Xcloner
by Xcloner
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-8605 | 0.04 | — | 0.07 | Jun 10, 2015 | The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in… | |||
| CVE-2014-8604 | 0.04 | — | 0.07 | Jun 10, 2015 | The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors. | |||
| CVE-2014-8603 | 0.04 | — | 0.06 | Jun 10, 2015 | cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4)… | |||
| CVE-2014-2996 | 0.04 | — | 0.10 | Apr 25, 2014 | XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether… | |||
| CVE-2014-8607 | 0.03 | — | 0.01 | Jun 10, 2015 | The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command. | |||
| CVE-2014-8606 | 0.03 | — | 0.06 | Jun 10, 2015 | Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to read arbitrary files via a .. (dot dot) in the file parameter in a json_return action in the xcloner_show page to wp-admin/admin-ajax.php. | |||
| CVE-2014-2579 | 0.03 | — | 0.06 | Apr 25, 2014 | Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrator password via the config task to index2.php or (2) when the… | |||
| CVE-2014-2340 | 0.03 | — | 0.03 | Apr 3, 2014 | Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create website backups via a request to wp-admin/plugins.php. | |||
| CVE-2020-13424 | 0.01 | — | 0.02 | May 23, 2020 | The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure. | |||
| CVE-2022-0444 | 0.00 | — | 0.00 | Jun 27, 2022 | The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. | |||
| CVE-2015-4338 | 0.00 | — | 0.02 | Jun 17, 2015 | Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php. | |||
| CVE-2015-4337 | 0.00 | — | 0.02 | Jun 17, 2015 | Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php. | |||
| CVE-2015-4336 | 0.00 | — | 0.03 | Jun 17, 2015 | cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file. |
- CVE-2014-8605Jun 10, 2015risk 0.04cvss —epss 0.07
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in…
- CVE-2014-8604Jun 10, 2015risk 0.04cvss —epss 0.07
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors.
- CVE-2014-8603Jun 10, 2015risk 0.04cvss —epss 0.06
cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4)…
- CVE-2014-2996Apr 25, 2014risk 0.04cvss —epss 0.10
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether…
- CVE-2014-8607Jun 10, 2015risk 0.03cvss —epss 0.01
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command.
- CVE-2014-8606Jun 10, 2015risk 0.03cvss —epss 0.06
Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to read arbitrary files via a .. (dot dot) in the file parameter in a json_return action in the xcloner_show page to wp-admin/admin-ajax.php.
- CVE-2014-2579Apr 25, 2014risk 0.03cvss —epss 0.06
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrator password via the config task to index2.php or (2) when the…
- CVE-2014-2340Apr 3, 2014risk 0.03cvss —epss 0.03
Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create website backups via a request to wp-admin/plugins.php.
- CVE-2020-13424May 23, 2020risk 0.01cvss —epss 0.02
The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.
- CVE-2022-0444Jun 27, 2022risk 0.00cvss —epss 0.00
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.
- CVE-2015-4338Jun 17, 2015risk 0.00cvss —epss 0.02
Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php.
- CVE-2015-4337Jun 17, 2015risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php.
- CVE-2015-4336Jun 17, 2015risk 0.00cvss —epss 0.03
cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file.