CVE-2026-0604
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Tags
Description
The FastDup - Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.
Analysis
Path traversal in the FastDup WordPress plugin through version 2.7 allows authenticated contributors and above to enumerate and read arbitrary directories on affected servers via a malicious 'dir_path' parameter in the REST API. This vulnerability enables attackers with low-level WordPress access to access sensitive files and configuration data without requiring elevated privileges or user interaction.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Path Traversal in all and apply vendor patches as part of regular patch cycle. Review file handling controls.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today