From bc1c1f6d82b8558eea6fe0c59775765b918cca2a Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 25 Feb 2026 15:27:53 +0100 Subject: [PATCH 1/7] Add vpatch-CVE-2024-3495 rule --- .../crowdsecurity/vpatch-CVE-2024-3495.yaml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml new file mode 100644 index 00000000000..3625ccd3fd4 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml @@ -0,0 +1,52 @@ +## autogenerated on 2026-02-25 14:27:50 +name: crowdsecurity/vpatch-CVE-2024-3495 +description: 'Detects SQL injection attempts in Country State City Dropdown CF7 plugin for WordPress via sid and cnt parameters.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - BODY_ARGS + variables: + - sid + transform: + - lowercase + - urldecode + match: + type: contains + value: " or " + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - BODY_ARGS + variables: + - cnt + transform: + - lowercase + - urldecode + match: + type: contains + value: " or " + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Country State City Dropdown CF7 - SQLI' + classification: + - cve.CVE-2024-3495 + - attack.T1190 + - cwe.CWE-89 From 5d396280f0a1182595af4fd017db14ab0834ac5d Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 25 Feb 2026 15:27:55 +0100 Subject: [PATCH 2/7] Add vpatch-CVE-2024-3495 test config --- .appsec-tests/vpatch-CVE-2024-3495/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-3495/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-3495/config.yaml b/.appsec-tests/vpatch-CVE-2024-3495/config.yaml new file mode 100644 index 00000000000..87682b8170b --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-3495/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-02-25 14:27:50 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml +nuclei_template: CVE-2024-3495.yaml From 6a809b2233b9c48ecef360a7ed51c04993fd1a99 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 25 Feb 2026 15:27:57 +0100 Subject: [PATCH 3/7] Add CVE-2024-3495.yaml test --- .../vpatch-CVE-2024-3495/CVE-2024-3495.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml b/.appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml new file mode 100644 index 00000000000..9f849e4f182 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2026-02-25 14:27:50 +id: CVE-2024-3495 +info: + name: CVE-2024-3495 + author: crowdsec + severity: info + description: CVE-2024-3495 testing + tags: appsec-testing +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=tc_csca_get_cities&nonce_ajax={{nonce}}&sid=1 or 0 union select concat(0x64617461626173653a,(select md5(999999999)),0x7c76657273696f6e3a,(select md5(999999999)),0x7c757365723a,user()),2,3--+- + cookie-reuse: true + matchers: + - type: status + status: + - 403 From fd71dad4723abdf087088f43cea9c6c43a6d777f Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 25 Feb 2026 15:27:58 +0100 Subject: [PATCH 4/7] Add vpatch-CVE-2024-3495 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 76dd7e12251..22386a28f17 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -140,6 +140,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-2611 - crowdsecurity/vpatch-CVE-2022-24086 - crowdsecurity/vpatch-CVE-2021-32478 +- crowdsecurity/vpatch-CVE-2024-3495 - crowdsecurity/vpatch-CVE-2021-26072 - crowdsecurity/vpatch-CVE-2025-55748 - crowdsecurity/vpatch-CVE-2022-25322 From ac10b75788ba70ff3fa897c357b5f3ccbdb1d009 Mon Sep 17 00:00:00 2001 From: blotus Date: Wed, 25 Feb 2026 15:33:54 +0100 Subject: [PATCH 5/7] Refactor vpatch for CVE-2024-3495 with updated match rules --- .../crowdsecurity/vpatch-CVE-2024-3495.yaml | 22 +++++-------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml index 3625ccd3fd4..6d2b5293f5b 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml @@ -13,31 +13,21 @@ rules: - zones: - BODY_ARGS variables: - - sid - transform: - - lowercase - - urldecode + - action match: - type: contains - value: " or " - - and: - - zones: - - URI - transform: - - lowercase - match: - type: contains - value: /wp-admin/admin-ajax.php + type: equals + value: tc_csca_get_cities - zones: - BODY_ARGS variables: + - sid - cnt transform: - lowercase - urldecode match: - type: contains - value: " or " + type: regex + value: [^0-9]+ labels: type: exploit From 032e3cb8bf9afca1381bbb7a678654079638ec0f Mon Sep 17 00:00:00 2001 From: blotus Date: Wed, 25 Feb 2026 15:36:14 +0100 Subject: [PATCH 6/7] Fix regex value syntax in vpatch-CVE-2024-3495.yaml --- appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml index 6d2b5293f5b..353cdd7202c 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-3495.yaml @@ -27,7 +27,7 @@ rules: - urldecode match: type: regex - value: [^0-9]+ + value: '[^0-9]' labels: type: exploit From fe761a60147be1762c69fc34e75734a1db8c2313 Mon Sep 17 00:00:00 2001 From: blotus Date: Wed, 25 Feb 2026 15:56:38 +0100 Subject: [PATCH 7/7] Refactor CVE-2024-3495.yaml for improved query structure --- .appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml b/.appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml index 9f849e4f182..2d2036c2360 100644 --- a/.appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml +++ b/.appsec-tests/vpatch-CVE-2024-3495/CVE-2024-3495.yaml @@ -13,7 +13,7 @@ http: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - action=tc_csca_get_cities&nonce_ajax={{nonce}}&sid=1 or 0 union select concat(0x64617461626173653a,(select md5(999999999)),0x7c76657273696f6e3a,(select md5(999999999)),0x7c757365723a,user()),2,3--+- + action=tc_csca_get_cities&nonce_ajax={{nonce}}&sid=1+or+0+union+select+concat(0x64617461626173653a,(select+md5(999999999)),0x7c76657273696f6e3a,(select+md5(999999999)),0x7c757365723a,user()),2,3--+- cookie-reuse: true matchers: - type: status