CVE-2026-0604 identifies a vulnerability in the FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress. This vulnerability allows authenticated attackers, with Contributor-level access and above, to exploit a path traversal issue via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. The plugin is affected in all versions up to and including 2.7.
The severity of this vulnerability is classified as medium, with a CVSS score of 6.5. This score indicates a significant risk, as attackers may leverage this vulnerability to read the contents of arbitrary directories on the server, potentially exposing sensitive information.
Given the potential exposure of sensitive information, organizations utilizing the FastDup plugin should prioritize patching immediately to mitigate this risk.
As of now, there are no known public exploits, and the vulnerability status is deferred. However, the risk to organizations includes unauthorized access to sensitive data, which can lead to further compromise.
Organizations should actively monitor their systems and apply the necessary updates as soon as they are available to prevent any potential exploitation of this vulnerability.
The publication date of this CVE is January 6, 2026, and it was last modified on April 15, 2026.
Vulnerability Details
The FastDup plugin is vulnerable to path traversal, which allows attackers to navigate the file system and access sensitive files that should be protected. The CVSS score of 6.5 indicates that this vulnerability has a medium impact on confidentiality, with a confidentiality impact rating of high.
The vulnerability falls under the CWE-22 classification, indicating improper restriction of pathname access. This flaw is particularly dangerous as it can expose critical server information to unauthorized users.
Technical Analysis
The root cause of this vulnerability is the failure to properly validate user input for the 'dir_path' parameter. Attackers can manipulate this parameter to traverse the directory structure, leading to unauthorized access to sensitive files.
The attack vector is network-based, and the complexity of the attack is low, requiring only Contributor-level privileges to exploit the vulnerability. No user interaction is required, and the confidentiality impact is classified as high, while integrity and availability impacts are negligible.
Risk & Impact Analysis
Organizations that use the FastDup plugin face significant risks due to this vulnerability. The ability for authenticated users to read arbitrary files can lead to exposure of sensitive information, such as configuration files, API keys, and user data.
The potential blast radius of this vulnerability is high, especially for websites that rely on sensitive data handling or have other critical components that could be exposed through a successful exploit.
Given the CVSS score of 6.5, organizations should address this vulnerability within their priority patch cycle to avoid unauthorized data access.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions of the FastDup plugin prior to version 2.8 are affected by this vulnerability. Organizations should ensure that they upgrade to the latest version to mitigate the risk.
Mitigation & Remediation
To mitigate the risks associated with CVE-2026-0604, organizations should apply the following remediation steps:
1. Upgrade the FastDup plugin to version 2.8 or later.
2. Review and restrict user roles and permissions to limit access to sensitive areas of the server.
3. Implement network controls to monitor access to the REST API endpoints.
To further enhance security, organizations should consider implementing a comprehensive vulnerability management program that integrates regular assessments and updates.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)