WordPress Duplicator plugin Unauthenticated Arbitrary File Download
Description
The WordPress Duplicator plugin versions 1.3.26 and earlier contain an unauthenticated arbitrary file download vulnerability (CWE-22: Path Traversal). This flaw allows remote attackers to download any file accessible to the web server without authentication. Attackers commonly exploit this to retrieve the wp-config.php file, which contains database credentials, authentication keys, and salts that protect the WordPress installation.
Remediation
Take the following immediate actions to remediate this vulnerability:
1. Update the Plugin: Upgrade the Duplicator plugin to version 1.3.28 or later, which contains the security fix for this vulnerability. Navigate to the WordPress admin panel, go to Plugins → Installed Plugins, locate Duplicator, and click "Update Now".
2. Remove Installer Files: Delete any Duplicator installer files (typically named installer.php and associated archive files) from your web root directory after completing migrations, as these files can be exploited even in patched versions if left accessible.
3. Verify Security: Review web server access logs for requests to Duplicator endpoints that reference sensitive files such as wp-config.php or that contain path traversal sequences, and treat any such request that returned a successful response as a likely compromise.
4. Rotate Credentials: If you suspect exploitation, immediately change your WordPress database passwords and regenerate authentication keys and salts in wp-config.php using the WordPress.org secret key generator.
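A log check for step 3, added here as an example and not part of the original advisory: it parses combined-format access log lines (constructed samples; the plugin path in the sample is a placeholder, not the plugin's real endpoint), URL-decodes each request, and flags requests containing path traversal sequences or references to sensitive files, rating hits on Duplicator paths that returned 200 as high.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SENSITIVE_FILES = ("wp-config.php", ".htaccess", ".env")

def classify(line):
    """Return a finding dict if the request looks like a file-download attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode up to three times so %2e%2e%2f and double-encoded variants are caught.
    url = m.group("url")
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    parts = urlsplit(url)
    haystack = (parts.path + "?" + parts.query).lower()
    reasons = []
    if "../" in haystack or "..\\" in haystack:
        reasons.append("path traversal")
    if any(name in haystack for name in SENSITIVE_FILES):
        reasons.append("sensitive file")
    if not reasons:
        return None
    on_duplicator = "duplicator" in haystack
    if on_duplicator:
        reasons.append("duplicator endpoint")
    # A 200 on a Duplicator path means the server most likely served the file.
    severity = "high" if on_duplicator and m.group("status") == "200" else "medium"
    return {"ip": m.group("ip"), "time": m.group("ts"), "url": url,
            "status": m.group("status"), "reasons": reasons, "severity": severity}

def scan(lines):
    """Run classify() over every log line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample log; the plugin path below is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345',
    '198.51.100.7 - - [10/Mar/2020:10:00:05 +0000] "GET /wp-content/plugins/duplicator/'
    'example.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3110',
    '198.51.100.7 - - [10/Mar/2020:10:00:09 +0000] "GET /index.php?path=../../.htaccess HTTP/1.1" 403 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["url"], finding["reasons"])
```

Feed real log lines with `scan(open("access.log"))`; a high-severity finding is the trigger for step 4.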