Contact Form 7 Bypass Solution
-
Hi Jeff,
Happy holidays ??You know that thing when “a new problem” occurs and googling directs to your own post / writing lol?
related topics:
https://www.ads-software.com/support/topic/contact-form-7-non-sending-emails/
https://www.ads-software.com/support/topic/contact-form-7-dont-work-with-disabled-rest-api/Yeah, I noticed in error logs that CF7 failed, and given the errors, this plugin was the main suspect. It was 1.5 years ago when I fixed this with a patch, and you should just ask me what it was back then (haven’t noticed further topics and conversations), because it was a very simple patch.
I didn’t originally post a solution here, because it was a very simple one, and I thought it would be added as an option in the plugin’s settings, because not everyone needs / wants it (e.g. CF7 is not used by everyone).
Problem: CF7 not sending emails
jquery.min.js:2 POST https://.../wp-json/contact-form-7/v1/contact-forms/.../feedback 401 (Unauthorized) jquery.min.js:2 XHR failed loading: POST "https://.../wp-json/contact-form-7/v1/contact-forms/.../feedback". rest api response {"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}Solution is simple like this:
in function disable_wp_rest_api() change the line from:
if (!is_user_logged_in()) {to this:
if ( !is_user_logged_in() && empty($_POST['_wpcf7']) ) {It does not check any security tokens.
Hopefully, you’ll add this in the future, because with each update it stops working, and that could be very bad for many users, unless they apply this patch.
Thanks!
RegardsThe page I need help with: [log in to see the link]
-
I worked on some of it in the past, outside of the WP environment, but have no code laying around. I assume it would not have to go deep into the API architecture.
All you need to do, I guess, is make whitelists that accepts exceptions to your existing disabling code.
Like in this url:
https://yoursite.com/wp-json/wp/v2/service?token=regrth57u56guyc3fretwg4t3432@3ttc3t3tw
The variable elements here are ‘service’, which could be any API service, like Zapier, and the token. The url woudl be parsed before rendering if it connects to wp-json. You could make it so that only the combination of a specific service slug (and thus endpoint) and the token parameter is allowed access to the wp-json. You could make an option to make this more tight by whitelisting static IP adresses. And even more tight, to whitelist certain url parameters, used for querying the endpoint.
This gives an idea, not for this addition, but in general for creating ones own API plugin: https://webdesign.tutsplus.com/tutorials/how-to-use-the-wordpress-rest-api-a-practical-tutorial–cms-33566
And your plugin could be configured to whitelist the variable elements: endpoint url, token param, query url params and IP address. Individually, or combined.
Exactly. I would definitely also add the ip address and url query params as added options. Not necessarily for the big services, but it is a nice way to allow for safe communication between self-managed servers, or business to business data exchange.
Something like this should be in core, IMO. Like managing ports on a server. Only open what is needed (under controlled conditions), and keep the rest closed. Just allowing it all open with WP-json is bad for security, privacy and resources.
Weird about the link, yesterday it was an actual article, now it is redirected.
Good luck, and thanks for your plugin(s).
Just to follow up with the CF7 bypass, here is the deal. @darko-a7’s elegant solution works great, but also it makes it trivial for anyone to access REST API by simply sending a post variable. Most users would not want this vulnerability introduced. SO, instead I’ve created a simple plugin that you can install alongside Disable WP REST API (version 2.1 or better). Once activated, it enables CF7 to work properly sending emails. Learn more and download at Perishable Press.
- The topic ‘Contact Form 7 Bypass Solution’ is closed to new replies.
