Merge branch 'master' into 1776258921-vpatch-CVE-2026-1357

Author: buixor

.appsec-tests/vpatch-CVE-2022-3254/CVE-2022-3254.yaml

@@ -0,0 +1,19 @@
+## autogenerated on 2026-03-30 12:39:17
+id: CVE-2022-3254
+info:
+  name: CVE-2022-3254
+  author: crowdsec
+  severity: info
+  description: CVE-2022-3254 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        GET /wp-admin/admin-ajax.php?action=awpcp-get-regions-options&context=search&parent_type=country&parent=test`+FROM+wp_users+WHERE+1=0+UNION+SELECT+VERSION();--+- HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/javascript, */*; q=0.01
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2022-3254/config.yaml

@@ -0,0 +1,5 @@
+## autogenerated on 2026-03-30 12:39:17
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-3254.yaml
+nuclei_template: CVE-2022-3254.yaml

.appsec-tests/vpatch-CVE-2023-3197/CVE-2023-3197.yaml

@@ -0,0 +1,19 @@
+## autogenerated on 2026-03-30 12:46:51
+id: CVE-2023-3197
+info:
+  name: CVE-2023-3197
+  author: crowdsec
+  severity: info
+  description: CVE-2023-3197 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        GET /wp-json/api/flutter_multi_vendor/product-categories?id=1%20AND%20(SELECT%201%20FROM%20(SELECT%20SLEEP(6))a) HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2023-3197/config.yaml

@@ -0,0 +1,5 @@
+## autogenerated on 2026-03-30 12:46:51
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2023-3197.yaml
+nuclei_template: CVE-2023-3197.yaml

