Zero-day Duplicator Plugin Vulnerability – Patch it with BitNinja WAF
Eniko Toth

On 19 February 2020, Wordfence reported a highly critical vulnerability found in the popular Duplicator plugin for WordPress.

This plugin is useful when users want to migrate and copy WordPress sites. With Duplicator, sysadmins can create a new copy of the site and the generated file can be downloaded from the WP dashboard.

WordPress Duplicator Plugin Zero-day Vulnerability

Exploiting the newly discovered zero-day vulnerability allows hackers to download arbitrary files from the target sites. More than 1 million WordPress websites are affected by this security flaw.

When users create a copy of a WP site and click the download button, it triggers a call to the WordPress AJAX handler with the action duplicator_download and a file parameter.

"Unfortunately the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, but directory traversal was still possible. An attacker could access files outside of Duplicator’s intended directory by submitting values like ../../../file.php to navigate throughout the server’s file structure." - WordFence

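function duplicator_init() {
    if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
        // Vulnerable: sanitize_text_field() does not strip "../" sequences
        $file = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
        // Process download
        if (file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: '.filesize($filepath));
            flush(); // Flush system output buffer
            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file '.$filepath);
                }
                // Chunk size is not shown in the excerpt; 8192 is an assumed value
                while (!feof($fp) && ($data = fread($fp, 8192)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                // Handler body is not shown in the excerpt
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }
}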

Source: WordFence

What are the signs of exploiting this vulnerability?

If you see the following query strings in a GET request, you have most probably been targeted by hackers:

  • action=duplicator_download
  • file=/../wp-config.php
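A log check for these indicators, as an added example that is not part of the original article or of BitNinja's code: it scans access-log lines for the duplicator_download action and flags any file value that, appended to the base directory the way the plugin does it, resolves outside that directory. BASE_DIR, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
BASE_DIR = "/var/www/html/wp-snapshots"  # assumed stand-in for DUPLICATOR_SSDIR_PATH

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2020:10:01:02 +0000] "GET /?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3120',
    '198.51.100.9 - - [20/Feb/2020:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?file=%2e%2e%2f%2e%2e%2fwp-config.php&action=duplicator_download HTTP/1.1" 200 3120',
    '192.0.2.15 - - [20/Feb/2020:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200220_site_installer.php HTTP/1.1" 200 51234',
    '192.0.2.44 - - [20/Feb/2020:10:04:05 +0000] "GET /index.php?action=view&file=../notes.txt HTTP/1.1" 404 0',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode a few more times so double-encoded probes are seen too."""
    for _ in range(max_rounds):
        value = unquote(value)
    return value


def escapes_base(file_param, base=BASE_DIR):
    """True if base + '/' + file_param (how the plugin built the path) leaves base."""
    resolved = posixpath.normpath(base + "/" + file_param.replace("\\", "/"))
    return resolved != base and not resolved.startswith(base + "/")


def suspicious_requests(log_lines):
    """Return (line_number, decoded file value) for download requests leaving BASE_DIR."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes once and does not depend on parameter order
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if "duplicator_download" not in query.get("action", []):
            continue
        hits += [(number, f) for f in map(fully_decode, query.get("file", []))
                 if escapes_base(f)]
    return hits


if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: traversal in file={value!r}")
```

A legitimate installer download (third sample line) and a traversal string under a different action (fourth line) are not reported, which keeps the check tied to this plugin's handler.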

BitNinja patches the Duplicator Vulnerability

Hackers can easily exploit this critical vulnerability, so if you are using Duplicator on your WordPress site, you should take action right now!

Of course, updating the plugin is crucial, but BitNinja also provides protection server-wide. If BitNinja WAF is already running on your servers with the default settings, you are safe!

The Recommended ruleset contains the necessary WAF rule to patch the Duplicator vulnerability. However, if you want to ensure that hackers won’t be able to exploit this vulnerability, follow these steps:

1. Make sure that BitNinja WAF is active on your servers

2. Set the Recommended ruleset

The default pre-defined ruleset is the "Recommended". You can read more about the WAF module and the rulesets in this article.

3. Check the status of the rule 930120 OS File Access

The rule is activated in the Recommended ruleset by default, so you don't have to take any further steps. Still, you can make sure you are 100% safe by checking rule 930120 OS File Access.

The 930120 WAF rule blocks malicious GET requests that call wp-config.php.

Do you need assistance with securing your servers? Contact us at and we’ll gladly help you eliminate hackers and bots.

Stay safe!
