Rule Updates: Changelog

2015.05.14
Rules for Apache: version 1.33
Rules for LiteSpeed: version 1.27
Rules for Nginx: version 1.06

  • CVE-2012-2687 - Multiple XSS vulnerabilities in the Apache HTTP Server 2.4.x before 2.4.3
  • CVE-2012-0984 - Multiple XSS vulnerabilities in XOOPS before 2.5.5
  • CVE-2014-5107 - Information leakage in Concrete5 before 5.6.3
  • CVE-2014-3550 - Multiple XSS vulnerabilities in Moodle 2.7.x before 2.7.1
  • CVE-2014-3547 - Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4
  • Updated list of malware and phishing domains

2015.05.26
Rules for Apache: version 1.34
Rules for LiteSpeed: version 1.28
Rules for Nginx: version 1.07

  • CVE-2015-2195 - Multiple XSS vulnerabilities in the WP Media Cleaner plugin 2.2.6 for WordPress
  • CVE-2015-2199 - Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress
  • CVE-2015-2218 - Multiple XSS vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress
  • CVE-2015-2315 - XSS vulnerability in the WPML plugin before 3.1.9 for WordPress
  • bl_domains updated

2015.06.03
Rules for Apache: version 1.35
Rules for LiteSpeed: version 1.29
Rules for Nginx: version 1.08

  • XSS vulnerability in the Blubrry PowerPress Podcasting plugin before 6.0.1 for WordPress (CVE-2015-1385)
  • XSS vulnerability in the Easing Slider plugin before 2.2.0.7 for WordPress (CVE-2015-1436)
  • XSS vulnerability in the FancyBox plugin for WordPress before 3.0.3 (CVE-2015-1494)
  • XSS vulnerabilities in the Spider Facebook plugin before 1.0.11 for WordPress (CVE-2015-1582)
  • XSS vulnerability in the Google Doc Embedder plugin before 2.5.19 for WordPress (CVE-2015-1879)
  • XSS vulnerability in the Contact Form DB plugin 2.8.26 for WordPress (CVE-2015-2040)
  • XSS vulnerability in the WooCommerce plugin before 2.2.11 (CVE-2015-2069)
  • bl_domains updated

2015.06.10
Rules for Apache: version 1.36
Rules for LiteSpeed: version 1.30
Rules for Nginx: version 1.09

  • Buffer overflow and DoS vulnerability in PHP through 5.5.6 (CVE-2013-6712)
  • Various vulnerabilities in the Slider Revolution Plugin
  • XSS vulnerability in the Ninja Forms plugin before 2.8.9 for WordPress (CVE-2015-2220)
  • XSS vulnerability in the Banner Effect Header plugin before 1.2.8 for WordPress (CVE-2015-1384)
  • Unrestricted upload-by-URL vulnerability in the Pixabay Images plugin before 2.4 for WordPress (CVE-2015-1376)
  • XSS and CSRF vulnerabilities in the AB Google Map Travel (AB-MAP) plugin before 4.0 for WordPress (CVE-2015-2755)
  • CSRF vulnerability in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 (CVE-2015-2293)
  • SQL injection vulnerability in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 (CVE-2015-2292)
  • userdata_bl_domains
  • bl_domains update

2015.06.17
Rules for Apache: version 1.37
Rules for LiteSpeed: version 1.31
Rules for Nginx: version 1.10

  • Possible information disclosure via directory listing fixed
  • CSRF and XSS vulnerabilities in the CrossSlide jQuery plugin 2.0.5 for WordPress (CVE-2015-2089)
  • CSRF and XSS vulnerabilities in the Acobot Live Chat & Contact Form plugin 2.0 for WordPress (CVE-2015-2039)
  • Write file vulnerability in the Pixabay Images plugin before 2.4 for WordPress (CVE-2015-1375)
  • XSS vulnerability in Pixabay Images plugin before 2.4 for WordPress (CVE-2015-1366)
  • Directory traversal vulnerability in the Pixabay Images plugin before 2.4 for WordPress (CVE-2015-1365)
  • bl_domains update
  • false positives fixed

2015.06.23
Rules for Apache: version 1.38
Rules for LiteSpeed: version 1.32
Rules for Nginx: version 1.11

  • Multiple CSRF vulnerabilities in the MailPoet Newsletters WordPress plugin before 2.6.11 (CVE-2014-3907)
  • Multiple CSRF vulnerabilities in the GD Star Rating plugin 19.22 for WordPress (CVE-2014-2838)
  • CSRF and XSS vulnerabilities in the Easy Social Icons plugin before 1.2.3 for WordPress (CVE-2015-2084)
  • CSRF vulnerability in the Contact Form DB plugin before 2.8.32 for WordPress (CVE-2015-1874)
  • XSS vulnerability in the duwasai flashy theme 1.3 and earlier for WordPress (CVE-2015-0901)
  • Multiple XSS vulnerabilities in the Image Metadata Cruncher plugin for WordPress (CVE-2015-1614)
  • Multiple XSS and CSRF vulnerabilities in the Mobile Domain plugin 1.5.2 for WordPress (CVE-2015-1581)
  • XSS vulnerability in the WP Slimstat plugin before 3.9.2 for WordPress (CVE-2015-1204)
  • XSS vulnerability in the April Super Functions Pack plugin before 1.4.8 for WordPress (CVE-2014-100026)
  • Multiple XSS and CSRF vulnerabilities in the Redirection Page plugin 1.2 for WordPress (CVE-2015-1580)
  • XSS vulnerability in the mTouch Quiz plugin before 3.0.7 for WordPress (CVE-2014-100023)
  • SQL injection vulnerability in the mTouch Quiz plugin before 3.0.7 for WordPress (CVE-2014-100022)
  • Multiple XSS vulnerabilities in OrangeHRM before 2.7 (CVE-2012-1507)
  • bl_domains update

2015.07.07
Rules for Apache: version 1.39
Rules for LiteSpeed: version 1.33
Rules for Nginx: version 1.12

  • CSRF vulnerability in the SEO Plugin LiveOptim plugin before 1.1.4-free for WordPress (CVE-2014-100001)
  • SQL injection vulnerability in the Code Futures YourMembers plugin for WordPress (CVE-2014-100003)
  • Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress (CVE-2014-10017)
  • XSS vulnerability in the Pods plugin before 2.5 for WordPress (CVE-2014-7956)
  • Multiple XSS vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress (CVE-2014-10016)
  • CSRF and XSS vulnerabilities in the Pods plugin before 2.5 for WordPress (CVE-2014-7957)
  • CSRF vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress (CVE-2015-0895)
  • SQL injection vulnerability in the GD Star Rating plugin 19.22 for WordPress (CVE-2014-2839)
  • bl_domains update

2015.07.21
Rules for Apache: version 1.40
Rules for LiteSpeed: version 1.34
Rules for Nginx: version 1.13

  • Multiple CSRF vulnerabilities in the Disqus Comment System plugin 2.77 for WordPress (CVE-2014-5346)
  • SQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress (CVE-2014-10013)
  • Privilege escalation (improper access restriction) vulnerability in the Pie Register plugin before 2.0.14 for WordPress (CVE-2014-8802)
  • XSS vulnerability in the Unconfirmed plugin before 1.2.5 for WordPress (CVE-2014-100018)
  • False positives fix
  • bl_domains update

2015.08.05
Rules for Apache: version 1.41
Rules for LiteSpeed: version 1.35
Rules for Nginx: version 1.14

  • XSS vulnerability in the Floating Social Bar plugin before 1.1.6 for WordPress (CVE-2015-5528)
  • XSS vulnerability in the Twitget plugin before 3.3.3 for WordPress (CVE-2014-2995)
  • XSS vulnerability in the Max Foundry MaxButtons plugin before 1.26.1 for WordPress (CVE-2014-7181)
  • XSS vulnerability in the Google Calendar Events plugin before 2.0.4 for WordPress (CVE-2014-7138)
  • XSS vulnerabilities in the Register Plus plugin 3.5.1 and earlier for WordPress (CVE-2010-4402)
  • XSS vulnerability in Landing Pages plugin before 1.8.5 for WordPress (CVE-2015-4065)
  • SQL injection vulnerability in the ajax_survey function in the WordPress Survey and Poll plugin 1.1.7 for WordPress (CVE-2015-2090)
  • SQL injection vulnerability in the NewStatPress plugin before 0.9.9 for WordPress (CVE-2015-4062)
  • SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress (CVE-2015-1393)
  • XSS vulnerability in the NewStatPress plugin before 0.9.9 for WordPress (CVE-2015-4063)
  • CSRF vulnerability in the Login Widget With Shortcode plugin before 3.2.1 for WordPress (CVE-2014-6312)
  • XSS vulnerabilities in MetalGenix GeniXCMS 0.0.3 (CVE-2015-5066)
  • Rule IDs changed
  • False positives fix
  • bl_domains update

2015.08.11
Rules for Apache: version 1.42
Rules for LiteSpeed: version 1.36
Rules for Nginx: version 1.15

  • SQL injection vulnerability in the Landing Pages plugin before 1.8.5 for WordPress (CVE-2015-4064)
  • Open redirect vulnerability in the Redirect function in the StageShow plugin before 5.0.9 for WordPress (CVE-2015-5461)
  • Multiple SQL injection vulnerabilities in the GigPress plugin before 2.3.9 for WordPress (CVE-2015-4066)
  • SQL injection vulnerability in the FeedWordPress plugin before 2015.0514 for WordPress (CVE-2015-4018)
  • Directory traversal vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 (CVE-2015-3301)
  • CSRF vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5530)
  • XSS vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5529)

2015.08.18
Rules for Apache: version 1.43
Rules for LiteSpeed: version 1.37
Rules for Nginx: version 1.16

  • XSS vulnerability in WordPress before 4.2.1 (CVE-2015-3440)
  • Multiple XSS vulnerabilities in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress (CVE-2015-3647)
  • XSS vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress (CVE-2015-2321)
  • Directory traversal vulnerability in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4616)
  • SQL injection vulnerability in Domain Technologie Control (DTC) before 0.32.11 (CVE-2011-5276)
  • Directory traversal vulnerability in Domain Technologie Control (DTC) before 0.34.1 (CVE-2011-5273)
  • SQL injection vulnerability in Cacti before 0.8.8e (CVE-2015-4634)
  • bl_domains update

2015.08.25
Rules for Apache: version 1.44
Rules for LiteSpeed: version 1.38
Rules for Nginx: version 1.17

  • SQL injection vulnerability in WP Symposium plugin before 15.4 for WordPress (CVE-2015-3325)
  • Directory traversal vulnerability in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4616)
  • SQL injection vulnerability in the Spider Event Calendar plugin 1.4.9 for WordPress (CVE-2015-2196)
  • Unrestricted file upload vulnerability in the Simple Ads Manager plugin before 2.5.96 for WordPress (CVE-2015-2825)
  • SQL injection vulnerabilities in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4614)
  • Multiple SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress (CVE-2015-2824)
  • XSS vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress (CVE-2014-7182)
  • SQL injection vulnerabilities in the Powerplay Gallery plugin 3.3 for WordPress (CVE-2015-5599)
  • bl_domains update

2015.09.01
Rules for Apache: version 1.45
Rules for LiteSpeed: version 1.41
Rules for Nginx: version 1.18

  • SQL injection vulnerabilities in the WP Symposium plugin before 15.8 for WordPress (CVE-2015-6522)
  • XSS vulnerability in the qTranslate plugin 2.5.39 and earlier for WordPress (CVE-2015-5535)
  • Unrestricted file upload vulnerability in the ReFlex Gallery plugin before 3.1.4 for WordPress (CVE-2015-4133)
  • XSS vulnerability in the Plupload component, as used in WordPress and other web apps (CVE-2013-0237 / CVE-2015-3439)
  • XML-RPC pingback abuse protection for WordPress (CVE-2013-0235); disabled by default
  • XSS vulnerabilities in phpipam 1.1.010 (CVE-2015-6529)
  • false positives fixes
  • several fixes in previous rules
  • bl_domains update
  • bl_scanners update

2015.09.08
Rules for Apache: version 1.46
Rules for LiteSpeed: version 1.42
Rules for Nginx: version 1.19

  • SQL injection vulnerability in Cacti before 0.8.8d (CVE-2015-4342)
  • SQL injection vulnerability in Cacti before 0.8.8d (CVE-2015-4454)
  • Multiple XSS vulnerabilities in phpLiteAdmin 1.1 (CVE-2015-6518)
  • XSS vulnerability in Cacti before 0.8.8d (CVE-2015-2665)
  • XSS vulnerabilities in Coppermine Photo Gallery (CPG) 1.5.36 (CVE-2015-6528)
  • Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress (CVE-2014-4940)
  • XSS vulnerability in the Google Analytics by Yoast plugin before 5.1.3 for WordPress (CVE-2014-9174)
  • SQL injection vulnerability in the Google Doc Embedder plugin before 2.5.15 for WordPress (CVE-2014-9173)
  • XSS vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress (CVE-2014-9100)
  • bl_domains update

2015.09.15
Rules for Apache: version 1.47
Rules for LiteSpeed: version 1.43
Rules for Nginx: version 1.20

  • Unrestricted file upload vulnerability in the CformsII plugin 14.7 and earlier for WordPress (CVE-2014-9473)
  • XSS vulnerability in the Frontend Uploader plugin 0.9.2 for WordPress (CVE-2014-9444)
  • SQL injection vulnerabilities in SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress (CVE-2014-9178)
  • XSS vulnerability in the YouTube Embed plugin before 3.3.3 for WordPress (CVE-2015-6535)
  • XSS vulnerability in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5 for WordPress (CVE-2014-9098)
  • Unrestricted file upload vulnerability in the Powerplay Gallery plugin 3.3 for WordPress (CVE-2015-5681)
  • Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress (CVE-2015-5482)
  • XSS vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress (CVE-2015-5481)
  • XSS vulnerability in the Contact Form Clean and Simple plugin 4.4.0 and earlier for WordPress (CVE-2014-8955)
  • XSS vulnerability in the WP Symposium plugin before 14.11 for WordPress (CVE-2014-8809)
  • XSS vulnerability in the Navis DocumentCloud plugin before 0.1.1 for WordPress (CVE-2015-2807)
  • XSS vulnerability in the Relevanssi plugin before 3.3.8 for WordPress (CVE-2014-9443)
  • SQL injection vulnerability in the WP Symposium plugin before 14.11 for WordPress (CVE-2014-8810)
  • XSS vulnerability in Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress (CVE-2015-5485)
  • XSS vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress (CVE-2015-3300)
  • XSS vulnerability in Cacti before 0.8.8d (CVE-2015-2665)
  • Directory traversal vulnerability in pimcore before build 3473 (CVE-2015-4425)
  • XSS vulnerability in PHP Font Lib before 0.3.1 (CVE-2015-2570)
  • XSS vulnerability in MantisBT 1.2.13 through 1.2.17 (CVE-2014-8987)
  • XSS vulnerability in WideImage 11.02.19 (CVE-2015-5519)
  • XSS vulnerability in BlackCat CMS 1.1.2 (CVE-2015-5521)
  • bl_domains update
  • False positive fix in rule 211210
  • Nginx rules reorganized

2015.09.22
Rules for Apache: version 1.48
Rules for LiteSpeed: version 1.44
Rules for Nginx: version 1.21

  • XSS vulnerability in the sourceAFRICA plugin 0.1.3 for WordPress (CVE-2015-6920)
  • Directory traversal vulnerability in the DukaPress plugin before 2.5.4 for WordPress (CVE-2014-8799)
  • Directory traversal vulnerability in the DB Backup plugin 4.5 and earlier for WordPress (CVE-2014-9119)
  • Directory traversal vulnerability in the SE HTML5 Album Audio Player plugin 1.1.0 and earlier for WordPress (CVE-2015-4414)
  • Absolute path traversal vulnerability in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress (CVE-2015-5065)
  • XSS vulnerability in Genericons before 3.3.1, as used in WordPress before 4.2.2 (CVE-2015-3429)
  • XSS vulnerability in the MDC Private Message plugin 1.0.0 for WordPress (CVE-2015-6805)
  • XSS vulnerability in the CBI Referral Manager plugin 1.2.1 and earlier for WordPress (CVE-2014-4517)
  • XSS vulnerability in the Web Dorado Spider Video Player (aka WordPress Video Player) plugin before 1.5.2 for WordPress (CVE-2014-8584)
  • bl_domains update

2015.10.09
Rules for Apache: version 1.49
Rules for LiteSpeed: version 1.45
Rules for Nginx: version 1.22

  • XSS vulnerability in the CBI Referral Manager plugin 1.2.1 and earlier for WordPress (CVE-2014-4517)
  • CSRF & XSS vulnerabilities in the Encrypted Contact Form plugin before 1.1 for WordPress (CVE-2015-4010)
  • CSRF vulnerability in the Portfolio plugin before 1.05 for WordPress (CVE-2015-6523)
  • SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress (CVE-2014-6242)
  • XSS vulnerability in the Wordfence Security plugin before 5.1.4 for WordPress (CVE-2014-4664)
  • XSS vulnerability in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress (CVE-2014-6315)
  • Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress (CVE-2014-5460)
  • XSS vulnerability in the EWWW Image Optimizer plugin before 2.0.2 for WordPress (CVE-2014-6243)
  • XSS vulnerability in the Social Connect plugin 1.0.4 and earlier for WordPress (CVE-2014-4551)
  • XSS vulnerability in the BulletProof Security plugin before .51.1 for WordPress (CVE-2014-7958)
  • XSS vulnerability in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before 2.8.16 for WordPress (CVE-2014-7139)
  • XSS vulnerability in the Appointment Booking Calendar plugin before 1.1.8 for WordPress (CVE-2015-7320)
  • SQL injection vulnerability in the BulletProof Security plugin before .51.1 for WordPress (CVE-2014-7959)
  • SQL injection vulnerability in the GB Gallery Slideshow plugin 1.5 for WordPress (CVE-2014-8375)
  • XSS vulnerability in the Gallery - Photo Albums - Portfolio plugin 1.3.47 for WordPress (CVE-2015-7386)
  • XSS vulnerability in OpenDocMan before 1.3.4 (CVE-2015-5625)
  • SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier (CVE-2015-6915)
  • bl_domains update

2015.10.20
Rules for: Apache, LiteSpeed, nginx
Version 1.50

  • CSRF & XSS vulnerability in the WP Smiley plugin 1.4.1 for WordPress (CVE-2015-4140)
  • SQL injection vulnerability in Appointment Booking Calendar plugin before 1.1.8 for WordPress (CVE-2015-7319)
  • XSS vulnerability in the WooCommerce plugin before 2.2.3 for WordPress (CVE-2014-6313)
  • XSS vulnerability in the Contact Bank plugin before 2.0.20 for WordPress (CVE-2014-3841)
  • SQL injection vulnerability in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress (CVE-2014-1854)
  • XSS vulnerability in the MyWebsiteAdvisor Simple Security plugin 1.1.5 and earlier for WordPress (CVE-2014-9570)
  • SQL injection vulnerability in the Users Ultra plugin before 1.5.16 for WordPress (CVE-2015-4109)
  • CSRF & XSS vulnerability in the Facebook Like Box (cardoza-facebook-like-box) plugin before 2.8.3 for WordPress (CVE-2014-9524)
  • XSS vulnerability in the Lazyest Gallery plugin before 1.1.21 for WordPress (CVE-2014-2333)
  • CSRF & XSS vulnerability in the Our Team Showcase (our-team-enhanced) plugin before 1.3 for WordPress (CVE-2014-9523)
  • CSRF & Directory Traversal vulnerability in the TheCartPress eCommerce Shopping Cart plugin before 1.3.9.3 for WordPress (CVE-2015-3986)
  • SQL injection vulnerability in Serendipity before 2.0.2 (CVE-2015-6943)
  • bl_domains update

2015.10.30
Rules for: Apache, LiteSpeed, nginx
Version 1.51

  • CSRF & XSS vulnerability in the Simple Share Buttons Adder plugin before 4.5 for WordPress (CVE-2014-4717)
  • XSS vulnerability in the Pie Register plugin before 2.0.19 for WordPress (CVE-2015-7377)
  • Absolute path traversal vulnerability in the Font plugin before 7.5.1 for WordPress (CVE-2015-7683)
  • SQL injection vulnerabilities in the Pie Register plugin before 2.0.19 for WordPress (CVE-2015-7682)
  • Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 (CVE-2015-6967)
  • SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier (CVE-2015-6915)
  • XSS vulnerability in Dotclear before 2.8.1 (CVE-2015-5651)
  • SQL injection vulnerability in Serendipity before 2.0.2 (CVE-2015-6943)
  • XSS vulnerability in 4images 1.7.11 and earlier (CVE-2015-7708)
  • Unrestricted file upload vulnerability in GLPI before 0.85.3 (CVE-2015-7684)
  • XSS vulnerability in the 2k11 theme in Serendipity before 2.0.2 (CVE-2015-6969)
  • Detection check for the sqlmap tool
  • False positives fixed
  • Revision metadata
  • The Mole vulnerability scanner blacklisted
  • bl_domains update

2015.11.03
Rules for: Apache, LiteSpeed, nginx
Version 1.52

  • SQL injection vulnerabilities in Joomla! 3.2.x before 3.4.5 (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858)
  • CSRF vulnerability in Revive Adserver before 3.2.2 (CVE-2015-7364)
  • Multiple incomplete blacklist vulnerabilities in Serendipity before 2.0.2 (CVE-2015-6968)
  • XSS vulnerability in Serendipity before 2.0.1 (CVE-2015-2289)
  • bl_domains update
  • false positives fix
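The changelog above is the only record of which rule version first covers a given CVE, and several CVEs are listed in more than one release. As an added example (not tooling from the rule vendor or part of this page), the following Python script parses this plain-text format into per-release records and answers the questions a practitioner checking an installed rule set actually asks: which release first shipped a rule for a CVE, which CVEs appear in more than one release, and which CVEs an installed rule version for one web server already covers. It handles both header styles seen above (per-server "Rules for X: version N" lines and the later unified "Rules for: ..." / "Version N" pair). The sample text is a constructed excerpt copied from three of the releases above; server names are lowercased as lookup keys, which is this script's convention.

```python
"""Parse a plain-text rule changelog in the format used on this page and
answer coverage questions about it. Added example, not vendor tooling."""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt copied from three releases in the changelog above.
SAMPLE_CHANGELOG = """\
2015.08.18
Rules for Apache: version 1.43
Rules for LiteSpeed: version 1.37
Rules for Nginx: version 1.16

  • XSS vulnerability in WordPress before 4.2.1 (CVE-2015-3440)
  • Directory traversal vulnerability in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4616)
  • SQL injection vulnerability in Domain Technologie Control (DTC) before 0.32.11 (CVE-2011-5276) and Directory traversal vulnerability in Domain Technologie Control (DTC) before 0.34.1 (CVE-2011-5273)
  • bl_domains update

2015.08.25
Rules for Apache: version 1.44
Rules for LiteSpeed: version 1.38
Rules for Nginx: version 1.17

  • SQL injection vulnerability in WP Symposium plugin before 15.4 for WordPress (CVE-2015-3325)
  • Directory traversal vulnerability in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4616)
  • bl_domains update

2015.10.20
Rules for: Apache, LiteSpeed, nginx
Version 1.50

  • CSRF & XSS vulnerability in the WP Smiley plugin 1.4.1 for WordPress (CVE-2015-4140)
  • bl_domains update
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
PER_SERVER_RE = re.compile(r"^Rules for (\w+): version (\S+)$")
UNIFIED_SERVERS_RE = re.compile(r"^Rules for: (.+)$")
UNIFIED_VERSION_RE = re.compile(r"^Version (\S+)$")


@dataclass
class Release:
    date: str
    versions: dict = field(default_factory=dict)  # server name (lowercase) -> rule version
    entries: list = field(default_factory=list)   # bullet text, continuation lines joined
    cves: list = field(default_factory=list)      # CVE IDs in order of first appearance


def parse_changelog(text):
    releases, current, pending_servers = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DATE_RE.match(line):                 # a new release block starts at a date line
            current = Release(date=line)
            releases.append(current)
            pending_servers = []
            continue
        if current is None:                     # title or other text before the first release
            continue
        m = PER_SERVER_RE.match(line)
        if m:
            current.versions[m.group(1).lower()] = m.group(2)
            continue
        m = UNIFIED_SERVERS_RE.match(line)
        if m:                                   # "Rules for: Apache, LiteSpeed, nginx"
            pending_servers = [s.strip().lower() for s in m.group(1).split(",")]
            continue
        m = UNIFIED_VERSION_RE.match(line)
        if m and pending_servers:               # "Version 1.50" applies to every pending server
            for server in pending_servers:
                current.versions[server] = m.group(1)
            continue
        if line.startswith("•"):
            entry = line.lstrip("•").strip()
            current.entries.append(entry)
        elif current.entries:                   # continuation line of the previous bullet
            current.entries[-1] += " " + line
            entry = current.entries[-1]
        else:
            continue
        for cve in CVE_RE.findall(entry):       # one bullet may cite several CVEs
            if cve not in current.cves:
                current.cves.append(cve)
    return releases


def first_release_with(releases, cve):
    """Earliest release whose entries cite `cve`, or None if it is never listed."""
    return next((r for r in releases if cve in r.cves), None)


def repeated_cves(releases):
    """CVE -> release dates, restricted to CVEs listed in more than one release."""
    seen = {}
    for r in releases:
        for cve in r.cves:
            seen.setdefault(cve, []).append(r.date)
    return {cve: dates for cve, dates in seen.items() if len(dates) > 1}


def version_key(version):
    # Compare numerically: "1.06" < "1.10", which a plain string comparison gets wrong.
    return tuple(int(part) for part in version.split("."))


def covered_cves(releases, server, installed_version):
    """CVEs cited by every release whose rule version for `server` is <= installed_version."""
    covered = set()
    for r in releases:
        v = r.versions.get(server.lower())
        if v is not None and version_key(v) <= version_key(installed_version):
            covered.update(r.cves)
    return covered


if __name__ == "__main__":
    rel = parse_changelog(SAMPLE_CHANGELOG)
    for r in rel:
        print(r.date, r.versions, f"{len(r.cves)} CVEs")
    print("listed more than once:", repeated_cves(rel))
    print("not covered at nginx 1.16:",
          covered_cves(rel, "nginx", "1.50") - covered_cves(rel, "nginx", "1.16"))
```

Feed the full changelog text to `parse_changelog` instead of the sample to query the whole history; the numeric version comparison matters because the Nginx rule versions on this page ("1.06", "1.10") do not sort correctly as strings.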