.index.json

@@ -1895,6 +1895,32 @@
         }
       }
     },
+    "crowdsecurity/vpatch-CVE-2022-3254": {
+      "author": "crowdsecurity",
+      "content": "IyMgYXV0b2dlbmVyYXRlZCBvbiAyMDI2LTAzLTMwIDEyOjM5OjE3Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTMyNTQKZGVzY3JpcHRpb246ICdEZXRlY3RzIHVuYXV0aGVudGljYXRlZCBTUUwgaW5qZWN0aW9uIGluIEFXUCBDbGFzc2lmaWVkcyB2aWEgYWRtaW4tYWpheC5waHAgYWN0aW9uIGF3cGNwLWdldC1yZWdpb25zLW9wdGlvbnMuJwpydWxlczoKICAtIGFuZDoKICAgICAgLSB6b25lczoKICAgICAgICAgIC0gVVJJCiAgICAgICAgdHJhbnNmb3JtOgogICAgICAgICAgLSBsb3dlcmNhc2UKICAgICAgICAgIC0gdXJsZGVjb2RlCiAgICAgICAgbWF0Y2g6CiAgICAgICAgICB0eXBlOiBjb250YWlucwogICAgICAgICAgdmFsdWU6IC93cC1hZG1pbi9hZG1pbi1hamF4LnBocAogICAgICAtIHpvbmVzOgogICAgICAgICAgLSBBUkdTCiAgICAgICAgdmFyaWFibGVzOgogICAgICAgICAgLSBwYXJlbnQKICAgICAgICB0cmFuc2Zvcm06CiAgICAgICAgICAtIGxvd2VyY2FzZQogICAgICAgICAgLSB1cmxkZWNvZGUKICAgICAgICBtYXRjaDoKICAgICAgICAgIHR5cGU6IHJlZ2V4CiAgICAgICAgICB2YWx1ZTogIlteYS16MC05XSIKICAgICAgLSB6b25lczoKICAgICAgICAgIC0gQVJHUwogICAgICAgIHZhcmlhYmxlczoKICAgICAgICAgIC0gYWN0aW9uCiAgICAgICAgdHJhbnNmb3JtOgogICAgICAgICAgLSBsb3dlcmNhc2UKICAgICAgICAgIC0gdXJsZGVjb2RlCiAgICAgICAgbWF0Y2g6CiAgICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICAgIHZhbHVlOiBhd3BjcC1nZXQtcmVnaW9ucy1vcHRpb25zCgpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICdodHRwOmV4cGxvaXQnCiAgbGFiZWw6ICdBV1AgQ2xhc3NpZmllZHMgLSBTUUxJJwogIGNsYXNzaWZpY2F0aW9uOgogICAgLSBjdmUuQ1ZFLTIwMjItMzI1NAogICAgLSBhdHRhY2suVDExOTAKICAgIC0gY3dlLkNXRS04OQo=",
+      "description": "Detects unauthenticated SQL injection in AWP Classifieds via admin-ajax.php action awpcp-get-regions-options.",
+      "labels": {
+        "behavior": "http:exploit",
+        "classification": [
+          "cve.CVE-2022-3254",
+          "attack.T1190",
+          "cwe.CWE-89"
+        ],
+        "confidence": 3,
+        "label": "AWP Classifieds - SQLI",
+        "service": "http",
+        "spoofable": 0,
+        "type": "exploit"
+      },
+      "path": "appsec-rules/crowdsecurity/vpatch-CVE-2022-3254.yaml",
+      "version": "0.1",
+      "versions": {
+        "0.1": {
+          "deprecated": false,
+          "digest": "373a3b40761e729e344e66253eb5fb8f0e2ce4e7e699b7f5ef45ef34063870f0"
+        }
+      }
+    },
     "crowdsecurity/vpatch-CVE-2022-35914": {
       "author": "crowdsecurity",
       "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKZGVzY3JpcHRpb246ICJHTFBJIFJDRSAoQ1ZFLTIwMjItMzU5MTQpIgpydWxlczoKICAtIGFuZDoKICAgIC0gem9uZXM6CiAgICAgIC0gVVJJCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZW5kc1dpdGgKICAgICAgICB2YWx1ZTogL3ZlbmRvci9odG1sYXdlZC9odG1sYXdlZC9odG1sYXdlZHRlc3QucGhwCgpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOmV4cGxvaXQiCiAgbGFiZWw6ICJHTFBJIC0gUkNFIgogIGNsYXNzaWZpY2F0aW9uOgogICAtIGN2ZS5DVkUtMjAyMi0zNTkxNAogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAogICAtIGN3ZS5DV0UtNzQ=",
@@ -2569,6 +2595,32 @@
         }
       }
     },
+    "crowdsecurity/vpatch-CVE-2023-3197": {
+      "author": "crowdsecurity",
+      "content": "IyMgYXV0b2dlbmVyYXRlZCBvbiAyMDI2LTAzLTMwIDEyOjQ2OjUxCm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTMxOTcKZGVzY3JpcHRpb246ICdEZXRlY3RzIHVuYXV0aGVudGljYXRlZCBTUUwgaW5qZWN0aW9uIGluIFdvcmRQcmVzcyBNU3RvcmUgQVBJIHBsdWdpbiB2aWEgaWQgcGFyYW1ldGVyLicKcnVsZXM6CiAgLSBhbmQ6CiAgICAgIC0gem9uZXM6CiAgICAgICAgICAtIFVSSQogICAgICAgIHRyYW5zZm9ybToKICAgICAgICAgIC0gbG93ZXJjYXNlCiAgICAgICAgICAtIHVybGRlY29kZQogICAgICAgIG1hdGNoOgogICAgICAgICAgdHlwZTogY29udGFpbnMKICAgICAgICAgIHZhbHVlOiAvd3AtanNvbi9hcGkvZmx1dHRlcl9tdWx0aV92ZW5kb3IvcHJvZHVjdC1jYXRlZ29yaWVzCiAgICAgIC0gem9uZXM6CiAgICAgICAgICAtIEFSR1MKICAgICAgICB2YXJpYWJsZXM6CiAgICAgICAgICAtIGlkCiAgICAgICAgdHJhbnNmb3JtOgogICAgICAgICAgLSBsb3dlcmNhc2UKICAgICAgICAgIC0gdXJsZGVjb2RlCiAgICAgICAgbWF0Y2g6CiAgICAgICAgICB0eXBlOiByZWdleAogICAgICAgICAgdmFsdWU6ICdbXmEtejAtOV0nCgpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICdodHRwOmV4cGxvaXQnCiAgbGFiZWw6ICdXb3JkUHJlc3MgTVN0b3JlIEFQSSAtIFNRTEknCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGN2ZS5DVkUtMjAyMy0zMTk3CiAgICAtIGF0dGFjay5UMTE5MAogICAgLSBjd2UuQ1dFLTg5Cg==",
