Jili888 app.Enjoy Free 888+200 Daily Legal Bonus

Resolved itsmir
(@itsmir)

3 months, 2 weeks ago

Hello,

Using Modern Events Calendar Pro v7.12.1
WFence v7.11.7

Front end form submision fails when submitted by a logged in user (apart from admin) and WordFence is activated. Deactiavating WordFence fixes issue.

I see this was an issue for v7.11 (https://www.wordfence.com/threat-intel/vulnerabilities/detail/modern-events-calendar-7110-authenticated-subscriber-arbitrary-file-upload) however I’m using the updated plugin and still having issues.

Please advise!
Thanks

Viewing 7 replies - 1 through 7 (of 7 total)

Thread Starter itsmir
(@itsmir)

3 months, 2 weeks ago

Note: I updated the Modern Events Calendar v7.13 and still cannot submit events via the front end form.

Plugin Support wfmargaret
(@wfmargaret)

3 months, 2 weeks ago

Hi @itsmir,

Thanks for reaching out. Sometimes, WordPress plugins or themes may exhibit behavior that resembles known attack patterns which results in the Wordfence Firewall blocking something that is not malicious. This can be resolved by adding the parameter to the firewall or switching the firewall to Learning Mode to eliminate the false positives.

First, please check for any blocked actions from a user who attempted to submit a form. Check for requests from their IP address under Wordfence > Tools > Live Traffic.? Click on the entry or eye icon to expand it and see if you are presented with an “Add Param to Firewall Allowlist” button. Clicking this should allow the blocked actions in the future.

If you don’t see any blocks, try to use Learning Mode instead. From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now proceed to have a non-administrator submit a form. This will help Wordfence learn that these actions are normal and it will allow them in the future. After they have finished, switch the WAF from Learning Mode back to Enabled and Protecting then test again.

https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.

Let us know how it goes!

Thanks,
Margaret

Thread Starter itsmir
(@itsmir)

3 months, 2 weeks ago

I found that the if a user role is author or better it works. My user was a “collaborater” , changing their role to author fixed it for me.

Thanks for the info – will keep a note of it ??

franklinfourdesign
(@franklinfourdesign)

3 months, 1 week ago

Hello, unfortunately the error regarding the upload of images when submitting events with the Frontend Submission FES addon from MEC (Webnus) still exists. Apart from a user with the Admin role, it is not possible for anyone to submit event data AND an image. No matter if author or editor: the image upload is blocked. It is only possible in deactivated WordFence mode. Switching to learning mode does not help in the long term either: we left the mode activated for several days and uploaded events ourselves or via our customers. As soon as we switch back to ENABLED AND PROTECTING mode, the upload is blocked by the image.
Thread Starter itsmir
(@itsmir)

3 months, 1 week ago
After seeing your reply @franklinfourdesign I re-tested our site – and yes the problem was back. So have removed the resolved tag from this thread.

I found the denied entry in the WF log (see https://drive.google.com/file/d/1bLRup37_b0uAmyOAEw6Q74fsQrqWflfM/view?usp=drive_link), tapped Add Param to Firewall Allowlist and it now works. Tested at a few different IP’s/browsers and all working.

The only issue is now the image upload can take 20+ seconds which may lead to the end user abandoning the submission. This doesn’t happen for admin users.

I will test again in a day or so as we don’t have a live system yet to see if all still working.
- This reply was modified 3 months, 1 week ago by itsmir.
franklinfourdesign
(@franklinfourdesign)

3 months, 1 week ago
Hello Itsmir.
Thank you for your feedback. We’ve just seen your tip and followed your lead. It seems to be working. I’m curious to see how long it lasts. We have been working with the Pro version of MEC for 3 years now and with various add-ons to manage up to 2,500 events. And more than 130 customers submit events via FES. Unfortunately, the plugin is always causing stress and is not very reliable. Do you have experience with other event management tools that work better? This is our current site: https://www.kulturgehtweiter.de
- This reply was modified 3 months, 1 week ago by franklinfourdesign.
Plugin Support wfmargaret
(@wfmargaret)

3 months, 1 week ago

Hi @itsmir and @franklinfourdesign,

Thanks for following up with us! I’m glad to hear that Add Param to Firewall Allowlist helped. If you’re using a patched version of Modern Events Calendar, you might try disabling the firewall rule and then testing the upload speeds. You can view the known vulnerabilities on Modern Events Calendar here: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/modern-events-calendar

To disable the specific rule in your screenshot, go to Wordfence > Firewall > All Firewall Options > Advanced Firewall Options > Rules and click Show All Rules. Then, locate the file_upload type rule named Modern Events Calendar <= 7.10.0 – Authenticated (Subscriber+) Arbitrary File Upload and disable it.

If you notice an improvement in the upload speed, it is safe to leave this rule disabled as long as you’re running the updated version of the plugin. If you don’t notice any improvements though, I recommend re-enabling the rule.

Let me know how it goes!

Thanks,
Margaret