Overview for rules released by Trustwave SpiderLabs in December for ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.
ModSecurity Commercial Rules detect attacks or classes of attacks on web applications and their components as well as provide virtual patches for public vulnerabilities.
Release Summary
WordPress Plugin Easy Forms for Mailchimp < 6.8.9 - Reflected XSS CVE-2023-2518
WordPress Plugin Loginizer 1.7.8 - Reflected XSS CVE-2023-2296
WordPress Plugin Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting CVE-2023-2256
WordPress Plugin AP Pricing Tables Lite <= 1.1.6 - Admin+ SQLi CVE-2023-0900
WordPress Plugin 10WebSocial < 1.2.9 - Reflected XSS CVE-2023-2503
WordPress Plugin Quiz Maker < 6.4.2.7 - Reflected XSS CVE-2023-2571
WordPress Plugin Survey Maker < 3.4.7 - Reflected XSS CVE-2023-2572
WordPress Plugin Stop Spammers Security < 2023 - Reflected XSS CVE-2023-2488
WordPress Plugin Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.61 - Reflected XSS CVE-2023-2472
WordPress Plugin ConvertKit < 2.2.1 - Reflected XSS CVE-2023-2337
WordPress Plugin Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal CVE-2023-2117
WordPress Plugin HollerBox < 2.1.4 - Admin+ SQL Injection CVE-2023-2111
WordPress Plugin Custom 404 Pro < 3.7.3 - Reflected Cross-Site Scripting CVE-2023-2023
How to Update
All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and enabled for all licensed servers. To verify the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and verify the server "Last seen" date, which indicates the last successful download for the specified server.