+      "description": "Detects unauthenticated SQL injection in WordPress MStore API plugin via id parameter.",
+      "labels": {
+        "behavior": "http:exploit",
+        "classification": [
+          "cve.CVE-2023-3197",
+          "attack.T1190",
+          "cwe.CWE-89"
+        ],
+        "confidence": 3,
+        "label": "WordPress MStore API - SQLI",
+        "service": "http",
+        "spoofable": 0,
+        "type": "exploit"
+      },
+      "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-3197.yaml",
+      "version": "0.1",
+      "versions": {
+        "0.1": {
+          "deprecated": false,
+          "digest": "3aa0ba2809288c222157e493466cd4fde98fdbbe3674442cd5d56c9a9d003ba5"
+        }
+      }
+    },
     "crowdsecurity/vpatch-CVE-2023-33617": {
       "author": "crowdsecurity",
       "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzM2MTcKZGVzY3JpcHRpb246ICJBdGxhc3NpYW4gQ29uZmx1ZW5jZSBQcml2ZXNjIChDVkUtMjAyMy0zMzYxNykiCnJ1bGVzOgogIC0gYW5kOgogICAgLSB6b25lczoKICAgICAgLSBNRVRIT0QKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICB2YWx1ZTogcG9zdAogICAgLSB6b25lczoKICAgICAgLSBVUkkKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlbmRzV2l0aAogICAgICAgIHZhbHVlOiAvYm9hZm9ybS9hZG1pbi9mb3JtbG9naW4KICAgIC0gem9uZXM6CiAgICAgIC0gQk9EWV9BUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgIC0gdXNlcm5hbWUKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICB2YWx1ZTogImFkbWluIgogICAgLSB6b25lczoKICAgICAgLSBCT0RZX0FSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAgLSBwc2QKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICB2YWx1ZTogInBhcmtzIgogIC0gYW5kOgogICAgLSB6b25lczoKICAgICAgLSBNRVRIT0QKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6IFBPU1QKICAgIC0gem9uZXM6CiAgICAgIC0gVVJJCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZW5kc1dpdGgKICAgICAgICB2YWx1ZTogL2JvYWZvcm0vYWRtaW4vZm9ybXBpbmcKICAgIC0gem9uZXM6CiAgICAgIC0gQk9EWV9BUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgLSB0YXJnZXRfYWRkcgogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gbG93ZXJjYXNlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IHJlZ2V4CiAgICAgICAgdmFsdWU6ICJbXmEtZjAtOTouXSsiCmxhYmVsczoKICB0eXBlOiBleHBsb2l0CiAgc2VydmljZTogaHR0cAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6ZXhwbG9pdCIKICBsYWJlbDogIkF0bGFzc2lhbiBDb25mbHVlbmNlIC0gUHJpdmlsZWdlIEVzY2FsYXRpb24iCiAgY2xhc3NpZmljYXRpb246CiAgIC0gY3ZlLkNWRS0yMDIzLTMzNjE3CiAgIC0gYXR0YWNrLlQxNTk1CiAgIC0gYXR0YWNrLlQxMTkwCiAgIC0gY3dlLkNXRS03OA==",
@@ -8643,10 +8695,12 @@
         "crowdsecurity/vpatch-CVE-2024-1071",
         "crowdsecurity/generic-wordpress-uploads-php",
         "crowdsecurity/vpatch-CVE-2024-6205",
-        "crowdsecurity/generic-wordpress-uploads-listing"
+        "crowdsecurity/vpatch-CVE-2022-3254",
+        "crowdsecurity/generic-wordpress-uploads-listing",
+        "crowdsecurity/vpatch-CVE-2023-3197"
       ],
       "author": "crowdsecurity",
