Vulnerability Description
An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Awesomemotive | Duplicator | < 1.2.42 |
Related Weaknesses (CWE)
References
- https://snapcreek.com/duplicator/docs/changelog/?liteVendor Advisory
- https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.ExploitThird Party Advisory
- https://snapcreek.com/duplicator/docs/changelog/?liteVendor Advisory
- https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.ExploitThird Party Advisory
FAQ
What is CVE-2018-17207?
CVE-2018-17207 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php durin...
How severe is CVE-2018-17207?
CVE-2018-17207 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-17207?
Check the references section above for vendor advisories and patch information. Affected products include: Awesomemotive Duplicator.