Old WordPress Plugin Being Exploited in RCE Attacks

Old instances of the popular WordPress Duplicator Plugin are leaving sites open to remote code execution attacks.

Researchers are warning that attackers are abusing a vulnerability in WordPress site admins’ outdated versions of a migration plugin called Duplicator – allowing them to execute remote code.

Made by Snap Creek Software, all Duplicator plugins earlier than version 1.2.42 are vulnerable to the attack. As the name suggests, the plugin facilitates the migration of a site by allowing the website admin to duplicate the WordPress site.

“WordPress Duplicator does not remove sensitive files after the restoration process,” wrote researchers at Synacktiv (PDF) last month. “Indeed, the installer.php and installer-backup.php files can be reused after the restoration process to inject malicious PHP code in the wp-config.php file. Thus, an attacker could abuse these scripts to execute arbitrary code on the server and take it over.”

On Friday, researchers at Sucuri said they had been seeing an uptick in the number of cases where attackers are disabling WordPress sites simply by removing or rewriting its wp-config.php file.

“These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin,” said Peter Gramantik, a malware researcher with Sucuri. “To eliminate the risk of attack, you can check your site’s root folder and remove the installer.php file. This is not a vital site file and just a leftover after site migration.”

Gramantik said that Snap Creek Software addressed a similar Cross-Site Scripting Duplicator vulnerability (CVE-2017-16815) impacting version 1.2.30, reported in November 2017.

An additional warning was issued by Wordfense earlier this month. Experts there note that the bug is not present in the Duplicator plugin directory itself. “The flaw becomes exposed when using Duplicator to migrate or restore a backed-up copy of a WordPress site,” wrote Mikey Veenstra, in a Wordfence bulletin.

“We’ve also seen attackers supplying remote database credentials to connect the WordPress site to a database under the attacker’s control. From there, the attacker can login using their own admin user accounts, and upload a malicious plugin or theme in order to fully compromise the site,” wrote Matt Barry, Wordfence engineer in an email interview with Threatpost.

Because the vulnerability is only triggered when the Duplicator plugin has been used, it’s difficult to estimate how many are impacted by the bug. According Snap Creek Software’s own numbers the plugin has been installed 1 million times. Only a small portion of those users who actually migrated their sites using the Duplicator tool would be impacted, experts said.

Sucuri researchers note that the group of impacted users might further be winnowed down by the fact that vulnerable users would have to meet the following conditions:

  • The installer.php file must have been generated by Duplicator plugin
  • The installer.php file must be left on the site’s root folder
  • The installer version must be older than 1.2.42

Synacktiv researchers first reported the bug to Snap Creek Software on July 13, 2018. A patch was deployed on Aug. 24, 2018. The company published the first advisory of the vulnerability on Aug. 29.

Suggested articles


  • Brian Johnson on

    I'm confused how this is a "bug" or even anything new. Leaving the installer.php file has always been a security threat, which is why for years, Duplicator has warned admins to delete the file every time they enter the backend. Am I missing something?
  • Michael Habib on

    The software is great, users need to read the warning messages !! So the plug itself is not vulnerable but users were less technical don't remove the installation files even though the plugin shows a warning! Unless there is a code bug, I don't understand this public attack on a great software!
  • Connor Croteau on

    What do I need to do in order to ensure my site is safe? I went ahead and deactivated the plugin. Any other suggestions?
  • nick on

    How we Get Our WordPress website to secure? form a public attack/hackers!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.