Description
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via authenticated path traversal
Action: Patch Now
AI Analysis

Impact

FastDup plugin for WordPress contains a path traversal vulnerability in the 'dir_path' REST endpoint. The flaw allows an authenticated user with Contributor role or higher to influence directory traversal, enabling the reading of files from arbitrary directories on the server. This exposes sensitive configuration files, credentials, or private files, directly creating an information disclosure risk.

Affected Systems

All FastDup installations up to and including version 2.7. The plugin is found under the ninjateam:FastDup – Fastest WordPress Migration & Duplicator product line, typically integrated in WordPress sites that rely on FastDup for migration.

Risk and Exploitability

The CVSS score of 6.5 classifies it as medium severity, while an EPSS score below 1% indicates a low probability of exploitation at the time of disclosure. The vulnerability is not listed in CISA's KEV catalog, further suggesting limited active exploitation. Because the path traversal requires authenticated access with Contributor privileges, the attacker must possess valid credentials; however, once authenticated, the API call can be used to read any file path that the server process can access, making the attack straightforward for compromised or poorly protected accounts.

Generated by OpenCVE AI on April 15, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FastDup to the latest version or apply the official patch that sanitizes the dir_path input.
  • Restrict Contributor role by revoking or temporarily suspending accounts with Contributor permissions until remediation or re‑review.
  • Configure WordPress to disable or limit the REST API endpoint, or use a security plugin that blocks directory traversal attempts and monitors suspicious API usage.

Generated by OpenCVE AI on April 15, 2026 at 19:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Ninjateam
Ninjateam fastdup
Wordpress
Wordpress wordpress
Vendors & Products Ninjateam
Ninjateam fastdup
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.
Title FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Ninjateam Fastdup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:55.411Z

Reserved: 2026-01-05T14:49:51.853Z

Link: CVE-2026-0604

cve-icon Vulnrichment

Updated: 2026-01-06T15:20:47.431Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T04:15:53.633

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0604

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:15:12Z

Weaknesses