Trustwave Web Application Firewall 4.62

Trustwave Spiderlabs is pleased to announce the release of CorSigs version 4.62 for Trustwave Web Application Firewall (WAF) version 9.0. These rules are written to detect attacks or classes of attacks on web applications and their components.

Release Summary

This release includes the following new signatures:

  • WordPress Plugin Visualizer SSRF CVE-2019-16932
  • WordPress Plugin Visualizer XSS CVE-2019-16931
  • WordPress Plugin Broken Link Checker XSS CVE-2019-16521
  • WordPress Plugin All in One SEO Pack XSS CVE-2019-16520
  • WordPress Plugin Lara Google Analytics XSS
  • WordPress Plugin Download Plugins and Themes from Dashboard XSS CVE-2019-17239
  • WordPress Plugin Photo Gallery by 10Web SQLi CVE-2019-16119
  • WordPress Stored XSS CVE-2019-16219
  • WordPress Plugin IgniteUp 3.4 Directory Traversal CVE-2019-17234
  • WordPress Plugin IgniteUp 3.4 CSRF CVE-2019-17235
  • WordPress Plugin IgniteUp 3.4 XSS CVE-2019-17236
  • WordPress Plugin IgniteUp 3.4 SSRF CVE-2019-17237
  • WordPress Plugin Tidio Live Chat 4.1.0 XSS
  • rConfig 3.9.2 Unauthenticated RCE CVE-2019-16662
  • WordPress Plugin WP Maintenance 5.0.5 CSRF
  • Online Inventory Manager 3.2 XSS
  • WordPress Plugin Real Estate 7 Below 2.9.5 XSS
  • WordPress Plugin Resim Ara Up To 3.0 XSS
  • WordPress Plugin Ultimate FAQ Below 1.8.30 XSS
  • WordPress Plugin WooCommerce Conversion Tracking Below 2.0.5 XSS
  • WordPress Plugin 301 Redirects Easy Redirect Manager Up To 2.40 XSS
  • WordPress Plugin ListingPro Up To 2.0.14.2 XSS CVE-2019-19541
  • WordPress Plugin ListingPro Up To 2.0.14.2 XSS CVE-2019-19540
  • WordPress Plugin CSS Hero Up To 4.03 XSS CVE-2019-19133
  • Job Portal 1.0 RCE
  • piSignage 2.6.4 Directory Traversal CVE-2019-20354
  • Apache Solr Velocity template RCE CVE-2019-17558
  • Complaint Management System 4.0 RCE
  • Complaint Management System 4.0 SQLi
  • WordPress Plugin Quiz And Survey Master 6.3.4 XSS CVE-2019-17599
  • Citrix Application Delivery Controller and Citrix Gateway RCE CVE-2019-19781
  • WordPress Plugin bbPress Members Only Up To 1.2.1 CSRF
  • WordPress Plugin bbPress Login Register Links On Forum Topic Pages Up To 2.7.5 XSS
  • WordPress Plugin Donorbox 7.1 XSS
  • WordPress Plugin WP Sitemap Page 1.6.2 Stored XSS
  • WordPress Plugin Ninja Forms Below 3.4.23 - Stored XSS CVE-2020-8594
  • WordPress Plugin ThemeGrill Demo Importer Below 1.6.2 - Auth Bypass & Database Wipe
  • WordPress Plugin GDPR Cookie Consent Below 1.8.3 - Stored XSS
  • WordPress Plugin Strong Testimonials Below 2.40.1 - Stored XSS CVE-2020-8549
  • WordPress Plugin LearnDash 3.1.2 Reflected XSS CVE-2020-7108
  • WordPress Plugin Popup Builder Below 3.0 SQLi via PHP Deserialization CVE-2020-9006
  • WordPress Plugin Elementor Page Builder - Reflected XSS CVE-2020-8426
  • WordPress Plugin Duplicator Below 1.3.28 - Unauthenticated Arbitrary File Download
  • WordPress Plugin ThemeREX Addons RCE CVE-2020-10257
  • eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 RCE CVE-2017-9841
  • Joomla! com_hdwplayer 4.2 - search.php SQLi
  • ZyXEL pre Authentication RCE CVE-2020-8540
  • WordPress Plugin Hero Maps Premium Below 2.2.3 - Unauthenticated Reflected XSS CVE-2019-19134
  • rConfig Up To 3.94 commands.inc.php searchColumn SQLi CVE-2020-10220
  • WordPress Plugin Testimonial Below 2.1.7 - Authenticated Stored XSS
  • Zoho ManageEngine Desktop Central Below 10.0.474 - RCE via deserialized object CVE-2020-10189
  • WordPress Plugin Async Javascript Below 2.20.02.27 - Stored XSS via Plugin Settings Change
  • WordPress Plugin Modern Events Calendar Lite Below 5.1.7 Stored XSS CVE-2020-9459
  • WordPress Plugin Profile Builder Below 3.1.1 - User Registration With Administrator Role
  • WordPress Plugin Rank Math SEO Up To 1.0.40.2 REST Endpoint (strict) CVE-2020-11514
  • WordPress Plugin Rank Math SEO Up To 1.0.40.2 REST Endpoint SQLi CVE-2020-11514
  • WordPress Plugin Rank Math SEO Up To 1.0.40.2 REST Endpoint XSS CVE-2020-11514
  • WordPress Plugin Rank Math SEO Up To 1.0.40.2 REST Endpoint Privilege Escalation CVE-2020-11514
  • WordPress Plugin Duplicate Page and Post Below 2.5.7 SQLi
  • WordPress Plugin Support Ticket System by Phoeniix Up To 2.7 Unauthenticated XSS
  • IBM Data Risk Manager Below 2.0.4 Directory Traversal
  • IBM Data Risk Manager Below 2.0.4 RCE
  • WordPress Plugin Responsive Poll Up To 1.3.4 Authentication Bypass CVE-2020-11673
  • WordPress Plugin Media Library Assistant 2.81 Local File Inclusion CVE-2020-11732
  • Joomla! com_fabrik 3.9.11 Directory Traversal
  • WordPress Plugin Easy Testimonials 3.6 XSS
  • WordPress Plugin Visual Composer 27.0 XSS
  • WordPress Plugin Ajax Load More 5.3.1
  • vBulletin 5.6.1 SQLi CVE-2020-12720
  • WordPress Plugin Advanced Order Export For WooCommerce 3.1.4 CVE-2020-11727
  • WordPress Plugin Chopslider 3.4 SQLi CVE-2020-11530
  • WordPress Plugin LifterLMS 3.37.15 File-Upload CVE-2020-6008
  • WordPress Plugin LearnDash 3.1.6 SQLi CVE-2020-6009
  • WordPress Plugin LearnPress 3.2.6.8 CSRF CVE-2020-11511
  • WordPress Plugin LearnPress 3.2.6.8 CSRF CVE-2020-11510
  • WordPress Plugin JobSearch Below 1.5.1 XSS
  • WordPress Plugin Careerfy Below 3.9.0 XSS
  • WordPress Plugin Newspaper Below 10.3.4 XSS
  • WordPress Plugin AdRotate Below 5.8.4 SQLi
  • WordPress Plugin Delightful Downloads Up To 1.6.6 Directory Traversal CVE-2017-1000170
  • WordPress Plugin KingComposer Below 2.9.4 Directory Traversal
  • WordPress Plugin KingComposer Below 2.9.4 XSS
  • WordPress Plugin Xenon Theme Below 1.3 XSS CVE-2020-14010
  • WordPress Plugin Rank Math 0.9 - 1.0.42.1 Authentication Bypass
  • WordPress Plugin Testimonial Rotator Below 3.0.3 XSS
  • WordPress Plugin SportsPress Below 2.7.2 XSS CVE-2020-13892
  • WordPress Plugin Elementor Page Builder Below 2.9.10 XSS CVE-2020-13864
  • WordPress Plugin Blog2Social Below 6.3.1 SQLi
  • WordPress Plugin Page Builder: PageLayer Below 1.1.2 pagelayer_update_content XSS
  • WordPress Plugin Page Builder: PageLayer Below 1.1.2 pagelayer-address XSS
  • WordPress Plugin Final Tiles Gallery Below 3.4.19 XSS CVE-2020-14962
  • Joomla! Plugin J2 Store 3.3.11 SQLi
  • WordPress Up To 5.2.3 Directory traversal
  • WordPress Plugin VRView Up To 1.1.3/VRView library < 2.0.2/WP-VR-view <= 1.6 XSS
  • WordPress Plugin Team Members Below 5.0.4 XSS
  • WordPress Plugin Form Maker 5.4.1 and Form Maker by 10Web Up To 1.13.35 SQLi
  • WordPress Plugin MapPress Maps Pro Below 2.54.6 RCE CVE-2020-12675
  • WordPress Plugin MapPress Maps Pro Below 2.53.9 RCE CVE-2020-12077
  • WordPress Plugin Official MailerLite Sign Up Forms Below 1.4.5 SQLi
  • WordPress Plugin Add-on SweetAlert Contact Form 7 Below 1.0.8 XSS
  • WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 RCE CVE-2020-12800
  • Joomla! Plugin XCloner Backup 3.5.3 LFI
  • WordPress Plugin Multi-Scheduler 1.0.0 CSRF
  • WordPress Plugin ThirstyAffiliates Below 3.9.3 XSS
  • WordPress Plugin Photo Gallery by 10Web Below 1.5.55 SQLi
  • WordPress Plugin Adning Advertising Below 1.5.6 Arbitrary File Delete via Directory Traversal
  • WordPress Plugin Adning Advertising Below 1.5.6 Arbitrary File Upload to RCE
  • WordPress Theme Careerfy Below 4.1.0 - Unauthenticated XSS
  • Joomla! J2 Jobs 1.3.0 Authenticated SQLi
  • WordPress Plugin ACF to REST API Below 3.3.0 Unauthenticated Arbitrary wp_options Disclosure CVE-
  • WordPress Theme Nexos-Real Estate Below 1.8 - Unauthenticated XSS CVE-2020-15364
  • WordPress Theme Nexos-Real Estate Below 1.8 - Unauthenticated SQLi CVE-2020-15363
  • WordPress Plugin TC Custom JavaScript Below 1.2.2 Unauthenticated Stored XSS CVE-2020-14063
  • WordPress Theme Workup Below 2.1.6 Unauthenticated Reflected XSS
  • WordPress Plugin SRS Simple Hits Counter Up To 1.0.4 Unauthenticated Blind SQLi CVE-2020-5766
  • SAP LM Configuration Wizard Authentication Bypass CVE-2020-6287
  • SAP LM Configuration Wizard Directory Traversal CVE-2020-6286
  • WordPress Plugin Coming Soon Page Below 5.1.2 Authenticated Stored XSS CVE-2020-15038
  • Nagios XI 5.6.12 - export-rrd.php start,end arguments RCE
  • Nagios XI 5.6.12 - export-rrd.php step argument RCE
  • WordPress Plugin wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
  • vBulletin 5.x - pre-auth RCE CVE-2019-16759
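The list above mixes entries that carry a CVE identifier with entries that name only a product and version (for example the Duplicator and Ajax Load More signatures). A practical first check is to pull the CVE ids and vulnerability classes out of the release notes and match the signature names against the products you actually run, so you know which new rules to take out of Simulation Mode first and which ones need a product/version check because no CVE is available. The following script is an added example, not Trustwave code; the release-notes excerpt and the inventory keywords are constructed here, and a real run would paste in the full list.

```python
import re
from collections import Counter

# Constructed excerpt of signature names copied from this release; a real run
# would paste the complete list from the page.
RELEASE_NOTES = """\
WordPress Plugin Visualizer SSRF CVE-2019-16932
WordPress Plugin Photo Gallery by 10Web SQLi CVE-2019-16119
rConfig 3.9.2 Unauthenticated RCE CVE-2019-16662
Apache Solr Velocity template RCE CVE-2019-17558
Citrix Application Delivery Controller and Citrix Gateway RCE CVE-2019-19781
WordPress Plugin Duplicator Below 1.3.28 - Unauthenticated Arbitrary File Download
eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 RCE CVE-2017-9841
vBulletin 5.x - pre-auth RCE CVE-2019-16759
WordPress Plugin Ajax Load More 5.3.1
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Vulnerability classes as they are spelled in the release notes.
CLASS_RE = re.compile(
    r"\b(RCE|SQLi|XSS|SSRF|CSRF|LFI|Directory Traversal|Authentication Bypass|Auth Bypass)\b",
    re.IGNORECASE,
)


def parse_release(text):
    """Return one dict per signature line: full name, CVE id (or None), class (or None)."""
    rows = []
    for line in text.splitlines():
        line = line.strip().lstrip("\u2022").strip()  # drop the bullet if pasted from the page
        if not line:
            continue
        cve = CVE_RE.search(line)
        cls = CLASS_RE.search(line)
        rows.append({
            "name": line,
            "cve": cve.group(0) if cve else None,
            "class": cls.group(1).upper() if cls else None,
        })
    return rows


def class_counts(rows):
    """Count signatures per vulnerability class; lines with no recognised class are UNCLASSIFIED."""
    return Counter(r["class"] or "UNCLASSIFIED" for r in rows)


def match_inventory(rows, inventory):
    """Return (product, signature name, CVE or None) for every signature whose name
    mentions a product keyword from the constructed inventory list (case-insensitive).
    A None CVE flags an entry that must be checked by product and version."""
    hits = []
    for r in rows:
        for product in inventory:
            if product.lower() in r["name"].lower():
                hits.append((product, r["name"], r["cve"]))
                break
    return hits


if __name__ == "__main__":
    rows = parse_release(RELEASE_NOTES)
    print(class_counts(rows))
    # Constructed inventory: product keywords an operator might run.
    for product, name, cve in match_inventory(rows, ["Citrix", "Duplicator", "PHPUnit", "Joomla"]):
        print(f"{product:10} {cve or 'no CVE - check version':28} {name}")
```

Entries that match your inventory but carry no CVE (Duplicator in the excerpt) cannot be cross-checked against an advisory feed by id, so confirm the installed plugin version against the "Below x.y.z" text in the signature name before deciding whether to enable blocking for that rule.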

How to Update

No action is required by customers running version 9.0 of Trustwave Web Application Firewall who subscribe to the online update feature; their deployments will update automatically.

Please note that even if blocking actions are defined for a protected site, Simulation Mode is ON by default for these new rules so that site managers can inspect their impact before any matching traffic is blocked. To activate blocking actions for these rules, update the Actions for each signature in the Policy Manager.