An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/163336/WordPress-XCloner-4.2.12-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2020-35948 | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/10412 | Exploit Third Party Advisory |
https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin/ | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-01-01T03:27:47
Updated: 2022-02-14T19:43:06
Reserved: 2021-01-01T00:00:00
Link: CVE-2020-35948
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-01-01T04:15:13.497
Modified: 2022-02-22T10:14:44.160
Link: CVE-2020-35948
JSON object: View
Redhat Information
No data.
CWE