Support have responded to this, specifically in agreement with @cbrandt.
This is not a paste of their reply…
The vulnerability that this rule is mitigating is: Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.
Free plan users can’t disable this rule without upgrading and given that it is not an issue with WordPress’ core function, it is unlikely that this rule will be modified.
The rules active on the free plan are to protect against specific vulnerabilities, as explained in this blog post; this rule is not mentioned there, but the principle is similar.
It is not recommended to disable this rule even on a higher plan due to the vulnerability that it is protecting from.
But I want to shoot myself in the foot, why won’t Cloudflare let me shoot myself in the foot? Just because CV in the rule description means Critical Vulnerability…
I’d recommend uninstalling plugins until you get to a point where this WAF rule isn’t triggered. Barring that, there are probably a ton of other CDNs who will let you shoot yourself in the foot for free (or next to it) if that’s what you are into.
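The CVE text quoted in the support reply above attributes the problem to a long comment that is "improperly stored because of limitations on the MySQL TEXT data type". The Python sketch below is added here as an illustration and is not code from WordPress, Cloudflare or anyone in this thread. It models that failure mode and the defensive check: a MySQL TEXT column holds at most 65,535 bytes, so a comment has to be measured in UTF-8 bytes (not characters) and rejected before it reaches the database, rather than sanitised as a whole and then silently cut short by the column. The function names and the sample comments are constructed for this example.

```python
"""Validate-before-store guard for comment text destined for a MySQL TEXT column.

Added example, not WordPress or Cloudflare code. Assumptions (not from the
thread): the comment is written to a MySQL TEXT column, whose hard limit is
65,535 bytes, and the database is not in strict SQL mode, so oversized input
is truncated instead of rejected. All function names are made up here.
"""

MYSQL_TEXT_MAX_BYTES = 65535  # maximum size of the MySQL TEXT type, in bytes


def utf8_length(text: str) -> int:
    """Length in bytes, which is what the database column counts.

    A character-count check is the classic mistake: 'é' is one character
    but two bytes in UTF-8, so len() under-reports the stored size.
    """
    return len(text.encode("utf-8"))


def comment_fits_column(content: str, limit: int = MYSQL_TEXT_MAX_BYTES) -> bool:
    """True if the content can be stored without the column dropping its tail."""
    return utf8_length(content) <= limit


def simulate_text_column(content: str, limit: int = MYSQL_TEXT_MAX_BYTES) -> str:
    """Model of what a TEXT column does with oversized input when strict mode
    is off: the first `limit` bytes are kept and the rest is discarded.
    errors='ignore' drops a multibyte character cut in half at the boundary."""
    return content.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def markup_is_balanced(content: str) -> bool:
    """Cheap well-formedness probe used only to show the effect of truncation:
    every '<' should have a matching '>' and <b>/</b> counts should agree."""
    return content.count("<") == content.count(">") and content.count(
        "<b>"
    ) == content.count("</b>")


def accept_comment(content: str, limit: int = MYSQL_TEXT_MAX_BYTES) -> tuple[bool, str]:
    """The fix: decide on the full text before anything is written.

    Returns (accepted, reason). A rejected comment never reaches the column,
    so nothing downstream ever sees a half-stored version of it.
    """
    if not comment_fits_column(content, limit):
        return False, "comment_too_long"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample 1: balanced, harmless markup repeated until it is
    # far larger than the column. Sanitised as a whole it is fine; stored
    # through a truncating column it ends mid-tag.
    big = "<b>ok</b>" * 10000  # 90,000 bytes
    stored = simulate_text_column(big)
    print("balanced before storage:", markup_is_balanced(big))
    print("balanced after truncation:", markup_is_balanced(stored))
    print("tail of stored text:", repr(stored[-12:]))
    print("accept_comment:", accept_comment(big))

    # Constructed sample 2: 40,000 characters but 80,000 bytes. A check on
    # len() would wave it through; the byte-length check does not.
    multibyte = "é" * 40000
    print("chars:", len(multibyte), "bytes:", utf8_length(multibyte))
    print("accept_comment:", accept_comment(multibyte))
```

The point of the length check is ordering: it runs on the complete comment before any write, so the sanitiser and the database always see the same text. Checking after storage, or checking characters instead of bytes, leaves exactly the gap the CVE description names.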
@domjh Thanks for your thorough follow-up.
I am also using the Comment Attachment plugin, didn’t know it was closed by wordpress.org. But if this vulnerability only applies to WordPress before 4.2.1, why do we still need this WAF rule?
The fact that another plugin (DCO Comment Attachment) has the same issue makes me wonder: is there something intrinsically dangerous in letting users upload images? Or would it be possible to write an image upload plugin that avoids the vulnerability, as @cbrandt suggests?
On reading through this thread I had the same question. What are the steps plugin developers must take to allow the upload of images in a way that doesn’t trigger this WAF rule?
I’m on the free plan and therefore cannot manage any firewall rules. But I really hope there’s a solution to this problem even for those currently on the free plan.
I have a WordPress installation with version 5.2.2 and the rule is still firing. I don’t use the plugin but made a function for this without the vulnerability.
It seems that this rule is always firing and not checking the WordPress version number, which is what causes issues here.
There is now no possibility to upload images to wp-comments-post.php.
The response marked as the solution is as far as we can help you in this thread. Though I’m curious as to how it used to work for @frank5 before.
It’s deliberately set by Cloudflare, so you would have to contact them for more detailed assistance: log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.
I created Request #1741534 three days ago, but I haven’t heard back from them yet.
@sdayman, I am also curious why this was working before. But it was, I am sure of that. I suppose CloudFlare recently activated or changed this rule on Free accounts.
I wouldn’t be surprised. As they monitor web traffic for millions of web properties, I’d expect them to apply certain rules more widely as whatever these rules protect become the object of widespread attack attempts.
I doubt Cloudflare will provide much information on that front, as of course one of the tenets of web security (and security in general) is that you don’t completely reveal your protections, otherwise you’d be making the life of criminals a lot easier.
I am working with CloudFlare support. They’re asking me to do something to isolate the problem. That will take me a few days. When I have a definite answer, I will post it here.
If the issue persists after Cloudflare has been paused, it means that there is an issue with your origin, since Cloudflare is only operating as your DNS provider while it is paused.
That’s exactly what Cloudflare support suggested. But if I simply pause Cloudflare my site stops working because I rely on Cloudflare for SSL. So I need to change my test site to not require SSL, and I haven’t had time to do that yet.