Description
The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data.
Published: 2025-12-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential data exfiltration via unauthorized backup configuration
Action: Patch
AI Analysis

Impact

The XCloner plugin for WordPress is vulnerable to Cross‑Site Request Forgery in the Xcloner_Remote_Storage:save() function due to missing or incorrect nonce validation. An unauthenticated attacker can forge a request that, if an administrator clicks a malicious link, adds or modifies an FTP backup configuration. The attacker can set the backup target to a server under their control, thereby exfiltrating potentially sensitive site data. The weakness is a classic CSRF flaw (CWE-352) that compromises the confidentiality of stored content.

Affected Systems

WordPress sites using the Backup, Restore and Migrate your sites with XCloner plugin by watchful. All plugin versions up to and including 4.8.2 are affected. Subsequent releases are not affected.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating a low‑to‑moderate impact. The EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a CSRF scenario that requires an administrator to click a malicious link or submit a forged request; authentication is not required to perform the action.

Generated by OpenCVE AI on April 21, 2026 at 01:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XCloner plugin to a version newer than 4.8.2, which resolves the CSRF issue.
  • If an upgrade is not immediately possible, configure the plugin to disallow external FTP backup destinations or enforce stricter validation of remote storage parameters.
  • Monitor the "Remote Storage:save()" configuration changes for unexpected FTP destinations and audit backup logs for abnormal activity.

Generated by OpenCVE AI on April 21, 2026 at 01:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Watchful
Watchful xcloner
Wordpress
Wordpress wordpress
Vendors & Products Watchful
Watchful xcloner
Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data.
Title Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save()
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Watchful Xcloner
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:38.710Z

Reserved: 2025-10-14T19:57:56.210Z

Link: CVE-2025-11759

cve-icon Vulnrichment

Updated: 2025-12-05T16:54:31.292Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T03:15:56.450

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11759

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z

Weaknesses