From 24945146a4c8e8372bec6bd867e65a8dc233c1ea Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 14 Jan 2026 15:58:58 +0100 Subject: [PATCH 1/5] Add vpatch-CVE-2024-5057 rule --- .../crowdsecurity/vpatch-CVE-2024-5057.yaml | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml new file mode 100644 index 00000000000..ec2e66ea0b1 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml @@ -0,0 +1,45 @@ +## autogenerated on 2026-01-14 14:58:55 +name: crowdsecurity/vpatch-CVE-2024-5057 +description: 'Detects SQL injection vulnerability in WordPress Easy Digital Downloads <= 3.2.12 via the edd_download_search action.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - ARGS + variables: + - action + transform: + - lowercase + - urldecode + match: + type: equals + value: edd_download_search + - zones: + - ARGS + variables: + - s + transform: + - lowercase + - urldecode + match: + type: contains + value: "')" + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Easy Digital Downloads - SQLI' + classification: + - cve.CVE-2024-5057 + - attack.T1190 + - cwe.CWE-89 From c4380c3c4eff347d68b93395ce450847b9c413d6 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 14 Jan 2026 15:58:59 +0100 Subject: [PATCH 2/5] Add vpatch-CVE-2024-5057 test config --- .appsec-tests/vpatch-CVE-2024-5057/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-5057/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-5057/config.yaml b/.appsec-tests/vpatch-CVE-2024-5057/config.yaml new file mode 100644 index 00000000000..70fa8869136 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-5057/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-01-14 14:58:55 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml +nuclei_template: CVE-2024-5057.yaml From 36fdf1979469a8934a972853f4bed6fc6ce72857 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 14 Jan 2026 15:59:01 +0100 Subject: [PATCH 3/5] Add CVE-2024-5057.yaml test --- .../vpatch-CVE-2024-5057/CVE-2024-5057.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-5057/CVE-2024-5057.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-5057/CVE-2024-5057.yaml b/.appsec-tests/vpatch-CVE-2024-5057/CVE-2024-5057.yaml new file mode 100644 index 00000000000..f8a6b530e00 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-5057/CVE-2024-5057.yaml @@ -0,0 +1,18 @@ +## autogenerated on 2026-01-14 14:58:55 +id: CVE-2024-5057 +info: + name: CVE-2024-5057 + author: crowdsec + severity: info + description: CVE-2024-5057 testing + tags: appsec-testing +http: + - raw: + - | + GET /wp-admin/admin-ajax.php?action=edd_download_search&s=a')/**/AND/**/SLEEP(6)%23 HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From beaec6e7daf0e06df08df9bb41f06da6d778f043 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 14 Jan 2026 15:59:03 +0100 Subject: [PATCH 4/5] Add vpatch-CVE-2024-5057 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index f5c90e4d535..b0a4e90e6b6 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -38,6 +38,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2023-46805 - crowdsecurity/vpatch-CVE-2024-23897 - crowdsecurity/vpatch-CVE-2023-22527 +- crowdsecurity/vpatch-CVE-2024-5057 - crowdsecurity/vpatch-CVE-2023-35078 - crowdsecurity/vpatch-CVE-2023-35082 - crowdsecurity/vpatch-CVE-2022-22954 From 0b1b0b15b6052555e4e36347cc8ce18ca7505a69 Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Wed, 14 Jan 2026 16:14:39 +0100 Subject: [PATCH 5/5] Update vpatch-CVE-2024-5057.yaml --- appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml index ec2e66ea0b1..0cb4ce7a532 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-5057.yaml @@ -30,7 +30,7 @@ rules: - urldecode match: type: contains - value: "')" + value: "'" labels: type: exploit