CVSS Base Score: 6.5

CVE-2014-8603

Exploit available

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.1 - Remote Code Execution

cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4) $_CONFIG['tarcompress'], (5) $_CONFIG['filename'], (6) $_CONFIG['exfile_tar'], (7) $_CONFIG[sqldump], (8) $_CONFIG['mysql_host'], (9) $_CONFIG['mysql_pass'], (10) $_CONFIG['mysql_user'], (11) $database_name, or (12) $sqlfile variable.
Possible countermeasure
Backup, Restore and Migrate your sites with XCloner: update to version 3.1.2 or a newer patched version.
Data provided by the National Vulnerability Database (NVD)
Vendor: Xcloner, Product: Xcloner, Version: 3.1.1, Software platform: wordpress
Further vulnerability information
System: WordPress Plugin
Product: Backup, Restore and Migrate your sites with XCloner
Affected versions: [*, 3.1.2) (all versions before 3.1.2)
No advisory was found for this CVE.
EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  6.37%   0.928
CVSS Metrics
Source        Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov  6.5         8              6.4           AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References
http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/ (Exploit)
http://www.vapid.dhs.org/advisory.php?v=110 (Exploit)
https://www.wordfence.com/threat-intel/vulnerabilities/id/b8cdd8b4-52e6-431b-b2f0-bfe1d0c1dd91 (Third Party Advisory)