• Resolved harryfear

    (@harryfear)


    We have an issue where the server is falsely responding ‘success’ in its admin-ajax response.

    Moreover, there is no front-end warning or message on this occasion; the form just appears to fail to submit/redirect. This is catastrophic UX.

    The server responded with {success: true, data: {…}}, indicating a successful operation on the server-side. However, this is falsy as the plugin actually refused to accept the entry: the form submissions are not being saved; the user isn’t receiving notification emails; and the thank-you page is never seen.

    The presence of “wpformsAjaxBeforeSubmit” and “wpformsAjaxSubmitSuccess” events indicates that the form is being submitted asynchronously using AJAX, which is relevant.

    In the affected browser sessions, we see:
    https://ibb.co/wp3MQKB

    In normal working browser sessions, we see:
    https://ibb.co/zmjg1Nb

    – Why is the plugin responding from the server like this, reporting success if it’s in fact not processing the submissions?

    – Why is there no handling on the client side in the WPForms JavaScript to handle cases like this? Why is there no fallback message or alert for the user in case of an unusual server response like this?

    We have no steps to reproduce this; this affects a handful of users randomly, across mobile and desktop, using latest Chrome, each month according to the logging we have in place.

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @harryfear,

    Thanks for reaching out! I’m sorry to hear about the issue with admin-ajax on your site.

    Please note that this is unexpected, and here is a screenshot of the expected result for your reference.

    To help us investigate the issue, we’ll need a few details from you:

    • The URL where the form is located.
    • The details from WPForms > Tools > System Info (screenshot).

    As you mentioned that “the plugin actually refused to accept the entry: the form submissions are not being saved”, it seems that you are using the paid version of WPForms.

    If you have an active license subscription with us, could you please submit a support ticket through the WPForms account dashboard when you have a chance and share the details above? Please mention that the ticket should be assigned to Ralden Souza.

    The details above may help us better understand the issue you’re experiencing.

    Thanks!

    Thread Starter harryfear

    (@harryfear)

    Thanks for your fast reply.

    Yes, in the case of an on-page message, we’d expect the HTML to be delivered over admin-ajax.

    However, in our case, on this form in question, we are expecting a redirect URL to be received and processed by the client side for relocation. (Hence my thank-you page reference.)

    I don’t believe we have an active license at this time:

    Diagnostic info:
    https://cryptobin.co/b4u3g1e0
    Open: wpforms
    Thread Starter harryfear

    (@harryfear)

    I was able to reproduce this issue by modifying the value of the nonce:

    <input type="hidden" name="wpforms[nonce]" value="bde3c1cbaf">

    We already faced an issue like this before in May but it was meant to have been fixed?

    https://www.ads-software.com/support/topic/anti-spam-feature-disaster-in-production/#post-17830570

    This is really poor UX. There should be a client-side handling of this and an error message at least!

    Can we urgently get a fix and even a JavaScript event to plug into?

    Thread Starter harryfear

    (@harryfear)

    After additional testing, another related issue/bug:

    Even with “Store spam entries in the database” turned on, these “Fail Silently” nonce-failing submissions don’t get saved under Spam in the entries database.

    Plugin Support Kenneth Macharia

    (@kmacharia)

    Hey @harryfear

    Thank you for the additional details. Our team is currently reviewing this and we’ll get back to you soon.

    We appreciate your patience.

    Thread Starter harryfear

    (@harryfear)

    Any updates on this?

    For now, we’ve disabled all WPForms spam settings to off and are now relying on Akismet.

    Plugin Support Kenneth Macharia

    (@kmacharia)

    Hey @harryfear

    I’m sorry for the delay. Our team has reviewed the issue and we have confirmed that the issue is unrelated to the antispam settings. However, we have noted down that the current approach in handling expired nonces needs an update and this has been noted down. We’ll be working on a fix for this and I will keep you posted.

    Thank you!

    Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @harryfear,

    Thanks for your patience while the team works on the issue.

    When you have a moment, could you please let us know if the issue occurs when you submit the form as a logged-in user? Or if it’s something your clients are experiencing?

    This information will help us better understand and address the issue.

    Thanks!

    Thread Starter harryfear

    (@harryfear)

    Hello!

    This has only affected non-logged-in users.

    Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @harryfear,

    Thanks for the information!

    We haven’t been able to reproduce the issue for non-logged-in users. By default, WPForms shouldn’t display the nonce input for non-logged-in users.

    To continue troubleshooting, could you please reach out to us through our contact page when you have a moment? Be sure to include a link to this post (https://www.ads-software.com/support/topic/catastrophic-bug-wrong-server-response/).

    From there, we’ll be able to gather additional details and continue working on a solution for this issue.

    Thanks for your help!

    Thread Starter harryfear

    (@harryfear)

    I can’t reproduce in the latest version(s), only in 1.8.9.2.

    I believe the “wpforms[nonce]” input was being injected for logged-in users, yes (and possibly also non-logged-in users).

    It seems that if this input was present (b/c of mis-caching, for e.g.) that the request would fail even if it shouldn’t.

    Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @harryfear,

    Thanks for letting us know that you can reproduce the issue only in version 1.8.9.2.

    We recommend using our latest version (1.9.1.3) to avoid this issue.

    I apologize for the inconvenience caused by this issue, and if you need any further assistance with WPForms Lite, don’t hesitate to reach out.

    Thanks!

    Thread Starter harryfear

    (@harryfear)

    Thanks for your fast response.

    I can reproduce this in latest 1.9.1.2:
    • Set up a form with spam protection enabled
    • Log in as a WP admin
    • Change the hidden nonce value to an invalid value (e.g. 999)

    Expected behaviour: front-end user error or warning as nonce is invalid.
    Actual behaviour: no success message, no warning; just a silent failure.

    Notes:
    • Server responds: {"success":true,"data":{"confirmation":""}}
    • Screenshots:
    https://ibb.co/C0V8GFt
    https://ibb.co/nBxL3TP
    https://ibb.co/4P45vL6
    https://ibb.co/0q72XyJ
    https://ibb.co/QYw0nzB

    Production scenario explanation:
    In cases where a page/form would be privately cached (logged-in cache) the nonce could be expired but no warning is shown to the user. This is not acceptable. Examples: bulletin boards, WooCommerce sites, membership sites, intranets, etc.

    Background:
    This reproducible bug illustrates how silently failing on the front-end with no user warning can provide an unacceptable UX. However, as noted previously, we also had this for non-logged-in users in the past according to our logs, although the reproduction steps are not immediately available or understood yet.

    Suggested resolution:
    • The server should not send an empty success message when it is rejecting a nonce; there is no spam or security advantage in doing this. It just is bad UX and poor accessibility, too. The server should respond saying something like: “Security check failed. Please refresh this page or contact an administrator.”.
    • The client-side should trigger a custom event like wpforms_ajax_rejected (an additional suggestion).
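
Added example, not part of the thread and not WPForms code: a client-side guard that treats the reply quoted above (`success: true` with an empty `confirmation` and nothing to redirect to) as a failure the user must be told about. The `redirect_url` field name and the `hooks` object are assumptions; the fallback text and the `wpforms_ajax_rejected` event name are the ones suggested in the post above.

```javascript
// Added example, not WPForms code. `confirmation` and the success flag come from
// the response quoted in the thread; `redirect_url` is an assumed field name.
const FALLBACK_MESSAGE =
  'Security check failed. Please refresh this page or contact an administrator.';

// Decide what a parsed admin-ajax body actually means for the user.
function classifySubmitResponse(body) {
  if (body === null || typeof body !== 'object' || typeof body.success !== 'boolean') {
    return { outcome: 'malformed', notify: true };
  }
  if (!body.success) {
    return { outcome: 'rejected', notify: true };
  }
  const data = body.data !== null && typeof body.data === 'object' ? body.data : {};
  const text = (v) => (typeof v === 'string' ? v.trim() : '');
  if (text(data.redirect_url) !== '') return { outcome: 'redirect', notify: false };
  if (text(data.confirmation) !== '') return { outcome: 'confirmed', notify: false };
  // success:true with nothing to display or follow: the silent failure reported above.
  return { outcome: 'silent-failure', notify: true };
}

// Parse the raw reply, then warn the user and raise an event for anything
// that is not a real confirmation. `hooks` is a hypothetical integration point.
function handleSubmitResponse(rawText, hooks) {
  let body = null;
  try {
    body = JSON.parse(rawText);
  } catch (err) {
    body = null; // HTML error page, truncated reply, cached junk
  }
  const result = classifySubmitResponse(body);
  if (result.notify) {
    hooks.showMessage(FALLBACK_MESSAGE);
    hooks.emit('wpforms_ajax_rejected', result); // event name suggested in the thread
  }
  return result;
}

// Constructed sample replies; the first is the body quoted in the thread.
const SAMPLES = [
  '{"success":true,"data":{"confirmation":""}}',
  '{"success":true,"data":{"confirmation":"<p>Thanks!</p>"}}',
  '{"success":true,"data":{"redirect_url":"https://example.com/thank-you/"}}',
  '<html>502 Bad Gateway</html>',
];
const consoleHooks = {
  showMessage: (m) => console.log('  user sees:', m),
  emit: (name, detail) => console.log('  event:', name, detail.outcome),
};
for (const raw of SAMPLES) console.log(raw, '->', handleSubmitResponse(raw, consoleHooks).outcome);
```

Logging the `silent-failure` outcome separately from `rejected` gives a count of how often the server reports success without a usable confirmation.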

    Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @harryfear,

    Thanks for sharing all the details!

    I’ve passed this information along to the development team, and we’ll notify you when an update fixing this issue is released.

    Thanks again for reporting this, and if I can assist with anything else, please feel free to let me know!

    Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @harryfear,

    Thanks for your patience on this!

    I’d like to let you know that the issue of not displaying an alert when the nonce has an invalid value will be fixed with WPForms Lite 1.9.2.

    I’ll send you an update as soon as the new version is released.

    Thanks!
