Unauthenticated Attackers Can Reset Settings and Generate New Backup Encryption Key in XCloner Plugin

Unauthenticated Attackers Can Reset Settings and Generate New Backup Encryption Key in XCloner Plugin

CVE-2022-0444 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

Learn more about our Wordpress Pen Testing.