Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Snap Creek Duplicator WordPress Plugin Directory Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A directory traversal vulnerability has been identified in the Snap Creek Duplicator WordPress plugin, affecting Duplicator versions prior to 1.3.28 and Duplicator Pro versions prior to 3.8.7.1. The download handler appends the user-supplied 'file' parameter to the plugin's backup directory path without canonicalising it or checking that the result still lies inside that directory, so '../' sequences escape it. The handler is reachable without authentication through the 'duplicator_download' action and through the plugin's 'duplicator_init' routine, which picks up the same parameters on any page load, and it returns any file the web server process can read.

Impact

Exploitation gives an unauthenticated attacker arbitrary file read as the web server user. The most likely target is 'wp-config.php', which sits a short traversal away from the plugin's backup directory and contains the database credentials together with the authentication keys and salts. With those credentials, and a database reachable from the attacker's position or via a further foothold, the site can be taken over outright, for example by inserting an Administrator account or injecting content into the database. Files outside the WordPress root are equally readable, so the exposure is not limited to the site itself.

Reproduction

The vulnerability can be reproduced by sending a GET request to 'wp-admin/admin-ajax.php' with the 'action' parameter set to 'duplicator_download' and the 'file' parameter containing enough '../' segments to leave the plugin's backup directory; the response body is the raw contents of the target file. The same two parameters appended to any WordPress page URL are processed by the 'duplicator_init' routine with the same result, so detection that only watches 'admin-ajax.php' misses the second path.
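Because the request shape is fixed (a GET with 'action=duplicator_download' and a 'file' value that escapes the backup directory), it is straightforward to hunt for attempts in web server access logs. The Python example below is added here for that purpose; it is not part of the advisory and not the plugin's code. The log lines it scans are constructed Apache combined-format entries, the IPs and timestamps are illustrative, and the two-level traversal depth assumes the backup directory sits two levels below the WordPress root. It covers both entry points named above, plus single- and double-percent-encoded and backslash variants of the traversal.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample traffic, not captured from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2026:11:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../wp-config.php HTTP/1.1" 200 3211 "-" "curl/8.6.0"
203.0.113.7 - - [07/Apr/2026:11:02:20 +0000] "GET /?action=duplicator_download&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3211 "-" "curl/8.6.0"
198.51.100.4 - - [07/Apr/2026:11:05:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20260407_site_archive.zip HTTP/1.1" 200 8123456 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Apr/2026:11:06:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2026:11:09:30 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 - "-" "python-requests/2.31"
"""

# Apache/nginx combined format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; stops as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_param: str) -> bool:
    """True when the decoded value leaves the backup directory: a '..' segment or an absolute path."""
    normalised = fully_decode(file_param).replace("\\", "/")
    return ".." in normalised.split("/") or normalised.startswith("/")


def classify(line: str) -> Optional[dict]:
    """Return a finding for a traversal attempt against the download handler, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query, keep_blank_values=True)  # performs one decoding round
    if qs.get("action", [""])[0] != "duplicator_download":
        return None
    file_param = qs.get("file", [""])[0]
    if not is_traversal(file_param):
        return None  # an ordinary archive download by name
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        # admin-ajax.php is the documented entry point; any other path means the
        # init-hook variant that reads the same parameters on a normal page load.
        "via": "admin-ajax" if parts.path.endswith("/admin-ajax.php") else "init-hook",
        "file": fully_decode(file_param),
        "status": m.group("status"),
        # A 200 with a non-empty body is the signal that the read most likely succeeded.
        "likely_success": m.group("status") == "200" and m.group("size") not in ("-", "0"),
    }


def scan(log_text: str) -> list:
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log by passing the file contents to scan(). A 200 with a plausible 'wp-config.php'-sized body on a pre-1.3.28 install should be treated as a confirmed credential exposure, while 404s still identify the source addresses probing for the flaw.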

Remediation

Users are advised to update the Duplicator WordPress plugin to version 1.3.28 or later, or Duplicator Pro to version 3.8.7.1 or later. Because a successful read hands the attacker the contents of 'wp-config.php', updating alone does not undo the exposure: check web server access logs for requests carrying 'action=duplicator_download' with traversal sequences in 'file' (on any URL, not only 'admin-ajax.php'), and where any are found, rotate the database password and the authentication keys and salts and audit the site for unexpected Administrator accounts and content changes.

Added: Apr 7, 2026, 11:32 AM
Updated: Apr 7, 2026, 11:32 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 10.0
remediation: 7.7
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.