Actively Exploited Duplicator WordPress Plugin Flaw Risks 1M Sites dextersu, thefreshccsu
Another WordPress plugin has joined the list of vulnerable ones, and this one puts over 1 million websites at risk. The flaw lies in the Duplicator WordPress plugin, and it is already under active exploitation.
Wordfence, which has previously reported bugs in numerous WordPress plugins, discovered the flaw: an unauthenticated arbitrary file download in Duplicator that attackers are currently exploiting in the wild.
Duplicator is a WordPress plugin that lets site administrators “migrate and copy” WordPress sites. It also lets them download the package files it generates when a new copy of the site is created, and that is where the arbitrary file download vulnerability existed. The researchers describe the mechanism in their blog post:
The download buttons each trigger a call to the WordPress AJAX handler with the action and a file parameter, indicating the location of the file to be downloaded. When clicked, the requested file is downloaded and the user doesn’t need to leave or reload their current page… Unfortunately, the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users.
The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, the directory where Duplicator stores its packages. sanitize_text_field strips HTML tags, line breaks and surplus whitespace, but it leaves slashes and .. sequences untouched, so nothing constrained the resulting path to that directory: an attacker could walk out of it by submitting a value such as ../../../file.php and have files from other directories returned, limited only by what the web server process can read.
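As an added example (not code from the article or from the Duplicator plugin), the following Python models the flaw described above: a stand-in for WordPress's sanitize_text_field, the vulnerable sanitize-then-append pattern, and a hardened lookup that resolves the real path and refuses anything outside the package directory. The directory layout, file names, file contents and the package-directory name backups-dup-lite are constructed for the demo.

```python
import os
import re
import tempfile
from typing import Optional

# Constructed sample content; a real wp-config.php holds the live DB credentials.
SAMPLE_WP_CONFIG = "define('DB_PASSWORD', 'constructed-example-secret');\n"
SAMPLE_ARCHIVE = "PK-constructed-archive-bytes"


def sanitize_text_field(value: str) -> str:
    """Approximation of WordPress sanitize_text_field(): strips tags, line
    breaks, tabs, percent-encoded octets and surplus whitespace. Note what it
    leaves alone: '/' and '..' survive, so it is not a path filter. (PHP has
    already URL-decoded the query, so '..%2F' arrives here as '../'.)"""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\r\n\t]", " ", value)
    value = re.sub(r"%[0-9a-fA-F]{2}", "", value)
    value = re.sub(r" {2,}", " ", value)
    return value.strip()


def build_site(root: str) -> str:
    """Create a minimal WordPress-like tree under root (constructed for the
    demo) and return the package directory, standing in for DUPLICATOR_SSDIR_PATH."""
    ssdir = os.path.join(root, "wp-content", "backups-dup-lite")
    os.makedirs(ssdir)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(SAMPLE_WP_CONFIG)
    with open(os.path.join(ssdir, "site_archive.zip"), "w") as fh:
        fh.write(SAMPLE_ARCHIVE)
    return ssdir


def vulnerable_download(ssdir: str, file_param: str) -> Optional[str]:
    """Sanitize, then append to the base directory: the pre-1.3.28 pattern.
    Nothing checks where the joined path ends up."""
    path = ssdir + "/" + sanitize_text_field(file_param)
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def hardened_download(ssdir: str, file_param: str) -> Optional[str]:
    """Resolve the real path (collapsing '..' and symlinks) and serve it only
    if it is a regular file that still lives under the package directory."""
    base = os.path.realpath(ssdir)
    target = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, target]) != base:
        return None  # traversal or an absolute path escaped the package directory
    if not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()


def demo() -> dict:
    """Run both handlers against a legitimate package name and a traversal
    payload. Two '../' reach the site root from wp-content/backups-dup-lite;
    the depth an attacker needs depends on where the package directory sits."""
    with tempfile.TemporaryDirectory() as root:
        ssdir = build_site(root)
        traversal = "../../wp-config.php"
        return {
            "vulnerable_legit": vulnerable_download(ssdir, "site_archive.zip"),
            "vulnerable_traversal": vulnerable_download(ssdir, traversal),
            "hardened_legit": hardened_download(ssdir, "site_archive.zip"),
            "hardened_traversal": hardened_download(ssdir, traversal),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The hardened version keeps the legitimate download working while the traversal payload now yields nothing. The check is on the resolved path rather than on the input string, so encoded or mixed-separator variants of .. are handled by the OS path resolution instead of by a blocklist that has to anticipate every spelling.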
Attackers exploiting the bug could read files such as wp-config.php, where WordPress stores its database credentials, and could then use those credentials to connect to the database directly if the database server is reachable to them.
According to the researchers, the vulnerability affects Duplicator versions prior to 1.3.28. After discovering the flaw, Wordfence notified the developers, who patched it in plugin version 1.3.28.
Despite the patch, around half a million websites are still running vulnerable versions and remain exposed to ongoing exploitation. Site owners should update to the latest version of the plugin as soon as possible, and, because the bug was being exploited before many sites updated, treat the database credentials of any site that ran a vulnerable version as potentially exposed.
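Since the flaw has been exploited in the wild, a site owner who ran a vulnerable version will want to know whether it was used against them. The following Python, added here as an example rather than anything from the article or from Wordfence, scans web server access-log lines in combined format for requests to admin-ajax.php with action=duplicator_download whose file parameter tries to leave the package directory. The log lines are constructed for the example; the IP addresses are from documentation ranges.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined format); addresses are from
# documentation ranges. Lines 1 and 3 are traversal attempts (line 3 is
# double-encoded), line 2 is a normal package download, line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2020:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=site_archive.zip HTTP/1.1" 200 52311 "https://example.org/wp-admin/" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2020:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 200 1843 "-" "python-requests/2.22.0"
192.0.2.5 - - [25/Feb/2020:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so scanner variants like %252e%252e
    normalise to '..'. Whether such a variant would actually have worked
    against the plugin does not matter for spotting the attempt."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_directory(file_param: str) -> bool:
    """True if the (decoded) file parameter is absolute or contains a '..'
    path segment, i.e. it tries to leave DUPLICATOR_SSDIR_PATH."""
    normalised = decode_fully(file_param).replace("\\", "/")
    if normalised.startswith("/"):
        return True
    return any(segment == ".." for segment in normalised.split("/"))


def find_duplicator_traversal(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that looks like exploitation of the
    Duplicator arbitrary file download (traversal via the nopriv AJAX action)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if "duplicator_download" not in params.get("action", []):
            continue
        for file_param in params.get("file", []):
            if escapes_directory(file_param):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "file": decode_fully(file_param),
                    "status": m.group("status"),
                    "bytes": m.group("bytes"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_duplicator_traversal(SAMPLE_LOG):
        print(hit)
```

A 200 response with a body size consistent with wp-config.php on such a request is strong evidence of a successful read, and the credentials in that file should be rotated. Two caveats: the AJAX handler also accepts the parameters in a POST body, which an access log does not record, so absence of hits in the log is not proof of absence; and the scan only covers the query-string form of the request.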