{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0604", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-05T14:49:51.853Z", "datePublished": "2026-01-06T03:21:39.433Z", "dateUpdated": "2026-04-08T17:14:55.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:55.411Z"}, "affected": [{"vendor": "ninjateam", "product": "FastDup \u2013 Fastest WordPress Migration & Duplicator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FastDup \u2013 Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information."}], "title": "FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/TemplateApi.php#L219"}, {"url": "https://plugins.trac.wordpress.org/browser/fastdup/tags/2.7/includes/Endpoint/TemplateApi.php#L219"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432226%40fastdup&new=3432226%40fastdup&sfp_email=&sfph_mail=#file3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-11T19:37:55.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T14:50:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T15:20:42.364685Z", "id": "CVE-2026-0604", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:20:50.194Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0604", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T15:20:42.364685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:20:47.431Z"}}], "cna": {"title": "FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "ninjateam", "product": "FastDup \u2013 Fastest WordPress Migration & Duplicator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T19:37:55.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T14:50:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/TemplateApi.php#L219"}, {"url": "https://plugins.trac.wordpress.org/browser/fastdup/tags/2.7/includes/Endpoint/TemplateApi.php#L219"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432226%40fastdup&new=3432226%40fastdup&sfp_email=&sfph_mail=#file3"}], "descriptions": [{"lang": "en", "value": "The FastDup \u2013 Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:55.411Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0604", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:55.411Z", "dateReserved": "2026-01-05T14:49:51.853Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T03:21:39.433Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FastDup \u2013 Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information."}], "id": "CVE-2026-0604", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-06T04:15:53.633", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fastdup/tags/2.7/includes/Endpoint/TemplateApi.php#L219"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/TemplateApi.php#L219"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432226%40fastdup&new=3432226%40fastdup&sfp_email=&sfph_mail=#file3"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:14:36.543092+00:00", "value": {"mitigation_remediation": ["Update FastDup to the latest version or apply the official patch that sanitizes the dir_path input.", "Restrict Contributor role by revoking or temporarily suspending accounts with Contributor permissions until remediation or re\u2011review.", "Configure WordPress to disable or limit the REST API endpoint, or use a security plugin that blocks directory traversal attempts and monitors suspicious API usage."], "summary": {"action": "Patch Now", "impact": "Information disclosure via authenticated path traversal"}, "threat_synthesis": {"affected_systems": "All FastDup installations up to and including version 2.7. The plugin is found under the ninjateam:FastDup \u2013 Fastest WordPress Migration & Duplicator product line, typically integrated in WordPress sites that rely on FastDup for migration.", "description_and_impact": "FastDup plugin for WordPress contains a path traversal vulnerability in the 'dir_path' REST endpoint. The flaw allows an authenticated user with Contributor role or higher to influence directory traversal, enabling the reading of files from arbitrary directories on the server. This exposes sensitive configuration files, credentials, or private files, directly creating an information disclosure risk.", "risk_and_exploitability": "The CVSS score of 6.5 classifies it as medium severity, while an EPSS score below 1% indicates a low probability of exploitation at the time of disclosure. The vulnerability is not listed in CISA's KEV catalog, further suggesting limited active exploitation. Because the path traversal requires authenticated access with Contributor privileges, the attacker must possess valid credentials; however, once authenticated, the API call can be used to read any file path that the server process can access, making the attack straightforward for compromised or poorly protected accounts."}}}}, "created": "2026-01-06T14:16:11.516690+00:00", "updated": "2026-04-15T19:15:12.084809+00:00", "vendors": ["ninjateam", "ninjateam$PRODUCT$fastdup", "wordpress", "wordpress$PRODUCT$wordpress"]}