CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0444 – XCloner < 4.3.6 - Plugin Settings Reset
https://notcve.org/view.php?id=CVE-2022-0444
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. El plugin Backup, Restore and Migrate WordPress Sites With the XCloner Plugin de WordPress versiones anteriores a 4.3.6, no dispone de comprobaciones de autorización y de tipo CSRF cuando son restablecidos sus ajustes, lo que permite a atacantes no autenticados restablecerlos, incluyendo la generación de una nueva clave de cifrado de la copia de seguridad • https://wpscan.com/vulnerability/9567d295-43c7-4e59-9283-c7726f16d40b • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2020-35950 – Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.152 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2020-35950
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint). Se detectó un problema en el plugin XCloner Backup and Restore versiones anteriores a 4.2.153 para WordPress. Permite un ataque de tipo CSRF (por medio de casi cualquier endpoint). • https://wpscan.com/vulnerability/10413 https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-13424
https://notcve.org/view.php?id=CVE-2020-13424
The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure. El componente XCloner versiones anteriores a 3.5.4 para Joomla!, permite una Divulgación de Archivo Local Autenticada • https://github.com/mkelepce/CVE-2020-13424 https://www.xcloner.com/xcloner-news/security-release-available-for-archived-joomla-version •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2015-4336 – Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2015-4336
cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file. cloner.functions.php en el plugin XCloner 3.1.2 para WordPress permite a usuarios remotos autenticados ejecutar comandos arbitrarios a través de un fichero que contiene nombres de ficheros con metacaracteres de shell, tal y como fue demostrado mediante el uso de la característica de comentarios sobre la copia de seguridad para crear el fichero. WordPress XCloner plugin version 3.1.2 suffers from command execution and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/132107/WordPress-XCloner-3.1.2-XSS-Command-Execution.html http://www.securityfocus.com/bid/74943 http://www.vapid.dhs.org/advisory.php?v=121 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4338 – Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2015-4338
Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php. Vulnerabilidad de inyección de código estático en el plugin XCloner 3.1.2 para WordPress permite a usuarios remotos autenticados inyectar código PHP arbitrario en los ficheros de idiomas a través de un campo Translation LM_FRONT_* para un idioma, tal y como fue demostrado por language/italian.php. WordPress XCloner plugin version 3.1.2 suffers from command execution and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/132107/WordPress-XCloner-3.1.2-XSS-Command-Execution.html http://www.securityfocus.com/bid/74943 http://www.vapid.dhs.org/advisory.php?v=121 • CWE-94: Improper Control of Generation of Code ('Code Injection') •