Impact
The FastDup plugin for WordPress contains an unauthenticated path‑traversal flaw that allows reading arbitrary files on the server. The CVE description and the plugin’s behavior suggest that an attacker can construct a request containing traversal sequences to obtain file contents, potentially exposing sensitive configuration or password files. This is a classic path‑traversal issue, classified as CWE‑35, which can lead to a confidentiality breach without authentication.
Affected Systems
WordPress sites running the FastDup plugin version 2.7.2 or earlier, provided by Ninja Team. Any installation of FastDup <= 2.7.2 is vulnerable, including default WordPress installations that have not applied the latest plugin update.
Risk and Exploitability
The CVSS score of 9.6 signals a critical vulnerability, while the EPSS score of less than 1% indicates that real‑world exploitation is currently unlikely. Based on the description, it is inferred that the likely attack vector is a remote request to the plugin’s exposed API or administrative interface, enabling an attacker to trigger the traversal flaw. The vulnerability is unauthenticated and can be exploited by sending crafted URLs or HTTP requests; the lack of distribution in the CISA KEV catalog does not diminish its high severity, so prompt remediation is advised.
OpenCVE Enrichment