nuclei-templates/http/cves/2023/CVE-2023-6114.yaml

id: CVE-2023-6114

info:
  name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
  author: DhiyaneshDk
  severity: high
  description: |
    The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
  remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.
  reference:
    - https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing
    - https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6114
    - https://wpscan.com/plugin/duplicator/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-6114
    cwe-id: CWE-552
    epss-score: 0.01646
    epss-percentile: 0.87553
    cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:*
  metadata:
    max-request: 2
    vendor: awesomemotive
    product: duplicator
    framework: wordpress
    google-query: inurl:"/wp-content/plugins/duplicator"
  tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp,awesomemotive

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
      - "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '/tmp') && contains(body, '<title>Index of')"
        condition: and
# digest: 4a0a00473045022100dcc94d59aa7434d71f25eac9193fbfafab7a322c155123ae491ac4510c38ccea022054af43cbe55ecf715023e83dbf40e7e5070d4a06a20a50402a5c5d296ee96dfb:922c64590222798bb761d5b6d8e72950
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00			`id: CVE-2023-6114`

			`info:`
			`name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure`
			`author: DhiyaneshDk`
			`severity: high`
			`description: \|`
			The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
			`remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.`
			`reference:`
			`- https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing`
			`- https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-6114`
			`- https://wpscan.com/plugin/duplicator/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cve-id: CVE-2023-6114`
			`cwe-id: CWE-552`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.01646`
			`epss-percentile: 0.87553`
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00			`cpe: cpe:2.3:a:awesomemotive:duplicator:::::-:wordpress::`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`metadata:`
			`max-request: 2`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`vendor: awesomemotive`
product/queries updated 2024-05-31 19:23:20 +00:00			`product: duplicator`
Update CVE-2023-6114.yaml 2024-03-27 22:14:23 +00:00			`framework: wordpress`
product/queries updated 2024-05-31 19:23:20 +00:00			`google-query: inurl:"/wp-content/plugins/duplicator"`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp,awesomemotive`
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00
			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"`
			`- "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"`

			`stop-at-first-match: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code == 200"`
			`- "contains(body, '/tmp') && contains(body, '<title>Index of')"`
			`condition: and`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a00473045022100dcc94d59aa7434d71f25eac9193fbfafab7a322c155123ae491ac4510c38ccea022054af43cbe55ecf715023e83dbf40e7e5070d4a06a20a50402a5c5d296ee96dfb:922c64590222798bb761d5b6d8e72950`