Support » Plugin: Disable WP REST API » Contact Form 7 Bypass Solution

  • Resolved Darko A7

    (@darko-a7)


    Hi Jeff,
    Happy holidays 🙂

    You know that thing when “a new problem” occurs and googling directs to your own post / writing lol?

    related topics:
    https://wordpress.org/support/topic/contact-form-7-non-sending-emails/
    https://wordpress.org/support/topic/contact-form-7-dont-work-with-disabled-rest-api/

    Yeah, I noticed in error logs that CF7 failed, and given the errors, this plugin was the main suspect. It was 1.5 years ago when I fixed this with a patch, and you should just ask me what it was back then (haven’t noticed further topics and conversations), because it was a very simple patch.

    I didn’t originally post a solution here, because it was a very simple one, and I thought it would be added as an option in the plugin’s settings, because not everyone needs / wants it (e.g. CF7 is not used by everyone).

    Problem: CF7 not sending emails

    jquery.min.js:2 POST https://.../wp-json/contact-form-7/v1/contact-forms/.../feedback 401 (Unauthorized)
    jquery.min.js:2 XHR failed loading: POST "https://.../wp-json/contact-form-7/v1/contact-forms/.../feedback".
    
    rest api response
    {"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

    Solution is simple like this:

    in function disable_wp_rest_api() change the line from:

    if (!is_user_logged_in()) {

    to this:

    if ( !is_user_logged_in() && empty($_POST['_wpcf7']) ) {

    It does not check any security tokens.

    Hopefully, you’ll add this in the future, because with each update it stops working, and that could be very bad for many users, unless they apply this patch.

    Thanks!
    Regards


Viewing 15 replies - 16 through 30 (of 42 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Try again..

    Just to follow up with the CF7 bypass, here is the deal. @darko-a7’s elegant solution works great, but also it makes it trivial for anyone to access REST API by simply sending a post variable. Most users would not want this vulnerability introduced. SO, instead I’ve created a simple plugin that you can install alongside Disable WP REST API (version 2.1 or better). Once activated, it enables CF7 to work properly sending emails. Learn more and download at Perishable Press.
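    The difference Jeff points to above (an exemption chosen by the client via a POST field, versus one decided by the server from the requested route), as an added PHP example that is not code from Disable WP REST API, from CF7, or from either poster. The filter name rest_pre_dispatch is core WordPress; the function names are mine, and the CF7 route pattern is taken from the 401 error shown in the opening post.

```php
<?php
// Added example, not code from Disable WP REST API, CF7, or either poster.
// Assumptions: WordPress 4.7+ REST server; the CF7 submission route is the
// one visible in the 401 above (contact-form-7/v1/contact-forms/{id}/feedback).

// Weak gate (the patch from the opening post, wrapped in a function): the
// exemption is controlled by the client, so any anonymous request carrying a
// _wpcf7 POST field reaches every REST route, not just the CF7 one.
// Shown for comparison only; it is never registered below.
function weak_rest_gate( $result ) {
    if ( ! is_user_logged_in() && empty( $_POST['_wpcf7'] ) ) {
        return new WP_Error( 'rest_login_required',
            'REST API restricted to authenticated users.', array( 'status' => 401 ) );
    }
    return $result;
}

// Hardened gate: the decision is keyed on the route the server resolved from
// the URL, and only CF7's feedback route is exempted. A caller cannot widen
// the exemption by adding form fields to the request body.
function cf7_feedback_route_allowed( $route ) {
    return (bool) preg_match( '#^/contact-form-7/v1/contact-forms/\d+/feedback/?$#', $route );
}

function hardened_rest_gate( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result; // another filter already answered, or the user is authenticated
    }
    if ( 'POST' === $request->get_method()
        && cf7_feedback_route_allowed( $request->get_route() ) ) {
        return $result; // anonymous CF7 submission: CF7's own handler validates the form
    }
    return new WP_Error( 'rest_login_required',
        'REST API restricted to authenticated users.', array( 'status' => 401 ) );
}

// rest_pre_dispatch passes the WP_REST_Request, so the route is available here.
add_filter( 'rest_pre_dispatch', 'hardened_rest_gate', 10, 3 );
```

    The hardened gate still leaves the feedback route reachable anonymously, which CF7 requires; every other route stays behind the login check regardless of what the request body contains.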

    Thread Starter Darko A7

    (@darko-a7)

    Probably you triggered some automated security system. My account was once disabled because of different IPs used to access my account. Contact support and explain the problem; it will be resolved.

    Plugin Author Jeff Starr

    (@specialk)

    Yeah I’m sure it’s something like that. I tried reposting and it says “held for moderation”. So will wait a day or so before contacting support. Until then, you can find the same infos on the plugin homepage.

    Basically your solution would allow anyone to bypass by simply including a POST variable. So decided to go an alternate route.

    Thread Starter Darko A7

    (@darko-a7)

    Hi Jeff, I see that you’ve added a filter in 2.1.

    Well, that’s fine if a user uses their own theme (as I do), but in case they don’t, adding a filter hook in a theme file will get overwritten, and many don’t [know how to] use child themes, so… adding an extra plugin for custom filters and hooks… you get the point 🙂

    re: (your latest post)

    Yeah, couldn’t contact CF7 author about including nonce token to make it more secure.

    Plugin Author Jeff Starr

    (@specialk)

    Hi Darko A7, please re-read the post section I linked to (titled “How to allow access for Contact Form 7”).. you can download a free simple plugin that will take care of it 🙂

    Thread Starter Darko A7

    (@darko-a7)

    I see it now, thanks!

    Thread Starter Darko A7

    (@darko-a7)

    Basically your solution would allow anyone to bypass by simply including a POST variable. So decided to go an alternate route.

    Hmm, maybe I’m reading your code wrong, but I don’t see any extra security in disable-wp-rest-api-cf7.php file?

    To be honest, I *hate* the fact CF7 uses the API for that 🙁
    I’ll now open issue at CF7 support forum and link it to here.

    done:
    https://wordpress.org/support/topic/rest-api-dependency-necessary/

    Plugin Author Jeff Starr

    (@specialk)

    Hmm, maybe I’m reading your code wrong, but I don’t see any extra security in disable-wp-rest-api-cf7.php file?

    There doesn’t need to be. Only people using CF7 can optionally employ your suggested technique by installing the addon plugin. All other users will not be affected, will have the same functionality as before.

    Plugin Author Jeff Starr

    (@specialk)

    Btw for a contact form that doesn’t require any REST API access, check out Contact Form X. It’s super lightweight and Ajax-powered. Full disclosure: I am the author of CFX 🙂

    Thread Starter Darko A7

    (@darko-a7)

    Ah, got it!
    I thought something else entirely 🙂

    Thread Starter Darko A7

    (@darko-a7)

    Personally, I think you could add a simple settings option for this; having another plugin with effectively 2 lines of code sounds overkill. 🙂

    Plugin Author Jeff Starr

    (@specialk)

    They are removing/moderating my comments again 🙁

    Try again:

    Btw for a contact form that doesn’t require any REST API access, check out Contact Form X. It’s super lightweight and Ajax-powered. Full disclosure: I am the author of CFX 🙂

    Link omitted because I think that’s why the comment is moderated. You can find it in the Plugin Directory, search for “Contact Form X” (about halfway down on the page, lol).

    Plugin Author Jeff Starr

    (@specialk)

    Personally, I think you could add simple settings option for this, having another plugin with effectively 2 lines of code sounds overkill.

    The plugin does not include any settings code, instead it is kept as lightweight as possible with no settings required. Adding all the settings API code just for CF7 does not make sense.

    Thread Starter Darko A7

    (@darko-a7)

    Well, CF7 is just one plugin I happen to use and know that depends on the API, but I only use a handful of them; there are likely others, and you always have to think about a future-proof solution in advance. Imagine having 10 additional plugins for filters alone 🙂

    Plugin Author Jeff Starr

    (@specialk)

    I hope this reply makes it through… they have moderated or removed around five of my comments on this thread. In any case, worth a try to respond..

    Imagine having 10 additional plugins for filters alone

    Yeah I thought of that while working on a suitable solution. It’s a balance, trade-off between keeping the plugin lightweight/simple, and yet as widely usable as possible. So far, after years of developing this plugin, you are the only person to mention CF7 or any other plugin that should be allowed access.
