Vulnerability Description
The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Awesomemotive | Duplicator | < 1.4.7 |
Related Weaknesses (CWE)
References
- https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551ExploitThird Party Advisory
- https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0ExploitThird Party Advisory
- https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551ExploitThird Party Advisory
- https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0ExploitThird Party Advisory
FAQ
What is CVE-2022-2551?
CVE-2022-2551 is a vulnerability with a CVSS score of 7.5 (HIGH). The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run onc...
How severe is CVE-2022-2551?
CVE-2022-2551 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-2551?
Check the references section above for vendor advisories and patch information. Affected products include: Awesomemotive Duplicator.