CVE-2023-6114: 
WordPress vulnerability analysis and mitigation

CVE-2023-6114 affects the Duplicator WordPress plugin before version 1.5.7.1 and Duplicator Pro WordPress plugin before version 4.5.14.2. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on December 4, 2023. The issue stems from the plugins' failure to prevent directory listing of sensitive temporary backup directories (WPScan).

The vulnerability occurs when directory listing is enabled on the web server, allowing unauthenticated attackers to access the backups-dup-lite/tmp directory (or backups-dup-pro/tmp in the Pro version). These directories temporarily store sensitive files including full database dumps and site archives. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no required privileges or user interaction (NVD).

When exploited, this vulnerability allows attackers to access sensitive information including complete database dumps and full site archives. This exposure could lead to unauthorized access to confidential data, user information, and site configuration details (WPScan).

The vulnerability has been patched in Duplicator version 1.5.7.1 and Duplicator Pro version 4.5.14.2. Users are strongly advised to update to these or later versions to protect against this security issue (WPScan).