[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAMF2KuM14_ASm5a4iYpaobnNKKnADqKuVOs8T_H6ipk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-48965","backup-restore-and-migrate-your-sites-with-xcloner-authenticated-subscriber-information-exposure","Backup, Restore and Migrate your sites with XCloner \u003C= 4.8.6 - Authenticated (Subscriber+) Information Exposure","The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","xcloner-backup-and-restore",null,"\u003C=4.8.6","4.8.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-03 00:00:00","2026-06-11 13:58:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F38138775-2069-4878-ae41-06f53c74a0df?source=api-prod",9,[22,23,24,25,26,27,28,29],"CHANGELOG.txt","README.txt","admin\u002Fclass-xcloner-admin.php","admin\u002Fpartials\u002Fremote_storage\u002Faws.php","admin\u002Fpartials\u002Fremote_storage\u002Fazure.php","admin\u002Fpartials\u002Fremote_storage\u002Fbackblaze.php","admin\u002Fpartials\u002Fremote_storage\u002Fdropbox.php","admin\u002Fpartials\u002Fremote_storage\u002Fftp.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-48965\n\n## 1. Vulnerability Summary\nThe **Backup, Restore and Migrate your sites with XCloner** plugin (\u003C= 4.8.6) contains a sensitive information exposure vulnerability. The plugin fails to apply proper capability checks to its administrative menu pages and potentially its AJAX endpoints. Specifically, several menu pages intended for administrators are registered with the `read` capability (or no capability check at all), allowing any authenticated user with **Subscriber** privileges to view sensitive configuration data. This data includes cloud storage identifiers (AWS keys, bucket names), FTP\u002FSFTP connection details (hostnames, usernames), and backup metadata (hashes and file paths) that facilitate unauthorized access to site archives.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin.php?page=xcloner_remote_storage` and `\u002Fwp-admin\u002Fadmin.php?page=xcloner_backup` (inferred slug).\n- **Authentication:** Authenticated (Subscriber-level or higher).\n- **Vulnerable Parameter:** Accessing the `page` parameter via GET requests.\n- **Preconditions:** The plugin must be active, and some configuration (like remote storage or existing backups) must be present for data to be exposed.\n\n## 3. Code Flow\n1. The plugin registers its admin menus (likely using `add_menu_page` or `add_submenu_page`) inside the `Xcloner_Admin` class or a related loader.\n2. The registration uses a weak capability check (e.g., `read`) instead of the standard `manage_options`.\n3. When a Subscriber requests `\u002Fwp-admin\u002Fadmin.php?page=xcloner_remote_storage`, WordPress checks if the user has the `read` capability. Since all Subscribers have `read`, the request is authorized.\n4. The `Xcloner_Admin::xcloner_remote_storage_page()` method is executed.\n5. This method calls `require_once \"partials\u002Fxcloner_remote_storage_page.php\"`, which in turn includes specific storage templates like `admin\u002Fpartials\u002Fremote_storage\u002Faws.php`.\n6. These templates use `get_option()` to retrieve and display sensitive settings:\n   - `value=\"\u003C?php echo esc_attr(get_option(\"xcloner_aws_key\")) ?>\"` (AWS Key)\n   - `value=\"\u003C?php echo esc_attr(get_option(\"xcloner_ftp_hostname\")) ?>\"` (FTP Host)\n7. The sensitive data is rendered into the HTML response sent to the Subscriber.\n\n## 4. Nonce Acquisition Strategy\nAccessing the pages via GET for information exposure typically does **not** require a nonce in WordPress. Nonces are used to protect state-changing actions (POST). However, if an AJAX endpoint is involved:\n1. The `Xcloner_Admin::xcloner_remote_storage_page()` method logic (lines 142-152) confirms that a nonce `xcloner_remote_storage_nonce` with action `xcloner_remote_storage_action` is used for POST requests.\n2. Since the Subscriber can access the page, they can extract this nonce from the HTML source.\n3. **Execution Agent Strategy:**\n   - Navigate to `\u002Fwp-admin\u002Fadmin.php?page=xcloner_remote_storage`.