The WordPress plugin Duplicator—a great tool for migrating your WordPress site to another host or backing up all of your content, themes, and plugins—has more than one million active installations. It also has one glaring vulnerability that you’re going to want to patch right now: an unauthenticated attacker can abuse the plugin to download files they should never be able to reach, like your ever-important wp-config.php file.
And once they have their hands on that, your blog, e-commerce site, or portfolio could get very interesting. As Tenable describes:
“An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site using the vulnerable version of the Duplicator plugin. This would allow them to download files outside of the intended directory. An attacker would need some knowledge of the target file structure or attempt to download commonly known files.
These files could include the wp-config.php file, referred to as ‘one of the most important files’ in a WordPress installation. This is because the configuration file contains database credentials and authentication keys and salts. An attacker could use this information to create their own administrator account on the vulnerable site or ‘inject content or harvest data.’”
According to Wordfence, the vulnerability affects Duplicator 1.3.26 and earlier, as well as Duplicator Pro 3.8.7 and earlier. Duplicator developer Snap Creek has already issued fixes, so you’ll want to update to Duplicator 1.3.28 (or Duplicator Pro 3.8.7.1) as soon as possible.
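If you look after more than one site, checking the installed version by hand gets tedious. The script below is an added example (not code from this article or from Snap Creek): it reads the standard WordPress plugin header, which WordPress itself takes from the first 8 KB of the plugin’s main PHP file, and compares the `Version` field against the affected and patched numbers above. It assumes the two editions identify themselves in that header as `Duplicator` and `Duplicator Pro`; the sample header it ships with is constructed for the demo, not copied from the plugin.

```python
"""Flag Duplicator / Duplicator Pro installs in the affected range
(free <= 1.3.26, Pro <= 3.8.7) by reading the WordPress plugin header."""
import re
import sys
from pathlib import Path

# Last affected and first patched release of each edition, per the figures
# in the article. Anything between the two is reported as "unknown" rather
# than guessed at. Keys are the "Plugin Name" header values (assumed).
LAST_AFFECTED = {"Duplicator": (1, 3, 26), "Duplicator Pro": (3, 8, 7)}
FIRST_PATCHED = {"Duplicator": (1, 3, 28), "Duplicator Pro": (3, 8, 7, 1)}

# Matches " * Version: 1.3.26" or "Plugin Name: Duplicator" inside a
# PHP doc-comment, tolerating the leading comment decoration.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE
)

# Constructed sample header in the standard WordPress layout (not the real
# file), used when the script is run without a plugins directory argument.
SAMPLE_FREE_HEADER = """<?php
/**
 * Plugin Name: Duplicator
 * Plugin URI: https://example.com/duplicator
 * Description: Migrate and back up a copy of your WordPress files and database.
 * Version: 1.3.26
 * Author: Snap Creek
 */
"""


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin file.
    Only the first 8 KB are inspected, mirroring what WordPress reads."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)  # first occurrence wins
    return fields


def parse_version(s):
    """'1.3.26' -> (1, 3, 26, 0). Padded to four parts so '3.8.7' and
    '3.8.7.0' compare equal; a pre-release tag like '-rc1' is ignored."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", s.strip())
    if not core:
        raise ValueError(f"unparseable version: {s!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def assess(name, version):
    """Classify one plugin as vulnerable / patched / unknown / not-duplicator."""
    if name not in LAST_AFFECTED:
        return "not-duplicator"
    v = parse_version(version)
    if v <= parse_version(".".join(map(str, LAST_AFFECTED[name]))):
        return "vulnerable"
    if v >= parse_version(".".join(map(str, FIRST_PATCHED[name]))):
        return "patched"
    return "unknown"


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins/*/*.php and assess every Duplicator edition found."""
    results = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        try:
            hdr = parse_plugin_header(php.read_text(errors="replace"))
        except OSError:
            continue
        if hdr.get("Plugin Name") in LAST_AFFECTED and "Version" in hdr:
            results[str(php)] = assess(hdr["Plugin Name"], hdr["Version"])
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_duplicator.py /var/www/html/wp-content/plugins
        for path, status in scan_plugins_dir(sys.argv[1]).items():
            print(f"{status:15} {path}")
    else:
        hdr = parse_plugin_header(SAMPLE_FREE_HEADER)
        print(hdr["Plugin Name"], hdr["Version"], "->",
              assess(hdr["Plugin Name"], hdr["Version"]))
```

Point it at your `wp-content/plugins` directory on each host; a status of `unknown` means the version sits between the last affected and first patched numbers quoted here, so check the vendor’s changelog rather than assuming either way.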
To do this, simply log into your WordPress administrative page and click on Plugins. You’ll be able to see which plugins have updates waiting, and downloading and installing the new versions is as easy as clicking a link. Once it’s done, confirm the listed Duplicator version is 1.3.28 or later (3.8.7.1 or later for Pro).
As before, I think it’s also worth taking a few minutes to install a plugin that can handle this updating process for you, which ensures that you’re always using the most up to date versions of your plugins whenever they launch.
Install a WordPress plugin like Companion Auto Update, and you’ll never have to worry about updating your other plugins again. Yes, an automatic update could break your site if a new version changes a feature you rely on, so keep a recent backup you can roll back to, but I still think an auto-updater is a great idea for most people who have a WordPress blog or simple portfolio.