Remote code execution vulnerability in WordPress Duplicator

Description

WordPress Duplicator is a migration plugin that packages WordPress sites into zip files containing all plugins, themes, content, database, and core files. Versions prior to 1.2.42 contain a critical vulnerability where sensitive installer files (installer.php and installer-backup.php) are not properly removed after site restoration. These leftover files can be accessed by unauthenticated attackers to inject malicious PHP code directly into the wp-config.php configuration file, leading to remote code execution.

Remediation

Take the following steps immediately to remediate this vulnerability:

1. Update the Duplicator Plugin
Upgrade to WordPress Duplicator version 1.2.42 or later through the WordPress admin panel (Plugins → Installed Plugins → Update) or by downloading the latest version from the official WordPress plugin repository.

2. Remove Leftover Installer Files
Manually verify and delete any remaining installer files from your WordPress root directory:

  • installer.php
  • installer-backup.php
  • Any installer-log.txt files
  • Duplicator package files (*.zip, *.daf, *.sql)

3. Verify wp-config.php Integrity
Inspect your wp-config.php file for any suspicious or unauthorized PHP code, particularly near the end of the file. Look for unfamiliar code blocks, obfuscated code, or unexpected function calls.

4. Conduct Security Audit
If installer files were present after migration, assume potential compromise and perform a full security audit including review of user accounts, file integrity checks, and access log analysis.
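
Steps 2 and 3 can be scripted. The following is an added example, not part of the original advisory or of Duplicator itself; the function names and the list of flagged PHP calls are assumptions chosen for illustration. Treat every match as a lead for manual review.

```shell
#!/bin/sh
# Added example: check a WordPress root for Duplicator leftovers (step 2)
# and for unexpected function calls in wp-config.php (step 3).

# List the files named in step 2, top level of the WordPress root only.
# Archive and SQL matches may be legitimate files; review before deleting.
find_duplicator_leftovers() {
    find "$1" -maxdepth 1 -type f \( \
        -name 'installer.php' -o -name 'installer-backup.php' \
        -o -name 'installer-log.txt' \
        -o -name '*.zip' -o -name '*.daf' -o -name '*.sql' \) | sort
}

# Print numbered wp-config.php lines that call functions rarely needed in a
# configuration file. The list is a heuristic assumed for this example,
# not a complete signature set. Returns 0 on a match, 1 on none, 2 if missing.
scan_wp_config() {
    cfg=$1/wp-config.php
    [ -f "$cfg" ] || { echo "no wp-config.php in $1" >&2; return 2; }
    grep -nE '(eval|assert|base64_decode|gzinflate|str_rot13|system|exec|passthru|popen|proc_open)[[:space:]]*\(' "$cfg"
}

# Run both checks; exit status 1 means something needs manual review.
audit_wp_root() {
    status=0
    leftovers=$(find_duplicator_leftovers "$1")
    if [ -n "$leftovers" ]; then
        echo "LEFTOVER FILES:"
        echo "$leftovers"
        status=1
    fi
    if hits=$(scan_wp_config "$1"); then
        echo "SUSPICIOUS wp-config.php LINES:"
        echo "$hits"
        status=1
    fi
    return "$status"
}

# When run as a script, audit the directory given as the first argument.
if [ $# -gt 0 ]; then
    audit_wp_root "$1"
fi
```

Run it as `sh audit.sh /path/to/wordpress` (the script name and path are placeholders); a non-zero exit status means leftover files or flagged lines were found.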
