History: Jan 08, 2024 - 7:00 p.m.

CVE-2018-25095 Duplicator < 1.3.0 - Unauthenticated RCE

2024-01-08 19:00:33
WPScan
www.cve.org
6
cve-2018-25095
duplicator wordpress plugin
unauthenticated rce
installer script
arbitrary code

AI Score: 9.6

Confidence: High

EPSS: 0.001

Percentile: 43.4%

The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be used to run arbitrary code on the server.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Duplicator",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "1.3.0"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
