The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate …
GHSA-vvm8-x223-29qp: The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to...
The XCloner WordPress plugin versions up to 4.8.2 is vulnerable to Cross-Site Request Forgery due to missing nonce validation, allowing unauthenticated attackers to modify FTP backup configurations.