CVE-2022-2551

moderate-risk
Published 2022-08-22

The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

Do I need to act?

!
59.7% chance of exploitation in next 30 days
EPSS score — higher than 40% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50992
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Awesomemotive

References (4)

Exploit https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551
Exploit https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0
Exploit https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551
Exploit https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0
49
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 18/34 · Moderate
Exposure 5/34 · Minimal