<![CDATA[🚨 Hey, so that nginx RCE targeting instances with the unnamed rewrite rule?]]>🚨 Hey, so that nginx RCE targeting instances with the unnamed rewrite rule? => It's extremely common.

That exact rule is the official recommended config from Yoast for their XML sitemaps on NGINX.

From their help page:

rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

This is copy-pasted verbatim by millions of WP sites running Yoast SEO (5+ million active installs) and also by sites using other SEO plugins that followed Yoast's lead. (1/3)

]]>https://board.circlewithadot.net/topic/8154132a-3737-4837-9615-7c2c795ceb2a/hey-so-that-nginx-rce-targeting-instances-with-the-unnamed-rewrite-ruleRSS for NodeFri, 15 May 2026 04:02:51 GMTThu, 14 May 2026 12:08:10 GMT60<![CDATA[Reply to 🚨 Hey, so that nginx RCE targeting instances with the unnamed rewrite rule? on Thu, 14 May 2026 13:13:10 GMT]]>OH, and FWIW the White House runs WordPress on nginx and likely has a plugin running that causes the weak nginx rewrite rule to be needed.

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116573103078221129https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116573103078221129Thu, 14 May 2026 13:13:10 GMT<![CDATA[Reply to 🚨 Hey, so that nginx RCE targeting instances with the unnamed rewrite rule? on Thu, 14 May 2026 12:09:51 GMT]]>I still had a lingering nginx box with a legacy WP config (and un-upgrade-able nginx)I had to find and fix, hence the script.

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116572854108585135https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116572854108585135Thu, 14 May 2026 12:09:51 GMT<![CDATA[Reply to 🚨 Hey, so that nginx RCE targeting instances with the unnamed rewrite rule? on Thu, 14 May 2026 12:08:11 GMT]]>PRs/helpful suggestions/credit to it from skeezy cyber vendors who steal it and put it in their products without compensation is welcome/encouraged (3/3)

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116572847558280529https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116572847558280529Thu, 14 May 2026 12:08:11 GMT<![CDATA[Reply to 🚨 Hey, so that nginx RCE targeting instances with the unnamed rewrite rule? on Thu, 14 May 2026 12:08:10 GMT]]>The EasyEngine tutorial, StackPointer, WPMU DEV, Stack Overflow, and the WordPress.org forums all reference this same pattern.

This can easily be chained with one (or both) of two recent and trivial-to-exploit local privilege escalation Linux vulns.

In the words of @krypt3ia :

we doomed.

HOWEVER: I threw together a small Bash script that tries to detect whether a given conf file or directory of nginx configs has vulnerable directives. You can find it at:

https://git.sr.ht/~hrbrmstr/cve-2026-42945-scanner… (2/3)

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116572847528970537https://board.circlewithadot.net/post/https://mastodon.social/users/hrbrmstr/statuses/116572847528970537Thu, 14 May 2026 12:08:10 GMT