Duplicator 1.3.24 & 1.3.26 – Unauthenticated Arbitrary File Download | CVE 2020-11738

Description

The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file.

According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before.

Proof of Concept

http://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php

Affects Plugins

duplicator

Fixed in 1.3.28

duplicator-pro

Fixed in 3.8.7.1

References

CVE

CVE-2020-11738

Exploitdb

49288

URL

https://cxsecurity.com/issue/WLB-2021010001

URL

https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/

URL

https://snapcreek.com/duplicator/docs/changelog/?lite

URL

https://snapcreek.com/duplicator/docs/changelog/

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

7.5 (high)

Miscellaneous

Verified

WPVDB ID

35227c3a-e893-4c68-8cb6-ffe79115fb6d

Timeline

Publicly Published

2020-02-19 (about 5 years ago)

Added

2020-02-20 (about 5 years ago)

Last Updated

2021-01-04 (about 4 years ago)

Other

Published

Title

Published

2021-07-20

Title

NEX Forms < 7.8.8 - Authentication Bypass for PDF Reports

Published

2024-07-19

Title

WooCommerce - Social Login < 2.7.4 - Unauthenticated Authentication Bypass

Published

2020-02-05

Title

Merge + Minify + Refresh < 1.10.8 - Authenticated Arbitrary File Delete

Published

2024-12-11

Title

Published

2014-09-17

Title

Custom Contact Forms < 5.1.0.4 - Unauthenticated Database Import/Export