Sheddocksley Baptist Church

@jimtrue:

That is a confirmed fix combination: Pods 2.7.5 with CF 1.7.1.3 on WP 4.9.6 is now working. Thanks for assistance, issue resolved.

Tim

@jimtrue:
I will need to test – it was seemingly not yet visible to me at the time.
I will keep you posted, thanks.
Tim

• This reply was modified 6 years, 9 months ago by Sheddocksley Baptist Church.

@sc0ttkclark

Hi Scott,

A front end user gets a blank display with reported error 500 as the site (WP) is down.

If logged into Admin at the time of activation (crash) there is a friendlier error message produced by iThemes that details the get_home_path not being defined in usage of misc.php. The default file in latest. But Admin is otherwise also down – the combination crashes latest WP.

The exact URL does not matter as WP is down but it seems some iThemes plugin, possibly their security plugin is somehow catching and showing a fuller page message. Regular users don’t see that it only appears if logged in during crash and it then shows on any access.

Tim

• This reply was modified 6 years, 9 months ago by Sheddocksley Baptist Church.
• This reply was modified 6 years, 9 months ago by Sheddocksley Baptist Church.

I want to add as a “me too” on this issue.

Very serious incompatibility!

Combination of Pods and Caldera Forms (CF) in the latest 2.7.4 causes error 500 and reports get_home_path() not defined. Completely fatal.

CF also updated at same time, and they created a further update but incompatibility remains when used in combination.
An old version of iThemes Builder theme (child) may also contribute?
Scenario:
WP deployed in sub folder, not host root.
IThemes Builder (old)
Pods
CF

Disabling pods restores operation but breaks our site content, obviously.
Rolling back Pods to 2.7.3 and 2.7.2 does not fix in combination with latest CF.

Disabling CF and enabling Pods 2.7.4 is the least intrusive site content solution, for us, but obviously kills our forms usage.

Either plugin seems OK on own but is now fatal when used together as of yesterday update.

CF already released a further update but it seems insufficient on own – still broken since 2.7.4 release.

No issue prior to the latest updates to Pods and CF which came out together yesterday.

Awaiting your resolution.

Tim (on behalf Sheddocksley Baptist Church)

• This reply was modified 6 years, 9 months ago by Sheddocksley Baptist Church.

Just want to publicly thank @mikechallis for his continued responsiveness and willingness to address questions: excellent support!

We have deployed this latest update in combination with the WP-SpamShield plugin mentioned previously. We will monitor the situation.

We also use the WordFence plugin.

Any recommendations or experience from other parties remains of interest.

Tim

We also have default SendEmail set to WordPress and PHP Sessions in default unchecked.

Thanks
Tim

@pluginvulnerabilities,

Good to know and thanks for the confirmation. We have used the Fast secure Contact Form for many years so certainly hoped such an answer was possible.

However, personally, I have strong suspicion that some (other) exploit is present – it does seem too coincidental that such a wide expression of increased SPAM is reported in these forums than can all be attributed to “human” user origin? If this is the case I think it still suggests some kind of Semi-Automation of the process is occurring in order to produce the effect?

An example of one such attack on us was of Ukranian IP origin with the mail details claiming @mail.ru. These are common sources that I feel have an automated element – the sheer volume involved kind of makes the “human” aspect less credible?

Also, we are an inconsequential target in real terms it makes no sense as we are not “the big boys” to warrant any “personal” attention. It seems to be targeting some combination of software and WP platform – that all suggest “automation” and “bot” to me?

Thanks again.

Tim

@mikechallis,

We have also had a recent SPAM a increase problem, unfortunately containing a content most unsuitable for receipt in a “church context”. [Not that SPAM content is ever desirable.]

During my investigations into the issue I notice a couple of things:

1) You responded on another related thread about ability to soon use Google reCAPTCHA instead. Is your intent that this will be an alternate, full replacement of the Captcha feature?

2) I noticed the form is based around “SecureImage” Captcha, apparently, I believe, related to this: https://www.phpcaptcha.org/download/
Is it possible to update the scripts of that aspect alone, from the SecureImage OEM source? [Direct replacement?, or have you “tweaked” them (the PHP) for your usage?]
This is important because I notice the version included is your module appears to be old compared to the current 3.6.4, yours is only version 1.x? This is VERY important because older versions of this script are known to suffer from a Cross Site Scripting Vulnerability (XSS). Ref: https://www.redteam-pentesting.de/en/advisories/rt-sa-2016-002/-cross-site-scripting-in-securimage-3-6-2
As I notice the contents of the Captcha code in your distribution appear to be much older than this may make you vulnerable and possibly susceptible to bot attacks in an unanticipated way – will you update this to 3.6.4+?

We are now attempting to tackle the problem by turning OFF the current Captcha and instead deploying the WP-SpamShield plugin as it seems like a good solution and it claims compatibility with your plugin, and others. We will assess the effectiveness.

Any responses appreciated.

Tim
IT Admin on behalf of Sheddocksley Baptist Church

• This reply was modified 8 years, 2 months ago by Sheddocksley Baptist Church. Reason: Correct author contact reference