WordPress Plugin Vulnerabilities
Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
Description
The plugin does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
Proof of Concept
1. Ensure that the web server (e.g. nginx or Apache) has directory listing enabled. 2. Visit Duplicator > Packages and click Create New and then Next. 3. Visit `/wp-content/backups-dup-lite/tmp/` to see the first sensitive files that are created. 4. Click Build. 5. Visit `/wp-content/backups-dup-lite/tmp/` to see database dump and the zip file as it is being assembled. For the Pro version, change the paths above to use `backups-dup-pro`.
Affects Plugins
Fixed in 1.5.7.1
Fixed in 4.5.14.2 References
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-12-04 (about 5 months ago)
Added
2023-12-04 (about 5 months ago)
Last Updated
2023-12-05 (about 5 months ago)
WPScan 