• VaDims

    (@vadims00)


    Hey!

    We are getting blocks by the firewall for Ninja Forms <= 3.5.7 – Unprotected REST-API to Sensitive Information Disclosure even though the installed version of the plugin Ninja Forms is 3.8.0. The blocks show up when a user with editor permissions, who was granted the required permissions, tries to access or download the form submissions.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @vadims00,

    This can be resolved by manually disabling a firewall rule. “Ninja Forms <= 3.5.7 – Unprotected REST-API to Sensitive Information Disclosure” can be found in Wordfence > All Options > Firewall Options > Advanced Firewall Options > Rules, after expanding the list.

    This has been placed here for our customers’ protection against a known issue that could be exploited in that older version, so as you’re already up-to-date, it should be safe to disable. There are layers to how uploaded files are checked, so having to turn this particular rule off should still ensure malicious files are caught at a different stage of the checking process.

    Thanks,
    Peter.

    Thread Starter VaDims

    (@vadims00)

    Hi Peter
    Thank you for your prompt reply!

    I’ve whitelisted two URLs that the rule is blocking, and both access and download of the form submissions are working fine now. I can’t remember where, but I came across some guidelines some time ago that were suggesting to whitelist all necessary URLs instead of completely disabling a firewall rule. Is this still a better solution?

    Thanks again!

  • The topic ‘Rule blocks Ninja Forms <= 3.5.7 when newer version is installed’ is closed to new replies.