CVE-2020-11738

HIGH KEV NUCLEI

Awesomemotive Duplicator < 1.3.28 - Path Traversal

Title source: rule

Description

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

Exploits (3)

exploitdb WORKING POC
by nam3lum · pythonwebappsphp
https://www.exploit-db.com/exploits/50420
nomisec WORKING POC
by raghu66669999 · infoleak
https://github.com/raghu66669999/wordpress-snapcreek
metasploit WORKING POC
by Ramuel Gall, Hoa Nguyen - SunCSR Team · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_duplicator_file_read.rb

Nuclei Templates (1)

WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion
HIGHby dwisiswant0

References (6)

Scores

CVSS v3 7.5
EPSS 0.9412
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-04-12
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-4080
CWE
CWE-22
Status published
Products (2)
awesomemotive/duplicator < 1.3.28
awesomemotive/duplicator < 3.8.7.1
Published Apr 13, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026