CVE-2022-2551

Name of the Vulnerable Software and Affected Versions Duplicator WordPress plugin versions prior to 1.4.7

Description The issue allows unauthenticated visitors to access the main installer endpoint of the plugin and download the full site backup without authentication, if the installer script has been run once by an administrator. This occurs because the plugin discloses the URL of the backup to unauthenticated visitors.

Recommendations For versions prior to 1.4.7, update to version 1.4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the main installer endpoint of the plugin until the update is applied.