From 746775135247092f050ad79206a7ca7055903329 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:01:19 +0100 Subject: [PATCH 1/4] Add vpatch-CVE-2022-0434 rule --- .../crowdsecurity/vpatch-CVE-2022-0434.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml new file mode 100644 index 00000000000..2c472e7694d --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2025-11-26 15:01:16 +name: crowdsecurity/vpatch-CVE-2022-0434 +description: 'Detects unauthenticated SQL injection in WordPress Page Views Count plugin via post_ids parameter in REST endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/?rest_route=/pvc/v1/increase/' + - zones: + - ARGS + variables: + - post_ids + transform: + - lowercase + - urldecode + match: + type: contains + value: 'union select' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'WordPress Page Views Count - SQLI' + classification: + - cve.CVE-2022-0434 + - attack.T1190 + - cwe.CWE-89 From 5d197463209fe0393a44d9a119b403f6787289e9 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:01:21 +0100 Subject: [PATCH 2/4] Add vpatch-CVE-2022-0434 test config --- .appsec-tests/vpatch-CVE-2022-0434/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2022-0434/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2022-0434/config.yaml b/.appsec-tests/vpatch-CVE-2022-0434/config.yaml new file mode 100644 index 00000000000..44bb514ad2e --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2022-0434/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-11-26 15:01:16 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml +nuclei_template: CVE-2022-0434.yaml From 679bdbb159b6a44afd54956f1b4054f1fb224fef Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:01:22 +0100 Subject: [PATCH 3/4] Add CVE-2022-0434.yaml test --- .../vpatch-CVE-2022-0434/CVE-2022-0434.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml diff --git a/.appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml b/.appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml new file mode 100644 index 00000000000..99dfb043983 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml @@ -0,0 +1,18 @@ +## autogenerated on 2025-11-26 15:01:16 +id: CVE-2022-0434 +info: + name: CVE-2022-0434 + author: crowdsec + severity: info + description: CVE-2022-0434 testing + tags: appsec-testing +http: + - raw: + - | + GET /?rest_route=/pvc/v1/increase/1&post_ids=0)%20union%20select%20md5(999999999),null,null%20--%20g HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 93afdcde9f3db38c46631e437e4fa22cee7d9d82 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:01:24 +0100 Subject: [PATCH 4/4] Add vpatch-CVE-2022-0434 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index da333d21280..c5dc0ae57aa 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -137,6 +137,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2020-8656 - crowdsecurity/vpatch-CVE-2025-27222 - crowdsecurity/vpatch-CVE-2025-64446 +- crowdsecurity/vpatch-CVE-2022-0434 author: crowdsecurity contexts: - crowdsecurity/appsec_base