🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers, top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Duplicator – Migration & Backup Plugin

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > Duplicator – Migration & Backup Plugin

Information

Software Type	Plugin
Software Slug	duplicator (view on wordpress.org)
Software Status	Active
Software Author	smub
Software Website	duplicator.com
Software Downloads	45,087,314
Software Active Installs	1,000,000
Software Record Last Updated	October 20, 2024

15 Vulnerabilities

Submit a Vulnerability

Duplicator <= 1.5.9 - Full Path Disclosure

5.3

CVE-2024-6210

Jul 10, 2024

Researcher: stealthcopter

Duplicator <= 1.5.7 - Cross-Site Request Forgery via views/tools/diagnostics/information.php

4.3

CVE-2023-51681

Dec 27, 2023

Researcher: Rafie Muhammad

Duplicator < 1.3.0 - Unauthenticated Remote Code Execution

9.8

CVE-2018-25095

Dec 15, 2023

Researcher: Jeremy Lim

Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Information Exposure

9.8

CVE-2023-6114

Dec 4, 2023

Researcher: Dmitrii Ignatyev

Duplicator – WordPress Migration Plugin <= 1.4.7 - Sensitive Information Disclosure

7.5

CVE-2022-2552

Jul 27, 2022

Researcher: SecuriTrust

Duplicator – WordPress Migration Plugin <= 1.4.7 - Unauthenticated Backup Download

9.8

CVE-2022-2551

Jul 27, 2022

Researcher: SecuriTrust

Duplicator < 1.3.28 - Directory Traversal

7.5

CVE-2020-11738

Feb 28, 2020

Researcher: nam3lum

Duplicator <= 1.2.41 - Sensitive Information Disclosure leading to Remote Code Execution

9.8

CVE-2018-17207

Aug 29, 2018

Researchers: Thomas Chauchefoin, Julien Legras

Duplicator <= 1.2.32 - Cross-Site Scripting

6.1

CVE-2018-7543

Mar 15, 2018

Researchers:

Duplicator <= 1.2.28 – Unauthenticated Stored Cross-Site Scripting

6.1

CVE-2017-16815

Nov 7, 2017

Researchers:

Duplicator < 1.1.4 - Cross-Site Request Forgery

6.5

CVE ID Unknown

Feb 9, 2016

Researcher: Ratiosec

Duplicator <= 0.5.26 - Authenticated (Admin+) Cross-Site Scripting

5.5

CVE ID Unknown

Aug 15, 2015

Researcher: Marcin Probola

Duplicator <= 0.5.14 - SQL Injection

8.8

CVE ID Unknown

Apr 10, 2015

Researcher: Claudio Viviani

Duplicator < 0.5.10 - Arbitrary Backup Creation and Download

8.2

CVE-2014-9262

Feb 19, 2015

Researcher: Kacper Szurek

Duplicator – WordPress Migration Plugin <= 0.4.4 - Cross-Site Scripting

6.1

CVE-2013-4625

Aug 1, 2014

Researcher: High-Tech Bridge Security Research Lab

Title	Status	CVE ID	CVSS	Researchers	Date
Duplicator <= 1.5.9 - Full Path Disclosure	Patched	CVE-2024-6210	5.3	stealthcopter	July 10, 2024
Duplicator <= 1.5.7 - Cross-Site Request Forgery via views/tools/diagnostics/information.php	Patched	CVE-2023-51681	4.3	Rafie Muhammad	December 27, 2023
Duplicator < 1.3.0 - Unauthenticated Remote Code Execution	Patched	CVE-2018-25095	9.8	Jeremy Lim	December 15, 2023
Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Information Exposure	Patched	CVE-2023-6114	9.8	Dmitrii Ignatyev	December 4, 2023
Duplicator – WordPress Migration Plugin <= 1.4.7 - Sensitive Information Disclosure	Patched	CVE-2022-2552	7.5	SecuriTrust	July 27, 2022
Duplicator – WordPress Migration Plugin <= 1.4.7 - Unauthenticated Backup Download	Patched	CVE-2022-2551	9.8	SecuriTrust	July 27, 2022
Duplicator < 1.3.28 - Directory Traversal	Patched	CVE-2020-11738	7.5	nam3lum	February 28, 2020
Duplicator <= 1.2.41 - Sensitive Information Disclosure leading to Remote Code Execution	Patched	CVE-2018-17207	9.8	Thomas Chauchefoin, Julien Legras	August 29, 2018
Duplicator <= 1.2.32 - Cross-Site Scripting	Patched	CVE-2018-7543	6.1		March 15, 2018
Duplicator <= 1.2.28 – Unauthenticated Stored Cross-Site Scripting	Patched	CVE-2017-16815	6.1		November 7, 2017
Duplicator < 1.1.4 - Cross-Site Request Forgery	Patched		6.5	Ratiosec	February 9, 2016
Duplicator <= 0.5.26 - Authenticated (Admin+) Cross-Site Scripting	Patched		5.5	Marcin Probola	August 15, 2015
Duplicator <= 0.5.14 - SQL Injection	Patched		8.8	Claudio Viviani	April 10, 2015
Duplicator < 0.5.10 - Arbitrary Backup Creation and Download	Patched	CVE-2014-9262	8.2	Kacper Szurek	February 19, 2015
Duplicator – WordPress Migration Plugin <= 0.4.4 - Cross-Site Scripting	Patched	CVE-2013-4625	6.1	High-Tech Bridge Security Research Lab	August 1, 2014

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation