Title: aucwebm's Replies | WordPress.org

---

# aucwebm

  [  ](https://wordpress.org/support/users/aucwebm/)

 *   [Profile](https://wordpress.org/support/users/aucwebm/)
 *   [Topics Started](https://wordpress.org/support/users/aucwebm/topics/)
 *   [Replies Created](https://wordpress.org/support/users/aucwebm/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/aucwebm/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/aucwebm/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/aucwebm/engagements/)
 *   [Favorites](https://wordpress.org/support/users/aucwebm/favorites/)

 Search replies:

## Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[RSVP and Event Management] RSVP blocks requests to admin-ajax.php](https://wordpress.org/support/topic/rsvp-blocks-requests-to-admin-ajax-php/)
 *  Thread Starter [aucwebm](https://wordpress.org/support/users/aucwebm/)
 * (@aucwebm)
 * [5 days, 2 hours ago](https://wordpress.org/support/topic/rsvp-blocks-requests-to-admin-ajax-php/#post-18936689)
 * Hi [@altesin](https://wordpress.org/support/users/altesin/)
 * Thank you for your feedback. Today, I wanted to install the update, but it was
   apparently not available through wordpress plugin updates. Did you only update
   the paid version?
 * Best regards.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[RSVP and Event Management] RSVP blocks requests to admin-ajax.php](https://wordpress.org/support/topic/rsvp-blocks-requests-to-admin-ajax-php/)
 *  Thread Starter [aucwebm](https://wordpress.org/support/users/aucwebm/)
 * (@aucwebm)
 * [1 week, 2 days ago](https://wordpress.org/support/topic/rsvp-blocks-requests-to-admin-ajax-php/#post-18931670)
 * I’ve found the root cause using AI in the file **class-rsvp-helper.php**. Here
   is the output of the anlysis:
   The **real bug is this line in the constructor**:
 *     ```wp-block-code
       add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
       add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
       add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );
       ```
   
 * Why this is fatal:
 * `admin_init` runs on:
    - ✅ wp-admin pages
    - ✅ **admin-ajax.php**
    - ✅ **login / 2FA AJAX calls**
 * But those functions **start with**:
 *     ```wp-block-code
       if ( ! current_user_can( 'manage_options' ) ) {
           wp_die( 'You do not have sufficient permissions...' );
       }
       ```
   
 * 👉 During **Wordfence 2FA**, the user:
    - is **not fully authenticated yet**
    - has **no capabilities**
    - AJAX runs under admin context
 * ➡️ Result:
    - RSVP kills the request
    - Wordfence 2FA never completes
    - Login fails
 * ✅ **Root cause confirmed.**
 * ✅ Correct fix (clean, safe, minimal)
 * You must **prevent these admin_init hooks from running during AJAX**.
 * Edit **class-rsvp-helper.php**
   Wrap the three admin_init handlers with an AJAX
   guard. 🔧 Replace this:
 * add_action( ‘admin_init’, array( $this, ‘bulk_delete_attendees’ ) );
   add_action(‘
   admin_init’, array( $this, ‘bulk_delete_questions’ ) );add_action( ‘admin_init’,
   array( $this, ‘rsvp_admin_export’ ) );
 * ✅ With this:
 *     ```wp-block-code
       if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
           add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
           add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
           add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );
       }
       ```
   
 * ✅ Why this fix is correct
    - ✅ RSVP admin functionality still works
    - ✅ Bulk delete / export still protected
    - ✅ Wordfence 2FA AJAX is untouched
    - ✅ No security regression
    - ✅ No behavior change for normal admins
 * This is **exactly how modern plugins should scope admin_init logic**.
 * Alternative (slightly more verbose, also correct)
 * Instead of guarding the hooks, guard inside each function:
 *     ```wp-block-code
       if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
           return;
       }
       ```
   
 * Add at the top of:
    - `bulk_delete_attendees()`
    - `bulk_delete_questions()`
    - `rsvp_admin_export()`
 * But the **hook-level fix above is cleaner**.
 * How to verify:
    1. Apply patch
    2. Enable RSVP plugin
    3. Enable Wordfence 2FA
    4. Open DevTools → Network
    5. Login
 * ✅ `admin-ajax.php` returns 200
   ✅ No permission error✅ 2FA screen appears✅
   Login succeeds
 * Can you **please confirm** that using the correct fix above (wrapping the three
   admin_init handlers with an AJAX guard) doesn’t break the RSVP plugin? Thanks
   for your support.

Viewing 2 replies - 1 through 2 (of 2 total)