CVE-2020-11738

HIGH KEV NUCLEI

Duplicator < 1.3.28 and < 3.8.7.1 - Directory Traversal via File Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-11738 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 3 public exploits from researchers including nam3lum, raghu66669999, Ramuel Gall, Hoa Nguyen - SunCSR Team, including a Metasploit module auxiliary/scanner/http/wp_duplicator_file_read. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages an unauthenticated arbitrary file read vulnerability in the WordPress Duplicator plugin (1.3.26) via a path traversal attack. It sends a crafted request to admin-ajax.php to read sensitive files like /etc/passwd.

Description

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

Exploits (3)

exploitdb WORKING POC
by nam3lum · pythonwebappsphp
https://www.exploit-db.com/exploits/50420

This exploit leverages an unauthenticated arbitrary file read vulnerability in the WordPress Duplicator plugin (1.3.26) via a path traversal attack. It sends a crafted request to admin-ajax.php to read sensitive files like /etc/passwd.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WordPress Duplicator plugin 1.3.26
No auth needed
Prerequisites: Target must have the vulnerable Duplicator plugin installed and accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by raghu66669999 · infoleak
https://github.com/raghu66669999/wordpress-snapcreek

This PoC exploits a directory traversal vulnerability in the WordPress Duplicator plugin (CVE-2020-11738) to read arbitrary files from the server. It constructs a traversal path and sends a GET request to the vulnerable endpoint to retrieve the file content.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WordPress Duplicator plugin (versions prior to 1.3.28)
No auth needed
Prerequisites: Target must have the vulnerable Duplicator plugin installed · Target endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by Ramuel Gall, Hoa Nguyen - SunCSR Team · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_duplicator_file_read.rb

This Metasploit module exploits an unauthenticated directory traversal vulnerability in the WordPress Duplicator plugin (versions 1.3.24-1.3.26), allowing arbitrary file read with web server privileges. It sends a crafted GET request to 'admin-ajax.php' with a traversal payload to read sensitive files like '/etc/passwd'.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WordPress Duplicator plugin versions 1.3.24-1.3.26
No auth needed
Prerequisites: Target must have WordPress Duplicator plugin versions 1.3.24-1.3.26 installed · Network access to the target WordPress site
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion
HIGHby dwisiswant0

References (6)

Core 6
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://snapcreek.com/duplicator/docs/changelog/?lite
Not Applicable x_refsource_misc
https://cwe.mitre.org/data/definitions/23.html

Scores

CVSS v3 7.5
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-04-12
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-4080
CWE
CWE-22
Status published
Products (2)
awesomemotive/duplicator < 1.3.28
awesomemotive/duplicator < 3.8.7.1
Published Apr 13, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026