CGS Web Designs

Not sure if it’s a false positive or not, but I have the same issue on 38 sites that I just updated to 6.6. Different hosts as well. It’s either an issue with the WordPress update or Wordfence is flagging them in error.

@wpo365 thanks for the reply – right now, the only option that is working is just using “?sig=”. Your suggesting won’t work because the plugin doesn’t allow anything that includes /wp-admin/ in the path (for obvious reasons). I am content with the solution I have for now.

It is possible to use the unique chain – but I have over 40 child sites and that would be a lot of rules to manage & maintain (plus those chains do change occasionally).

The good news is everything is working and I am good to go. Again, thanks for engaging here, I’m making good use of your SSO plugin and am very happy with it.

Hi @wpo365 thanks for responding so quickly. I spoke to the guys at MainWP and with their assistance I was able to come up with an entry on the “pages freed from authentication” section that works. That being said, I wanted to make sure I’m doing this as secure as possible so I wanted to ask an additional question. As it turns out, when installing via ZIP file, the child site reaches back to the MainWP Dashboard site to download the ZIP. When it does so, it reaches back via /wp-admin/admin.php?sig=xxxxx&mwpdl=yyyyy where sig= and mwpdl= will vary with every installation.

As a result, I was able to use an entry for freed pages of “?sig=” which allows the plugins to be installed however, I wanted to know if there is a more strict entry that would work. I couldn’t find anything in your documentation about wildcards or regex being allowed here – I originally tried “?sig=*” and that resulted in failure (regex such as “?sig=.+&mwpdl=.+” also failed).

Thanks for that info, so it looks like the nomenclature has changed but it was already there prior.

I just posted this too. Hopefully there is an answer soon. I took a fresh download of the plugin and checked out the file in question. It appears that the file is searching for any existing redirections to that URL in the rank_math_redirections table and removing them if it finds them.

This concerns me because it almost seems like the team is stealthily trying to cover up a previous security breach (that’s pure conjecture and I have no way of knowing if that’s truly the case).

Thanks for the update, looks to be fixed with the update you’ve released. Appreciate the quick response!

Thank you, I’ve submitted a support ticket as you requested.

@mohsinbsf this plugin has had a 5-star rating from me for a very long time already ??

Thank you for the information @mohsinbsf – I sent the information over to the developers at MeowApps and they released an update to the plugin today which resolves the issue. I appreciate the time your team spent on this even though the issue was with another plugin that wasn’t yours. You guys really are first class!

Hi @mohsinbsf have you any update on this issue? It has been confirmed by myself and the plugin vendor support.

Hi, I have already determined the issue only occurs when BOTH plugins are active. If I turn either one off, the issue resolves. The vendor at MeowApps was able to replicate this behavior as well. The response from them was as follows:

I can indeed replicate your issue. It seems that the root of the problem is some sort of override of the React Styled Components library, as the following element is added to the HTML, which is the cause of the CSS looking weird: <style data-styled=”active” data-styled-version=”6.0.8″></style> If you manually remove it, it pops back to normal.

Let’s wait for Spectra’s response on the matter as this isn’t experienced in any other plugin that I know of.

According to the original reports, the current version is also vulnerable.

The moderator’s answer is the correct one. However, you can likely accomplish this with some custom CSS. In your Customizer, under the additional CSS section, add this code and see if it works:

.cv-container image-overlay {
   display: none;
}

This is not the cleanest way to do it, and you want to check your plugin settings to see if it can be configured there first.

Try disabling your Miniorange OTP Verification plugin and Ultimate Member plugin. They’re both called out in the error message you posted.

If you can’t get into your dashboard to disable them, then use FTP or your host’s file manager program (usually CPanel) to rename the folders to .old.

*I’m not a WP associate, just another forum user who saw your issue and thought I might be able to help.

I had this exact same issue on one of my sites after upgrading to WP 6.1. I am not sure exactly what fixed it, but here’s what I did…

I used the Health Check & Troubleshooting plugin to enable troubleshooting mode. I was then able to use the editor (with all plugins disabled in troubleshooting mode). I then disabled troubleshooting mode and cleared my browser cache. I was then able to access the editor.

The quickest way to clear your browser cache is to hit F12 which opens the developer console, then right-click the reload button in the browser and choose “clear cache and hard reload” from the context menu. Also try using a fresh browser in incognito/private mode.