CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.972 High
Percentile: 99.8%
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via …/ in the file parameter to duplicator_download or duplicator_init.
Recent assessments:
kevthehermit at April 14, 2020 2:38pm UTC reported:
This plugin is recorded as having over 1 Million installations via WordPress – <https://wordpress.org/plugins/duplicator/>
It has a free and a pro version with both being impacted.
Other reporting suggests that there are around 170,000 active installations, with ~150,000 of these not on the latest version.
The vulnerability allows arbitrary file read of any file on disk in the context of the web application. This kind of attack can lead to further compromise depending on its setup and configuration. Using this level of access can lead to database credentials being compromised which in turn can lead to further exploitation.
This exploit has been seen in active campaigns as reported by Wordfence – <https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/>
IOC's shared by WordPress and replicated here for ease of discovery.
Indicators Of Compromise (IOCs)
The following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.
Traffic logged from the threat actor's IP address should be considered suspicious:
77.71.115.52
action=duplicator_download
file=/…/wp-config.php
Note: Because this vulnerability can be exploited via WP AJAX, it's possible to exploit via POST request. In this case, it's possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. The file parameter must be passed as a query string, however, and is a reliable indicator.
Assessed Attacker Value: 3
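The IOC note above, turned into a log check as an added example (not part of the original assessment, Wordfence's tooling, or the plugin): it flags a `file` query parameter carrying a traversal segment even when `action` is missing from the logged URL, as happens with POST. Assumptions: combined access-log format, `..` as the traversal sequence the page renders as "…", and `/wp-admin/admin-ajax.php` as the path in the constructed sample lines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ACTIONS = {"duplicator_download", "duplicator_init"}  # named in the advisory
REPORTED_IP = "77.71.115.52"                           # from the IOC list
# Common/combined log format: client IP ... "METHOD target PROTOCOL"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*"')

def has_traversal(value):
    """True if value has a '..' path segment, also after one extra URL-decode."""
    return any(".." in re.split(r"[\\/]", v) for v in (value, unquote(value)))

def classify(line):
    """Return the reasons a log line matches the IOCs (empty list if none)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ip, method, target = m.groups()
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = ["reported-ip"] if ip == REPORTED_IP else []
    if any(has_traversal(v) for v in query.get("file", [])):
        if ACTIONS & set(query.get("action", [])):
            reasons.append("action+file-traversal")
        elif method == "POST":
            # action can travel in the POST body, which access logs omit
            reasons.append("post-file-traversal")
        else:
            reasons.append("file-traversal")
    return reasons

# Constructed sample lines (documentation IPs, made-up timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [20/Feb/2020:10:01:09 +0000] "POST /wp-admin/admin-ajax.php'
    '?file=%2F..%2Fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.9 - - [20/Feb/2020:10:05:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=20200220_archive.zip HTTP/1.1" 200 52341',
    '77.71.115.52 - - [20/Feb/2020:10:06:00 +0000] "GET / HTTP/1.1" 200 512',
]

def scan(lines):
    """Map line number (1-based) to reasons, for matching lines only."""
    hits = {n: classify(l) for n, l in enumerate(lines, 1)}
    return {n: r for n, r in hits.items() if r}

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(n, ", ".join(reasons))
```

A hit with a 200 status and a response size close to that of the site's configuration file is worth treating as a credential exposure and rotating the database password.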
packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html
packetstormsecurity.com/files/164533/WordPress-Duplicator-1.3.26-Arbitrary-File-Read.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11738
cwe.mitre.org/data/definitions/23.html
snapcreek.com/duplicator/docs/changelog/?lite
snapcreek.com/duplicator/docs/changelog?lite
www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites
www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/