Forum Replies Created

Viewing 15 replies - 16 through 30 (of 120 total)
  • Thread Starter jnorell

    (@jnorell)

    Of course after posting, I immediately came across the answer “by chance” .. for my first issue, it sounds like it’s definitely a problem because I’m integrating in a theme: https://github.com/BracketSpace/Notification/issues/201 I’ll move things to a plugin instead. The two questions/issues remain.

    Thanks!

    @malayladu please note this issue. The matter may be resolved for the original poster, as she switched to another plugin, but the issue reported here certainly isn’t resolved, it is an open security issue for every user of your plugin. Even a small acknowledgement that you have seen this and might address it in an upcoming release would be in order.

    Thank you,
    Jesse

    I was actually just looking for where to report security issues on this plugin for exactly this. There appear to be absolutely no capability checks within the plugin to limit admin functionality at all.

    I was planning to replace this plugin sooner or later anyways, due partly to recurring security issues – guess this moves that up the schedule.

    Thread Starter jnorell

    (@jnorell)

    Right, my thoughts were that maybe some javascript was not able to load, so an HTTP request wasn’t sent properly (e.g. missing some data) and that led to triggering the PHP error when the request was handled. But that’s merely a guess.

    Thread Starter jnorell

    (@jnorell)

    I see you just released a new wpadverts with “FIXED: Browser AdBlockers are hiding some inputs in wp-admin / Classifieds / Options / Core panel.” in the changelog, and that makes me think – perhaps this was caused by an ad blocker in my browser? I had come across some other places where it (uBlock Origin) was blocking some assets from loading, and had configured it to allow everything on this dev site between the time that I reported this and when I couldn’t reproduce it. I haven’t tried to undo that and verify, but it is certainly a possibility.

    Thread Starter jnorell

    (@jnorell)

    Just tested this again and I am not getting any errors/notices/issues, so just ignore it (looks like it is marked resolved, just following up….).

    Thread Starter jnorell

    (@jnorell)

    Ok, thank you. On a related note, do you plan to support custom taxonomies in the future (so my custom post type could be limited to a taxonomy it actually uses)? Or alternatively, have you created any filter hooks which might allow that (i.e. when the new post is my cpt, I check the category and return an indication of whether it should be notified or not)?

    Thanks!

    Try [adverts_add moderate="1"]

    I have spent a fair bit of time reworking rewrite rules to change all the wpadverts paths to be more to my liking (and should be SEO friendly); it’s in a custom theme but I’d be glad to share if you want. (Make that “all” wpadverts paths for components we use; we don’t have all the modules enabled, etc.)

    FWIW we use:
    /classifieds/ top level [adverts_list] page
    /classifieds/{adverts_category}/ category archives
    /classifieds/{adverts_category}/{advert_post_title}
    /classifieds/locations/{country}/{state}/{city} hierarchical location paths

    I didn’t make the category path hierarchical, for better or worse (would be easy to do).

    I just ran into this yesterday with uBlock Origin; I added all the sites to the uBlock whitelist to resolve it, and then just hoped not too many customers were affected. I believe it was the admin site (including adverts-admin.js or similar) that was the problem, not publicly viewing the ads.

    Thread Starter jnorell

    (@jnorell)

    Ok, I can confirm that behavior for the contact form, thanks. Likely related to the error/issue mentioned here, we apparently already had the Contact Form enabled and working (i.e. we had the “Send Message” button with a form), even though the presence of the “Enable” button for the contact form feature implied it was not.

    On a related note, I just disabled the Contact Form feature to test (which worked, “Send Message” changed to “Show Contact Information”), and now I cannot enable it again. Hitting Enable goes to the contact form settings page with a notice that reads, “Module activated successfully.”, but when I hit the “Update Options” button I get the error:

    Notice: Undefined property: Adverts_Flash::$_new in /path/to/wp-content/plugins/wpadverts/includes/class-flash.php on line 150

    and going back to Classifieds > Options shows the Enable button still available (also the front end does not change back to “Send Message” button). No php fatal errors this time, though.

    Thread Starter jnorell

    (@jnorell)

    Never mind on this, it seems to now be working, though I don’t know what was causing the issue.

    I changed to the default theme (with some difficulty, which is odd), and deactivated and reactivated all plugins (except wpadverts) a few times, and cleared the server cache (varnish) a few times .. nothing seemed to behave with consistency; initially I couldn’t enable Emails with all plugins deactivated and using the default theme … after a while of reactivating plugins, I couldn’t cause it to fail, then back to the original theme, and again, I can’t cause any failures.

    My guess is it was a hosting related issue, as the problem was in finding/loading the php class, but who knows.

    • This reply was modified 5 years, 4 months ago by jnorell.

    It seems like a proper solution would be to modify the upstream HierarchicalTermSelector component to accept a property specifying whether it should allow multiple selections (the default, and renders with checkboxes) or not (renders with radio buttons). That should be pretty simple, and I intended (intend?) to attempt that, but being entirely new to react, I’m still working on getting the environment set up to be able to do so.

    • This reply was modified 5 years, 5 months ago by jnorell.

    I’m guessing this might get seen since the topic is marked resolved, but trying one bump before starting a new topic…

    I ate up a bit of time tracking all the pieces down, but in the end it’s pretty simple to build a custom login form which is compatible with the new Wordfence 2FA, though I only tested recaptcha, not the otp app yet.

    For a demo, I made a /login/ page to display the custom login form. In functions.php add:

    
    // Point every login link WordPress generates (including the links in
    // Wordfence's verification emails) at the custom /login/ page.
    add_filter( 'login_url', function( $login_url, $redirect, $force_reauth ) {
        $login_page = home_url( '/login/' );
        $login_url = add_query_arg( 'redirect_to', $redirect, $login_page );
        return $login_url;
    }, 10, 3 );
    
    // After logging out, send the user back to the custom login page.
    add_filter( 'logout_url', function( $logout_url, $redirect ) {
        $login_page = home_url( '/login/' );
        $logout_url = add_query_arg( 'redirect_to', $login_page, $logout_url );
        return $logout_url;
    }, 10, 2 );
    

    The login_url filter is needed to make the links in the verification URLs point to the /login/ page.

    In the template displaying the custom login page you need to mimic a little behavior from wp-login.php. I found 4 things were needed: to enqueue login scripts, do the login_init action (which calls wordfence::loginInitAction), do the login_form action in the middle of the login form (which calls wordfence::showTwoFactorField) by tying it to the login_form_middle action, and include appropriate markup so the ‘#login > h1’ selector has a match to place error messages.

    
    if ( is_user_logged_in() ) {
            ?> <p>You are already logged in.  <a href="/wp-login.php?action=logout&redirect=/login">Log out</a>.</p> <?php
    } else {
            // 'login_form_middle' is a filter on the form's HTML string, so buffer what
            // the 'login_form' action (wordfence::showTwoFactorField) echoes and return
            // it; otherwise the 2FA field is printed before the <form> instead of inside it.
            add_filter( 'login_form_middle', function( $content ) {
                    ob_start();
                    do_action( 'login_form' );
                    return $content . ob_get_clean();
            } );
            
            do_action( 'login_enqueue_scripts' );
            do_action( 'login_init' );   // calls wordfence::loginInitAction
            
            // Wordfence places its error messages relative to the '#login > h1' selector.
            ?> <div id="login"><h1 style="display: none;"></h1></div> <?php
    
            wp_login_form( array('redirect' => home_url()) );
    }
    

    And don’t forget to style ‘.login_error’ to call attention to the ‘VERIFICATION REQUIRED …’ error.

    There are a few things missing that the full wp-login.php would include (e.g. wordfence::wfLogHumanHeader and wordfence::addSyncAttackDataAjax which are normally called by the login_head action), so there is room for improvement if Wordfence were to officially support custom login pages. Of note, I managed to lock myself out during testing, and Wordfence’s ‘You are temporarily locked out’ block was preceded by ‘Cannot modify header information – headers already sent’ warnings. But this is much better than having those login forms completely unprotected.

    @wfdave: is there an official feature request open for supporting custom login pages? If not, please consider this a request to create one. On sites which use them (and ours uses it exclusively), there’s really a need to have a good login security solution. Thanks!
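As an added example (not code from the post above or from Wordfence), here is the same template logic packaged as a shortcode that also replays the login_head and login_footer hooks the post notes as missing, and validates redirect_to before using it. The shortcode name and the /login/ page path are assumptions.

```php
<?php
// Added example: a [custom_login_form] shortcode replaying the wp-login.php hooks
// that Wordfence listens on. Shortcode name and /login/ page are assumptions.

add_shortcode( 'custom_login_form', function () {
    if ( is_user_logged_in() ) {
        // wp_logout_url() includes the logout nonce, unlike a hand-written link.
        return '<p>You are already logged in. <a href="'
            . esc_url( wp_logout_url( home_url( '/login/' ) ) ) . '">Log out</a>.</p>';
    }

    // Only allow redirects to this site; passing redirect_to through unchecked
    // turns the login page into an open redirect.
    $redirect = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    $redirect = wp_validate_redirect( $redirect, home_url() );

    // 'login_form_middle' is a filter on the form string: capture what the
    // 'login_form' action (wordfence::showTwoFactorField) echoes so the 2FA
    // field lands inside the <form> rather than being printed before it.
    add_filter( 'login_form_middle', function ( $content ) {
        ob_start();
        do_action( 'login_form' );
        return $content . ob_get_clean();
    } );

    ob_start();
    do_action( 'login_init' );            // wordfence::loginInitAction
    do_action( 'login_enqueue_scripts' ); // Wordfence login scripts/styles
    do_action( 'login_head' );            // wfLogHumanHeader, addSyncAttackDataAjax
    // Wordfence anchors its error message on the '#login > h1' selector.
    echo '<div id="login"><h1 style="display:none;"></h1></div>';
    echo wp_login_form( array( 'redirect' => $redirect, 'echo' => false ) );
    do_action( 'login_footer' );
    return ob_get_clean();
} );
```

Because login_init runs inside the shortcode, any redirect Wordfence issues there happens after page output has started; place the shortcode early in the page or call the same hooks from the template before the header is sent.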
