Updated x-http-method-override rules for rest-api usage:

joostdekeijzer · joostdekeijzer · commit 21afc04476fd · 2025-10-24T13:31:57.000+02:00
- 9507144 without permalinks - 9507146 With permalinks 1. Added test that REQUEST_METHOD *must be* POST 2. Added support for DELETE override 3. Added tests Please note that the WordPress developer docs state that any WordPress API call may use the x-http-method-override-header (see https://developer.wordpress.org/rest-api/using-the-rest-api/global-parameters/#_method-or-x-http-method-override-header) With current implementation eg. Custom Post Types are not supported.
diff --git a/plugins/wordpress-rule-exclusions-before.conf b/plugins/wordpress-rule-exclusions-before.conf
@@ -237,7 +237,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
             ctl:ruleRemoveById=200002,\
             ctl:ruleRemoveById=200004"
 
-# Editing a page/post with gutenberg editor
+# Cannot update items using WordPress API due to `x-http-method-override` header (eg. for Gutenberg, pretty permalinks disabled).
 SecRule REQUEST_FILENAME "@endsWith /index.php" \
     "id:9507144,\
     phase:1,\
@@ -246,9 +246,17 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
     nolog,\
     ver:'wordpress-rule-exclusions-plugin/1.1.0',\
     chain"
-    SecRule REQUEST_HEADERS:x-http-method-override "@streq PUT" \
+    SecRule &ARGS:rest_route "@eq 1" \
         "t:none,\
-        ctl:ruleRemoveById=920450"
+        nolog,\
+        chain"
+        SecRule REQUEST_METHOD "@streq POST" \
+            "t:none,\
+            nolog,\
+            chain"
+            SecRule REQUEST_HEADERS:x-http-method-override "@pm PUT DELETE" \
+                "t:none,\
+                ctl:ruleRemoveById=920450"
 
 # Gutenberg full site editor (v6.3.1+).
 # Requests can contain CSS data, which are detected by libinjection.
@@ -270,7 +278,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
             "t:none,\
             ctl:ruleRemoveTargetById=942100;ARGS"
 
-# Cannot update page|post in WordPress due to `x-http-method-override` header.
+# Cannot update items using WordPress API due to `x-http-method-override` header (eg. for Gutenberg, pretty permalinks enabled).
 SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pages|posts|sidebars|template-parts|templates|users)" \
     "id:9507146,\
     phase:1,\
@@ -279,9 +287,13 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pa
     nolog,\
     ver:'wordpress-rule-exclusions-plugin/1.1.0',\
     chain"
-    SecRule &REQUEST_HEADERS:x-http-method-override "!@eq 0" \
+    SecRule REQUEST_METHOD "@streq POST" \
         "t:none,\
-        ctl:ruleRemoveById=920450"
+        nolog,\
+        chain"
+        SecRule REQUEST_HEADERS:x-http-method-override "@pm PUT DELETE" \
+            "t:none,\
+            ctl:ruleRemoveById=920450"
 
