Product: Duplicator WordPress Plugin
Vulnerable Versions: 0.4.4 and probably prior
Tested Version: 0.4.4
Vendor Notification: June 19, 2013
Vendor Fix: July 21, 2013
Public Disclosure: July 24, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-4625
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered XSS vulnerability in Duplicator WordPress plugin, which can be exploited to perform cross-site scripting attacks against vulnerable application.
1) Cross-Site Scripting (XSS) in Duplicator WordPress Plugin: CVE-2013-4625
The vulnerability exists due to insufficient filtration of user-supplied data in "package" HTTP GET parameter passed to "/wp-content/plugins/duplicator/files/installer.cleanup.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Upgrade to Duplicator 0.4.5
 High-Tech Bridge Advisory HTB23162 - Cross-Site Scripting (XSS) in Duplicator WordPress Plugin.
 Duplicator WordPress Plugin - http://lifeinthegrid.com/labs/duplicator/ - This free plugin available at wordpress.org is a powerful tool you can use to rapidly clone and deploy any WordPress site.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.