Increase in attacks against the Duplicator plugin vulnerability
Duplicator, a WordPress plugin installed on over a million sites that lets users migrate, copy, move, clone and back up WordPress sites, is vulnerable in versions 1.3.26 and below.
The request admin-ajax.php?action=duplicator_download, which targets the Duplicator plugin, is currently the first or second most frequent pattern among the WordPress attacks that WordPress Doctor detects each day.
The vulnerability is in the duplicator_download AJAX action that the plugin registers. It is reachable without authentication through wp-admin/admin-ajax.php and takes the path of the file to send from the request without restricting it to the plugin's backup directory, so an attacker can download any file the web server process is able to read.
That includes wp-config.php, which holds the database host, name, user and password as well as the authentication keys and salts that WordPress uses to sign and validate login cookies. Anyone who sends that request can read its contents.
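As an added example (not code from the original page or from WordPress Doctor), the following Python script scans web server access logs for this attack pattern and reports which requests look like successful downloads. The log lines are constructed here for illustration; since the page does not name the request parameter that carries the file path, the script flags any query parameter whose decoded value contains a directory-traversal sequence or the string wp-config.php.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:08:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:08:14:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:08:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 500 0 "-" "curl/7.68.0"
192.0.2.55 - - [10/Mar/2021:08:15:31 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2021:08:16:00 +0000] "POST /wp-admin/admin-ajax.php?action=duplicator_download HTTP/1.1" 403 0 "-" "python-requests/2.25"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Substrings that indicate the request is trying to leave the backup directory
# or to fetch the WordPress configuration file (assumed indicators, not from the page).
SENSITIVE = ("wp-config.php", "../", "..\\")


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_duplicator_download(target):
    """True when the request hits admin-ajax.php with action=duplicator_download."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return "duplicator_download" in qs.get("action", [])


def sensitive_params(target):
    """List (name, decoded value) for every query parameter that carries a sensitive indicator.

    parse_qs already URL-decodes once; decoding a second time catches double-encoded
    payloads such as %252e%252e%252f.
    """
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if any(s in decoded for s in SENSITIVE):
                hits.append((name, decoded))
    return hits


def scan(log_text):
    """Return one finding per duplicator_download request found in log_text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_duplicator_download(rec["target"]):
            continue
        hits = sensitive_params(rec["target"])
        # A 200 on a request that names a sensitive file is the case to investigate first.
        # The status alone is not proof: the plugin may answer 200 with an error body.
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "status": rec["status"],
            "params": hits,
            "likely_success": bool(hits) and rec["status"] == 200,
        })
    return findings


def attempts_by_ip(findings):
    """Count findings per client address, for blocking or follow-up."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        flag = "LIKELY DOWNLOAD" if f["likely_success"] else "attempt"
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} {flag} {f['params']}")
    print(dict(attempts_by_ip(results)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the requests marked as likely downloads are the ones where wp-config.php should be assumed leaked and the credentials in it rotated.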
What happens if wp-config.php is compromised?
If an attacker has read this file, the impact depends on how the database can be reached. If a database administration tool such as phpMyAdmin or Adminer is installed on the site, or the database accepts connections from external IP addresses, the attacker can log in to the database with the leaked credentials, reset or add an administrator account, log in to WordPress, and tamper with posts or settings. The authentication keys and salts should also be regenerated: WordPress uses them to sign login cookies, and anyone holding them together with database access can forge a session for any user.
Remedies for Plugin Duplicator Vulnerability
1 Update the plugin to the fixed release.
2 Delete the plugin if it is not in use.
Deactivating the plugin also stops attacks against this vulnerability, but every unused program left on a WordPress site is one more thing that can be exploited, so we recommend removing any plugins you do not use.
3 If the site ran a vulnerable version while reachable from the internet, assume wp-config.php has already been read: change the database password, regenerate the authentication keys and salts, and check the web server access log for requests containing action=duplicator_download.