Modules update.

Author: Maikuolan

modules/module_botua.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Bot user agents module (last modified: 2025.07.19).
+ * This file: Bot user agents module (last modified: 2025.07.24).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -151,7 +151,7 @@
     $Trigger(preg_match(
         '~^(?:wp-iphone$|\'?test|-|default|foo)|_sitemapper|3mir|' .
         'a(?:boundex|dmantx|dnormcrawler|dvbot|lphaserver|thens|ttache)|' .
-        'blekko|blogsnowbot|bytespider|' .
+        'blekko|blogsnowbot|' .
         'cmscrawler|co(?:ccoc|llect|modo-webinspector-crawler|mpspy)|crawler(?:4j|\.feedback)|' .
         'd(?:atacha|igout4uagent|ioscout|kimrepbot|sarobot)|' .
         'easou|exabot|' .
@@ -167,28 +167,28 @@
         'user-agent|visaduhoc|vonchimpenfurlr|webtarantula|wolf|' .
         'y(?:acy|isouspider|[ry]spider|unrang|unyun)|zoominfobot~',
         $UANoSpace
-    ) || strpos($UA, '   ') !== false, 'Banned UA'); // 2021.07.08 mod 2025.03.31
+    ) || strpos($UA, '   ') !== false, 'Banned UA'); // 2021.07.08 mod 2025.07.24
 
     if (!$Trigger((
         preg_match('~^python-requests/2\.27~', $UANoSpace) &&
         preg_match('~admin|config\.php~', $CIDRAM['BlockInfo']['rURI'])
     ), 'Hack attempt')) { // 2022.05.08
         $Trigger(preg_match(
             '~c(?:copyright|enturyb|9hilkat|olly)|fetch/|flipboard|googlealerts|grub|' .
-            'indeedbot|quick-crawler|scrapinghub|ttd-content|zgrab|^(?:abot|python-re' .
-            'quests/|spider)~',
+            'indeedbot|quick-crawler|scrapinghub|ttd-content|^(?:abot|python-requests' .
+            '/|spider)~',
             $UANoSpace
-        ), 'Scraper UA'); // 2022.05.11
+        ), 'Scraper UA'); // 2022.05.11 mod 2025.07.24
     }
 
