Chained Selects or Date Picker triggering WAF rule

Hi all.

I’ve been using the Chained Selects or Date Picker field on a resent project and came across a problem. Or at least I think it’s the Chained Selects or Date Picker field doing this.

The field is triggering a Mod Security (WAF) rule which is then blocking the end user. The rule is “SQL Injection Attack Detected via libinjection”. ID: 942100. Part of the OWASP ModSecurity CRS.

The chain select stopped working by not populating the second dropdown. Browser dev console shows several JS errors, and the network view showed a few files with 404/403 errors. Basically, the files were being blocked by the server for the IP address.

The initial requests recorded in ModSec logs were:

GET /wp-content/plugins/gravityforms/fonts/gform-icons-theme.woff2?a2cayk

GET /wp-content/plugins/gravityforms/images/datepicker/datepicker.svg

GET /wp-content/plugins/gravityforms/fonts/gform-icons-theme.ttf?a2cayk

POST /wp-admin/admin-ajax.php

GET /wp-content/plugins/gravityforms/images/theme/down-arrow.svg

However, some of these will be erroneous entries as by this point the servers would have started to block the client IP.

I’ve whitelisted this rule on the site for now and everything’s working.

Has anyone come across this issue?