Directory Traversal Vulnerability in XCloner Plugin for WordPress
CVE-2014-8606
Currently unrated
Summary
The XCloner plugin for WordPress has a directory traversal vulnerability that allows remote administrators to access arbitrary files without authorization. The flaw is triggered by manipulating the file parameter of the json_return action on the xcloner_show page, in a request to wp-admin/admin-ajax.php. An attacker who exploits it may gain access to sensitive system files, potentially leading to further exploitation of the hosting environment. Users of the affected plugin versions should implement protective measures and keep their installations up to date to mitigate the risk.
EPSS Score
7% chance of being exploited in the next 30 days.