_plugins"}], "cve": "CVE-2026-4326", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4326", "description": "Vertex Addons for Elementor <=1.6.4 missing authorization on afeb_activate_required_plugins allows subscriber+ arbitrary plugin installation", "mode": "block", "severity": 8.8, "slug": "addons-for-elementor-builder", "tags": ["missing-authorization", "arbitrary-plugin-installation", "privilege-escalation"], "target": "plugin", "versions": "<=1.6.4"}, "RULE-CVE-2026-4329-01": {"action": "init", "conditions": [{"name": "ARGS:page", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:)~i"}], "cve": "CVE-2026-4329", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4329", "description": "Blackhole Bad Bots <=3.8 stored XSS via unescaped bot log data on admin settings page", "mode": "block", "severity": 7.2, "slug": "blackhole-bad-bots", "tags": ["xss", "stored", "unauthenticated"], "target": "plugin", "versions": "<=3.8"}, "RULE-CVE-2026-4331-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php(?:\\\\?|$)~"}, {"name": "ARGS:action", "type": "equals", "value": "b2s_reset_social_meta_tags"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4331", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4331", "description": "Blog2Social <=8.8.2 missing authorization on b2s_reset_social_meta_tags allows subscriber+ deletion of all social meta data", "mode": "block", "severity": 4.3, "slug": "blog2social", "tags": ["missing-authorization", "data-deletion", "authenticated"], "target": "plugin", "versions": "<=8.8.2"}, "RULE-CVE-2026-4333-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/post\\\\.php~"}, {"name": "ARGS:post_content", "type": "regex", "value": "~\\\\[learn_press_courses\\\\b[^\\\\]]*skin\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:on[a-zA-Z]+\\\\s*=|<script|<img|<iframe|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-4333", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4333", "description": "LearnPress <=4.3.3 Stored XSS via learn_press_courses shortcode skin attribute in post content (post editor)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "learnpress", "tags": ["xss", "stored", "shortcode", "authenticated"], "target": "plugin", "versions": "<=4.3.3"}, "RULE-CVE-2026-4333-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/posts(?:/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~\\\\[learn_press_courses\\\\b[^\\\\]]*skin\\\\s*=\\\\s*[\\"\'][^\\"\']*(?:on[a-zA-Z]+\\\\s*=|<script|<img|<iframe|javascript\\\\s*:)[^\\"\']*[\\"\']~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-4333", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4333", "description": "LearnPress <=4.3.3 Stored XSS via learn_press_courses shortcode skin attribute in post content (REST API)", "method": "POST", "mode": "block", "severity": 6.4, "slug": "learnpress", "tags": ["xss", "stored", "shortcode", "rest-api", "authenticated"], "target": "plugin", "versions": "<=4.3.3"}, "RULE-CVE-2026-4335-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/media/[0-9]+~"}, {"name": "ARGS:title", "type": "regex", "value": "~(?:on(?:focus|blur|click|mouse(?:over|out|enter|move)|load|error|keydown|keyup|change|input|submit|reset|drag|drop|pointer(?:down|up|enter|leave))\\\\s*=|<script[\\\\s/>]|javascript\\\\s*:)~i"}, {"type": "missing_capability", "value": "unfiltered_html"}], "cve": "CVE-2026-4335", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4335", "description": "ShortPixel Image Optimizer <=6.4.3 Author+ stored XSS via attachment post_title rendered unescaped in AI editor popup", "method": "POST", "mode": "block", "severity": 5.4, "slug": "shortpixel-image-optimiser", "tags": ["xss", "stored", "authenticated"], "target": "plugin", "versions": "<=6.4.3"}, "RULE-CVE-2026-4347-01": {"action": "template_redirect", "conditions": [{"name": "ARGS:MWF_file", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env))~i"}, {"name": "ARGS:_mw_wp_form_token", "type": "exists"}], "cve": "CVE-2026-4347", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4347", "description": "MW WP Form <=5.1.0 unauthenticated path traversal via file upload move flow (generate_user_filepath / move_temp_file_to_upload_dir)", "method": "POST", "mode": "block", "severity": 8.1, "slug": "mw-wp-form", "tags": ["path-traversal", "arbitrary-file-upload", "unauthenticated"], "target": "plugin", "versions": "<=5.1.0"}, "RULE-CVE-2026-4347-02": {"action": "template_redirect", "conditions": [{"name": "ARGS:MWF_file", "type": "regex", "value": "~\\\\.(?:ph(?:p[0-9s]?|tml?|t|ar)|phs|s?html?