Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More Security & Risk Analysis

wordpress.org/plugins/duplicator

The best WordPress backup and migration plugin. Quickly and easily backup, migrate, copy, move, or clone your site from one location to another.

1.0M active installs · v1.5.15 · PHP 7.4+ · WP 5.3+ · Updated Jan 28, 2026
backup, cloud-backup, database-backup, migration, wordpress-backup
87 · A · Safe
CVEs total: 15
Unpatched: 0
Last CVE: Jul 10, 2024
Safety Verdict

Is Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More Safe to Use in 2026?

Generally Safe

Score 87/100

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More has a strong security track record. Known vulnerabilities have been patched promptly.

15 known CVEs · Last CVE: Jul 10, 2024 · Updated 2mo ago
Risk Assessment

Duplicator v1.5.15 presents a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and a significant number of nonce and capability checks, several areas raise concerns. The presence of dangerous functions like 'exec', 'popen', and 'shell_exec' inherently increases risk, especially when combined with unescaped output and potential for code injection or path traversal vulnerabilities, as hinted by the taint analysis. The plugin's history of 15 known CVEs, including critical and high-severity issues, is a significant red flag, indicating a recurring pattern of exploitable weaknesses. Even though there are currently no unpatched CVEs, the sheer volume and nature of past vulnerabilities suggest a need for continued vigilance and careful review of updates. The substantial number of AJAX handlers without authentication checks is also a notable attack vector that requires attention.

Key Concerns

  • Dangerous functions (exec, popen, shell_exec) present
  • Unsanitized paths in taint flows
  • Large number of AJAX entry points without auth checks
  • Significant vulnerability history (15 CVEs)
  • High percentage of past critical/high severity CVEs
  • Potentially unsafe handling of file operations
  • Only 50% of outputs properly escaped
Vulnerabilities
15

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More Security Vulnerabilities

CVEs by Year

1 CVE in 2014
3 CVEs in 2015
1 CVE in 2016
1 CVE in 2017
2 CVEs in 2018
1 CVE in 2020
2 CVEs in 2022
3 CVEs in 2023
1 CVE in 2024

Severity Breakdown

Critical: 4
High: 4
Medium: 7

15 total CVEs

CVE-2024-6210 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Duplicator <= 1.5.9 - Full Path Disclosure

Jul 10, 2024 Patched in 1.5.10 (1d)
CVE-2023-51681 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Duplicator <= 1.5.7 - Cross-Site Request Forgery via views/tools/diagnostics/information.php

Dec 27, 2023 Patched in 1.5.7.1 (27d)
CVE-2018-25095 · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')

Duplicator < 1.3.0 - Unauthenticated Remote Code Execution

Dec 15, 2023 Patched in 1.3.0 (55d)
CVE-2023-6114 · critical · 9.8 · Exposure of Sensitive Information to an Unauthorized Actor

Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Information Exposure

Dec 4, 2023 Patched in 1.5.7.1 (50d)
CVE-2022-2552 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

Duplicator – WordPress Migration Plugin <= 1.4.7 - Sensitive Information Disclosure

Jul 27, 2022 Patched in 1.4.7.1 (545d)
CVE-2022-2551 · critical · 9.8 · Exposure of Sensitive Information to an Unauthorized Actor

Duplicator – WordPress Migration Plugin <= 1.4.7 - Unauthenticated Backup Download

Jul 27, 2022 Patched in 1.4.7.1 (545d)
CVE-2020-11738 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Duplicator < 1.3.28 - Directory Traversal

Feb 28, 2020 Patched in 1.3.28 (1425d)
CVE-2018-17207 · critical · 9.8 · Exposure of Sensitive Information to an Unauthorized Actor

Duplicator <= 1.2.41 - Sensitive Information Disclosure leading to Remote Code Execution

Aug 29, 2018 Patched in 1.2.42 (1973d)
CVE-2018-7543 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Duplicator <= 1.2.32 - Cross-Site Scripting

Mar 15, 2018 Patched in 1.2.33 (2140d)
CVE-2017-16815 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Duplicator <= 1.2.28 – Unauthenticated Stored Cross-Site Scripting

Nov 7, 2017 Patched in 1.2.30 (2268d)
WF-3f753961-3eeb-402d-876f-4a4dea41a96a-duplicator · medium · 6.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Duplicator < 1.1.4 - Cross-Site Request Forgery

Feb 9, 2016 Patched in 1.1.4 (2905d)
WF-06905738-7e1c-4d1a-97d2-f68f978ad8ed-duplicator · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Duplicator <= 0.5.26 - Authenticated (Admin+) Cross-Site Scripting

Aug 15, 2015 Patched in 0.5.28 (3083d)
WF-3762cd92-604a-4dac-a09e-6b4a08c4d804-duplicator · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Duplicator <= 0.5.14 - SQL Injection

Apr 10, 2015 Patched in 0.5.16 (3210d)
CVE-2014-9262 · high · 8.2 · Improper Authentication

