Duplicator Plugin Update Removes Remote Code Execution Bug


A critical remote code execution vulnerability has been fixed in the latest release of Duplicator, one of the most popular WordPress backup and migration plugins. In a public disclosure of this bug, the software’s developer Synacktiv detailed the scope and severity of the issue.

The Vulnerability

The vulnerability isn’t present within the Duplicator plugin directory itself; the bug only becomes exposed when using Duplicator to migrate or restore a WordPress website.

Backing up a site using the Duplicator plugin generates two files, both of which are necessary to restore the website – an archived .zip file, and the installer.php script which decompresses and configures it. These two files can be transferred to a new server, allowing the website admin to load the installer.php script in their web browser to begin the process of restoring the website’s files and database.

Once the migration is completed, there’s a Final Steps List which reminds users to remove the two files left over from their Duplicator migration. If these files are not removed, a warning message will be displayed until either the files are removed or Duplicator is uninstalled.

This warning message is there for a good reason – leaving an installer script available in a freely-accessible location can be extremely dangerous.

In the case of unpatched Duplicator backups, the installer.php script (and generated copies, like installer-backup.php, found in a site’s root directory after unpacking) creates an injection vulnerability.
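
A defender's check for the leftover files described above, as an added example that is not part of the original article or of Duplicator's own code: it walks a directory tree and reports installer.php and installer-backup.php files, plus any .zip sitting beside them. The function names, the constructed sample layout and the rule that a .zip next to an installer is the package archive are assumptions of this example.

```python
import os
import tempfile

# File names from the article; treating any .zip beside an installer as the
# package archive is an assumption of this example.
INSTALLER_NAMES = {"installer.php", "installer-backup.php"}


def find_leftovers(scan_root):
    """Walk scan_root and return sorted (relative_path, kind) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(scan_root):
        installers = [f for f in filenames if f.lower() in INSTALLER_NAMES]
        if not installers:
            continue  # zips alone are not reported, to limit false positives
        archives = [f for f in filenames if f.lower().endswith(".zip")]
        tagged = [(f, "installer") for f in installers]
        tagged += [(f, "archive") for f in archives]
        for name, kind in tagged:
            rel = os.path.relpath(os.path.join(dirpath, name), scan_root)
            findings.append((rel.replace(os.sep, "/"), kind))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed sample layout: one cleaned-up site, one not."""
    layout = {
        "clean-site": ["index.php", "wp-config.php", "media.zip"],
        "migrated-site": ["index.php", "wp-config.php", "installer.php",
                          "installer-backup.php", "backup_archive.zip"],
    }
    for site, files in layout.items():
        os.makedirs(os.path.join(base, site))
        for name in files:
            with open(os.path.join(base, site, name), "w") as fh:
                fh.write("")  # empty placeholder files
    return base


def demo():
    """Run the scan over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_leftovers(build_demo_tree(tmp))


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:9} {path}")
```

Point `find_leftovers()` at the directory that holds your web roots; anything it reports should be deleted once the migration has been verified.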

The Patch

Two issues regarding installation security were addressed in the recent patch to Duplicator. Most relevant to the code injection flaw, installer.php scripts generated by patched versions of Duplicator now use addslashes() to sanitize the database connection strings input by users. Now, attackers are unable to inject PHP code into these values.

A new optional setting has also been added that allows users to password-protect their generated installer scripts when creating Duplicator packages. This adds additional security to the install process – third parties will no longer have access to the installer script at all. Be aware that this option is concealed by a collapsible menu when generating new packages, so users may not be aware that this feature has been added.

Can NinjaWP help?

When you partner with NinjaWP to maintain your website, one of the first things we do is run a security audit to make sure things are as up-to-date and rock solid as possible. All security issues are fixed before we tackle content updates and design tweaks.

We ensure that all plugins are up-to-date and any known vulnerabilities are addressed.

