Command Execution Vulnerability in XCloner Plugin for WordPress
CVE-2015-4336
Currently unrated
Summary
Version 3.1.2 of the XCloner plugin for WordPress contains a command execution vulnerability caused by improper handling of user input in the cloner.functions.php file. Remote authenticated users can execute arbitrary commands by supplying crafted filenames that contain shell metacharacters. The flaw is reachable through features such as backup comments, and successful exploitation results in unauthorized command execution that compromises the integrity and security of affected WordPress installations.