Title: Mark Costlow's Replies | WordPress.org

---

# Mark Costlow


## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 19 total)


 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[WooCommerce] Security Concern: Direct Add-to-Cart GET Requests Vulnerability](https://wordpress.org/support/topic/security-concern-direct-add-to-cart-get-requests-vulnerability/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 months, 3 weeks ago](https://wordpress.org/support/topic/security-concern-direct-add-to-cart-get-requests-vulnerability/#post-18828592)
 * [@oppitz](https://wordpress.org/support/users/oppitz/) thanks for the info. I
   hadn’t used fail2ban for this issue because it’s so distributed we rarely see
   the same IP twice (at least over the short time-spans I’ve been looking at). 
   But banning each IP for a long stretch when any bad request comes sounds like
   a good idea. It’s going to become a big block list …
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[WooCommerce] Security Concern: Direct Add-to-Cart GET Requests Vulnerability](https://wordpress.org/support/topic/security-concern-direct-add-to-cart-get-requests-vulnerability/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 months, 3 weeks ago](https://wordpress.org/support/topic/security-concern-direct-add-to-cart-get-requests-vulnerability/#post-18828587)
 * Why is there an AI chatbot answering every human post on this thread? If we wanted
   to paste this thread into ChatGPT we could do it ourselves. It isn’t adding any
   useful information.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[WooCommerce] Security Concern: Direct Add-to-Cart GET Requests Vulnerability](https://wordpress.org/support/topic/security-concern-direct-add-to-cart-get-requests-vulnerability/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 months, 3 weeks ago](https://wordpress.org/support/topic/security-concern-direct-add-to-cart-get-requests-vulnerability/#post-18827474)
 * Hi, I’ve been dealing with this same “attack” on a couple of large-ish woo sites.
   This flavor of abuse started for us in early January this year. I have a question
   and some additional information.
 * You said, “WooCommerce does support adding products to the cart via GET requests
   such as /?add-to-cart=123. […] Disabling all add-to-cart query strings at the
   HTTP level […] is a valid mitigation”
 * Are you saying the legitimate GET requests for add-to-cart are not significant
   and it’s OK to block them?
 * The other thing we noted is many requests look like this:
   `"GET /slug?ppp=-1?add-to-cart=196769036?add-to-cart=196769030?add-to-cart=125471?add-to-cart=196769016?add-to-cart=196769034?add-to-cart=121757?add-to-cart=196768998 HTTP/1.1"`
 * One feature we’ve been blocking on is multiple add-to-cart elements in the query
   string.
 * Most of the time these requests are coming from hundreds of different IPs per
   hour, all in different net blocks, each making 1-2 requests only. But also have
   had events where thousands of requests come from over 100 different IPs all in
   one /24 (most recently, one owned by Facebook using meta-externalagent/1.1 agent
   string).
 * I’m personally on the fence about whether this is AI harvesters gone awry, AI
   agents gone awry, or baddies fuzzing ecommerce sites looking for exploits.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe] One of the PNG files in contest-gallery.28.1.1.zip is invalid](https://wordpress.org/support/topic/one-of-the-png-files-in-contest-gallery-28-1-1-zip-is-invalid/)
 *  Thread Starter [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [4 months, 1 week ago](https://wordpress.org/support/topic/one-of-the-png-files-in-contest-gallery-28-1-1-zip-is-invalid/#post-18777085)
 * Hi, just FYI, updates to the plugin have still been distributing that broken 
   version of minimize-form-bright.png
 * Latest was 28.1.2.1 today
 * Thanks
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe] One of the PNG files in contest-gallery.28.1.1.zip is invalid](https://wordpress.org/support/topic/one-of-the-png-files-in-contest-gallery-28-1-1-zip-is-invalid/)
 *  Thread Starter [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [5 months, 1 week ago](https://wordpress.org/support/topic/one-of-the-png-files-in-contest-gallery-28-1-1-zip-is-invalid/#post-18749542)
 * Thank you for the quick response!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[Timely All-in-One Events Calendar] Not compatible with PHP and WordPress latest versions](https://wordpress.org/support/topic/not-compatible-with-php-and-wordpress-latest-versions/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/not-compatible-with-php-and-wordpress-latest-versions/#post-17444342)
 * I’m having this problem too. It has generated a 28GB error log for today (well,
   today is only 2/3 over for me so it will get bigger).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[Timely All-in-One Events Calendar] deprecated functions crashing site](https://wordpress.org/support/topic/deprecated-functions-crashing-site/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/deprecated-functions-crashing-site/#post-17444339)
 * Are you saying the plugin in the public repo will not be fixed?
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[Download Monitor] A long timeout on every page load for license check](https://wordpress.org/support/topic/a-long-timeout-on-every-page-load-for-license-check/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/a-long-timeout-on-every-page-load-for-license-check/#post-17385856)
 * Razvan, After updating from 4.9.8 to 4.9.9 it seems to be fixed. Thanks,
 * Mark
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[Download Monitor] A long timeout on every page load for license check](https://wordpress.org/support/topic/a-long-timeout-on-every-page-load-for-license-check/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/a-long-timeout-on-every-page-load-for-license-check/#post-17385270)
 * Any update on this? I’m experiencing the same problem. I can ping license.wpchill.com
   with good response times, but the curl command to check a license takes at
   least a few seconds, but in many cases times out after 2 minutes. I have a site
   with 9 dlm plugins on it, and because of this we can’t manage any of the plugins
   because every page view is a 2-3 minute timeout.
 * I’ve tried running the curl command from a couple of different locations with
   different upstream networks. Same issue.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[All-In-One Security (AIOS) – Security and Firewall] curl error 77 when using wp-cli](https://wordpress.org/support/topic/curl-error-77-when-using-wp-cli/)
 *  Thread Starter [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/curl-error-77-when-using-wp-cli/#post-16820572)
 * Here’s some more info. Well not really new info, just a transcript of a few commands
   to demonstrate I believe I set cafile in the right php.ini file, but still get
   the curl error on many, but not all, wp-cli runs.
 *   ```text
     $ php --version
     PHP 7.4.30 (cli) (built: Jun 27 2022 08:14:10) ( NTS )
     Copyright (c) The PHP Group
     Zend Engine v3.4.0, Copyright (c) Zend Technologies
         with Zend OPcache v7.4.30, Copyright (c), by Zend Technologies

     $ wp --version
     WP-CLI 2.8.1

     $ php info.php | grep curl
     /etc/php/7.4/cli/conf.d/20-curl.ini,
     curl
     curl.cainfo => /etc/php/7.4/cli/cacert.pem => /etc/php/7.4/cli/cacert.pem

     $ head -5 /etc/php/7.4/cli/cacert.pem
     ##
     ## Bundle of CA Root Certificates
     ##
     ## Certificate data from Mozilla as of: Tue May 30 03:12:04 2023 GMT
     ##

     $ wp transient delete --all
     AIOS_Helper::request_remote exception - cURL error 77: error setting certificate verify locations:  CAfile: /home/XXX/public_html/sitename/wp-includes/Requests/src/../certificates/cacert.pem CApath: /etc/ssl/certs
     Success: 2 transients deleted from the database.
     ```

 * Note, when I set curl.capath or curl.cafile, it doesn’t change the error message
   which mentions a location in core for CAfile and /etc/ssl/certs for CApath.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[All-In-One Security (AIOS) – Security and Firewall] curl error 77 when using wp-cli](https://wordpress.org/support/topic/curl-error-77-when-using-wp-cli/)
 *  Thread Starter [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/curl-error-77-when-using-wp-cli/#post-16820527)
 * I’m afraid my announcement of success was premature as well. It turns out the
   problem is more intermittent than I thought. When I tested after adding the cainfo
   setting, it didn’t give the error. But then later doing some other things
   (`search-replace` mostly) I’m back to getting curl error 77.
 * I tried some more variations, like setting `cafile` or `capath`, but the results
   are inconsistent. I still see curl error 77 on many, but not all, wp-cli runs.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[All-In-One Security (AIOS) – Security and Firewall] curl error 77 when using wp-cli](https://wordpress.org/support/topic/curl-error-77-when-using-wp-cli/)
 *  Thread Starter [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/curl-error-77-when-using-wp-cli/#post-16819530)
 * [@hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/) thank
   you for the pointer, that got me to a fix.
 * I downloaded a current cacert.pem from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
   and set `curl.cainfo` in my php.ini to point to the file. No more error messages
   from curl.
 * I was led astray by curl mentioning a specific path in the WP core that was really
   not related to the issue.
 * Thanks again,
   Mark
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[WP Shortcodes Plugin — Shortcodes Ultimate] Youtube no longer works](https://wordpress.org/support/topic/youtube-no-longer-works/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [4 years, 9 months ago](https://wordpress.org/support/topic/youtube-no-longer-works/page/2/#post-14697089)
 * [@highzera](https://wordpress.org/support/users/highzera/) I looked at your page,
   and see the empty playlist= is still there. I compared it to what my customer’s
   page produces and there are a couple of differences (on hers the URL is in a
   src=”…” tag and on yours it’s in a data-src=”…” tag). I don’t know the cause of
   those differences.
 * If you’d like to email your youtube-advanced.php file to me at ythelp@swcp.com
   I can verify it looks right.
 * If someone else understands what causes the different src tags maybe they can
   chime in.
    -  This reply was modified 4 years, 9 months ago by [Mark Costlow](https://wordpress.org/support/users/swcp/).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[WP Shortcodes Plugin — Shortcodes Ultimate] Youtube no longer works](https://wordpress.org/support/topic/youtube-no-longer-works/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [4 years, 9 months ago](https://wordpress.org/support/topic/youtube-no-longer-works/#post-14694618)
 * [@mustafaaksoy](https://wordpress.org/support/users/mustafaaksoy/) the file is
   in the shortcodes-ultimate plugin directory. From the top level of your WordPress
   site, it would be in
   `wp-content/plugins/shortcodes-ultimate/includes/shortcodes/youtube-advanced.php`
 * [@highzera](https://wordpress.org/support/users/highzera/) That should do it.
   In some environments it takes a couple of minutes before the server will see 
   the change. If it’s still not working after 5 minutes or so then I’m not sure
   what the issue may be.
 * If you “View Source” on the web page with the video, search for the youtube.com
   link, does the URL have “playlist=” in it?
    -  This reply was modified 4 years, 9 months ago by [Mark Costlow](https://wordpress.org/support/users/swcp/).
      Reason: formatting
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
     In reply to: [[WP Shortcodes Plugin — Shortcodes Ultimate] Youtube no longer works](https://wordpress.org/support/topic/youtube-no-longer-works/)
 *  [Mark Costlow](https://wordpress.org/support/users/swcp/)
 * (@swcp)
 * [4 years, 9 months ago](https://wordpress.org/support/topic/youtube-no-longer-works/#post-14691600)
 * I had a customer with this problem too. The loop=1 workaround worked, but the
   site has hundreds of embedded videos so it wasn’t practical. I thought about 
   adding loop=1 in a database search/replace but that seemed dangerous and time
   consuming (if it didn’t work right the first time).
 * I confirmed the issue just popped up, while this site was using version 5.9.0
   of the plugin, and I tried a few versions between that and 5.10.1 with the same
   result. Based on this I think the change might have been at youtube, deciding
   “playlist=” is an error, whereas before it was ignored.
 * I eventually decided to kludge this in the plugin code.
   In the file includes/shortcodes/youtube-advanced.php around line 212 I changed this:
   `if ( '1' === $url_params['loop'] && '' === $url_params['playlist'] ) {`
   to this:
   `if ( '' === $url_params['playlist'] ) {`
 * Now it’s worked around, without the loop=1 parameter being needed. I’m assuming
   this will all get worked out somewhere before the next update of this plugin.
    -  This reply was modified 4 years, 9 months ago by [Mark Costlow](https://wordpress.org/support/users/swcp/).
      Reason: spelling
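
Added example, not code from any of the replies above: a small Python checker that runs over constructed access-log lines (not real traffic) and flags GET requests carrying more than one `add-to-cart` key, the blocking feature described in the WooCommerce add-to-cart reply. It splits the query string on `?` as well as `&`, because the request quoted in that reply chains its parameters with `?`; the log format, IPs and product ids are assumptions.

```python
import re

# Constructed sample access-log lines (not from the forum thread). The third
# line mirrors the shape of the request quoted in the reply, where the product
# ids are chained with "?" instead of "&".
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2025:10:01:02 +0000] "GET /shop/?add-to-cart=123 HTTP/1.1" 200 512
203.0.113.11 - - [05/Jan/2025:10:01:05 +0000] "GET /product/widget/ HTTP/1.1" 200 4096
198.51.100.7 - - [05/Jan/2025:10:01:09 +0000] "GET /slug?ppp=-1?add-to-cart=1001?add-to-cart=1002?add-to-cart=1003 HTTP/1.1" 200 512
198.51.100.8 - - [05/Jan/2025:10:01:11 +0000] "GET /slug?add-to-cart=55&add-to-cart=56&quantity=1 HTTP/1.1" 200 512
"""

# Common/combined log format: client IP, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def count_add_to_cart(target: str) -> int:
    """Count add-to-cart keys in a request target (path plus query string).

    Both '&' and '?' are treated as separators: the abusive requests in the
    thread chain parameters with '?', which a standard query parser would
    fold into a single value and therefore count only once.
    """
    _, _, query = target.partition("?")
    params = re.split(r"[&?]", query)
    return sum(1 for p in params if p.split("=", 1)[0] == "add-to-cart")


def flag_requests(log_text: str, threshold: int = 2) -> list:
    """Return (ip, target, count) for GET requests with >= threshold keys."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        n = count_add_to_cart(m.group("target"))
        if n >= threshold:
            hits.append((m.group("ip"), m.group("target"), n))
    return hits


if __name__ == "__main__":
    for ip, target, n in flag_requests(SAMPLE_LOG):
        print(f"{ip} {n} add-to-cart keys: {target}")
```

Single-product requests such as `/?add-to-cart=123` are left alone, so the threshold only catches the multi-key pattern the reply describes.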
