PT-2015-4053 · WordPress+1 · Xcloner+1

Larry W. Cashdollar +1
Published 2015-06-10 · Updated 2015-06-11 · CVE-2014-8607
CVSS v2.0: 2.1 (Low)
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions
XCloner plugin version 3.1.1 for WordPress
XCloner plugin version 3.5.1 for Joomla!

Description
The issue allows local users to obtain sensitive information, specifically the MySQL username and password, via the ps command. This is because the XCloner plugin provides these credentials on the command line.

Recommendations
For XCloner plugin version 3.1.1 for WordPress, consider restricting access to the command line interface to minimize the risk of exploitation. For XCloner plugin version 3.5.1 for Joomla!, avoid using the plugin until a patch is available that properly secures the MySQL username and password. As a temporary workaround, consider disabling the XCloner plugin until a secure version is released.
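
The exposure described above and one way to avoid it, as an added example that is not XCloner's code or part of the original advisory: a check for MySQL client arguments that carry a password inline, next to a mysqldump invocation that reads credentials from an owner-only option file. The function names, the user, password and database values, and the weak command line are constructed for illustration.

```python
import os
import re
import tempfile

# A mysql client option that carries the password inline: -p<value> or --password=<value>.
INLINE_PASSWORD = re.compile(r"^(-p.+|--password=.+)$")


def argv_leaks_password(argv):
    """Return True if any argument after the program name carries a password."""
    return any(INLINE_PASSWORD.match(arg) for arg in argv[1:])


def write_option_file(user, password, directory=None):
    """Write a [client] option file that only the owning user can read."""
    for value in (user, password):
        if '"' in value or "\n" in value:
            raise ValueError("value cannot be safely quoted in an option file")
    # mkstemp creates the file with mode 0600, so other local users cannot read it.
    fd, path = tempfile.mkstemp(prefix="dump-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write('[client]\nuser="%s"\npassword="%s"\n' % (
            user.replace("\\", "\\\\"), password.replace("\\", "\\\\")))
    return path


def build_dump_argv(option_file, database):
    """mysqldump argv with credentials kept out of the process list."""
    # --defaults-extra-file has to be the first option on the command line.
    return ["mysqldump", "--defaults-extra-file=" + option_file, database]


# Constructed sample values, not taken from the advisory.
WEAK_ARGV = ["mysqldump", "-uwp_user", "-pconstructed-secret", "wordpress"]

if __name__ == "__main__":
    path = write_option_file("wp_user", "constructed-secret")
    try:
        safe = build_dump_argv(path, "wordpress")
        print("weak argv leaks password:", argv_leaks_password(WEAK_ARGV))
        print("safe argv leaks password:", argv_leaks_password(safe))
    finally:
        os.remove(path)  # delete the credentials file once the dump is done
```

The same check can be run over the argument lists of running processes to find other tools on a host that pass database passwords on the command line.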

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2014-8607

Affected Products

Mysql Server
Xcloner