\n   - Use `browser_eval` to extract the nonce: `document.querySelector('input[name=\"xcloner_remote_storage_nonce\"]')?.value`.\n\n## 5. Exploitation Strategy\n### Step 1: Remote Storage Information Extraction\n1. Log in as a Subscriber user.\n2. Use `http_request` to perform a GET request to the Remote Storage page.\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=xcloner_remote_storage`\n3. Parse the response body for sensitive identifiers:\n   - `xcloner_aws_key`\n   - `xcloner_aws_bucket_name`\n   - `xcloner_ftp_hostname`\n   - `xcloner_ftp_username`\n\n### Step 2: Backup Metadata Extraction\n1. Use `http_request` to perform a GET request to the Manage Backups page.\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=xcloner_manage_backups` (inferred slug).\n2. Look for the backup list table. According to `README.txt`, backups follow the format `backup_...-XXXXX.tgz`.\n3. Extract the 5-character hash (`XXXXX`) from the backup filenames.\n4. According to `README.txt`, a CSV file containing all archived filenames is stored at `xcloner-XXXXX\u002Fbackup_files.csv`.\n5. Construct the path to the backup log or file list: `wp-content\u002Fxcloner-backups\u002Fxcloner-XXXXX\u002Fxcloner-XXXXX.log`.\n\n## 6. Test Data Setup\n1. **Target:** WordPress with XCloner 4.8.6.\n2. **Attacker Account:** Create a user `attacker` with the `subscriber` role.\n3. **Configuration (Admin):**\n   - Go to **XCloner -> Remote Storage -> AWS**.\n   - Set \"S3 Key\" to `AKIA-TEST-KEY-EXPOSED`.\n   - Set \"S3 Bucket Name\" to `exposed-bucket-name`.\n   - Save settings.\n4. **Generate Data (Admin):**\n   - Run a manual backup to ensure the \"Manage Backups\" list is not empty.\n\n## 7. Expected Results\n- The Subscriber user successfully loads the admin page.\n- The HTTP response contains the string `AKIA-TEST-KEY-EXPOSED` and `exposed-bucket-name`.\n- The response contains backup filenames revealing the unique directory hashes (e.g., `xcloner-1c6c6`).\n\n## 8. Verification Steps\n1. Confirm the user role via CLI: `wp user get attacker --field=roles`.\n2. Confirm the actual option value in the database: `wp option get xcloner_aws_key`.\n3. Verify that the Subscriber can indeed see the values using a single HTTP request:\n   ```bash\n   # Example check for AWS key in response\n   http_request GET \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=xcloner_remote_storage\" | grep \"AKIA-TEST-KEY-EXPOSED\"\n   ```\n\n## 9. Alternative Approaches\nIf the menu page redirection is fixed, check for AJAX actions. The plugin enqueues `admin\u002Fjs\u002Findex.min.js`. Inspecting this script (or using `grep` on the plugin directory) often reveals AJAX actions like `xcloner_get_backups` or `xcloner_get_settings`.\n- **Potential Action:** `wp_ajax_xcloner_get_storage_details`\n- **Test:** `http_request POST \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\" -d \"action=xcloner_get_storage_details&nonce=...\"`\nCheck if these AJAX handlers verify `current_user_can('manage_options')`. If not, information can be extracted via JSON responses.","The XCloner plugin fails to properly restrict access to its administrative settings pages, allowing authenticated users with Subscriber-level permissions to view sensitive configuration data. This data includes cloud storage API keys (e.g., AWS), FTP\u002FSFTP credentials, and backup metadata which can be used to gain unauthorized access to site archives.","\u002F\u002F admin\u002Fpartials\u002Fremote_storage\u002Faws.php lines 38-42\n\u003Cdiv class=\" col s12 m6\">\n    \u003Cinput placeholder=\"\u003C?php echo __(\"S3 Key\", 'xcloner-backup-and-restore') ?>\" id=\"aws_key\" type=\"text\"\n           name=\"xcloner_aws_key\" class=\"validate\" value=\"\u003C?php echo esc_attr(get_option(\"xcloner_aws_key\")) ?>\"\n           autocomplete=\"off\">\n\u003C\u002Fdiv>\n\n---\n\n\u002F\u002F admin\u002Fpartials\u002Fremote_storage\u002Fftp.php lines 30-36\n\u003Cdiv class=\"col s12 m6\">\n    \u003Cinput\n            id=\"ftp_host\"\n            placeholder=\"\u003C?php echo __(\"Ftp Hostname\", 'xcloner-backup-and-restore') ?