Vulnerability Description
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
CVSS Score
9.9 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xcloner | Xcloner | >= 4.2.1, < 4.2.13 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/163336/WordPress-XCloner-4.2.12-Remote-Code (Third Party Advisory, VDB Entry)
- https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2020-35948 (Exploit, Third Party Advisory)
- https://wpscan.com/vulnerability/10412 (Exploit, Third Party Advisory)
- https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xclon (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-35948?
CVE-2020-35948 is a vulnerability with a CVSS score of 9.9 (CRITICAL). An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would...
How severe is CVE-2020-35948?
CVE-2020-35948 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-35948?
The issue affects XCloner Backup and Restore for WordPress (vendor: Xcloner) in versions from 4.2.1 up to but not including 4.2.13, so updating to 4.2.13 or later removes the vulnerable code path. Check the references section above for the vendor advisory and patch details.