CVE-2022-2551
published 2022-08-22


Priority: P1 (79, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 12.48% (95.7th percentile)
The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

Affected (1 range)

Vendor          Product      Version range   Fixed in
awesomemotive   duplicator   < 1.4.7         1.4.7

Detection & IOCs (extracted from sources)

Path: /backups-dup-lite/dup-installer/main.installer.php
  • Monitor for unauthenticated GET requests to the Duplicator installer endpoint path '/backups-dup-lite/dup-installer/main.installer.php', especially with the 'is_daws' parameter, which is used to trigger backup file disclosure.
  • Alert on HTTP 200 responses with content-type text/html to the Duplicator main installer endpoint from unauthenticated sessions, as this indicates the installer is accessible and may be leaking backup URLs.
  • The vulnerability is exploitable only if the installer script has been run at least once by an administrator; look for the presence of the installer endpoint being publicly accessible as a precondition indicator.
  • The vulnerability only manifests if the Duplicator installer has been previously executed by an administrator; sites where the installer was never run are not exposed.
  • Affected versions are Duplicator WordPress plugin before 1.4.7; version 1.4.7 and above are not vulnerable.
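The monitoring points above, turned into a small access-log filter. This is an added example, not code from the page or from the Duplicator project; it assumes Apache/nginx combined log format and uses constructed sample lines. Access logs carry no WordPress session state, so "unauthenticated" cannot be decided here; every hit on the installer path is surfaced, with the `is_daws` parameter and a 200 status marked as the stronger signals.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Installer endpoint named in the CVE description and detection notes.
INSTALLER_PATH = "/backups-dup-lite/dup-installer/main.installer.php"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def flag_installer_requests(lines):
    """Return one finding per request that hits the Duplicator installer path.

    Each finding records client IP, method, status, whether the 'is_daws'
    parameter was present, and whether the installer answered 200 (the
    precondition indicator: the endpoint is publicly reachable).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m.group("target"))
        if parts.path != INSTALLER_PATH:
            continue
        params = parse_qs(parts.query)
        findings.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "is_daws": "is_daws" in params,
            "installer_reachable": m.group("status") == "200",
        })
    return findings

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2022:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.5 - - [22/Aug/2022:10:01:09 +0000] "GET /backups-dup-lite/dup-installer/main.installer.php HTTP/1.1" 200 9871',
    '198.51.100.7 - - [22/Aug/2022:10:02:30 +0000] "GET /backups-dup-lite/dup-installer/main.installer.php?is_daws=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Aug/2022:10:02:31 +0000] "GET /backups-dup-lite/dup-installer/main.installer.php HTTP/1.1" 404 231',
]

if __name__ == "__main__":
    for finding in flag_installer_requests(SAMPLE_LOG):
        print(finding)
```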

CVSS provenance

NVD:       v3.1 7.5 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH
CISA:      8.8 HIGH