Rule History

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Wordpress Social Warfare Plugin Attempted Admin User Creation"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/AddSites"; fast_pattern; http.content_type; content:"application/json"; nocase; http.request_body; content:"aurl"; content:"domain"; content:"username"; content:"passwordz"; content:"wp_login_path"; reference:url,wordpress.org/support/topic/a-security-message-from-the-plugin-review-team; reference:md5,0469a5e49620710a3e2d579fdfe011e1; classtype:attempted-admin; sid:2053870; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Server, tls_state TLSDecrypt, created_at 2024_06_25, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Wordpress, tag Exploit, updated_at 2026_05_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)