id: CVE-2022-2551

info:
  name: WordPress Duplicator <1.4.7 - Authentication Bypass
  author: LRTK-CODER
  severity: high
  description: |
    WordPress Duplicator plugin before 1.4.7 is susceptible to authentication bypass. The plugin discloses the URL of the backup to unauthenticated visitors accessing the main installer endpoint. If the installer script has been run once by an administrator, this allows download of the full site backup without proper authentication.
  remediation: Fixed in version 1.4.7.1.
  reference:
    - https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0
    - https://wordpress.org/plugins/duplicator/
    - https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2551
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-2551
    cwe-id: CWE-425
    epss-score: 0.79836
    epss-percentile: 0.97981
    cpe: cpe:2.3:a:snapcreek:duplicator:*:*:*:*:lite:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: snapcreek
    product: duplicator
    framework: wordpress
    google-query: inurl:/backups-dup-lite/dup-installer/
  tags: cve2022,wordpress,wp,wp-plugin,duplicator,wpscan,cve

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/backups-dup-lite/dup-installer/main.installer.php?is_daws=1"
      - "{{BaseURL}}/wp-content/dup-installer/main.installer.php?is_daws=1"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<a href='../installer.php'>restart this install process</a>"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

# digest: 490a0046304402203e459d9ae595171100c023a53c55f504c2f8c95f525db1150a883ee87cee6317022031e624cad10257bf55038c9a4a8f79eee4ce1adb681e08c442b4ec087c803690:922c64590222798bb761d5b6d8e72950