-      "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtd29yZHByZXNzCmFwcHNlYy1ydWxlczoKICAtIGNyb3dkc2VjdXJpdHkvYmFzZS1jb25maWcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTA2MDAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTA5MDAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMDkKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIzNDg4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzQ4OQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDYzNAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjM2MAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU2NwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjYyMwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTA2MQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTA3MQogIC0gY3Jvd2RzZWN1cml0eS9nZW5lcmljLXdvcmRwcmVzcy11cGxvYWRzLXBocAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNjIwNQogIC0gY3Jvd2RzZWN1cml0eS9nZW5lcmljLXdvcmRwcmVzcy11cGxvYWRzLWxpc3RpbmcKYXBwc2VjLWNvbmZpZ3M6CiAgLSBjcm93ZHNlY3VyaXR5L3ZpcnR1YWwtcGF0Y2hpbmcKcGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtdnBhdGNoCiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy1uYXRpdmUKY29udGV4dHM6CiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiAiQSB2aXJ0dWFsIHBhdGNoaW5nIGNvbGxlY3Rpb24sIHN1aXRhYmxlIGZvciBXb3JkUHJlc3Mgd2Vic2l0ZXMiCmxhYmVsczoKICBsYWJlbDogIldvcmRQcmVzcyAtIFdBRiBSdWxlcyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CnRhZ3M6CiAgLSB3YWYK",
+      "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtd29yZHByZXNzCmFwcHNlYy1ydWxlczoKICAtIGNyb3dkc2VjdXJpdHkvYmFzZS1jb25maWcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTA2MDAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTA5MDAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMDkKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIzNDg4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzQ4OQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDYzNAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjM2MAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU2NwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjYyMwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTA2MQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTA3MQogIC0gY3Jvd2RzZWN1cml0eS9nZW5lcmljLXdvcmRwcmVzcy11cGxvYWRzLXBocAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNjIwNQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzI1NAogIC0gY3Jvd2RzZWN1cml0eS9nZW5lcmljLXdvcmRwcmVzcy11cGxvYWRzLWxpc3RpbmcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTMxOTcKYXBwc2VjLWNvbmZpZ3M6CiAgLSBjcm93ZHNlY3VyaXR5L3ZpcnR1YWwtcGF0Y2hpbmcKcGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtdnBhdGNoCiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy1uYXRpdmUKY29udGV4dHM6CiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiAiQSB2aXJ0dWFsIHBhdGNoaW5nIGNvbGxlY3Rpb24sIHN1aXRhYmxlIGZvciBXb3JkUHJlc3Mgd2Vic2l0ZXMiCmxhYmVsczoKICBsYWJlbDogIldvcmRQcmVzcyAtIFdBRiBSdWxlcyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CnRhZ3M6CiAgLSB3YWYK",
       "contexts": [
         "crowdsecurity/appsec_base"
       ],
@@ -8663,7 +8717,7 @@
         "crowdsecurity/appsec-vpatch",
         "crowdsecurity/appsec-native"
       ],
-      "version": "0.7",
+      "version": "0.9",
       "versions": {
         "0.1": {
           "deprecated": false,
@@ -8692,6 +8746,14 @@
         "0.7": {
           "deprecated": false,
           "digest": "37d84182a2fc459aec85da16d52c245971d3901c580d7d74175fe4d135aaae75"
+        },
+        "0.8": {
+          "deprecated": false,
+          "digest": "8275e964719ea8bc0530c9fd06fad7e6ed4975a80cc1d94c4e82c2ca67c0cb1c"
+        },
+        "0.9": {
+          "deprecated": false,
+          "digest": "81650393ee520918ae7299d7c0f3809d4707714421e62445ab5357e3fc7207d1"
         }
       }
     },