     $Trigger(preg_match('~^mozila/~', $UANoSpace), 'Hack attempt'); // 2022.05.31
 
     $Trigger(preg_match(
         '~007ac9|200please|360spider|3d-ftp|' .
         'a(?:6-indexer|ccelo|ffinity|ghaven|href|ipbot|naly(?:ticsseo|zer)|pp3lewebkit|rtviper|wcheck)|' .
-        'b(?:acklink|azqux|ender|inlar|itvo|ixo|lex|nf.fr|ogahn|oitho|pimagewalker)|' .
-        'c(?:cbot|ent(?:iverse|ric)|ityreview|msworldmap|omment|ommoncrawl|overscout|r4nk|rawl(?:erbotalpha|fire)|razywebcrawler|uriousgeorge|ydral)|' .
-        'd(?:ataprovider|atenbank|aylife|ebate|igext|(?:cp|isco|ot|ouban|ownload)bot|otcomdotnet|otnetdotcom|owjones|tsagent)|' .
+        'b(?:abbar\.tech|acklink|arkrowler|azqux|ender|inlar|itvo|ixo|lex|nf.fr|ogahn|oitho|pimagewalker)|' .
+        'c(?:ent(?:iverse|ric)|ityreview|msworldmap|omment|ommoncrawl|overscout|r4nk|rawl(?:erbotalpha|fire)|razywebcrawler|uriousgeorge|ydral)|' .
+        'd(?:ataprovider|aylife|ebate|igext|(?:cp|isco|ot|ouban|ownload)bot|otcomdotnet|otnetdotcom|owjones|tsagent)|' .
         'e(?:(?:na|uro|xperi)bot|nvolk|stimatewebstats|vaal|zoom)|' .
         'f(?:dm|etch(?:er.0|or)|ibgen)|' .
         'g(?:alaxydownloads|et(?:download\.ws|ty|url11)|slfbot|umgum|urujibot)|' .
@@ -197,19 +197,18 @@
         'k(?:eywenbot|eywordsearchtool|imengi|kman)|' .
         'l(?:abjs\.pro|arbin|ink(?:dex|walker)|iperhey|(?:t|ush)bot)|' .
         'm(?:ahiti|ahonie|attters|egaindex|iabot|lbot|oreover|ormor|ot-v980|oz\.com|rchrome|ulticrawler)|' .
-        'n(?:eofonie|etestate|ewsbot|extgensearchbot|ineconnections)|' .
+        'n(?:eofonie|ewsbot|extgensearchbot|ineconnections)|' .
         'o(?:afcrawl|fflinenavigator|odlebot|ptimizer)|' .
-        'p(?:age(?:fetch|gett|_verifi)er|agesinventory|anscient|ath2|ic(?:grabber|s|tsnapshot|turefinder)|i(?:pl|xmatch|xray)|oe-component-client-|owermarks|rofiler|roximic|(?:s|ure)bot|urity)|qqdownload|' .
+        'p(?:age(?:fetch|gett|_verifi)er|agesinventory|ath2|ic(?:grabber|s|tsnapshot|turefinder)|i(?:pl|xmatch|xray)|oe-component-client-|owermarks|rofiler|roximic|(?:s|ure)bot|urity)|qqdownload|' .
         'r(?:6_|adian6|ankivabot|ebi-shoveler|everseget|ganalytics|ocketcrawler|ogerbot|sscrawl|ulinki)|' .
-        's(?:afeassign|bider|bl[.-]bot|crap[ey]|creamingfrog|earchmetricsbot|emrush|eo(?:bulls|eng|hunt|kicks|mon|profiler|stat|tool)|erpstat|istrix|ite(?:bot|intel)|n[iy]per|olomono|pbot|p(?:hi|y)der|search|webot)|' .
+        's(?:afeassign|bider|bl[.-]bot|creamingfrog|earchmetricsbot|emrush|eo(?:bulls|eng|hunt|kicks|mon|profiler|stat|tool)|erpstat|istrix|ite(?:bot|intel)|n[iy]per|olomono|pbot|search|webot)|' .
         't(?:-h-u-n|agsdir|ineye|opseo|raumacadx|urnitinbot)|' .
         'u(?:12bot|p(?:downer|ictobot))|' .
         'v(?:agabondo|bseo|isbot|oyager)|' .
         'w(?:arebay|auuu|bsearchbot|eb(?:alta|capture|download|mastercoffee|meup|ripper)|ikio|indows(?:3|seven)|ise-guys|khtmlto|orldbot|otbox)|' .
-        'xtractorpro|' .
         'yoofind~',
         $UANoSpace
-    ), 'Backlink/SEO/Scraper UA'); // 2022.09.19 mod 2025.07.19
+    ), 'Backlink/SEO/Scraper UA'); // 2022.09.19 mod 2025.07.24
 
