alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE Wordpress Social Warfare Plugin Exploit Payload Impression Request"; flow:established,to_server; urilen:17; http.method; content:"GET"; http.uri; content:"/impression|3f|bid|3d|"; startswith; fast_pattern; pcre:"/^(TH|SE|US|NO|SE|DK|FI|CH|AT|DE|IT|UK|CA|NZ|AU|CN|IN|FR)$/R"; reference:md5,0469a5e49620710a3e2d579fdfe011e1; reference:url,wordpress.org/support/topic/a-security-message-from-the-plugin-review-team/; classtype:attempted-admin; sid:2053879; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Server, tls_state TLSDecrypt, created_at 2024_06_25, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Critical, tag Wordpress, tag Exploit, updated_at 2024_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)