[WAF] Elementor template downloads blocked by security

Hi team,

I’m having another security-related issue, with the live site this time. Basically, I can’t insert Elementor Pro templates from the library. It just loads forever. I looked at the console and saw that the XMLHTTP request to their library connect URL is being blocked by the CORS policy.

Here is a screenshot, and below is the error text from the Chrome Inspector Console:

Access to XMLHttpRequest at 'https://my.elementor.com/connect/v1/library?action=authorize&response_type=code&client_id=TKIVDgq10VIqOcJOuQH7cwSE5EdIhdGU&auth_secret=ZqMMNX1Nv2iTgA4qvo0fzcGPbIy2sErh&state=n4O7Vn3V6TWQ&redirect_uri=https%3A%2F%2Fcoach.today%2Fwp-admin%2Fadmin.php%3Fpage%3Delementor-connect%26app%3Dlibrary%26action%3Dget_token%26nonce%3Da1266fb36f&reconnect_nonce=501c5e5a3f' (redirected from 'https://coach.today/wp-admin/admin-ajax.php') from origin 'https://coach.today' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
editor.min.js?ver=3.1.4:2 Uncaught TypeError: Cannot read property 'message' of undefined
    at editor.min.js?ver=3.1.4:2
    at Function.v.each.v.forEach (load-scripts.php?c=0&load[chunk_0]=jquery-core,jquery-migrate,underscore,backbone,jquery-ui-core,jquery-ui-mouse,wp-api-request&ver=5.7.1:8)
    at TemplateLibraryManager.showErrorDialog (editor.min.js?ver=3.1.4:2)
    at error (editor.min.js?ver=3.1.4:2)
    at c (load-scripts.php?c=0&load[chunk_0]=jquery-core,jquery-migrate,underscore,backbone,jquery-ui-core,jquery-ui-mouse,wp-api-request&ver=5.7.1:2)
    at Object.fireWith [as rejectWith] (load-scripts.php?c=0&load[chunk_0]=jquery-core,jquery-migrate,underscore,backbone,jquery-ui-core,jquery-ui-mouse,wp-api-request&ver=5.7.1:2)
    at Object.s.<computed> [as reject] (load-scripts.php?c=0&load[chunk_0]=jquery-core,jquery-migrate,underscore,backbone,jquery-ui-core,jquery-ui-mouse,wp-api-request&ver=5.7.1:2)
    at common.min.js?ver=3.1.4:2
    at Array.forEach (<anonymous>)
    at error (common.min.js?ver=3.1.4:2)
common.min.js?ver=3.1.4:2 Uncaught ReferenceError: originalEvent is not defined
    at onError (common.min.js?ver=3.1.4:2)
    at dispatch (load-scripts.php?c=0&load[chunk_0]=jquery-core,jquery-migrate,underscore,backbone,jquery-ui-core,jquery-ui-mouse,wp-api-request&ver=5.7.1:2)
    at v.handle (load-scripts.php?c=0&load[chunk_0]=jquery-core,jquery-migrate,underscore,backbone,jquery-ui-core,jquery-ui-mouse,wp-api-request&ver=5.7.1:2)

Sorry for all these requests, but I’m glad we are polishing things up, and hopefully you will get some value from all this feedback.
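
The first console line above reports that the preflight response was a redirect. As an added example (not part of the original post, and not Elementor's or the host's code), this simplified JavaScript mirrors the checks a browser applies to a preflight response, showing why any 3xx fails before the CORS headers are even read. The request shape, the X-Requested-With header and the sample responses are constructed assumptions.

```javascript
// Added example: simplified browser-side check of a CORS preflight (OPTIONS) response.
function headerList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns null when the preflight passes, otherwise the reason it fails.
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) h[k.toLowerCase()] = String(v).trim();
  // A preflight is never followed through a redirect: any 3xx fails outright.
  if (res.status >= 300 && res.status < 400) {
    return `redirect (${res.status}) is not allowed for a preflight request`;
  }
  if (res.status < 200 || res.status > 299) return `preflight status ${res.status} is not 2xx`;

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) return "missing Access-Control-Allow-Origin";
  // "*" is only acceptable for requests sent without credentials.
  if (allowOrigin === "*" ? req.credentials : allowOrigin !== req.origin) {
    return `Access-Control-Allow-Origin '${allowOrigin}' does not cover ${req.origin}`;
  }
  if (req.credentials && h["access-control-allow-credentials"] !== "true") {
    return "Access-Control-Allow-Credentials is not 'true'";
  }

  // GET, HEAD and POST never need to be listed; other methods do.
  const wildcardOk = (list) => list.includes("*") && !req.credentials;
  const methods = headerList(h["access-control-allow-methods"]);
  const method = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(method) && !methods.includes(method) && !wildcardOk(methods)) {
    return `method ${req.method} is not in Access-Control-Allow-Methods`;
  }
  // Every non-safelisted request header must be listed by the server.
  const allowed = headerList(h["access-control-allow-headers"]);
  for (const name of req.headers) {
    if (!allowed.includes(name.toLowerCase()) && !wildcardOk(allowed)) {
      return `header ${name} is not in Access-Control-Allow-Headers`;
    }
  }
  return null;
}

// Constructed samples (not captured traffic); sso.example is a placeholder host.
const REQUEST = { origin: "https://coach.today", method: "POST", headers: ["X-Requested-With"], credentials: false };
const SAMPLES = {
  redirected: { status: 302, headers: { Location: "https://sso.example/login" } },
  noHeaders: { status: 200, headers: { "Access-Control-Allow-Origin": "https://coach.today" } },
  allowed: { status: 204, headers: { "Access-Control-Allow-Origin": "https://coach.today", "Access-Control-Allow-Headers": "x-requested-with" } },
};
for (const [name, res] of Object.entries(SAMPLES)) console.log(name, "->", checkPreflight(REQUEST, res) ?? "passes");
```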

  • Patrick Freitas
    • FLS

    Hi adaldesign

    I hope you are doing well.

    It can happen because of the way some plugins or add-ons save the content, which the WAF gets as a possible script injection attempt.

    The best way to prevent it is to let the plugin developer know, as our WAF uses the rules from OWASP, which is a well-known organization.

    You can add your IP to the allowlist on Hosting Tools > WAF. Disabling the rule or the WAF, or bypassing any plugin, would be a security issue.

    Let us know if you have any additional questions.
    Best Regards
    Patrick Freitas