VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 16 known issues Latest disclosed Dec 04, 2025

Backup, Restore and Migrate your sites with XCloner Vulnerabilities

Review known vulnerability records for the WordPress plugin Backup, Restore and Migrate your sites with XCloner (`xcloner-backup-and-restore`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-11759, CVE-2024-6559 and CVE-2022-0444, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
16
High or Critical
10
Patch Coverage
100%
Last Updated
Dec 05, 2025
Priority CVE Quick Links

Fast paths into Backup, Restore and Migrate your sites with XCloner CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
15
CVE-2022-0444 Critical 4.3.6
CVE-2022-0444 Backup, Restore and Migrate your sites with XCloner Cross-Site Request Forgery

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.16 - Unauthenticated Plugin Settings Reset

CVE-2020-35950 Critical 4.2.153
CVE-2020-35950 Backup, Restore and Migrate your sites with XCloner Cross-Site Request Forgery

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.152 - Cross-Site Request Forgery

CVE-2015-4338 Critical 3.1.3
CVE-2015-4338 Backup, Restore and Migrate your sites with XCloner Remote Code Execution

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Remote Code Execution

CVE-2014-2579 Critical 3.1.1
CVE-2014-2579 Backup, Restore and Migrate your sites with XCloner Cross-Site Request Forgery

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.0 - Multiple Cross-Site Request Forgery

CVE-2020-35948 High 4.2.153
CVE-2020-35948 Backup, Restore and Migrate your sites with XCloner Remote Code Execution

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin 4.2.1 - 4.2.12 - Unprotected AJAX Actions

CVE-2015-4336 High 3.1.3
CVE-2015-4336 Backup, Restore and Migrate your sites with XCloner Vulnerability

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Remote Command Execution

CVE-2014-8605 High 3.1.2
CVE-2014-8605 Backup, Restore and Migrate your sites with XCloner Vulnerability

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.1 - Improper Access Control to Information Disclosure

CVE-2014-8604 High 3.1.2
CVE-2014-8604 Backup, Restore and Migrate your sites with XCloner Vulnerability

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.1 - Sensitive Information Disclosure

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Backup, Restore and Migrate your sites with XCloner so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
16 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
4 critical and 6 high severity findings.
Recent CVEs
CVE-2025-11759, CVE-2024-6559 and CVE-2022-0444
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Backup, Restore and Migrate your sites with XCloner

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-11759
CVE-2025-11759: Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save()

The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it...

Published
Dec 04, 2025
Patched Release
4.8.3
Affected Versions
Versions up to 4.8.2
Next Step
Update to 4.8.3 or newer if supported.
Open CVE-2025-11759 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-6559
CVE-2024-6559: XCloner <= 4.7.3 - Unauthenticated Full Path Disclosure

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.7.3. This is due the plugin utilizing sabre without preventing direct access to the files. This makes it poss...

Published
Jul 15, 2024
Patched Release
4.7.4
Affected Versions
Versions up to 4.7.3
Next Step
Update to 4.7.4 or newer if supported.
Open CVE-2024-6559 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2022-0444
CVE-2022-0444: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.16 - Unauthenticated Plugin Settings Reset

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

Published
Jun 06, 2022
Patched Release
4.3.6
Affected Versions
Versions up to 4.2.16
Next Step
Update to 4.3.6 or newer if supported.
Open CVE-2022-0444 Report Open CVE Reference
Plugin High Patched: Yes CVE-2020-35948
CVE-2020-35948: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin 4.2.1 - 4.2.12 - Unprotected AJAX Actions

An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php wri...

Published
Aug 18, 2020
Patched Release
4.2.153
Affected Versions
4.2.1 through 4.2.12
Next Step
Update to 4.2.153 or newer if supported.
Open CVE-2020-35948 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2020-35950
CVE-2020-35950: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.152 - Cross-Site Request Forgery

An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint).

Published
Aug 18, 2020
Patched Release
4.2.153
Affected Versions
Versions before 4.2.153
Next Step
Update to 4.2.153 or newer if supported.
Open CVE-2020-35950 Report Open CVE Reference
Plugin Medium Patched: Yes
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.4 - Path Traversal to Sensitive Information Disclosure

The XCloner plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 3.1.4 via leaked directory listings from the 'files_xml.' AJAX action. This can allow authenticated attackers to extract sensitive data including otherwise private filepath...

Published
Dec 31, 2016
Patched Release
3.1.5
Affected Versions
Versions up to 3.1.4
Next Step
Update to 3.1.5 or newer if supported.
Open Full Report
Plugin Critical Patched: Yes CVE-2015-4338
CVE-2015-4338: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Remote Code Execution

Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php.

Published
May 10, 2015
Patched Release
3.1.3
Affected Versions
Versions before 3.1.3
Next Step
Update to 3.1.3 or newer if supported.
Open CVE-2015-4338 Report Open CVE Reference
Plugin High Patched: Yes CVE-2015-4336
CVE-2015-4336: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Remote Command Execution

cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file.

Published
May 10, 2015
Patched Release
3.1.3
Affected Versions
Versions up to 3.1.2
Next Step
Update to 3.1.3 or newer if supported.
Open CVE-2015-4336 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2015-4337
CVE-2015-4337: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.2 - Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php.

Published
May 10, 2015
Patched Release
3.1.3
Affected Versions
Versions up to 3.1.2
Next Step
Update to 3.1.3 or newer if supported.
Open CVE-2015-4337 Report Open CVE Reference
Plugin High Patched: Yes CVE-2014-8605
CVE-2014-8605: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.1 - Improper Access Control to Information Disclosure

The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in administrat...

Published
Oct 17, 2014
Patched Release
3.1.2
Affected Versions
Versions up to 3.1.1
Next Step
Update to 3.1.2 or newer if supported.
Open CVE-2014-8605 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2014-8606
CVE-2014-8606: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.1 - Directory Traversal

Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to read arbitrary files via a .. (dot dot) in the file parameter in a json_return action in the xcloner_show page to wp-admin/admin-ajax.php.

Published
Oct 17, 2014
Patched Release
3.1.2
Affected Versions
Versions before 3.1.2
Next Step
Update to 3.1.2 or newer if supported.
Open CVE-2014-8606 Report Open CVE Reference
Plugin High Patched: Yes CVE-2014-8607
CVE-2014-8607: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.1 - Sensitive Information Disclosure

The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users with administrator privileges to obtain sensitive information via the ps command.

Published
Oct 17, 2014
Patched Release
3.1.2
Affected Versions
Versions before 3.1.2
Next Step
Update to 3.1.2 or newer if supported.
Open CVE-2014-8607 Report Open CVE Reference