
Add vpatch-CVE-2023-3169 rule and test

Open crowdsec-automation opened this issue 2 months ago • 4 comments

This rule detects exploitation attempts of CVE-2023-3169, a stored XSS vulnerability in the tagDiv Composer WordPress plugin. The attack is performed by sending a POST request to the /wp-json/tdw/save_css endpoint with the compiled_css parameter containing injected JavaScript (e.g., <script> tags).

  • The first rule condition matches requests to the vulnerable endpoint by checking if the URI contains /wp-json/tdw/save_css, using a lowercase transform for case insensitivity.
  • The second rule condition inspects the compiled_css parameter in the POST body, decoding and lowercasing it, and matches if it contains the string <script>, which is a strong indicator of XSS payload injection.
  • The rule avoids false positives by targeting only the relevant parameter and endpoint, and by looking for the generic XSS vector <script> rather than specific payloads.
  • The test nuclei template is adapted to check for a 403 response, as expected from a WAF block.

Validation checklist:

  • All value: fields are lowercase.
  • transform includes lowercase and urldecode where applicable.
  • No match.value contains capital letters.
  • Rule uses contains instead of regex where applicable.

crowdsec-automation avatar Oct 15 '25 14:10 crowdsec-automation
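As an added illustration (not code from this PR or from CrowdSec's AppSec engine), the two rule conditions described above re-implemented as a small request matcher, so the effect of the `lowercase` and `urldecode` transforms can be checked against constructed requests. The extra decode step after form parsing is an assumption about how deeply the engine decodes `ARGS_POST` values.

```python
"""Re-implementation of the vpatch-CVE-2023-3169 match logic for study.
Illustrative code only; it is not CrowdSec's engine."""
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote_plus

VULN_ENDPOINT = "/wp-json/tdw/save_css"
XSS_MARKER = "<script>"


@dataclass
class Request:
    uri: str
    body: str  # raw application/x-www-form-urlencoded POST body


def uri_matches(uri: str) -> bool:
    # Condition 1: URI contains the endpoint, case-insensitively
    # (the rule's `lowercase` transform on the URI zone).
    return VULN_ENDPOINT in uri.lower()


def compiled_css_matches(body: str) -> bool:
    # Condition 2: compiled_css, after urldecode + lowercase, contains "<script>".
    # parse_qs form-decodes once; unquote_plus mirrors the rule's urldecode
    # transform so a double-encoded payload is still normalised (assumption).
    fields = parse_qs(body, keep_blank_values=True)
    return any(XSS_MARKER in unquote_plus(v).lower()
               for v in fields.get("compiled_css", []))


def is_cve_2023_3169_attempt(req: Request) -> bool:
    # Both conditions must hold, so other endpoints or plain CSS are not flagged.
    return uri_matches(req.uri) and compiled_css_matches(req.body)


# Constructed sample requests: (name, uri, body, expected verdict)
SAMPLES = [
    ("plain", "/wp-json/tdw/save_css", "compiled_css=%3Cscript%3Ealert(1)%3C%2Fscript%3E", True),
    ("mixed-case", "/WP-JSON/TDW/Save_CSS", "compiled_css=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E", True),
    ("double-encoded", "/wp-json/tdw/save_css", "compiled_css=%253Cscript%253Ealert(1)%253C%252Fscript%253E", True),
    ("benign-css", "/wp-json/tdw/save_css", "compiled_css=body%7Bcolor%3Ared%3B%7D", False),
    ("other-endpoint", "/wp-json/wp/v2/posts", "compiled_css=%3Cscript%3E", False),
    ("param-missing", "/wp-json/tdw/save_css", "other=%3Cscript%3E", False),
]


def check_samples() -> dict:
    """Map each sample name to whether the matcher gave the expected verdict."""
    return {name: is_cve_2023_3169_attempt(Request(uri, body)) == expected
            for name, uri, body, expected in SAMPLES}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```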

Hello @crowdsec-automation and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2023-3169 :red_circle:

github-actions[bot] avatar Oct 15 '25 14:10 github-actions[bot]

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot] avatar Oct 15 '25 14:10 github-actions[bot]

Hello @seemanne and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2023-0600 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-2009 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-0900 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-6623 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-23489 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-4634 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-23488 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2024-1071 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-6567 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-6360 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2024-1061 :red_circle:

github-actions[bot] avatar Oct 22 '25 14:10 github-actions[bot]

Hello @seemanne,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot] avatar Oct 22 '25 14:10 github-actions[bot]

closing in favor of https://github.com/crowdsecurity/hub/pull/1573

seemanne avatar Nov 05 '25 15:11 seemanne