poppydev
Forum Replies Created
Hi Team,
Sorry for the late reply. Here is the site health report. Edit – please delete this log after your investigation. Thanks:
Any support on here? I can see others with a reply six hours ago but mine has been ignored.
Will leave it until Monday and if no reply I will remove and move to another security plugin. At least acknowledge my issue.
I am also getting this in search console when checked in WP Admin on the ‘Setting’ tab. Will hold off on other sites until you figure out what is the cause.
runtime.js:1 Uncaught TypeError: Cannot read properties of undefined (reading ‘call’)
at i (runtime.js:1:147)
at 83195 (settings.js:1:2050)
at i (runtime.js:1:147)
at settings.js:1:104500
at i.O (runtime.js:1:429)
at settings.js:1:104524
at r (runtime.js:1:2923)
at settings.js:1:65
Hope all the above helps….
- This reply was modified 11 months, 3 weeks ago by poppydev.
Ok I have reverted back to v9.1.0 and the only issue I am facing now is the ‘Dashboard’, ‘Site Scans’ and ‘Settings’ pages not being visible. I have checked another site that hasn’t had the plugin updated and all these parts work fine on the same version.
Both of these sites use the exact setup, theme builder and plugins.
Not sure what your update has done but it’s affected the plugin somehow, or corrupted the database.
This is the only error log from today after the update:
[08-Dec-2023 09:26:38 UTC] PHP Warning: require(/homepages/16/d4297805553/htdocs/wordpress/wp-content/plugins/better-wp-security/core/lib/settings.php): failed to open stream: No such file or directory in /homepages/16/d4297805553/htdocs/wordpress/wp-content/plugins/better-wp-security/core/core.php on line 123
[08-Dec-2023 09:26:38 UTC] PHP Fatal error: require(): Failed opening required ‘/homepages/16/d4297805553/htdocs/wordpress/wp-content/plugins/better-wp-security/core/lib/settings.php’ (include_path=’.:/usr/lib/php7.4′) in /homepages/16/d4297805553/htdocs/wordpress/wp-content/plugins/better-wp-security/core/core.php on line 123
- This reply was modified 11 months, 3 weeks ago by poppydev.
Forum: Plugins
In reply to: [File Manager Pro - Filester] Add password protect on file manager
Hi alina98, any update on the above security issues and if they have been or are being patched?
Thanks
Forum: Plugins
In reply to: [File Manager Pro - Filester] Add password protect on file manager
Hi Mia,
Knowing what you are using for your plugin, I have found a few “scary” security issues on gits repository….
Version 2.1.49 (2019-04-14)
at “www.cvedetails.com” search “elFinder”
at “github.com” search “Studio-42/elFinder”
CVE-2023-35840
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
CVE-2022-27115
In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.
CVE-2022-26960
connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
CVE-2021-43421
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
CVE-2021-23394
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
Can you also clarify these plugin patches have also been applied: https://github.com/Studio-42/elFinder/security
Please can you clarify if you are going to investigate these vulnerabilities, and if you are confident they have been resolved/patched in the latest version?
Thanks
Forum: Plugins
In reply to: [Maspik - Advanced Spam Protection] Maspik Spam Plugin Is BROKEN!
Hi yonifre, definitely an odd move to take away a feature that now shows incorrect statistics on the plugin when data is removed. This was a nice feature to reset both the counter and log files. What was the reason behind this? It feels broken now, that’s all. At some stage that number will just keep getting bigger and bigger. Would it be easier to integrate the reset counter with the reset log function? So one button to clear both features.
I will come back to you when I clear the next log of spam data to show you the screen is blank on that page.
Shocked to see my error report was identical and that my findings before anyone else’s were taken off here. I respect we have to create a new case but if it’s the same issue why do we have to repeat ourselves? I can see it isn’t a plugin conflict but something wrong with the way the plugin updates from the old to the new. Others on here seem to be having serious issues after updating as well.
It has really annoyed me that I am trying to support the issue and get a rubbish email to say you have to start your own thread and don’t respond on another even when it’s the same issue. Mind boggling process when the error was identical and nothing to do with the site setup. If that was the case then your previous plugin wouldn’t have worked as well.
Sad to say I won’t be sticking around after this response/action. I was only trying to help due to it being an issue.
Good luck to others getting it sorted. I may come back in the future to see how things are going. Hopefully the support then is not as brutal.
