Remote code execution vulnerability in WordPress Duplicator

Description
  • WordPress Duplicator is a WordPress plugin that creates a package that bundles all the site's plugins, themes, content, database and WordPress files into a simple zip file that can be used to easily migrate a WordPress site.

    Synacktiv discovered that WordPress Duplicator versions lower than 1.2.42 do not remove sensitive files after the restoration process. The installer.php and installer-backup.php files can be reused after the restoration process to inject malicious PHP code into the wp-config.php file.
Remediation
  • Upgrade to the latest version of WordPress Duplicator. This vulnerability was fixed starting with version 1.2.42.
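  • The following audit script is an added example, not part of the advisory or of the Duplicator project: it checks a WordPress document root for the two conditions described above, leftover installer.php / installer-backup.php files in the site root and a Duplicator version below the fixed 1.2.42. The plugin's main file path (wp-content/plugins/duplicator/duplicator.php) and the sample site it builds are assumptions for demonstration.

```python
"""Audit a WordPress root for the conditions named in the advisory:
leftover Duplicator installer files and a Duplicator version below 1.2.42."""
import os
import re
import tempfile

# Files the advisory names as reusable after restoration.
LEFTOVER_FILES = ("installer.php", "installer-backup.php")
FIXED_VERSION = (1, 2, 42)
# Assumed main plugin file (standard WordPress layout; plugin slug assumed).
PLUGIN_MAIN = os.path.join("wp-content", "plugins", "duplicator", "duplicator.php")


def parse_version(text):
    """Parse the 'Version:' line of a WordPress plugin header into an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def audit(docroot):
    """Report leftover installer files and whether the installed version is below 1.2.42."""
    leftovers = [f for f in LEFTOVER_FILES if os.path.isfile(os.path.join(docroot, f))]
    version = None
    plugin_path = os.path.join(docroot, PLUGIN_MAIN)
    if os.path.isfile(plugin_path):
        with open(plugin_path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read())
    # Tuple comparison: (1, 2, 40) < (1, 2, 42), but (1, 3, 0) is not.
    vulnerable_version = version is not None and version < FIXED_VERSION
    return {"leftovers": leftovers, "version": version, "vulnerable_version": vulnerable_version}


def make_sample_site(version="1.2.40", leftovers=LEFTOVER_FILES):
    """Build a constructed WordPress root in a temp dir (sample data, not a real site)."""
    root = tempfile.mkdtemp()
    plugin_path = os.path.join(root, PLUGIN_MAIN)
    os.makedirs(os.path.dirname(plugin_path))
    with open(plugin_path, "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Duplicator\nVersion: %s\n*/\n" % version)
    for name in leftovers:
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    print(audit(make_sample_site()))
```

Run it against a real document root by calling audit("/path/to/wordpress"); a non-empty leftovers list means the installer files should be deleted regardless of the plugin version.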
References