Backup, Restore and Migrate your sites with XCloner Security & Risk Analysis

The plugin "xcloner-backup-and-restore" v4.8.4 presents a mixed security posture. While static analysis indicates a limited attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events directly exposed without authentication, and all SQL queries utilize prepared statements, there are significant concerns. The low percentage of properly escaped output (29%) is a red flag, suggesting a high potential for Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not handled carefully. Furthermore, the presence of a single flow with unsanitized paths in the taint analysis, even if not classified as critical or high, warrants careful review, as it could lead to path traversal or other file manipulation issues.

The plugin's vulnerability history is a major concern, with a substantial number of known CVEs, including a significant portion classified as critical and high. The variety of vulnerability types found in the history (Exposure of Sensitive Information, Missing Authorization, Path Traversal, Code Injection, Command Injection, XSS, Improper Access Control, CSRF) suggests a systemic issue with how user input and access control are managed within the plugin. The fact that the last recorded vulnerability was in 2025 indicates that even recent versions have had security flaws.

In conclusion, despite the apparent lack of directly exposed entry points in the static analysis, the plugin's history of numerous critical and high-severity vulnerabilities, coupled with the low percentage of proper output escaping and the identified unsanitized path flow, indicates a significant risk. The plugin has a track record of severe security flaws, and the current static analysis does not fully mitigate the risks suggested by its past. Users should exercise extreme caution and prioritize updating to a version that has demonstrably addressed the historical vulnerability patterns.