False positive response when usting wordpress + woocommerce

[Munrok]

When trying to update products in the store (WordPress + WooCommerce), I encounter the following false positives:

ModSecurity: Warning. Matched "Operator `Rx' with parameter `\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe' against variable `ARGS:data[wp_autosave][excerpt]' (Value: `Warsztaty, podczas kt\xc3\xb3rych uczestniczymy w \xc4\x87wiczeniach, wyk\xc5\x82adach, ustawieniach (520 characters omitted)' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "528"] [id "941310"] [rev ""] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \xbcyw\xc4\x85 map\xc4\x99 problemu wraz z reprezentantami, dzi\xc4\x99ki czemu zyskujemy g\xc5\x82\xc4\x99bszy obraz twojego tematu, kt\xc3\xb3ry cz\xc4\x99sto prowadzi do rozwi\xc4\x85zania i jasno\xc5\x9bci.\x0a\x0aczas trwania 8 godzin.\x0a\x0adat\xc4\x99 i (669 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.5"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname " SERVER_IP"] [uri "/wp-admin/admin-ajax.php"] [unique_id "169589244837.755644"] [ref "o148,323v1719,485t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.5"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname " SERVER_IP"] [uri "/wp-admin/admin-ajax.php"] [unique_id "169589244837.755644"] [ref ""]

• CRS version (e.g., v3.3.4): 3.3.5
• Paranoia level setting (e.g. PL1) : 2
• Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx
• Operating System and version: FreeBSD

[azurit]

@Munrok Thanks for reporting this. Unfortunately, we do not support Woocommerce or any other WordPress plugin. For plain WordPress, you can use WordPress Rule Exclusions Plugin.

Anyway, this exclusion rule will probably help you:

SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:9990126,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS:action "@streq heartbeat" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=attack-xss;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=921110;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=932110;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=932105;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=932115;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=933210;ARGS:data[wp_autosave][excerpt]"

[azurit]

Fixed with coreruleset/wordpress-rule-exclusions-plugin#43.