Technical Tip: Using FortiSIEM to detect the WordPress WPGateway Plugin Vulnerability | CVE-2022-3180

This article describes how to use custom Rules in FortiSIEM to raise incident response related to attacks that attempt to leverage the WordPress WPGateway Plugin vulnerability.

A report is also provided to gain historical visibility into the logs.

The article will be continually updated as more information becomes available.

The Rules and Reports leverage logs from other Fortinet products that can be used to detect the attack in addition to FortiGate logs.

For more information about this attack, see the following FortiGuard Outbreak Alert:
https://www.fortiguard.com/outbreak-alert/wpgateway-plugin-vulnerability

1) Use FortiSIEM_WordPress_WPGateway_Reports_v1.xml as the file to import the Reports.

- Navigate to Resource/Reports.


- It is recommended to create a new group under Resource/Reports/Security called ‘Apache Path Traversal’ and import reports to this group.
- Select the Import option under More.


- Select FortiSIEM_WordPress_WPGateway_Reports_v1.xml and import.

2) Use FortiSIEM_WordPress_WPGateway_Rules_v1.xml as the file to import the Rules.


- Navigate to Resource/Rules.


- It is recommended to create a new group under Resource/Rules/Security/ Threat Hunting is created called 'WordPress WPGateway’ and import the rules to this group.

- Select the Import.
- Select FortiSIEM_WordPress_WPGateway_Rules_v1.xml and import.


FortiSIEM provides content packs for easy installation of these Rules and Reports:

What is included in Fortinet_FortiSIEM_WordPress_WPGateway.zip?


- A FortiSIEM Rule to help with detection.


- A FortiSIEM Report to help with historical reporting.