Phil McKerracher

Good point, WordFence is hyperventilating a bit when calling it a “critical” vulnerability (not for the first time). I’m still looking for replacements though, because even though the scope is limited the severity is potentially high.

I’m guessing they don’t even monitor this forum, only support tickets from paying customers.

Quite a few other vulnerabilities already reported (and fixed) https://patchstack.com/database/vulnerability/woocommerce-jetpack

I’m guessing this vulnerability was reported by WordFence a month ago (because I’m seeing it on the free plan) and no action taken so far, so it’s not looking good.

Update: It seems the error message and the broken functionality were unrelated. The functionality wasn’t working because the contact I used to generate the API key was merged with another (due to a completely unrelated bug) and so the API key had to be updated.

There is another error here, though – the incorrect key was showing as “Validation successful” in Settings > CiviCRM Contact Form 7 Settings, but I can see in the access log that pressing the “Save changes and validate” button causes a 500 error:

2a01:7c8:d000:434::1 – – [30/Apr/2023:00:52:41 +0100] “POST /wp-json/civicrm/v3/rest?entity=System&action=get HTTP/1.1” 500 6552 “-” “-“

Thanks for the info. It’s going to take me a couple of hours to do that on all my sites. Where do I send the bill?

…but it comes back again the next time the cron runs.

If you hit “Synchronize with cloud” then “Save Changes” the warning goes away.

I generated the API keys using the “API Key Management” extension in CiviCRM. I think any contact in CiviCRM who is also a user in the host CMS with appropriate permissions can be used to generate the keys you need. I couldn’t quickly find a documentation link for this, sorry.

Just a quick update on the other issue (spinning progress indicator) – it appears a change to another plugin (“Contact Form 7 CiviCRM integration”) triggered this and I’ve found a workaround, so I will NOT bother raising a new issue for it. It was an entirely reasonable request, though. I’ll be in touch about the UI improvements sometime next week.

I think I’ve spotted a problemm, unfortunately. Forms are displaying and validating OK but when the “Submit” button is pressed, I don’t see the “thank you” message, just a circling progress indicator. If I disable the SG7 plugin the problem goes away.

The javascript console shows:

Objectcode: "invalid_json"message: "The response is not a valid JSON response."Prototype: Objectconstructor: ? Object()hasOwnProperty: ? hasOwnProperty()isPrototypeOf: ? isPrototypeOf()propertyIsEnumerable: ? propertyIsEnumerable()toLocaleString: ? toLocaleString()toString: ? toString()valueOf: ? valueOf()__defineGetter__: ? __defineGetter__()__defineSetter__: ? __defineSetter__()__lookupGetter__: ? __lookupGetter__()__lookupSetter__: ? __lookupSetter__()__proto__: (...)get __proto__: ? __proto__()set __proto__: ? __proto__()
(anonymous) @ index.js?ver=5.6.3:1

You can witness the issue at https://www.bromleysymphony.org/contact. Happy to give you an admin login.

Can I just say that although I haven’t had time for a thorough test, version 4.14.1 seems to be working really well for me so far, many thanks for your efforts.

Your efforts are greatly appreciated and from my point of view there’s no rush, this issue is not causing serious practical problems and I’d rather it worked reliably. This plugin is precious because it’s a key part of the jigsaw that allows complex forms to be built in WordPress without coding or an annual fee. (Depending on your definition of “complex” of course, which in my case includes CiviCRM interworking.)

Good point, I meant that at least the warning is shown (which it isn’t otherwise) but you’re correct that the submission is still accepted when it shouldn’t be. (And thanks for the screenshot!)

That’s strange – I just noticed that the field validation IS working with the latest version of CF7 and CF7 Grid, but only if a conditional group is triggered. You can try it at https://www.bromleysymphony.org/contact (leave the name field blank but select “I would like to join…”).

I’m not sure this information will help, but I thought I’d mention it anyway, because it surprised me. I can’t find any way to attach a screenshot here, sorry.