WordPress Plugin Vulnerabilities

XCloner Backup and Restore < 4.2.153 - Cross-Site Request Forgery

Description

Almost all of the endpoints in the plugin were vulnerable to cross-site request forgery due to a failure to implement nonces and corresponding checks.

An attacker could use a CSRF attack to trigger a backup or update plugin options, along with all of the malicious activity outlined in the reference below.

Affects Plugins

Plugin icon
xcloner-backup-and-restore
Fixed in 4.2.153

References

CVE
CVE-2020-35950
URL
https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
No
WPVDB ID
6f26fe84-e5a4-4864-8ceb-0589dac04f8f

Timeline

Publicly Published
2020-09-22 (about 5 years ago)
Added
2020-09-22 (about 5 years ago)
Last Updated
2021-01-19 (about 5 years ago)

Other

Published
Title
Published
2025-02-18
Title
Apptivo Business Site CRM <= 5.3 - Cross-Site Request Forgery to IP Address Block
Published
2024-04-10
Title
e2pdf < 1.23.00 - Cross-Site Request Forgery
Published
2025-08-14
Title
Simple Poll <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-11-01
Title
Random Featured Post <= 1.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2014-08-01
Title
WP-DownloadManager 1.60 - Script Insertion CSRF