CVE-2014-8607

XCloner 3.1.1 and 3.5.1 - Exposure of Sensitive Information via Command Line Arguments

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-8607. PoCs published by Larry W. Cashdollar.

AI-analyzed exploit summary: The exploit demonstrates arbitrary command execution in XCloner WordPress/Joomla! backup plugin due to unsanitized user input passed to exec() functions. Multiple input fields are vulnerable, allowing authenticated users with administrative access to execute arbitrary commands.

Description

The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command.

Exploits (1)

exploitdb WORKING POC
by Larry W. Cashdollar · text · webapps · php
https://www.exploit-db.com/exploits/35212

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: XCloner WordPress/Joomla! backup plugin v3.1.1 (WordPress), v3.5.1 (Joomla!)
Auth required
Prerequisites: Administrative access to the plugin · Plugin installed and configured
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS: 0.0086
EPSS Percentile: 53.9%

Details

CWE: CWE-200
Status: published
Products (2):
xcloner/xcloner 3.1.1
xcloner/xcloner 3.5.1
Published: Jun 10, 2015
Tracked Since: Feb 18, 2026