Add vpatch-CVE-2022-3254 rule and test

[crowdsec-automation]

Description

This rule targets the unauthenticated SQL injection vulnerability in the AWP Classifieds WordPress plugin (CVE-2022-3254). The attack is performed via a GET request to /wp-admin/admin-ajax.php with the action parameter set to awpcp-get-regions-options. The vulnerable parameter is parent, which is injected with SQL metacharacters.

• The first rule ensures the request is to the correct endpoint (/wp-admin/admin-ajax.php), using contains with lowercase and urldecode transforms for normalization.
• The second rule matches the parent argument using a regex [^a-z0-9] to detect any non-alphanumeric character (after lowercase and urldecode transforms), flagging SQL injection attempts via special characters.
• The third rule ensures the action parameter is exactly awpcp-get-regions-options, confirming the request is for the vulnerable AJAX action.
• The labels section includes the correct CVE, ATT&CK, and CWE references.

All value: fields are lowercase, and all relevant transforms are applied. The rule is included in the crowdsecurity/appsec-wordpress collection, as CVE-2022-3254 is a WordPress-specific vulnerability.

Checklist

• I have read the contributing guide
• I have tested my changes locally
• For new parsers or scenarios, tests have been added
• I have run the hub linter and no issues were reported (see contributing guide)
• Automated tests are passing
• AI was used to generate any/all content of this PR

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2022-3254 🔴

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[buixor]

@copilot Please fix the regular expression in the WAF so we're just looking for non A-Z 0-9

[Copilot]

@copilot Please fix the regular expression in the WAF so we're just looking for non A-Z 0-9

Done in 5e216de. Changed the parent parameter match from contains: "\+from"totype: regexwith[^a-z0-9](non A-Z 0-9, using lowercase since thelowercase` transform is applied).

[github-actions]

Hello @Copilot,

✅ The new VPATCH Rule is compliant, thank you for your contribution!

[github-actions]

Hello @copilot and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[buixor]

@copilot add the vpatch rule to the wordpress vpatch collection instead

[Copilot]

@copilot add the vpatch rule to the wordpress vpatch collection instead

Done in 4b23302. Moved crowdsecurity/vpatch-CVE-2022-3254 from appsec-virtual-patching to the appsec-wordpress collection.