CVE-2023-6114

nvd nist nuclei

Published: Dec 26, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.

Affected (2)

Products: Awesomemotive: Duplicator

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Awesomemotive Duplicator	Before 1.5.7.1
Awesomemotive Duplicator	Before 4.5.14.2

Related CWEs

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (4)

https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing

Source: contact@wpscan.com

Exploit

https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1

Source: contact@wpscan.com

ExploitThird Party Advisory

https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.