Duplicator < 0.5.10 - Arbitrary Backup Creation and Download

Feb 19, 2015 Patched in 0.5.10 (3260d)
CVE-2013-4625 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Duplicator – WordPress Migration Plugin <= 0.4.4 - Cross-Site Scripting

Aug 1, 2014 Patched in 0.4.5 (3462d)
Code Analysis
Analyzed Mar 16, 2026

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More Code Analysis

Dangerous Functions: 20
Raw SQL Queries: 20 (53 prepared)
Unescaped Output: 651 (655 escaped)
Nonce Checks: 30
Capability Checks: 21
File Operations: 227
External Requests: 9
Bundled Libraries: 0

Dangerous Functions Found

Function | Code | Location
exec | @exec($cmd, $out, $rc); | classes\class.db.php:197
popen | $handle = popen($cmd, "r"); | classes\package\class.pack.database.php:562
exec | exec($cmd, $output, $mysqlResult); | classes\package\class.pack.database.php:615
unserialize | $Package = unserialize($row->package); | classes\package\class.pack.php:704
unserialize | $Package = @unserialize($rows[0]->package); | classes\package\class.pack.php:826
unserialize | $obj = @unserialize($row->option_value); | classes\package\class.pack.php:1644
unserialize | $obj = @unserialize($row->package); | classes\package\class.pack.php:1667
shell_exec | if (!@shell_exec('echo duplicator')) { | classes\utilities\class.u.php:446
exec | $user = @exec('whoami'); | classes\utilities\class.u.php:555
shell_exec | if (shell_exec('hash zip 2>&1') == null) { | classes\utilities\class.u.php:727
shell_exec | $output = shell_exec($cmd); | classes\utilities\class.u.php:880
shell_exec | $output = shell_exec($cmd . ' -?'); | classes\utilities\class.u.php:885
shell_exec | $stderr = shell_exec($command); | classes\utilities\class.u.zip.php:94
unserialize | $unserialize_ret = @unserialize($data); | installer\dup-installer\classes\class.engine.php:799
shell_exec | if (!@shell_exec('echo duplicator')) { | installer\dup-installer\classes\class.server.php:80
shell_exec | if (shell_exec('hash unzip 2>&1') == null) { | installer\dup-installer\classes\class.server.php:96
unserialize | $var = unserialize(serialize($var)); | installer\dup-installer\classes\utilities\class.u.php:286
shell_exec | $stderr = shell_exec($command); | installer\dup-installer\ctrls\classes\class.ctrl.extraction.php:1015
shell_exec | shell_exec($command); | installer\dup-installer\ctrls\classes\class.ctrl.extraction.php:1042
shell_exec | shell_exec($command); | installer\dup-installer\ctrls\classes\class.ctrl.extraction.php:1048

SQL Query Safety

73% prepared · 73 total queries

Output Escaping

50% escaped · 1306 total outputs
Data Flows
8 unsanitized

Data Flow Analysis

9 flows · 8 with unsanitized paths
<controller> (views\packages\details\controller.php:0)
Attack Surface
5 unprotected

