Duplicator 1.3.24 & 1.3.26 – Unauthenticated Arbitrary File Download | CVE 2020-11738

Description

The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file.

According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before.

Proof of Concept

http://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php

Affects Plugins

duplicator

Fixed in 1.3.28

duplicator-pro

Fixed in 3.8.7.1

References

CVE

CVE-2020-11738

Exploitdb

49288

URL

https://cxsecurity.com/issue/WLB-2021010001

URL

https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/

URL

https://snapcreek.com/duplicator/docs/changelog/?lite

URL

https://snapcreek.com/duplicator/docs/changelog/

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

7.5 (high)

Miscellaneous

Verified

WPVDB ID

35227c3a-e893-4c68-8cb6-ffe79115fb6d

Timeline

Publicly Published

2020-02-19 (about 5 years ago)

Added

2020-02-20 (about 5 years ago)

Last Updated

2021-01-04 (about 4 years ago)

Other

Published

Title

Published

2025-03-13

Title

WP JobHunt <= 7.1 - Authentication Bypass to Candidate

Published

2023-05-17

Title

MStore API < 3.9.1 - Authentication Bypass

Published

2014-08-01

Title

WordPress 3.7.1 & 3.8.1 - Potential Authentication Cookie Forgery

Published

2024-07-19

Title

WooCommerce - Social Login < 2.7.4 - Unauthenticated Privilege Escalation via One-Time Password

Published

2022-06-27

Title

OAuth Single Sign On < 6.22.6 - Authentication Bypass