Rule History

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WP Download From Files Plugin <= 1.48 Arbitrary File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; bsize:4; http.uri; content:"/wp-admin/admin-ajax.php"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|files[]|22 3b 20|filename=|22|"; content:"<?"; content:"download_from_files_617_fileupload"; fast_pattern; reference:url,cxsecurity.com/issue/WLB-2021090097; classtype:attempted-admin; sid:2033989; rev:1; metadata:created_at 2021_09_20, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_06, reviewed_at 2023_12_11;)