• Resolved keeker

    (@keeker)


    I noticed in the network traffic that the entire page_data object is being passed via POST data when submitting the AJAX form. Is this intentional? If so, why is it necessary?

    The only reason I investigated is because WordFence is complaining about the POST data being potentially an XSS risk since it has non-formatting tags in it that can trigger fetching data (like <img>, etc.). Since WordFence responds with a 403, the form breaks in a pretty unhelpful way leaving the user stuck wondering if their request worked (and it didn’t).

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor yikesitskevin

    (@yikesitskevin)

    Hi @keeker,

    This is intentional and is related to the way we do our redirects. We can add a filter so you can disable this. If you’re not using redirects, it will not affect your submissions.

    Will that work?

    I’ll let you know when that’s available.

    Cheers,
    Kevin.

    Thread Starter keeker

    (@keeker)

    That sounds great! Thanks for the update/response!

    Plugin Contributor yikesitskevin

    (@yikesitskevin)

    Hi @keeker,

    We’ve just released a new version of the plugin – 6.3.29.

    Once you’ve downloaded that, you can add the following filter function to remove the page data:

    // Remove page data from the POST request
    add_filter( 'yikes-mailchimp-page-data', '__return_false' );

    Are you familiar with adding filter functions in WordPress?

    Let me know if you need any help!

    Cheers,
    Kevin.
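For readers unfamiliar with adding filter functions, the following is an added example (not part of the plugin or this thread) of placing the filter above in a must-use plugin so it survives theme updates; the file path and option name are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Disable Easy Forms for Mailchimp page data
 * Description: Stops the page_data object from being sent with AJAX form submissions
 *              so that a WAF rule matching HTML tags in POST data does not block them.
 *
 * Assumed location: wp-content/mu-plugins/disable-mailchimp-page-data.php
 * (mu-plugins load automatically and do not need activation).
 */

// Do nothing if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Decide whether page data should be stripped from the request.
 *
 * Returning false from the 'yikes-mailchimp-page-data' filter removes the page
 * data. The option check is a hypothetical toggle so the behaviour can be
 * switched back on (for example, if redirects are enabled later) without
 * editing this file; by default the page data is removed.
 *
 * @param mixed $page_data The page data the plugin would send.
 * @return mixed|false False to remove the page data, otherwise the original value.
 */
function example_maybe_disable_mailchimp_page_data( $page_data ) {
    // Hypothetical option name; true means "keep the plugin's default behaviour".
    $keep_page_data = (bool) get_option( 'example_keep_mailchimp_page_data', false );

    if ( $keep_page_data ) {
        return $page_data;
    }

    return false;
}

// Priority 10 and one accepted argument, matching the __return_false usage above.
add_filter( 'yikes-mailchimp-page-data', 'example_maybe_disable_mailchimp_page_data', 10, 1 );
```

After adding the file, submit a form while watching the request in the browser's network tab to confirm the page_data field is no longer present in the POST body.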


The topic ‘WordFence XSS’ is closed to new replies.