CVE-2025-11759
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xcloner | xcloner | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Update the XCloner WordPress plugin to version 4.8.3 or later, which includes security fixes that add nonce verification for POST requests to prevent CSRF attacks and sanitize input parameters. This update enforces nonce validation and terminates unauthorized requests with a 403 Forbidden status, effectively mitigating the vulnerability. [2]
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Backup, Restore and Migrate your sites with XCloner plugin for WordPress, affecting all versions up to and including 4.8.2. It occurs because the plugin's Xcloner_Remote_Storage:save() function lacks proper nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions like clicking a malicious link. This can enable the attacker to add or modify an FTP backup configuration on the site.
How can this vulnerability impact me? :
Exploitation of this vulnerability allows an attacker to set an attacker-controlled FTP site for backup storage, which can lead to exfiltration of potentially sensitive site data. This means an attacker could gain unauthorized access to backup data, potentially compromising the confidentiality of the site's information.