CVE-2022-2551

The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551	Exploit Third Party Advisory
https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:snapcreek:duplicator:*:*:*:*:lite:wordpress:*:*

History

23 Aug 2022, 18:56

Type	Values Removed	Values Added
First Time		Snapcreek Snapcreek duplicator
CPE		cpe:2.3:a:snapcreek:duplicator:::::lite:wordpress::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551 -~~	(MISC) https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551 - Exploit, Third Party Advisory
References	~~(MISC) https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0 -~~	(MISC) https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0 - Exploit, Third Party Advisory

22 Aug 2022, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-22 15:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-2551

Mitre link : CVE-2022-2551

CVE.ORG link : CVE-2022-2551

JSON object : View

Products Affected

snapcreek

duplicator

CWE

CWE-425

Direct Request ('Forced Browsing')

7.5 /10