Description
WordPress Duplicator is a WordPress plugin that creates a package that bundles all the site's plugins, themes, content, database and WordPress files into a simple zip file that can be used to easily migrate a WordPress site.
Synacktiv discovered that WordPress Duplicator versions lower than 1.2.42 do not remove sensitive files after the restoration process. The installer.php and installer-backup.php files remain in the web root and can be reused after the restoration process to inject malicious PHP code into the wp-config.php file.
Remediation
Upgrade to the latest version of WordPress Duplicator. This vulnerability was fixed starting with version 1.2.42.
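A defender-side check for the two conditions this advisory describes, written as an added example (it is not code from the advisory, from Synacktiv, or from the Duplicator plugin): it looks for the installer.php and installer-backup.php files that older releases leave behind, and compares the installed plugin version against 1.2.42, the first fixed release. The plugin main file path wp-content/plugins/duplicator/duplicator.php and its "Version:" header line are assumptions based on the usual WordPress plugin layout; the directory tree built by demo() is constructed for illustration.

```python
import os
import re
import tempfile
from typing import Iterable, List, Optional, Tuple

# Files the advisory says Duplicator's restore process leaves in the web root.
LEFTOVER_INSTALLER_FILES = ("installer.php", "installer-backup.php")

# First fixed release, per the advisory.
FIXED_VERSION = "1.2.42"

# Assumed location of the plugin's main file; WordPress plugins declare their
# version in a "Version:" line inside the header comment of that file.
PLUGIN_MAIN_FILE = os.path.join("wp-content", "plugins", "duplicator", "duplicator.php")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.42' into (1, 2, 42) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is lower than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def leftover_installer_files(entries: Iterable[str]) -> List[str]:
    """Return which of the known installer artifacts appear among directory entries."""
    present = set(entries)
    return [name for name in LEFTOVER_INSTALLER_FILES if name in present]


def scan_wordpress_root(root: str) -> dict:
    """Report leftover installer files and whether the installed plugin predates the fix."""
    leftovers = leftover_installer_files(os.listdir(root))
    version = None
    plugin_path = os.path.join(root, PLUGIN_MAIN_FILE)
    if os.path.isfile(plugin_path):
        # The header comment sits at the top of the file; 8 KiB is plenty.
        with open(plugin_path, encoding="utf-8", errors="replace") as fh:
            version = parse_plugin_version(fh.read(8192))
    return {
        "leftover_files": leftovers,
        "plugin_version": version,
        "version_vulnerable": version is not None and version_is_vulnerable(version),
    }


def demo() -> dict:
    """Build a constructed WordPress tree with a stale installer and an old plugin, then scan it."""
    root = tempfile.mkdtemp(prefix="wp-duplicator-check-")
    open(os.path.join(root, "installer.php"), "w").close()   # constructed leftover
    open(os.path.join(root, "wp-config.php"), "w").close()   # constructed config file
    plugin_dir = os.path.join(root, "wp-content", "plugins", "duplicator")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "duplicator.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Duplicator\nVersion: 1.2.40\n*/\n")
    return scan_wordpress_root(root)


if __name__ == "__main__":
    print(demo())
```

Point scan_wordpress_root() at a real document root to use it; any non-empty leftover_files list means the restore artifacts should be deleted regardless of plugin version, since the advisory's remediation (upgrading) only stops new restores from leaving them behind.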