Description

WordPress Plugin Backup, Restore and Migrate WordPress Sites With the XCloner is prone to arbitrary command execution, directory traversal and information disclosure vulnerabilities. An attacker may leverage these issues to execute arbitrary commands within the context of the vulnerable application or to obtain potentially sensitive information which could help in launching further attacks. WordPress Plugin Backup, Restore and Migrate WordPress Sites With the XCloner version 3.1.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.1.2 or latest

References

http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/

http://seclists.org/oss-sec/2014/q4/538

http://security.szurek.pl/xcloner-backup-and-restore-311-backup-download.html

http://www.exploit-db.com/exploits/35212/

http://packetstormsecurity.com/files/129011/Joomla-WordPress-XCloner-Command-Execution-Password-Disclosure.html

http://www.vapidlabs.com/advisory.php?v=110

Related Vulnerabilities

WordPress Plugin WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Security Bypass (7.6.0)

Oracle Application Server CVE-2008-7237 Vulnerability (CVE-2008-7237)

Oracle JRE CVE-2012-0505 Vulnerability (CVE-2012-0505)

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2947)

Apache Tomcat Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2009-2693)

Severity

High

Classification

CVE-2014-8603 CVE-2014-8604 CVE-2014-8605 CVE-2014-8606 CVE-2014-8607 CVE-2014-8813 CWE-22 CWE-78 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update