Et rule 2049627 - Magic-SigExplorer

""ET EXPLOIT Suspected WordPress Plugin Royal Elementor RCE (CVE-2023-5360)""

SID: 2049627

Revision: 1

Class Type: attempted-admin

Metadata: attack_target Web_Server, created_at 2023_12_08, cve CVE_2023_5360, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_12_08

Reference:

cve
2023-5360

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "POST"
Value: "/wp-admin/admin-ajax.php"
Value: "form-data|3b 20|name=|22|wpr_addons_nonce|22|"
Value: "form-data|3b 20|name=|22|max_file_size|22|"
Value: "form-data|3b 20|name=|22|allowed_file_types|22|"
Value: "form-data|3b 20|name=|22|triggering_event|22|"
Value: "form-data|3b 20|name=|22|uploaded_file|22 3b 20|"
Value: "Content-Type|3a 20|multipart/form-data|3b 20|boundary="

Within:

PCRE: "/\/wp-admin\/admin-ajax.php$/U"

Special Options:

http_method
http_uri
http_client_body
http_client_body
http_client_body
http_client_body
http_client_body
http_header

source