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More Attack Surface

Entry Points: 17
Unprotected: 5

AJAX Handlers 17

auth | wp_ajax_duplicator_reset_all_settings | ctrls\class.web.services.php:15
auth | wp_ajax_duplicator_set_admin_notice_viewed | ctrls\class.web.services.php:16
auth | wp_ajax_duplicator_admin_notice_to_dismiss | ctrls\class.web.services.php:17
auth | wp_ajax_duplicator_download_installer | ctrls\class.web.services.php:18
auth | wp_ajax_DUP_CTRL_Package_addQuickFilters | ctrls\ctrl.package.php:335
auth | wp_ajax_DUP_CTRL_Package_getActivePackageStatus | ctrls\ctrl.package.php:336
auth | wp_ajax_DUP_CTRL_Tools_runScanValidator | ctrls\ctrl.tools.php:28
auth | wp_ajax_DUP_CTRL_Tools_getTraceLog | ctrls\ctrl.tools.php:29
auth | wp_ajax_DUP_CTRL_UI_SaveViewState | ctrls\ctrl.ui.php:23
auth | wp_ajax_duplicator_submit_uninstall_reason_action | deactivation.php:454
auth | wp_ajax_duplicator_active_package_info | src\Core\Bootstrap.php:103
auth | wp_ajax_duplicator_package_scan | src\Core\Bootstrap.php:104
auth | wp_ajax_duplicator_package_build | src\Core\Bootstrap.php:105
auth | wp_ajax_duplicator_package_delete | src\Core\Bootstrap.php:106
auth | wp_ajax_duplicator_duparchive_package_build | src\Core\Bootstrap.php:107
auth | wp_ajax_dup_notice_dismiss | src\Core\Notifications\Notice.php:91
auth | wp_ajax_duplicator_notice_bar_dismiss | src\Core\Notifications\NoticeBar.php:27
WordPress Hooks 63
filter | duplicator_defaults_settings | classes\host\class.godaddy.host.php:22
filter | duplicator_installer_file_path | classes\host\class.wpengine.host.php:11
filter | duplicator_global_file_filters_on | classes\host\class.wpengine.host.php:12
filter | duplicator_global_file_filters | classes\host\class.wpengine.host.php:13
filter | duplicator_defaults_settings | classes\host\class.wpengine.host.php:14
action | admin_enqueue_scripts | deactivation.php:27
action | admin_footer | deactivation.php:44
action | admin_menu | src\Controllers\WelcomeController.php:48
action | admin_head | src\Controllers\WelcomeController.php:49
action | admin_init | src\Controllers\WelcomeController.php:50
action | init | src\Core\Bootstrap.php:57
action | plugins_loaded | src\Core\Bootstrap.php:60
action | plugins_loaded | src\Core\Bootstrap.php:61
action | init | src\Core\Bootstrap.php:62
action | network_admin_menu | src\Core\Bootstrap.php:89
filter | network_admin_plugin_action_links | src\Core\Bootstrap.php:90
filter | network_admin_plugin_row_meta | src\Core\Bootstrap.php:91
action | admin_menu | src\Core\Bootstrap.php:93
filter | plugin_action_links | src\Core\Bootstrap.php:94
filter | plugin_row_meta | src\Core\Bootstrap.php:95
action | admin_init | src\Core\Bootstrap.php:98
action | in_admin_footer | src\Core\Bootstrap.php:99
action | admin_footer | src\Core\Bootstrap.php:100
action | admin_enqueue_scripts | src\Core\Bootstrap.php:101
filter | admin_body_class | src\Core\Bootstrap.php:109
action | in_admin_header | src\Core\Bootstrap.php:199
action | admin_head | src\Core\Bootstrap.php:214
action | admin_enqueue_scripts | src\Core\Bootstrap.php:221
action | admin_init | src\Core\MigrationMng.php:48
action | current_screen | src\Core\MigrationMng.php:72
action | admin_notices | src\Core\Notifications\Notice.php:90
action | in_admin_header | src\Core\Notifications\NoticeBar.php:26
action | deactivate_plugin | src\Core\Notifications\Notifications.php:58
filter | duplicator_menu_label_duplicator | src\Core\Notifications\Notifications.php:65
action | admin_init | src\Core\Notifications\Review.php:29
filter | admin_footer_text | src\Core\Notifications\Review.php:32
filter | update_footer | src\Core\Notifications\Review.php:35
action | admin_init | src\Lite\Requirements.php:47
action | admin_notices | src\Lite\Requirements.php:100
action | admin_notices | src\Lite\Requirements.php:112
filter | cron_schedules | src\Utils\CronUtils.php:18
action | network_admin_notices | src\Utils\DuplicatorPhpVersionCheck.php:35
action | admin_notices | src\Utils\DuplicatorPhpVersionCheck.php:37
action | duplicator_package_after_set_status | src\Utils\Email\EmailSummaryBootstrap.php:28
action | duplicator_after_activation | src\Utils\Email\EmailSummaryBootstrap.php:34
action | duplicator_after_deactivation | src\Utils\Email\EmailSummaryBootstrap.php:35
filter | wp_mail_content_type | src\Utils\Email\EmailSummaryBootstrap.php:83
action | duplicator_after_activation | src\Utils\UsageStatistics\StatsBootstrap.php:25
action | duplicator_after_deactivation | src\Utils\UsageStatistics\StatsBootstrap.php:26
action | duplicator_package_after_set_status | src\Utils\UsageStatistics\StatsBootstrap.php:27
action | duplicator_after_scan_report | src\Utils\UsageStatistics\StatsBootstrap.php:28
action | duplicator_usage_tracking_cron | src\Utils\UsageStatistics\StatsBootstrap.php:29
action | admin_init | src\Views\AdminNotices.php:41
action | admin_enqueue_scripts | src\Views\AdminNotices.php:42
action | wp_network_dashboard_setup | src\Views\DashboardWidget.php:27
action | wp_dashboard_setup | src\Views\DashboardWidget.php:29
action | duplicator_settings_page_footer | src\Views\EducationElements.php:25
action | duplicator_scan_progress_header | src\Views\EducationElements.php:26
action | duplicator_scan_progress_footer | src\Views\EducationElements.php:27
action | duplicator_build_progress_header | src\Views\EducationElements.php:28
action | duplicator_build_progress_footer | src\Views\EducationElements.php:29
action | duplicator_build_success_footer | src\Views\EducationElements.php:30
action | duplicator_before_packages_footer | src\Views\EducationElements.php:31
Maintenance & Trust

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 28, 2026
PHP min version: 7.4
Downloads: 52.2M

Community Trust

Rating: 98/100
Number of ratings: 4,859
Active installs: 1.0M
Developer Profile

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/duplicator/assets/css/modal.css

HTML / DOM Fingerprints

CSS Classes
duplicator-modal, duplicator-modal-deactivation-feedback, duplicator-modal-dialog, duplicator-modal-body, duplicator-modal-panel, duplicator-modal-reason, duplicator-modal-internal-message
Data Attributes
data-input-type, data-input-placeholder
JS Globals
DuplicatorPhpVersionCheck
FAQ

Frequently Asked Questions about Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More