diff --git a/.appsec-tests/CVE-2025-6058/CVE-2025-6058.yaml b/.appsec-tests/CVE-2025-6058/CVE-2025-6058.yaml new file mode 100644 index 00000000000..ef697a3d16d --- /dev/null +++ b/.appsec-tests/CVE-2025-6058/CVE-2025-6058.yaml @@ -0,0 +1,42 @@ +## autogenerated on 2025-08-27 14:33:37 +id: CVE-2025-6058 +info: + name: CVE-2025-6058 + author: crowdsec + severity: info + description: CVE-2025-6058 testing + tags: appsec-testing +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW + + ------WebKitFormBoundary7MA4YWxkTrZu0gW + Content-Disposition: form-data; name="action" + + wpb_ajax_post + ------WebKitFormBoundary7MA4YWxkTrZu0gW + Content-Disposition: form-data; name="route_name" + + add_booking_type + ------WebKitFormBoundary7MA4YWxkTrZu0gW + Content-Disposition: form-data; name="title" + + testtitle + ------WebKitFormBoundary7MA4YWxkTrZu0gW + Content-Disposition: form-data; name="booking_type" + + testtype + ------WebKitFormBoundary7MA4YWxkTrZu0gW + Content-Disposition: form-data; name="cover_image_img"; filename="testfile.php" + Content-Type: application/octet-stream + + + ------WebKitFormBoundary7MA4YWxkTrZu0gW-- + cookie-reuse: true + matchers: + - type: status + status: + - 403 diff --git a/.appsec-tests/CVE-2025-6058/config.yaml b/.appsec-tests/CVE-2025-6058/config.yaml new file mode 100644 index 00000000000..6688afcf4fb --- /dev/null +++ b/.appsec-tests/CVE-2025-6058/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-08-27 14:33:37 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-6058.yaml +nuclei_template: CVE-2025-6058.yaml diff --git a/appsec-rules/crowdsecurity/CVE-2025-6058.yaml b/appsec-rules/crowdsecurity/CVE-2025-6058.yaml new file mode 100644 index 00000000000..5ff2b914369 --- /dev/null +++ b/appsec-rules/crowdsecurity/CVE-2025-6058.yaml @@ -0,0 +1,49 @@ +## autogenerated on 2025-08-27 14:33:37 +name: crowdsecurity/vpatch-CVE-2025-6058 +description: 'Detects unauthenticated arbitrary file upload in WPBookit WordPress plugin via add_booking_type route.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - BODY_ARGS + variables: + - action + transform: + - lowercase + match: + type: equals + value: wpb_ajax_post + - zones: + - BODY_ARGS + variables: + - route_name + transform: + - lowercase + match: + type: equals + value: add_booking_type + - zones: + - FILENAMES + transform: + - lowercase + match: + type: endsWith + value: .php + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'WPBookit - File Upload' + classification: + - cve.CVE-2025-6058 + - attack.T1190 + - cwe.CWE-434 diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..537c272d8ed 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/CVE-2025-6058 author: crowdsecurity contexts: - crowdsecurity/appsec_base