ModSecurity Rules for Formidable Forms / Shortcodes Ultimate vulnerability

Sucuri reported Formidable Forms / Shortcodes Ultimate exploits in the wild on Monday, November 20th.

– Formidable Forms vulnerability – read more
– Shortcodes Ultimate vulnerability – read more

We have not yet seen exploitation of this vulnerability ourselves, but we decided to write a ModSecurity rule for it anyway.

If your server lists the relevant functions in disable_functions in php.ini, the payload cannot run Linux system commands on your server.

Background for the ModSecurity rules

Request to WordPress admin-ajax.php

The request reaches WordPress through the admin-ajax.php file:

POST /wp-admin/admin-ajax.php

The payload is carried in the POST parameter before_html:

[su_meta key=1 post_id=1 default='print(privetepta)' filter='assert']

How to make ModSecurity rules for the Formidable Forms / Shortcodes Ultimate vulnerability

Now we need a rule to block these attacks. The three SecRule lines are chained: the request is denied only when the method is POST, the URI contains /wp-admin/admin-ajax.php, and the before_html parameter contains one of the listed PHP function names.

SecRule REQUEST_METHOD   "POST" "id:500051,phase:2,t:none,chain,deny,log,msg:'Malware.Expert - WordPress - Shortcodes Ultimate'"
SecRule REQUEST_URI      "@contains /wp-admin/admin-ajax.php" "t:none,t:lowercase,t:urldecode,chain"
SecRule ARGS:before_html "@pm assert eval system escapeshellarg exec passthru proc_open shell_exec" "t:none,t:lowercase,t:urldecode"
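To check what the chained rule above actually matches before deploying it, here is an added Python emulation of its logic (example code written for this post, not Malware Expert's rule set or ModSecurity itself). It assumes, as ModSecurity's form body processor does, that ARGS values arrive already decoded once, so the rule's t:urldecode is a second decode; the sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# Keyword list copied from the @pm operator in rule 500051 above.
# @pm is a case-insensitive phrase match: any keyword found as a substring hits.
PM_KEYWORDS = ("assert", "eval", "system", "escapeshellarg", "exec",
               "passthru", "proc_open", "shell_exec")


def apply_transforms(value):
    """t:none, then t:lowercase, then t:urldecode, in the order the rule lists them."""
    return unquote(value.lower())


def pm_match(value, keywords=PM_KEYWORDS):
    """Emulate @pm: return every keyword found as a case-insensitive substring."""
    lowered = value.lower()
    return [k for k in keywords if k in lowered]


def rule_500051(method, uri, args):
    """Return True when all three chained SecRules match, i.e. the request is denied.

    `args` maps a parameter name to a list of values that the body processor has
    already URL-decoded once (assumption of this emulation, mirroring ARGS).
    """
    # SecRule REQUEST_METHOD "POST": default @rx operator, unanchored regex
    if not re.search(r"POST", method):
        return False
    # SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" after lowercase+urldecode
    if "/wp-admin/admin-ajax.php" not in apply_transforms(uri):
        return False
    # SecRule ARGS:before_html "@pm ...": a request without the parameter cannot match
    for value in args.get("before_html", []):
        if pm_match(apply_transforms(value)):
            return True
    return False


# Constructed sample requests: (method, uri, args). Not real captured traffic.
SAMPLES = {
    # the shortcode payload shown in this post
    "shortcode_payload": (
        "POST", "/wp-admin/admin-ajax.php",
        {"before_html": ["[su_meta key=1 post_id=1 default='print(privetepta)' filter='assert']"]},
    ),
    # a value that still holds a percent-encoded byte after the body decode;
    # the rule's t:urldecode is what catches this second layer
    "double_encoded": (
        "POST", "/wp-admin/admin-ajax.php",
        {"before_html": ["[su_meta key=1 post_id=1 default='x' filter='%61ssert']"]},
    ),
    # wrong method: the first rule in the chain fails, nothing else is evaluated
    "get_request": (
        "GET", "/wp-admin/admin-ajax.php",
        {"before_html": ["[su_meta key=1 post_id=1 filter='assert']"]},
    ),
    # ordinary form markup with none of the keywords
    "benign_html": (
        "POST", "/wp-admin/admin-ajax.php",
        {"before_html": ["<div class='frm_forms'><label>Name</label></div>"]},
    ),
    # plain text that @pm still flags because "exec" is a substring of "executive"
    "false_positive_exec": (
        "POST", "/wp-admin/admin-ajax.php",
        {"before_html": ["Contact our executive assistant"]},
    ),
}


def evaluate_samples():
    """Run every constructed sample through the rule; name -> deny decision."""
    return {name: rule_500051(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{'DENY ' if denied else 'allow'}  {name}")
```

The last sample is the caveat worth knowing before enabling the rule in blocking mode: @pm matches substrings, so legitimate before_html content containing words like "executive" or "evaluation" will also be denied. If that produces false positives on a site, run the rule with pass,log first and review the audit log before switching back to deny.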

Final Words

If you don't want to build your own rules, you can use the Malware Expert ModSecurity rules to protect your web server against vulnerabilities and attacks.