CVE-2022-0444 – XCloner < 4.3.6 - Plugin Settings Reset
https://notcve.org/view.php?id=CVE-2022-0444
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.
• https://wpscan.com/vulnerability/9567d295-43c7-4e59-9283-c7726f16d40b
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-862: Missing Authorization
CVE-2020-35948 – Backup, Restore and Migrate WordPress Sites With the XCloner Plugin 4.2.1 - 4.2.12 - Unprotected AJAX Actions
https://notcve.org/view.php?id=CVE-2020-35948
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
• https://www.exploit-db.com/exploits/50077
• http://packetstormsecurity.com/files/163336/WordPress-XCloner-4.2.12-Remote-Code-Execution.html
• https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2020-35948
• https://wpscan.com/vulnerability/10412
• https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin
• CWE-862: Missing Authorization
• CWE-863: Incorrect Authorization
CVE-2020-35950 – Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.152 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2020-35950
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint).
• https://wpscan.com/vulnerability/10413
• https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-13424
https://notcve.org/view.php?id=CVE-2020-13424
The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.
• https://github.com/mkelepce/CVE-2020-13424
• https://www.xcloner.com/xcloner-news/security-release-available-for-archived-joomla-version
CVE-2015-4336 – Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2015-4336
cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file. The WordPress XCloner plugin version 3.1.2 suffers from command execution and cross-site scripting vulnerabilities.
• http://packetstormsecurity.com/files/132107/WordPress-XCloner-3.1.2-XSS-Command-Execution.html
• http://www.securityfocus.com/bid/74943
• http://www.vapid.dhs.org/advisory.php?v=121
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')