CVE-2018-17207

CRITICAL EXPLOITED NUCLEI LAB

Snap Creek Duplicator <1.2.42 - Code Injection

Exploitation Summary

CVE-2018-17207 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, credited to cved-sources and to Julien Legras and Thomas Chauchefoin; one of them is the Metasploit module exploits/multi/php/wp_duplicator_code_inject. A Nuclei detection template is also available.

Description

An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.

Exploits (2)

nomisec WORKING POC
by cved-sources · poc
https://github.com/cved-sources/cve-2018-17207

This PoC exploits CVE-2018-17207, a vulnerability in the WordPress Duplicator plugin, by sending crafted POST requests to the installer.php endpoint to achieve unauthorized database manipulation and potential remote code execution.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Duplicator plugin < 1.2.38
Auth: required
Prerequisites: WordPress installation with Duplicator plugin activated · Valid WordPress admin credentials
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC MANUAL
by Julien Legras, Thomas Chauchefoin · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/php/wp_duplicator_code_inject.rb

This Metasploit module exploits a code injection vulnerability in the Snap Creek Duplicator WordPress plugin (CVE-2018-17207) by overwriting the wp-config.php file with arbitrary PHP code. It leverages the installer.php or installer-backup.php files left by the plugin to inject a payload, leading to remote code execution.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Snap Creek Duplicator WordPress plugin <= 1.2.40
Auth: not needed
Prerequisites: Access to installer.php or installer-backup.php · WordPress site with vulnerable Duplicator plugin
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WordPress Duplicator Plugin < 1.2.42 - Arbitrary Code Execution
CRITICAL · VERIFIED · by synacktiv, iamnoooob, pdresearch

Scores

CVSS v3: 9.8
EPSS: 0.5756
EPSS Percentile: 99.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab: docker pull cved/base-wordpress

Details

VulnCheck KEV: 2023-02-01
CWE: CWE-94
Status: published
Products (1): awesomemotive/duplicator < 1.2.42
Published: Sep 19, 2018
Tracked Since: Feb 18, 2026