wpvulndb | Dmitrii Ignatyev | WPVDB-ID:5C5D41B9-1463-4A9B-862F-E9EE600EF8E1
History: Dec 04, 2023 - 12:00 a.m.

Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure

wpscan.com
duplicator
unauthenticated access
sensitive data exposure
web server
directory listing
database dump
zip archive

AI Score: 8.7 (Confidence: High)

EPSS: 0.011 (Percentile: 85.1%)

Description

The plugin does not disallow listing the backups-dup-lite/tmp directory (or the backups-dup-pro/tmp directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.

PoC

1. Ensure that the web server (e.g. nginx or Apache) has directory listing enabled.
2. Visit Duplicator > Packages and click Create New and then Next.
3. Visit /wp-content/backups-dup-lite/tmp/ to see the first sensitive files that are created.
4. Click Build.
5. Visit /wp-content/backups-dup-lite/tmp/ to see the database dump and the zip file as it is being assembled.

For the Pro version, change the paths above to use backups-dup-pro.
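A local check for the condition described above, as an added example (not code from the advisory or the plugin): it compares the installed plugin version with the fixed releases named in the title and lists any files sitting in the tmp directories. The plugin directory name duplicator-pro and reading the version from the standard WordPress Version: header are assumptions.

```python
import re
import sys
from pathlib import Path

# First fixed releases, taken from the advisory title. The plugin directory
# name "duplicator-pro" is an assumption; the advisory gives only backup paths.
EDITIONS = {
    "duplicator": ((1, 5, 7, 1), "backups-dup-lite/tmp"),
    "duplicator-pro": ((4, 5, 14, 2), "backups-dup-pro/tmp"),
}
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9.]+)", re.I | re.M)


def parse_version(text):
    """'1.5.7' -> (1, 5, 7, 0), so 1.5.7 sorts below the fixed 1.5.7.1."""
    parts = [int(p) for p in text.split(".") if p]
    return tuple(parts + [0] * (4 - len(parts)))


def installed_version(plugin_dir):
    """Read the WordPress 'Version:' header from the plugin's top-level PHP files."""
    for php in sorted(plugin_dir.glob("*.php")) if plugin_dir.is_dir() else []:
        match = VERSION_HEADER.search(php.read_text(errors="ignore")[:8192])
        if match:
            return match.group(1)
    return None


def audit(wp_content):
    """List affected installs and any files sitting in the web-reachable tmp dirs."""
    findings = []
    for slug, (fixed, tmp_rel) in EDITIONS.items():
        version = installed_version(Path(wp_content) / "plugins" / slug)
        tmp_dir = Path(wp_content) / tmp_rel
        tmp_files = sorted(p.name for p in tmp_dir.iterdir()) if tmp_dir.is_dir() else []
        if version is None and not tmp_files:
            continue  # edition not installed and nothing left behind
        affected = version is not None and parse_version(version) < fixed
        findings.append({"plugin": slug, "version": version,
                         "affected": affected, "tmp_files": tmp_files})
    return findings


if __name__ == "__main__":
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content"):
        print(finding)
```

Run it with the path to wp-content as the only argument; an entry with "affected": True or a non-empty "tmp_files" list is worth following up on.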
