Forum Replies Created

Viewing 11 replies - 1 through 11 (of 11 total)
  • Thread Starter boriskrielen

    (@boriskrielen)

    Hi Kevin,

    Thank you for the help! Much appreciated. Here’s the raw data you mentioned:

    id => 205
    module => site-scanner
    type => critical-issue
    code => vulnerable-software
    timestamp => 2024-10-21 20:47:27
    init_timestamp => 2024-10-21 20:47:17
    remote_ip => 2a06:2ec0:1::130
    user_id => [empty string]
    url => wp-cron
    memory_current => 92499368
    memory_peak => 92574336
    data => Array
    results => Array
    url => https://www.vasaprevia.nl
    version => 1.1
    entries => Array
    blacklist => Array
    0 => Array
    report_details => https://transparencyreport.google.com/safe-browsing/search?url=www.vasaprevia.nl
    status => clean
    vendor => Array
    slug => google
    label => Google Safe Browsing
    vulnerabilities => Array
    0 => Array
    type => plugin
    software => Array
    slug => responsive-lightbox
    label => Responsive Lightbox
    latest_version => null
    issues => Array
    0 => Array
    title => WordPress Responsive Lightbox & Gallery plugin <= 2.4.8 - Cross Site Scripting (XSS) vulnerability
    description => Cross Site Scripting (XSS) vulnerability discovered by Robert DeVore (Patchstack Alliance) in WordPress Plugin Responsive Lightbox (versions <= 2.4.8)
    affected_in => <= 2.4.8
    fixed_in => [empty string]
    references => Array
    0 => Array
    slug => patchstack
    label => PatchStack
    refs => Array( 1 )
    1 => Array
    slug => cve
    label => CVE
    refs => Array( 1 )
    type => Array
    label => Cross Site Scripting (XSS)
    slug => [empty string]
    id => ps-21549
    created_at => 2024-10-15T10:14:13+00:00
    updated_at => 2024-10-15T10:14:13+00:00
    published_at => 2024-10-15T10:13:55+00:00
    score => [double] 5.9
    score_group => [empty string]
    score_vector => [empty string]
    is_exploited => [boolean] false
    patched_in_ranges => Array()
    patch_priority => [integer] 1
    link => https://itsec-site-scanner.ithemes.com/vulnerability-…%253D
    errors => Array()
    cached => [boolean] false

    I use this Responsive Lightbox & Gallery plugin on several sites and Solid Security doesn’t list it as a vulnerability on those sites.

    The URL of the website = https://www.vasaprevia.nl

    Also I just noticed that I cannot use any of the Solid Security tools like “Change WordPress salts” etc. They all give a red warning “Cookie check failed”.

    I’ll do the other checks ASAP. Thanks again for your help!

    Best regards, Alex

    My webshop encountered the same 9.0.0 update critical error as countless others. The mentioned current workaround for the issues with the legacy API, “installing the update manually through the plugin’s zip file”, doesn’t work. The plugin won’t upload, even after I changed the maximum file size for uploads. Also, WooCommerce keeps updating automatically daily, even though it is set not to. So I need to roll back daily as well. When is a bug fix expected?

    Thread Starter boriskrielen

    (@boriskrielen)

    As the issue is resolved, I’ll close this thread.

    Thread Starter boriskrielen

    (@boriskrielen)

    Hi Rick,

    OK, that really helped! I switched to the 2020 theme and then the donation form worked fine. I found an old function in the used child-theme that caused the problem, preventing non-logged-in or non-admin users access to the wp-admin area.

    Many thanks for your patience and expertise, also from this charitable foundation I’ve been helping.

    Best regards, Boris

    Thread Starter boriskrielen

    (@boriskrielen)

    Update:

    I’ve deleted everything and installed the Give WP plugin again. New donation form is located at: https://www.vasaprevia.nl/donations/2417/. Unfortunately the problem is still there, unchanged.

    Also deactivated all plugins, but that didn’t make any change either.

    I installed the Give WP plugin on my own website, which is hosted by the same webhost. It was working without any problem within 10 minutes.

    Thread Starter boriskrielen

    (@boriskrielen)

    After further testing:

    – There’s no plugin or WordPress setting that affects logged out users. This is a simple WordPress site with just a few standard plugins and no special customization.

    – I disabled the_content filter. This has no effect.

    – I switched to the Legacy form template, as well as the other template. This has no effect on the issue.

    The problem seems to be purely in the content that is loaded when a different payment gateway on the form is selected. When logged in, this content shows as it’s supposed to, but when logged out this content cannot be found. Instead the homepage is shown in the iframe (or a white page). As if that content page with the payment information isn’t published and therefore can’t be shown to logged-out users, and instead the page redirects to the homepage (or white page).

    I read in the Give WP settings that this content page is loaded in an invisible iframe. The URL of this page is: https://www.vasaprevia.nl/give/donation-form/. When I go to that URL, the homepage is shown, which seems to confirm that this is where the problem is.

    Thread Starter boriskrielen

    (@boriskrielen)

    Hi Rick,

    Thanks for your help! Sorry, I’ve been trying most of your suggestions, but I’m doing this for free for this foundation and I had lots of other things to take care of as well. Tomorrow morning I’ll have some time to look at this issue again and get back to you with my findings in detail.

    Best regards, Boris

    Hi John,

    No errors in sight anywhere. Latest versions already in place (of course). Spent all day reading all that is available on the web about this issue. Tried all offered solutions.

    SEO title field now works OK (sort of) by using [:nl] [:en] tags. But that doesn’t work in Meta description field; the tags are being removed when saving the page.

    Hi,

    I activated the Yoast SEO & qTranslate-X plugin, but SEO title and Meta description fields still do not work in different languages. What is the use of this plugin if I can’t use any of the SEO fields? Am I doing something wrong?

    The page with the suggested solution shows only “There isn’t anything to compare.” and no solution whatsoever.

    Thread Starter boriskrielen

    (@boriskrielen)

    Yes, same plugins and theme. They are not on the same server. But I found out that if I change the Permalink setting from “Message Name” to “Default” the “Brute Force > Rename Login Page Settings” does work OK. If I change the Permalink setting back, then it stops working. So it does cause the problem.

    I also found out that the only rules in the .htaccess-file are from the All In One WP Security & Firewall plugin and from the Permalink setting, but only if set to “Message Name”. Permalink setting “Default” doesn’t write any rules in the .htaccess-file, then all rules are from the All In One WP Security & Firewall plugin. So I suppose when both write rules to the .htaccess-file, those rules conflict.

    Thread Starter boriskrielen

    (@boriskrielen)

    PS. I compared with another one of my websites where the plugin does work. Only difference between the 2 websites is the WordPress Permalink settings.

    In the website where this is set to “default” the plugin works OK. In the website where it is set to “Message Name” the plugin doesn’t work. So I guess that’s where the problem is. Still wondering why this basic wp-setting stops the plugin from working. I suppose many people use another Permalink setting than “default”.

    Is there a way to make it work while keeping the Permalink setting set to “Message Name”?
