WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Duplicator safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Duplicator WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: duplicator
  • Requires PHP: 7.4+
  • Max supported PHP (analyzed): <8.0

Known vulnerabilities

  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.3.28 [CVE-2020-11738, Duplicator < 1.3.28 - Directory Traversal, Duplicator 1.3.24 &amp; 1.3.26 - Unauthenticated Arbitrary File Download]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.2.33 [CVE-2018-7543, WordPress Duplicator plugin <=1.2.32 - Cross-Site Scripting (XSS) vulnerability, Duplicator &lt;= 1.2.32 - Cross-Site Scripting (XSS), Duplicator <= 1.2.32 - Cross-Site Scripting]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.2.30 [CVE-2017-16815, WordPress Duplicator plugin <=1.2.28 – Stored Cross-Site Scripting (XSS) vulnerability, Duplicator &lt;= 1.2.28 &ndash; Unauthenticated Stored Cross-Site Scripting (XSS), Duplicator <= 1.2.28 – Unauthenticated Stored Cross-Site Scripting]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.5.10 [CVE-2014-9262, Duplicator 0.5.8 - Privilege Escalation, Duplicator < 0.5.10 - Arbitrary Backup Creation and Download]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.4.5 [CVE-2013-4625, Duplicator - installer.cleanup.php package Parameter XSS, Duplicator – WordPress Migration Plugin <= 0.4.4 - Cross-Site Scripting]
+ 20 more known vulnerabilities
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.2.42 [CVE-2018-17207, Duplicator <= 1.2.41 - Sensitive Information Disclosure leading to Remote Code Execution]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.3.28 [WordPress Duplicator plugin <= 1.3.26 - Unauthenticated Arbitrary File Download vulnerability]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.2.42 [WordPress Duplicator plugin <= 1.2.40 - Arbitrary Code Execution vulnerability]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.1.4 [WordPress Duplicator Plugin <= 1.1.3 - Cross Site Request Forgery]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.5.28 [WordPress Duplicator Plugin <= 0.5.26 - Cross Site Scripting]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.4.5 [WordPress Duplicator Plugin - Cross Site Scripting]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.5.15 [WordPress Duplicator Plugin <= 0.5.14 - SQL Injection and CSRF]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.4.7.1 [CVE-2022-2552, WordPress Duplicator plugin <= 1.4.7 - Unauthenticated System Information Disclosure vulnerability, Duplicator – WordPress Migration Plugin <= 1.4.7 - Sensitive Information Disclosure, Duplicator &lt; 1.4.7.1 - Unauthenticated System Information Disclosure]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.4.7.1 [CVE-2022-2551, WordPress Duplicator plugin <= 1.4.6 - Unauthenticated Backup Download vulnerability, Duplicator – WordPress Migration Plugin <= 1.4.7 - Unauthenticated Backup Download, Duplicator &lt; 1.4.7 - Unauthenticated Backup Download]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.2.42 [Duplicator &lt;= 1.2.40 - Unauthenticated Arbitrary Code Execution]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.1.4 [wpscan.com]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.5.28 [Duplicator &lt;= 0.5.26 - Authenticated Cross-Site Scripting (XSS)]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.5.16 [Duplicator &lt;= 0.5.14 - SQL Injection &amp; CSRF]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.1.4 [Duplicator < 1.1.4 - Cross-Site Request Forgery]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.5.28 [Duplicator <= 0.5.26 - Authenticated (Admin+) Cross-Site Scripting]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 0.5.16 [Duplicator <= 0.5.14 - SQL Injection]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.5.7.1 [CVE-2023-6114, Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Information Exposure, Duplicator &lt; 1.5.7.1; Duplicator Pro &lt; 4.5.14.2 - Unauthenticated Sensitive Data Exposure]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.5.7.1 [CVE-2023-51681, WordPress Duplicator Plugin <= 1.5.7 is vulnerable to Cross Site Request Forgery (CSRF), Duplicator <= 1.5.7 - Cross-Site Request Forgery via views/tools/diagnostics/information.php, Duplicator &lt; 1.5.7.1 - Settings Removal via CSRF]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.3.0 [CVE-2018-25095, Duplicator &lt; 1.3.0 - Unauthenticated RCE, Duplicator < 1.3.0 - Unauthenticated Remote Code Execution]
  • Duplicator &#8211; Backups &amp; Migration Plugin &#8211; Cloud Backups, Scheduled Backups, &amp; More [duplicator] < 1.5.10 [CVE-2024-6210, Duplicator <= 1.5.9 - Full Path Disclosure, WordPress Duplicator Plugin <= 1.5.9 is vulnerable to Full Path Disclosure (FPD)]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.