|cgi|asp|aspx|jsp|jspx|cfm|user\\\\.ini)$|[\\\\\\\\/]\\\\.htaccess$|[\\\\\\\\/]\\\\.htpasswd$~i"}, {"name": "ARGS:_mw_wp_form_token", "type": "exists"}], "cve": "CVE-2026-4347", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4347", "description": "MW WP Form <=5.1.0 unauthenticated path traversal via crafted uploaded filename in file field", "method": "POST", "mode": "block", "severity": 8.1, "slug": "mw-wp-form", "tags": ["path-traversal", "arbitrary-file-upload", "unauthenticated"], "target": "plugin", "versions": "<=5.1.0"}, "RULE-CVE-2026-4365-01": {"action": "init", "conditions": [{"name": "ARGS:lp-ajax", "type": "equals", "value": "delete_question_answer"}, {"type": "missing_capability", "value": "edit_lp_courses"}], "cve": "CVE-2026-4365", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4365", "description": "LearnPress <=4.3.2.8 unauthenticated arbitrary quiz answer deletion via lp-ajax delete_question_answer", "method": "POST", "mode": "block", "severity": 9.1, "slug": "learnpress", "tags": ["missing-authorization", "data-deletion", "unauthenticated"], "target": "plugin", "versions": "<=4.3.2.8"}, "RULE-CVE-2026-4373-01": {"ajax_action": "jet_form_builder_submit", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\"file\\"\\\\s*:\\\\s*\\"(?:[^\\"]*(?:\\\\.\\\\.[\\\\\\\\/])|/(?:etc|proc|var/log)[\\\\\\\\/])~i"}], "cve": "CVE-2026-4373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4373", "description": "JetFormBuilder <=3.5.6.2 unauthenticated arbitrary file read via path traversal in Media Field JSON preset (AJAX path)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "jetformbuilder", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated"], "target": "plugin", "versions": "<=3.5.6.2"}, "RULE-CVE-2026-4373-02": {"ajax_action": "jet_form_builder_submit", "conditions": [{"name": "ARGS", "type": "regex", "value": "~\\"file\\"\\\\s*:\\\\s*\\"[^\\"]*(?:wp-config\\\\.php|\\\\.htaccess|\\\\.env(?![a-z])|debug\\\\.log|error_log(?![a-z]))~i"}], "cve": "CVE-2026-4373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4373", "description": "JetFormBuilder <=3.5.6.2 unauthenticated arbitrary file read via sensitive file path in Media Field JSON preset (AJAX path)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "jetformbuilder", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated"], "target": "plugin", "versions": "<=3.5.6.2"}, "RULE-CVE-2026-4373-03": {"action": "wp_loaded", "conditions": [{"name": "ARGS:_jfb_form_id", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~\\"file\\"\\\\s*:\\\\s*\\"(?:[^\\"]*(?:\\\\.\\\\.[\\\\\\\\/])|/(?:etc|proc|var/log)[\\\\\\\\/])~i"}], "cve": "CVE-2026-4373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4373", "description": "JetFormBuilder <=3.5.6.2 unauthenticated arbitrary file read via path traversal in Media Field JSON preset (non-AJAX form submission)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "jetformbuilder", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated"], "target": "plugin", "versions": "<=3.5.6.2"}, "RULE-CVE-2026-4373-04": {"action": "wp_loaded", "conditions": [{"name": "ARGS:_jfb_form_id", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~\\"file\\"\\\\s*:\\\\s*\\"[^\\"]*(?:wp-config\\\\.php|\\\\.htaccess|\\\\.env(?![a-z])|debug\\\\.log|error_log(?![a-z]))~i"}], "cve": "CVE-2026-4373", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4373", "description": "JetFormBuilder <=3.5.6.2 unauthenticated arbitrary file read via sensitive file path in Media Field JSON preset (non-AJAX form submission)", "method": "POST", "mode": "block", "severity": 7.5, "slug": "jetformbuilder", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated"], "target": "plugin", "versions": "<=3.5.6.2"}, "RULE-CVE-2026-4484-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/masteriyo/v1/users/instructors/[0-9]+(?:[/?]|$)~"}, {"name": "ARGS:roles", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4484", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4484", "description": "Masteriyo LMS <=2.1.6 authenticated (Student+) privilege escalation to administrator via roles parameter in instructors REST endpoint", "mode": "block", "severity": 9.8, "slug": "learning-management-system", "tags": ["missing-authorization", "privilege-escalation", "rest-api"], "target": "plugin", "versions": "<=2.1.6"}, "RULE-CVE-2026-4659-01": {"ajax_action": "elementor_ajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[/\\\\\\\\]+){2,}|/etc/passwd|[/\\\\\\\\](?:wp-config\\\\.php|\\\\.htaccess|\\\\.env))~i"}], "cve": "CVE-2026-4659", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4659", "description": "Unlimited Elements for Elementor <=2.0.6 authenticated contributor+ arbitrary file read via path traversal in Repeater JSON/CSV URL within Elementor widget