Duplicator – Migration & Backup Plugin Vulnerability – Full Path Disclosure – CVE-2024-6210 | WordPress Plugin Vulnerability Report
Plugin Name: Duplicator – Migration & Backup Plugin
Key Information:
- Software Type: Plugin
- Software Slug: duplicator
- Software Status: Active
- Software Author: smub
- Software Downloads: 43,284,982
- Active Installs: 1,000,000
- Last Updated: July 29, 2024
- Patched Versions: 1.5.10
- Affected Versions: <= 1.5.9
Vulnerability Details:
- Name: Duplicator <= 1.5.9
- Type: Full Path Disclosure (information exposure)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVE: CVE-2024-6210
- CVSS Score: 5.3
- Publicly Published: July 10, 2024
- Researcher: stealthcopter
- Description: The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to and including 1.5.9. This vulnerability allows unauthenticated attackers to obtain the full path to the server's installation directory. While the exposed information has limited immediate use, it can facilitate reconnaissance and potentially be combined with other vulnerabilities for more severe exploits.
Summary:
The Duplicator plugin for WordPress has a vulnerability in versions up to and including 1.5.9 that results in full path disclosure, allowing unauthenticated attackers to view the server's installation path. This vulnerability has been patched in version 1.5.10.
Detailed Overview:
Researcher stealthcopter identified a vulnerability in the Duplicator plugin that exposes the full path to the server's installation directory. The disclosure stems from inadequate access control and can be triggered without authentication. The direct impact is limited, but knowing the absolute filesystem path simplifies an attacker's reconnaissance and can make other vulnerabilities easier to exploit, so the issue should be treated as a stepping stone rather than an isolated, low-value leak.
Advice for Users:
- Immediate Action: Update the Duplicator plugin to version 1.5.10 or later to close this vulnerability.
- Check for Signs of Exploitation: Although this vulnerability is limited to information exposure, monitor the site for unusual activity that could indicate the disclosed path is being used as part of a further attack.
- Alternate Plugins: The issue has been patched, but users may still wish to evaluate alternative migration and backup plugins with stronger security practices.
- Stay Updated: Regularly updating all plugins and the WordPress core is essential to protecting a site against known vulnerabilities.
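As an added example (not code from the advisory or from the Duplicator project), here is a small Python check that reads the `Version:` header WordPress expects in a plugin's main file and compares it numerically against the patched release. It exists because a plain string comparison gets this exact case wrong: "1.5.10" sorts before "1.5.9" as text. The header block below is a constructed sample, not the real plugin file.

```python
import re
from typing import Optional, Tuple

# From the advisory: versions <= 1.5.9 are affected, 1.5.10 is the patched release.
PATCHED_VERSION = "1.5.10"

# Constructed sample of the header comment WordPress parses from a plugin's
# main PHP file (e.g. wp-content/plugins/duplicator/duplicator.php).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Duplicator
 * Description: Migrate and back up a copy of your WordPress files and database.
 * Version: 1.5.9
 */
"""


def header_version(plugin_file_text: str) -> Optional[str]:
    """Extract the value of the 'Version:' header line, or None if absent."""
    match = re.search(r"^[ \t/*#]*Version:[ \t]*([^\r\n]+)", plugin_file_text,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1).strip() if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.5.10' into (1, 5, 10). Trailing suffixes such as '-beta1' are
    ignored here (an assumption of this example, not of the advisory)."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing a to b component-wise, padding '1.5' to '1.5.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched release."""
    return compare_versions(installed, patched) < 0


def audit_plugin_file(plugin_file_text: str) -> Tuple[Optional[str], bool]:
    """Return (version found in the header, whether that version is affected)."""
    version = header_version(plugin_file_text)
    return version, (version is not None and is_affected(version))
```

Running `audit_plugin_file` over the real main file of each installed plugin copy gives a quick inventory of sites still on an affected release; sites without the header (or with a malformed one) are reported as not assessable rather than silently marked safe.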
Conclusion:
The prompt response from the Duplicator developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.5.10 or later to maintain the security and integrity of their WordPress installations.