     $Trigger(strpos($UANoSpace, 'catch') !== false, 'Risky UA'); // 2017.01.13
 
@@ -228,7 +227,7 @@
         '~\.buzz|(?<!amazona)dbot/|(?:\W|^)(?:cu|pe)rl(?:\W|$)|#boss#|' .
         '^(?:[aim]$|(?!linkedinbot).*http-?(?:agent|client))|-xpanse|' .
         'a(?:bonti|ccserver|cme.spider|dreview/\d|jbaxy|nthill$|nyevent-http|ppengine|xios)|' .
-        'b(?:abbar\.tech|igbozz|itsight|lackbird|logsearch|logbot|salsa)|' .
+        'b(?:igbozz|itsight|lackbird|logsearch|logbot|salsa)|' .
         'c(?:astlebot|atexplorador|k=\{\}|lickagy|liqzbot|ms-?checker|ontextad|orporama|ortex/\d|rowsnest|yberpatrol)|' .
         'd(?:eepfield|le_spider|nbcrawler|omainappender|umprendertree)|' .
         'expanse|' .
@@ -243,7 +242,7 @@
         'p(?:4bot|4load|acrawler|ageglimpse|aloalto(?:company|network)|arsijoo|egasusmonitoring|hantomjs|hpcrawl|ingdom|rlog)|' .
         'r(?:arelyused|obo(?:cop|spider)|yze)|' .
         's(?:/got|can\.lol|caninfo|creener|eekport|itedomain|mut|nap(?:preview)?bot|oapclient|ocial(?:ayer|searcher)|oso|pyglass|quider|treetbot|ynapse)|' .
-        't(?:impi|omba|weezler|ryghost)|' .
+        't(?:omba|weezler|ryghost)|' .
         'urlappendbot|urltest|' .
         'w(?:asalive|atchmouse|eb(?:-monitoring|bot|masteraid|money|pros|site-info\.net|thumbnail)|hatweb|ikiapiary|ininet|maid\.com|pbot/1\.|sr-agent|wwtype)|' .
         'xenu|xovi|' .
@@ -252,7 +251,7 @@
     ) || preg_match(
         '~^Mozilla/5\.0( [A-Za-z]{2,5}/0\..)?$~',
         $CIDRAM['BlockInfo']['UA']
-    ), 'Unauthorised'); // 2023.09.15 mod 2025.07.19
+    ), 'Unauthorised'); // 2023.09.15 mod 2025.07.24
 
     if ($Trigger(preg_match('~ivre-|masscan~', $UANoSpace), 'Port scanner and synflood tool detected')) {
         $CIDRAM['Reporter']->report([14, 15, 19], ['MASSCAN port scanner and synflood tool detected.'], $CIDRAM['BlockInfo']['IPAddr']);
@@ -292,10 +291,13 @@
         $CIDRAM['Reporter']->report([4, 19], ['BitTorrent user agent seen at HTTP server endpoint (possible flood/DDoS attempt).'], $CIDRAM['BlockInfo']['IPAddr']);
     } // 2017.02.25
 
-    $Trigger(preg_match(
-        '~foregenix|modat|nuclei|projectdiscovery|sslyze|threatview~',
+    if ($Trigger(preg_match(
+        '~foregenix|modat|nuclei|isscyberrisk|projectdiscovery|sslyze|threatview~',
         $UA
-    ), 'Vulnerability scanner detected; Unauthorised'); // 2023.06.16 mod 2025.01.12
+    ), 'Unauthorised vulnerability scanner detected')) {
+        $CIDRAM['Reporter']->report([15, 19, 21], ['Unauthorised vulnerability scanner detected.'], $CIDRAM['BlockInfo']['IPAddr']);
+        $CIDRAM['Tracking options override'] = 'extended';
+    } // 2023.06.16 mod 2025.07.24
 
     $Trigger(preg_match('~^python/|aiohttp/|\.post0~', $UANoSpace), 'Bad context (Python/AIO clients not permitted here)'); // 2021.05.18
 
