Description
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
Published: 2026-06-15
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FastDup plugin for WordPress contains an unauthenticated path‑traversal flaw that allows reading arbitrary files on the server. The CVE description and the plugin’s behavior suggest that an attacker can construct a request containing traversal sequences to obtain file contents, potentially exposing sensitive configuration or password files. This is a classic path‑traversal issue, classified as CWE‑35, which can lead to a confidentiality breach without authentication.

Affected Systems

WordPress sites running the FastDup plugin version 2.7.2 or earlier, provided by Ninja Team. Any installation of FastDup <= 2.7.2 is vulnerable, including default WordPress installations that have not applied the latest plugin update.

Risk and Exploitability

The CVSS score of 9.6 signals a critical vulnerability, while the EPSS score of less than 1% indicates that real‑world exploitation is currently unlikely. Based on the description, it is inferred that the likely attack vector is a remote request to the plugin’s exposed API or administrative interface, enabling an attacker to trigger the traversal flaw. The vulnerability is unauthenticated and can be exploited by sending crafted URLs or HTTP requests; the lack of distribution in the CISA KEV catalog does not diminish its high severity, so prompt remediation is advised.

Generated by OpenCVE AI on June 18, 2026 at 00:20 UTC.

Remediation

Vendor Solution

Update the WordPress FastDup Plugin to the latest available version (at least 2.7.3).


OpenCVE Recommended Actions

  • Upgrade the FastDup plugin to version 2.7.3 or newer.
  • If an upgrade cannot be performed promptly, deactivate or delete the FastDup plugin to eliminate the attack surface.
  • Monitor the site for anomalous requests that include traversal patterns and apply future security updates from Ninja Team.

Generated by OpenCVE AI on June 18, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Ninjateam
Ninjateam fastdup
Wordpress
Wordpress wordpress
Vendors & Products Ninjateam
Ninjateam fastdup
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
Title WordPress FastDup plugin <= 2.7.2 - Path Traversal vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Ninjateam Fastdup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:01:07.267Z

Reserved: 2026-06-08T10:11:13.730Z

Link: CVE-2026-52703

cve-icon Vulnrichment

Updated: 2026-06-16T01:01:03.044Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:24.850

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-52703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-35

    Path Traversal: '.../...//'