Question 1

What exactly is the vulnerability in Clone?

Accepted Answer

What exactly is the vulnerability in Clone?

The vulnerability allows any user to download database backups created with the Clone plugin without needing to authenticate. This exposes sensitive information like passwords, website content, and user data that is supposed to be protected.

Question 2

How severe is this vulnerability?

Accepted Answer

How severe is this vulnerability?

This is an extremely severe issue since it allows attackers to completely bypass login and security measures. They can access admin-level information, opening up full site takeovers, data destruction, or installing backdoors. The vulnerability received one of the highest possible severity scores.

Question 3

Can my site get hacked just by having an outdated Clone plugin?

Accepted Answer

Can my site get hacked just by having an outdated Clone plugin?

Yes - this vulnerability is remotely exploitable, meaning attackers can access improperly secured backup files without needing access to your server or admin account directly. All that is required is having an outdated Clone version.

Question 4

I have backups turned off in Clone - does this still put me at risk?

Accepted Answer

I have backups turned off in Clone - does this still put me at risk?

Unfortunately yes. The vulnerability exists in the code that handles backups, so even having the feature disabled does not fully protect against this issue being leveraged in an attack. A code update is required.

Question 5

How can I tell if my site has already been compromised via this vulnerability?

Accepted Answer

How can I tell if my site has already been compromised via this vulnerability?

Carefully review logs, file changes, and scan for any new administrator accounts or signs of malware. Unfortunately full access can be gained, so a compromised site may show little evidence of intrusion. It is best to presume your site was breached if running a vulnerable Clone version.

Question 6

I rely on Clone for migrations - are there alternative options I should consider?

Accepted Answer

I rely on Clone for migrations - are there alternative options I should consider?

There are other migration solutions including the built-in WordPress importer, Duplicator, and All-in-One WP Migration that may be safer options. While Clone has patched this issue, its history of security flaws suggests vulnerabilities may surface again.

Question 7

What should I do if my site was already compromised before I updated Clone?

Accepted Answer

What should I do if my site was already compromised before I updated Clone?

Restore your site from a clean backup made before the breach, scan and remove any malware, change all credentials, enable two factor authentication, and notify any users that their data may have been stolen in the incident. You may need professional site recovery assistance.

Question 8

How often do I need to update Clone and other plugins/WordPress?

Accepted Answer

How often do I need to update Clone and other plugins/WordPress?

Best practice is updating WordPress, themes, and plugins at least once per week. Enable automatic background updates in WordPress for a hassle-free way to apply security patches as soon as fixes are released.

Question 9

Why wasn't this vulnerability discovered during testing of Clone before release?

Accepted Answer

Why wasn't this vulnerability discovered during testing of Clone before release?

Insufficient security testing during development is often why serious issues make it into public plugin releases. Code auditing all changes remains a persistent challenge, allowing flaws to slip into production unaware.

Question 10

Who discovered and reported this vulnerability originally?

Accepted Answer

Who discovered and reported this vulnerability originally?

This issue was discovered and responsibly disclosed by researcher Dmitrii Ignatyev. Responsible disclosure gives developers a chance to patch issues before details are made public, preventing exploits in the wild.

vulnerable plugins

Clone Vulnerability – Sensitive Information Exposure – CVE-2023-6750 | WordPress Plugin Vulnerability Report

WordPress Plugin Vulnerability Report – GiveWP – Cross-Site Request Forgery – CVE-2023-4247, CVE-2023-4248

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy