recaptcha validation bypassed for AJAX requests

  • Resolved wtarie

    (@wtarie)


    1 year, 4 months ago

    As the title states, validation is entirely bypassed if the request is made via an AJAX call.

    This exact issue was raised by Arlind here, 1 year ago: https://ww.wp.xz.cn/support/topic/bypassed-validation-via-admin-ajax-php/

    For anyone attempting to validate a form via an AJAX POST call, the validation is entirely bypassed due to the first few lines of gglcptch_is_recaptcha_required:

    if ( wp_is_json_request() ) {
        return false;
    }

    The above check sees the JSON header that AJAX appends to the request and then the reCAPTCHA validation that this plugin provides is entirely skipped on that grounds alone. That means that gglcptch_verify_recaptcha returns true despite no validation check being done, even when the user should not reasonably be able to submit the form.

    I have set up my form to be validated using a POST request via AJAX, returning the correct redirect url (only if reCAPTCHA is validated) and submitting the form accordingly. This is not an uncommon use case to prevent form submission/page refresh prior to reCAPTCHA validation. I would recommend removing the above JSON request bypass entirely. If, however, it is included in your plugin for a good reason then I would recommend you make this bypass very clear to users of your plugin, lest they be unaware their reCAPTCHA via AJAX is silently being bypassed.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support andrewsupport

    (@andrewsupport)

    1 year, 4 months ago

    To solve this issue, replace the following code:

    if ( wp_is_json_request() ) {
    return false;
    }

    with this:

    $json_actions = apply_filters( 'gglcptch_required_json_actions', array() );

    if ( wp_is_json_request() ) {
    if ( ! empty( $json_actions ) ) {
    foreach( $json_actions as $request_key => $request_value ) {
    if ( isset( $_REQUEST[ $request_key ] ) && $request_value === sanitize_text_field( wp_unslash( $_REQUEST[ $request_key ] ) ) ) {
    return true;
    }
    }
    }
    return false;
    }

    Additionally you need to add the following code. Since the free version doesn’t support custom code, you should add this in your theme’s functions:

    add_filter( 'gglcptch_required_json_actions', 'gglcptch_custom_actions' );
    function gglcptch_custom_actions( $actions ){
    $actions = array_merge( $actions, array( 'REQUEST_ELEMENT_NAME' => 'REQUEST_ELEMENT_VALUE' ) );
    return $actions;
    }

    For example, in the case of:

    {
    "action": "custom-subscribe-form",
    "form[name]": "email",
    "form[value]": "test",
    "form[recaptcha]": "g-recaptcha-response",
    "form[recaptcha_value]": "03AFcWeA7dHWB84iDKTuUl77_z24ygqD2pOFN…"
    }

    You would add:

    $actions = array_merge( $actions, array( 'action' => 'custom-subscribe-form' ) );

    Please let us know the results, as we don’t have the ability to test this by ourselfs. If it doesn’t work, you may need to apply json_decode( $_REQUEST ) before the check.

    Thank you.

    Plugin Support andrewsupport

    (@andrewsupport)

    1 year, 1 month ago

    Hi,

    Since there is no reply from you, we consider this topic as resolved. We hope you’ve found the solution. Have a nice day.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘recaptcha validation bypassed for AJAX requests’ is closed to new replies.