More threads by djbaxter


Jun 28, 2012
Reaction score
Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites
by Mikey Veenstra,
Feb 19, 2020

A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem. Over a million WordPress sites were affected by a vulnerability allowing attackers to download arbitrary files from victim sites. We urge all Duplicator users to update to version 1.3.28 as soon as possible.

The Duplicator plugin helps site administrators migrate and copy WordPress sites. Part of this functionality involves exporting database and file content into portable archives. When an administrator creates a new copy of their site, Duplicator lets them download the generated files from their WordPress dashboard.
We are detecting active exploitation of this vulnerability in the wild, and estimate more than half a million sites are still running a vulnerable version.

Duplicator’s massive install base, combined with the ease of exploiting this vulnerability, makes this flaw a noteworthy target for hackers. It’s crucial that Duplicator’s users update their plugins to the latest available version as soon as possible to remove this risk. All Wordfence users are protected from these attacks, but don’t forget to update despite this. Also, due to the nature of Duplicator’s functionality, it’s likely that it’s no longer required on your site. If you have no intent of using it to migrate or clone your site in the immediate future, you can delete the plugin without worry. It can always be reinstalled later if needed.


Login / Register

Already a member?   LOG IN
Not a member yet?   REGISTER

LocalU Event


Trending: Most Viewed

  Promoted Posts

New advertising option: A review of your product or service posted by a Sterling Sky employee. This will also be shared on the Sterling Sky & LSF Twitter accounts, our Facebook group, LinkedIn, and both newsletters. More...
Top Bottom