History: Aug 22, 2022 - 3:15 p.m.

CVE-2022-2551

2022-08-22 15:15:15
CWE-425
web.nvd.nist.gov
cve-2022-2551
duplicator wordpress plugin
security vulnerability
backup disclosure
unauthenticated access

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.664 Medium
Percentile: 98.0%

The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

Affected configurations

Node: wordpress permalinks_migration_plugin
Range: <1.4.7

Vendor: wordpress
Product: permalinks_migration_plugin
Version: *
CPE: cpe:2.3:a:wordpress:permalinks_migration_plugin:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Duplicator – WordPress Migration Plugin",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.4.7",
        "status": "affected",
        "version": "1.4.7",
        "versionType": "custom"
      }
    ]
  }
]
