Overview for rules released by Trustwave SpiderLabs in June for ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.
ModSecurity Commercial Rules detect attacks or classes of attacks on web applications and their components as well as provide virtual patches for public vulnerabilities.
Release Summary
- WordPress Plugin JobSearch < 1.5.1 XSS
- WordPress Plugin Careerfy < 3.9.0 XSS
- WordPress Plugin Newspaper < 10.3.4 XSS
- WordPress Plugin AdRotate < 5.8.4 SQLi
- WordPress Plugin Delightful Downloads <= 1.6.6 Directory Traversal CVE-2017-1000170
- WordPress Plugin KingComposer < 2.9.4 Directory Traversal
- WordPress Plugin KingComposer < 2.9.4 XSS
- WordPress Plugin Xenon Theme < 1.3 XSS CVE-2020-14010
- WordPress Plugin Rank Math 0.9 - 1.0.42.1 Authentication Bypass
- WordPress Plugin Testimonial Rotator < 3.0.3 XSS
- WordPress Plugin SportsPress < 2.7.2 XSS CVE-2020-13892
- WordPress Plugin Elementor Page Builder < 2.9.10 XSS CVE-2020-13864
- WordPress Plugin Blog2Social < 6.3.1 SQLi
- WordPress Plugin Page Builder: PageLayer < 1.1.2 pagelayer_update_content XSS
- WordPress Plugin Page Builder: PageLayer < 1.1.2 pagelayer-address XSS
- WordPress Plugin Final Tiles Gallery < 3.4.19 XSS CVE-2020-14962
- Joomla! Plugin J2 Store 3.3.11 SQLi
- WordPress <= 5.2.3 Directory traversal
- WordPress Plugin VRView <= 1.1.3/VRView library < 2.0.2/WP-VR-view <= 1.6 XSS
- WordPress Plugin Team Members < 5.0.4 XSS
- WordPress Plugin Form Maker 5.4.1/Form Maker by 10Web <= 1.13.35 SQLi
- WordPress Plugin MapPress Maps Pro < 2.54.6 RCE CVE-2020-12675
- WordPress Plugin MapPress Maps Pro < 2.53.9 RCE CVE-2020-12077
- WordPress Plugin Official MailerLite Sign Up Forms < 1.4.5 SQLi
- WordPress Plugin Add-on SweetAlert Contact Form 7 < 1.0.8 XSS
- WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 RCE CVE-2020-12800
- Joomla! Plugin XCloner Backup 3.5.3 LFI
- WordPress Plugin Multi-Scheduler 1.0.0 CSRF
- WordPress Plugin ThirstyAffiliates < 3.9.3 XSS
- WordPress Plugin Photo Gallery by 10Web <1.5.55 SQLi
How to Update
All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and enabled for all licensed servers. To verify the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and verify the server "Last seen" date, which indicates the last successful download for the specified server.
