Support » Plugin: Better YOURLS » Security Error

  • I installed Contact Form 7 in my WordPress. However, when I add or edit my form, a “Security Error” popup appears and nothing gets saved. Upon scanning WordPress’s plugins folder, I found that this warning comes from Better YOURLS. Once I disable Better YOURLS, everything works fine again.

Viewing 4 replies - 1 through 4 (of 4 total)
  • I, too, am getting the “Security Error” message when creating a new post with certain custom post types. Disabling Better YOURLS resolves the issue.

    So far:

    • Advanced Ads
    • Chimpy

    Some advice on debugging this would be greatly appreciated.

    We are also getting this security error when trying to save an ad with Advanced Ads. After disabling Better YOURLS it works though.

    I ran this down.

    The problem is Better YOURLS does not know when it is unable to paint the META box on a particular admin post type page. When it is unable, the INPUT field does not exist. When the script calls wp_verify_nonce, the better_yourls_nonce $_POST var is bad (because it does not exist).

    On that condition, it throws an error. You will find this on about line #129 of class-better-yourls-actions.php. I resolved this by doing a return instead of die().

    protected function _generate_post_on_save( $post_id ) {

    		// Make sure we are originating from the right place.
    		if (
    			! isset( $_POST['better_yourls_nonce'] ) || // WPCS: input var ok.
    			! wp_verify_nonce( $_POST['better_yourls_nonce'], 'better_yourls_save_post' ) // WPCS: input var ok. Sanitization ok.
    		) {
    			return; // Do nothing.
    			// Original behaviour, now unreachable because of the return above.
    			wp_die( esc_html__( 'Security Error', 'better-yourls' ) );
    		}

    		// ... remainder of the method not shown in the post.
    }

    For some reason, the dev of YOURLS is evaluating if the $_POST var is set OR if wp_verify_nonce fails at the same time. This does not make sense. The latter test would always require the $_POST to be set. The dev should evaluate whether or not the $_POST is set, then, if it is, evaluate it using wp_verify_nonce; not both at the same time.

    • This reply was modified 4 years, 1 month ago by moongear.

    Confirming the security error…

    I use the plugin on a multisite (Yes, it works like a charm, Chris, tnx!). First I saw “Security Error” at the bottom of the “At a Glance” widget in the dashboard of the main site. The <div class="sub"></div> had disappeared too, or at least that section was not styled.

    I just updated a bunch of plugins and didn’t have time to look for the cause. Then I created a new site as a new user to test something and none of the admin screens were available in the new site…

    Then I found this topic, deactivated Better YOURLS: problem solved.

    Activating the plugin again, however, and creating another site, does not reproduce this error.

    Moongear, I don’t think it’s ok to resolve the error like this. You basically interrupt the validation, so yeah, it does not die. Yet I would assume it is not what causes the error, especially since the same method, with OR, can also be found in the codex.
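
The three situations discussed in this thread (nonce field absent because the meta box was never rendered, field present but invalid, field present and valid), as an added PHP sketch that is not part of any reply and is not Better YOURLS's own code. The helper names, the stand-in `wp_verify_nonce()` used when the script runs outside WordPress, and the sample requests are constructed for illustration.

```php
<?php
// Constructed stand-in so this sketch runs outside WordPress. Real nonces are
// tied to the user, session and time; this one only compares a fixed HMAC.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
	function wp_verify_nonce( $nonce, $action = -1 ) {
		// 'constructed-demo-key' is a made-up secret for the demo only.
		$expected = hash_hmac( 'sha256', (string) $action, 'constructed-demo-key' );
		return hash_equals( $expected, (string) $nonce ) ? 1 : false;
	}
}

/**
 * Classify a save request (hypothetical helper, not part of the plugin).
 *
 * 'skip'   field absent: the meta box was not on the form, so do nothing.
 * 'reject' field present but invalid: refuse the request.
 * 'save'   field present and valid: safe to run the plugin's save logic.
 */
function demo_classify_save_request( array $post ) {
	if ( ! isset( $post['better_yourls_nonce'] ) ) {
		return 'skip';
	}
	if ( ! wp_verify_nonce( $post['better_yourls_nonce'], 'better_yourls_save_post' ) ) {
		return 'reject';
	}
	return 'save';
}

// The combined check quoted in the thread, before the workaround: either failure ends in wp_die().
function demo_combined_check( array $post ) {
	if ( ! isset( $post['better_yourls_nonce'] ) || ! wp_verify_nonce( $post['better_yourls_nonce'], 'better_yourls_save_post' ) ) {
		return 'die';
	}
	return 'save';
}

// Constructed sample requests, one per situation.
$valid    = hash_hmac( 'sha256', 'better_yourls_save_post', 'constructed-demo-key' );
$requests = array(
	'other plugin form, no meta box' => array( 'post_title' => 'Ad #1' ),
	'meta box present, forged nonce' => array( 'better_yourls_nonce' => 'deadbeef' ),
	'meta box present, valid nonce'  => array( 'better_yourls_nonce' => $valid ),
);
foreach ( $requests as $label => $post ) {
	printf( "%-32s combined=%-4s split=%s\n", $label, demo_combined_check( $post ), demo_classify_save_request( $post ) );
}
```

In the `skip` case the sketch performs no save action at all, so nothing unverified is processed; only a submitted nonce that fails verification is treated as a rejected request.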

  • The topic ‘Security Error’ is closed to new replies.