alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion"; flow:established,to_server; http.uri.raw; content:"/reglages/Menu_Plugins/"; fast_pattern; content:"|2e|php?p=|2e 2e 2f|"; distance:0; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50844; classtype:attempted-admin; sid:2036727; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Server, created_at 2022_05_31, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)