On 19 February 2020, Wordfence reported a highly critical vulnerability found in the popular Duplicator plugin for WordPress.

This plugin is useful when users want to migrate and copy WordPress sites. With Duplicator, sysadmins can create a new copy of the site and the generated file can be downloaded from the WP dashboard.

WordPress Duplicator Plugin Zero-day Vulnerability

Exploiting the newly discovered zero-day vulnerability allows hackers to download arbitrary files from the target sites. More than 1 million WordPress websites are affected by this security flaw.

When users create a copy of a WP site and click on the download button, it’ll trigger a call to the WordPress AJAX handler with the action duplicator_download and a file parameter.

„Unfortunately the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, but directory traversal was still possible. An attacker could access files outside of Duplicator’s intended directory by submitting values like ../../../file.php to navigate throughout the server’s file structure.” - WordFence

function duplicator_init() {     if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {         $file = sanitize_text_field($_GET['file']);         $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;         // Process download         if(file_exists($filepath)) {             // Clean output buffer             if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {                 @ob_clean();             }               header('Content-Description: File Transfer');             header('Content-Type: application/octet-stream');             header('Content-Disposition: attachment; filename="'.basename($filepath).'"');             header('Expires: 0');             header('Cache-Control: must-revalidate');             header('Pragma: public');             header('Content-Length: ' . filesize($filepath));             flush(); // Flush system output buffer               try {                 $fp = @fopen($filepath, 'r');                 if (false === $fp) {                     throw new Exception('Fail to open the file '.$filepath);                 }                 while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {                     echo $data;                 }                 @fclose($fp);             } catch (Exception $e) {                 readfile($filepath);             }             exit;         } else {             wp_die('Invalid installer file name!!');         }     } } add_action('init', 'duplicator_init');

Source: WordFence

What are the signs of exploiting this vulnerability?

If you see the following query strings in a GET request, most probably you became a target for hackers:

• action=duplicator_download
• file=/../wp-config.php