WordPress content update blocked as XSS by WAF

I’ve got a WordPress site running on an Azure instance, behind Cloudflare. Last week, the client reported that basic content updates were failing with an “invalid JSON” error. Troubleshooting revealed that the calls by WordPress to /wp-json URLs were being blocked as “100136B - XSS - JavaScript URI” by some of the WAF Managed Rules.

I’ve tried a number of different WAF rule configurations, from least specific to most specific, and there is no change.

(http.request.uri contains "/wp-json/*" and http.cookie contains "wordpress_sec" and http.request.method eq "POST")

I’ve set that to BYPASS WAF Managed Rules, to no effect. If I change the cookie to “wordpress”, or remove it altogether, it still blocks requests. Likewise with the http.request.method. Even if I remove that completely and just check based on uri, traffic is still blocked.

I opened a ticket, but it doesn’t seem that anybody is looking at it.

I also set a page rule to bypass caching and disable performance for /wp-json/* URLs. No dice.

My company has quite a few WP sites under our care which do not suffer similar issues, but the differentiating factor here is possibly Azure. Either way, I’m out of ideas.

Can anybody point me in the right direction?

May I ask whether the HTTP request was made by the plugin (that is, by WP-Cron, meaning the IP address is that of the origin host/server) or rather by the user?

May I ask whether you looked up that rule by its Rule ID and disabled it?

Are you using the Free plan or a paid plan like Pro?


It appears that the issue was likely the wildcard in the URI.
Support got back to me with a suggestion, so the solution was basically a combination of the URI without the wildcard and the removal of the cookie check.

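Why the wildcard broke the skip rule, shown as an added example that is not part of the thread or of Cloudflare's own code. In the Cloudflare Rules language, `contains` is a literal substring test and `eq` is an exact comparison; neither expands `*`. The script below models those two operators over a few constructed requests and evaluates the poster's original expression next to an assumed cleaned-up form (wildcard dropped, cookie check removed, matching the fix they describe). The request fields, cookie values and paths are made up for the demonstration.

```python
# Added example (not from the thread): a small model of the Cloudflare Rules
# language operators "contains" and "eq", used to show why a "*" inside a
# `contains` string never matches a real WordPress REST request.
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed sample request carrying only the fields the rule inspects."""
    uri: str       # models http.request.uri (path plus query string)
    method: str    # models http.request.method
    cookie: str = ""  # models http.cookie (the raw Cookie header)


def contains(haystack: str, needle: str) -> bool:
    # `contains` is a literal, case-sensitive substring match.
    # There is no glob expansion: "*" is just another character to look for.
    return needle in haystack


def rule_with_wildcard(req: Request) -> bool:
    # The thread's original expression:
    # (http.request.uri contains "/wp-json/*"
    #  and http.cookie contains "wordpress_sec"
    #  and http.request.method eq "POST")
    return (contains(req.uri, "/wp-json/*")
            and contains(req.cookie, "wordpress_sec")
            and req.method == "POST")


def rule_fixed(req: Request) -> bool:
    # Assumed form of the fix the poster describes (wildcard removed,
    # cookie check dropped); not the exact text support supplied:
    # (http.request.uri contains "/wp-json/" and http.request.method eq "POST")
    return contains(req.uri, "/wp-json/") and req.method == "POST"


# Constructed traffic: a REST content update, a REST read, an admin-ajax POST,
# and a contrived request whose path literally contains "*".
WP_COOKIES = "wordpress_sec_1a2b=tok; wordpress_logged_in_1a2b=tok"
SAMPLE_REQUESTS = [
    Request("/wp-json/wp/v2/posts/42?_locale=user", "POST", WP_COOKIES),
    Request("/wp-json/wp/v2/posts", "GET", WP_COOKIES),
    Request("/wp-admin/admin-ajax.php", "POST", WP_COOKIES),
    Request("/wp-json/*", "POST", WP_COOKIES),
]


def evaluate(rule, requests):
    """Return the rule's verdict for each request, in order."""
    return [rule(r) for r in requests]


if __name__ == "__main__":
    for req, broken, fixed in zip(SAMPLE_REQUESTS,
                                  evaluate(rule_with_wildcard, SAMPLE_REQUESTS),
                                  evaluate(rule_fixed, SAMPLE_REQUESTS)):
        print(f"{req.method:4} {req.uri:40} wildcard={broken!s:5} fixed={fixed!s:5}")
```

The first request is the one the client's content update sends, and the wildcard version never matches it because no real REST path contains a literal `*`; only the contrived fourth request satisfies it. Note also that `http.request.uri` includes the query string; if the intent is to match on the path alone, Cloudflare exposes `http.request.uri.path` for that.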