Error 403 when saving settings at /wp-admin/index.php?page=aioseo-setup-wizard#/category

path: example.com/wp-admin/index.php?page=aioseo-setup-wizard#/category

Clicking save button causes endless animation of button without any further visual results or changes. Log file of modsecurity reports error 403 Log file of accesslog reports error 403

---0axHjVCS---A--

[17/May/2021:23:48:52 +0200] 162128813271.917277 yyy.yyy.yyy.yyy 57906 xxx.xxx.xxx.xxx 80

---0axHjVCS---B--

POST /wp-json/aioseo/v1/wizard HTTP/1.1

Accept-Encoding: gzip, deflate

Cookie: _fbp=fb.1.1598866358706.1826547220; _ga=GA1.2.771664089.1598866361; ajs_anonymous_id=%22101e7a5c-754e-4d63-b61a-6428795a136f%22; _hjid=ef1192b3-fbb7-43f5-a616-be9a9596bbce; ajs_user_id=%22ps.-server.example.com%22; mp_c8aed77ebc880f4222724bc14a0d8a0d_mixpanel=%7Bmixerstinct_id%22%3A%20%22ps.example.com%22%2C%22%24device_id%22%3A%20%22178be0130ab701-07999816b59176-3b7f0650-1e6d71-178be0130acc07%22%2C%22mp_lib%22%3A%20%22Segment%3A%20web%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Fps.example.com%2Fadmin383sagpej%2Findex.php%3Fcontroller%3DAdminLogin%26token%3D01bdc31380f2a324e1e264a6f96e0a0a%22%2C%22%24initial_referring_domain%22%3A%20%22ps.example.com%22%2C%22%24user_id%22%3A%20%22ps.example.com%22%2C%22mp_name_tag%22%3A%20%22ps.example.com%22%2C%22language%22%3A%20%22pl%22%2C%22version_ps%22%3A%20%221.7.7.3%22%2C%22version_module%22%3A%20%221.3.3%22%2C%22module%22%3A%20%22ps_metrics%22%2C%22id%22%3A%20%22ps.example.com%22%2C%22%24first_name%22%3A%20%22http%3A%2F%2Fps.example.com%2F%22%2C%22%24name%22%3A%20%22http%3A%2F%2Fps.example.com%2F%22%7D; __gads=ID=71d0a2c6958f4bd3-2206138a1ebb007b:T=1618482997:RT=1618482997:S=ALNI_MbK6goyCUI9Bso4GoeyiXaUMboN2w; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_72a0324d9c077ad9cef625af54565376=test%7C1621460657%7CtyexE0B7mf5fOnWAB6SJCfDrg5aphEQ2KnLdCSpFL6G%7C7d909892951568e131dcaa2c3d304712688e8233ae1e0943d87ec4851faf012a; wp-settings-time-1=1621287870; wp-settings-1=libraryContent%3Dbrowse

Referer: http://example.com/wp-admin/index.php?page=aioseo-setup-wizard

Origin: http://example.com

Accept: */*

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36

Content-Type: application/json

X-WP-Nonce: cc9587282c

Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7

Content-Length: 1326

Connection: keep-alive

Host: example.com



---0axHjVCS---D--



---0axHjVCS---E--

<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a



---0axHjVCS---F--

HTTP/1.1 403

Server: nginx

Date: Mon, 17 May 2021 21:48:52 GMT

Content-Length: 548

Content-Type: text/html

Connection: keep-alive



---0axHjVCS---H--

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' (Value: `json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' ) [file "/usr/local/etc/nginx/modsecurity/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "78"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: .profile found within ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2: json.wizard.additionalinformation.social.profiles.sameusername.included. (7 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "xxx.xxx.xxx.xxx"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162128813271.917277"] [ref "o40,8v0,64t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo40,8v0,67t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo40,8v0,68t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWi (1220 characters omitted)"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `50' against variable `TX:ANOMALY_SCORE' (Value: `100' ) [file "/usr/local/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 100)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxx.xxx.xxx.xxx] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162128813271.917277"] [ref ""]



---0axHjVCS---I--



---0axHjVCS---J--



---0axHjVCS---Z--

Environment

CRS version (e.g., v3.2.0): 3.30

• Paranoia level setting: 1
• ModSecurity version (e.g., 2.9.3): 3
• Web Server and version (e.g., apache 2.4.41): nginx 1.18.0
• Operating System and version: FreeBSD 12.2-RELEASE amd64