CVE-2018-17207
published 2018-09-19


Priority: P187, critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit status: exploited in the wild (ITW), public exploit, VulnCheck KEV
EPSS: 57.56% (99.0th percentile)
An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.

Affected

1 range

Vendor:        awesomemotive
Product:       duplicator
Version range: < 1.2.42
Fixed in:      1.2.42

Detection & IOCs (extracted from sources)

path: /installer.php
path: /installer-backup.php
command: POST /installer-backup.php HTTP/1.1
command: action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=wordpress');echo base64_decode($_GET["input"]);//&dbport=12345&
path: /wp-config.php
cookie: dupx-header-version
  • Detect exploitation attempts by monitoring HTTP requests to the leftover installer files /installer.php and /installer-backup.php on WordPress installations.
  • Look for POST requests to /installer-backup.php with the parameters action_ajax=3&action_step=3 and a dbname value containing PHP code (e.g. a single quote followed by PHP statements) as a sign of active exploitation.
  • Fingerprint vulnerable Duplicator plugin instances by checking for the strings 'dupx-header-version' and 'Deployment Path:' in an HTTP 200 response header/body.
  • Flag WordPress sites running Duplicator plugin versions earlier than 1.2.42 as vulnerable.
  • Monitor for unexpected modifications to wp-config.php, particularly injected PHP code, as the exploit overwrites this file with attacker-controlled content.
  • Check for subsequent GET requests to /wp-config.php with a base64-encoded 'input' query parameter, which is used to trigger the injected PHP payload after exploitation.
  • Exploitation WILL corrupt/overwrite wp-config.php; defenders should be aware that a successfully exploited site will have a broken WordPress configuration and should restore from backup.
  • The vulnerability only exists when leftover installer files (installer.php, installer-backup.php) remain on the filesystem after a backup restoration; sites that have cleaned up these files are not exposed.
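
As an added example, not taken from this record's sources: a small classifier that implements the request-based detection bullets above over constructed request records. It assumes a proxy or WAF log that captures POST bodies, since plain access logs carry only the request line; the severities and the sample records are this example's own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request records: (method, URL with query, POST body).
SAMPLE_REQUESTS = [
    ("GET", "/wp-login.php", ""),
    ("GET", "/installer.php", ""),
    ("POST", "/installer-backup.php",
     "action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test"
     "&dbname=wordpress%27%29%3B%2F%2F&dbport=12345"),
    ("GET", "/wp-config.php?input=aGVsbG8=", ""),
    ("POST", "/installer-backup.php", "action_ajax=3&action_step=3&dbname=wordpress"),
]

INSTALLER_FILES = {"/installer.php", "/installer-backup.php"}
# A dbname that still contains a quote, parenthesis or semicolon after URL
# decoding cannot be a plain database name; it matches the injection shape
# described in the detection notes.
INJECTION_CHARS = re.compile(r"""['"();]""")

def classify_request(method, url, body):
    """Return (severity, reason) for one request, or None if unremarkable."""
    parts = urlsplit(url)
    path = parts.path
    if path in INSTALLER_FILES:
        if method == "POST":
            form = parse_qs(body, keep_blank_values=True)
            step = (form.get("action_ajax", [""])[0], form.get("action_step", [""])[0])
            dbname = form.get("dbname", [""])[0]
            if step == ("3", "3") and INJECTION_CHARS.search(dbname):
                return ("critical", f"database-setup step with PHP-looking dbname {dbname!r}")
            if step == ("3", "3"):
                return ("high", "database-setup step submitted to leftover installer")
        return ("medium", f"access to leftover installer file {path}")
    if path == "/wp-config.php" and "input" in parse_qs(parts.query):
        return ("critical", "wp-config.php requested with 'input' parameter (post-exploitation trigger)")
    return None

def scan(requests):
    """Classify every record; return a list of (index, severity, reason) hits."""
    return [(i, *hit) for i, (m, u, b) in enumerate(requests)
            if (hit := classify_request(m, u, b))]

if __name__ == "__main__":
    for index, severity, reason in scan(SAMPLE_REQUESTS):
        print(f"[{severity}] request #{index}: {reason}")
```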

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL