CVE-2022-2551: 
WordPress vulnerability analysis and mitigation

The Duplicator WordPress plugin before version 1.4.7 contains a security vulnerability identified as CVE-2022-2551. The vulnerability allows unauthenticated visitors to access and download full site backups by accessing the main installer endpoint of the plugin, if the installer script has been previously run by an administrator (WPScan, CVE Mitre).

The vulnerability exists in the main installer endpoint of the plugin. When accessed with the parameter 'is_daws=1' at the URL path '/wp-content/backups-dup-lite/dup-installer/main.installer.php', the plugin discloses the URL of the backup file. By manipulating the URL path from '_installer.php' to '_archive.zip', attackers can download the full backup. Additionally, changing the extension to '.log' reveals system information. The vulnerability has been assigned a CVSS score of 7.5 (High) and is classified as a Broken Access Control issue (OWASP Top 10 A5) (WPScan, SecuriTrust).

The vulnerability allows unauthorized users to download complete site backups, which typically contain sensitive information including configuration files, database contents, and potentially credentials. This could lead to complete site compromise and unauthorized access to sensitive data (WPScan).

The vulnerability has been fixed in version 1.4.7 of the Duplicator plugin. Site administrators are strongly advised to update to this version or later to prevent unauthorized access to backup files (WPScan).