appsec-rules/crowdsecurity/vpatch-CVE-2022-3254.yaml

@@ -0,0 +1,45 @@
+## autogenerated on 2026-03-30 12:39:17
+name: crowdsecurity/vpatch-CVE-2022-3254
+description: 'Detects unauthenticated SQL injection in AWP Classifieds via admin-ajax.php action awpcp-get-regions-options.'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: /wp-admin/admin-ajax.php
+      - zones:
+          - ARGS
+        variables:
+          - parent
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: "[^a-z0-9]"
+      - zones:
+          - ARGS
+        variables:
+          - action
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: equals
+          value: awpcp-get-regions-options
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'AWP Classifieds - SQLI'
+  classification:
+    - cve.CVE-2022-3254
+    - attack.T1190
+    - cwe.CWE-89

appsec-rules/crowdsecurity/vpatch-CVE-2023-3197.yaml

@@ -0,0 +1,35 @@
+## autogenerated on 2026-03-30 12:46:51
+name: crowdsecurity/vpatch-CVE-2023-3197
+description: 'Detects unauthenticated SQL injection in WordPress MStore API plugin via id parameter.'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: /wp-json/api/flutter_multi_vendor/product-categories
+      - zones:
+          - ARGS
+        variables:
+          - id
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '[^a-z0-9]'
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'WordPress MStore API - SQLI'
+  classification:
+    - cve.CVE-2023-3197
+    - attack.T1190
+    - cwe.CWE-89

collections/crowdsecurity/appsec-wordpress.yaml

@@ -14,7 +14,9 @@ appsec-rules:
   - crowdsecurity/vpatch-CVE-2024-1071
   - crowdsecurity/generic-wordpress-uploads-php
   - crowdsecurity/vpatch-CVE-2024-6205
+  - crowdsecurity/vpatch-CVE-2022-3254
   - crowdsecurity/generic-wordpress-uploads-listing
+  - crowdsecurity/vpatch-CVE-2023-3197
 appsec-configs:
   - crowdsecurity/virtual-patching
 parsers:

taxonomy/scenarios.json

@@ -1122,6 +1122,28 @@
       "CWE-94"
     ]
   },
+  "crowdsecurity/vpatch-CVE-2022-3254": {
+    "name": "crowdsecurity/vpatch-CVE-2022-3254",
+    "description": "Detects unauthenticated SQL injection in AWP Classifieds via admin-ajax.php action awpcp-get-regions-options.",
+    "label": "AWP Classifieds - SQLI",
+    "behaviors": [
+      "http:exploit"
+    ],
+    "mitre_attacks": [
+      "TA0001:T1190"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "http",
+    "created_at": "2026-04-15T13:43:05",
+    "cves": [
+      "CVE-2022-3254"
+    ],
+    "cwes": [
+      "CWE-89"
+    ]
+  },
   "crowdsecurity/vpatch-CVE-2022-35914": {
     "name": "crowdsecurity/vpatch-CVE-2022-35914",
     "description": "GLPI RCE (CVE-2022-35914)",
@@ -1579,6 +1601,28 @@
       "CWE-79"
     ]
   },
+  "crowdsecurity/vpatch-CVE-2023-3197": {
+    "name": "crowdsecurity/vpatch-CVE-2023-3197",
+    "description": "Detects unauthenticated SQL injection in WordPress MStore API plugin via id parameter.",
+    "label": "WordPress MStore API - SQLI",
+    "behaviors": [
+      "http:exploit"
+    ],
+    "mitre_attacks": [
+      "TA0001:T1190"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "http",
+    "created_at": "2026-04-15T13:44:20",
+    "cves": [
+      "CVE-2023-3197"
+    ],
+    "cwes": [
+      "CWE-89"
+    ]
+  },
   "crowdsecurity/vpatch-CVE-2023-33617": {
     "name": "crowdsecurity/vpatch-CVE-2023-33617",
     "description": "Atlassian Confluence Privesc (CVE-2023-33617)",