No Access to Settings – forbidden

Hi @d1plom4t

does this issue affect just the plugin’s settings or the other screens as well? Is that link in your bookmarks? Could you see if Slimstat is in your admin bar by any chance? If it is, you can put it back in the WP sidebar by going to Slimstat > Settings > General > WordPress Integration > Use Admin Bar (OFF).

Best,
Jason

Hi @coolmann

only the plugin’s settings are effected. Everything else works fine. Slimstat is in my admin bar (the top bar of the dashboard-screen).
Ich would like to toggle the sidebar method – but as stated, I can’t access the settings panel anymore.

Cheers, D1plo

Hi @d1plom4t,

you might be able to access the settings by changing the URL into:

/wp-admin/index.php?page=slimconfig

Let me know if that works,
Jason

That works, but saving the changes leads to wp-admin/admin.php?page=slimconfig&tab=1, which is forbidden. Changes not saving though…

Thanks for your efforts. Other ideas?

Not sure why this is happening, it sounds like a conflict with another plugin. If you have access to phpMyAdmin, could you please find the entry ‘slimstat_options’ in wp_options and send me its value to https://support.wp-slimstat.com ? I’ll send you back the value that you can use to replace it, and everything should go back to normal.

Jason

Hi, just want to let you know that this problem still persists. I have changed some SQL entries as a workaround – but this is no option for the future. I was hoping for an update.

I didnt mention: I am using your plugin on a network install with 6 subsites. Maybe there is a network related issue?

Please help, I would be glad to continue using your plugin?

Sincerly, D1plo

Hi @d1plom4t

is the menu still in the admin bar or did you manage to move it to the sidebar? Again, we have no other users who are experiencing this issue, and we haven’t been able to reproduce on any of our environments or clients’ environments (including multisite). Is the plugin network-activated?

Jason

Hi Jason,

finally I figured out a solution:
I am running PLESK with a “Web Application Firewall” or “modsecurity” which recorded this error (private information marked XXX):

[client 134.101…] ModSecurity: [file “/etc/httpd/conf/modsecurity.d/rules/custom/120_Apps_WPPlugin.conf”] [line “2893”] [id “77230791”] [rev “1”] [msg “IM360 WAF: CSRF vulnerability in Slimstat Analytics 4.7.8.3 plugin for WordPress||MVN:REQUEST_METHOD||MV:post||T:APACHE||PC:6440”] [severity “CRITICAL”] [tag “wp_plugin_wp_slimstat_analytics”] Access denied with code 403 (phase 2). String match “post” at REQUEST_METHOD. [hostname “XXX.de”] [uri “/wp-admin/admin.php”] [unique_id “XXX”], referer: https://xxx/wp-admin/

Disabling the Firewall allowed me to change the settings.

Thanks for your help. D1plo

• This reply was modified 5 years, 5 months ago by d1plom4t.

Hi Jason,

based on your replies, I managed to figure out a solution.
In PLESK I use “modsecurity” firewall which apparently blocked the access to the settings page.
Disabling modsecurity did the job – I was able to move slimstat to the sidebar. Works perfectly again.

Cheers, D1plo

Hi @d1plom4t,

nice find! I’m definitely going to add this to our knowledge base for future reference. I wonder what exactly was triggering the problem. Does mod_security give you a log of some kind to let you know why it blocked a given request?

Jason

The above snippet is the log. I was not able to find further reference.

Cheers, D1plo

Ok, gotcha.