CVE-2020-11738
Published: 13 April 2020
Summary
CVE-2020-11738 is a high-severity Path Traversal (CWE-22) vulnerability in Awesomemotive Duplicator. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is a path traversal flaw, tracked as CWE-22, that affects the Snap Creek Duplicator plugin for WordPress prior to version 1.3.28 and Duplicator Pro prior to 3.8.7.1. Untrusted input supplied in the file parameter to the duplicator_download or duplicator_init actions is not properly sanitized, allowing sequences such as "../" to escape the intended directory.
An unauthenticated remote attacker can exploit the issue over the network with low complexity to read arbitrary files on the underlying server, resulting in disclosure of sensitive configuration data, credentials, or other hosted content. The CVSS 3.1 score of 7.5 reflects the absence of required privileges or user interaction and the high confidentiality impact.
Vendor advisories and the official changelog recommend immediate upgrade to Duplicator 1.3.28 or Duplicator Pro 3.8.7.1. Public exploit code has been released on PacketStorm, and Wordfence has documented active exploitation campaigns targeting more than one million sites that had not yet applied the patch.
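As an added defensive example (not code from the advisory or the Duplicator project), the following Python scans constructed web-server log lines for the request shape described above, undoing percent-encoding so encoded traversal sequences are still caught, and includes the base-directory containment check that the fixed versions are meant to enforce. The log lines, client addresses and the backup directory name are assumed sample values.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed sample access-log lines (not real traffic); the action and
# parameter names are the ones the advisory describes.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120
203.0.113.5 - - [13/Apr/2020:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_init&file=..%252F..%252Fbackups%252Farchive.zip HTTP/1.1" 200 1240
198.51.100.7 - - [13/Apr/2020:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=installer.php HTTP/1.1" 200 8810
198.51.100.9 - - [13/Apr/2020:10:03:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120
"""

DUPLICATOR_ACTIONS = {"duplicator_download", "duplicator_init"}
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
DOT_DOT_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." path segment

def decode_fully(value, max_rounds=3):
    """Strip repeated percent-encoding so ..%2F and ..%252F both become ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_duplicator_traversal(log_text):
    """Return GET requests to the Duplicator AJAX actions whose file parameter traverses."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # removes one %-layer
        actions = set(params.get("action", [])) & DUPLICATOR_ACTIONS
        if not actions:
            continue
        for raw_file in params.get("file", []):
            candidate = decode_fully(raw_file)
            if DOT_DOT_SEGMENT.search(candidate) or candidate.startswith(("/", "\\")):
                hits.append({"client": line.split()[0], "action": sorted(actions)[0], "file": candidate})
    return hits

def is_confined_to(base_dir, requested):
    """Server-side check: the resolved path must stay under base_dir (what the fix must enforce)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base
```

POST bodies are not recorded in standard access logs, so this only covers parameters sent in the query string.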
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-4080
Vulnerability details
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
- CWE(s): CWE-22
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation of the untrusted file parameter to reject path traversal sequences such as ../ before any file read occurs.
AC-3 (Access Enforcement): enforces that only authorized subjects may access files, preventing the unauthenticated duplicator_download and duplicator_init actions from reading arbitrary paths.
Requires timely application of the vendor patch (1.3.28 / 3.8.7.1) that eliminates the unsanitized file parameter handling.