CVE-2022-2551
Published 2022-08-22
Priority: P1 · 79 · high · CVSS 3.1 base score 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 12.48% (95.7th percentile)
The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awesomemotive | duplicator | < 1.4.7 | 1.4.7 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated GET requests to the Duplicator installer endpoint path '/backups-dup-lite/dup-installer/main.installer.php', especially with the 'is_daws' parameter, which is used to trigger backup file disclosure.
- Alert on HTTP 200 responses with content-type text/html to the Duplicator main installer endpoint from unauthenticated sessions, as this indicates the installer is accessible and may be leaking backup URLs.
- The vulnerability is exploitable only if the installer script has been run at least once by an administrator; treat the installer endpoint being publicly accessible as a precondition indicator.
- The vulnerability only manifests if the Duplicator installer has been previously executed by an administrator; sites where the installer was never run are not exposed.
- Affected versions are Duplicator WordPress plugin before 1.4.7; version 1.4.7 and above are not vulnerable.
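The first two detection bullets above can be turned into a simple access-log check. The following is an added example (not part of this record or of any of the indexed sources): it parses web-server access logs in Combined Log Format, flags any request whose path is the Duplicator installer endpoint named above, and grades the finding by whether the response was HTTP 200 and whether the 'is_daws' query parameter was present. The log lines are constructed for the example; the endpoint path and parameter name are the ones the record already lists. Access logs do not carry authentication state, so the logic treats every hit on the installer path as worth review rather than trying to infer whether the client was logged in.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint path named in the detection guidance for CVE-2022-2551.
INSTALLER_PATH = "/backups-dup-lite/dup-installer/main.installer.php"

# Apache/nginx Combined Log Format; referer and user-agent are optional so
# Common Log Format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def classify(line):
    """Return a finding dict if the line is a request to the installer
    endpoint, otherwise None.

    severity:
      'high'   HTTP 200 to the installer with the is_daws parameter present
               (the parameter the advisory names as triggering disclosure)
      'medium' any other HTTP 200 from the installer path (installer reachable)
      'low'    non-200 touch of the installer path (probing, or not exposed)
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != INSTALLER_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    status = int(m.group("status"))
    has_daws = "is_daws" in params
    if status == 200 and has_daws:
        severity = "high"
    elif status == 200:
        severity = "medium"
    else:
        severity = "low"
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": status,
        "is_daws": has_daws,
        "ua": m.group("ua") or "",
        "severity": severity,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2022:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Aug/2022:10:01:09 +0000] "GET /backups-dup-lite/dup-installer/main.installer.php HTTP/1.1" 200 5120 "-" "curl/7.81.0"',
    '198.51.100.7 - - [22/Aug/2022:10:02:41 +0000] "GET /backups-dup-lite/dup-installer/main.installer.php?is_daws=1 HTTP/1.1" 200 4096 "-" "python-requests/2.28"',
    '198.51.100.7 - - [22/Aug/2022:10:02:45 +0000] "GET /backups-dup-lite/dup-installer/main.installer.php HTTP/1.1" 404 221 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding['severity']:6}] {finding['ip']} {finding['ts']} "
              f"status={finding['status']} is_daws={finding['is_daws']} ua={finding['ua']}")
```

A 'medium' finding on a site that never intentionally left the installer in place is already actionable: the installer files should not be reachable after a migration, regardless of whether a download was attempted. A 'high' finding warrants treating the backup archive as exposed and rotating the credentials it contains.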
CVSS provenance
- nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck · 7.5 HIGH
- cisa · 8.8 HIGH
GHSA
GHSA-7phj-wp5x-xwr5 · ghsa_unreviewed · 2022-08-23
CVE-2022-2551 [HIGH] CWE-425 GHSA-7phj-wp5x-xwr5: The Duplicator WordPress plugin before 1…
The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.
VulnCheck
awesomemotive duplicator Direct Request ('Forced Browsing') · vulncheck · 2022 · CVSS 7.5
CVE-2022-2551 [HIGH] awesomemotive duplicator Direct Request ('Forced Browsing')
The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.
Affected: awesomemotive duplicator
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/duplicator/duplicator-wordpress-migration-plugin-147-unauthenticated-backup-download
CISA
Microsoft Internet Explorer Use-After-Free Vulnerability · cisa · 2022-03-28 · CVSS 8.8
CVE-2013-2551 [HIGH] CWE-416 Microsoft Internet Explorer Use-After-Free Vulnerability
Affected: Microsoft Internet Explorer
Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute remote code via a crafted web site that triggers access to a deleted object.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-2551
Remediation Due Date: 2022-04-18
No detection rules found.
Exploit-DB
WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download · exploitdb · 2022-08-01 · CVSS 7.5
CVE-2022-2551 [HIGH] WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
---
# Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
# Google Dork: N/A
# Date: 07.27.2022
# Exploit Author: SecuriTrust
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: < 1.4.7
# Tested on: Linux, Windows
# CVE: CVE-2022-2551
# Reference: https://securitrust.fr
# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551
# Product:
WordPress Plugin Duplicator < 1.4.7
# Vulnerability:
1. It allows an attacker to download the backup file.
# Proof-Of-Concept:
1. Backup download.
The backup file can be downloaded using the "is_daws" parameter.
http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
Nuclei
WordPress Duplicator <1.4.7 - Authentication Bypass · nuclei · CVSS 7.5
CVE-2022-2551 [HIGH] WordPress Duplicator <1.4.7 - Authentication Bypass
Template (truncated; only the tail of the matcher list survives):
WordPress Duplicator … restart this install process"
    condition: and
  - type: word
    part: header
    words:
      - text/html
  - type: status
    status:
      - 200
# digest: 4b0a0048304602210095cc9dd18adab96d99376b0e3252253ad7f6dc156543a35c4a2d99c69b52af430221008f196e941d745334eabbd5e1d2b9617dc887061ada2084d2da10d0d224c6aa39:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.