diff --git a/plugins/wordpress-rule-exclusions-before.conf b/plugins/wordpress-rule-exclusions-before.conf
index fd3635b..b8be909 100644
--- a/plugins/wordpress-rule-exclusions-before.conf
+++ b/plugins/wordpress-rule-exclusions-before.conf
@@ -255,7 +255,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
 ctl:ruleRemoveTargetById=942100;ARGS"
 # Cannot update page|post in WordPress due to `x-http-method-override` header.
-SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pages|posts|template-parts|templates|users)" \
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pages|posts|sidebars|template-parts|templates|users)" \
 "id:9507146,\
 phase:1,\
 pass,\
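Review bot: The comment above the changed line, `# Cannot update page|post in WordPress due to x-http-method-override header.`, no longer describes the rule's scope now that `sidebars` sits in the alternation next to global-styles, navigation, templates and users; I would reword it to `# REST routes that WordPress updates through the x-http-method-override header (pages, posts, sidebars, templates, ...)`. The alternation is also open on the right, so the new `sidebars` word matches any longer segment such as `/wp-json/wp/v2/sidebars-anything/`; appending `(?:/|$)` after the closing parenthesis would keep the exclusion to the intended routes, and the test URI `/post/wp-json/wp/v2/sidebars/sidebar-1` would still match. The rule's ctl actions are outside the hunk, so I could not check what 9507146 removes beyond the 920450 assertion in the test.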
@@ -386,6 +386,45 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
 ctl:ruleRemoveById=920300,\
 ver:'wordpress-rule-exclusions-plugin/1.0.1'"
+# Modifying widgets under Appearance --> Widgets
+# Rules are disabled for all args because the paramater name keeps on changing
+SecRule REQUEST_FILENAME "@rx /wp-json/batch/v[0-9]$" \
+ "id:9507201,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'wordpress-rule-exclusions-plugin/1.0.1',\
+ chain"
+ SecRule ARGS:_locale "@streq user" \
+ "t:none,\
+ ctl:ruleRemoveTargetById=920272;ARGS,\
+ ctl:ruleRemoveTargetById=920273;ARGS,\
+ ctl:ruleRemoveTargetById=932200;ARGS,\
+ ctl:ruleRemoveTargetById=932236;ARGS,\
+ ctl:ruleRemoveTargetById=932240;ARGS,\
+ ctl:ruleRemoveTargetById=932370;ARGS,\
+ ctl:ruleRemoveTargetById=941150;ARGS,\
+ ctl:ruleRemoveTargetById=941180;ARGS,\
+ ctl:ruleRemoveTargetById=941181;ARGS,\
+ ctl:ruleRemoveTargetById=941320;ARGS,\
+ ctl:ruleRemoveTargetById=941330;ARGS,\
+ ctl:ruleRemoveTargetById=942130;ARGS,\
+ ctl:ruleRemoveTargetById=942131;ARGS,\
+ ctl:ruleRemoveTargetById=942200;ARGS,\
+ ctl:ruleRemoveTargetById=942210;ARGS,\
+ ctl:ruleRemoveTargetById=942260;ARGS,\
+ ctl:ruleRemoveTargetById=942330;ARGS,\
+ ctl:ruleRemoveTargetById=942340;ARGS,\
+ ctl:ruleRemoveTargetById=942370;ARGS,\
+ ctl:ruleRemoveTargetById=942430;ARGS,\
+ ctl:ruleRemoveTargetById=942431;ARGS,\
+ ctl:ruleRemoveTargetById=942432;ARGS,\
+ ctl:ruleRemoveTargetById=942440;ARGS,\
+ ctl:ruleRemoveTargetById=942460;ARGS,\
+ ctl:ruleRemoveTargetById=942520;ARGS,\
+ ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
+ ctl:ruleRemoveTargetById=920273;REQUEST_BODY"
 #
 # [ Cookies ]
@@ -858,7 +897,6 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/async-upload.php" \
 ctl:ruleRemoveTargetById=933210;ARGS:name,\
 ctl:ruleRemoveTargetById=942100;ARGS:name"
-
 #
 # [ Options and Settings ]
 #
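Review bot: The chained condition `SecRule ARGS:_locale "@streq user"` in the new 9507201 rule is met by a query parameter any client can add, so it does not tie the exclusion to the widgets screen: every request to `/wp-json/batch/v1?_locale=user` loses XSS (941xxx), SQLi (942xxx) and RCE (932xxx) inspection on all ARGS, and the batch endpoint forwards the embedded `path` values to whatever REST route they name, not only `/wp/v2/widgets`. The comment says the target is this wide only because the array index in the parameter name changes, so a selector on the stable tail of the key would keep the rest of the body inspected — e.g. `ctl:ruleRemoveTargetById=941150;ARGS:/\.instance\.raw\.content$/` on each line, provided this engine accepts a regex selector in `ruleRemoveTargetById` and the audit log confirms the ARGS names the JSON parser produces. Whatever gate is kept, the comment should state the trade-off so the next maintainer does not widen it further, e.g. `# NOTE: the _locale gate is client-supplied; keep the removed targets as narrow as the JSON key names allow` (and fix `paramater`). The following hunk at `@@ -858,7 +897,6 @@` only removes a blank line.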
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
index 1f0c963..03f3e52 100644
--- a/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
@@ -46,3 +46,23 @@ tests:
 data: |
 {"id":2934,"styles":{"blocks":{"core/site-title":{"typography":{"fontWeight":"400"}},"core/pullquote":{"typography":{"fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal","fontWeight":"normal","lineHeight":"1.2"}},"core/quote":{"variations":{"plain":{"typography":{"fontStyle":"normal","fontWeight":"400"}}},"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal"}},"core/navigation":{"typography":{"fontWeight":"400"}}},"elements":{"button":{"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--small)","fontStyle":"normal"}},"heading":{"color":{"background":"#ab5a5a"}}},"css":""}}
 no_log_contains: id "920450"
+ - test_title: 9507146-3
+ desc: Editing widgets
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Content-Type: application/json
+ x-http-method-override: PUT
+ port: 80
+ method: POST
+ version: "HTTP/1.1"
+ uri: /post/wp-json/wp/v2/sidebars/sidebar-1?_locale=user
+ data: |
+ {"id":"sidebar-1","widgets":["block-16","block-17","block-18"]}
+ output:
+ no_log_contains: id "920450"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
new file mode 100644
index 0000000..6fd1ea1
--- /dev/null
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
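Review bot: Test 9507146-3 asserts only `no_log_contains: id "920450"`, so it still passes when the exclusion fires but another rule blocks the sidebar save, and it says nothing about whether the widget request is actually usable through the WAF. Extending the assertion to the inbound blocking rule, e.g. `no_log_contains: id "(?:920450|949110)"` if the framework treats the value as a regex as the other tests suggest, would make the regression test express what the plugin user cares about. A sibling stage that sends the same `x-http-method-override: PUT` header to a path outside the 9507146 alternation and expects `log_contains: id "920450"` would also show that the new `sidebars` entry did not widen the exclusion beyond the intended routes.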
@@ -0,0 +1,28 @@ +--- +meta: + author: "Esad Cetiner" + description: "Wordpress Rule Exclusions Plugin" + enabled: true + name: 9507201.yaml +tests: + - test_title: 9507201-1 + desc: + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: application/json + port: 80 + method: POST + version: "HTTP/1.1" + uri: /post/wp-json/batch/v1?_locale=user + data: | + {"validation":"require-all-validate","requests":[{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"\n
test
\n"}},"sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":""}}, + "sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"\n