Description
WordPress plugin Duplicator (versions <= 1.3.26) contains an unauthenticated arbitrary file download vulnerability that allows attackers to download arbitrary files from the WordPress installation. For example, an attacker can download the WordPress configuration file wp-config.php, which contains the WordPress database credentials and the authentication unique keys and salts.
Remediation
Upgrade to the latest version of the WordPress Duplicator plugin. This issue was fixed in version 1.3.26.