Skip to main content

XCloner WordPress Plugin CVE-2026-48965

| EUVDEUVD-2026-36864 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-15 Patchstack GHSA-jvmc-v9mp-529c
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
4.3 MEDIUM

Subscriber role implies authenticated low-privilege access (PR:L); CWE-201 mandates confidentiality impact (C:L); no integrity or availability impact supported by description.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:54 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions.

AnalysisAI

Sensitive data exposure in the XCloner backup and restore WordPress plugin (versions up to and including 4.8.6) permits unauthorized access to subscriber-level sensitive information via a network-accessible attack path. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content accessible without sufficient authorization controls. Discovered and reported by Patchstack, this flaw carries a CVSS 3.1 base score of 6.5 with no public exploit or CISA KEV listing identified at time of analysis.

Technical ContextAI

XCloner is a WordPress backup and restore plugin developed by Watchful (CPE: cpe:2.3:a:watchful:xcloner:*:*:*:*:*:*:*:*). CWE-201 describes a root cause where an application inserts sensitive data - such as credentials, backup paths, configuration parameters, or internal metadata - into data streams, API responses, or rendered output accessible to unauthorized or insufficiently privileged parties. In the context of a backup plugin, sensitive data likely includes backup file paths, database credentials, server configurations, or file system structure details that are embedded in plugin responses. The 'Subscriber' qualifier in the vulnerability title is significant in the WordPress user role model: subscribers are the lowest-privilege authenticated role, suggesting the plugin may expose sensitive output to any logged-in WordPress user, or alternatively exposes subscriber-related PII/data to unauthenticated requestors. The CVSS vector supplied (PR:N, C:N) presents inconsistencies with the CWE-201 classification and the 'subscriber' framing that warrant independent verification.

RemediationAI

The primary remediation is to update the XCloner plugin beyond version 4.8.6 immediately; however, an exact patched release version is not independently confirmed from the available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/xcloner-backup-and-restore/vulnerability/wordpress-xcloner-plugin-4-8-6-sensitive-data-exposure-vulnerability and the official WordPress plugin repository for the latest release. If an updated version is not yet available, the most effective compensating control is to deactivate the XCloner plugin entirely until a patch is applied, accepting the trade-off of losing automated backup scheduling. If deactivation is not operationally viable, restrict the WordPress site to trusted users only (remove public registration, audit subscriber accounts), and ensure backup files and directories are stored outside the web root and protected by server-level access controls (e.g., deny all in .htaccess for the backup storage path). Do not expose wp-admin or plugin REST endpoints to untrusted networks without authentication enforcement at the WAF or reverse proxy layer.

CVE-2014-2996 HIGH POC
7.1 Apr 25

XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administr

CVE-2014-2579 HIGH POC
7.6 Apr 25

Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers

CVE-2014-8603 MEDIUM POC
6.5 Jun 10

cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 6.5),

CVE-2014-2340 MEDIUM POC
6.8 Apr 03

Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers

CVE-2015-4336 MEDIUM POC
6.5 Jun 17

cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary co

CVE-2014-8604 MEDIUM POC
5.0 Jun 10

The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is re

CVE-2014-8605 MEDIUM POC
5.0 Jun 10

The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is re

CVE-2014-8606 MEDIUM POC
4.0 Jun 10

Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity

CVE-2022-0444 MEDIUM POC
4.3 Jun 27

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have auth

CVE-2015-4337 LOW POC
3.5 Jun 17

Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to

CVE-2015-4338 MEDIUM
6.5 Jun 17

Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to injec

CVE-2020-13424 MEDIUM
6.5 May 23

The XCloner component before 3.5.4 for Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit

Share

CVE-2026-48965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy