Online WordPress Duplicator plugin Directory Traversal Vulnerability CVE-2020-11738 Scanner
Details
Stay Up To Date
Follow @secforeveryoneAsset Type
DOMAIN,IP,URL
Need Membership
Yes
Asset Verify
Yes
API Support
Yes
Estimate Time (Second)
30
Online WordPress Duplicator plugin Directory Traversal Vulnerability CVE-2020-11738 Scanner Detail
If you are using WordPress Duplicator plugin, it is better to check your system if any vulnerability exists.
Vulnerability
On February 12, Snap Creek, makers of the popular WordPress plugin Duplicator, released version 1.3.28 and Duplicator Pro version 3.8.7.1 to address a serious vulnerability.
According to researchers at Wordfence, an unauthenticated arbitrary file download vulnerability exists in Duplicator versions 1.3.26 and Duplicator Pro versions 3.8.7.
Some Advice for Common Problems
Snap Creek addressed this vulnerability in Duplicator version 1.3.28 and Duplicator Pro version 3.8.7.1 on February 12. Duplicator and Duplicator Pro users are strongly encouraged to upgrade to versions 1.3.28 and 3.8.7.1 or greater as soon as possible.
Additionally, review HTTP logs for requests that include the following query strings:
- action=duplicator_download
- file=/../wp-config.php
The most reliable indicator is whether the request contains the file parameter, as that is required to exploit this vulnerability.