 # Loading tags/catagories for pages/posts
 # Obtaining metadata for pages/posts
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507144.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507144.yaml
@@ -0,0 +1,110 @@
+---
+meta:
+  author: "Joost de Keijzer"
+  description: "Wordpress Rule Exclusions Plugin"
+rule_id: 9507144
+tests:
+  - test_id: 1
+    desc: Editing template part of a website i.e header or footer
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: OWASP CRS test agent
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          # URI is actually sent with double slashes
+          uri: /index.php?rest_route=/wp/v2/template-parts/twentytwentyfour//header&_locale=user
+          # Data is sent with some special characters escaped
+          data: |
+            {"id":"twentytwentyfour//header","content":"<!-- wp:group {\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-group alignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group {\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\"><!-- wp:site-logo {\"width\":60} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\">
+            <!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group --></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p>testing</p>\n<!-- /wp:paragraph -->\n\n<!-- wp:group {\"layout\":{\"type\":\"flex\",\"flexWrap\":\"wrap\",\"justifyContent\":\"left\"}} -->\n<div class=\"wp-block-group\"><!-- wp:navigation {\"ref\":21,\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\"}} /--></div>\n<!-- /wp:group --></div>\n<!-- /wp:group --></div>\n<!-- /wp:group -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 2
+    desc: Editing global styles for a theme
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: OWASP CRS test agent
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/global-styles/26&_locale=user
+          data: |
+            {"id":26,"settings":{"color":{"duotone":{"theme":[{"colors":["#272727","#f9f9f9"],"slug":"duotone-1","name":"Donkergrijs en wit"},{"colors":["#272727","#5F584F"],"slug":"duotone-2","name":"Donkergrijs en walnoot"},{"colors":["#272727","#973C20"],"slug":"duotone-3","name":"Donkergrijs en kaneel"},{"colors":["#272727","#4D5B48"],"slug":"duotone-4","name":"Donkergrijs en olijfgroen"},{"colors":["#272727","#4F5959"],"slug":"duotone-5","name":"Donkergrijs en staal"}]},"gradients":{"theme":[{"slug":"gradient-1","gradient":"linear-gradient(to bottom, #5F584F 0%, #272727 100%)","name":"Verticaal zacht drijfhout naar donkergrijs"},{"slug":"gradient-2","gradient":"linear-gradient(to bottom, #6D533C 0%, #272727 100%)","name":"Verticaal zacht walnoot naar donkergrijs"},
+            {"slug":"gradient-3","gradient":"linear-gradient(to bottom, #973C20 0%, #272727 100%)","name":"Verticaal zacht kaneel naar donkergrijs"},{"slug":"gradient-4","gradient":"linear-gradient(to bottom, #4D5B48 0%, #272727 100%)","name":"Verticaal zacht olijf naar donkergrijs"},{"slug":"gradient-5","gradient":"linear-gradient(to bottom, #4F5959 0%, #272727 100%)","name":"Verticaal zacht staal naar donkergrijs"},{"slug":"gradient-6","gradient":"linear-gradient(to bottom, #909090 0%, #272727 100%)","name":"Verticaal zacht tin naar donkergrijs"},{"slug":"gradient-7","gradient":"linear-gradient(to bottom, #5F584F 50%, #272727 50%)","name":"Verticaal hard beige naar donkergrijs"},{"slug":"gradient-8","gradient":"linear-gradient(to bottom, #6D533C 50%, #272727 50%)","name":"Verticaal hard walnoot naar donkergrijs"},
+            {"slug":"gradient-9","gradient":"linear-gradient(to bottom, #973C20 50%, #272727 50%)","name":"Verticaal hard kaneel naar donkergrijs"},{"slug":"gradient-10","gradient":"linear-gradient(to bottom, #4D5B48 50%, #272727 50%)","name":"Verticaal hard olijf naar donkergrijs"},{"slug":"gradient-11","gradient":"linear-gradient(to bottom, #4F5959 50%, #272727 50%)","name":"Verticaal hard staal naar donkergrijs"},{"slug":"gradient-12","gradient":"linear-gradient(to bottom, #A4A4A4 50%, #272727 50%)","name":"Verticaal hard tin naar donkergrijs"}]},"palette":{"theme":[{"color":"#272727","name":"Basis","slug":"base"},{"color":"#303030","name":"Basis / Twee","slug":"base-2"},{"color":"#f9f9f9","name":"Contrast","slug":"contrast"},{"color":"#B7B7B7","name":"Contrast / Twee","slug":"contrast-2"},
+            {"color":"#909090","name":"Contrast / Drie","slug":"contrast-3"},{"color":"#5F584F","name":"Accent","slug":"accent"},{"color":"#6D533C","name":"Accent / Twee","slug":"accent-2"},{"color":"#973C20","name":"Accent / Drie","slug":"accent-3"},{"color":"#4D5B48","name":"Accent / Vier","slug":"accent-4"},{"color":"#4F5959","name":"Accent / Vijf","slug":"accent-5"}]}}}}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 3
+    desc: Editing widgets
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/sidebars/sidebar-1&_locale=user
+          data: |
+            {"id":"sidebar-1","widgets":["search-2","recent-posts-2","recent-comments-2","archives-2","categories-2","meta-2","block-2","block-3"]}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 4
+    desc: Save post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/posts/1&_locale=user
+          data: |
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 5
+    desc: Delete post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: DELETE
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/posts/1&_locale=user
+        output:
+          log:
+            no_expect_ids: [920450]
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
@@ -67,3 +67,81 @@ tests:
         output:
           log:
             no_expect_ids: [920450]
+  - test_id: 4
+    desc: Save post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /wp-json/wp/v2/posts/1&_locale=user
+          data: |
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 5
+    desc: Delete post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: DELETE
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /wp-json/wp/v2/posts/1&_locale=user
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 6
+    desc: Save post when permalink struct starts with /index.php/
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php/wp-json/wp/v2/posts/1&_locale=user
+          data: |
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 7
+    desc: Save post for multisite or a WordPress installation in "nested directories"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /subdir/wordpress-here/wp-json/wp/v2/posts/1&_locale=user
+          data: |
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
