alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE Wordpress Social Warfare Plugin Exploit CMS Users Exfil M1"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/CMSUsers"; fast_pattern; http.request_body; content:"host"; content:"HTTP_HOST"; content:"cms"; reference:md5,0469a5e49620710a3e2d579fdfe011e1; reference:url,wordpress.org/support/topic/a-security-message-from-the-plugin-review-team/; classtype:attempted-admin; sid:2053880; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Server, tls_state TLSDecrypt, created_at 2024_06_25, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Wordpress, tag Exploit, updated_at 2024_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)