
FastDup CVE-2026-52703

EUVD: EUVD-2026-37004 · CRITICAL
Path Traversal: '.../...//' (CWE-35)
2026-06-15 · Patchstack · GHSA-4ch2-hcmc-wjw8
9.6 (CVSS 3.1 · Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI: 9.6 CRITICAL

Network-reachable WordPress endpoint (AV:N), trivial traversal payload (AC:L), no authentication on the request itself (PR:N), a click by the victim admin required (UI:R), and a plugin bug whose effect reaches WordPress core files outside the plugin's own scope (S:C, C/I/A:H).

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Lifecycle Timeline

1. Analysis generated: Jun 15, 2026, 21:23 (vuln.today)

Description (CVE.org)

Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.

Analysis (AI)

Path traversal in the FastDup WordPress plugin through version 2.7.2 allows remote attackers to read or write arbitrary files outside the plugin's intended directory after a single user interaction, with confidentiality, integrity, and availability impacts extending to the WordPress host (scope changed, CVSS 9.6). The flaw is unauthenticated per the CVSS vector but requires a victim to trigger the malicious request, and no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running FastDup ≤2.7.2
Delivery: Craft path-traversal URL to vulnerable plugin endpoint
Exploit: Deliver link to admin via phishing or watering-hole
Install: Admin clicks link in authenticated session
C2: Plugin resolves traversal and reads or writes target file
Execute: Exfiltrate wp-config.php or drop webshell
Impact: Full WordPress site takeover

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (a) a target WordPress site running FastDup at version 2.7.2 or earlier, (b) network reachability to that site's wp-admin or admin-ajax endpoint from the attacker's vantage point, and (c) a logged-in WordPress user (almost certainly an administrator, since FastDup is a backup/migration plugin whose file endpoints are normally gated to manage_options-capable users) to interact with the attacker-supplied URL (UI:R in the CVSS vector). …
Risk Assessment: Signals are mixed but lean toward prioritisation. …
Exploit Scenario: An attacker hosts a page or sends a phishing email containing a link to the victim's own WordPress site that triggers FastDup's vulnerable file-handling endpoint with a path-traversal payload (e.g. ..%2f..%2fwp-config.php). …
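To make the CWE-35 classification concrete from the defender's side, here is an added Python example. It is not FastDup's code and says nothing about how the plugin actually handles paths; the base directory, the sample parameter values and the function names are constructed for the illustration. It contrasts the single-pass '../' stripping that the '.../...//' form defeats with a containment check applied to the exact path that would be opened, and also covers the double-encoded variant of the payload quoted above, which the advisory text does not mention.

```python
import posixpath
import urllib.parse
from typing import Optional

# Constructed base directory for this illustration. A real plugin would derive
# its working directory from WordPress (e.g. wp_upload_dir()) rather than
# hard-code it; two '..' levels above this directory reach the WordPress root.
BASE_DIR = "/var/www/html/wp-content/fastdup"


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that '..%2f' and the
    double-encoded '..%252f' are both seen as '../' before any check runs."""
    current = value
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def naive_sanitize(value: str) -> str:
    """The single-pass filter CWE-35 warns about: delete '../' once and trust
    the remainder. '.../...//' loses its inner '../' and collapses to '../'."""
    return value.replace("../", "")


def strip_then_open(payload: str) -> str:
    """Path a filter-then-trust handler would end up opening."""
    cleaned = naive_sanitize(decode_fully(payload))
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def resolve_within(base_dir: str, payload: str) -> Optional[str]:
    """Return the normalised path if it stays under base_dir, else None.

    Nothing is stripped: the exact string that would be opened is normalised
    and then checked. The check is lexical (posixpath.normpath), which is
    enough to reject '..' traversal; once the file exists, production code
    should also apply os.path.realpath so a symlink cannot point outside.
    """
    candidate = decode_fully(payload).replace("\\", "/")
    if posixpath.isabs(candidate):
        return None  # an absolute path is never "inside" the base directory
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, candidate))
    if full != base and not full.startswith(base + "/"):
        return None  # the '/' stops /x/fastdup-old from matching /x/fastdup
    return full


def compare(payload: str) -> dict:
    """Side-by-side outcome of both handlers for one request parameter value."""
    naive = strip_then_open(payload)
    return {
        "naive_opens": naive,
        "naive_escapes_base": not naive.startswith(BASE_DIR + "/"),
        "contained": resolve_within(BASE_DIR, payload),
    }


# Constructed parameter values: a legitimate backup name, the encoded form
# quoted in the scenario above, its double-encoded variant, and the CWE-35 form.
SAMPLES = {
    "legit": "site-2026-06-15.zip",
    "encoded": "..%2f..%2fwp-config.php",
    "double_encoded": "..%252f..%252fwp-config.php",
    "cwe35": ".../...//.../...//wp-config.php",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, compare(value))
```

The stripping filter happens to neutralise the plain and encoded forms (after decoding, '../../wp-config.php' becomes 'wp-config.php' inside the base directory), which is exactly why such filters survive casual testing; the '.../...//' form collapses to '../../wp-config.php' after one pass and the handler opens the real wp-config.php. The containment check rejects every form that leaves the base directory, and for the CWE-35 string it returns a harmless nonexistent subpath (the '...' components are ordinary directory names once nothing is stripped), so the open fails with not-found instead of leaking a file.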
Remediation: Patch availability is not confirmed from the input data; the advisory only states that versions 2.7.2 and earlier are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/fastdup/vulnerability/wordpress-fastdup-plugin-2-7-2-path-traversal-vulnerability) and the FastDup plugin page on wordpress.org for the latest release greater than 2.7.2 and upgrade to it once published. …

Recommended Action (AI)

Within 24 hours: identify and deactivate the FastDup plugin across all WordPress instances. …
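An added example for the identification step, not from vuln.today or the FastDup project: a Python inventory script that walks a server for wp-content/plugins/fastdup directories (that the on-disk folder name equals the slug in the Patchstack URL is an assumption), reads the standard WordPress plugin header and flags versions at or below 2.7.2. It only reports; deactivation is left to whatever tooling the administrator normally uses.

```python
import os
import re
from typing import Iterator, Optional, Tuple

# Version ceiling from the advisory: FastDup <= 2.7.2 is affected.
LAST_VULNERABLE = "2.7.2"
# Plugin folder name, assumed to match the slug in the Patchstack advisory URL.
PLUGIN_SLUG = "fastdup"

# WordPress reads plugin metadata from a comment header in a top-level .php
# file of the plugin folder; 'Plugin Name:' and 'Version:' are standard keys.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.IGNORECASE | re.MULTILINE)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.7.2' -> (2, 7, 2). Pre-release suffixes such as '-beta1' are ignored,
    which errs on the side of treating '2.7.2-beta1' as vulnerable."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """Tuple comparison handles '2.7' (< 2.7.2) and '2.7.10' (> 2.7.2) correctly."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def header_version(php_source: str) -> Optional[str]:
    """Version from a WordPress plugin header block, or None when the file
    carries no 'Plugin Name:' header (i.e. it is not the plugin's main file)."""
    if not NAME_RE.search(php_source):
        return None
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def scan(root: str) -> Iterator[Tuple[str, Optional[str], Optional[bool]]]:
    """Yield (plugin_dir, version, vulnerable) for every plugins/<slug> folder
    under root. version None means no header was found; check those by hand."""
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != PLUGIN_SLUG:
            continue
        if os.path.basename(os.path.dirname(dirpath)) != "plugins":
            continue
        dirnames[:] = []  # the header lives in a top-level file; don't descend
        version = None
        for fn in sorted(filenames):
            if not fn.endswith(".php"):
                continue
            try:
                # WordPress itself inspects only the first 8 KB for the header.
                with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                    version = header_version(fh.read(8192))
            except OSError:
                continue
            if version:
                break
        yield dirpath, version, (is_vulnerable(version) if version else None)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for plugin_dir, version, vulnerable in scan(root):
        status = {True: "VULNERABLE", False: "ok", None: "no version header, check manually"}[vulnerable]
        print(f"{plugin_dir}\t{version or '-'}\t{status}")
```

Run it with the directory that holds the WordPress docroots as the only argument. A hosting fleet would normally feed the same check from configuration management or a WP-CLI plugin listing instead of walking the filesystem, but the version comparison and header parsing are the part that is easy to get wrong (string comparison would call 2.7.10 older than 2.7.2), so they are what the script demonstrates.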




CVE-2026-52703 vulnerability details – vuln.today
