Cyber Resilience

CVE-2020-11738

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 13 April 2020
Modified: 02 February 2026
KEV Added: 03 November 2021
Patch: available
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9425 (99.9th percentile)
Risk Priority: 92 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-11738 is a high-severity Path Traversal (CWE-22) vulnerability in Awesomemotive Duplicator. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a path traversal flaw, tracked as CWE-22, that affects the Snap Creek Duplicator plugin for WordPress prior to version 1.3.28 and Duplicator Pro prior to 3.8.7.1. Untrusted input supplied in the file parameter to the duplicator_download or duplicator_init actions is not properly sanitized, allowing sequences such as "../" to escape the intended directory.

An unauthenticated remote attacker can exploit the issue over the network with low complexity to read arbitrary files on the underlying server, resulting in disclosure of sensitive configuration data, credentials, or other hosted content. The CVSS 3.1 score of 7.5 reflects the absence of required privileges or user interaction and the high confidentiality impact.

Vendor advisories and the official changelog recommend immediate upgrade to Duplicator 1.3.28 or Duplicator Pro 3.8.7.1. Public exploit code has been released on PacketStorm, and Wordfence has documented active exploitation campaigns targeting more than one million sites that had not yet applied the patch.

EU & UK References

Vulnerability details

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: awesomemotive
Product: duplicator
Versions: ≤ 1.3.28 · ≤ 3.8.7.1

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): Directly requires validation of untrusted file parameters to reject path traversal sequences such as ../ before any file read occurs.

prevent · AC-3 (Access Enforcement): Enforces that only authorized subjects may access files, blocking the unauthenticated duplicator_download and duplicator_init actions from reading arbitrary paths.

prevent: Requires timely application of the vendor patch (1.3.28 / 3.8.7.1) that eliminates the unsanitized file parameter handling.
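The containment check that SI-10 calls for, placed beside the flawed join pattern the Deeper analysis describes, together with a log-side detection for the two actions named in the vulnerability details, as an added Python example. This is not the plugin's own PHP code and not part of this record. The base directory, the endpoint path /wp-admin/admin-ajax.php and the access-log lines are constructed placeholders; only the action names and the file parameter come from the advisory.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed placeholder for the directory the download action is meant to serve from.
PACKAGE_DIR = "/var/www/html/wp-snapshots"

# Action names taken from the advisory; the endpoint path used in the sample log is assumed.
VULNERABLE_ACTIONS = {"duplicator_download", "duplicator_init"}


def naive_download_path(base_dir: str, requested: str) -> str:
    """The flawed pattern the advisory describes: untrusted input is joined straight
    onto the base directory, so '../' sequences walk out of it when the file is opened."""
    return os.path.join(base_dir, requested)


def resolve_download_path(base_dir: str, requested: str):
    """Hardened form (SI-10): resolve the candidate path and require that it stays inside
    base_dir. Returns the absolute path to serve, or None when the request must be refused.
    Containment is decided on the normalised result rather than by stripping '../'
    substrings, so encoded, nested and absolute-path variants are all caught."""
    if "\x00" in requested:          # embedded NUL would truncate the path in C-level APIs
        return None
    base = os.path.realpath(base_dir)
    # Decode once more in case the front end left percent-encoding in place.
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Common-log-format request line: client ip ... "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(log_lines):
    """Detection: return (client_ip, action, file) for entries that call one of the
    vulnerable actions with a file parameter that fails the same containment check."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        params = parse_qs(urlparse(target).query)   # parse_qs percent-decodes values
        action = params.get("action", [None])[0]
        if action not in VULNERABLE_ACTIONS:
            continue
        for requested in params.get("file", []):
            if resolve_download_path(PACKAGE_DIR, requested) is None:
                hits.append((client, action, requested))
    return hits


# Constructed sample access-log lines, not real traffic; the endpoint path is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=../../../../wp-config.php HTTP/1.1" 200 2931',
    '198.51.100.9 - - [13/Apr/2020:10:02:15 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_init&file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1730',
    '192.0.2.4 - - [13/Apr/2020:10:03:44 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=site_backup.zip HTTP/1.1" 200 1048576',
    '192.0.2.5 - - [13/Apr/2020:10:04:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Reusing resolve_download_path for both serving and detection keeps the two in agreement: anything the hardened handler would refuse is exactly what the log scan reports, including percent-encoded and absolute-path forms that a plain search for the literal string "../" would miss.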

References