Bug with CiviCRM 5.10.3 Remote Profiles HTML Form Snippet Form Action URL
Version: CiviCRM 5.10.3
Type: Bug
With the update to CiviCRM 5.10.3, I noticed the form action URL in the HTML Form Snippet generated for Remote Profile submissions has changed, breaking the form submission functionality for anonymous users with all newly generated HTML Form Snippets.
This is the first time I have noticed this bug, which was definitely introduced sometime after version CiviCRM 5.7.2, the last time I generated an HTML Form Snippet that was used with a Remote Profile.
Previously, the HTML Form Snippet generated code with a form action URL that posted to the "create profile" URL, allowing form submissions from anonymous users:
<form action="https://wpmaster.demo.civicrm.org/civicrm/?page=CiviCRM&q=civicrm%2Fprofile%2Fcreate" method="post" name="Edit" id="Edit" class="CRM_Profile_Form_Edit" >
After the update, the code generated by the HTML Form Snippet includes a form action URL that posts to the default "admin group":
<form action="https://wpmaster.demo.civicrm.org/civicrm/?page=CiviCRM&q=civicrm%2Fadmin%2Fuf%2Fgroup" method="post" name="Edit" id="Edit" class="CRM_Profile_Form_Edit" >
With the above form action URL, anonymous users see the following error when the user clicks the "Submit" button:
You do not have permission to access this content.
Manually changing the code in the HTML Form Snippet to use a form action URL with the previous "create profile" version restores the functionality.
This bug is specifically related to the generated HTML Form Snippet code, as Profiles work properly for anonymous users when inserted using the "Add CiviCRM Public Pages" button within WordPress, which inserts the code that includes the correct "create profile" form action URL.
I tested both WordPress and Drupal 7 demo sites and was able to replicate the bug with ONLY the WordPress demo site:
https://wpmaster.demo.civicrm.org/
https://dmaster.demo.civicrm.org/
Steps to Reproduce Bug with WordPress CiviCRM 5.10.3+:
1. Log in
2. CiviCRM > Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.)
3. For the "Accept profile submissions from external sites" option, select "Yes" and then click "Save"
4. Administer > Custom Data and Screens > Profiles
5. For any Profile, generate the code by clicking: more > HTML Form Snippet
The code generated by the updated version includes a "post" action URL to the "admin group"
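A regression check for the behaviour reported above, as an added example that is not part of the original report or of CiviCRM's code: it parses a generated HTML Form Snippet and flags any form whose action posts to an admin route instead of civicrm/profile/create. The rule that everything under civicrm/admin/ is admin-only and the path-style URL fallback are assumptions; the two sample tags are the ones quoted in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

EXPECTED_ROUTE = "civicrm/profile/create"  # route in the working snippet quoted above
ADMIN_PREFIX = "civicrm/admin/"            # assumption: routes under this prefix are admin-only


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def civicrm_route(action_url):
    """Return the decoded q= parameter, or the URL path if q is absent
    (path-style URLs are an assumption, not shown in the report)."""
    parts = urlsplit(action_url)
    q = parse_qs(parts.query).get("q")
    return (q[0] if q else parts.path).strip("/")


def check_snippet(html):
    """Return one (route, verdict) pair per form found in the snippet."""
    parser = _FormActions()
    parser.feed(html)
    results = []
    for action in parser.actions:
        route = civicrm_route(action)
        if route == EXPECTED_ROUTE:
            verdict = "ok"
        elif route.startswith(ADMIN_PREFIX):
            verdict = "admin-route"  # anonymous submitters would be denied
        else:
            verdict = "unexpected"
        results.append((route, verdict))
    return results


# The two form tags quoted in the report above.
OLD = '<form action="https://wpmaster.demo.civicrm.org/civicrm/?page=CiviCRM&q=civicrm%2Fprofile%2Fcreate" method="post" name="Edit" id="Edit" class="CRM_Profile_Form_Edit" >'
NEW = '<form action="https://wpmaster.demo.civicrm.org/civicrm/?page=CiviCRM&q=civicrm%2Fadmin%2Fuf%2Fgroup" method="post" name="Edit" id="Edit" class="CRM_Profile_Form_Edit" >'

if __name__ == "__main__":
    for label, snippet in (("before", OLD), ("after", NEW)):
        print(label, check_snippet(snippet))
```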