Add vpatch-CVE-2025-49071 rule and test

[crowdsec-automation]

This rule detects exploitation attempts against the Flozen WordPress theme (CVE-2025-49071), which allows unauthenticated attackers to upload arbitrary ZIP files via the vulnerable wp_handle_upload AJAX action. The detection logic is as follows:

• The first rule ensures the request is targeting /wp-admin/admin-ajax.php, which is the endpoint used for WordPress AJAX actions.
• The second rule checks that the POST body contains the parameter action with the value wp_handle_upload, which is the specific action exploited by the attack.
• The third rule checks that a file with a .zip extension is being uploaded (as the exploit uploads a ZIP archive containing a webshell).

All value: fields are lowercase, and all relevant transforms (lowercase, urldecode) are applied to ensure case-insensitive and normalized matching. The rule uses contains, equals, and endsWith as appropriate, avoiding regex unless necessary. This approach minimizes false positives and negatives by tightly matching the exploit's characteristics. The test nuclei template simulates the exploit and expects a 403 response, confirming the rule's blocking behavior.

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2025-49071 🔴

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.