The string action=duplicator_download and file= appearing in your WordPress logs or a security scan is a serious indicator of an attempted attack targeting the Duplicator plugin (CVE-2020-11738). The request is sent to /wp-admin/admin-ajax.php with the parameters action=duplicator_download and file=.

Understanding the Vulnerability (CVE-2020-11738)

The Duplicator plugin, used for site migration and backups, contained a flaw in its AJAX handling functions (duplicator_download and duplicator_init). Because the plugin did not properly sanitize the file parameter, attackers could use "dot-dot-slash" (../) sequences to navigate outside the intended folder.

This vulnerability allows unauthenticated attackers to download sensitive files directly from your server. If you see this pattern, your site has likely been targeted by a known exploit.

The most common target is your wp-config.php file. By downloading wp-config.php, an attacker gains access to your database credentials, secret authentication keys, and salts. This can lead to a full site takeover or data theft.

Affected versions: Duplicator Lite versions 1.3.24 to 1.3.26 and Duplicator Pro versions prior to 3.8.7.1.

Immediate Remediation Steps

If you suspect your site is vulnerable or has been scanned, follow these steps immediately:
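The following is an added example, not code from this article or from the Duplicator project, showing how the indicator described above can be checked against web-server access logs. It parses Apache/nginx "combined" format lines, flags requests to admin-ajax.php carrying action=duplicator_download, percent-decodes the file= value (including double encoding) to reveal ../ traversal, and records whether the server answered 200, which would mean the file was actually served. The log lines, IP addresses and the list of high-value file names are constructed for illustration.

```python
"""Detect CVE-2020-11738 probe attempts in web-server access logs.

Added example for this article, not the plugin's own code. The sample
log lines are constructed; the rule follows the indicator in the text:
a request to /wp-admin/admin-ajax.php with action=duplicator_download
and a file= parameter that uses ../ (possibly URL-encoded).
"""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" format: client, time, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files whose retrieval means credentials or secrets are exposed (assumed list).
HIGH_VALUE_FILES = ("wp-config.php", ".env", ".htpasswd")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> Optional[dict]:
    """Return a finding dict if the request matches the indicator, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    action = params.get("action", [""])[0]
    if action != "duplicator_download":
        return None
    # parse_qs already decoded once; decode again for nested encoding and
    # normalise backslashes so ..\ is treated like ../
    file_path = decode_fully(params.get("file", [""])[0]).replace("\\", "/")
    traversal = "../" in file_path or file_path.startswith("/")
    basename = file_path.rsplit("/", 1)[-1]
    return {
        "action": action,
        "file": file_path,
        "traversal": traversal,
        "high_value": basename in HIGH_VALUE_FILES,
    }


def scan_log(lines):
    """Return one finding per matching request, with source IP and outcome."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding is None:
            continue
        # A 200 on a traversal request means the file was actually served.
        finding["served"] = m.group("status") == "200"
        finding["ip"] = m.group("ip")
        findings.append(finding)
    return findings


# Constructed sample log lines (not from a real server; RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=../../../../wp-config.php HTTP/1.1" 200 3115',
    '203.0.113.5 - - [10/Mar/2020:12:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Mar/2020:12:01:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 50',
    '192.0.2.9 - - [10/Mar/2020:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        level = "CRITICAL" if f["served"] and f["high_value"] else "WARNING"
        print(f"{level}: {f['ip']} requested {f['file']} "
              f"(traversal={f['traversal']}, served={f['served']})")
```

A 403 or 404 on such a request shows the probe was blocked or the plugin was already patched; a 200 with a non-zero response size against wp-config.php should be treated as a confirmed exposure, which is when the credential and salt rotation in the remediation steps becomes mandatory rather than precautionary.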