Resolved kayphoonstar

    (@kayphoonstar)


    I recently installed WF on a site using Events Made Easy. Now there are 403 errors every time a client tries to book an event. (WF ver. 6.1.14)

    On the traffic page in WF, it shows the following entry “blocked by firewall for XSS: Cross Site Scripting in POST body: eme_message. . .” each time someone has tried to book an event.

    I’ve had to disable XSS checking in the firewall in order to keep the site operational.

    Is there a way to whitelist the entire /events/ directory? Or some other way to avoid having the confirmation of booking page show only a “403 Forbidden” instead of the booking confirmation without entirely disabling XSS checking?

    Thanks!

    https://www.ads-software.com/plugins/wordfence/

Viewing 10 replies - 1 through 10 (of 10 total)
Hi kayphoonstar,
    I would suggest temporarily enabling “Learning Mode” (Wordfence > Firewall > Firewall Status). You can then use your plugin to create/book events; this should add these requests to the firewall’s whitelisted URLs, and you can revert the firewall setting to “Enable and Protecting” after that.

    Let me know how it goes,
    Thanks.

    Thread Starter kayphoonstar

    (@kayphoonstar)

    Thanks,

    While in learning mode, when someone books an event, a whitelist entry is created. If no one tries to book an event, it isn’t whitelisted. It is, in fact, possible to whitelist each event individually but it isn’t really feasible for the person who is creating these events to add a new whitelist entry for each event (10-15 new events per month, which are added regularly). I mean, I could do it *for* her but . . .

    Is there any way of using url wildcards in the whitelist options? That would probably be the only option for the site in question.

    I read about an earlier report of an XSS vulnerability in this plugin (EME) but I understood it had been fixed.

    Thank you for any further input.

    K

While “Enable and Protecting” is activated and these requests are being blocked, please go to (Wordfence > Live Traffic) and set “Filter Traffic” to “Blocked By Firewall”. This will list all requests blocked by the firewall; from there you can click on “Whitelist param from Firewall”.

    BTW, do you have “Monitor Background Requests for False Positives” enabled under (Wordfence > Firewall)?

    Thanks.

    Thread Starter kayphoonstar

    (@kayphoonstar)

Thank you. Yes, “Monitor Background Requests for False Positives” is enabled. I’ve used “Whitelist param from Firewall”. However, the page is only listed under “Blocked By Firewall” after a customer has been blocked after entering their info and seeing “403 Forbidden: A potentially unsafe operation has been detected in your request to this site” – which is not optimal. Also, the booking is actually entered in the database, but the customer never sees the confirmation page and the confirmation/notification emails aren’t sent.

    The problem is that, in “Events Made Easy”, each Class/Event is a different url, i.e., “/events/1111/the-name-of-the-event” & “/events/1112/name-of-another-event”, etc. As new classes are added, they must be added to the whitelist individually.

Please help me reproduce this issue. I installed the plugin, then enabled RSVP for one event; after that I opened an incognito browser window and managed to fill in the form without getting blocked by the firewall.

    It will be helpful if you can share one of your pages here, or let me know how I can reproduce this issue.

    Thanks.

    Thread Starter kayphoonstar

    (@kayphoonstar)

    Thank you for sticking with me on this. I did a little more digging into the problem and found the following.

    EME allows ‘templates’ for ‘booking recorded’ and it turns out that the template that was created includes this:

    <style>#preview, #preview_2{display:none;} p#eme_mark_required_field {display:none;}#cpr_aed{display:none}</style>

    That code is in place to (obviously) hide various elements from the confirmation display. That is apparently the culprit – not the plugin itself.

    Might there be a better way to include this markup?

    Thread Starter kayphoonstar

    (@kayphoonstar)

    Just to confirm, the problem has been resolved by removing the style tag and the topic can be closed. I would like to know, though, if there’s a better/alternate way of including a piece of code like that or if it’s just ‘bad practice’ (?)

    Thanks again,

    K

    Hi,
There is a long debate in the SEO world about whether hiding elements using CSS is considered bad practice or not; check this answer on the Google Webmaster Forum.

But I suggest using a plugin like “Simple Custom CSS” to add your custom CSS to your theme/plugins.

    Glad to know you managed to fix this issue.
    Thanks.

I do have the same issue, but why should I remove the CSS? And if so, where do I find it?

    Thread Starter kayphoonstar

    (@kayphoonstar)

In my case, there was a <style></style> block in the event RSVP form template. I believe that what was required was to move the <style> tag out of the template and put the CSS directly into the theme’s style sheet.
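One way to carry out the fix described in the reply above (moving the CSS out of the form template and into the theme), as an added example that is not from this thread or from the Events Made Easy or Wordfence projects. It goes in the active theme’s functions.php and uses the WordPress core functions wp_enqueue_style and wp_add_inline_style; the selectors are the ones quoted earlier in the thread, and the style handle name is an assumption.

```php
<?php
// Added example (not code from the thread, Events Made Easy, or Wordfence).
// Print the rules that used to sit in an inline <style> tag inside the EME
// RSVP/booking template from the theme instead, so that they are emitted in
// <head> on the front end and are never part of the submitted booking form.
// Place in the active theme's functions.php (or a small site-specific plugin).

add_action( 'wp_enqueue_scripts', function () {
    // Handle name is an assumption; any unique string works. The theme's main
    // stylesheet is enqueued under it so inline rules can be attached to it.
    $handle = 'eme-booking-display-css';
    wp_enqueue_style(
        $handle,
        get_stylesheet_uri(),
        array(),
        wp_get_theme()->get( 'Version' )
    );

    // The selectors quoted in the thread: hide the preview boxes, the
    // "required field" note and the cpr_aed element on the confirmation view.
    $css = '#preview, #preview_2 { display: none; }'
         . ' p#eme_mark_required_field { display: none; }'
         . ' #cpr_aed { display: none; }';

    // WordPress prints this after the enqueued stylesheet as a <style> block
    // that is generated by the theme, not submitted in the eme_message field.
    wp_add_inline_style( $handle, $css );
} );
```

After adding this, remove the <style>…</style> block from the EME template itself. The POST body then carries only the booking fields, so the Wordfence XSS rule has no markup to match and XSS checking can stay enabled. If the theme already enqueues its stylesheet under its own handle, pass that handle to wp_add_inline_style instead of enqueuing it a second time.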

The topic ‘False positive using Events Made Easy Plugin’ is closed to new replies.