Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Subscriber role implies authenticated low-privilege access (PR:L); CWE-201 mandates confidentiality impact (C:L); no integrity or availability impact supported by description.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions.
AnalysisAI
Sensitive data exposure in the XCloner backup and restore WordPress plugin (versions up to and including 4.8.6) permits unauthorized access to subscriber-level sensitive information via a network-accessible attack path. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content accessible without sufficient authorization controls. Discovered and reported by Patchstack, this flaw carries a CVSS 3.1 base score of 6.5 with no public exploit or CISA KEV listing identified at time of analysis.
Technical ContextAI
XCloner is a WordPress backup and restore plugin developed by Watchful (CPE: cpe:2.3:a:watchful:xcloner:*:*:*:*:*:*:*:*). CWE-201 describes a root cause where an application inserts sensitive data - such as credentials, backup paths, configuration parameters, or internal metadata - into data streams, API responses, or rendered output accessible to unauthorized or insufficiently privileged parties. In the context of a backup plugin, sensitive data likely includes backup file paths, database credentials, server configurations, or file system structure details that are embedded in plugin responses. The 'Subscriber' qualifier in the vulnerability title is significant in the WordPress user role model: subscribers are the lowest-privilege authenticated role, suggesting the plugin may expose sensitive output to any logged-in WordPress user, or alternatively exposes subscriber-related PII/data to unauthenticated requestors. The CVSS vector supplied (PR:N, C:N) presents inconsistencies with the CWE-201 classification and the 'subscriber' framing that warrant independent verification.
RemediationAI
The primary remediation is to update the XCloner plugin beyond version 4.8.6 immediately; however, an exact patched release version is not independently confirmed from the available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/xcloner-backup-and-restore/vulnerability/wordpress-xcloner-plugin-4-8-6-sensitive-data-exposure-vulnerability and the official WordPress plugin repository for the latest release. If an updated version is not yet available, the most effective compensating control is to deactivate the XCloner plugin entirely until a patch is applied, accepting the trade-off of losing automated backup scheduling. If deactivation is not operationally viable, restrict the WordPress site to trusted users only (remove public registration, audit subscriber accounts), and ensure backup files and directories are stored outside the web root and protected by server-level access controls (e.g., deny all in .htaccess for the backup storage path). Do not expose wp-admin or plugin REST endpoints to untrusted networks without authentication enforcement at the WAF or reverse proxy layer.
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administr
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers
cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 6.5),
Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers
cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary co
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is re
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is re
Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have auth
Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to
Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to injec
The XCloner component before 3.5.4 for Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36864
GHSA-jvmc-v9mp-529c