Tuhin Ahmed
Forum Replies Created
Forum: Fixing WordPress
In reply to: Entire WordPress site files deleted

While a single plugin/theme vulnerability may not directly enable deletion of a website, it can pose a significant security risk. Consider the scenario where such a vulnerability grants an attacker full administrator access. This attacker could then:
- Install a file manager plugin: This provides a convenient interface for uploading malicious files.
- Upload web shells, PHP file manager scripts, or databases: Files like adminer.php grant direct access and control over the website and database.
Therefore, even seemingly indirect vulnerabilities can be exploited for website deletion. Reviewing the access_log (typically located in /user/home/logs/ on cPanel servers) is crucial to identify such malicious activities. The access log file should be there unless someone deletes it. You have the cPanel login log too under /user/home/.lastlogin to determine any unknown login into your cPanel account.

- This reply was modified 11 months, 3 weeks ago by Tuhin Ahmed.
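
Added example (not part of the original reply): one way to triage an access_log for the activity described above, assuming the Apache "combined" log format. The sample lines, IP addresses and the `example-file-manager` slug are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format is assumed; adjust the pattern if your host differs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(method, target):
    """Label a request that matches the reply's scenario, else return None."""
    url = urlsplit(target)
    path = url.path.lower()
    if path.endswith("/adminer.php"):
        return "adminer"
    if path.endswith("/wp-admin/update.php"):
        action = parse_qs(url.query).get("action", [""])[0]
        if action in ("install-plugin", "upload-plugin"):
            return "plugin-install"
    # PHP served from the uploads directory is a common sign of a dropped script.
    if "/wp-content/uploads/" in path and path.endswith(".php"):
        return "php-in-uploads"
    return None

def scan(lines):
    """Return (timestamp, ip, label, status, target) for requests the server served."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["status"]) >= 400:  # 4xx/5xx: probe that did not land
            continue
        label = classify(m["method"], m["target"])
        if label:
            findings.append((m["ts"], m["ip"], label, m["status"], m["target"]))
    return findings

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:02:15:40 +0000] "GET /wp-admin/update.php?action=install-plugin&plugin=example-file-manager HTTP/1.1" 200 9311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:02:17:02 +0000] "POST /wp-content/uploads/2024/03/x.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:02:20:31 +0000] "GET /adminer.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:02:21:55 +0000] "POST /adminer.php?username=wp HTTP/1.1" 200 2280 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Source IPs that appear in the findings can then be compared against the cPanel login log mentioned above.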
@troy144
That’s not all my friend.
I wouldn’t like to authorize a third party to view and download my website backup either. Here updraftplus (I mean team@updraftplus, not the plugin) is the API owner.

Hi
I think either I am misunderstanding things or you are trying to ignore my concern by misinterpreting.
Please correct me if I am wrong.
What is the reference for this?
drive.readonly – “Allows read-only access to file metadata and file content.”
In your shared link https://developers.google.com/drive/api/guides/api-specific-auth
I see this as
https://www.googleapis.com/auth/drive.readonly
Description: View and download all your Drive files.
I think you understand what it means. As you said,
"The read-only drive-wide access (not full access – nothing can be edited, over-written or deleted)."
You are right. You must also know that
"The drive.readonly access allows to view and download all your drive files"
But I think you intentionally skipped this part which is my main concern. I never said that the API allowed to edit or delete my drive files. I said the API got permission to view and download my whole drive files.
About GCloud API and verification:
A lot of people use Gmail API with SMTP plugin and it requires them to create project +API.
I don’t see any problem with that.
I simply understand that “It will be hard for users” – doesn’t allow you to get “view and download” access to users whole drive”

- This reply was modified 1 year, 4 months ago by Tuhin Ahmed.

So, you guys don’t see any problem in “UpdraftPlus” owning the app and getting full permission to your Google drive (not only website backup created by updraftplus plugin)?
Hello,
I would like to address my concern regarding the Google App that is owned by “[email protected]” and is redirected to “https://auth.updraftplus.com” for authorization. I am authorizing a third-party app, not my own app with my own website auth redirect URL.
The issue at hand is that this app is granted permission as “drive.readonly,” which allows it to “View and download all your Drive files.” (It’s not “Allows read-only access to file metadata and file content.” as stated in the reference link.)
My question is, why am I being asked to authorize a third-party Google app, owned by “[email protected],” to have access to all of my drive files?
Users can set up their own Google App and connect it with the plugin to send backups to their Drive.
I hope you understand what I mean.
Thanks

Hi @bcrodua
Exactly! Then why is it “See and download all your Google Drive files” please?
I hope you have reviewed the screenshot I shared above.
Thanks

Forum: Reviews
In reply to: [Educare - Students & Result Management System] It’s gonna be a superb plugin

By the way
If you need any more info related to those errors I found after the upgrade, here is my email address
https://1ty.me/9zA6H4i3D

Forum: Reviews
In reply to: [Educare - Students & Result Management System] It’s gonna be a superb plugin

Hi @fixbd
Thank you so much for this super fast update!
I see you are gonna make it! It’s just not gonna be a trash project.
I have tested the updated version and I see you have added those features I suggested.
I have found some bugs too. I know you are still working on it… in case these bug reports help…
1. Critical error due to a PHP syntax error on the file includes/functions.php line number 3013
2. Results are not returning now after the update.
3. Error on publishing marks.
Regards
Tuhin

Forum: Reviews
In reply to: [Educare - Students & Result Management System] It’s gonna be a superb plugin

Thank you for your reply on this and also for the version update!
I meant the list of students by class.
Right now it can just add students while adding results. But I would say a more accurate approach is adding students first.
So the action flow will be like this:
1. Add student: Name, roll, assign class, and other optional fields.
2. Add marks (not results): select class and subject. When you select class 8, and select the subject math, you will get an input form for all the students of class 8 who have taken the subject “math”.
Student name and roll number on left, a mark input field on right. The teacher will input math marks for all the students on the same screen at once.
Because teacher can’t have all subject mark by student name. Instead, they got the exam papers by subject wise…
3. All student: In this screen, a list of students will be shown. There will be a view button for results, profiles, and edit profiles. Result print button is good to have too.
I wish this project gonna be a very successful one for you and a very useful app for teachers.
Regards
Tuhin

Forum: Plugins
In reply to: [LiteSpeed Cache] JS Delayed Excludes

Actually, it’s working after deactivating and activating the plugin

I am facing the same issue here.
Seems auto-generation is adding unwanted taxonomies.
Updating manually solves the issue though.
But again in schedule generation, it’s adding unwanted taxonomies again!
Please solve the bug.

Forum: Fixing WordPress
In reply to: Unusual coding error after migrating WP multisite

Did you try after renaming the theme name as well?
If you don’t have twenty-twenty default theme in the themes directory, renaming active theme will give a white screen.

Forum: Fixing WordPress
In reply to: Google rejects my ads because of Malicious or Unwanted Software

The best way to resolve this issue is by calling Ads support directly. As a professional WordPress security expert, I have faced this issue a lot of times. After making the site clean and secure, the client still complains that Google doesn’t approve their site because malicious links exist.
Contacting Google ads support, they just send the link but never arrange to rescan or check the website manually.
I had to write them a tricky email like “show me where the link is”!!
Before that, make sure your website is really clean and those links don’t exist!
Then they will truly rescan the site actually!!
It took 7 business days for me.
https://solvewp.com/blog/tutorial/google-ads-disapproved-malicious-or-unwanted-software/

- This reply was modified 4 years, 7 months ago by Tuhin Ahmed.

@kojaa how??