Sucuri reported Formidable Forms / Shortcodes Ultimate exploits in the wild on Monday, November 20th.
– Formidable Forms vulnerability – read more
– Shortcodes Ultimate vulnerability – read more
We have not yet seen exploitation of this vulnerability ourselves, but we decided to write a ModSecurity rule for it anyway.
If your server lists the relevant functions in disable_functions in php.ini, it is not vulnerable to the Linux system command execution part of this attack.
Background for the ModSecurity rule
Request to WordPress admin-ajax.php
The request reaches WordPress through the admin-ajax.php file:
POST /wp-admin/admin-ajax.php
POST parameter before_html:
[su_meta key=1 post_id=1 default='print(privetepta)' filter='assert']
How to make ModSecurity rules for the Formidable Forms / Shortcodes Ultimate vulnerability
Now we need to write a rule to prevent these attacks.
# Chained rule: all three SecRules must match before the request is denied and logged.
# The URI and the before_html argument are lowercased and URL-decoded before matching.
SecRule REQUEST_METHOD "POST" \
    "id:500051,phase:2,t:none,chain,deny,log,msg:'Malware.Expert - WordPress - Shortcodes Ultimate'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "t:none,t:lowercase,t:urldecode,chain"
        SecRule ARGS:before_html "@pm assert eval system escapeshellarg exec passthru proc_open shell_exec" "t:none,t:lowercase,t:urldecode"
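To see what the chained rule actually does before deploying it, here is an added Python emulation (not part of the original post or of the Malware Expert ruleset) that applies the three conditions and the t:lowercase,t:urldecode transforms to constructed sample requests; the sample bodies are made up here and the function names are my own.

```python
"""Offline test of the chained rule above: emulate its three conditions and
the t:lowercase,t:urldecode transforms on constructed sample requests."""
from urllib.parse import parse_qs, unquote_plus

# Phrase list copied from the rule's @pm operator.
PM_PHRASES = ("assert", "eval", "system", "escapeshellarg", "exec",
              "passthru", "proc_open", "shell_exec")


def transform(value: str) -> str:
    """Apply t:lowercase then t:urldecode, in the order the rule lists them."""
    return unquote_plus(value.lower())


def rule_500051_matches(method: str, uri: str, body: str) -> bool:
    """True when every SecRule in the chain would match, i.e. the request is denied.

    method and uri are the raw request-line parts; body is the
    application/x-www-form-urlencoded POST body.
    """
    # SecRule 1: REQUEST_METHOD "POST" with t:none, so an exact comparison.
    if method != "POST":
        return False
    # SecRule 2: REQUEST_URI @contains /wp-admin/admin-ajax.php after transforms.
    if "/wp-admin/admin-ajax.php" not in transform(uri):
        return False
    # SecRule 3: ARGS:before_html @pm <phrases> after transforms. The engine
    # hands ARGS over already form-decoded, which parse_qs reproduces here;
    # @pm is a substring match, so any phrase anywhere in the value is enough.
    args = parse_qs(body, keep_blank_values=True)
    return any(p in transform(v) for v in args.get("before_html", [])
               for p in PM_PHRASES)


# Constructed sample bodies (not captured traffic).
# The page's payload, form-encoded as a browser would send it.
ATTACK_BODY = ("before_html=%5Bsu_meta+key%3D1+post_id%3D1+"
               "default%3D%27print%28privetepta%29%27+filter%3D%27assert%27%5D")
# An ordinary HTML snippet in the same parameter.
BENIGN_BODY = "before_html=%3Cp%3EHello+world%3C%2Fp%3E"
# Harmless text that still contains "eval" and "system" as substrings, so the
# @pm match denies it too: this is the rule's false-positive surface.
FALSE_POSITIVE_BODY = "before_html=Please+evaluate+our+ticket+system"

if __name__ == "__main__":
    for name, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY),
                       ("false positive", FALSE_POSITIVE_BODY)):
        hit = rule_500051_matches("POST", "/wp-admin/admin-ajax.php", body)
        print(f"{name:15s} -> {'DENY' if hit else 'pass'}")
```

The third sample shows that @pm matches substrings, so ordinary text containing words like "evaluate" in before_html is denied as well; watch the audit log for such hits after enabling the rule and tune the phrase list to your site's traffic.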
Final Words
If you don’t want to build your own rules, you can use the Malware Expert ModSecurity rules to protect your web server against vulnerabilities and attacks.