• Resolved jcbecode

    (@jcbecode)


    Hi,

    I have a customer who uses the “advanced custom field” plugin. Sometimes he is embedding content from other social media websites (for example instagram). When he is embedding the content he has to insert a <script> from this specific website (www.instagram.com/embed.js). This action triggers the following popup:


    Background Request Blocked
    Wordfence Firewall blocked a background request to WordPress for the URL somedomain.com/wp-admin/admin-ajax.php. If this occurred as a result of an intentional action, you may consider allowlisting the request to allow it in the future.

    The manual whitelisting doesn’t work, it’s only whitelisting the request for this exact ACF field. The learning mode is also only whitelisting this action for this specific ACF field.
    Is there some way to whitelist a <script> to prevent this popup?

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jcbecode, thanks for getting in touch!

    We don’t currently permit wildcards in the Allowlisted URLs created either manually or via Learning Mode. This sounds to me like a case where each unique submission would need to be allowlisted (in other words, Learning Mode would have to be turned on whenever they update) as a rule will always catch it.

    It could be worth checking the rule blocking this, just in case it’s specific to the ACF plugin. However, disabling a general XSS blocking rule wouldn’t be recommended in case of a real threat in future. It might be possible to find a dedicated Instagram plugin/add-on that will insert images into the required site pages. Another alternative may be using ACF for the URL part only, and inserting the <script> tags into the page template where they’ll be displayed instead, so they’ll only need to be allowed once.

    Thanks,
    Peter.
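One way to implement the last suggestion above (store only the post URL in ACF, keep the embed `<script>` in the theme). This is an added example, not code from the thread, from Wordfence or from ACF; it assumes an ACF URL field named `instagram_post_url` on the post, and the script handle `instagram-embed` and the `example_` function names are placeholders. Because the editor submission then contains a plain URL and no script markup, the firewall's XSS rule has nothing to match, so nothing needs allowlisting on each edit.

```php
<?php
// Added example (not from the thread, Wordfence or ACF): keep only the
// Instagram post URL in an ACF field and emit the embed <script> from the
// theme, so no <script> text is ever submitted through admin-ajax.php.
//
// Assumptions: an ACF URL-type field named 'instagram_post_url' exists on
// the post; this code lives in the theme's functions.php or a small plugin.
// The field name, the script handle and the example_ prefix are placeholders.

// Accept only https URLs on instagram.com whose path is a post permalink.
// Validating host and path here means a stray value in the field cannot turn
// into an arbitrary third-party link or script source on the page.
function example_valid_instagram_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( 'https' !== strtolower( $parts['scheme'] ) ) {
        return false;
    }
    $host = strtolower( $parts['host'] );
    if ( ! in_array( $host, array( 'instagram.com', 'www.instagram.com' ), true ) ) {
        return false;
    }
    // Post permalinks look like /p/<shortcode>/ or /reel/<shortcode>/ (assumption).
    return isset( $parts['path'] )
        && (bool) preg_match( '#^/(p|reel)/[A-Za-z0-9_-]+/?$#', $parts['path'] );
}

// Enqueue embed.js once, only on singular views that carry a valid URL.
function example_enqueue_instagram_embed() {
    if ( ! is_singular() ) {
        return;
    }
    $url = get_field( 'instagram_post_url', get_queried_object_id() ); // ACF API
    if ( ! $url || ! example_valid_instagram_url( $url ) ) {
        return;
    }
    wp_enqueue_script(
        'instagram-embed',                    // placeholder handle
        'https://www.instagram.com/embed.js', // the script the poster had to paste
        array(),
        null,                                 // no version query string
        true                                  // load in the footer
    );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_instagram_embed' );

// Template tag: print the placeholder markup that embed.js upgrades into the
// embed. The data-instgrm-permalink attribute mirrors Instagram's own embed
// snippet (check it against their current embed code). esc_url() escapes the
// stored value on output.
function example_the_instagram_embed() {
    $url = get_field( 'instagram_post_url', get_queried_object_id() );
    if ( ! $url || ! example_valid_instagram_url( $url ) ) {
        return;
    }
    printf(
        '<blockquote class="instagram-media" data-instgrm-permalink="%1$s"><a href="%1$s">%1$s</a></blockquote>',
        esc_url( $url )
    );
}
```

In the template, call `example_the_instagram_embed()` where the post should appear. The editor only ever saves a URL, the validation runs on output as well as the trusted script tag living in theme code rather than in post content, and the one-time check is simply that the theme file loads.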

  • The topic ‘XSS false positive in ACF content’ is closed to new replies.