Update WordPress Duplicator Plugin to Block Zero Day Attack
WordPress Duplicator Plugin is a great tool for migrating your WordPress site to another host or backing up all your content, themes and plugins – has over a million active installations. It also has one glaring vulnerability that you will want to fix right now. Otherwise, a skilled attacker could use a plugin to download critical files from your WordPress site, such as your always-important wp-config.php file.
And once they get it, your blog, e-commerce site, or portfolio can get very interesting. As Tenable describes:
“An unauthenticated remote attacker could exploit this vulnerability by submitting a specially crafted request to the WordPress site using the vulnerable version of the Duplicator plugin. This will allow them to upload files outside of the intended directory. An attacker would need some knowledge of the target file structure or an attempt to download well-known files.
These files can include a wp-config.php file called “one of the most important files” in your WordPress installation. This is because the config file contains database credentials, authentication keys and salts. An attacker could use this information to create his own administrator account for a vulnerable site or to “inject content or collect data.”
According to Wordfence , the Duplicator vulnerability affects any version of the extension up to (inclusive) 1.3.26, as well as any version of the Duplicator Pro extension up to (inclusive) 3.8.7. Duplicator developer Snap Creek has already released fixes for this issue, so you need to update your plugin to version 1.3.28 (or 3.8.7.1 for Duplicator Pro) as soon as possible.
To do this, simply login to your WordPress admin page and click on Plugins. You can view any plugins with updates, and downloading and installing new versions is as easy as clicking a link.
As before , I think it’s also worth spending a few minutes installing a plugin that can handle this update process for you, ensuring that you always use the most recent versions of your plugins when you launch them.
Install a WordPress plugin like Companion Auto Update and you never have to worry about updating other plugins again. While yes, it could break your site if an update breaks a critical function in some way, I think using auto-update is a great idea for most people who have a WordPress blog or simple portfolio.