The issue is being actively exploited and allows attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was present in only two versions, v1.3.24 and v1.3.26; it was not present in versions 1.3.22 and earlier.
http://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php
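
To check whether a site received requests of this shape, the following added example (not code from the original page or from the vendor) scans web server access logs for `duplicator_download` requests whose `file` parameter contains path traversal, including percent-encoded and double-encoded forms. The combined log format, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.60"
192.0.2.11 - - [01/Jan/2020:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%2e%2e%2fwp-config.php HTTP/1.1" 200 3120 "-" "-"
192.0.2.12 - - [01/Jan/2020:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200101_site_archive.zip HTTP/1.1" 200 998877 "-" "Mozilla/5.0"
192.0.2.13 - - [01/Jan/2020:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.14 - - [01/Jan/2020:10:00:20 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "-"
"""

# Captures client IP, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_downloads(log_text):
    """Return (client_ip, status, decoded_file) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(parts.query)  # parse_qs already decodes once
        if "duplicator_download" not in params.get("action", []):
            continue
        for raw in params.get("file", []):
            name = fully_decode(raw).replace("\\", "/")
            # Flag parent-directory segments and absolute paths (heuristic).
            if ".." in name.split("/") or name.startswith("/"):
                hits.append((ip, int(status), name))
    return hits

if __name__ == "__main__":
    for ip, status, name in find_traversal_downloads(SAMPLE_LOG):
        print(f"{ip} status={status} file={name}")
```

A hit with status 200 means the file was likely returned, so the database credentials and keys stored in wp-config.php should be treated as exposed. Access logs record only the query string, so parameters sent in a POST body are not covered by this check.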