RSVP blocks requests to admin-ajax.php

  • Resolved aucwebm

    (@aucwebm)


    1 week, 2 days ago

    Hi

    When I try to login with 2FA activated, the secondary login page (where I usually enter the generated 2FA code) is not displayed anymore. The issue started after installing and activating the RSVP plugin. When I remove the RSVP plugin, the 2FA page is displayed as desired.

    I’m using the plugin wordfence to handle the 2FA codes and have been in touch with them. They identified, that POST requests to admin-ajax.php are being blocked (reply is You do not have sufficient permissions to access this page.). I’ve been able to confirm that this is the indeed the issue in combination with the RSVP plugin.

    I’m using PHP version 8.3 and run wordpress 7.0.

    I have two possible ideas for workarounds, but would like to know if you are aware of this issue or even already have a solution? In my personal opinion, I think that admin-ajax.php has to be whitelisted more explicitly in your code.

    Thank you for your feedback and best regards.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter aucwebm

    (@aucwebm)

    1 week, 2 days ago

    I’ve found the root cause using AI in the file class-rsvp-helper.php. Here is the output of the anlysis:
    The real bug is this line in the constructor:

    add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );

    Why this is fatal:

    admin_init runs on:

    • ✅ wp-admin pages
    • admin-ajax.php
    • login / 2FA AJAX calls

    But those functions start with:

    if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( 'You do not have sufficient permissions...' );
}

    👉 During Wordfence 2FA, the user:

    • is not fully authenticated yet
    • has no capabilities
    • AJAX runs under admin context

    ➡️ Result:

    • RSVP kills the request
    • Wordfence 2FA never completes
    • Login fails

    Root cause confirmed.

    ✅ Correct fix (clean, safe, minimal)

    You must prevent these admin_init hooks from running during AJAX.

    Edit class-rsvp-helper.php
    Wrap the three admin_init handlers with an AJAX guard. 🔧 Replace this:

    add_action( ‘admin_init’, array( $this, ‘bulk_delete_attendees’ ) );
    add_action( ‘admin_init’, array( $this, ‘bulk_delete_questions’ ) );
    add_action( ‘admin_init’, array( $this, ‘rsvp_admin_export’ ) );

    ✅ With this:

    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
    add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
    add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
    add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );
}

    ✅ Why this fix is correct

    • ✅ RSVP admin functionality still works
    • ✅ Bulk delete / export still protected
    • ✅ Wordfence 2FA AJAX is untouched
    • ✅ No security regression
    • ✅ No behavior change for normal admins

    This is exactly how modern plugins should scope admin_init logic.

    Alternative (slightly more verbose, also correct)

    Instead of guarding the hooks, guard inside each function:

    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
    return;
}

    Add at the top of:

    • bulk_delete_attendees()
    • bulk_delete_questions()
    • rsvp_admin_export()

    But the hook-level fix above is cleaner.

    How to verify:

    1. Apply patch
    2. Enable RSVP plugin
    3. Enable Wordfence 2FA
    4. Open DevTools → Network
    5. Login

    admin-ajax.php returns 200
    ✅ No permission error
    ✅ 2FA screen appears
    ✅ Login succeeds

    Can you please confirm that using the correct fix above (wrapping the three admin_init handlers with an AJAX guard) doesn’t break the RSVP plugin? Thanks for your support.

    Plugin Author Teo Alex

    (@altesin)

    1 week, 1 day ago

    Hello @aucwebm ,

    Thank you for the detailed report and for reproducing this. We confirmed the issue on our end as well.

    You identified the root cause correctly. Your AJAX guard fix works, but we’ll go with a slightly different approach: adding an early-return check inside each function to verify the specific RSVP action is present before doing anything. This is more targeted and avoids silently disabling the hooks for all AJAX contexts.

    public function bulk_delete_attendees() {
    if ( ! isset( $_REQUEST['rsvp_action'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }
    // ...
}

    Same guard at the top of bulk_delete_questions() and rsvp_admin_export().

    We’ll release a fix tomorrow. Thanks again!

    Thread Starter aucwebm

    (@aucwebm)

    4 days, 22 hours ago

    Hi @altesin

    Thank you for your feedback. Today, I wanted to install the update, but it was apparently not available through wordpress plugin updates. Did you only update the paid version?

    Best regards.

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.