The Copier Guy

Duplicator 1.4.7 - Unauthenticated Backup Download (May 2026)

The Duplicator plugin is one of the most popular migration and backup solutions for WordPress, boasting over a million active installations. However, even the most trusted tools can have vulnerabilities. In early 2020, a critical security flaw was discovered in Duplicator version 1.4.7 (and several previous versions) that allowed unauthenticated users to download site backups.

If you suspect you were running the vulnerable version during early 2020, check your server logs for unusual GET requests to the Duplicator plugin folder.

An attacker could craft a specific URL pointing to the Duplicator download handler. When the name of an existing backup file was appended to the query string, the server would serve the file to the requester, regardless of their login status.
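The log check recommended above can be scripted; this is an added example, not code from the plugin or from the original page. It flags GET requests that mention Duplicator and carry a backup-style file name in the query string. The handler path, parameter name and log lines are constructed placeholders, and the backup-name pattern is an assumption to adjust to your own archive names.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: backup artifacts are named like archives or installer scripts.
BACKUP_NAME_RE = re.compile(r'(\.zip|\.daf|installer[^/]*\.php)$', re.IGNORECASE)

def suspicious_requests(lines):
    """Return GETs that mention Duplicator and name a backup file in the query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'GET':
            continue
        if 'duplicator' not in unquote(m['target']).lower():
            continue
        # parse_qsl percent-decodes, so "backup%2Ezip" is seen as "backup.zip"
        query = urlsplit(m['target']).query
        files = [v for _, v in parse_qsl(query) if BACKUP_NAME_RE.search(v)]
        if not files:
            continue
        size = int(m['size']) if m['size'].isdigit() else 0
        hits.append({
            'ip': m['ip'], 'time': m['time'], 'files': files,
            'status': int(m['status']), 'bytes': size,
            # served: 2xx with a body, so treat that backup as exposed
            'served': m['status'].startswith('2') and size > 0,
        })
    return hits

# Constructed sample lines: documentation IPs, placeholder handler path and parameter.
H = '/wp-content/plugins/duplicator/HANDLER-PLACEHOLDER.php'
SAMPLE_LOG = [
    f'198.51.100.7 - - [14/Feb/2020:03:12:45 +0000] "GET {H}?file=20200214_site_archive.zip HTTP/1.1" 200 48211033 "-" "-"',
    '192.0.2.10 - - [14/Feb/2020:03:13:01 +0000] "GET /wp-content/plugins/duplicator/assets/css/style.css?ver=1.4.7 HTTP/1.1" 200 2210 "-" "-"',
    f'198.51.100.7 - - [14/Feb/2020:03:13:09 +0000] "GET {H}?file=installer.php HTTP/1.1" 403 512 "-" "-"',
    f'192.0.2.10 - admin [14/Feb/2020:03:14:00 +0000] "POST {H}?file=site.zip HTTP/1.1" 200 90 "-" "-"',
    f'203.0.113.9 - - [15/Feb/2020:11:02:30 +0000] "GET {H}?file=backup%2Ezip HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.9 - - [15/Feb/2020:11:03:00 +0000] "GET /downloads?file=report.zip HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == '__main__':
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `served` set means a backup left the server; it should be treated as a disclosure of the database dump and `wp-config.php` contents inside that archive.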

The plugin utilized a specific function to facilitate the download of backup files (archives and installers). Due to insufficient input validation and a lack of permission checks, the download script could be manipulated.

If you were compromised, changing your WordPress salt keys and database passwords is a mandatory next step.

The core of the issue in Duplicator 1.4.7 was an "Unauthenticated Arbitrary File Download" vulnerability. In simple terms, this means an attacker did not need a username or password to access and download sensitive files from the server.

If you are still running Duplicator 1.4.7 or older, your site is highly vulnerable to automated scanners looking for this specific exploit.
