"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 6
Critical: 0
High: 3
Medium: 3
Showing 1-6 of 6 records
Threat Entry Updated 2026-04-15

CVE-2026-1104 - Duplicator Plugin

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.

PLUGIN Duplicator

CVE-2026-1104

HIGH CVSS 8.8 2026-02-12
Threat Entry Updated 2026-04-15

CVE-2026-0604 - Duplicator Plugin

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.

PLUGIN Duplicator

CVE-2026-0604

MEDIUM CVSS 6.5 2026-01-06
Threat Entry Updated 2024-11-21

CVE-2024-6210 - Duplicator Plugin

The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.

PLUGIN Duplicator

CVE-2024-6210

MEDIUM CVSS 5.3 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2023-6114 - Duplicator Plugin

The Duplicator WordPress plugin before 1.5.7.1 and the Duplicator Pro WordPress plugin before 4.5.14.2 do not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.

PLUGIN Duplicator

CVE-2023-6114

HIGH CVSS 7.5 2023-12-26
Threat Entry Updated 2026-02-02

CVE-2022-2551 - Duplicator Plugin

The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

PLUGIN Duplicator

CVE-2022-2551

HIGH CVSS 7.5 2022-08-22
Threat Entry Updated 2026-02-02

CVE-2022-2552 - Duplicator Plugin

The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system, such as server software, PHP version and the full file system path to the site.

PLUGIN Duplicator

CVE-2022-2552

MEDIUM CVSS 5.3 2022-08-22