Request for new release

[gene1wood]

I've been struggling with a problem that appears to have been fixed in #47 as I'm running v1.0.0 of the wordpress-rule-exclusions-plugin

When I update to the HEAD of master, it fixes the problem.

I'm running libapache2-mod-security2 2.9.3-1ubuntu0.1
I have CRS ver.4.6.0-dev

Editing the footer of a wordpress theme triggers HTTP header is restricted by policy (/x-http-method-override/) followed by a 5 more warnings

• Matched Data: XSS data found within ARGS:content: <!-- wp:group {\\x22align\\x22:\\x22wide\\x22,\\x22layout\\x22:{\\x22type\\x22:\\x22constrained\\x22}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22><!-- wp:group {\\x22align\\x22:\\x22wide\\x22,\\x22style\\x22:{\\x22spacing\\x22:{\\x22padding\\x22:{\\x22top\\x22:\\x22var:preset|spacing|50\\x22,\\x22bottom\\x22:\\x22var:preset|spacing|50\\x22}}}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22 style=\\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--pres...
• NoScript XSS InjectionChecker: HTML Injection
• Node-Validator Deny List Keywords
• Inbound Anomaly Score Exceeded (Total Score: 20)
• Anomaly Scores: (Inbound Scores: blocking=20, detection=20, per_pl=20-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=15, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=20)

Would it be possible to cut a new release with these fixes (just so others don't struggle trying to figure out why wordpress won't work with modsecurity)?

[EsadCetiner]

@gene1wood I'll try to get a new release out in a few days #59, there have been a fair few amount of fixes since the release of this plugin.

For the false positive you reported, can you share the full log line? I can't fully see what's causing the false positive.

[gene1wood]

No problem. I can reproduce the problem by switching back to v1.0.0 of the wordpress-rule-exclusion-plugin

The apache2 error log shows this

[Thu Aug 29 15:25:32.712154 2024] [:error] [pid 504130] [client 157.131.34.81:54678] [client 157.131.34.81] ModSecurity: Warning. String match within "/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" at TX:header_name_920450_x-http-method-override. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1193"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour//footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"], referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit
[Thu Aug 29 15:25:32.716798 2024] [:error] [pid 504130] [client 157.131.34.81:54678] [client 157.131.34.81] ModSecurity: Warning. Pattern match "\\\\$(?:\\\\((?:.*|\\\\(.*\\\\))\\\\)|\\\\{.*\\\\}|\\\\[.*\\\\])|[<>]\\\\(.*\\\\)|/[0-9A-Z_a-z]*\\\\[!?.+\\\\]" at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "312"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(707) found within ARGS:content: <!-- wp:group {align:wide layout:{type:constrained}} --> <div class=wp-block-group alignwide><!-- wp:group {align:wide style:{spacing:{padding:{top:var:preset|spacing|50 bottom:var:preset|spacing|50}}}} --> <div class=wp-block-group alignwide style=padding-top:var(--wp--preset--spacing--50) padding-bottom:var(--wp--preset--spacing--50)><!-- wp:separator {classname:is-style-wide} --> <hr class=wp-block-separator has-alpha-channel-opacity is-style-wide/> <!--..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/8 [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"], referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit
[Thu Aug 29 15:25:32.722807 2024] [:error] [pid 504130] [client 157.131.34.81:54678] [client 157.131.34.81] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <!-- wp:group {\\x22align\\x22:\\x22wide\\x22,\\x22layout\\x22:{\\x22type\\x22:\\x22constrained\\x22}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22><!-- wp:group {\\x22align\\x22:\\x22wide\\x22,\\x22style\\x22:{\\x22spacing\\x22:{\\x22padding\\x22:{\\x22top\\x22:\\x22var:preset|spacing|50\\x22,\\x22bottom\\x22:\\x22var:preset|spacing|50\\x22}}}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22 style=\\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--pres..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"], referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit
[Thu Aug 29 15:25:32.725393 2024] [:error] [pid 504130] [client 157.131.34.81:54678] [client 157.131.34.81] ModSecurity: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\\\s\\\\x0b\\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0- ..." at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "219"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \\x22align\\x22:\\x22wide\\x22,\\x22layout\\x22:{\\x22type\\x22:\\x22constrained\\x22}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22><!-- wp:group {\\x22align\\x22:\\x22wide\\x22,\\x22style\\x22:{\\x22spacing\\x22:{\\x22padding\\x22:{\\x22top\\x22:\\x22var:preset|spacing|50\\x22,\\x22bottom\\x22:\\x22var:preset|spacing|50\\x22}}}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22 style=\\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--preset--spacing--50)\\x22><!-- wp:separator {\\x22classNa..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-d [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"], referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit
[Thu Aug 29 15:25:32.726371 2024] [:error] [pid 504130] [client 157.131.34.81:54678] [client 157.131.34.81] ModSecurity: Warning. Matched phrase "<!--" at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "271"] [id "941180"] [msg "Node-Validator Deny List Keywords"] [data "Matched Data: <!-- found within ARGS:content: <!-- wp:group {\\x22align\\x22:\\x22wide\\x22,\\x22layout\\x22:{\\x22type\\x22:\\x22constrained\\x22}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22><!-- wp:group {\\x22align\\x22:\\x22wide\\x22,\\x22style\\x22:{\\x22spacing\\x22:{\\x22padding\\x22:{\\x22top\\x22:\\x22var:preset|spacing|50\\x22,\\x22bottom\\x22:\\x22var:preset|spacing|50\\x22}}}} -->\\x0a<div class=\\x22wp-block-group alignwide\\x22 style=\\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--preset--..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"], referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit
[Thu Aug 29 15:25:32.735627 2024] [:error] [pid 504130] [client 157.131.34.81:54678] [client 157.131.34.81] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [ver "OWASP_CRS/4.6.0-dev"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"], referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit
[Thu Aug 29 15:25:32.736104 2024] [:error] [pid 504130] [client 157.131.34.81:54678] [client 157.131.34.81] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=25, detection=25, per_pl=25-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=15, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=25)"] [ver "OWASP_CRS/4.6.0-dev"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"], referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit

