Forum Replies Created

Viewing 1 replies (of 1 total)
  • Thread Starter aucwebm

    (@aucwebm)

    I’ve found the root cause using AI in the file class-rsvp-helper.php. Here is the output of the analysis:
    The real bug is this line in the constructor:

    add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
    add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
    add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );

    Why this is fatal:

    admin_init runs on:

    • ✅ wp-admin pages
    • admin-ajax.php
    • login / 2FA AJAX calls

    But those functions start with:

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions...' );
    }

    👉 During Wordfence 2FA, the user:

    • is not fully authenticated yet
    • has no capabilities
    • AJAX runs under admin context

    ➡️ Result:

    • RSVP kills the request
    • Wordfence 2FA never completes
    • Login fails

    Root cause confirmed.

    ✅ Correct fix (clean, safe, minimal)

    You must prevent these admin_init hooks from running during AJAX.

    Edit class-rsvp-helper.php
    Wrap the three admin_init handlers with an AJAX guard. 🔧 Replace this:

    add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
    add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
    add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );

    ✅ With this:

    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
        add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
        add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );
    }

    ✅ Why this fix is correct

    • ✅ RSVP admin functionality still works
    • ✅ Bulk delete / export still protected
    • ✅ Wordfence 2FA AJAX is untouched
    • ✅ No security regression
    • ✅ No behavior change for normal admins

    This is exactly how modern plugins should scope admin_init logic.

    Alternative (slightly more verbose, also correct)

    Instead of guarding the hooks, guard inside each function:

    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return;
    }

    Add at the top of:

    • bulk_delete_attendees()
    • bulk_delete_questions()
    • rsvp_admin_export()

    But the hook-level fix above is cleaner.

    How to verify:

    1. Apply patch
    2. Enable RSVP plugin
    3. Enable Wordfence 2FA
    4. Open DevTools → Network
    5. Login

    admin-ajax.php returns 200
    ✅ No permission error
    ✅ 2FA screen appears
    ✅ Login succeeds

    Can you please confirm that using the correct fix above (wrapping the three admin_init handlers with an AJAX guard) doesn’t break the RSVP plugin? Thanks for your support.
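The pattern the post describes, as an added example that is not the RSVP plugin's code nor part of the original post: an admin handler class that applies the hook-level `DOING_AJAX` guard from the post and, going one step further than the post, makes each handler return early unless the current request actually asked for that operation, so the capability check (and `wp_die`) can only trigger on a real bulk-delete or export attempt. The hook names and the `manage_options` capability come from the post; the class name, the `example_rsvp_action` request parameter, the nonce action names and the text domain are hypothetical.

```php
<?php
/**
 * Added example (not the RSVP plugin's or the poster's code).
 * Scopes admin_init handlers so that admin-ajax.php requests, including
 * login/2FA AJAX calls that run before the user has any capabilities,
 * never reach a wp_die() in these handlers.
 */
class Example_RSVP_Admin_Actions {

    public function __construct() {
        // Hook-level guard from the post: admin_init also fires for
        // admin-ajax.php, so do not register the handlers on AJAX requests.
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
            return;
        }
        add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
        add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
        add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );
    }

    /**
     * True only when the current request explicitly asks for $action.
     * The parameter name is hypothetical; adapt it to the plugin's own form.
     */
    private function is_request_for( $action ) {
        return isset( $_REQUEST['example_rsvp_action'] )
            && $_REQUEST['example_rsvp_action'] === $action;
    }

    /**
     * Shared gate: exit silently for unrelated requests, then verify the
     * nonce and the capability only for a request that targets this action.
     * Returns true when the caller may proceed.
     */
    private function authorize( $action, $nonce_action ) {
        if ( ! $this->is_request_for( $action ) ) {
            return false; // ordinary wp-admin page load: nothing to do
        }
        check_admin_referer( $nonce_action ); // dies on a missing/invalid nonce
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You do not have sufficient permissions to do this.', 'example-rsvp' ) );
        }
        return true;
    }

    public function bulk_delete_attendees() {
        if ( ! $this->authorize( 'bulk_delete_attendees', 'example_rsvp_bulk_delete_attendees' ) ) {
            return;
        }
        // ... delete the selected attendees here ...
    }

    public function bulk_delete_questions() {
        if ( ! $this->authorize( 'bulk_delete_questions', 'example_rsvp_bulk_delete_questions' ) ) {
            return;
        }
        // ... delete the selected questions here ...
    }

    public function rsvp_admin_export() {
        if ( ! $this->authorize( 'export', 'example_rsvp_export' ) ) {
            return;
        }
        // ... stream the export file here ...
    }
}

new Example_RSVP_Admin_Actions();
```

With this shape, a non-privileged request that merely loads wp-admin or admin-ajax.php passes through the handlers untouched; the nonce and capability checks are only evaluated when the request names the privileged action, which keeps the protection the post relies on while removing the unconditional `wp_die()` on every `admin_init`.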
