harryfear
Forum Replies Created
-
We have pushed manual updates to the client-side JavaScript to address these bugs, as after 26 days of waiting we still haven’t received helpful support from the plugin staff.

Blocking script execution until geolocation is complete
Now, we wait for geolocation to complete before illegally invoking 3rd Party scripts.

Geolocation too aggressive
To improve performance so that geolocation doesn’t have to occur on every page load, we set a conservatively-timed acceptance cookie to prevent unnecessary server load.

If anyone wants to see our codebase changes (main.js), please reach out.

Great news. Thanks for the update!
Wonderful news. Thank you so much!
Superb! Thanks to the team!
Wonderful news, Ralden! Thank you!
Thanks for your fast response.
I can reproduce this in latest 1.9.1.2:

- Setup form with spam protection enabled
- Login as a WP admin
- Change the hidden nonce value to an invalid value (e.g. 999)

Expected behaviour: front-end user error or warning as nonce is invalid.
Actual behaviour: no success message, no warning; just a silent failure.

Notes:
- Server responds: {"success":true,"data":{"confirmation":""}}
- Screenshots:
https://ibb.co/C0V8GFt
https://ibb.co/nBxL3TP
https://ibb.co/4P45vL6
https://ibb.co/0q72XyJ
https://ibb.co/QYw0nzB

Production scenario explanation:
In cases where a page/form would be privately cached (logged-in cache) the nonce could be expired but no warning is shown to the user. This is not acceptable. Examples: bulletin boards, WooCommerce sites, membership sites, intranets, etc.

Background:
This reproducible bug illustrates how silently failing on the front-end with no user warning can provide an unacceptable UX. However, as noted previously, we also had this for non-logged-in users in the past according to our logs, although the reproduction steps are not immediately available or understood yet.

Suggested resolution:
- The server should not send an empty success message when it is rejecting a nonce; there is no spam or security advantage in doing this. It just is bad UX and poor accessibility, too. The server should respond saying something like: “Security check failed. Please refresh this page or contact an administrator.”.
- The client-side should trigger a custom event like wpforms_ajax_rejected (an additional suggestion).

I can’t reproduce in the latest version(s), only in 1.8.9.2.
I believe the “wpforms[nonce]” input was being injected for logged-in users, yes (and possibly also non-logged-in users).
It seems that if this input was present (b/c of mis-caching, for e.g.) that the request would fail even if it shouldn’t.
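The bug report above describes a response of `{"success":true,"data":{"confirmation":""}}` being treated as a silent no-op, and suggests a user-visible message plus a `wpforms_ajax_rejected` event. The block below is an added example (not WPForms' code and not posted by anyone in this thread) of client-side handling that never fails silently: a `success:true` body with nothing to show is treated as a rejection, a server-supplied `data.message` is preferred when present, and the browser wiring fires the suggested event. The `redirect_url` and `message` fields, the hook names, and `browserHooks` are assumptions for illustration.

```javascript
// Added example (not WPForms' own code, not from any reply in this thread):
// a client-side handler for the AJAX submission response that refuses to
// fail silently. The response shape {success, data:{confirmation}} is the one
// quoted in the bug report; "redirect_url", "message" and the event name
// "wpforms_ajax_rejected" are assumptions taken from the suggested resolution.

const FALLBACK_MESSAGE =
  'Security check failed. Please refresh this page or contact an administrator.';

// Decide what the client should do with a parsed JSON response body.
// Returns {status: 'redirect'|'confirmation'|'error', ...}.
function classifyResponse(body) {
  if (!body || typeof body !== 'object') {
    // Non-JSON or empty body: treat as a rejection, never as success.
    return { status: 'error', message: FALLBACK_MESSAGE };
  }
  const data = body.data && typeof body.data === 'object' ? body.data : {};

  if (body.success === true) {
    if (typeof data.redirect_url === 'string' && data.redirect_url !== '') {
      return { status: 'redirect', url: data.redirect_url };
    }
    if (typeof data.confirmation === 'string' && data.confirmation.trim() !== '') {
      return { status: 'confirmation', html: data.confirmation };
    }
    // success:true with nothing to show is the silent-failure case from the
    // report: surface it to the user instead of doing nothing.
    return { status: 'error', message: FALLBACK_MESSAGE };
  }

  const message = typeof data.message === 'string' && data.message !== ''
    ? data.message
    : FALLBACK_MESSAGE;
  return { status: 'error', message };
}

// Route the classified result to the caller's hooks. `hooks` is an object
// with onRedirect(url), onConfirmation(html) and onRejected(message, body).
function handleSubmitResponse(body, hooks) {
  const result = classifyResponse(body);
  if (result.status === 'redirect') {
    hooks.onRedirect(result.url);
  } else if (result.status === 'confirmation') {
    hooks.onConfirmation(result.html);
  } else {
    hooks.onRejected(result.message, body);
  }
  return result;
}

// Browser wiring (assumed DOM; not exercised outside a page): show the error
// next to the form and fire the suggested custom event for site code to hook.
function browserHooks(formEl) {
  return {
    onRedirect: (url) => { window.location.assign(url); },
    onConfirmation: (html) => { formEl.insertAdjacentHTML('afterend', html); },
    onRejected: (message, body) => {
      const box = document.createElement('div');
      box.setAttribute('role', 'alert'); // announced by screen readers
      box.textContent = message;          // textContent, not innerHTML
      formEl.insertAdjacentElement('afterend', box);
      document.dispatchEvent(new CustomEvent('wpforms_ajax_rejected', {
        detail: { form: formEl, message, response: body },
      }));
    },
  };
}

// Usage in a page, assuming `form` is the form element and `res` a fetch Response:
//   res.json().then((body) => handleSubmitResponse(body, browserHooks(form)));
```

The rejection path renders the message with `textContent` rather than `innerHTML` so that a server-supplied string cannot inject markup, and `role="alert"` addresses the accessibility point raised in the report.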
Hello!
This has only affected non-logged-in users.
Any updates on this?
For now, we’ve disabled all WPForms spam settings to off and are now relying on Akismet.
After additional testing, another related issue/bug:
Even with “Store spam entries in the database” turned on, these “Fail Silently” nonce-failing submissions don’t get saved under Spam in the entries database.
Kenneth (@kmacharia), just to loop back. The issue effectively hasn’t been resolved as the nonce check is still subject to an 11-22 hour timespan with the:
<input type="hidden" name="wpforms[nonce]">
What’s worse; there appears to be no graceful handling of an expired nonce submission on the server or client side.
I was able to reproduce this issue by modifying the value of the nonce:
<input type="hidden" name="wpforms[nonce]" value="bde3c1cbaf">
We already faced an issue like this before in May but it was meant to have been fixed?
https://www.ads-software.com/support/topic/anti-spam-feature-disaster-in-production/#post-17830570
This is really poor UX. There should be a client-side handling of this and an error message at least!
Can we urgently get a fix and even a JavaScript event to plug into?
Thanks for your fast reply.
Yes, in the case of an on-page message, we’d expect the HTML to be delivered over admin-ajax.
However, in our case, on this form in question, we are expecting a redirect URL to be received and processed by the client side for relocation. (Hence my thank-you page reference.)
I don’t believe we have an active license at this time:
Diagnostic info:
https://cryptobin.co/b4u3g1e0
Open: wpforms

That version seems to solve the problem. Thank you.
Do I wait for the official fix in the next public release? 2.9.9?

Thanks; this doesn’t seem to solve the problem.
Post SMTP Version 2.9.8
Post SMTP Pro Version 1.1.1 (Beta Gdrive)

Or is the free version meant to be disabled?