Critical update required for all users of XCloner for WordPress 4.2.152 and earlier

Recently, we were informed of a serious vulnerability affecting the XCloner WordPress plugin. This vulnerability affects all versions up to and including 4.2.152.

We take security very seriously at XCloner and Watchful and within 2 days of the report we had patched the most serious issue. Over the coming days we would add additional fixes.

As a result, all users should immediately upgrade to version 4.2.153.

Details of the vulnerability

The most serious vulnerability described in the report allow users with backend access to overwrite files, including wp-config.php, and potentially gain site access. by uploading a backdoor. Since this applies to users with low-level permissions such as subscribers, the issue is quite serious.

The report also detailed missing permissions checks in AJAX requests and these were also patched.

Thanks to WordFence for the thorough and professional identification of this issue.

Summary of the vulnerability

Description: Cross-Site Request Forgery
Affected Versions: <= 4.2.152
CVE ID: Pending.
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Source: WordFence

Timeline

  • August 14, 2020 – Initial discovery of vulnerable function and further analysis of plugin. Firewall rule creation process begins.
  • August 17, 2020 – Firewall rule tested and deployed to Wordfence premium users. Initial outreach to the plugin’s team.
  • August 18, 2020 – We send full disclosure details.
  • August 19, 2020 – An initial patch is released resolving the unprotected AJAX vulnerability.
  • August 20, 2020 – We follow up to disclose that several endpoints remain with no CSRF protection.
  • August 28, 2020 – The plugin’s team confirms that they are working on the issue and will release a patch shortly.
  • September 8, 2020 – A final and sufficient patch is released in version 4.2.153.
  • September 17, 2020 – Wordfence free users receive the firewall rule.