As already mentioned, the first step in protecting your site from this vulnerability is to update the Duplicator plugin to the latest version. That will stop the vulnerability cold.
Every plugin in your installation, even a reputable one like Duplicator, adds to your site's attack surface. Limit the active plugins on your site to those you need and use. Deactivate or delete the rest. Keep all the ones you use up to date. Keep an eye out for plugins that stop getting updates. If one disappears from the WordPress.org plugin directory, consider replacing it with something in better standing.
If you're using a vulnerable version of Duplicator, or if you have in the past, you should consider changing your database password on general principles. You may have to contact your hosting provider to do this, depending on what access privileges you have. Do this only after updating Duplicator.
Path traversal vulnerabilities are a common problem in plugins. Sometimes the crooks find out first and launch zero-day attacks. Patching can't stop bugs that are exploited before the publisher knows about them.
Run WordPress from an account with limited privileges. A WordPress site running as root exposes the entire filesystem to attackers taking advantage of a path traversal bug.
Limiting access to the database makes exploitation of credentials harder. If your database is on the same network as the WordPress installation, you can disallow outside access. If it's a remote database, you can limit access to the IP addresses you run WordPress on.
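The two hardening steps above (a low-privilege account and a database reachable only from the WordPress host) can be checked with a short audit script. This is an added example, not code from the original article, Duplicator, or WordPress; the default config path, the probe file, and the wording of the findings are assumptions made for illustration.

```python
import os
import re
import stat
import sys

# define('NAME', 'value'); in either quote style, as wp-config.php writes it.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def db_host(config_text):
    """Return the bare host from DB_HOST, dropping any :port or :socket suffix."""
    value = dict(DEFINE_RE.findall(config_text)).get("DB_HOST", "")
    if value.startswith("["):            # bracketed IPv6, e.g. [::1]:3306
        return value[1:value.find("]")]
    if value.count(":") > 1:             # bare IPv6 literal
        return value
    return value.split(":", 1)[0]        # host, host:3306, localhost:/run/mysqld.sock


def audit(config_path, uid, probe_paths=()):
    """List exposures for the account (uid) WordPress runs as.

    probe_paths: files outside the web root that this account should not
    be able to read; checked with the permissions of the current process.
    """
    findings = []
    if uid == 0:
        findings.append("runs as root: a file-read bug reaches the whole filesystem")
    mode = os.stat(config_path).st_mode
    if mode & stat.S_IROTH:
        findings.append("wp-config.php is readable by every local account")
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        host = db_host(fh.read())
    if host and host not in LOCAL_HOSTS:
        findings.append(f"remote database {host}: allow only this server's IP addresses")
    for path in probe_paths:
        if os.access(path, os.R_OK):
            findings.append(f"account can read {path}")
    return findings


if __name__ == "__main__":
    # Run as the web server account; /etc/shadow is an illustrative probe (assumption).
    config = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    for line in audit(config, os.getuid(), ["/etc/shadow"]):
        print("WARN", line)
```

Run it as the same account the web server uses, so the probe results reflect what a file-read bug in a plugin could actually reach.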
If you had the Quttera Web Application Firewall (WAF), you would have an extra layer of website security against the Duplicator vulnerability and others of its kind. It guards against requests with behavioral patterns suggesting attempts to breach the system, as well as identifying known threats.
All Quttera customers using WAF were protected from the Duplicator attack. You can have this protection and improve your WordPress security against known and unknown threats, simply by signing up for Quttera ThreatSign.