
Custom Code Save & Close 403 Error

Open itslkc opened this issue 3 years ago • 20 comments

Prerequisites

  • [x] I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • [x] The issue still exists against the latest stable version of Elementor.

Description

Screen recording of steps and Console error https://youtu.be/dLKBEeEbgCc

Attempting to Save & Close Custom Code results in 403 Error. Console messages below:

common.min.js?ver=3.2.4:2 PUT https://www.lautrecotecabfranc.com/wp-json/elementor/v1/site-editor/templates-conditions/3261 403

{message: "", code: "", data: Array(0)}

Uncaught (in promise) 
Response {type: "basic", url: "https://www.lautrecotecabfranc.com/wp-json/elementor/v1/site-editor/templates-conditions/3261", redirected: false, status: 403, ok: false, …}

Steps to reproduce

  1. Navigate to Elementor > Custom Code
  2. Click Add New Custom Code
  3. Name the Custom Code, add in code. Click Publish.
  4. At the Publish Settings, add condition Entire Site, click Save & Close.
  5. Won't save & close, 403 error appears in the Inspector Console.

Problem can be replicated with Safari also.

Isolating the problem

  • [x] This bug happens with only Elementor plugin active (and Elementor Pro).
  • [x] This bug happens with a default WordPress theme active.
  • [x] I can reproduce this bug consistently using the steps above.

Environment

System Info

== Server Environment ==
Operating System: Linux
Software: LiteSpeed
MySQL version: MariaDB Server v10.3.23
PHP Version: 7.4.20
PHP Max Input Vars: 10000
PHP Max Post Size: 512M
GD Installed: Yes
ZIP Installed: Yes
Write Permissions: All right
Elementor Library: Connected

== WordPress Environment ==
Version: 5.7.2
Site URL: https://www.lautrecotecabfranc.com
Home URL: https://www.lautrecotecabfranc.com
WP Multisite: No
Max Upload Size: 512 MB
Memory limit: 1G
Permalink Structure: /%postname%/
Language: en-US
Timezone: America/Los_Angeles
Debug Mode: Inactive

== Theme ==
Name: L'autre Côte
Version: 1.0
Author: Leonel Calara
Child Theme: Yes
Parent Theme Name: Hello Elementor
Parent Theme Version: 2.3.1
Parent Theme Author: Elementor Team

== User ==
Role: administrator
WP Profile lang: en_US
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36

== Active Plugins ==

All In One WP Security
	Version: 4.4.8
	Author: Tips and Tricks HQ, Peter Petreski, Ruhul, Ivy

Cloudflare
	Version: 4.5.1
	Author: Cloudflare, Inc.

Defender
	Version: 2.5.3
	Author: WPMU DEV

Duplicate Page
	Version: 4.4
	Author: mndpsingh287

Elementor
	Version: 3.2.4
	Author: Elementor.com

Elementor Addon Elements
	Version: 1.11.5
	Author: WPVibes

Elementor Pro
	Version: 3.3.0
	Author: Elementor.com

Erident Custom Login and Dashboard
	Version: 3.5.9
	Author: Libin V Babu

Google Analytics for WordPress by MonsterInsights
	Version: 7.17.0
	Author: MonsterInsights

Head, Footer and Post Injections
	Version: 3.2.2
	Author: Stefano Lissa

Hotjar
	Version: 1.0.10
	Author: Hotjar

Simple Page Ordering
	Version: 2.3.4
	Author: Jake Goldman, 10up

SVG Support
	Version: 2.3.18
	Author: Benbodhi

TablePress
	Version: 1.13
	Author: Tobias Bäthge

WP-Sweep
	Version: 1.1.3
	Author: Lester 'GaMerZ' Chan

WP Server Stats
	Version: 1.6.10
	Author: Saumya Majumder, Acnam Infotech

Yoast SEO
	Version: 16.5
	Author: Team Yoast

== Elementor - Compatibility Tag ==

Elementor Addon Elements: Incompatible
Elementor Pro: Compatible

== Elementor Pro - Compatibility Tag ==

Elementor Addon Elements: Incompatible

== Elements Usage ==

footer : 2
	button : 3
	divider : 5
	heading : 17
	image : 12
	social-icons : 2
header : 5
	button : 3
	heading : 1
	icon : 3
	image : 3
	nav-menu : 5
	search-form : 6
	spacer : 3
	theme-site-logo : 3
popup : 2
	button : 1
	text-editor : 1
	video : 1
section : 3
	heading : 1
	html : 1
	nav-menu : 2
	text-editor : 1
wp-page : 8
	button : 7
	divider : 4
	form : 2
	heading : 26
	html : 2
	icon : 1
	image : 4
	spacer : 2
	text-editor : 30

== Log ==

Log: showing 20 of 40
2021-04-22 06:50:28 [info] Elementor data updater process has been completed. [array ( 'plugin' => 'Elementor', 'from' => '3.1.4', 'to' => '3.2.1', )]
2021-05-01 06:50:24 [info] Elementor data updater process has been completed. [array ( 'plugin' => 'Elementor', 'from' => '3.2.1', 'to' => '3.2.2', )]
2021-05-09 22:26:22 [info] Elementor data updater process has been completed. [array ( 'plugin' => 'Elementor', 'from' => '3.2.2', 'to' => '3.2.3', )]
2021-05-09 22:26:22 [info] Elementor data updater process has been completed. [array ( 'plugin' => 'Elementor Pro', 'from' => '3.2.1', 'to' => '3.2.2', )]
2021-05-29 08:17:25 [info] Elementor data updater process has been completed. [array ( 'plugin' => 'Elementor', 'from' => '3.2.3', 'to' => '3.2.4', )]
2021-06-09 13:11:15 [info] elementor-pro::elementor_pro_updater Started
2021-06-09 13:11:15 [info] Elementor Pro/Upgrades - _v_3_3_0_nav_menu_icon Start
2021-06-09 13:11:15 [info] Elementor data updater process has been queued. [array ( 'plugin' => 'Elementor Pro', 'from' => '3.2.2', 'to' => '3.3.0', )]
2021-06-09 13:11:15 [info] Elementor Pro/Upgrades - _v_3_3_0_nav_menu_icon callback needs to run more 3 times
2021-06-09 13:11:16 [info] elementor-pro::elementor_pro_updater Started
2021-06-09 13:11:16 [info] Elementor Pro/Upgrades - _v_3_3_0_nav_menu_icon Start (2 of 4, 50%)
2021-06-09 13:11:17 [info] elementor-pro::elementor_pro_updater Started
2021-06-09 13:11:17 [info] Elementor Pro/Upgrades - _v_3_3_0_nav_menu_icon Start (3 of 4, 75%)
2021-06-09 13:11:18 [info] elementor-pro::elementor_pro_updater Started
2021-06-09 13:11:18 [info] Elementor Pro/Upgrades - _v_3_3_0_nav_menu_icon Start (4 of 4, 100%)
2021-06-09 13:11:19 [info] Elementor Pro/Upgrades - _v_3_3_0_nav_menu_icon Finished
2021-06-09 13:11:20 [info] elementor-pro::elementor_pro_updater Started
2021-06-09 13:11:20 [info] Elementor Pro/Upgrades - _v_3_3_0_recalc_usage_data Start
2021-06-09 13:11:20 [info] Elementor Pro/Upgrades - _v_3_3_0_recalc_usage_data Finished
2021-06-09 13:11:20 [info] Elementor data updater process has been completed. [array ( 'plugin' => 'Elementor Pro', 'from' => '3.2.2', 'to' => '3.3.0', )]

PHP: showing 2 of 2
PHP: 2021-04-04 02:41:23 [notice X 10][/home/nelcalara/lautrecotecabfranc.com/wp-content/plugins/elementor/modules/system-info/reporters/user.php::113] Undefined index: HTTP_USER_AGENT [array ( 'trace' => ' #0: Elementor\Core\Logger\Manager -> shutdown() ', )]
PHP: 2021-05-10 16:39:11 [notice X 11][/home/nelcalara/lautrecotecabfranc.com/wp-content/plugins/elementor/includes/conditions.php::90] Trying to access array offset on value of type null [array ( 'trace' => ' #0: Elementor\Core\Logger\Manager -> shutdown() ', )]


itslkc avatar Jun 16 '21 03:06 itslkc

Hi, thanks for the detailed report and video. I was not able to reproduce this issue. I can only suggest opening a support ticket.

Sorry for not being able to help. I can however suggest making sure you're using a user with admin permissions, trying to replicate the bug with no other plugins activated, and turning off all Elementor experiments.

Aviad-Herman avatar Jul 03 '21 22:07 Aviad-Herman

I found the issue. Some security plugins modify .htaccess which prevents assigning conditions to Custom Code.

Solution: Remove the necessary changes to .htaccess, or temporarily deactivate the plugin that modified .htaccess.

In my case simply deactivating the plugin All In One WP Security removed their modifications to .htaccess which allowed me to add the Custom Code I needed. I reactivated once my Custom Code was complete.

itslkc avatar Jul 09 '21 03:07 itslkc

Great catch!

Aviad-Herman avatar Jul 11 '21 13:07 Aviad-Herman

Hi,

I have the same problem on a WordPress 5.8.2 platform with Elementor 3.4.7 and Elementor Pro 3.5.0. I have the Wordfence security plugin, free version 7.5.6.

What I tried to do:

  • [x] Disabling and deleting Wordfence tables
  • [x] Deleting custom .htaccess setting lines
  • [x] Disabling plugins and themes
  • [x] Moving database and all files in my dev environment makes it work fine

I'm starting to think that it's a server-side problem, like a firewall or similar, I'll check with my server admin on that.

A workaround I used is to create a record in the database, in the wp_postmeta table. The meta_value is a serialized string composed by the editor; in my case I needed the snippet to display on a particular page:

  • post_id => [The custom code snippet ID you created, even if it is a draft]
  • meta_key => _elementor_conditions
  • meta_value => a:1:{i:0;s:26:"include/singular/page/[ID]";}

MarDenDev avatar Nov 11 '21 09:11 MarDenDev
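The hand-written meta_value in the workaround above is a PHP-serialized array, and the `s:26` prefix is the byte length of the string that follows: it must equal the length of `include/singular/page/` plus the digits of the real ID you substitute, otherwise `unserialize()` rejects the value and the condition is never applied. The following added example (written for this thread, not Elementor or WordPress code) builds that value for a given condition list and round-trips it through a small parser so the length is checked before the row is inserted. It assumes the condition string format shown in the comment (`include/singular/page/<ID>`); the `include/general` string used for "Entire Site" is an assumption as well.

```python
"""Build and verify the _elementor_conditions meta_value from MarDenDev's workaround.
Added example for this thread (not Elementor/WordPress code): WordPress stores
arrays with PHP serialize(), where s:N is the byte length of the string."""
import re


def php_serialize_string_list(items):
    """Serialize a list of str the way PHP serialize() does for a 0-indexed array."""
    parts = []
    for i, s in enumerate(items):
        parts.append('i:%d;s:%d:"%s";' % (i, len(s.encode("utf-8")), s))
    return "a:%d:{%s}" % (len(items), "".join(parts))


def php_unserialize_string_list(blob):
    """Minimal parser for the array-of-strings shape above.
    Raises ValueError when a declared s:N length does not match the data,
    which is exactly what a mistyped ID produces."""
    m = re.match(r'^a:(\d+):\{(.*)\}$', blob, re.S)
    if not m:
        raise ValueError("not a serialized array")
    count, body = int(m.group(1)), m.group(2).encode("utf-8")
    items, pos = [], 0
    for expected_index in range(count):
        head = re.match(rb'i:(\d+);s:(\d+):"', body[pos:])
        if not head or int(head.group(1)) != expected_index:
            raise ValueError("bad element header at byte %d" % pos)
        n = int(head.group(2))
        start = pos + head.end()
        value = body[start:start + n]
        if body[start + n:start + n + 2] != b'";':
            raise ValueError("declared length %d does not match string" % n)
        items.append(value.decode("utf-8"))
        pos = start + n + 2
    if pos != len(body):
        raise ValueError("trailing data after last element")
    return items


def elementor_conditions_meta(conditions):
    """Return a verified meta_value for the _elementor_conditions key."""
    blob = php_serialize_string_list(conditions)
    if php_unserialize_string_list(blob) != list(conditions):
        raise ValueError("round-trip mismatch")
    return blob


def postmeta_row(post_id, conditions):
    """The (post_id, meta_key, meta_value) triple the workaround inserts."""
    return (int(post_id), "_elementor_conditions", elementor_conditions_meta(conditions))


# Constructed inputs, assumed to follow the format given in the comment:
#   include/singular/page/<ID>  -> one specific page
#   include/general             -> "Entire Site" (assumption)
PAGE_ONLY = elementor_conditions_meta(["include/singular/page/3261"])
ENTIRE_SITE = elementor_conditions_meta(["include/general"])

if __name__ == "__main__":
    print(postmeta_row(3261, ["include/singular/page/3261"]))
    print(ENTIRE_SITE)
```

If you have PHP access to the site, `update_post_meta( $snippet_id, '_elementor_conditions', [ 'include/singular/page/3261' ] )` produces the same serialized value, since WordPress serializes array meta for you and you never have to count bytes by hand.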

I have the same problem. Has anyone found a solution? I don't have any plugin installed other than Elementor and Elementor PRO.

riandeodato avatar Jun 06 '22 01:06 riandeodato

I have the same problem in the latest version, does anyone have a solution?

ofmarconi avatar Oct 14 '22 15:10 ofmarconi

> I have the same problem in the latest version, does anyone have a solution?

Check if you have "WAF/ModSecurity" enabled on your server. If the setting is enabled just turn it off :)

Wapozon11 avatar Nov 06 '22 16:11 Wapozon11

The real solution is for Elementor to encode form data on the client-side before sending it to the web server.

When you are using a web server with mod_security2 enabled, or some WP security plugins that use similar security rules, saving some types of content can trigger RCE, XSS, or other security rules. This will result in 403 or other HTML response codes, and your page won't be saved.

For example, I tried to save a web page that had a telephone link in the content. Just trying to save edits with "> (866)" in the page content was enough to trigger a security rule and prevent me from saving my page edits.

Encoding the data with base64, or some other encoding method, before sending it from the client-side to the web server will prevent most security systems from thinking saving your edits is an attack.

Disabling security features on your web server is a dangerous way to deal with this problem. Please do not do this unless you are really desperate to save your edits AND you are going to re-enable your security immediately after your page edits are saved.

I see this as a major problem, and I'm surprised that Elementor does not test how their product interacts with mod_security2 since it is so widely used.

More information is available here... #22683

ghost avatar Jun 11 '23 22:06 ghost
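Before changing any firewall setting it is worth confirming that the 403 really comes from a WAF layer and not from WordPress's own REST permission check; the two answer with different bodies. The following added example (written for this thread, not Elementor or WordPress code) classifies a 403 by its body: WordPress renders a REST `WP_Error` as JSON carrying a non-empty `code`, while a ModSecurity-style block answers with the web server's HTML error page and never reaches PHP. Both response samples are constructed for illustration; the message wording and the HTML are not captured traffic. The empty `{message: "", code: "", data: Array(0)}` object in the opening report is what a JSON-expecting client ends up with in the second case, which is consistent with (though not proof of) a block in front of WordPress.

```python
"""Triage an Elementor save that fails with 403: did WordPress refuse it, or did a
web application firewall in front of PHP block it?  Added example for this thread,
not Elementor or WordPress code.  Both responses are constructed, not captured."""
import json

# Constructed: a WordPress REST permission failure.  WP renders a WP_Error as JSON
# with a non-empty 'code'; the 'message' wording here is illustrative.
WP_REST_403 = {
    "status": 403,
    "headers": {"Content-Type": "application/json; charset=UTF-8"},
    "body": '{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.",'
            '"data":{"status":403}}',
}

# Constructed: a block page from the web server / WAF layer.  ModSecurity-style
# blocks return the server's HTML error page (or nothing) and never reach PHP.
WAF_403 = {
    "status": 403,
    "headers": {"Content-Type": "text/html; charset=iso-8859-1"},
    "body": "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1>"
            "<p>You don't have permission to access this resource.</p></body></html>",
}


def classify_403(resp):
    """Return 'wordpress', 'waf', 'unknown' or 'not-403' for a response dict."""
    if resp["status"] != 403:
        return "not-403"
    ctype = resp["headers"].get("Content-Type", "").lower()
    try:
        data = json.loads(resp["body"])
    except ValueError:
        data = None
    if isinstance(data, dict) and data.get("code"):
        return "wordpress"   # request reached WP; its permission/nonce check failed
    if data is None or "json" not in ctype:
        return "waf"         # non-JSON body on a REST route: blocked before PHP
    return "unknown"


def client_view(resp):
    """What a client that expects a JSON error object is left holding.
    Assumption: a non-JSON body yields empty fields, the shape seen in the report."""
    try:
        data = json.loads(resp["body"])
    except ValueError:
        data = {}
    return {"message": data.get("message", ""),
            "code": data.get("code", ""),
            "data": data.get("data", [])}


if __name__ == "__main__":
    for name, resp in (("wordpress-rest", WP_REST_403), ("waf-block", WAF_403)):
        print(name, "->", classify_403(resp), client_view(resp))
```

In practice the same check is a `curl -i` of the failing PUT with the browser's cookies and `X-WP-Nonce` header: a `text/html` 403 points at the server or WAF, and the WAF's own audit log will then name the rule that matched.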

Hey guys, no updates for Elementor-level users, right? We've already used a builder so as not to go into such technical details.

ofmarconi avatar Jul 12 '23 21:07 ofmarconi

Hello Guys,

I faced the same issue and it was due to the WordFence security plugin. I made the following changes and it worked for me.

We need to add this in the WordFence > All Options > Allowlisted URLs

  1. Add "/wp-admin/admin-ajax.php" in the URL field
  2. Keep Param Type: POST Body
  3. And "actions" as Param Name
  4. Hit Add
  5. Click "Save Changes"
  6. Refresh the page you are trying to publish and then try making changes.

I hope this helps.

makarandPatil avatar Jul 13 '23 05:07 makarandPatil

So in other words, all a hacker has to do to completely bypass your firewall is add a POST parameter named "action" to their attack.

In my humble opinion, leaving a gaping hole in your firewall so Elementor can work is not a valid solution.

The real solution is for Elementor to encode their POST data so that nothing in it can be misinterpreted as an attack.

ghost avatar Jul 13 '23 13:07 ghost

@makarandPatil undo it my friend, it opens the way to one of the most common hacking actions

ofmarconi avatar Jul 14 '23 13:07 ofmarconi

@ofmarconi @wpkc Thank you for the feedback, friends. I have disabled it. Until Elementor fixes this bug, we can add that rule while we are working on the page and disable it once finished.

makarandPatil avatar Jul 14 '23 13:07 makarandPatil

Sadly, this thread started two years ago, and the Elementor devs have done nothing to address this. I doubt they ever will.

I don't use WordFence, so I can't help you there. But if you were going to write an exception, you could try to be more specific. For example, you could make a rule that bypasses the firewall only if all these conditions are true...

  • Request Header "Host:" = "www.mysite.com" (replace with your web server name). This prevents hackers that are only using an IP address from getting through.
  • Request Header "Referer:" contains "/wp-admin/post.php?post=". This ignores requests that did not set the correct referrer.
  • Request File Path ends with "/wp-admin/admin-ajax.php". Saving an Elementor page goes through the WP AJAX API.
  • POST body has an argument named "action"
  • POST body argument "action" has a value that starts with "elementor_"

Not perfect, since all these conditions can be easily simulated by a hacker. But at least if all these conditions are met, then any hacking that might be going on will be routed only to the Elementor plugin. This is better than bypassing the firewall for all AJAX interfaces.

ghost avatar Jul 14 '23 23:07 ghost
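To make the difference between the two allowlists concrete, the following added example (written for this thread, not Wordfence or ModSecurity code) encodes both as predicates over a request and runs them against three constructed requests: a legitimate editor save, an IP-based scanner that merely includes an `action` parameter, and an attacker who read the same rule and set every header. `SITE_HOST` and the request contents are placeholders; the `action=elementor_ajax` body is an assumption about what the editor sends.

```python
"""Blanket Wordfence-style allowlist (any POST body with 'action' skips the firewall)
versus the five-condition scoped rule proposed above.  Added example for this
thread, not Wordfence or ModSecurity code; requests and SITE_HOST are constructed."""
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.mysite.com"   # assumption: the site's real hostname goes here


def _action(req):
    """Value of the 'action' form field, or None when absent."""
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    return params.get("action", [None])[0]


def blanket_bypass(req):
    """The thread's Wordfence rule: skip the firewall when the POST body has 'action'."""
    return req["method"] == "POST" and _action(req) is not None


def scoped_bypass(req):
    """ghost's five conditions; all must hold for the bypass to apply."""
    h = req["headers"]
    action = _action(req) or ""
    return (
        h.get("Host") == SITE_HOST
        and "/wp-admin/post.php?post=" in h.get("Referer", "")
        and urlsplit(req["path"]).path.endswith("/wp-admin/admin-ajax.php")
        and req["method"] == "POST"
        and action.startswith("elementor_")
    )


# Constructed requests; bodies are form-encoded as admin-ajax.php expects.
EDITOR_SAVE = {
    "method": "POST", "path": "/wp-admin/admin-ajax.php",
    "headers": {"Host": SITE_HOST,
                "Referer": "https://%s/wp-admin/post.php?post=3261&action=elementor" % SITE_HOST},
    "body": "action=elementor_ajax&editor_post_id=3261&actions=%7B%7D",
}
IP_SCANNER = {   # reaches the server by IP, no referer, some other plugin's action
    "method": "POST", "path": "/wp-admin/admin-ajax.php",
    "headers": {"Host": "203.0.113.10"},
    "body": "action=some_other_plugin_action&payload=%3Cscript%3E",
}
FORGED = {       # attacker who read the same rule and set every header
    "method": "POST", "path": "/wp-admin/admin-ajax.php",
    "headers": {"Host": SITE_HOST,
                "Referer": "https://%s/wp-admin/post.php?post=1" % SITE_HOST},
    "body": "action=elementor_ajax&payload=%3Cscript%3E",
}


def evaluate(requests):
    """Map request name -> (blanket_bypass, scoped_bypass) decisions."""
    return {name: (blanket_bypass(r), scoped_bypass(r)) for name, r in requests.items()}


if __name__ == "__main__":
    results = evaluate({"editor": EDITOR_SAVE, "scanner": IP_SCANNER, "forged": FORGED})
    for name, (blanket, scoped) in results.items():
        print("%-8s blanket=%-5s scoped=%s" % (name, blanket, scoped))
```

The scoped rule keeps the IP-based scanner out while the blanket rule lets it straight through, but the forged request passes both, which is the "not perfect" caveat in numbers: a scoped exclusion limits which handler an unfiltered request can reach, and WordPress's own capability and nonce checks on that handler remain the control that has to hold. Note also that the failing request in the opening report goes to `/wp-json/elementor/v1/site-editor/templates-conditions/<id>`, not `admin-ajax.php`, so a rule written for this thread's original symptom would need to cover that REST route as well.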

Maaaaan it's almost 2024 and same problem

rebofel avatar Nov 22 '23 05:11 rebofel

@rebofel welcome to elementor

ofmarconi avatar Nov 22 '23 11:11 ofmarconi

Login to your hosting and disable WAF/ModSecurity > SecRuleEngine

WebKoncept avatar Jan 03 '24 11:01 WebKoncept

> Login to your hosting and disable WAF/ModSecurity > SecRuleEngine

Horrible solution! Turning off security is never an option!

ofmarconi avatar Jan 04 '24 11:01 ofmarconi

> > Login to your hosting and disable WAF/ModSecurity > SecRuleEngine
>
> Horrible solution! Turning off security is never an option!

After adding the code, simply enable SecRuleEngine again 🤦

WebKoncept avatar Jan 04 '24 12:01 WebKoncept

I'm having the same issue now; turning off security is a no-go, to be honest.

dericlima avatar May 12 '24 19:05 dericlima

Almost 2025 and still the same error.

parmando avatar Sep 28 '24 01:09 parmando