and the modsecurity audit log shows this

--9e4e976f-A--
[29/Aug/2024:15:25:32 +0000] ZtCS7HPxmzlwgfG1dzaoSQAAAAY 157.131.34.81 54678 51.81.82.182 443
--9e4e976f-B--
POST /wp-json/wp/v2/template-parts/twentytwentyfour//footer?_locale=user HTTP/1.1
Host: wordpress.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: https://wordpress.example.com/wp-admin/site-editor.php?postId=twentytwentyfour%2F%2Ffooter&postType=wp_template_part&focusMode=true&canvas=edit
X-WP-Nonce: f62a19d55f
X-HTTP-Method-Override: PUT
Content-Type: application/json
Content-Length: 1857
Origin: https://wordpress.example.com
Connection: keep-alive
Cookie: __gads=ID=08e528c41accecee:T=1712177113:RT=1724622035:S=ALNI_MZSXVWBAv-yskd55n4joZXRqYGu5A; __gpi=UID=00_REDACTED_uA; __eoi=ID=26_REDACTED_Qi; __utma=31034925.2110713176.1716236684.1716236684.1716236684.1; __utmz=31034925.1716236684.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-time-1=1723845686; wp-settings-1=libraryContent%3Dbrowse; __utmc=31034925; wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_afe1883185e32a556ef5a2ddb58fb1f1=ge_REDACTED_b3c; wordpress_logged_in_afe1883185e32a556ef5a2ddb58fb1f1=ge_REDACTED_f6
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

--9e4e976f-C--
{"id":"twentytwentyfour//footer","content":"<!-- wp:group {\"align\":\"wide\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group {\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"var:preset|spacing|50\",\"bottom\":\"var:preset|spacing|50\"}}}} -->\n<div class=\"wp-block-group alignwide\" style=\"padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--preset--spacing--50)\"><!-- wp:separator {\"className\":\"is-style-wide\"} -->\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"/>\n<!-- /wp:separator -->\n\n<!-- wp:columns {\"style\":{\"spacing\":{\"padding\":{\"top\":\"var:preset|spacing|10\"}}}} -->\n<div class=\"wp-block-columns\" style=\"padding-top:var(--wp--preset--spacing--10)\"><!-- wp:column {\"width\":\"57%\"} -->\n<div class=\"wp-block-column\" style=\"flex-basis:57%\"><!-- wp:heading {\"fontSize\":\"x-large\"} -->\n<h2 class=\"wp-block-heading has-x-large-font-size\">Schedule a Ride</h2>\n<!-- /wp:heading --></div>\n<!-- /wp:column -->\n\n<!-- wp:column {\"width\":\"30%\"} -->\n<div class=\"wp-block-column\" style=\"flex-basis:30%\"><!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|10\"}},\"layout\":{\"type\":\"flex\",\"orientation\":\"vertical\"}} -->\n<div class=\"wp-block-group\"><!-- wp:heading {\"level\":3,\"style\":{\"typography\":{\"fontSize\":\"1.5rem\"}}} -->\n<h3 class=\"wp-block-heading\" style=\"font-size:1.5rem\"><a href=\"sms:7073853861\" target=\"_blank\" rel=\"noreferrer noopener\">Text</a> or Call <a href=\"tel:7073853861\" target=\"_blank\" rel=\"noreferrer noopener\">(707) 385-3861</a><br>example@example.com </h3>\n<!-- /wp:heading --></div>\n<!-- /wp:group --></div>\n<!-- /wp:column --></div>\n<!-- /wp:columns --></div>\n<!-- /wp:group --></div>\n<!-- /wp:group -->"}
--9e4e976f-F--
HTTP/1.1 403 Forbidden
Content-Length: 298
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--9e4e976f-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at wordpress.example.com Port 443</address>
</body></html>

