Description

WordPress Plugin Duplicator-WordPress Migration is prone to a remote code execution vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploitation may allow attackers to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data or to compromise a vulnerable system. WordPress Plugin Duplicator-WordPress Migration version 1.2.40 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.2.42 or latest

References

https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf

https://www.wordfence.com/blog/2018/09/duplicator-update-patches-remote-code-execution-flaw/

https://snapcreek.com/duplicator/docs/changelog/?lite

Related Vulnerabilities

WordPress Plugin Breeze-WordPress Cache Open Redirect (1.0.10)

WordPress Plugin Premmerce Wishlist for WooCommerce Security Bypass (1.1.2)

MySQL CVE-2021-2028 Vulnerability (CVE-2021-2028)

WordPress Plugin DZS Video Gallery Multiple Cross-Site Scripting Vulnerabilities (All)

WordPress Plugin Contus HD FLV Player 'process-sortable.php' SQL Injection (1.3)

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Code Execution