PT-2021-11880 · WordPress · Xcloner Backup/Restore

Chloe Chamberland · Published 2021-01-01 · Updated 2022-02-22 · CVE-2020-35948

CVSS v3.1: 9.9 (Critical)
Vector: AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
Name of the Vulnerable Software and Affected Versions: XCloner Backup and Restore plugin for WordPress, versions prior to 4.2.13
Description: An issue in the XCloner Backup and Restore plugin for WordPress allows authenticated attackers to modify arbitrary files, including PHP files, which can lead to remote code execution. The write file action in xcloner restore.php can be used to overwrite sensitive files such as wp-config.php. An attacker could additionally chain this with other behaviour of the plugin to obtain a database dump.
Recommendations: If you run a version prior to 4.2.13, update to version 4.2.13 or later, which resolves the issue. As a temporary workaround until the patch is applied, restrict access to the xcloner restore.php file and limit the ability to modify sensitive files such as wp-config.php (for example, with restrictive file permissions). Avoid using the write file action in xcloner restore.php until the plugin has been updated.

Tags: Exploit · Fix · RCE · Incorrect Authorization


Weakness Enumeration

Related Identifiers: CVE-2020-35948

Affected Products: Xcloner Backup/Restore