Xcloner
Monthly
Sensitive data exposure in the XCloner backup and restore WordPress plugin (versions up to and including 4.8.6) permits unauthorized access to subscriber-level sensitive information via a network-accessible attack path. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content accessible without sufficient authorization controls. Discovered and reported by Patchstack, this flaw carries a CVSS 3.1 base score of 6.5 with no public exploit or CISA KEV listing identified at time of analysis.
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner component before 3.5.4 for Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 13.8%.
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Sensitive data exposure in the XCloner backup and restore WordPress plugin (versions up to and including 4.8.6) permits unauthorized access to subscriber-level sensitive information via a network-accessible attack path. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content accessible without sufficient authorization controls. Discovered and reported by Patchstack, this flaw carries a CVSS 3.1 base score of 6.5 with no public exploit or CISA KEV listing identified at time of analysis.
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner component before 3.5.4 for Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 13.8%.
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.