WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Duplicator < 1.4.7 - Unauthenticated Backup Download

Description

The plugin discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

Proof of Concept

Find the URL of the actual installer script in the html returned by this endpoint: http://example.com/wp-content/backups-dup-lite/dup-installer/main.installer.php?is_daws=1

By changing the last part of the URL from '_installer.php' to '_archive.zip' the full backup is available.

As a bonus, by changing the last part of the URL from '_installer.php' to '.log', some information about the system is revealed.

Affects Plugins

duplicator
Fixed in version 1.4.7.1

References

CVE
CVE-2022-2551
URL
https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551
URL
https://packetstormsecurity.com/files/167896/

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

Ihsan Sencan

Submitter

Ihsan Sencan

Submitter website
https://www.securitrust.fr
Verified

Yes

WPVDB ID
f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0

Timeline

Publicly Published

2022-08-01 (about 7 months ago)

Added

2022-08-01 (about 7 months ago)

Last Updated

2022-08-04 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin