ModSecurity

There are usually two ways ModSecurity comes into play, but both ultimately do the same thing: block requests that attempt to send data to the website.

1. Blocking a redirect back from checkout.stripe.com
2. Blocking an internal request made to the website.

For #1, they need to allow the domains listed here https://stripe.com/docs/ips#stripe-domains to redirect back to the site, or add special handling that removes the specific rules blocking those incoming requests that contain request data.

They could ask their host via a message like:

“Please disable ModSecurity for requests originating from the domains listed here: https://stripe.com/docs/ips#stripe-domains. These come from Stripe and are necessary for my payment integration to work properly.”

For #2, they need to do something similar, but ensure the /wp-json path on their website is fully allowed. Any rules blocking requests containing POST data must be disabled for requests made to that path.

They could ask their host via a message like:

“Please disable ModSecurity for requests to /wp-json/*”

Sometimes both fixes need to be implemented, and they will need to be tested.
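When the host prefers to remove only the specific rules that are blocking, the rule IDs can be read from the ModSecurity entries in the web server error log. The script below is an added example, not part of the WP Simple Pay documentation: it assumes the ModSecurity 2 / Apache error-log field style ([id "..."], [uri "..."], [unique_id "..."]), and the sample lines and the /wp-json/example/v1/payment path are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in the ModSecurity 2 error-log style.
SAMPLE_LOG = """\
[client 203.0.113.7] ModSecurity: Warning. Pattern match [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-json/example/v1/payment"] [unique_id "AAA111"]
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/wp-json/example/v1/payment"] [unique_id "AAA111"]
[client 198.51.100.9] ModSecurity: Warning. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/contact"] [unique_id "BBB222"]
[client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/contact"] [unique_id "BBB222"]
[client 203.0.113.7] ModSecurity: Warning. [id "920420"] [msg "Request content type is not allowed by policy"] [uri "/wp-json/example/v1/payment"] [unique_id "CCC333"]
"""

FIELD = re.compile(r'\[(id|uri|unique_id) "([^"]*)"\]')

def blocking_rules(log_text, prefix="/wp-json/"):
    """Map each denied URI under `prefix` to the rule IDs logged for that request."""
    matched = defaultdict(set)  # unique_id -> every rule ID logged for the transaction
    denied = {}                 # unique_id -> URI of a transaction that was denied
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if not {"id", "uri", "unique_id"} <= fields.keys():
            continue
        matched[fields["unique_id"]].add(fields["id"])
        if "Access denied" in line:
            denied[fields["unique_id"]] = fields["uri"]
    result = defaultdict(set)
    for txn, uri in denied.items():
        # Warning-only transactions (never denied) are ignored: they blocked nothing.
        if uri.startswith(prefix):
            result[uri] |= matched[txn]
    return {uri: sorted(ids) for uri, ids in result.items()}

if __name__ == "__main__":
    for uri, ids in blocking_rules(SAMPLE_LOG).items():
        print(uri, "blocked by rule IDs:", ", ".join(ids))
```

With anomaly scoring, the denial is logged under the score-threshold rule (949110 in the sample), so the earlier Warning entries with the same unique_id are the rules to review for a path-scoped exclusion.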

Documentation: https://wpsimplepay.com/doc/406-403-not-acceptable-modsecurity/
Saved Reply: https://secure.helpscout.net/settings/saved-replies/260398/2445807