--9e4e976f-H--
Message: Warning. String match within "/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" at TX:header_name_920450_x-http-method-override. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1193"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"]
Message: Warning. Pattern match "\\$(?:\\((?:.*|\\(.*\\))\\)|\\{.*\\}|\\[.*\\])|[<>]\\(.*\\)|/[0-9A-Z_a-z]*\\[!?.+\\]" at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "312"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(707) found within ARGS:content: <!-- wp:group {align:wide layout:{type:constrained}} --> <div class=wp-block-group alignwide><!-- wp:group {align:wide style:{spacing:{padding:{top:var:preset|spacing|50 bottom:var:preset|spacing|50}}}} --> <div class=wp-block-group alignwide style=padding-top:var(--wp--preset--spacing--50) padding-bottom:var(--wp--preset--spacing--50)><!-- wp:separator {classname:is-style-wide} --> <hr class=wp-block-separator has-alpha-channel-opacity is-style-wide/> <!--..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/8
Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <!-- wp:group {\x22align\x22:\x22wide\x22,\x22layout\x22:{\x22type\x22:\x22constrained\x22}} -->\x0a<div class=\x22wp-block-group alignwide\x22><!-- wp:group {\x22align\x22:\x22wide\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x22var:preset|spacing|50\x22,\x22bottom\x22:\x22var:preset|spacing|50\x22}}}} -->\x0a<div class=\x22wp-block-group alignwide\x22 style=\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--pres..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Message: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\s\\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0- ..." at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "219"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \x22align\x22:\x22wide\x22,\x22layout\x22:{\x22type\x22:\x22constrained\x22}} -->\x0a<div class=\x22wp-block-group alignwide\x22><!-- wp:group {\x22align\x22:\x22wide\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x22var:preset|spacing|50\x22,\x22bottom\x22:\x22var:preset|spacing|50\x22}}}} -->\x0a<div class=\x22wp-block-group alignwide\x22 style=\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--preset--spacing--50)\x22><!-- wp:separator {\x22classNa..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-d
Message: Warning. Matched phrase "<!--" at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "271"] [id "941180"] [msg "Node-Validator Deny List Keywords"] [data "Matched Data: <!-- found within ARGS:content: <!-- wp:group {\x22align\x22:\x22wide\x22,\x22layout\x22:{\x22type\x22:\x22constrained\x22}} -->\x0a<div class=\x22wp-block-group alignwide\x22><!-- wp:group {\x22align\x22:\x22wide\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x22var:preset|spacing|50\x22,\x22bottom\x22:\x22var:preset|spacing|50\x22}}}} -->\x0a<div class=\x22wp-block-group alignwide\x22 style=\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--preset--..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [ver "OWASP_CRS/4.6.0-dev"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]
Message: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=25, detection=25, per_pl=25-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=15, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=25)"] [ver "OWASP_CRS/4.6.0-dev"] [tag "reporting"] [tag "OWASP_CRS"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 157.131.34.81] ModSecurity: Warning. String match within "/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" at TX:header_name_920450_x-http-method-override. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1193"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour//footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 157.131.34.81] ModSecurity: Warning. Pattern match "\\\\\\\\$(?:\\\\\\\\((?:.*|\\\\\\\\(.*\\\\\\\\))\\\\\\\\)|\\\\\\\\{.*\\\\\\\\}|\\\\\\\\[.*\\\\\\\\])|[<>]\\\\\\\\(.*\\\\\\\\)|/[0-9A-Z_a-z]*\\\\\\\\[!?.+\\\\\\\\]" at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "312"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(707) found within ARGS:content: <!-- wp:group {align:wide layout:{type:constrained}} --> <div class=wp-block-group alignwide><!