{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11759", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T19:57:56.210Z", "datePublished": "2025-12-05T01:55:21.515Z", "dateUpdated": "2026-04-08T17:13:38.710Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:38.710Z"}, "affected": [{"vendor": "watchful", "product": "Backup, Restore and Migrate your sites with XCloner", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data."}], "title": "Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save()", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a76a8e36-635a-48a3-8683-c24a0395212e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3398881/xcloner-backup-and-restore"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-11-10T09:27:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-04T13:31:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T16:54:22.958745Z", "id": "CVE-2025-11759", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T16:54:34.597Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11759", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T16:54:22.958745Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T16:54:31.292Z"}}], "cna": {"title": "Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save()", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "watchful", "product": "Backup, Restore and Migrate your sites with XCloner", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.8.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T09:27:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-04T13:31:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a76a8e36-635a-48a3-8683-c24a0395212e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3398881/xcloner-backup-and-restore"}], "descriptions": [{"lang": "en", "value": "The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-05T01:55:21.515Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11759", "state": "PUBLISHED", "dateUpdated": "2025-12-05T16:54:34.597Z", "dateReserved": "2025-10-14T19:57:56.210Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T01:55:21.515Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data."}, {"lang": "es", "value": "El plugin Backup, Restore and Migrate your sites with XCloner para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 4.8.2, inclusive. Esto se debe a la validaci\u00f3n de nonce faltante o incorrecta en la funci\u00f3n Xcloner_Remote_Storage:save(). Esto hace posible que atacantes no autenticados a\u00f1adan o modifiquen una configuraci\u00f3n de copia de seguridad FTP a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace. La explotaci\u00f3n exitosa permite a un atacante establecer un sitio FTP controlado por el atacante para el almacenamiento de copias de seguridad y exfiltrar datos del sitio potencialmente sensibles."}], "id": "CVE-2025-11759", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T03:15:56.450", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3398881/xcloner-backup-and-restore"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a76a8e36-635a-48a3-8683-c24a0395212e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:09:39.886244+00:00", "value": {"mitigation_remediation": ["Upgrade the XCloner plugin to a version newer than 4.8.2, which resolves the CSRF issue.", "If an upgrade is not immediately possible, configure the plugin to disallow external FTP backup destinations or enforce stricter validation of remote storage parameters.", "Monitor the \"Remote Storage:save()\" configuration changes for unexpected FTP destinations and audit backup logs for abnormal activity."], "summary": {"action": "Patch", "impact": "Potential data exfiltration via unauthorized backup configuration"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Backup, Restore and Migrate your sites with XCloner plugin by watchful. All plugin versions up to and including 4.8.2 are affected. Subsequent releases are not affected.", "description_and_impact": "The XCloner plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery in the Xcloner_Remote_Storage:save() function due to missing or incorrect nonce validation. An unauthenticated attacker can forge a request that, if an administrator clicks a malicious link, adds or modifies an FTP backup configuration. The attacker can set the backup target to a server under their control, thereby exfiltrating potentially sensitive site data. The weakness is a classic CSRF flaw (CWE-352) that compromises the confidentiality of stored content.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3, indicating a low\u2011to\u2011moderate impact. The EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a CSRF scenario that requires an administrator to click a malicious link or submit a forged request; authentication is not required to perform the action."}}}}, "created": "2025-12-05T10:51:51.439544+00:00", "updated": "2026-04-21T01:15:20.132462+00:00", "vendors": ["watchful", "watchful$PRODUCT$xcloner", "wordpress", "wordpress$PRODUCT$wordpress"]}