settings", "mode": "block", "severity": 7.5, "slug": "unlimited-elements-for-elementor", "tags": ["path-traversal", "arbitrary-file-read", "authenticated", "elementor"], "target": "plugin", "versions": "<=2.0.6"}, "RULE-CVE-2026-4758-01": {"ajax_action": "wpjobportal_ajax", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env(?:$|[^a-zA-Z0-9_])))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4758", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4758", "description": "WP Job Portal <=2.4.9 authenticated arbitrary file deletion via path traversal in wpjobportal_ajax", "mode": "block", "severity": 8.8, "slug": "wp-job-portal", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2026-4758-02": {"ajax_action": "wpjobportal_ajax_popup", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env(?:$|[^a-zA-Z0-9_])))~i"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4758", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4758", "description": "WP Job Portal <=2.4.9 authenticated arbitrary file deletion via path traversal in wpjobportal_ajax_popup", "mode": "block", "severity": 8.8, "slug": "wp-job-portal", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=2.4.9"}, "RULE-CVE-2026-4801-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:pages|posts)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~coblocks/events[\\\\s\\\\S]*?(?:icalFeedUrl|eventsTitle|eventsDescription|eventsLocation)[\\\\s\\\\S]*?<[^>]+(?:on(?:error|load|click|mouseover|focus|blur)\\\\s*=|javascript\\\\s*:|<script[\\\\s/>])~i"}], "cve": "CVE-2026-4801", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4801", "description": "CoBlocks <=3.1.16 stored XSS via Events block iCal feed attributes in Gutenberg REST API", "mode": "block", "severity": 6.4, "slug": "coblocks", "tags": ["xss", "stored", "authenticated", "gutenberg"], "target": "plugin", "versions": "<=3.1.16"}, "RULE-CVE-2026-4801-02": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp/v2/(?:pages|posts)(/|\\\\?|$)~"}, {"name": "ARGS:content", "type": "regex", "value": "~coblocks/events[\\\\s\\\\S]*?icalFeedUrl[\\\\s\\\\S]*?(?:javascript\\\\s*:|<[^>]+on\\\\w+\\\\s*=)~i"}], "cve": "CVE-2026-4801", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4801", "description": "CoBlocks <=3.1.16 stored XSS via Events block iCal feed URL attribute", "mode": "block", "severity": 6.4, "slug": "coblocks", "tags": ["xss", "stored", "authenticated", "gutenberg"], "target": "plugin", "versions": "<=3.1.16"}, "RULE-CVE-2026-4880-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-ajax\\\\.php~"}, {"name": "ARGS:action", "type": "equals", "value": "barcodeScannerConfigs"}, {"name": "ARGS:token", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4880", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4880", "description": "Barcode Scanner and Inventory manager <=1.11.0 unauthenticated token leak via barcodeScannerConfigs AJAX action (GET or POST)", "mode": "block", "severity": 9.8, "slug": "barcode-scanner-lite-pos-to-manage-products-inventory-and-orders", "tags": ["privilege-escalation", "authentication-bypass", "unauthenticated", "token-leak"], "target": "plugin", "versions": "<=1.11.0"}, "RULE-CVE-2026-4880-02": {"ajax_action": "setUserMeta", "conditions": [{"name": "ARGS", "type": "regex", "value": "~(?:wp_capabilities|wp_user_level)~"}], "cve": "CVE-2026-4880", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4880", "description": "Barcode Scanner and Inventory manager <=1.11.0 unauthenticated privilege escalation via setUserMeta AJAX action (wp_capabilities)", "mode": "block", "severity": 9.8, "slug": "barcode-scanner-lite-pos-to-manage-products-inventory-and-orders", "tags": ["privilege-escalation", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.11.0"}, "RULE-CVE-2026-4880-03": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[?&]action=barcodeScannerConfigs(?:&|$)~"}, {"name": "ARGS:token", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-4880", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4880", "description": "Barcode Scanner <=1.11.0 unauthenticated token leak via barcodeScannerConfigs AJAX GET request (REQUEST_URI detection)", "mode": "block", "severity": 9.8, "slug": "barcode-scanner-lite-pos-to-manage-products-inventory-and-orders", "tags": ["privilege-escalation", "authentication-bypass", "unauthenticated", "token-leak"], "target": "plugin", "versions": "<=1.11.0"}, "RULE-CVE-2026-4880-04": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~[/\\\\\\\\]barcode-scanner-lite-pos-to-manage-products-inventory-and-orders[/\\\\\\\\]request\\\\.php~"}, {"name": "ARGS:route", "type": "equals", "value": "setUserMeta"}, {"name": "ARGS", "type": "regex", "value": "~(?:wp_capabilities|wp_user_level)~"}], "cve": "CVE-2026-4880", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4880", "description": "Barcode