Joining the trail of vulnerable WordPress plugins, here comes another plugin that threatens the security of over 1 million websites. This time the vulnerability appeared in the Duplicator WordPress plugin, which is also under active exploit.
Duplicator WordPress Plugin Flaw
Wordfence, who previously reported bugs in numerous WordPress plugins, has discovered another vulnerable plugin. This time, they have found the flaw in Duplicator WordPress plugin which hackers are currently exploiting in the wild.
Duplicator is a WordPress plugin that facilitates website admins to “migrate and copy” WordPress websites. It also allows admins to download files generated after admins create a new copy of the site. That is where an arbitrary file download vulnerability existed. Regarding how this happens, the researchers state in their blog post,
The download buttons each trigger a call to the WordPress AJAX handler with the action
duplicator_downloadand a file parameter, indicating the location of the file to be downloaded. When clicked, the requested file is downloaded and the user doesn’t need to leave or reload their current page…
duplicator_downloadaction was registered via
wp_ajax_nopriv_and was accessible to unauthenticated users.
There were no restrictions on downloaded file paths. Thus, it became possible for an attacker to access files in different directories by submitting values like .
The file parameter is passed through
sanitize_text_fieldand appended to the plugin constant
DUPLICATOR_SSDIR_PATH, but directory traversal was still possible.
Exploiting this bug allowed attackers to gain access to the target website’s database credentials. Later, attackers could potentially access the database through these credentials.
Update Now To Stay Safe
According to researchers, the vulnerability affected Duplicator plugin versions until 1.3.28. After discovering the flaw, Wordfence informed the developers who patched the bug with the release of plugin version 1.3.28.
Despite patching the bug, around half a million websites haven’t updated their plugin versions. Thus, they remain exposed to the attacks involving the exploitation of this flaw. Users must ensure they update their websites with the latest plugin version ASAP.
Let us know your thoughts in the comments.