Overview of the rules released by Trustwave SpiderLabs in October for the ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.
ModSecurity Commercial Rules detect attacks, or classes of attacks, on web applications and their components, and also provide virtual patches for publicly disclosed vulnerabilities.
Release Summary
WordPress Plugin WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF CVE-2023-1624
WordPress Plugin Custom Post Type UI < 1.13.5 - Debug Info Sending via CSRF CVE-2023-1623
WordPress Plugin Ajax Search Lite Pro < 4.26.2 - Multiple Reflected Cross-Site Scripting CVE-2023-1435
WordPress Plugin Ajax Search Lite < 4.11.1, Pro < 4.26.2 - Reflected Cross-Site Scripting CVE-2023-1420
WordPress Plugin WP VR < 8.3.0 - Subscriber+ Arbitrary Tour Update CVE-2023-1414
WordPress Plugin Easy Forms for MailChimp < 6.8.8 - Reflected XSS CVE-2023-1324
WordPress Plugin Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated SQLi CVE-2023-1020
WordPress Plugin Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated Stored XSS CVE-2023-0899
WordPress Plugin Random Text <= 0.3.0 - Subscriber+ SQLi CVE-2023-0388
WordPress Plugin Custom Post Type and Taxonomy GUI Manager <= 1.1 - Stored XSS via CSRF CVE-2023-0420
WordPress Plugin MyCryptoCheckout < 2.124 - Reflected XSS CVE-2023-1546
WordPress Plugin Quick Paypal Payments < 5.7.26.4 - Admin+ Stored XSS CVE-2023-1554
How to Update
All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and are enabled for all licensed servers. To verify that the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and check the server's "Last seen" date, which indicates the last successful download for that server.