CVE-2023-6114

Name of the Vulnerable Software and Affected Versions Duplicator WordPress plugin versions prior to 1.5.7.1 Duplicator Pro WordPress plugin versions prior to 4.5.14.2

Description The issue concerns the Duplicator WordPress plugin and its Pro version, where the backups-dup-lite/tmp directory (or backups-dup-pro/tmp in the Pro version) is not properly restricted, allowing unauthenticated attackers to access sensitive files when directory listing is enabled in the web server. These sensitive files include a full database dump and a zip archive of the site.

Recommendations For Duplicator WordPress plugin versions prior to 1.5.7.1, update to version 1.5.7.1 or later. For Duplicator Pro WordPress plugin versions prior to 4.5.14.2, update to version 4.5.14.2 or later. As a temporary workaround, consider disabling directory listing in the web server to minimize the risk of exploitation. Restrict access to the backups-dup-lite/tmp and backups-dup-pro/tmp directories to prevent unauthorized access to sensitive files.