@@ -314,21 +316,32 @@
     } // 2022.05.08
 
     $Trigger(preg_match(
-        '~adbar|anonymous-?coward|' .
-        'banana-?bot|bot-?test|brands-?bot|' .
-        'clark-?crawler|' .
-        'fidget-?spinner-?bot|friendly-?spider|' .
-        'imagesift|' .
+        '~80legs|' .
+        'a(?:dbar|i2bot|ihitbot|i.?searchbot|liyun|ndibot|nonymous-?coward|wario)|' .
+        'b(?:anana-?bot|edrockbot|ot-?test|rands-?bot|rightbot|ytespider)|' .
+        'c(?:asperbot|cbot|hinaclaw|lark-?crawler|ohere-)|' .
+        'd(?:atenbank|eep-?research)|' .
+        'echobo[tx]|' .
+        'f(?:idget-?spinner-?bot|irecrawl|riendly-?(?:crawler|spider))|' .
+        'i(?:askspider|magesift|mg2dataset)|' .
         'jaddjabot|' .
-        'keys-?so-?bot|' .
+        'k(?:angaroobot|eys-?so-?bot)|' .
+        'm(?:amac(?:asper|yber)|istral|ozilla/0|ycentralai)|' .
+        'n(?:etestate|ovaact)|' .
         'orbbot|' .
-        'phxbot|' .
-        'storm-?crawler|' .
-        't(?:est-?bot|hesis-?research-?bot|hinkchaos|iny-?(?:bot|test)|rafilatura)|' .
-        'whatstuffwherebot|winhttp|' .
-        'zephuli-?bot~',
+        'p(?:angubot|anscient|erplexity|hindbot|hxbot|oseidon|ublicwebcrawler)|' .
+        'q(?:ualifiedbot|uillbot)|' .
+        'research.?crawler|' .
+        's(?:bintuition|crap[ey]|idetrade|p(?:hi|y)der|torm-?crawler|ummalybot)|' .
+        't(?:est-?bot|heknowledgeai|hesis-?research-?bot|hinkchaos|impi|iny-?(?:bot|test)|rafilatura)|' .
+        'velenpublic|' .
+        'w(?:ardbot|ebzio|hatstuffwherebot|inhttp)|' .
+        'xtractorpro|' .
+        'z(?:ephuli-?bot|grab)~',
         $UANoSpace
-    ), 'Scraper UA'); // 2023.11.17 mod 2025.07.19
+    ), 'Scraper UA')) {
+        $CIDRAM['Tracking options override'] = 'extended';
+    } // 2023.11.17 mod 2025.07.24
 
     $Trigger(preg_match('~ct‑git‑scanner/~i', $CIDRAM['BlockInfo']['UA']), 'Unauthorised Git scanner'); // 2025.07.05
 
@@ -357,12 +370,10 @@
             strpos($UANoSpace, '}__') !== false ||
             preg_match('~0wn[3e]d|dkemdif.\d|f' . 'uck|:(?:\{[\w]:|[\w\d][;:]\})~', $UANoSpace)
         ), 'Hack UA') || // 2021.06.28
-        $Trigger(preg_match('~(?:(aihit|casper)bot|mamac(asper|yber)|mozilla/0)~', $UANoSpace), 'Probe UA') || // 2017.02.25
         $Trigger(strpos($UANoSpace, 'wopbot') !== false, 'Bash/Shellshock UA') || // 2017.01.06
         $Trigger(preg_match('/(?:x(rumer|pymep)|хрумер)/', $UANoSpace), 'Spam UA') || // 2017.01.02
-        $Trigger(preg_match('~loadimpact|re-?animator|root|theknowledgeai|webster~', $UANoSpace), 'Banned UA') || // 2021.02.10
+        $Trigger(preg_match('~loadimpact|re-?animator|root|webster~', $UANoSpace), 'Banned UA') || // 2021.02.10 mod 2025.07.24
         $Trigger(strpos($UANoSpace, '(somename)') !== false, 'Banned UA') || // 2017.02.02
-        $Trigger(preg_match('~80legs|chinaclaw~', $UANoSpace), 'Scraper UA') || // 2017.01.08 mod 2021.06.28
         $Trigger(preg_match('~brandwatch|magpie~', $UANoSpace), 'Snoop UA') || // 2017.01.13 mod 2021.06.28
         $Trigger(strpos($CIDRAM['BlockInfo']['UA'], 'MSIECrawler') !== false, 'Hostile / Fake IE') // 2017.02.25 mod 2021.06.28
     ) {
@@ -389,8 +400,6 @@
             $CIDRAM['Reporter']->report([15], ['Shell upload attempt detected in user agent.'], $CIDRAM['BlockInfo']['IPAddr']);
         } elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'Hack UA') !== false) {
             $CIDRAM['Reporter']->report([15, 19, 21], ['Hack identifier detected in user agent.'], $CIDRAM['BlockInfo']['IPAddr']);
-        } elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'Vulner') !== false) {
-            $CIDRAM['Reporter']->report([15, 19, 21], ['Caught looking for vulnerabilities.'], $CIDRAM['BlockInfo']['IPAddr']);
         } elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'UASQLi') !== false) {
             $CIDRAM['Reporter']->report([16], ['SQLi attempt detected in user agent.'], $CIDRAM['BlockInfo']['IPAddr']);
         } elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'Probe UA') !== false) {
@@ -430,10 +439,10 @@
      * @link https://www.reddit.com/r/singularity/comments/1cdm97j/anthropics_claudebot_is_aggressively_scraping_the/
      * @link https://www.linode.com/community/questions/24842/ddos-from-anthropic-ai
      */
-    if ($Trigger((strpos($UANoSpace, 'anthropic') !== false || strpos($UANoSpace, 'claudebot') !== false), 'Unauthorised AI scanner')) {
+    if ($Trigger(preg_match('~anthropic|claude-?(?:bot|searchbot|user|web)~', $UANoSpace), 'Unauthorised AI scanner')) {
         $CIDRAM['Reporter']->report([4, 19], ['AI scanner notorious for flooding and DDoS attacks detected.'], $CIDRAM['BlockInfo']['IPAddr']);
         $CIDRAM['Tracking options override'] = 'extended';
-    } // 2023.08.10 mod 2024.04.27
+    } // 2023.08.10 mod 2025.07.24
 
