Overview for rules released by Trustwave SpiderLabs in April for ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.
ModSecurity Commercial Rules detect attacks or classes of attacks on web applications and their components as well as provide virtual patches for public vulnerabilities.
Release Summary
WordPress Plugin amministrazione-aperta 3.7.3 LFI
WordPress Plugin Mycred < 2.4.4.1 - Subscriber+ User E-mail Information Disclosure CVE-2022-0287
WordPress Plugin Anti-Malware Security and Brute-Force Firewall < 4.20.96 XSS CVE-2022-0953
WordPress Plugin Master Elements <= 8.0 SQLi CVE-2022-0693
WordPress Plugin Users Ultra <= 3.1.0 SQLi CVE-2022-0769
WordPress Plugin 5 Stars Rating Funnel < 1.2.53 Unauthenticated SQLi CVE-2022-0657
WordPress Plugin Nimble Page Builder < 3.1.32 < 3.2.2 XSS CVE-2022-0314
WordPress Plugin English WordPress Admin < 1.5.2 Open Redirect CVE-2021-25111
WordPress Plugin Donations <= 1.8 Unauthenticated SQLi CVE-2022-0782
WordPress Plugin LifterLMS PayPal < 1.4.0 XSS CVE-2022-1250
WordPress Plugin Tipsacarrier <= 1.4.4.2 Information Disclosure CVE-2021-25002
WordPress Plugin Documentor <= 1.5.3 Unauthenticated SQLi CVE-2022-0773
WordPress Plugin Ad Invalid Click Protector (AICP) < 1.2.7 XSS
WordPress Plugin Ad Invalid Click Protector (AICP) < 1.2.7 CSRF CVE-2022-0191
WordPress Plugin Easy Google Maps < 1.9.32 XSS CVE-2021-46780
WordPress Plugin Pricing Table by Supsystic < 1.9.5 XSS CVE-2021-46782
WordPress Plugin Menubar < 5.8 XSS CVE-2022-1152
How to Update
All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and enabled for all licensed servers. To verify the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and verify the server "Last seen" date, which indicates the last successful download for the specified server.