Forum: Plugins
In reply to: [One Time Login] Plugin updates/wp compatibility warning
Hi Daniel, thank you for getting back to me.
Sorry if some of my questions came across a little confusing. The issue lies with my host. They force the plugin every time I log into my FH control panel, or if a support agent logs into my site to check for errors etc.
This is fine and it’s nice to see they can access the site admin and back end without special permission. What I didn’t agree on is when they have finished what they are doing they do not remove this plugin, leaving it redundant and possibly a security issue going forward.
I respect you are the author of the plugin and trust you will always keep it up to date and to make sure it doesn’t become a security issue with the nature of what the plugin can do.
All I wanted to make sure is you have no responsibility for a third party user (hosting company) using your plugin on thousands of people’s websites and in that time you decide to leave the project with no support on your end. It’s common and there are loads of plugins on WordPress that have never been updated for years, all with serious security issues. With yours being a login plugin it only makes it more concerning. If you are a one man band and not a company then all I am doing is covering your back as you potentially could get backlash from these people if they assume it’s from your plugin. More so if they have no awareness it’s installed without their consent.
I have stressed this with the hosting company but they seem to feel it’s ok and shouldn’t be a problem. I wasn’t 100% happy due to them not supporting it.
Hope this makes more sense and just making sure you are aware of your plugin usage and how it’s being installed without users being aware.
EDIT:
I know you cannot control who uses it but you could add a disclaimer in your plugin to cover your back if used to install on people’s sites without consent. You can probably see the install log on your WordPress account and it will probably look abnormally high to say you only have a few reviews etc. These people are not aware and will never know about it being installed.
- This reply was modified 1 year, 1 month ago by poppydev.
Forum: Plugins
In reply to: [Maspik - Advanced Spam Protection] Maspik Spam Plugin Is BROKEN!
I noticed this, feels buggy at the moment. When you reset the log the screen shows as blank, and now I cannot see the reset counter button. Just a few small issues I noticed after the last few updates.
Forum: Plugins
In reply to: [WP Cerber Security, Anti-spam & Malware Scan] Needs to be on WP Repo again
Hi Gregory,
Apologies for the confusion with why you can’t have it back on here. I looked at a few other questions further down after I posted mine and get a vague idea to why.
Hopefully some day you can share your plugin freely to the WordPress community and not have to rely on people assuming you exist, especially new users.
Anyhow I did notice one issue with the latest version. Not sure what is the cause but it’s missing all icons on the admin side and when you go into the plugin settings it also removes icons on other plugins as well. This wasn’t something that happened on v9.0.0. I am on v 9.5.5. Same happens with all plugins disabled except yours. Not a big issue as everything works as expected.
I will share some screenshots and see if there is anything in the error log. Will be back shortly.
Just sent you an email from the link shared.
Thank you for your reply. I have added the Cookie script to my caching plugin exclusion rule. I have done this across all sites that use your plugin to make sure any further errors are avoided.
No worries in the colour change. Looking forward to this feature being added.
[EDIT]
Just to keep you in the loop. On WordPress repository the plugin is flagged as not being compatible with the latest version of WordPress even though your plugin had an update 11 hours ago from me replying to this message.
- This reply was modified 1 year, 3 months ago by poppydev.
Also on the FREE version you are limited to colourising all the links/buttons. I can’t seem to find the option to change – see screenshot here: https://ibb.co/Vp1TYgk.
Is this something that can be changed and if not can you add it to your road map as a feature? All other colours can be changed except this one. It wouldn’t work if the background colour was blue, or similar in shade. I can get away with it this time with it being black.
Thanks
- This reply was modified 1 year, 3 months ago by poppydev.
All sites are on 5.1.5.
Tried again on another domain and now I can’t get it to work at all. Just get the https://127.0.0.1. Going to try renaming it and installing a fresh copy. Hopefully it will re-apply the settings to the .htaccess.
Update: it could be related to Cloudflare or the Host “Fasthost”, that is, it doesn’t allow this feature to work correctly. Turning this off seems to bring the site back. Everything else works as expected.
The only odd thing about this is that it works when set up. Logout and use the secret name to log back in. All works perfectly. Then at times it just doesn’t like it. Very odd and could be related to my setup.
You do mention that it might not work based on your Host or other plugin factors. The only other plugin I use is iThemes for the server side security features.