CVE-2018-25095

CWE-94 — Code Injection3 documents3 sources

Severity

9.8CRITICAL

EPSS

0.7%

top 28.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Duplicator Awesomemotive Duplicator

Timeline

PublishedJan 8

Description

The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/duplicator< 1.3.0

▶NVDawesomemotive/duplicator< 1.3.0

🔴Vulnerability Details

GHSA

GHSA-jp26-vw47-9r58: The Duplicator WordPress plugin before 1↗2024-01-08

▶

CVEList

Duplicator < 1.3.0 - Unauthenticated RCE↗2024-01-08

▶