CVE-2026-1104
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The FastDup - Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.
Analysis
FastDup WordPress plugin versions up to 2.7.1 fail to validate user permissions on REST API endpoints, allowing Contributor-level authenticated users to create and download complete site backups including databases and configuration files. This HIGH severity vulnerability (CVSS 8.8) affects all WordPress installations using the affected plugin versions, with no patch currently available. …
Remediation
Within 24 hours: Audit all WordPress installations to identify FastDup plugin usage and disable the plugin immediately on all affected sites. Within 7 days: Review backup logs and access records for suspicious activity; notify stakeholders if unauthorized backups were detected. …
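One way to carry out the audit step above, as an added example that is not part of the original advisory or the plugin's code: a Python scan of a hosting root for FastDup installs at or below 2.7.1, read from the standard WordPress plugin header. It assumes plugins sit under a directory named `plugins` and that the plugin's `Plugin Name:` header contains "FastDup"; the 2.7.1 threshold is the advisory's.

```python
import os
import re
import sys

MAX_AFFECTED = (2, 7, 1)  # advisory: all versions up to and including 2.7.1
NAME_MARKER = "fastdup"   # assumption: "Plugin Name:" header contains this string
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """'2.7.1' -> (2, 7, 1); stops at the first non-numeric part, drops trailing zeros."""
    parts = []
    for piece in text.split("."):
        if not re.fullmatch(r"[0-9]+", piece):
            break
        parts.append(int(piece))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def read_plugin_header(php_path):
    """Read the WordPress plugin header fields from the first 8 KiB of a PHP file."""
    with open(php_path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def find_affected(root):
    """Return sorted (plugin_dir, version) pairs for FastDup installs at or below 2.7.1."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(os.path.dirname(dirpath)) != "plugins":
            continue
        dirnames[:] = []  # the header sits in a top-level file of the plugin directory
        for name in filenames:
            if not name.endswith(".php"):
                continue
            fields = read_plugin_header(os.path.join(dirpath, name))
            if NAME_MARKER not in fields.get("plugin name", "").lower():
                continue
            version = parse_version(fields.get("version", ""))
            # an unparseable version is reported too, so it gets a manual look
            if not version or version <= MAX_AFFECTED:
                hits.append((dirpath, fields.get("version", "unknown")))
    return sorted(hits)

if __name__ == "__main__":
    for plugin_dir, version in find_affected(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"AFFECTED {plugin_dir} (version {version})")
```

Run it with the hosting root as the only argument; each reported directory is a plugin to disable.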