id: CVE-2022-2551

info:
  name: Duplicator < 1.4.7 - Unauthenticated Backup Download
  author: LRTK-CODER
  severity: high
  description: |
    The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.
  reference:
    - https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0
    - https://wordpress.org/plugins/duplicator/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2551
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2551
    - https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551
  remediation: Fixed in version 1.4.7.1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-2551
    cwe-id: CWE-425
  metadata:
    google-query: inurl:/backups-dup-lite/dup-installer/
    verified: "true"
  tags: cve2022,wordpress,wp,wp-plugin,duplicator,wpscan,cve

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/backups-dup-lite/dup-installer/main.installer.php?is_daws=1"
      - "{{BaseURL}}/wp-content/dup-installer/main.installer.php?is_daws=1"

    matchers-condition: and
    matchers:
      - condition: and
        type: word
        part: body
        words:
          - "<a href='../installer.php'>restart this install process</a>"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200