Actively Exploited Duplicator WordPress Plugin Exploit Risks 1 Million Websites

Joining the trail of vulnerable WordPress plugins, here comes another plugin that threatens the security of over 1 million websites. This time the vulnerability appeared in the Duplicator WordPress plugin, and it is also under active exploitation.

Duplicator WordPress Plugin Flaw

Wordfence, who previously reported bugs in numerous WordPress plugins, has discovered another vulnerable plugin. This time, they have found the flaw in the Duplicator WordPress plugin, which attackers are currently exploiting in the wild.

Duplicator is a WordPress plugin that lets website admins “migrate and copy” WordPress websites. It also allows admins to download the files generated when a new copy of the site is created. That is where an arbitrary file download vulnerability existed. Regarding how this happens, the researchers state in their blog post,

The download buttons each trigger a call to the WordPress AJAX handler with the action duplicator_download and a file parameter, indicating the location of the file to be downloaded. When clicked, the requested file is downloaded and the user doesn’t need to leave or reload their current page…
Unfortunately, the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users.

Because the plugin placed no restrictions on the requested file path, an attacker could reach files in other directories by submitting values such as ../../../file.php.

The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH. However, sanitize_text_field only strips tags, stray whitespace and similar characters; it does not remove ../ sequences, so directory traversal remained possible.
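As an added example (not Wordfence's or the plugin's code), the following Python scans constructed web-server access-log lines for duplicator_download requests whose file parameter would resolve outside the snapshot directory, which is the check the plugin lacked. The log format, the base directory path and the sample lines are assumptions.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined-log style, trimmed); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2020:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3102
203.0.113.5 - - [01/Mar/2020:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 200 3102
198.51.100.7 - - [01/Mar/2020:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200301_site_archive.zip HTTP/1.1" 200 52148
198.51.100.9 - - [01/Mar/2020:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumed location of the plugin's snapshot directory (stands in for DUPLICATOR_SSDIR_PATH).
BASE_DIR = "/var/www/html/wp-snapshots"

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that %252e%252e ends up as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base_dir(file_param: str, base_dir: str = BASE_DIR) -> bool:
    """The missing check: does base_dir joined with the file value resolve
    outside base_dir? normpath collapses '..' without touching the filesystem."""
    joined = os.path.normpath(os.path.join(base_dir, fully_decode(file_param)))
    return os.path.commonpath([base_dir, joined]) != base_dir

def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded file value) for each duplicator_download
    request whose file parameter would leave the snapshot directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        qs = parse_qs(urlsplit(target).query)  # decodes one layer of %-encoding
        if qs.get("action") != ["duplicator_download"]:
            continue
        for raw in qs.get("file", []):
            if escapes_base_dir(raw):
                hits.append((ip, fully_decode(raw)))
    return hits

if __name__ == "__main__":
    for ip, path in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} requested a file outside the snapshot directory: {path}")
```

The same escapes_base_dir test, applied server-side before the file is opened, is the kind of path validation that closes the hole independently of how the parameter was sanitized.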

Exploiting this bug let attackers read the target website’s database credentials, which they could then use to access the database itself.

Update Now To Stay Safe

According to the researchers, the vulnerability affected Duplicator plugin versions prior to 1.3.28. After discovering the flaw, Wordfence informed the developers, who patched the bug in plugin version 1.3.28.

Despite the patch, around half a million websites have not yet updated the plugin and thus remain exposed to attacks exploiting this flaw. Users must update their websites to the latest plugin version as soon as possible.

Let us know your thoughts in the comments.
