CVE-2014-8603

Published: Jun 10, 2015Modified: May 6, 2026

6.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability: 8.0 / Impact: 6.4

Source: NVD

Description

cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4) $_CONFIG['tarcompress'], (5) $_CONFIG['filename'], (6) $_CONFIG['exfile_tar'], (7) $_CONFIG[sqldump], (8) $_CONFIG['mysql_host'], (9) $_CONFIG['mysql_pass'], (10) $_CONFIG['mysql_user'], (11) $database_name, or (12) $sqlfile variable.

Affected (2)

Products: Xcloner: Xcloner

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Xcloner Xcloner	Version 3.1.1
Xcloner Xcloner	Version 3.5.1

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/

Source: cve@mitre.org

Exploit

http://www.vapid.dhs.org/advisory.php?v=110

Source: cve@mitre.org

Exploit

http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.vapid.dhs.org/advisory.php?v=110

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.