CVE-2022-2551

HIGH EXPLOITED NUCLEI

Duplicator <1.4.7 - Info Disclosure

Title source: llm

Description

The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

Exploits (1)

exploitdb WORKING POC

by SecuriTrust · textwebappsphp

https://www.exploit-db.com/exploits/50992

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress Duplicator <1.4.7 - Authentication Bypass

HIGHVERIFIEDby LRTK-CODER

References (2)

[Exploit, Third Party Advisory] https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0

Scores

CVSS v3 7.5

EPSS 0.5971

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2023-02-01

CWE

CWE-425

Status published

Products (1)

awesomemotive/duplicator < 1.4.7

Published Aug 22, 2022

Tracked Since Feb 18, 2026