     /**
      * @link https://github.com/CIDRAM/CIDRAM/issues/606

modules/module_extras.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Optional security extras module (last modified: 2025.07.21).
+ * This file: Optional security extras module (last modified: 2025.07.22).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -182,6 +182,13 @@
             $CIDRAM['Reporter']->report([15, 21], ['Caught probing for ' . $Exploit . ' vulnerability.'], $CIDRAM['BlockInfo']['IPAddr']);
         }
 
+        /** Probing for common vulnerabilities and exploits. */
+        if (
+            $Trigger(preg_match('~/services/contributor/1&(?:amp;)?id=1(?:(?:%20|[ +-])(?:union|all|select)|.*(?:null,|md5\\(|--(?:%20|[ +-])?))~', $LCNrURI), $Exploit = 'CVE-2021-24666') // 2025.07.22
+        ) {
+            $CIDRAM['Reporter']->report([15, 16, 21], ['Caught probing for ' . $Exploit . ' vulnerability.'], $CIDRAM['BlockInfo']['IPAddr']);
+        }
+
         /** Probing for exposed Git data. */
         if ($Trigger(preg_match('~\.git(?:config)?(?:$|\W)~', $LCNrURI), 'Probing for exposed Git data')) {
             $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed Git data.'], $CIDRAM['BlockInfo']['IPAddr']);
@@ -381,10 +388,7 @@
         $Trigger(strpos($CIDRAM['BlockInfo']['Query'], ',\'\',') !== false, 'Bad query'); // 2017.02.25
 
         $Trigger(preg_match('/(?<![a-z])id=.*(?:benchmark\\(|id[xy]=|sleep\\()/', $QueryNoSpace), 'Query SQLi'); // 2017.03.01 mod 2023.11.10
-        $Trigger(preg_match(
-            '~(?:from|union|where).*select|then.*else|(?:o[nr]|where).*isnull|(?:inner|left|outer|right)join~',
-            $QueryNoSpace
-        ), 'Query SQLi'); // 2017.03.01 mod 2023.08.30
+        $Trigger(preg_match('~(?:from|union|where).*select|then.*else|(?:o[nr]|where).*isnull|(?:inner|left|outer|right)join~', $QueryNoSpace), 'Query SQLi'); // 2017.03.01 mod 2023.08.30
 
         $Trigger(preg_match('/cpis_.*i0seclab@intermal\.com/', $QueryNoSpace), 'Hack attempt'); // 2018.02.20
         $Trigger(preg_match('/^(?:3x=3x|of=1&a=1)/i', $CIDRAM['BlockInfo']['Query']), 'Hack attempt'); // 2023.07.13 mod 2023.09.02

modules/module_refspam.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Referrer spam module (last modified: 2023.12.01).
+ * This file: Referrer spam module (last modified: 2025.07.24).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -218,6 +218,10 @@
         ], $CIDRAM['BlockInfo']['IPAddr']);
     } // 2023.06.16
 
