VYPR

Xcloner

by Xcloner

CVEs (13)

  • CVE-2014-8605Jun 10, 2015
    risk 0.04cvss epss 0.07

    The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in…

  • CVE-2014-8604Jun 10, 2015
    risk 0.04cvss epss 0.07

    The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors.

  • CVE-2014-8603Jun 10, 2015
    risk 0.04cvss epss 0.06

    cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4)…

  • CVE-2014-2996Apr 25, 2014
    risk 0.04cvss epss 0.10

    XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether…

  • CVE-2014-8607Jun 10, 2015
    risk 0.03cvss epss 0.01

    The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command.

  • CVE-2014-8606Jun 10, 2015
    risk 0.03cvss epss 0.06

    Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to read arbitrary files via a .. (dot dot) in the file parameter in a json_return action in the xcloner_show page to wp-admin/admin-ajax.php.

  • CVE-2014-2579Apr 25, 2014
    risk 0.03cvss epss 0.06

    Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrator password via the config task to index2.php or (2) when the…

  • CVE-2014-2340Apr 3, 2014
    risk 0.03cvss epss 0.03

    Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create website backups via a request to wp-admin/plugins.php.

  • CVE-2020-13424May 23, 2020
    risk 0.01cvss epss 0.02

    The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.

  • CVE-2022-0444Jun 27, 2022
    risk 0.00cvss epss 0.00

    The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

  • CVE-2015-4338Jun 17, 2015
    risk 0.00cvss epss 0.02

    Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php.

  • CVE-2015-4337Jun 17, 2015
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php.

  • CVE-2015-4336Jun 17, 2015
    risk 0.00cvss epss 0.03

    cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file.