Clone < 2.4.3 – Unauthenticated Backup Download | CVE 2023-6750 | Plugin Vulnerabilities

Description

The plugin uses buffer files to store in-progress backup informations, which is stored at a publicly accessible, statically defined file path.

Proof of Concept

While a backup job is running, visitors can access one of the following files (it might take a couple tries, as the timing needs to be right):
 
"http://127.0.0.1/wordpress/wp-content/uploads/wp-clone/wpclone_backup/file.list",
"http://127.0.0.1/wordpress/wp-content/uploads/wp-clone/wpclone_backup/database.sql",
"http://127.0.0.1/wordpress/wp-content/uploads/wp-clone/wpclone_backup/prefix.txt"

Affects Plugins

wp-clone-by-wp-academy

Fixed in 2.4.3

References

CVE

URL

https://research.cleantalk.org/cve-2023-6750-clone-poc-exploit

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

fad9eefe-4552-4d20-a1fd-bb2e172ec8d7

Timeline

Publicly Published

2023-12-18 (about 4 months ago)

Added

2023-12-18 (about 4 months ago)

Last Updated

2023-12-20 (about 4 months ago)

Other

Published

Title

Published

2023-06-23

Title

MainWP Child < 4.4.1.2 - Sensitive File Disclosure

Published

2024-01-22

Title

File Manager < 7.2.2 - Sensitive Information Exposure via Backup Filenames

Published

2020-07-30

Title

JetBackup < 1.4.1 - Subscriber+ Sensitive Information Disclosure

Published

2024-03-28

Title

Paid Memberships Pro – Payfast Gateway Add On < 1.4.2 - Unauthenticated Information Exposure

Published

2024-03-18

Title

WP Go Maps < 9.0.35 - Information Exposure to Potential Denial of Service