The issue is being actively exploited and allows attackers to download arbitrary files from the web server, such as wp-config.php (which holds the database credentials and authentication salts). According to the vendor, the vulnerability is present only in versions 1.3.24 and 1.3.26; versions 1.3.22 and earlier are not affected. Note that the CPE ranges below (every version below 1.3.28, and every Pro version below 3.8.7.1) are broader than the vendor's statement, so check the exact installed version rather than relying on the range alone.
http://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php
CPE Name | Operator | Version
---|---|---
duplicator | lt | 1.3.28
duplicator-pro | lt | 3.8.7.1
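The following Python script is an added example, not code from the advisory or from the plugin vendor. It puts the two things above into practice: a version check that applies the CPE ranges from the table (operator `lt`, i.e. affected if the installed version is lower than the listed one), and a detector that scans web server access logs for requests to `admin-ajax.php` with `action=duplicator_download` whose `file` parameter contains a traversal sequence or an absolute path, as in the request shown above. The log lines are constructed sample input in Apache combined format using documentation IP ranges; the regex and function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Fixed versions taken from the advisory's CPE table (operator "lt":
# an installed version strictly below the listed one is in the affected range).
FIXED_VERSIONS = {
    "duplicator": "1.3.28",
    "duplicator-pro": "3.8.7.1",
}


def parse_version(version):
    """Turn '1.3.26' or '3.8.7.1' into a tuple of ints so comparison is numeric,
    not lexicographic ('1.3.9' must sort below '1.3.28')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(plugin, version):
    """True if the installed version falls inside the CPE 'lt' range."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[plugin])


# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def detect_duplicator_traversal(log_lines):
    """Return (ip, status, decoded_file) for each duplicator_download request
    whose file parameter tries to leave the backup directory.

    Only GET requests carry the parameters in the access log; a POST to
    admin-ajax.php with the same parameters in the body would not be seen here.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)
        if params.get("action", [""])[0] != "duplicator_download":
            continue
        for value in params.get("file", []):
            # parse_qs already percent-decoded once; decode again so a
            # double-encoded "%252e%252e" does not slip past the check.
            decoded = unquote(value)
            if ".." in decoded or decoded.startswith("/"):
                hits.append((m.group("ip"), m.group("status"), decoded))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 200 3511 "-" "curl/7.68.0"
203.0.113.5 - - [24/Feb/2020:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3511 "-" "curl/7.68.0"
198.51.100.7 - - [24/Feb/2020:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=backup_20200224.zip HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2020:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for plugin, version in [("duplicator", "1.3.26"), ("duplicator", "1.3.28"),
                            ("duplicator-pro", "3.8.7"), ("duplicator-pro", "3.8.7.1")]:
        print(f"{plugin} {version}: {'AFFECTED' if is_affected(plugin, version) else 'ok'}")
    for ip, status, path in detect_duplicator_traversal(SAMPLE_LOG.splitlines()):
        print(f"traversal attempt from {ip} (HTTP {status}): file={path!r}")
```

A 200 response on a flagged request means the file was served, so treat wp-config.php as disclosed and rotate the database password and salts; the third sample line (a legitimate download of a backup archive from the plugin's own directory) is correctly left alone.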