Sites running WordPress 4.5.14 with the Duplicator plugin are exposed to a high-severity vulnerability (CVE-2023-6114) that can reveal sensitive backup files to unauthorized visitors. The flaw affects both the free Duplicator plugin and Duplicator Pro, putting thousands of websites at risk. If you're running this version with an affected Duplicator release, immediate action is required to protect your site.
In this comprehensive guide, we'll explain what this vulnerability is, how to check if your site is affected, and provide step-by-step instructions to fix it. Our security experts at SiteRecipe.com have compiled everything you need to secure your WordPress installation.
What is WordPress 4.5.14?
WordPress 4.5.14 is a legacy version of the popular WordPress content management system released several years ago. While older versions are no longer actively supported, many websites continue running them due to compatibility concerns with plugins and themes. WordPress versions like 4.5.14 contain the core functionality needed to manage website content, including pages, posts, user accounts, and media libraries.
The Duplicator plugin is a popular WordPress backup and migration tool used by site owners to create backups and clone websites. The Duplicator Pro version offers advanced features for larger operations. However, versions prior to 1.5.7.1 (free) and 4.5.14.2 (Pro) have a critical flaw where temporary backup files are stored in directories that can be publicly accessed, potentially exposing sensitive website data to attackers.
Key Vulnerabilities in WordPress 4.5.14
1 CVE found. The most critical is explained below.
Severity: HIGH · CVE-2023-6114 · 7.5/10 · CVSS v3.1
Priority: Immediate
Duplicator Plugin Exposes Backup Files to Public View
The Duplicator plugin leaves a folder accessible where anyone on the internet can see temporary backup files. These backups can contain sensitive information like database passwords and user data. This is like leaving your filing cabinet unlocked in the lobby of your building.
Impact: Hackers can access your database credentials, user information, and other sensitive data stored in backups, potentially leading to complete website compromise and customer data theft.
1. Log in to your WordPress admin dashboard and navigate to Plugins to check whether Duplicator or Duplicator Pro is installed.
2. Click on the installed plugin to view its version number. If it is below 1.5.7.1 (free) or 4.5.14.2 (Pro), your site is vulnerable.
3. Check your site's root directory via FTP or file manager for folders named 'backups-dup-lite/tmp' or 'backups-dup-pro/tmp', which indicate temporary backup storage.
How to Fix These Vulnerabilities
1. Back up your entire WordPress site immediately using a different backup method than Duplicator, so that you have a recovery point.
2. Update the Duplicator plugin to version 1.5.7.1 or later (free version) or 4.5.14.2 or later (Pro version) through your WordPress Plugins dashboard.
3. Remove any existing temporary backup files by accessing your site via FTP/SFTP and deleting the vulnerable 'backups-dup-lite/tmp' or 'backups-dup-pro/tmp' directories.
4. Test your website thoroughly after the update to ensure all functionality works correctly and no data has been compromised.
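The check and fix steps above can be verified from a shell on the server. The script below is an added example, not code from the original page or from the Duplicator project: given a WordPress root, it reads the installed Duplicator version from the plugin header, compares it against the patched releases named above, and reports any leftover files in the temporary backup directories. The plugin main-file paths (duplicator/duplicator.php, duplicator-pro/duplicator-pro.php) are assumptions; adjust them if your install differs.

```shell
#!/bin/sh
# Added self-check for CVE-2023-6114 (not from the page or the Duplicator project).
# Assumed: plugin main files live under wp-content/plugins/<slug>/<slug>.php and
# carry a standard "Version:" header comment.

# Return 0 if dotted version $1 is older than $2 (a missing component counts as 0,
# so 1.5.7 < 1.5.7.1). Pure awk, so it does not depend on sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0; if (p > q) exit 1
        }
        exit 1 }'
}

# Print the "Version:" header of a plugin main file; return 1 if the file is absent.
plugin_version() {
    [ -f "$1" ] || return 1
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n1
}

# Report one line per finding; return 1 if anything needs attention, else 0.
check_duplicator() {
    root="$1"; flagged=0
    for spec in "duplicator/duplicator.php:1.5.7.1:Duplicator" \
                "duplicator-pro/duplicator-pro.php:4.5.14.2:Duplicator Pro"; do
        rel=${spec%%:*}; rest=${spec#*:}; fixed=${rest%%:*}; name=${rest#*:}
        ver=$(plugin_version "$root/wp-content/plugins/$rel") || continue  # not installed
        if [ -z "$ver" ]; then
            echo "WARN: $name present but no Version header found"; flagged=1
        elif version_lt "$ver" "$fixed"; then
            echo "VULNERABLE: $name $ver < $fixed (CVE-2023-6114)"; flagged=1
        else
            echo "OK: $name $ver is patched"
        fi
    done
    # Leftover temporary backups in the directories the page names (any depth under root).
    for d in $(find "$root" -type d \( -path '*backups-dup-lite/tmp' -o -path '*backups-dup-pro/tmp' \) 2>/dev/null); do
        n=$(find "$d" -type f | wc -l | tr -d ' ')
        [ "$n" -gt 0 ] && { echo "EXPOSED: $n temporary file(s) remain in $d"; flagged=1; }
    done
    return $flagged
}
```

Run it as `check_duplicator /var/www/html` after the update and again after deleting the tmp directories; a zero exit status means nothing was flagged.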
Conclusion
CVE-2023-6114 is a serious vulnerability that requires immediate attention if you're running WordPress 4.5.14 with the Duplicator plugin. By following the steps outlined in this guide, you can quickly patch this security flaw and protect your website from potential data exposure. Don't wait—vulnerabilities like this are actively exploited by attackers scanning the internet for unpatched sites.
Make website security monitoring and maintenance easier with SiteRecipe.com's comprehensive vulnerability scanning and compliance tools. Our platform automatically detects outdated plugins, themes, and WordPress versions, alerting you to critical vulnerabilities before they become a problem. Start your free security assessment today and gain peace of mind knowing your website is protected.
Frequently Asked Questions
What files could be exposed by CVE-2023-6114?
The vulnerability exposes temporary backup files stored in the backups-dup-lite/tmp or backups-dup-pro/tmp directories. These files can contain sensitive information including database dumps, configuration files, and other website data that attackers could use to compromise your site.
Do I need to upgrade WordPress 4.5.14 itself?
While WordPress 4.5.14 itself isn't the source of this CVE, we strongly recommend upgrading to a current WordPress version for overall security. However, the immediate priority is updating your Duplicator plugin to the patched version. Upgrading WordPress should be done carefully to ensure theme and plugin compatibility.
How long has this vulnerability been exploited?
CVE-2023-6114 was disclosed in 2023, and attackers have likely been exploiting it since then. If your site has been running a vulnerable version, you should assume your backup files may have been accessed and take additional security measures like changing passwords and monitoring for unauthorized access.
Can I use alternative backup plugins instead of Duplicator?
Yes, there are many reputable WordPress backup plugins available like UpdraftPlus, BackWPup, and Jetpack Backup. Switching to an actively maintained alternative could improve your overall security posture, though updating Duplicator to the latest version will resolve this specific vulnerability.
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.