Add vpatch-CVE-2023-3197 rule and test

[crowdsec-automation]

Description

Adds a new AppSec rule crowdsecurity/vpatch-CVE-2023-3197 to detect unauthenticated SQL injection in the WordPress MStore API plugin, included in the crowdsecurity/appsec-wordpress collection.

Detection logic:

• Matches requests where the URI contains /wp-json/api/flutter_multi_vendor/product-categories (case-insensitive, URL-decoded)
• Flags requests where the id query parameter contains any character outside [a-z0-9] after applying lowercase and urldecode transforms (regex: [^a-z0-9])

This regex-based approach is robust since a legitimate numeric category id should only contain alphanumeric characters. Any injected SQL characters (spaces, parentheses, quotes, operators, etc.) will trigger the rule. The rule is included in the crowdsecurity/appsec-wordpress collection, which is the appropriate collection for WordPress-specific virtual patching rules.

A nuclei test template is included that verifies requests with a malicious id parameter (containing a SQL injection payload) are blocked with a 403 status.

Checklist

• I have read the contributing guide
• I have tested my changes locally
• For new parsers or scenarios, tests have been added
• I have run the hub linter and no issues were reported (see contributing guide)
• Automated tests are passing
• AI was used to generate any/all content of this PR

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-3197 🔴

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[buixor]

@copilot please fix the search condition to look for non a-z0-9 patterns

[Copilot]

@copilot please fix the search condition to look for non a-z0-9 patterns

Updated in fa4c7a8 — changed the id parameter match from contains: ' and ' to regex: '[^a-z0-9]'. After lowercase + urldecode transforms, any id value containing characters outside [a-z0-9] (spaces, parentheses, quotes, etc.) will be flagged, which catches SQL injection attempts more broadly while still being precise to the endpoint.

[github-actions]

Hello @Copilot,

✅ The new VPATCH Rule is compliant, thank you for your contribution!

[github-actions]

Hello @Copilot and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[buixor]

@copilot move it to the wordpress vpatch collection

[Copilot]

@copilot move it to the wordpress vpatch collection

Done in 38d0d50 — moved crowdsecurity/vpatch-CVE-2023-3197 from appsec-virtual-patching to appsec-wordpress collection.

[github-actions]

Hello @buixor and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0900 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6567 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23489 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1061 🔴
🔴 crowdsecurity/vpatch-CVE-2023-3197 🔴
🔴 crowdsecurity/vpatch-CVE-2025-40552 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1071 🔴
🔴 crowdsecurity/vpatch-CVE-2023-4634 🔴
🔴 crowdsecurity/vpatch-CVE-2023-2009 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23488 🔴

[github-actions]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.