>\"\n            type=\"text\" name=\"xcloner_ftp_hostname\" class=\"validate\"\n            value=\"\u003C?php echo esc_attr(get_option(\"xcloner_ftp_hostname\")) ?>\">\n\u003C\u002Fdiv>\n\n---\n\n\u002F\u002F admin\u002Fpartials\u002Fremote_storage\u002Fftp.php lines 44-48\n\u003Cdiv class=\" col s12 m6\">\n    \u003Cinput placeholder=\"\u003C?php echo __(\"Ftp Username\", 'xcloner-backup-and-restore') ?>\" id=\"ftp_username\"\n           type=\"text\" name=\"xcloner_ftp_username\" class=\"validate\"\n           value=\"\u003C?php echo esc_attr(get_option(\"xcloner_ftp_username\")) ?>\" autocomplete=\"off\">\n\u003C\u002Fdiv>","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxcloner-backup-and-restore\u002F4.8.6\u002Fadmin\u002Fclass-xcloner-admin.php\t2026-04-07 07:51:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxcloner-backup-and-restore\u002F4.8.7\u002Fadmin\u002Fclass-xcloner-admin.php\t2026-05-25 09:58:30.000000000 +0000\n@@ -127,11 +127,13 @@\n             $domain = 'xcloner-backup-and-restore';\n             $statusCode = 403;\n             if (!isset($_POST['xcloner_remote_storage_nonce'])) {\n-                \\wp_die(\\__($errorMessage, $domain), $statusCode);\n+                \\wp_die(\\__('Nonce verification failed', 'xcloner-backup-and-restore'), $statusCode);\n+                \u002F\u002F phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped\n             }\n             $nonce = wp_unslash($_POST['xcloner_remote_storage_nonce']);\n             if (!\\wp_verify_nonce($nonce, 'xcloner_remote_storage_action')) {\n-                \\wp_die(\\__($errorMessage, $domain), $statusCode);\n+                \\wp_die(\\__('Nonce verification failed', 'xcloner-backup-and-restore'), $statusCode);\n+                \u002F\u002F phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped\n             }\n         }\n         if (isset($_POST['action'])) {\n@@ -194,7 +196,7 @@\n         \u002F\u002F wordpress will add the \"settings-updated\" $_GET parameter to the url\n         if (isset($_GET['settings-updated'])) {\n             \u002F\u002F add settings saved message with the class of \"updated\"\n-            \\add_settings_error('wporg_messages', 'wporg_message', \\__('Settings Saved', 'wporg'), 'updated');\n+            \\add_settings_error('wporg_messages', 'wporg_message', \\__('Settings Saved', 'xcloner-backup-and-restore'), 'updated');\n         }\n         \u002F\u002F show error\u002Fupdate messages\n         \\settings_errors('wporg_messages');","The exploit involves accessing administrative menu pages that are incorrectly registered with low capability requirements (typically 'read'). \n\n1. Authenticate to the target WordPress site as a Subscriber-level user.\n2. Navigate directly to the XCloner Remote Storage settings page via the URL: `\u002Fwp-admin\u002Fadmin.php?page=xcloner_remote_storage`.\n3. Observe that the page loads successfully despite the low privilege role.\n4. Extract sensitive identifiers from the HTML source, such as the `xcloner_aws_key` (AWS Access Key ID), `xcloner_aws_bucket_name`, or `xcloner_ftp_hostname` and `xcloner_ftp_username` found in the value attributes of their respective input fields.\n5. Navigate to the Manage Backups page (`\u002Fwp-admin\u002Fadmin.php?page=xcloner_manage_backups`) to view existing backup names, which reveal unique 5-character hashes used in backup storage directory paths.","gemini-3-flash-preview","2026-06-26 05:31:39","2026-06-26 05:33:13",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.8.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxcloner-backup-and-restore\u002Ftags\u002F4.8.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxcloner-backup-and-restore.4.8.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxcloner-backup-and-restore\u002Ftags\u002F4.8.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxcloner-backup-and-restore.4.8.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxcloner-backup-and-restore\u002Ftags"]