What is Security Exposure?
Web applications, by design, have their own vulnerabilities, which should be mitigated either by fixing them or by preventing them with a WAF (web application firewall). WAFs are the Swiss Army knife for detecting and preventing vulnerabilities. However, a WAF itself may or may not have the mitigations necessary to fix a given vulnerability.
When a WAF (or any other security product) doesn’t have the necessary tools to fix or mitigate an attack, the WAF is said to have a “security exposure”, since it can’t protect against the relevant attack. This is not a vulnerability, since it doesn’t compromise the WAF; it does compromise the app that owns the vulnerability.