Clone Vulnerability – Sensitive Information Exposure – CVE-2023-6750 | WordPress Plugin Vulnerability Report

Plugin Name: Clone

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-clone-by-wp-academy
  • Software Status: Active
  • Software Author: migrate
  • Software Downloads: 3,152,544
  • Active Installs: 90,000
  • Last Updated: December 18, 2023
  • Patched Versions: 2.4.3
  • Affected Versions: <= 2.4.2

Vulnerability Details:

  • Name: WP Clone <= 2.4.2 - Sensitive Information Exposure
  • Title: Sensitive Information Exposure
  • Type: Information Exposure
  • CVE: CVE-2023-6750
  • CVSS Score: 9.8 (Critical)
  • Publicly Published: December 18, 2023
  • Researcher: Dmitrii Ignatyev
  • Description: The Clone plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2. This makes it possible for unauthenticated attackers to download database backups made with the plugin resulting in the potential of a complete site takeover.

Summary:

The Clone plugin for WordPress has a critical vulnerability in versions up to and including 2.4.2 that allows unauthenticated attackers to download database backups, exposing sensitive information and enabling potential site takeovers. This vulnerability has been patched in version 2.4.3.

Detailed Overview:

Researcher Dmitrii Ignatyev discovered a sensitive information exposure vulnerability in the Clone plugin that impacts all versions up to and including 2.4.2. This vulnerability allows any unauthenticated attacker to access database backups created by the plugin, exposing administrative credentials, website content, and user information. With this level of access, attackers could potentially take over WordPress sites completely. The vulnerability received a CVSS score of 9.8 out of 10, indicating its critical severity.

Advice for Users:

  1. Immediate Action: Update to version 2.4.3 immediately to patch this vulnerability.
  2. Check for Signs of Compromise: Review logs and scan for malware to determine if your site has already been compromised via this vulnerability.
  3. Consider Alternatives: While this vulnerability has been patched, consider alternative migration plugins as a precaution.
  4. Stay Updated: Enable automatic background updates in WordPress to receive security patches rapidly.

Conclusion:

The swift response from the Clone developers to patch this severe vulnerability shows their commitment to user security. All Clone users must urgently update to version 2.4.3 or later to prevent unauthorized access to sensitive data. Regular plugin updates are essential to staying secure.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-clone-by-wp-academy

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-clone-by-wp-academy/wp-clone-242-sensitive-information-exposure

Detailed Report:

Keeping your WordPress website secure should be a top priority – unfortunately, far too many site owners fail to do so. Neglecting updates for your themes, plugins, and WordPress core exposes your site to serious vulnerabilities that can lead to hacked sites, data breaches, and even full site takeovers.

Case in point: a critical security issue was recently disclosed in the popular Clone migration plugin, used by over 90,000 WordPress sites. Versions up to and including 2.4.2 contain a sensitive information exposure vulnerability that enables database backups to be downloaded by attackers without authentication. This means hackers could get full copies of your site’s data and admin credentials, allowing them to hijack your site completely.

About the Affected Plugin

The Clone plugin by WP Academy is a migration utility installed on over 3 million WordPress sites. It allows admins to clone, back up, move or duplicate their WordPress install between domains and servers. The plugin currently has over 90,000 active installs.

Details of the Vulnerability

Researcher Dmitrii Ignatyev discovered a flaw that impacts Clone versions up to and including 2.4.2. The vulnerability, tracked as CVE-2023-6750, allows any unauthenticated attacker to download database backups created by the plugin. This exposes sensitive data like admin credentials, website content, and user information.

This is an extremely severe issue that received a 9.8 out of 10 CVSS severity score. With the exposed data, attackers could easily take over affected sites or launch further attacks leveraging the stolen data.

Risks and Potential Impacts

This vulnerability effectively negates any authentication or hardening measures site owners have in place. Attackers can bypass login requirements completely and still access your site’s most sensitive data. Beyond site takeovers, your users’ personal information could be compromised in a data breach as well.

How to Remediate

The good news is that Clone developers have already patched this flaw in version 2.4.3. To secure your site, simply visit the Plugins menu in your WordPress dashboard and update Clone to the latest version. Delete any unused database backups created by the plugin for additional safety.
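The "Check for Signs of Compromise" step in the Advice for Users and the remediation steps above both come down to two checks: is the installed version still in the affected range, and do the web server logs show successful downloads of backup archives? The following is an added example, not code from the report or from the Clone plugin: it parses constructed combined-format access log lines and flags 2xx responses for backup-archive paths. The backup directory shown is a constructed placeholder, since the report does not state where the plugin stores its backups.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# The backup path is a placeholder; the plugin's real backup location is not given
# in the report, so adapt BACKUP_SUFFIXES and the path filter to your install.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [18/Dec/2023:10:02:15 +0000] "GET /wp-content/uploads/backup-placeholder/site-db.sql.gz HTTP/1.1" 200 48230411 "-" "python-requests/2.31"
198.51.100.3 - - [18/Dec/2023:10:02:40 +0000] "GET /wp-content/uploads/backup-placeholder/site-files.zip HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.9 - - [18/Dec/2023:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".tgz")
PATCHED_VERSION = (2, 4, 3)  # first fixed release per the report


def needs_update(installed: str) -> bool:
    """True if the installed Clone version is in the affected range (<= 2.4.2)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", installed))
    return parts < PATCHED_VERSION


def find_backup_downloads(log_text: str) -> List[Dict[str, object]]:
    """Return successful (2xx) requests whose path ends in a backup-archive suffix."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0].lower()
        status = int(m.group("status"))
        if 200 <= status < 300 and path.endswith(BACKUP_SUFFIXES):
            size = m.group("size")
            hits.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "path": m.group("path"),
                "bytes": int(size) if size != "-" else 0,
            })
    return hits


if __name__ == "__main__":
    print("update required:", needs_update("2.4.2"))
    for h in find_backup_downloads(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} fetched {h['path']} ({h['bytes']} bytes)")
```

Any hit from an address that never authenticated is worth treating as a likely backup exposure; rotate the database and admin credentials rather than only removing the file.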

Previous Vulnerabilities

This is the 5th security issue found in the Clone plugin since March 2023, indicating systemic security deficiencies in its code that lead to repeated problems. While the latest patch resolves this particular exposure, Clone may continue posing risks until security practices improve substantially.

The Importance of Staying Updated

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
