CVE-2024-6210: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in smub Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.
AI Analysis
Technical Summary
The Duplicator – Backups & Migration Plugin for WordPress suffers from an information exposure vulnerability (CWE-200) in versions up to 1.5.9. This flaw permits unauthenticated attackers to retrieve the full path to the WordPress installation. Such exposure can aid attackers in further attacks or reconnaissance but does not directly compromise confidentiality, integrity, or availability beyond revealing this path information. The vulnerability is rated medium severity with a CVSS 3.1 base score of 5.3, reflecting its network attack vector, low complexity, no privileges required, and no user interaction needed.
Potential Impact
An attacker can obtain the full file system path of the WordPress instance without authentication. This information disclosure is of limited standalone impact but may facilitate further attacks or reconnaissance activities. There is no direct impact on data confidentiality, integrity, or availability beyond the path exposure. No known active exploitation has been reported.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, consider restricting access to plugin files or employing web application firewall rules to limit exposure of sensitive paths.
CVE-2024-6210: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in smub Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Description
The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Duplicator – Backups & Migration Plugin for WordPress suffers from an information exposure vulnerability (CWE-200) in versions up to 1.5.9. This flaw permits unauthenticated attackers to retrieve the full path to the WordPress installation. Such exposure can aid attackers in further attacks or reconnaissance but does not directly compromise confidentiality, integrity, or availability beyond revealing this path information. The vulnerability is rated medium severity with a CVSS 3.1 base score of 5.3, reflecting its network attack vector, low complexity, no privileges required, and no user interaction needed.
Potential Impact
An attacker can obtain the full file system path of the WordPress instance without authentication. This information disclosure is of limited standalone impact but may facilitate further attacks or reconnaissance activities. There is no direct impact on data confidentiality, integrity, or availability beyond the path exposure. No known active exploitation has been reported.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, consider restricting access to plugin files or employing web application firewall rules to limit exposure of sensitive paths.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-06-20T16:46:45.811Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6bfeb7ef31ef0b55d665
Added to database: 2/25/2026, 9:39:10 PM
Last enriched: 4/9/2026, 8:05:56 AM
Last updated: 4/11/2026, 4:02:33 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.