Scanner and Inventory manager <=1.11.0 unauthenticated privilege escalation via direct request.php setUserMeta endpoint (wp_capabilities)", "method": "POST", "mode": "block", "severity": 9.8, "slug": "barcode-scanner-lite-pos-to-manage-products-inventory-and-orders", "tags": ["privilege-escalation", "broken-access-control", "unauthenticated"], "target": "plugin", "versions": "<=1.11.0"}, "RULE-CVE-2026-4987-01": {"ajax_action": "srfm_create_payment_intent", "conditions": [{"name": "ARGS:form_id", "type": "regex", "value": "~^(?![1-9][0-9]*$)~"}], "cve": "CVE-2026-4987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4987", "description": "SureForms <=2.5.2 unauthenticated payment amount validation bypass via invalid form_id in srfm_create_payment_intent", "mode": "block", "severity": 7.5, "slug": "sureforms", "tags": ["improper-input-validation", "payment-bypass", "unauthenticated"], "target": "plugin", "versions": "<=2.5.2"}, "RULE-CVE-2026-4987-02": {"ajax_action": "srfm_create_subscription_intent", "conditions": [{"name": "ARGS:form_id", "type": "regex", "value": "~^(?![1-9][0-9]*$)~"}], "cve": "CVE-2026-4987", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-4987", "description": "SureForms <=2.5.2 unauthenticated payment amount validation bypass via invalid form_id in srfm_create_subscription_intent", "mode": "block", "severity": 7.5, "slug": "sureforms", "tags": ["improper-input-validation", "payment-bypass", "unauthenticated"], "target": "plugin", "versions": "<=2.5.2"}, "RULE-CVE-2026-5207-01": {"action": "admin_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~admin-ajax\\\\.php~"}, {"name": "ARGS:order", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|IF\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/\\\\*[^*]*\\\\*/)~i"}], "cve": "CVE-2026-5207", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5207", "description": "LifterLMS <=9.2.1 authenticated SQL injection via order parameter in quiz non-attempts reporting (AJAX vector)", "mode": "block", "severity": 6.5, "slug": "lifterlms", "tags": ["sql-injection", "authenticated", "reporting"], "target": "plugin", "versions": "<=9.2.1"}, "RULE-CVE-2026-5207-02": {"action": "admin_init", "conditions": [{"name": "ARGS:page", "type": "equals", "value": "llms-reporting"}, {"name": "ARGS:order", "type": "regex", "value": "~(?:UNION\\\\s+(?:ALL\\\\s+)?SELECT|SLEEP\\\\s*\\\\(|BENCHMARK\\\\s*\\\\(|EXTRACTVALUE\\\\s*\\\\(|UPDATEXML\\\\s*\\\\(|IF\\\\s*\\\\(|;\\\\s*(?:DROP|DELETE|INSERT|UPDATE)\\\\s|/\\\\*[^*]*\\\\*/)~i"}], "cve": "CVE-2026-5207", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5207", "description": "LifterLMS <=9.2.1 authenticated SQL injection via order parameter in quiz non-attempts reporting (admin page vector)", "method": "GET", "mode": "block", "severity": 6.5, "slug": "lifterlms", "tags": ["sql-injection", "authenticated", "reporting"], "target": "plugin", "versions": "<=9.2.1"}, "RULE-CVE-2026-5231-01": {"action": "admin_init", "conditions": [{"name": "ARGS:tab", "type": "regex", "value": "~(?:<script[\\\\s/>]|on(?:error|load|mouseover|click|focus|blur)\\\\s*=|javascript\\\\s*:|<img[^>]+on[a-z]+=|<iframe[\\\\s/>]|<svg[\\\\s/>]|<embed[\\\\s/>]|<object[\\\\s/>])~i"}], "cve": "CVE-2026-5231", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5231", "description": "WP Statistics <=14.16.4 reflected XSS via unsanitized tab parameter in admin template", "mode": "block", "severity": 7.2, "slug": "wp-statistics", "tags": ["xss", "reflected", "admin-template"], "target": "plugin", "versions": "<=14.16.4"}, "RULE-CVE-2026-5294-01": {"ajax_action": "geekybot_frontendajax", "conditions": [{"name": "", "type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-5294", "description": "Geeky Bot <=1.2.2 unauthenticated arbitrary plugin installation via geekybot_frontendajax AJAX handler", "mode": "block", "severity": 9.8, "slug": "geeky-bot", "target": "plugin", "versions": "<=1.2.2"}, "RULE-CVE-2026-5364-01": {"ajax_action": "cf7_file_uploads", "conditions": [{"name": "ARGS:type", "type": "regex", "value": "~(?:^|\\\\|)\\\\s*(?:ph(?:p[2-9s]?|tml?|ar)|s?html?|cgi|aspx?|jspx?