CVE-2025-11759 MEDIUM

CVE-2025-11759: Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save()

Vendor Watchful
Product Backup, Restore and Migrate your sites with XCloner
Weakness CWE-352 · CSRF
Published December 5, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data.
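The root cause named above is a settings-save handler that trusts a POST body because the caller is logged in, without verifying a WordPress nonce. The following is an added illustration of that pattern and its fix; it is not XCloner's code, and every function, option and field name prefixed `demo_` is a hypothetical placeholder. The WordPress API calls (`current_user_can`, `wp_nonce_field`, `check_admin_referer`, `admin_post_*` hooks) are real.

```php
<?php
// Added example, not from the XCloner plugin. Names prefixed demo_ are hypothetical.

// Vulnerable pattern (CWE-352): a capability check alone does not stop CSRF.
// A forged cross-site POST from a page the admin visits is sent with the
// admin's session cookies, so current_user_can() passes and the attacker's
// FTP hostname is stored as the backup destination.
function demo_remote_storage_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $settings = array(
        'ftp_hostname' => sanitize_text_field( wp_unslash( $_POST['ftp_hostname'] ?? '' ) ),
        'ftp_username' => sanitize_text_field( wp_unslash( $_POST['ftp_username'] ?? '' ) ),
        'ftp_path'     => sanitize_text_field( wp_unslash( $_POST['ftp_path'] ?? '' ) ),
    );
    update_option( 'demo_remote_storage_ftp', $settings );
}

// Hardened pattern, part 1: the settings form embeds a nonce tied to this
// action. An attacker's page cannot read it (same-origin policy), so a forged
// request cannot include a valid value.
function demo_remote_storage_form() {
    $current = get_option( 'demo_remote_storage_ftp', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_remote_storage_save', 'demo_remote_storage_nonce' ); ?>
        <input type="hidden" name="action" value="demo_remote_storage_save">
        <input type="text" name="ftp_hostname" value="<?php echo esc_attr( $current['ftp_hostname'] ?? '' ); ?>">
        <input type="text" name="ftp_username" value="<?php echo esc_attr( $current['ftp_username'] ?? '' ); ?>">
        <input type="text" name="ftp_path" value="<?php echo esc_attr( $current['ftp_path'] ?? '' ); ?>">
        <?php submit_button( 'Save FTP settings' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: verify the nonce before touching any state.
// check_admin_referer() validates the nonce for the named action and calls
// wp_die() on failure, so nothing below it runs for a forged request.
// For wp_ajax_* handlers the equivalent call is check_ajax_referer().
function demo_remote_storage_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_remote_storage_save', 'demo_remote_storage_nonce' );

    $settings = array(
        'ftp_hostname' => sanitize_text_field( wp_unslash( $_POST['ftp_hostname'] ?? '' ) ),
        'ftp_username' => sanitize_text_field( wp_unslash( $_POST['ftp_username'] ?? '' ) ),
        'ftp_path'     => sanitize_text_field( wp_unslash( $_POST['ftp_path'] ?? '' ) ),
    );
    update_option( 'demo_remote_storage_ftp', $settings );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_demo_remote_storage_save', 'demo_remote_storage_save_hardened' );
```

When reviewing a plugin for this class of bug, look for every state-changing handler reachable through `admin-post.php`, `admin-ajax.php` or a custom REST/admin endpoint and confirm a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call precedes the write; a capability check on its own is not sufficient, because CSRF rides on the victim's existing authorization. Operationally, an unexpected change to the backup destination hostname in the plugin's stored options is the signal to alert on, since a redirected backup target is exactly the impact the description above warns of.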

Explanation of Vulnerability in Simple Terms

02 Summary

XCloner versions up to 4.8.2 are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions within XCloner without the admin's knowledge or consent. The vulnerability requires the victim to visit the attacker's page while authenticated to the site.

What an attacker can do

03 Attacker Capabilities

Perform unwanted actions in XCloner on behalf of a logged-in administrator without their knowledge.

Potential impact on your site

04 Site Impact

An attacker could modify backup settings, trigger unwanted backups, or alter site configuration through a tricked admin.

Conditions required to exploit

05 Prerequisites

Administrator must be logged into the site and visit an attacker-controlled webpage.

Key dates

06 Disclosure timeline

December 5, 2025 CVE published
April 8, 2026 Record updated