Overview for rules released by Trustwave SpiderLabs in August for ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.
ModSecurity Commercial Rules detect attacks or classes of attacks on web applications and their components as well as provide virtual patches for public vulnerabilities.
Release Summary
WordPress Plugin OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF CVE-2023-1093
WordPress Plugin OAuth Single Sign On - SSO (OAuth Client) Premium < 38.4.9 Enterprise < 48.4.9 Standard < 28.4.9 Free < 6.24.2 IdP Deletion via CSRF CVE-2023-1092
WordPress Plugin Multiple e-plugins - Subscriber+ Privilege Escalation CVE-2020-36666
WordPress Plugin WP Dark Mode < 4.0.8 - Subscriber+ Local File Inclusion CVE-2023-0467
WordPress Plugin Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF CVE-2023-1089
WordPress Plugin WP Plugin Manager < 1.1.8 - Arbitrary Plugin Activation via CSRF CVE-2023-1088
WordPress Plugin WC Sales Notification < 1.2.3 - Arbitrary Plugin Activation via CSRF CVE-2023-1087
WordPress Plugin Preview Link Generator < 1.0.4 - Arbitrary Plugin Activation via CSRF CVE-2023-1086
WordPress Plugin Ever Compare < 1.2.4 - Arbitrary Plugin Activation via CSRF CVE-2023-0505
WordPress Plugin HT Politic < 2.3.8 - Arbitrary Plugin Activation via CSRF CVE-2023-0504
WordPress Plugin Free WooCommerce Theme 99fy Extension < 1.2.8 - Arbitrary Plugin Activation via CSRF CVE-2023-0503
WordPress Plugin QuickSwish < 1.1.0 - Arbitrary Plugin Activation via CSRF CVE-2023-0499
WordPress Plugin WP Education < 1.2.7 - Arbitrary Plugin Activation via CSRF CVE-2023-0498
WordPress Plugin HT Portfolio < 1.1.6 - Arbitrary Plugin Activation via CSRF CVE-2023-0497
WordPress Plugin HT Event < 1.4.6 - Arbitrary Plugin Activation via CSRF CVE-2023-0496
WordPress Plugin HT Slider For Elementor < 1.4.0 - Arbitrary Plugin Activation via CSRF CVE-2023-0495
WordPress Plugin Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks < 1.1.6 - Arbitrary Plugin Activation via CSRF CVE-2023-0484
WordPress Plugin WP News <= 1.1.9 - Arbitrary Plugin Activation via CSRF CVE-2023-0502
WordPress Plugin WP Insurance < 2.1.4 - Arbitrary Plugin Activation via CSRF CVE-2023-0501
WordPress Plugin WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF CVE-2023-0500
WordPress Plugin OoohBoi Steroids for Elementor < 2.1.5 - Subscriber+ Attachment Deletion CVE-2023-0336
WordPress Plugin WP Shamsi <= 4.3.3 - Subscriber+ Attachment Deletion CVE-2023-0335
WordPress Plugin Gallery Blocks with Lightbox < 3.0.8 - Subscriber+ Arbitrary Options Update CVE-2023-0441
WordPress Plugin WP Statistics < 14.0 - Authenticated SQLi CVE-2023-0955
How to Update
All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and enabled for all licensed servers. To verify the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and verify the server "Last seen" date, which indicates the last successful download for the specified server.
