From 576ec612e07588964781a9a5884df6679866a67e Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:04:44 +0100 Subject: [PATCH 1/4] Add vpatch-CVE-2022-0434 rule --- .../crowdsecurity/vpatch-CVE-2022-0434.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml new file mode 100644 index 00000000000..73e7cc86d89 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2025-11-26 15:04:42 +name: crowdsecurity/vpatch-CVE-2022-0434 +description: 'Detects SQL injection in WordPress Page Views Count plugin via post_ids parameter in REST endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/?rest_route=/pvc/v1/increase/' + - zones: + - ARGS + variables: + - post_ids + transform: + - lowercase + - urldecode + match: + type: contains + value: ') union select ' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'WordPress Page Views Count - SQLI' + classification: + - cve.CVE-2022-0434 + - attack.T1190 + - cwe.CWE-89 From 18c47f2f57a1f9c42e3030059c91e60800a1aefc Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:04:46 +0100 Subject: [PATCH 2/4] Add vpatch-CVE-2022-0434 test config --- .appsec-tests/vpatch-CVE-2022-0434/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2022-0434/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2022-0434/config.yaml b/.appsec-tests/vpatch-CVE-2022-0434/config.yaml new file mode 100644 index 00000000000..f7b135e3d6a --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2022-0434/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-11-26 15:04:42 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-0434.yaml +nuclei_template: CVE-2022-0434.yaml From e7d333bb67de7c382f29fef48bdf67a4faa2fc64 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:04:48 +0100 Subject: [PATCH 3/4] Add CVE-2022-0434.yaml test --- .../vpatch-CVE-2022-0434/CVE-2022-0434.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml diff --git a/.appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml b/.appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml new file mode 100644 index 00000000000..17bcab75243 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2022-0434/CVE-2022-0434.yaml @@ -0,0 +1,18 @@ +## autogenerated on 2025-11-26 15:04:42 +id: CVE-2022-0434 +info: + name: CVE-2022-0434 + author: crowdsec + severity: info + description: CVE-2022-0434 testing + tags: appsec-testing +http: + - raw: + - | + GET /?rest_route=/pvc/v1/increase/1&post_ids=0)%20union%20select%20md5(999999999),null,null%20--%20g HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From d31d80e8eed984f6cac73874c6b24a2f2e076b32 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 26 Nov 2025 16:04:50 +0100 Subject: [PATCH 4/4] Add vpatch-CVE-2022-0434 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index da333d21280..c5dc0ae57aa 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -137,6 +137,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2020-8656 - crowdsecurity/vpatch-CVE-2025-27222 - crowdsecurity/vpatch-CVE-2025-64446 +- crowdsecurity/vpatch-CVE-2022-0434 author: crowdsecurity contexts: - crowdsecurity/appsec_base