XCloner Backup and Restore is a WordPress plugin for backing up and restoring your sites. It can send your site backups to SFTP, Dropbox, Amazon, Google Drive, Backblaze and other locations.
A recently identified vulnerability allowed low-privilege users, such as subscribers, to reach and run multiple functions that are only meant to be called during a restore.
One of those functions is write_file_action, which lets any such user write arbitrary files to the website. If several websites share the same hosting account, those sites would have been writable as well.
This is a critical security vulnerability: anyone who knew about it could gain complete access to the hosting account's files and database.
This is the main reason we created the free WordPress Theme, Plugin and Security Scanner. It tells you whether you are running outdated plugins and themes and raises other security alerts, so be sure to scan your site on a regular basis.
If you are using XCloner Backup and Restore, please update immediately.
Article Excerpt: On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites.
This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on a vulnerable site’s server.
Alternatively, an attacker could create an exploit chain to obtain a database dump due to the same unprotected AJAX endpoint, amongst other things. The plugin also contained several endpoints that were vulnerable to cross-site request forgery (CSRF).
We initially reached out to the plugin’s team on August 17, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on August 18, 2020.
The plugin’s team quickly released an initial patch on August 19, 2020 to resolve the most severe problem, and they released an additional patch on September 8, 2020 to resolve the remaining issues.
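The two weaknesses described above (a restore-time file-write action reachable by any logged-in user, and AJAX endpoints without CSRF protection) come down to missing checks in a WordPress AJAX handler. The following is an added illustration written for this post, not XCloner's own code; the hook name, function names, nonce action and restore directory are assumptions.

```php
<?php
// Added illustration (not XCloner's code): a privileged "write file" AJAX
// handler, first as the unprotected pattern the advisory describes, then
// hardened. Hook, function and directory names are assumptions.

// Unprotected pattern. Every wp_ajax_* hook is reachable by any logged-in
// user (subscriber and up), so without a capability check or nonce the
// handler writes whatever path and content the request supplies.
// Shown only to point out the missing checks; it is never hooked below.
function xc_demo_write_file_unprotected() {
    $path    = $_POST['path'] ?? '';
    $content = $_POST['content'] ?? '';
    file_put_contents( $path, $content );   // arbitrary file write, any user
    wp_send_json_success();
}

// Hardened form: require an administrator-level capability, verify a nonce
// bound to this action (defeats CSRF), confine writes to one plugin
// directory, and refuse PHP files so a backup can never become executable code.
function xc_demo_write_file_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );          // exits
    }
    // The admin page that issues the request must pass a nonce created with
    // wp_create_nonce( 'xc_demo_write_file' ); on mismatch this call dies.
    check_ajax_referer( 'xc_demo_write_file', 'nonce' );

    // Reduce the client-supplied name to a bare file name (no directories).
    $name = sanitize_file_name( wp_unslash( $_POST['path'] ?? '' ) );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( '' === $name || in_array( $ext, array( 'php', 'phtml', 'phar' ), true ) ) {
        wp_send_json_error( 'invalid file name', 400 );  // exits
    }

    $base = trailingslashit( WP_CONTENT_DIR ) . 'xc-demo-restore/'; // assumed dir
    wp_mkdir_p( $base );
    $written = file_put_contents( $base . $name, wp_unslash( $_POST['content'] ?? '' ) );
    if ( false === $written ) {
        wp_send_json_error( 'write failed', 500 );       // exits
    }
    wp_send_json_success( array( 'file' => $name, 'bytes' => $written ) );
}
// Only the hardened handler is registered, and only for logged-in users
// (no wp_ajax_nopriv_ hook), matching the "authenticated" scope of the issue.
add_action( 'wp_ajax_xc_demo_write_file', 'xc_demo_write_file_hardened' );
```

The capability check is what stops subscriber-level accounts, and the nonce is what stops the CSRF variant; the directory and extension limits are defence in depth if either check is ever bypassed.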