In July of this year, Synacktiv specialists discovered a problem in a popular plug-in Duplicator for WordPress. According to the official WordPress Plugins repository, Duplicator is installed on over a million sites. The plugin makes it much easier to “move” from one server to another by creating a ready-made .zip archive, which contains the entire site, and an installer.php file, with which the archive can be quickly unpacked in a new location.
Synacktiv experts have noticed that the plugin does not delete working files, including the said archive and the PHP file, when it finishes working. That is, an attacker can easily access installer.php, enter their own database credentials and gain temporary control over the site, and also, indirectly, over the server. Since the attacker will have administrator privileges, he can use them to install malicious plugins, which, in turn, can leave hidden backdoors on the server. Thus, even after the inevitable detection of such an attack and the elimination of its consequences, there is a chance that the backdoor introduced by the criminals will go unnoticed.
At the end of August 2018, the developers released an updated version of the plugin,
Duplicator 1.2.42 where the issue has been fixed. All previous versions are considered vulnerable. After the release of the patch, Synacktiv researchers published a report about their find, adding to it a proof-of-concept exploit for problems. Now representatives of the information security company Defiant warn that they are already seeing a sharp increase in scans aimed at finding vulnerable versions of Duplicator. And the journalists of the publication ZDNet supplement this warning with information that Duplicator installations can be found even on sites Alexa leaderboards.