XCloner Backup and Restore WordPress Plugin Contains Critical Flaws

XCloner Backup and Restore is a WordPress plugin with more than 30,000 installations. The plugin is designed to provide WordPress users with easily customizable backups and simple-to-use restore functionality.

Unfortunately, Wordfence (Defiant) researchers recently discovered several vulnerabilities in the plugin, which could allow authenticated attackers with capabilities of a subscriber or above to modify arbitrary files, including PHP files.

This would then allow attackers to perform remote code execution on the server of a vulnerable site. Another possible scenario is chaining the vulnerabilities in the XCloner Backup and Restore plugin into an exploit that obtains a database dump. In addition, the plugin contained several endpoints vulnerable to cross-site request forgery (CSRF) attacks.

Fortunately, after the researchers got in touch with the plugin’s developers, an initial patch was quickly released to fix the most severe issue. An additional one followed to resolve the remaining problems.

The issues are considered critical because they could lead to remote code execution on a vulnerable site’s server. Updating to the fully patched version, 4.2.153, is highly recommended.

XCloner Backup and Restore Plugin: Critical Vulnerabilities

The first vulnerability is described as “Unprotected AJAX Action to Arbitrary File Overwrite and Sensitive Information Disclosure.”

Most of the plugin’s functionality is based on various AJAX actions that don’t require the page to refresh every time. The most critical of these functions that could have been exploited by attackers is write_file_action, which would allow users with subscriber-level access to overwrite any file, including wp-config.php, which contains WordPress database credentials, among other important data.

By exploiting this vulnerability, an attacker could overwrite wp-config.php with an empty file so that WordPress is tricked into thinking there is a new installation. This would then allow the attacker to connect their own database to an affected site and modify any files once they have re-configured the WordPress installation. Alternatively, an attacker could overwrite any other file with a backdoor and use that to gain access to the website’s entire filesystem, the Wordfence team explained in their report.

The other vulnerability in the XCloner Backup and Restore plugin is described as Cross-Site Request Forgery. Besides the almost entirely exposed AJAX endpoint, nearly all of the plugin’s endpoints were vulnerable to cross-site request forgery. This vulnerability stems from a failure to implement nonces and corresponding checks. A CSRF attack could trigger the plugin’s backup or update options, as well as any of the other malicious actions the vulnerabilities make possible.
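
The checks whose absence is described above (a nonce against CSRF, a capability check against subscriber-level callers, and confinement of the write path), sketched as a hardened WordPress AJAX file-write handler. This is an added example, not XCloner's code or its patch; the action name, function name, directory and extension allow-list are hypothetical.

```php
<?php
// Hypothetical plugin code for illustration; names below are not XCloner's.
// Registered only for logged-in users (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_backup_write_file', 'example_backup_write_file' );

function example_backup_write_file() {
    // 1. CSRF: stops the request unless it carries a valid nonce, which the
    //    admin page creates with wp_create_nonce( 'example_backup_write_file' ).
    check_ajax_referer( 'example_backup_write_file', 'nonce' );

    // 2. Authorization: a logged-in subscriber stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Path confinement: writes go only into one directory (assumed to exist).
    $base = realpath( WP_CONTENT_DIR . '/example-backups' );
    $name = isset( $_POST['name'] )
        ? sanitize_file_name( wp_unslash( $_POST['name'] ) ) // strips / and \
        : '';
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( false === $base || '' === $name || ! in_array( $ext, array( 'json', 'txt' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Bad request' ), 400 );
    }

    $target = $base . DIRECTORY_SEPARATOR . $name;
    // A symlink planted inside the directory could still point outside it.
    if ( is_link( $target ) ) {
        wp_send_json_error( array( 'message' => 'Bad request' ), 400 );
    }

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    if ( false === file_put_contents( $target, $content, LOCK_EX ) ) {
        wp_send_json_error( array( 'message' => 'Write failed' ), 500 );
    }
    wp_send_json_success( array( 'written' => $name ) );
}
```

With these checks in place, a request for a name such as wp-config.php is rejected by the extension allow-list, and any accepted name can only resolve to a file inside the one backup directory.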

