CVE-2018-25095: Duplicator < 1.3.0 - Unauthenticated RCE
First published: Mon Jan 08 2024(Updated: )
The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Snap Creek Duplicator | <1.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2018-25095?
CVE-2018-25095 has a high severity rating due to its potential for remote code execution.
How do I fix CVE-2018-25095?
To fix CVE-2018-25095, update the Duplicator plugin to version 1.3.0 or higher.
What software is affected by CVE-2018-25095?
CVE-2018-25095 affects the Duplicator plugin for WordPress versions prior to 1.3.0.
What could happen if I don’t address CVE-2018-25095?
If left unaddressed, CVE-2018-25095 could allow attackers to run arbitrary code on your server.
Is it safe to leave the installer script after using CVE-2018-25095?
No, it is unsafe to leave the installer script on your site after use, as it can be exploited.
- agent/type
- agent/first-publish-date
- agent/references
- agent/author
- agent/title
- agent/severity
- agent/weakness
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/snapcreek
- canonical/snap creek duplicator