Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @digitallion,

    Topics are generally closed after around 7 days of inactivity but the www.remarpro.com forums also have a cut-off point where no further replies can be made to “resurrect” a topic, so thanks for creating this and linking me back to the other.

    I haven’t received any emails containing your forum username yet, although if there are any other keywords I should be looking for, please let me know. If you’d prefer to keep that information private, please send another email containing “digitallion” in the subject along with the instructions for me to find the emails you’ve already sent.

    Let me know here when everything’s been sent and I’ll take another look!

    Peter.

    Thread Starter Ryan

    (@digitallion)

    Ok, I’ve sent another email. Please confirm you received it. The last email didn’t use my forum username as the ONLY word in the subject, but it was in there. The email I just sent uses only my username.

    Thread Starter Ryan

    (@digitallion)

    Hi, I haven’t heard back from you.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @digitallion, thank you for sending the email over to us to show the screen you are presented with for this plugin.

    If you are unable to permanently prevent the issue using the “I am certain this is a false positive” checkbox on the blocking page and leaving Learning Mode just returns to blocking the actions, we have seen issues in the past with dynamic URLs but there may be some action we can take.

    Is uploading a file part of the activity when updating through FPD? You can manually take action if so, as there are usually 3 possible rules involved. “Malicious File Upload”, “Malicious File Upload (PHP)”, or “Malicious File Upload (Patterns)”. These rules can be found in Wordfence > All Options > Firewall Options > Advanced Firewall Options > Rules, after expanding the list. There are layers to how uploaded files are checked, so having to turn one of these rules off to fix your issue should still ensure malicious files are caught at a different stage of the checking process.

    If you’re not uploading files when Wordfence blocks FPD, I would expect these blocks and the reason for them to show in your Live Traffic feed. You could try checking this immediately after attempting another blocked request, just to see whether you’re able to click on the Live Traffic entry to expand it for me. Could you take a screenshot of the reason Wordfence is giving for the block (usually in red text) and share it here using a site like Snipboard? You can obscure any other information like your domain name or IP addresses so long as I can see the block reason being given.

    Thanks,
    Peter.

    Thread Starter Ryan

    (@digitallion)

    Hey, did you make a change on the staging server to help it begin working?

    Thread Starter Ryan

    (@digitallion)

    Actually, it’s still not working. I think it depends on the product. Perhaps the whitelist only applies to a particular product, so new products that haven’t been whitelisted don’t work. A file upload is not necessary. Check out this message I got in live traffic:

    **** left **** and was blocked by firewall for XSS: Cross Site Scripting in POST body: fpd_print_order=%7B%22used_fonts%22%3A%5B%5D%2C%22svg_data%22%3A%5B%7B%22svg%22%3A%22%3C!–%3Fxml%20version%3D%5C%22… at ****

    Try with the round hardboard keychain.

    I expect the values after the = are different for every product and for certain things people design themselves within each product, so how can this be allowed safely?

    Thread Starter Ryan

    (@digitallion)

    Check the allowlisted URLs to see what’s in there as I think it may be helpful to you. Perhaps there is a way to safely apply it to all product URLs?

    • This reply was modified 2 years, 2 months ago by Ryan.
    Thread Starter Ryan

    (@digitallion)

    Here is another block for a different product:

    …. and was blocked by firewall for XSS: Cross Site Scripting in POST body: fpd_print_order=%7B%22used_fonts%22%3A%5B%7B%22name%22%3A%22Pacifico%22%2C%22url%22%3A%22google%22%7D%5D%2C%22svg_da… at *****
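Added example, not part of the thread and not Wordfence or FPD code: the two Live Traffic entries show `fpd_print_order` as URL-encoded JSON whose `svg_data[].svg` field carries SVG markup, so its value differs per product and per design. The sketch below decodes such a body and checks the SVG by structure instead of by value. The field layout is inferred from the truncated log lines; the element allowlist, the sample bodies and all function names are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode

# Assumed allowlist of drawing elements; adjust to what the designer really emits.
ALLOWED_TAGS = {"svg", "g", "defs", "path", "rect", "circle", "ellipse", "line",
                "polygon", "polyline", "text", "tspan", "image"}

def make_body(order):
    """Encode a constructed order the way the logged POST body is encoded."""
    compact = json.dumps(order, separators=(",", ":"))
    return urlencode({"fpd_print_order": compact}, quote_via=quote)

def svg_problems(svg_text):
    """Return reasons to reject one SVG string; an empty list means it passed."""
    if "<!DOCTYPE" in svg_text.upper():        # no DTD, so no entity expansion
        return ["DOCTYPE not allowed"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the {namespace} prefix
        if tag not in ALLOWED_TAGS:
            problems.append(f"element <{tag}> not allowed")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                problems.append(f"event handler attribute {attr} on <{tag}>")
            elif attr == "href" and not value.strip().lower().startswith(("#", "https://")):
                problems.append(f"href target not allowed on <{tag}>")
    return problems

def check_order(body):
    """Decode fpd_print_order from a form body and validate every svg_data entry."""
    raw = parse_qs(body, strict_parsing=True)["fpd_print_order"][0]
    order = json.loads(raw)
    return [p for item in order["svg_data"] for p in svg_problems(item["svg"])]

# Constructed samples (not captured traffic): one plain design, one carrying script.
GOOD = make_body({"used_fonts": [], "svg_data": [{"svg":
    '<!--?xml version="1.0"?--><svg xmlns="http://www.w3.org/2000/svg">'
    '<text font-family="Pacifico">Hi</text></svg>'}]})
BAD = make_body({"used_fonts": [], "svg_data": [{"svg":
    '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'}]})

if __name__ == "__main__":
    print(check_order(GOOD), check_order(BAD))
```

Because the check looks at element and attribute names rather than the encoded value, the same rule covers every product. For untrusted input in production, a hardened XML parser such as defusedxml is the safer choice than the standard-library parser used here.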

  • The topic ‘WordFence and FPD unwhitelistable “potentially unsafe operation…”’ is closed to new replies.