
CVSS: 9.9 • EPSS: 50% • CPEs: 1 • EXPL: 5

18 Aug 2020 — An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump. • https://packetstorm.news/files/id/163336 • CWE-862: Missing Authorization; CWE-863: Incorrect Authorization

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

18 Aug 2020 — An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint). • https://wpscan.com/vulnerability/10413 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 • EPSS: 8% • CPEs: 1 • EXPL: 1

23 May 2020 — The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure. • https://github.com/mkelepce/CVE-2020-13424

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 3

10 May 2015 — Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php. • https://packetstorm.news/files/id/132107 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 May 2015 — Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php. • https://packetstorm.news/files/id/132107 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 3

10 May 2015 — cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file. • https://packetstorm.news/files/id/132107 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.8 • EPSS: 6% • CPEs: 2 • EXPL: 4

17 Oct 2014 — cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4) $_CONFIG['tarcompress'], (5) $_CONFIG['filename'], (6) $_CONFIG['exfile_tar'], (7) $_CONFIG[sqldump], (8) $_CONFIG['mysql_host'], (9) $_CONFIG['mysql_pass'], (10) $_CONFIG['mysql_user'], (11) $database_name, or (12) $sqlfile variable. • https://packetstorm.news/files/id/129011 • CWE-20: Improper Input Validation; CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.5 • EPSS: 7% • CPEs: 2 • EXPL: 4

17 Oct 2014 — The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in administrators/backups/. • https://packetstorm.news/files/id/129011 • CWE-264: Permissions, Privileges, and Access Controls; CWE-284: Improper Access Control

CVSS: 7.2 • EPSS: 0% • CPEs: 2 • EXPL: 4

17 Oct 2014 — The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command. • https://packetstorm.news/files/id/129011 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.5 • EPSS: 8% • CPEs: 2 • EXPL: 4

17 Oct 2014 — The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors. • https://packetstorm.news/files/id/129011 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor