Old WordPress Plugin Being Exploited in RCE Attacks

Old instances of the popular WordPress Duplicator Plugin are leaving sites open to remote code execution attacks.

Researchers are warning that attackers are abusing a vulnerability in WordPress site admins’ outdated versions of a migration plugin called Duplicator – allowing them to execute remote code.

Made by Snap Creek Software, all Duplicator plugins earlier than version 1.2.42 are vulnerable to the attack. As the name suggests, the plugin facilitates the migration of a site by allowing the website admin to duplicate the WordPress site.

“WordPress Duplicator does not remove sensitive files after the restoration process,” wrote researchers at Synacktiv (PDF) last month. “Indeed, the installer.php and installer-backup.php files can be reused after the restoration process to inject malicious PHP code in the wp-config.php file. Thus, an attacker could abuse these scripts to execute arbitrary code on the server and take it over.”

On Friday, researchers at Sucuri said they had been seeing an uptick in the number of cases where attackers are disabling WordPress sites simply by removing or rewriting its wp-config.php file.

“These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin,” said Peter Gramantik, a malware researcher with Sucuri. “To eliminate the risk of attack, you can check your site’s root folder and remove the installer.php file. This is not a vital site file and just a leftover after site migration.”

Gramantik said that Snap Creek Software addressed a similar Cross-Site Scripting Duplicator vulnerability (CVE-2017-16815) impacting version 1.2.30, reported in November 2017.

An additional warning was issued by Wordfense earlier this month. Experts there note that the bug is not present in the Duplicator plugin directory itself. “The flaw becomes exposed when using Duplicator to migrate or restore a backed-up copy of a WordPress site,” wrote Mikey Veenstra, in a Wordfence bulletin.

“We’ve also seen attackers supplying remote database credentials to connect the WordPress site to a database under the attacker’s control. From there, the attacker can login using their own admin user accounts, and upload a malicious plugin or theme in order to fully compromise the site,” wrote Matt Barry, Wordfence engineer in an email interview with Threatpost.

Because the vulnerability is only triggered when the Duplicator plugin has been used, it’s difficult to estimate how many are impacted by the bug. According Snap Creek Software’s own numbers the plugin has been installed 1 million times. Only a small portion of those users who actually migrated their sites using the Duplicator tool would be impacted, experts said.

Sucuri researchers note that the group of impacted users might further be winnowed down by the fact that vulnerable users would have to meet the following conditions:

  • The installer.php file must have been generated by Duplicator plugin
  • The installer.php file must be left on the site’s root folder
  • The installer version must be older than 1.2.42

Synacktiv researchers first reported the bug to Snap Creek Software on July 13, 2018. A patch was deployed on Aug. 24, 2018. The company published the first advisory of the vulnerability on Aug. 29.

Suggested articles