Resolved: Bozz (@bozzmedia)


    This error repeats in the console when viewing any page in the wp admin for me recently. Anyone else?

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://safe-load.gotmls.net/report.php?ver=4.18.63&attack[]=FW__fs_blog_admin&SERVER_REMOTE_ADDR=97.120.108.250&SERVER_HTTP_HOST=redacted.org&SERVER_REQUEST_URI=%2Fwp-admin%2Fadmin-ajax.php%3F_fs_blog_admin%3Dtrue&SERVER_HTTP_REFERER=https%3A%2F%redacted.org%2Fwp-admin%2Fadmin.php%3Fpage%3DWordfenceScan&SERVER_HTTP_USER_AGENT=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A66.0%29+Gecko%2F20100101+Firefox%2F66.0. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Viewing 4 replies - 1 through 4 (of 4 total)
    Turns out this plugin was blocking most of my backend requests. Very interesting. Haven’t run into this before with GOTMLS and it really surprised me this was the culprit.

    The site was not operating properly, including not allowing the saving of any settings, removal of plugins, etc. Deactivating was the solution.

    Plugin Author Eli

    (@scheeeli)

    Thanks for reporting this. I would like to verify that this was isolated to a single Firewall rule violation and confirm that it was due to a vulnerability in another plugin.

    First, you would only need to disable the “False blog_admin” Protection in the Firewall Options to suspend this odd behavior; it is not necessary to deactivate the whole GOTMLS plugin.

    More important is that this firewall rule is in place to stop the known exploit of a plugin called “WP Cost Estimation & Payment Forms Builder”. This plugin can be exploited and used by anyone (even a non-authenticated user) to upload and execute PHP code. This particular firewall rule prevents this exploit, but it may interfere with the functionality of this vulnerable plugin as well.

    If you are willing to help me get to the bottom of this then I would like to work with you to verify the deficiencies and improve this firewall rule.

    Can you please confirm if you have the WP Cost Estimation & Payment Forms Builder plugin installed on this site?

    Also, would you be willing to re-activate the GOTMLS plugin and then disable the False blog_admin Protection in the Firewall Options to make sure that everything works as expected?

    Thanks for the quick response and support!

    I responded via email, happy to help test further.

    Plugin Author Eli

    (@scheeeli)

    Ok, got your email, thanks for confirming that deactivating the “false blog admin” protection in the firewall restored the full functionality and there are no more CORS errors.

    It looks like this protection might interfere with any plugin that uses the 3rd-party “Freemius class” that has not been since before 2016.

    I am trying to find a good way to locate this class in plugins and determine in which ones this exploit is still a vulnerability.

    Please let me know if you can figure out which of your plugins uses this Freemius class.
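As an added example, not code from the GOTMLS plugin, Freemius, or anyone in this thread: a small scanner for the check Eli says he is looking for, walking a wp-content/plugins directory for bundled Freemius SDK copies and reporting each plugin's SDK version. It assumes the SDK's start.php assigns $this_sdk_version (an assumption about the SDK layout); the plugin tree it scans is constructed in a temp dir, and the 2.0.0 threshold is a placeholder, not the real fixed version.

```python
"""Find bundled Freemius SDK copies under a WordPress plugins directory."""
import os
import re
import tempfile

# Assumption (not stated in the thread): a bundled Freemius SDK ships a start.php
# that assigns $this_sdk_version = 'X.Y.Z'; that string is what we key on.
VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*['\"]([\d.]+)['\"]")

def find_freemius_sdks(plugins_dir):
    """Return sorted (plugin_slug, relative start.php path, sdk_version) tuples."""
    found = []
    for root, _dirs, files in os.walk(plugins_dir):
        if "start.php" not in files:
            continue
        path = os.path.join(root, "start.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
        if match:  # a start.php without the version string is not Freemius
            rel = os.path.relpath(path, plugins_dir)
            found.append((rel.split(os.sep)[0], rel, match.group(1)))
    return sorted(found)

def version_tuple(ver):
    return tuple(int(p) for p in ver.split("."))

def older_than(sdks, threshold):
    """Subset of find_freemius_sdks() output whose SDK is below `threshold`."""
    return [s for s in sdks if version_tuple(s[2]) < version_tuple(threshold)]

def build_sample_tree():
    """Constructed plugin tree (not a real site) so the script runs stand-alone."""
    base = tempfile.mkdtemp()
    layout = {
        "old-estimator/freemius/start.php": "<?php\n$this_sdk_version = '1.2.1';\n",
        "newer-plugin/vendor/freemius/start.php": "<?php\n$this_sdk_version = '2.4.2';\n",
        "no-freemius/start.php": "<?php\n// unrelated bootstrap, no SDK version\n",
    }
    for rel, body in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    # Point find_freemius_sdks() at a real wp-content/plugins directory instead.
    for slug, rel, ver in find_freemius_sdks(build_sample_tree()):
        print(f"{slug}: {rel} (Freemius SDK {ver})")
```

Plugins listed by older_than() are the ones to check against the vendor's changelog before deciding whether the firewall rule or the plugin needs adjusting.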

The topic ‘CORS error’ is closed to new replies.