cbcvebase.
CVE-2023-6114
published 2023-12-26

CVE-2023-6114: The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory…

PriorityP183high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
30.89%
98.0th percentile
The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.

Affected

2 ranges
VendorProductVersion rangeFixed in
awesomemotiveduplicator< 1.5.7.11.5.7.1
awesomemotiveduplicator< 4.5.14.24.5.14.2

Detection & IOCsextracted from sources · hover to see the quote

pathbackups-dup-lite/tmp
pathbackups-dup-pro/tmp
sigma
title: Duplicator WordPress Plugin Sensitive Backup Directory Listing
detection:
  keywords:
    - 'Duplicator'
    - "Index of'"
  condition: and
  • Monitor HTTP GET requests to the backups-dup-lite/tmp or backups-dup-pro/tmp directories; a directory listing response (HTTP 200 with 'Index of') indicates the vulnerability is being exploited to enumerate sensitive backup files.
  • Alert on unauthenticated access to .sql database dump files or .zip archive files served from the Duplicator plugin tmp directories, as these contain a full database dump and a zip archive of the site.
  • Use the Sigma rule keyword combination of 'Duplicator' and "Index of'" in web server access logs to detect directory listing enumeration attempts against the plugin's backup directories.
  • ·The vulnerability is only exploitable when directory listing is enabled on the web server; if directory listing is disabled, unauthenticated attackers cannot enumerate the backup files even if the tmp directory exists.
  • ·Affected versions are Duplicator (free) before 1.5.7.1 and Duplicator Pro before 4.5.14.2; detections should be scoped to installations running these older versions.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.