CVE-2020-11738
📋 TL;DR
A directory traversal flaw in the Snap Creek Duplicator (before 1.3.28) and Duplicator Pro (before 3.8.7.1) plugins for WordPress. The 'duplicator_download' and 'duplicator_init' admin-ajax actions accept a 'file' parameter that is not confined to the plugin's own directory, so an unauthenticated attacker can pass '../' sequences and read arbitrary files that the web server process can access, wp-config.php included. Wordfence observed active exploitation shortly after the fix shipped and reported that over 1 million sites ran the plugin at the time.
💻 Affected Systems
- WordPress Snap Creek Duplicator plugin
- WordPress Snap Creek Duplicator Pro plugin
📦 What is this software?
Duplicator by Awesomemotive (originally Snap Creek) is a WordPress plugin for migrating, cloning and backing up sites. It packages the site's files and database into an archive plus an installer script; the 'duplicator_download' and 'duplicator_init' ajax actions are part of that package-handling workflow.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read any file the web server user can open: wp-config.php (database credentials, authentication salts), .htaccess, other applications' configuration on the same host, and any SSH keys or API secrets left readable on the filesystem. Database credentials are usually enough to create an administrator account or plant a backdoor, so the realistic worst case is complete site compromise.
Likely Case
Attackers will read WordPress configuration files to obtain database credentials and other sensitive information, enabling further attacks.
If Mitigated
With proper web application firewalls and file permission controls, exploitation attempts would be blocked or limited in impact.
🎯 Exploit Status
Multiple public exploit scripts exist (see the Packet Storm entries under References), Wordfence observed active in-the-wild attacks within days of the patched release, and the CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Duplicator 1.3.28+, Duplicator Pro 3.8.7.1+
Vendor Advisory: https://snapcreek.com/duplicator/docs/changelog/?lite
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Duplicator plugin.
4. Click 'Update Now', or manually update to version 1.3.28 or higher.
5. For Duplicator Pro, update to version 3.8.7.1 or higher.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block requests to /wp-admin/admin-ajax.php whose 'action' is duplicator_download or duplicator_init and whose 'file' parameter contains '../' or '..\', including URL-encoded variants such as '..%2f', '..%5c' and '%2e%2e%2f'.
Disable Plugin
Temporarily deactivate the Duplicator plugin until it can be updated; the vulnerable ajax actions are only registered while the plugin is active.
🧯 If You Can't Patch
- Tighten filesystem permissions so the web server user can read only what WordPress needs. This limits exposure of unrelated files on the host, but it cannot protect wp-config.php, which PHP must be able to read, so treat it as damage limitation rather than a fix.
- Deploy a web application firewall rule that blocks traversal sequences in the 'file' parameter of those two ajax actions, and alert on any match.
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins and read the Duplicator version. If the version is below 1.3.28 (or below 3.8.7.1 for Pro), the site is vulnerable whenever the plugin is active.
Check Version (if WP-CLI is available):
wp plugin list --name=duplicator --field=version
wp plugin list --name=duplicator-pro --field=version (for Duplicator Pro; the slug 'duplicator-pro' is assumed here)
Verify Fix Applied:
Confirm plugin version is 1.3.28 or higher (or 3.8.7.1+ for Pro) in WordPress admin panel.
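The same version check can be run across many sites from the JSON that 'wp plugin list --format=json' prints. The script below is an added example, not code from the plugin or the advisory; it assumes the Pro plugin's slug is 'duplicator-pro' and uses constructed sample output rather than real WP-CLI data.

```python
"""Fleet check for CVE-2020-11738: is an installed Duplicator build older than the fixed release?

Input is the JSON printed by `wp plugin list --format=json` (fields: name, status,
update, version). The Pro plugin slug 'duplicator-pro' is an assumption.
"""
import json
import re

# Fixed releases from the advisory: Lite 1.3.28, Pro 3.8.7.1
FIXED_VERSIONS = {
    "duplicator": (1, 3, 28),
    "duplicator-pro": (3, 8, 7, 1),   # assumed slug for Duplicator Pro
}


def parse_version(text):
    """'1.3.26' -> (1, 3, 26); tags such as '-beta' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(slug, version):
    """True if older than the fixed release, False if patched,
    None if the slug is not a Duplicator plugin."""
    fixed = FIXED_VERSIONS.get(slug)
    if fixed is None:
        return None
    # Tuple comparison handles differing lengths: (3, 8, 7) < (3, 8, 7, 1)
    return parse_version(version) < fixed


def assess(wp_cli_json):
    """Map each Duplicator plugin in WP-CLI output to (version, status, vulnerable)."""
    result = {}
    for plugin in json.loads(wp_cli_json):
        verdict = is_vulnerable(plugin["name"], plugin["version"])
        if verdict is not None:
            result[plugin["name"]] = (plugin["version"], plugin["status"], verdict)
    return result


# Constructed sample output, not taken from a real site.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"},
    {"name": "duplicator", "status": "active", "update": "available", "version": "1.3.26"},
    {"name": "duplicator-pro", "status": "inactive", "update": "none", "version": "3.8.8"},
])

if __name__ == "__main__":
    for slug, (ver, status, vuln) in assess(SAMPLE_WP_CLI_JSON).items():
        print(f"{slug} {ver} ({status}): {'VULNERABLE' if vuln else 'patched'}")
```

An inactive vulnerable copy is not exploitable because its ajax actions are not registered, but the status is reported so it can still be updated before someone reactivates it.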
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with 'action=duplicator_download' or 'action=duplicator_init' whose 'file' parameter contains '../' or '..\' (raw, URL-encoded or double-encoded)
- 'file' values naming wp-config.php, .htaccess or paths outside the plugin's directory, and bursts of such requests from a single source in a short window (scanner behaviour)
Network Indicators:
- HTTP GET/POST requests with file parameter containing directory traversal sequences like '../' or '..\'
SIEM Query:
source="web_logs" AND uri_path="*admin-ajax.php*" AND (query_string="*action=duplicator_download*" OR query_string="*action=duplicator_init*") AND (query_string="*../*" OR query_string="*..\\*" OR query_string="*..%2f*" OR query_string="*..%5c*" OR query_string="*%2e%2e*")
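A log-side check that applies the indicators above, decoding the query string before matching so encoded and double-encoded traversal sequences are not missed. This is an added example, not tooling from the vendor or from Wordfence; the log lines are constructed in Apache/nginx combined format and the addresses are documentation ranges.

```python
"""Flag CVE-2020-11738 exploitation attempts in web server access logs.

Scans combined-format log lines for requests to /wp-admin/admin-ajax.php whose
action is duplicator_download or duplicator_init and whose parameters contain a
'../' or '..\\' sequence after (repeated) URL decoding.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

VULN_ACTIONS = {"duplicator_download", "duplicator_init"}
TRAVERSAL = re.compile(r"\.\.[\\/]")   # matches "../" and "..\"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not a real capture).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../wp-config.php HTTP/1.1" 200 3123 "-" "python-requests/2.22.0"
203.0.113.10 - - [12/Feb/2020:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_init&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3123 "-" "python-requests/2.22.0"
198.51.100.7 - - [12/Feb/2020:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3123 "-" "curl/7.68.0"
192.0.2.44 - - [12/Feb/2020:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=duplicator_download&file=installer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Feb/2020:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Feb/2020:10:05:00 +0000] "GET /wp-content/uploads/../../wp-config.php HTTP/1.1" 404 100 "-" "Mozilla/5.0"
"""


def full_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so '%252e%252e%252f' decodes to '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(query, keep_blank_values=True)   # first decoding round
    action = params.get("action", [""])[0]
    if action not in VULN_ACTIONS:
        return None
    # Check every parameter, not only 'file', so renamed copies of the probe are caught.
    for name, values in params.items():
        for raw in values:
            decoded = full_decode(raw)
            if TRAVERSAL.search(decoded):
                return {"ip": rec["ip"], "ts": rec["ts"], "action": action,
                        "param": name, "value": decoded, "status": rec["status"]}
    return None


def scan(log_text):
    """All findings in order of appearance."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def per_source(findings):
    """Attempts per client address, to spot scanners."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['action']} {f['param']}={f['value']} -> {f['status']}")
```

Access logs carry only the query string, so a probe that sends 'file' in a POST body is invisible here; pair this with a WAF or PHP-level log if POST bodies matter. A 200 response on a flagged line means the file was served and credentials should be rotated.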
🔗 References
- http://packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html
- http://packetstormsecurity.com/files/164533/WordPress-Duplicator-1.3.26-Arbitrary-File-Read.html
- https://cwe.mitre.org/data/definitions/23.html
- https://snapcreek.com/duplicator/docs/changelog/?lite
- https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11738