CVE-2026-0604 Overview
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress contains a Path Traversal vulnerability in all versions up to and including 2.7. The vulnerability exists in the dir_path parameter of the njt-fastdup/v1/template/directory-tree REST API endpoint. This security flaw allows authenticated attackers with Contributor-level access or above to read the contents of arbitrary directories on the server, potentially exposing sensitive configuration files, credentials, and other critical data.
Critical Impact
Authenticated attackers can traverse the file system to read sensitive directory contents, potentially exposing database credentials, configuration files, and other confidential information stored on the WordPress server.
Affected Products
- FastDup – Fastest WordPress Migration & Duplicator plugin versions up to and including 2.7
- WordPress installations with vulnerable FastDup plugin versions
- Web servers hosting affected WordPress sites
Discovery Timeline
- January 6, 2026 - CVE-2026-0604 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-0604
Vulnerability Analysis
This Path Traversal vulnerability (CWE-22) allows authenticated users with at least Contributor-level privileges to manipulate the dir_path parameter in REST API requests to escape the intended directory scope. The vulnerable endpoint njt-fastdup/v1/template/directory-tree fails to properly validate and sanitize user-supplied path input, enabling directory traversal sequences to access locations outside the plugin's intended directory scope.
The attack requires network access and authenticated credentials with at least Contributor-level permissions. Upon successful exploitation, an attacker gains unauthorized read access to arbitrary directory contents on the server, though the vulnerability does not enable write operations or direct code execution.
Root Cause
The root cause of this vulnerability lies in improper input validation within the TemplateApi.php file. The dir_path parameter is not adequately sanitized before being used to construct file system paths, allowing path traversal sequences such as ../ to be processed. This failure to implement proper path canonicalization or restrict input to allowed directory boundaries enables attackers to traverse outside the intended directory structure.
Attack Vector
The vulnerability is exploited through the WordPress REST API. An authenticated attacker sends a crafted HTTP request to the njt-fastdup/v1/template/directory-tree endpoint with a malicious dir_path parameter containing directory traversal sequences. By using sequences like ../../../, the attacker can navigate up the directory tree and access sensitive system directories such as /etc/, the WordPress root directory containing wp-config.php, or other locations containing configuration files and credentials.
The attack requires valid WordPress authentication with at least Contributor-level access, which can be obtained through compromised credentials, privilege escalation from other vulnerabilities, or legitimate accounts on multi-author WordPress sites.
Detection Methods for CVE-2026-0604
Indicators of Compromise
- Unusual REST API requests to the njt-fastdup/v1/template/directory-tree endpoint
- HTTP requests containing path traversal sequences (../, ..%2f, ..%252f) in the dir_path parameter
- Access logs showing repeated requests to the vulnerable endpoint from the same user session
- Unexpected directory listing or file access attempts outside the WordPress installation directory
Detection Strategies
- Monitor WordPress REST API logs for requests containing directory traversal patterns in parameters
- Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences
- Review access logs for unusual activity patterns targeting the FastDup plugin endpoints
- Deploy file integrity monitoring to detect unauthorized access to sensitive configuration files
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests
- Configure alerts for multiple failed or suspicious API requests from authenticated users
- Monitor for access attempts to sensitive files like wp-config.php or system configuration directories
- Review Contributor and above user accounts for suspicious activity or unauthorized access patterns
How to Mitigate CVE-2026-0604
Immediate Actions Required
- Update the FastDup plugin to a version newer than 2.7 that contains the security fix
- Audit Contributor-level and above user accounts for suspicious activity
- Review server access logs for evidence of exploitation attempts
- Consider temporarily disabling the FastDup plugin if an immediate update is not possible
Patch Information
The vulnerability has been addressed in versions after 2.7 of the FastDup plugin. The security fix implements proper input validation and path sanitization for the dir_path parameter in the REST API endpoint. Administrators should update through the WordPress plugin dashboard or by downloading the latest version from the official WordPress plugin repository. For detailed information about the changes, refer to the WordPress FastDup Changeset Details and the Wordfence Vulnerability Report.
Workarounds
- Restrict access to the FastDup plugin functionality to Administrator-level users only
- Implement WAF rules to block requests containing path traversal sequences to the affected endpoint
- Review and limit the number of users with Contributor-level access or above
- Monitor and log all REST API activity for the FastDup plugin endpoints
# Example .htaccess rule to block path traversal attempts
# Add to WordPress root .htaccess file
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%252f) [NC,OR]
RewriteCond %{REQUEST_URI} (\.\./|\.\.%2f|\.\.%252f) [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
