The vulnerability stems from the plugin exposing the specific URL of a backup file to unauthenticated visitors through its main installer endpoint. By simply changing the file extension in the discovered URL from _installer.php to _archive.zip, an attacker can download the entire site's backup without any login credentials.

Risks of Unauthenticated Access

A full site backup is essentially the "keys to the kingdom." If an attacker successfully downloads this file, they gain access to:

- The database contents, including user tables (usernames, hashed passwords, email addresses) and proprietary business data.
- The wp-config.php file, which reveals database credentials and authentication salts.
- Information about the server environment and file paths, which can be used for further reconnaissance or targeted attacks.

Remediation and Protection

If you are running Duplicator version 1.4.6 or earlier, immediate action is required to secure your site.
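As an added example (not part of the original advisory or the Duplicator project), the following Python script scans web-server access logs for the discovery-then-download pattern described above: a client requesting a `_installer.php` URL and then successfully fetching the matching `_archive.zip`. The log lines and the backup directory path are constructed for illustration; substitute your own log file and Duplicator's actual backup location.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; the backup
# directory name is an assumption, not necessarily Duplicator's real path.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2022:14:01:02 +0000] "GET /wp-content/backups-dup-lite/20220810_site_abc123_installer.php HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.5 - - [10/Aug/2022:14:01:09 +0000] "GET /wp-content/backups-dup-lite/20220810_site_abc123_archive.zip HTTP/1.1" 200 734003200 "-" "curl/7.81.0"
198.51.100.7 - - [10/Aug/2022:14:05:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2022:14:07:10 +0000] "GET /wp-content/backups-dup-lite/20220810_site_abc123_archive.zip HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

INSTALLER_SUFFIX = "_installer.php"
ARCHIVE_SUFFIX = "_archive.zip"


def find_backup_exposure(log_text):
    """Return one finding per request for a *_archive.zip file.

    Each finding records whether the fetch succeeded (HTTP 200) and whether the
    same client had earlier hit the matching *_installer.php URL, which is the
    discovery step the advisory describes. A 200 on the archive is the signal
    that a full backup actually left the server.
    """
    installer_seen = defaultdict(set)  # ip -> backup name prefixes discovered
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m.group("ip")
        path = m.group("path").split("?", 1)[0]  # drop any query string
        status = int(m.group("status"))
        if path.endswith(INSTALLER_SUFFIX):
            installer_seen[ip].add(path[: -len(INSTALLER_SUFFIX)])
        elif path.endswith(ARCHIVE_SUFFIX):
            prefix = path[: -len(ARCHIVE_SUFFIX)]
            findings.append({
                "ip": ip,
                "timestamp": m.group("ts"),
                "path": path,
                "status": status,
                "downloaded": status == 200,
                "installer_first": prefix in installer_seen[ip],
            })
    return findings


if __name__ == "__main__":
    for f in find_backup_exposure(SAMPLE_LOG):
        print(f)
```

A successful download (status 200) is the event worth treating as a data-exposure incident; a 403 shows the access control working.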