Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N), trivial traversal payload (AC:L), no auth on the request itself (PR:N), victim admin click required (UI:R), plugin bug impacts WordPress core files (S:C, C/I/A:H).
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Description (source: CVE.org)
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
Analysis (AI-generated)
Path traversal in the FastDup WordPress plugin through version 2.7.2 allows remote attackers to read or write arbitrary files outside the plugin's intended directory after a single user interaction, with confidentiality, integrity, and availability impacts extending to the WordPress host (scope-changed, CVSS 9.6). The flaw is unauthenticated per the CVSS vector but requires a victim to trigger the malicious request, and no public exploit was identified at the time of analysis. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Area | Assessment |
|---|---|
| Exploitation | Exploitation requires (a) a target WordPress site running FastDup version 2.7.2 or earlier, (b) network reachability to that site's wp-admin or admin-ajax endpoint from the attacker's vantage point, and (c) a logged-in WordPress user, almost certainly an administrator since FastDup is a backup/migration plugin whose file endpoints are normally gated to manage_options-capable users, who interacts with the attacker-supplied URL (UI:R in the CVSS vector). … |
| Risk Assessment | Signals are mixed but lean toward prioritisation. … |
| Exploit Scenario | An attacker hosts a page or sends a phishing email containing a link to the victim's own WordPress site that triggers FastDup's vulnerable file-handling endpoint with a path-traversal payload (e.g. ..%2f..%2fwp-config.php). … |
| Remediation | Patch availability is not confirmed from the input data; the advisory only specifies that versions 2.7.2 and earlier are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/fastdup/vulnerability/wordpress-fastdup-plugin-2-7-2-path-traversal-vulnerability) and the FastDup plugin page on wordpress.org for the latest release greater than 2.7.2 and upgrade to it once published. … |
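Detection logic for the payload shapes the scenario above describes (the percent-encoded `..%2f` form and the CWE-35 `.../...//` form), as an added example that is not part of the original page or the vuln.today analysis. The sample access-log lines are constructed, and the admin-ajax `action` and `file` parameter names in them are placeholders, since the page does not name the vulnerable endpoint's parameters.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines for a WordPress site. admin-ajax is the
# endpoint named in the assessment; "plugin_action" and "file" are placeholders,
# not the plugin's real parameter names.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&file=backup.zip HTTP/1.1" 200 512
203.0.113.5 - - [12/May/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&file=..%2f..%2fwp-config.php HTTP/1.1" 200 3120
203.0.113.5 - - [12/May/2026:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&file=.../...//.../...//wp-config.php HTTP/1.1" 403 0
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
DOTS_ONLY = re.compile(r"^\.{2,}$")  # "..", "...", "...." as a whole path segment


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so %2f and double-encoded %252f both become '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_check(raw_value):
    """Substring check on the raw value: misses the encoded ..%2f form entirely."""
    return "../" in raw_value


def is_traversal(raw_value):
    """Decode, split on both separators, flag dot-only segments (covers CWE-22 and CWE-35)."""
    decoded = fully_decode(raw_value)
    segments = re.split(r"[\\/]+", decoded)
    return any(DOTS_ONLY.match(seg) for seg in segments)


def scan_log(text):
    """Return (line_number, parameter, decoded_value) for each suspicious query parameter."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if is_traversal(value):
                hits.append((lineno, key, fully_decode(value)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt on line %d: %s=%s" % hit)
```

The `naive_check` function is included only to show why matching on the raw request string is insufficient: the encoded payload passes it while `is_traversal` flags it.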
Recommended Action (AI-generated)
Within 24 hours: Identify and deactivate FastDup plugin across all WordPress instances. …
Same weakness: CWE-35 – Path Traversal: '.../...//'
Same technique: Path Traversal
External POC / Exploit Code
EUVD-2026-37004
GHSA-4ch2-hcmc-wjw8