|cfm|htaccess|user\\\\.ini)\\\\s*(?:\\\\||$)~i"}], "cve": "CVE-2026-5364", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5364", "description": "Drag and Drop File Upload for Contact Form 7 <=1.1.3 unauthenticated arbitrary PHP file upload via extension validation bypass in cf7_file_uploads AJAX handler", "mode": "block", "severity": 8.1, "slug": "drag-and-drop-file-upload-for-contact-form-7", "tags": ["arbitrary-file-upload", "remote-code-execution", "unauthenticated", "extension-bypass"], "target": "plugin", "versions": "<=1.1.3"}, "RULE-CVE-2026-5465-01": {"ajax_action": "wpamelia_api", "conditions": [{"name": "ARGS:call", "type": "regex", "value": "~users/providers/~i"}, {"name": "ARGS:externalId", "type": "exists"}, {"name": "ARGS:password", "type": "exists"}], "cve": "CVE-2026-5465", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5465", "description": "Amelia Booking <=2.1.3 IDOR account takeover via externalId in provider profile update (wpamelia_api)", "method": "POST", "mode": "block", "severity": 8.8, "slug": "ameliabooking", "tags": ["idor", "account-takeover", "insecure-direct-object-reference", "authenticated"], "target": "plugin", "versions": "<=2.1.3"}, "RULE-CVE-2026-5488-01": {"ajax_action": "exactmetrics_ads_get_token", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-5488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5488", "description": "ExactMetrics <=9.1.2 missing authorization on exactmetrics_ads_get_token allows subscriber+ role access to Google Ads OAuth token", "mode": "block", "severity": 5.3, "slug": "google-analytics-dashboard-for-wp", "tags": ["missing-authorization", "authenticated", "broken-access-control"], "target": "plugin", "versions": "<=9.1.2"}, "RULE-CVE-2026-5488-02": {"ajax_action": "exactmetrics_ads_reset_experience", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-5488", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5488", "description": "ExactMetrics <=9.1.2 missing authorization on exactmetrics_ads_reset_experience allows subscriber+ role to reset Google Ads experience", "mode": "block", "severity": 5.3, "slug": "google-analytics-dashboard-for-wp", "tags": ["missing-authorization", "authenticated", "broken-access-control"], "target": "plugin", "versions": "<=9.1.2"}, "RULE-CVE-2026-5710-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/contact-form-7/v1/contact-forms/[0-9]+/feedback(?:[/?]|$)~"}, {"name": "ARGS:mfile", "type": "regex", "value": "~(?:\\\\.\\\\.[\\\\\\\\/]|[\\\\\\\\/])~"}], "cve": "CVE-2026-5710", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5710", "description": "Drag and Drop Multiple File Upload for CF7 <=1.3.9.6 unauthenticated path traversal leading to arbitrary file read via mfile[] parameter on CF7 REST feedback endpoint", "method": "POST", "mode": "block", "severity": 7.5, "slug": "drag-and-drop-multiple-file-upload-contact-form-7", "tags": ["path-traversal", "arbitrary-file-read", "unauthenticated", "rest-api"], "target": "plugin", "versions": "<=1.3.9.6"}, "RULE-CVE-2026-5722-01": {"ajax_action": "wlfmc_waitlist_signup", "conditions": [{"name": "ARGS:token", "type": "exists"}, {"name": "ARGS:email", "type": "exists"}], "cve": "CVE-2026-5722", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5722", "description": "Smart Wishlist for More Convert <=1.9.14 authentication bypass via waitlist token reuse with email change", "mode": "block", "severity": 9.8, "slug": "smart-wishlist-for-more-convert", "tags": ["authentication-bypass", "token-reuse", "cwe-287"], "target": "plugin", "versions": "<=1.9.14"}, "RULE-CVE-2026-5722-02": {"action": "init", "conditions": [{"name": "ARGS:waitlist_verify", "type": "equals", "value": "1"}, {"name": "ARGS:token", "type": "exists"}, {"name": "ARGS:email", "type": "exists"}], "cve": "CVE-2026-5722", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-5722", "description": "Smart Wishlist for More Convert <=1.9.14 authentication bypass via waitlist verification link token reuse (blocks verification endpoint on vulnerable version; legitimate verification clicks also blocked until patched to 1.9.15)", "mode": "block", "severity": 9.8, "slug": "smart-wishlist-for-more-convert", "tags": ["authentication-bypass", "token-reuse", "verification-link", "cwe-287"], "target": "plugin", "versions": "<=1.9.14"}, "RULE-CVE-2026-6229-01": {"action": "init", "conditions": [{"name": "ARGS:csv_url", "type": "regex", "value": "~(?:^(?:https?://)?(?:(?:127\\\\.)|(?:10\\\\.)|(?:172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.)|(?:192\\\\.168\\\\.)|(?:169\\\\.254\\\\.)|(?:0\\\\.)|localhost|\\\\[::1?\\\\]|0x[0-9a-f]|0[0-7])|(?:metadata\\\\.google|169\\\\.254\\\\.169\\\\.254|metadata\\\\.aws)|^(?:file|gopher|dict|ftp|ldap|tftp|php|data|expect|phar)://)~i"}], "cve": "CVE-2026-6229", "description": "Royal Elementor Addons <=1.7.1057 authenticated SSRF via Data Table widget CSV URL parameter", "method": "POST", "mode": "block", "severity": 7.2, "slug": "royal-elementor-addons", "target": "plugin", "versions": "<=1.7.1057"}, "RULE-CVE-2026-6229-02": {"ajax_action": "wpr_data_fetch", "conditions": [{"name": "ARGS:csv_url", "type": "regex", "value": "~(?:^(?:https?://)?