+    if ($Trigger(preg_match('~//blog//wp-login\.php$~i', $CIDRAM['BlockInfo']['Referrer']), 'Hack attempt via referrer header injection detected')) {
+        $CIDRAM['Reporter']->report([10, 15, 21], ['Hack attempt via referrer header injection detected.'], $CIDRAM['BlockInfo']['IPAddr']);
+    } // 2025.07.24
+
     $Trigger($RefLC === '(null)', 'Illegal referrer'); // 2018.03.13
 };
 

modules/modules.dat

@@ -203,7 +203,7 @@ module_bgpview.php:
 module_botua.php:
  Name: "Bot user agents module"
  False Positive Risk: "Medium"
- Version: "2025.201.0"
+ Version: "2025.204.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -215,7 +215,7 @@ module_botua.php:
   To:
    - "module_botua.php"
   Checksum:
-   - "eea3ad338f778c90d7fae205d3b61c154c9c6ba7c2f4000a61e282980cd2e395:26815"
+   - "976c8e99a4ea64732c84908e6da706c08af399d780058777fc8b37c6065af8f0:27204"
  Used with: "modules"
  Reannotate: "modules.dat"
 module_cookies.php:
@@ -239,7 +239,7 @@ module_cookies.php:
 module_extras.php:
  Name: "Optional security extras module"
  False Positive Risk: "Medium"
- Version: "2025.201.0"
+ Version: "2025.204.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -254,7 +254,7 @@ module_extras.php:
    - "module_extras.php"
    - "module_extras.yaml"
   Checksum:
-   - "f2f2aa2c6d55815f4dbc54d4afec1244485b5c1b2a477dc9f6bbde1950ce08a1:37153"
+   - "baac683d8d17fd1aebf277177948eca962b9bb04aeb466d217220dc0dc77c4b9:37564"
    - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890"
  Used with: "modules"
  Reannotate: "modules.dat"
@@ -305,7 +305,7 @@ module_projecthoneypot.php:
 module_refspam.php:
  Name: "Referrer spam module"
  False Positive Risk: "Medium"
- Version: "2023.334.0"
+ Version: "2025.204.0"
  Dependencies:
   PHP: "^7.1|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -318,7 +318,7 @@ module_refspam.php:
   To:
    - "module_refspam.php"
   Checksum:
-   - "f4fa6f28a692edd2204774982a08e3a9ce9e4f83cf4ec0508e9fa2bc414735b8:13394"
+   - "272163903124f9dcc799fe98c0eeaa591815507b54327a741a77a9c631b222c9:13371"
  Used with: "modules"
  Reannotate: "modules.dat"
 module_sfs.php:

modules/modules.yml

@@ -53,11 +53,11 @@ PHPMailer:
 Referrer spam module:
  Name: "Referrer spam module"
  False Positive Risk: "Medium"
- Version: "2025.197.0"
+ Version: "2025.204.0"
  Dependencies:
   intl: "*"
  Files:
   modules/refspam.php:
    From: "https://raw.githubusercontent.com/CIDRAM/CIDRAM-Extras/master/modules/refspam.php"
-   Checksum: "00922342042389bf9e19eee0ae67b957ed46e08d272a5d54c09b101c3275cbf5:12899"
+   Checksum: "85684e22c718ed4e6878b4d02f6ea4ff86eff1a47d1bdce818c0124bee488d73:13205"
    Used with: "modules"

modules/refspam.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Referrer spam module (last modified: 2025.07.17).
+ * This file: Referrer spam module (last modified: 2025.07.24).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -210,6 +210,10 @@
         ], $this->BlockInfo['IPAddr']);
     } // 2023.06.16
 
+    if ($this->trigger(preg_match('~//blog//wp-login\.php$~i', $this->BlockInfo['Referrer']), 'Hack attempt via referrer header injection detected')) {
+        $this->Reporter->report([10, 15, 21], ['Hack attempt via referrer header injection detected.'], $this->BlockInfo['IPAddr']);
+    } // 2025.07.24
+
     $this->trigger($RefLC === '(null)', 'Illegal referrer'); // 2018.03.13
 };