CVE-2023-6114

HIGH EXPLOITED NUCLEI

Duplicator <1.5.7.1-4.5.14.2 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2023-6114 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.

Nuclei Templates (1)

Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure

HIGHby DhiyaneshDk

References (2)

Core 2

Core References

Exploit

https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing

Exploit, Third Party Advisory exploit vdb-entry technical-description

https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1

Scores

CVSS v3 7.5

EPSS 0.3089

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2024-04-11

CWE

CWE-552

Status published

Products (2)

awesomemotive/duplicator < 1.5.7.1

awesomemotive/duplicator < 4.5.14.2

Published Dec 26, 2023

Tracked Since Feb 18, 2026