From a28db2fdd881944fb5247a63725ccc7c20b594af Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:29:32 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-49071 rule --- .../crowdsecurity/vpatch-CVE-2025-49071.yaml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-49071.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-49071.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-49071.yaml new file mode 100644 index 00000000000..ec740477bd5 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-49071.yaml @@ -0,0 +1,42 @@ +## autogenerated on 2026-04-08 13:29:29 +name: crowdsecurity/vpatch-CVE-2025-49071 +description: 'Detects exploitation attempts of the Flozen WordPress theme arbitrary file upload vulnerability (CVE-2025-49071).' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - BODY_ARGS + variables: + - action + transform: + - lowercase + - urldecode + match: + type: equals + value: wp_handle_upload + - zones: + - FILENAMES + transform: + - lowercase + match: + type: endsWith + value: .zip + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Flozen Theme - RCE' + classification: + - cve.CVE-2025-49071 + - attack.T1190 + - cwe.CWE-434 From 84780c8c949ae3d0379ce5b18d041dbc34c16ceb Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:29:34 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-49071 test config --- .appsec-tests/vpatch-CVE-2025-49071/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-49071/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-49071/config.yaml b/.appsec-tests/vpatch-CVE-2025-49071/config.yaml new file mode 100644 index 00000000000..33c724dfbd9 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-49071/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-04-08 13:29:29 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-49071.yaml +nuclei_template: CVE-2025-49071.yaml From af1244850aae9f0bf30ff5ef673b56a58aad22fb Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:29:35 +0200 Subject: [PATCH 3/4] Add CVE-2025-49071.yaml test --- .../vpatch-CVE-2025-49071/CVE-2025-49071.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-49071/CVE-2025-49071.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-49071/CVE-2025-49071.yaml b/.appsec-tests/vpatch-CVE-2025-49071/CVE-2025-49071.yaml new file mode 100644 index 00000000000..d6e948449f4 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-49071/CVE-2025-49071.yaml @@ -0,0 +1,30 @@ +## autogenerated on 2026-04-08 13:29:29 +id: CVE-2025-49071 +info: + name: CVE-2025-49071 + author: crowdsec + severity: info + description: CVE-2025-49071 testing + tags: appsec-testing +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary + + ------WebKitFormBoundary + Content-Disposition: form-data; name="action" + + wp_handle_upload + ------WebKitFormBoundary + Content-Disposition: form-data; name="zip_packet_font"; filename="shadow.zip" + Content-Type: application/zip + + + ------WebKitFormBoundary-- + cookie-reuse: true + matchers: + - type: status + status: + - 403 From fe512254cf4989cb42d3a4659b36c2ea86a426ed Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:29:37 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-49071 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 7ccf9a8bf03..65cde192de2 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -160,6 +160,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2018-13317 - crowdsecurity/vpatch-CVE-2025-9316 - crowdsecurity/vpatch-CVE-2025-11700 +- crowdsecurity/vpatch-CVE-2025-49071 - crowdsecurity/vpatch-CVE-2025-13315 - crowdsecurity/vpatch-CVE-2025-37164 - crowdsecurity/vpatch-CVE-2025-52970