From edf322b9ca8403af99f7bceddeaf06f72e56eff1 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:20:10 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-22785 rule --- .../crowdsecurity/vpatch-CVE-2025-22785.yaml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-22785.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-22785.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-22785.yaml new file mode 100644 index 00000000000..b1c4d954d15 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-22785.yaml @@ -0,0 +1,52 @@ +## autogenerated on 2026-04-15 13:20:07 +name: crowdsecurity/vpatch-CVE-2025-22785 +description: 'Detects SQL injection in Course Booking System WordPress plugin via booking_id or course_id parameters.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - BODY_ARGS + variables: + - booking_id + transform: + - lowercase + - urldecode + match: + type: contains + value: ' and ' + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - BODY_ARGS + variables: + - course_id + transform: + - lowercase + - urldecode + match: + type: contains + value: ' and ' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Course Booking System - SQLI' + classification: + - cve.CVE-2025-22785 + - attack.T1190 + - cwe.CWE-89 From f1a603d72b3fd9dd87a87ebf66d815a076bb0cdf Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:20:12 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-22785 test config --- .appsec-tests/vpatch-CVE-2025-22785/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-22785/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-22785/config.yaml b/.appsec-tests/vpatch-CVE-2025-22785/config.yaml new file mode 100644 index 00000000000..99540f738c8 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-22785/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-04-15 13:20:07 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-22785.yaml +nuclei_template: CVE-2025-22785.yaml From 7cb22abfaf85ed2a22008035dd0a091ad5f522c7 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:20:14 +0200 Subject: [PATCH 3/4] Add CVE-2025-22785.yaml test --- .../vpatch-CVE-2025-22785/CVE-2025-22785.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-22785/CVE-2025-22785.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-22785/CVE-2025-22785.yaml b/.appsec-tests/vpatch-CVE-2025-22785/CVE-2025-22785.yaml new file mode 100644 index 00000000000..f8414547fad --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-22785/CVE-2025-22785.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2026-04-15 13:20:07 +id: CVE-2025-22785 +info: + name: CVE-2025-22785 + author: crowdsec + severity: info + description: CVE-2025-22785 testing + tags: appsec-testing +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=cbs_action_booking_delete&booking_id=1&course_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(8)))sqltest) + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 664aa185dc032b2102ce1112471971dc084be267 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:20:16 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-22785 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 7ccf9a8bf03..5d28a34b83f 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -66,6 +66,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-8110 - crowdsecurity/vpatch-CVE-2024-27348 - crowdsecurity/vpatch-CVE-2020-5902 +- crowdsecurity/vpatch-CVE-2025-22785 - crowdsecurity/vpatch-CVE-2018-13379 - crowdsecurity/vpatch-CVE-2022-26134 - crowdsecurity/vpatch-CVE-2026-1557