CVE-2018-7543

MEDIUM

Duplicator 1.2.32 - Cross-Site Scripting via JSON Parameter in Installer

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-7543. PoCs published by Stefan Broeder.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in the Duplicator WordPress plugin (version 1.2.32): JavaScript injected via the 'json' POST parameter is reflected by the installer and executes in the victim's browser.

Description

Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter.

Exploits (1)

exploitdb WORKING POC
by Stefan Broeder · text · webapps · php
https://www.exploit-db.com/exploits/44288


Classification: Working PoC (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Duplicator WordPress Plugin 1.2.32
No auth needed
Prerequisites: Victim must visit a crafted URL or be tricked into submitting a malicious POST request
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Vendor Advisory x_refsource_confirm
https://snapcreek.com/duplicator/docs/changelog/?lite
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44288/

Scores

CVSS v3 6.1
EPSS 0.0350
EPSS Percentile 87.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
awesomemotive/duplicator 1.2.32
Published Mar 26, 2018
Tracked Since Feb 18, 2026