-- wp:group {align:wide style:{spacing:{padding:{top:var:preset|spacing|50 bottom:var:preset|spacing|50}}}} --> <div class=wp-block-group alignwide style=padding-top:var(--wp--preset--spacing--50) padding-bottom:var(--wp--preset--spacing--50)><!-- wp:separator {classname:is-style-wide} --> <hr class=wp-block-separator has-alpha-channel-opacity is-style-wide/> <!--..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/8 [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 157.131.34.81] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <!-- wp:group {\\\\x22align\\\\x22:\\\\x22wide\\\\x22,\\\\x22layout\\\\x22:{\\\\x22type\\\\x22:\\\\x22constrained\\\\x22}} -->\\\\x0a<div class=\\\\x22wp-block-group alignwide\\\\x22><!-- wp:group {\\\\x22align\\\\x22:\\\\x22wide\\\\x22,\\\\x22style\\\\x22:{\\\\x22spacing\\\\x22:{\\\\x22padding\\\\x22:{\\\\x22top\\\\x22:\\\\x22var:preset|spacing|50\\\\x22,\\\\x22bottom\\\\x22:\\\\x22var:preset|spacing|50\\\\x22}}}} -->\\\\x0a<div class=\\\\x22wp-block-group alignwide\\\\x22 style=\\\\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--pres..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 157.131.34.81] ModSecurity: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\\\\\\\s\\\\\\\\x0b\\\\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0- ..." at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "219"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \\\\x22align\\\\x22:\\\\x22wide\\\\x22,\\\\x22layout\\\\x22:{\\\\x22type\\\\x22:\\\\x22constrained\\\\x22}} -->\\\\x0a<div class=\\\\x22wp-block-group alignwide\\\\x22><!-- wp:group {\\\\x22align\\\\x22:\\\\x22wide\\\\x22,\\\\x22style\\\\x22:{\\\\x22spacing\\\\x22:{\\\\x22padding\\\\x22:{\\\\x22top\\\\x22:\\\\x22var:preset|spacing|50\\\\x22,\\\\x22bottom\\\\x22:\\\\x22var:preset|spacing|50\\\\x22}}}} -->\\\\x0a<div class=\\\\x22wp-block-group alignwide\\\\x22 style=\\\\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--preset--spacing--50)\\\\x22><!-- wp:separator {\\\\x22classNa..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-d [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 157.131.34.81] ModSecurity: Warning. Matched phrase "<!--" at ARGS:content. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "271"] [id "941180"] [msg "Node-Validator Deny List Keywords"] [data "Matched Data: <!-- found within ARGS:content: <!-- wp:group {\\\\x22align\\\\x22:\\\\x22wide\\\\x22,\\\\x22layout\\\\x22:{\\\\x22type\\\\x22:\\\\x22constrained\\\\x22}} -->\\\\x0a<div class=\\\\x22wp-block-group alignwide\\\\x22><!-- wp:group {\\\\x22align\\\\x22:\\\\x22wide\\\\x22,\\\\x22style\\\\x22:{\\\\x22spacing\\\\x22:{\\\\x22padding\\\\x22:{\\\\x22top\\\\x22:\\\\x22var:preset|spacing|50\\\\x22,\\\\x22bottom\\\\x22:\\\\x22var:preset|spacing|50\\\\x22}}}} -->\\\\x0a<div class=\\\\x22wp-block-group alignwide\\\\x22 style=\\\\x22padding-top:var(--wp--preset--spacing--50);padding-bottom:var(--wp--preset--..."] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 157.131.34.81] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [ver "OWASP_CRS/4.6.0-dev"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 157.131.34.81] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=25, detection=25, per_pl=25-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=15, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=25)"] [ver "OWASP_CRS/4.6.0-dev"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "wordpress.example.com"] [uri "/wp-json/wp/v2/template-parts/twentytwentyfour/footer"] [unique_id "ZtCS7HPxmzlwgfG1dzaoSQAAAAY"]
Action: Intercepted (phase 2)
Stopwatch: 1724945132710973 30895 (- - -)
Stopwatch2: 1724945132710973 30895; combined=23971, p1=2058, p2=21625, p3=0, p4=0, p5=287, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/4.6.0-dev.
Server: Apache/2.4.41 (Ubuntu)
Engine-Mode: "ENABLED"

--9e4e976f-Z--

[EsadCetiner]

@gene1wood

No problem. I can reproduce the problem by switching back to v1.0.0 of the wordpress-rule-exclusion-plugin

aah so this is already fixed, sorry I misunderstood you. Thank you for the logs anyways.

[EsadCetiner]

@gene1wood A new version of this plugin has been released: https://github.com/coreruleset/wordpress-rule-exclusions-plugin/releases/tag/v1.0.1