CVSS: 9.8 | EPSS: 93% | CPEs: 1 | EXPL: 1

An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
• https://snapcreek.com/duplicator/docs/changelog/?lite
• https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter. WordPress Duplicator plugin version 1.2.32 suffers from a cross site scripting vulnerability.
• https://www.exploit-db.com/exploits/44288
• https://snapcreek.com/duplicator/docs/changelog/?lite
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

installer.php in the Snap Creek Duplicator (WordPress Site Migration & Backup) plugin before 1.2.30 for WordPress has XSS because the values "url_new" (/wp-content/plugins/duplicator/installer/build/view.step4.php) and "logging" (wp-content/plugins/duplicator/installer/build/view.step2.php) are not filtered correctly.
• https://packetstormsecurity.com/files/144914/WordPress-Duplicator-Migration-1.2.28-Cross-Site-Scripting.html
• https://snapcreek.com/duplicator/docs/changelog
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.2 | EPSS: 2% | CPEs: 1 | EXPL: 1

The Duplicator plugin in WordPress before 0.5.10 allows remote authenticated users to create and download backup files.
• https://www.exploit-db.com/exploits/36112
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-287: Improper Authentication