CVE-2022-0444

MEDIUM

XCloner < 4.3.6 - Unauthenticated Settings Reset and Backup Encryption Key Generation

Title source: llm

Description

The WordPress plugin "Backup, Restore and Migrate WordPress Sites With the XCloner Plugin" before 4.3.6 has neither authorisation nor CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/9567d295-43c7-4e59-9283-c7726f16d40b

Scores

CVSS v3: 4.3
EPSS: 0.0028
EPSS Percentile: 20.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE: CWE-352, CWE-862
Status: published
Products (1): watchful/xcloner < 4.3.6
Published: Jun 27, 2022
Tracked Since: Feb 18, 2026