(?:(?:127\\\\.)|(?:10\\\\.)|(?:172\\\\.(?:1[6-9]|2[0-9]|3[01])\\\\.)|(?:192\\\\.168\\\\.)|(?:169\\\\.254\\\\.)|(?:0\\\\.)|localhost|\\\\[::1?\\\\]|0x[0-9a-f]|0[0-7])|(?:metadata\\\\.google|169\\\\.254\\\\.169\\\\.254|metadata\\\\.aws)|^(?:file|gopher|dict|ftp|ldap|tftp|php|data|expect|phar)://)~i"}], "cve": "CVE-2026-6229", "description": "Royal Elementor Addons <=1.7.1057 authenticated SSRF via url parameter in Data Table CSV fetch", "mode": "block", "severity": 7.2, "slug": "royal-elementor-addons", "target": "plugin", "versions": "<=1.7.1057"}, "RULE-CVE-2026-6235-01": {"action": "admin_init", "conditions": [{"name": "ARGS:sm_apikey", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-6235", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6235", "description": "Sendmachine for WordPress <=1.0.20 unauthenticated SMTP configuration overwrite via manage_admin_requests", "method": "POST", "mode": "block", "severity": 9.8, "slug": "sendmachine", "tags": ["missing-authorization", "unauthenticated", "configuration-overwrite"], "target": "plugin", "versions": "<=1.0.20"}, "RULE-CVE-2026-6235-02": {"action": "admin_init", "conditions": [{"name": "ARGS:sm_apisecret", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-6235", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6235", "description": "Sendmachine for WordPress <=1.0.20 unauthenticated SMTP configuration overwrite via sm_apisecret", "method": "POST", "mode": "block", "severity": 9.8, "slug": "sendmachine", "tags": ["missing-authorization", "unauthenticated", "configuration-overwrite"], "target": "plugin", "versions": "<=1.0.20"}, "RULE-CVE-2026-6248-01": {"action": "init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~^/wp-admin/admin-post\\\\.php~"}, {"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]passwd|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2026-6248", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6248", "description": "wpForo Forum <=3.0.5 authenticated arbitrary file deletion via path traversal in file-type custom profile field (admin-post.php)", "method": "POST", "mode": "block", "severity": 8.1, "slug": "wpforo", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=3.0.5"}, "RULE-CVE-2026-6248-02": {"action": "init", "conditions": [{"name": "ARGS:wpforo", "type": "exists"}, {"name": "ARGS", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|[\\\\\\\\/]etc[\\\\\\\\/]passwd|wp-config\\\\.php|\\\\.htaccess|\\\\.env)~i"}], "cve": "CVE-2026-6248", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6248", "description": "wpForo Forum <=3.0.5 authenticated arbitrary file deletion via path traversal in file-type custom profile field (front-end profile update)", "method": "POST", "mode": "block", "severity": 8.1, "slug": "wpforo", "tags": ["path-traversal", "arbitrary-file-deletion", "authenticated"], "target": "plugin", "versions": "<=3.0.5"}, "RULE-CVE-2026-6320-01": {"ajax_action": "salon", "conditions": [{"name": "ARGS:file", "type": "regex", "value": "~(?:(?:\\\\.\\\\.[\\\\\\\\/]){2,}|(?:wp-config\\\\.php|/etc/passwd|\\\\.htaccess|\\\\.env|debug\\\\.log|error_log))~i"}], "cve": "CVE-2026-6320", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6320", "description": "Salon Booking System <=10.30.25 unauthenticated arbitrary file read via booking attachment file field path traversal", "mode": "block", "severity": 7.5, "slug": "salon-booking-system", "tags": ["arbitrary-file-read", "path-traversal", "unauthenticated", "file-inclusion"], "target": "plugin", "versions": "<=10.30.25"}, "RULE-CVE-2026-6518-01": {"ajax_action": "cmp_theme_update_install", "conditions": [{"name": "ARGS:file", "type": "exists"}, {"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-6518", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6518", "description": "CMP Coming Soon & Maintenance <=4.1.16 authenticated arbitrary file upload via cmp_theme_update_install AJAX action", "mode": "block", "severity": 8.8, "slug": "cmp-coming-soon-maintenance", "tags": ["arbitrary-file-upload", "remote-code-execution", "missing-authorization"], "target": "plugin", "versions": "<=4.1.16"}, "RULE-CVE-2026-6963-01": {"ajax_action": "wmg_save_provider_config", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-6963", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6963", "description": "WP Mail Gateway <=1.8 missing authorization on wmg_save_provider_config allows subscriber+ privilege escalation", "mode": "block", "severity": 