Security Resources

Software Updates

Web Application Security – ModSecurity Commercial Rules, Update for June 2020

Overview for rules released by Trustwave SpiderLabs in June for ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.

ModSecurity Commercial Rules detect attacks or classes of attacks on web applications and their components as well as provide virtual patches for public vulnerabilities.

Release Summary

WordPress Plugin JobSearch < 1.5.1 XSS
WordPress Plugin Careerfy < 3.9.0 XSS
WordPress Plugin Newspaper < 10.3.4 XSS
WordPress Plugin AdRotate < 5.8.4 SQLi
WordPress Plugin Delightful Downloads <= 1.6.6 Directory Traversal CVE-2017-1000170
WordPress Plugin KingComposer < 2.9.4 Directory Traversal
WordPress Plugin KingComposer < 2.9.4 XSS
WordPress Plugin Xenon Theme < 1.3 XSS CVE-2020-14010
WordPress Plugin Rank Math 0.9 - Authentication Bypass
WordPress Plugin Testimonial Rotator < 3.0.3 XSS
WordPress Plugin SportsPress < 2.7.2 XSS CVE-2020-13892
WordPress Plugin Elementor Page Builder < 2.9.10 XSS CVE-2020-13864
WordPress Plugin Blog2Social < 6.3.1 SQLi
WordPress Plugin Page Builder: PageLayer < 1.1.2 pagelayer_update_content XSS
WordPress Plugin Page Builder: PageLayer < 1.1.2 pagelayer-address XSS
WordPress Plugin Final Tiles Gallery < 3.4.19 XSS CVE-2020-14962
Joomla! Plugin J2 Store 3.3.11 SQLi
WordPress <= 5.2.3 Directory traversal
WordPress Plugin VRView <= 1.1.3/VRView library < 2.0.2/WP-VR-view <= 1.6 XSS
WordPress Plugin Team Members < 5.0.4 XSS
WordPress Plugin Form Maker 5.4.1/Form Maker by 10Web <= 1.13.35 SQLi
WordPress Plugin MapPress Maps Pro < 2.54.6 RCE CVE-2020-12675
WordPress Plugin MapPress Maps Pro < 2.53.9 RCE CVE-2020-12077
WordPress Plugin Official MailerLite Sign Up Forms < 1.4.5 SQLi
WordPress Plugin Add-on SweetAlert Contact Form 7 < 1.0.8 XSS
WordPress Plugin Drag and Drop File Upload Contact Form RCE CVE-2020-12800
Joomla! Plugin XCloner Backup 3.5.3 LFI
WordPress Plugin Multi-Scheduler 1.0.0 CSRF
WordPress Plugin ThirstyAffiliates < 3.9.3 XSS
WordPress Plugin Photo Gallery by 10Web <1.5.55 SQLi

How to Update

All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and enabled for all licensed servers. To verify the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and verify the server "Last seen" date, which indicates the last successful download for the specified server.