WordPress plugin Duplicator (versions <= 1.3.26) is vulnerable to an Unauthenticated Arbitrary File Download vulnerability that allows attackers to download arbitrary files from the WordPress installation. For example, an attacker can download the WordPress configuration file wp-config.php that contains WordPress database credentials and authentication unique keys and salts.


Upgrade to the latest version of WordPress Duplicator plugin. This isses was fixed in version 1.3.26.


Related Vulnerabilities