9.8, "slug": "wp-mail-gateway", "tags": ["missing-authorization", "privilege-escalation"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2026-6963-02": {"ajax_action": "wmg_get_saved_configs", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-6963", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6963", "description": "WP Mail Gateway <=1.8 missing authorization on wmg_get_saved_configs allows subscriber+ data disclosure", "mode": "block", "severity": 7.5, "slug": "wp-mail-gateway", "tags": ["missing-authorization", "information-disclosure"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2026-6963-03": {"ajax_action": "wmg_test_provider_config_send_mail", "conditions": [{"type": "missing_capability", "value": "manage_options"}], "cve": "CVE-2026-6963", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-6963", "description": "WP Mail Gateway <=1.8 missing authorization on wmg_test_provider_config_send_mail allows subscriber+ email sending", "mode": "block", "severity": 7.5, "slug": "wp-mail-gateway", "tags": ["missing-authorization", "email-abuse"], "target": "plugin", "versions": "<=1.8"}, "RULE-CVE-2026-7106-01": {"action": "personal_options_update", "conditions": [{"name": "ARGS:hscrm_user_roles", "type": "exists"}, {"type": "missing_capability", "value": "promote_users"}], "cve": "CVE-2026-7106", "cve_link": "https://nvd.nist.gov/vuln/detail/CVE-2026-7106", "description": "Highland Software Custom Role Manager <=1.0.0 authenticated privilege escalation via hscrm_user_roles[] on personal_options_update", "method": "POST", "mode": "block", "severity": 8.8, "slug": "highland-software-custom-role-manager", "tags": ["missing-authorization", "privilege-escalation", "authenticated"], "target": "plugin", "versions": "<=1.0.0"}, "RULE-CVE-2026-900001-01": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/popup-anything-on-click/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support / Essential Plugin supply chain attack: unauthenticated RCE via wpos-analytics REST endpoint. Compromised analytics.essentialplugin.com returns malicious serialized PHP object through unserialize() in class-anylc-admin.php, leading to arbitrary file_put_contents (dropper: wp-comments-posts.php, wp-config.php injection). Shared SDK affects 22 plugins (~200k installs). No CVE assigned \\u2014 synthetic ID.", "method": "POST", "mode": "block", "severity": 10.0, "slug": "popup-anything-on-click", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "ssrf", "backdoor", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-02": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-logo-showcase-responsive-slider/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Logo Showcase plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-logo-showcase-responsive-slider-slider", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-03": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/countdown-timer-ultimate/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Countdown Timer Ultimate plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "countdown-timer-ultimate", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-04": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wprps-post-slider/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Responsive Recent Post Slider plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-responsive-recent-post-slider", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-05": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-news-and-scrolling-widgets/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in SP News and Widget plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "sp-news-and-widget", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-06": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-slick-slider-and-image-carousel/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Slick Slider plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-slick-slider-and-image-carousel", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-07": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/album-and-image-gallery-plus-lightbox/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Album and Image Gallery plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "album-and-image-gallery-plus-lightbox", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-08": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-testimonials-with-rotator-widget/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Testimonial with Widget plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-testimonial-with-widget", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-09": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-blog-and-widget/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Blog and Widgets plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-blog-and-widgets", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-10": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/blog-designer-post-and-widget/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Blog Designer for Post and Widget plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "blog-designer-for-post-and-widget", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-11": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/meta-slider-and-carousel-with-lightbox/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Meta Slider and Carousel plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "meta-slider-and-carousel-with-lightbox", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-12": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/post-grid-and-filter-ultimate/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Post Grid and Filter Ultimate plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "post-grid-and-filter-ultimate", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-13": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/timeline-and-history-slider/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Timeline and History Slider plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "timeline-and-history-slider", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-14": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-responsive-faq-with-category-plugin/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in SP FAQ plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "sp-faq", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-15": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-team-showcase-and-slider/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Team Showcase plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-team-showcase-and-slider", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-17": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-trending-post-slider-and-widget/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Trending Post Slider plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-trending-post-slider-and-widget", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-18": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/featured-post-creative/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Featured Post Creative plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "featured-post-creative", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-19": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/portfolio-and-projects/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Portfolio and Projects plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "portfolio-and-projects", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-20": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/ticker-ultimate/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in Ticker Ultimate plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "ticker-ultimate", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-21": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/video-gallery-and-player/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in HTML5 Video Gallery plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "html5-videogallery-plus-player", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "RULE-CVE-2026-900001-22": {"action": "rest_api_init", "conditions": [{"name": "REQUEST_URI", "type": "regex", "value": "~(?:^/wp-json|(?:^|&|\\\\?)rest_route=)/wp-featured-content-and-slider/v1/analytics(?:[/?]|$)~"}], "cve": "CVE-2026-900001", "description": "WP Online Support supply chain \\u2014 unauthenticated RCE via wpos-analytics REST endpoint in WP Featured Content and Slider plugin", "method": "POST", "mode": "block", "severity": 10.0, "slug": "wp-featured-content-and-slider", "tags": ["supply-chain", "unauthenticated", "rce", "deserialization", "rest-api"], "target": "plugin", "versions": ">=0"}, "TEST-HEARTBEAT": {"action": "init", "conditions": [{"type": "probabilistic", "value": "0.0001"}], "cve": "TEST-HEARTBEAT", "mode": "pass", "severity": 0.1, "target": "core", "versions": ">=1.0.0"}, "TEST-PROBE-STORAGE": {"action": "plugins_loaded", "conditions": [{"name": "storage", "type": "probe", "value": "86400"}], "cve": "TEST-PROBE-STORAGE", "mode": "pass", "severity": 0.1, "target": "core", "versions": ">=1.0.0"}, "TEST-RULE": {"action": "init", "conditions": [{"name": "ARGS:test-rule", "type": "equals", "value": "b3d45e60-53a5-4959-b911-5178baaef7ac"}], "cve": "TEST-CVE", "mode": "block", "severity": 2.0, "target": "core", "versions": ">=1.0.0"}}}', true );