Elementor Pro "Custom Code" 403 Error

ofm1990 · October 29, 2022, 2:12pm

Hello if you are having problems with the “Custom Code” of Elementor Pro, I inform you that after a lot of research, I found the problem related to ModSecurity used by Cyberpanel, it is a false positive and it is already under review by the OWASP team:

github.com/coreruleset/coreruleset

HTTP PUT being blocked in WordPress is a false positive

opened 06:17AM - 24 Jul 21 UTC

closed 06:15PM - 19 Dec 22 UTC

firasd

False Positive

Need more info

### Description It seems like PUT requests trigger the rule "911100: Method i…s not allowed by policy". This is an increasingly common type of HTTP request in WordPress plugins Request: PUT /lmstest/wp-json/elementor/v1/site-editor/templates-conditions/263 Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_METHOD' against '!@within %{tx.allowed_methods}' is true. Seems like this should be allowed using the WordPress exclusion rules ### Your Environment OWASP ModSecurity 2.9 Core Rule Set v3.3.0 ### Confirmation [x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

There is still no solution, if not to disable the rule.

If anyone here comes up with a better solution, please help.

sochun2424 · November 14, 2022, 3:17am

Hi, has this been resolved?

I can’t set the condition for Elementor Custom Code, I’m getting 403 Forbidden for a PUT request

I need to disable the “ModSecurity rules packages” before I can save the changes.

It’s kind of hassle to deactivate and re-activate each time I need to save the changes to the Elementor Custom Code.

josephgodwinke · November 15, 2022, 2:59pm

Hello @sochun2424

do not recommend modsecurity. Development stopped years ago. Kindly use an alternative WAF. I recommend CloudFlare for your website, Imunify for your server

For wordpress websites use WordFence premium, Sucuri or BPS. They all work like a charm

ofm1990 · November 15, 2022, 3:51pm

@josephgodwinke Did you take a look at the link I sent?

github.com/coreruleset/coreruleset

HTTP PUT being blocked in WordPress is a false positive

opened 06:17AM - 24 Jul 21 UTC

closed 06:15PM - 19 Dec 22 UTC

firasd

False Positive

Need more info

### Description It seems like PUT requests trigger the rule "911100: Method i…s not allowed by policy". This is an increasingly common type of HTTP request in WordPress plugins Request: PUT /lmstest/wp-json/elementor/v1/site-editor/templates-conditions/263 Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_METHOD' against '!@within %{tx.allowed_methods}' is true. Seems like this should be allowed using the WordPress exclusion rules ### Your Environment OWASP ModSecurity 2.9 Core Rule Set v3.3.0 ### Confirmation [x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Seems like it’s in constant development, 4 will be released soon, using Sucuri on more than 30 sites is a headache, better to have a solution on the panel/server.