WAF blocks WordPress post

Hi,
I am using a custom post plugin on my WordPress website, and my CF Security Level is High.
When I use iframe code inside the custom post type, as soon as I click the Publish/Edit button Cloudflare blocks my POST request (Sorry, you have been blocked).

I have checked the WAF logs; they show my blocked request:

Rule ID: OWASP Block (981176)
Rule message: Inbound Anomaly Score Exceeded (Total Score: 41, SQLi=1, XSS=35)
Rule group: OWASP Inbound Blocking
Action taken: Block

When I use the same iframe code inside regular WordPress posts it works fine with no block! This only happens when I use the code inside the custom post plugin. I tried to use a custom page rule to set the security level to Medium for /wp-admin/post.php, but it doesn't help! Any ideas what I should do to fix this? I really want to keep the security level on High. Thanks.

Here’s an article which covers that rule:

Thank you sdayman! I checked the article and I just disabled the rule "OWASP XSS Attacks -
Cross site scripting (XSS) attacks that may result in unwanted HTML being inserted into web pages."

It worked! Now I can save the posts. Last question: is it safe to keep this rule OFF? Thank you.

Please be careful with disabling the WAF for an entire URL like /wp-admin/post.php.
Some attacks can come to the same URL but use different request parameters, like this one: https://www.exploit-db.com/exploits/24988

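One way to keep editors able to embed a player while the managed XSS rule is relaxed is to have the plugin itself enforce what an iframe may contain. The following is an added example, not code from the thread or from the poster's plugin: it assumes a hypothetical custom post type `player_embed` and a constructed allowlist of player hosts, and it uses only standard WordPress functions (`wp_kses_allowed_html`, `wp_insert_post_data`, `wp_kses_post`, `wp_parse_url`).

```php
<?php
// Added example (not from the thread). Hypothetical post type and host allowlist.
const PLAYER_EMBED_POST_TYPE = 'player_embed';
const PLAYER_EMBED_HOSTS     = ['player.example.com']; // constructed placeholder

// 1. Let wp_kses keep <iframe> in the 'post' context, but only with these attributes.
//    Everything else (event handlers, srcdoc, script tags, ...) is stripped by kses.
add_filter('wp_kses_allowed_html', function (array $allowed, $context) {
    if ($context !== 'post') {
        return $allowed;
    }
    $allowed['iframe'] = [
        'src'             => true,
        'width'           => true,
        'height'          => true,
        'title'           => true,
        'loading'         => true,
        'allowfullscreen' => true,
    ];
    return $allowed;
}, 10, 2);

// 2. Before the post is written, drop any iframe whose src is not an https URL
//    on an allowlisted host, then run the result through wp_kses_post.
add_filter('wp_insert_post_data', function (array $data) {
    if (($data['post_type'] ?? '') !== PLAYER_EMBED_POST_TYPE) {
        return $data;
    }
    // wp_insert_post_data receives slashed data; unslash before filtering.
    $content = wp_unslash($data['post_content']);

    $pattern = '#<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>.*?</iframe\s*>#is';
    $content = preg_replace_callback($pattern, function ($m) {
        $scheme = wp_parse_url($m[1], PHP_URL_SCHEME);
        $host   = strtolower((string) wp_parse_url($m[1], PHP_URL_HOST));
        $ok     = ($scheme === 'https') && in_array($host, PLAYER_EMBED_HOSTS, true);
        return $ok ? $m[0] : ''; // remove embeds pointing anywhere else
    }, $content);

    $data['post_content'] = wp_slash(wp_kses_post($content));
    return $data;
}, 10, 1);
```

The host check is a coarse regex pass; the real guarantee comes from `wp_kses_post`, which removes every tag and attribute not in the allowlist regardless of how the markup is written.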

Thanks!

I already deleted the custom page rule. I was trying to understand what causes the block, because the iframe code that I use is clean; it just embeds a player. The WAF is still enabled for the entire domain; I only disabled the last rule, OWASP XSS Attacks.
