[{"key":"env_leak","severity":"critical","label":"Env File Exfiltration","description":"Attempt to download .env, .environment, or webroot configuration files containing API keys, database credentials, and secrets. Extremely common automated attack.","count":6830},{"key":"xmlrpc_exploit","severity":"critical","label":"XMLRPC Exploit","description":"Active exploitation of the WordPress XML-RPC interface (xmlrpc.php). Used for brute-force amplification, pingback DDoS, and remote code execution on unpatched instances.","cve":"CVE-2020-28032","count":5953},{"key":"env_exposure","severity":"critical","label":"Environment Exposure","description":"Broad probe for exposed environment configuration — .env variants, docker-compose files, and similar configuration that contains plaintext credentials.","count":740},{"key":"wordpress_credential","severity":"critical","label":"WordPress Credential Attack","description":"Brute-force or credential-stuffing attack targeting WordPress login. Uses leaked username/password lists against wp-login.php.","count":670},{"key":"phpunit_rce","severity":"critical","label":"PHPUnit RCE","description":"Remote code execution via a known vulnerability in PHPUnit's eval-stdin.php (vendor/phpunit). Any server exposing this file on an unpatched PHPUnit version should be treated as compromised.","cve":"CVE-2017-9841","count":193},{"key":"webshell","severity":"critical","label":"Web Shell","description":"Upload or execution attempt for a web shell (cmd.php, shell.php, c99.php). 
Indicates a post-exploitation attempt to establish persistent server access.","cve":"CVE-2021-44228","count":23},{"key":"credential_exfil","severity":"critical","label":"Credential Exfiltration","description":"Targeted retrieval of payment processor credentials, Stripe configuration, or other financial API keys from exposed config files.","count":6},{"key":"wordpress_scan","severity":"high","label":"WordPress Scan","description":"Automated enumeration of WordPress installation paths — wp-admin, wp-login, wp-cron, setup-config.php — to identify exploitable WordPress sites and versions.","count":25200},{"key":"wordpress_admin","severity":"high","label":"WordPress Admin Probe","description":"Targeted probe of the WordPress admin dashboard (wp-admin/) using credential lists or known exploits. Precursor to site takeover.","count":2979},{"key":"git_exposure","severity":"high","label":"Git Repository Exposure","description":"Attempt to access .git/ directory or specific git objects to reconstruct source code, history, and embedded secrets from misconfigured web servers.","count":1321},{"key":"backup_exfil","severity":"high","label":"Backup File Exfiltration","description":"Attempt to download backup archives (.sql, .zip, .tar, backup.sql) left accessible on the web root — a common misconfiguration that exposes full database dumps.","count":189},{"key":"laravel_scan","severity":"high","label":"Laravel Framework Scan","description":"Probe for Laravel-specific endpoints: /telescope (debug UI), /horizon (queue monitor). These often expose internal queue data and application state.","count":161},{"key":"db_admin_scan","severity":"high","label":"DB Admin Panel Probe","description":"Attempt to access phpMyAdmin, Adminer, or similar database management interfaces. 
Successful access gives full database read/write without application-layer controls.","count":134},{"key":"spring_actuator","severity":"high","label":"Spring Actuator Probe","description":"Probe for exposed Spring Boot actuator endpoints (/actuator/env, /actuator/heapdump) that leak configuration, credentials, and heap memory.","cve":"CVE-2022-22965","count":74},{"key":"jenkins_probe","severity":"high","label":"Jenkins CI Probe","description":"Probe for exposed Jenkins CI/CD dashboards that allow arbitrary code execution on build agents and access to deployment credentials.","count":21},{"key":"adminer_probe","severity":"high","label":"Adminer DB Probe","description":"Targeted probe for the Adminer single-file database management tool. Adminer has a history of file disclosure vulnerabilities.","cve":"CVE-2021-21311","count":4},{"key":"wordpress_xmrpc","severity":"high","label":"WordPress XML-RPC","description":"Abuse of the WordPress XML-RPC interface to perform brute-force login attempts, credential stuffing, or amplification attacks. 
Often disabled in hardened setups.","count":0},{"key":"cache_exfil","severity":"high","label":"Cache File Exfiltration","description":"Probe for cached PHP files in /tmp or /var/cache that may contain serialized session data, credentials, or compiled templates.","count":0},{"key":"wordpress_content","severity":"medium","label":"WordPress Content Probe","description":"Probe of wp-content/ directory for exposed plugins, themes, or uploaded files that may contain credentials or exploitable code.","count":653},{"key":"phpinfo_probe","severity":"medium","label":"PHPInfo Disclosure","description":"Access to phpinfo.php or equivalent scripts that disclose PHP configuration, loaded modules, server paths, and environment variables.","count":427},{"key":"wordpress_includes","severity":"medium","label":"WordPress Core Scan","description":"Enumeration of wp-includes/ core files to fingerprint the WordPress version for targeted vulnerability matching.","count":266},{"key":"solr_probe","severity":"medium","label":"Apache Solr Probe","description":"Probe for exposed Apache Solr admin interfaces that allow arbitrary queries, data exfiltration, and in some versions remote code execution.","cve":"CVE-2019-17558","count":9},{"key":"generic_probe","severity":"low","label":"Generic Web Probe","description":"Automated scan for common web vulnerabilities not classified into a specific category. 
Often part of a broader vulnerability sweep.","count":1061},{"key":"wordpress_xmlrpc","label":"wordpress xmlrpc","description":"Automated web vulnerability probe.","severity":"medium","count":3097},{"key":"good_bot_honeypot","label":"good bot honeypot","description":"Automated web vulnerability probe.","severity":"medium","count":64},{"key":"wordpress_config","label":"wordpress config","description":"Automated web vulnerability probe.","severity":"medium","count":12},{"key":"phpmyadmin_probe","label":"phpmyadmin probe","description":"Automated web vulnerability probe.","severity":"medium","count":2},{"key":"webshell_upload","label":"webshell upload","description":"Automated web vulnerability probe.","severity":"medium","count":1}]