{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1104", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-17T01:44:21.479Z", "datePublished": "2026-02-12T14:25:40.615Z", "dateUpdated": "2026-04-08T16:43:22.019Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:22.019Z"}, "affected": [{"vendor": "ninjateam", "product": "FastDup \u2013 Fastest WordPress Migration & Duplicator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FastDup \u2013 Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files."}], "title": "FastDup \u2013 Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29c0fb4d-c38c-4c78-9e15-797f3c3a4b30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/PackageApi.php#L371"}, {"url": "https://plugins.trac.wordpress.org/changeset/3449530/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "timeline": [{"time": "2026-01-17T02:05:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:13:47.024162Z", "id": "CVE-2026-1104", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:13:52.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1104", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-12T21:13:47.024162Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:13:50.362Z"}}], "cna": {"title": "FastDup \u2013 Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "ninjateam", "product": "FastDup \u2013 Fastest WordPress Migration & Duplicator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-17T02:05:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29c0fb4d-c38c-4c78-9e15-797f3c3a4b30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/PackageApi.php#L371"}, {"url": "https://plugins.trac.wordpress.org/changeset/3449530/"}], "descriptions": [{"lang": "en", "value": "The FastDup \u2013 Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:22.019Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1104", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:22.019Z", "dateReserved": "2026-01-17T01:44:21.479Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-12T14:25:40.615Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FastDup \u2013 Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files."}, {"lang": "es", "value": "El plugin FastDup \u2013 Fastest WordPress Migration &amp; Duplicator para WordPress es vulnerable a la creaci\u00f3n y descarga de copias de seguridad no autorizadas debido a una comprobaci\u00f3n de capacidad faltante en los endpoints de la API REST en todas las versiones hasta la 2.7.1, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, crear y descargar archivos de copia de seguridad de sitio completo que contienen la instalaci\u00f3n completa de WordPress, incluyendo exportaciones de la base de datos y archivos de configuraci\u00f3n."}], "id": "CVE-2026-1104", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-12T15:16:08.993", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/PackageApi.php#L371"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3449530/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29c0fb4d-c38c-4c78-9e15-797f3c3a4b30?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.1]"}}], "product": "fastdup_\u2013_fastest_wordpress_migration_&_duplicator", "vendor": "ninjateam"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:48:23.921851+00:00", "value": {"mitigation_remediation": ["Upgrade the FastDup plugin to the latest released version.", "Restrict Contributor and lower role permissions so they cannot invoke backup\u2011related REST API endpoints. ", "If an upgrade is not immediately possible, disable the affected REST API endpoints for all non\u2011admin users or block them entirely."], "summary": {"action": "Apply Patch", "impact": "Data Disclosure through Unauthorized Backup Access"}, "threat_synthesis": {"affected_systems": "All installations of FastDup \u2013 Fastest WordPress Migration & Duplicator up to and including version 2.7.1 are affected. The flaw exists in any instance of the plugin that exposes the vulnerable REST API endpoints for backup creation and download.", "description_and_impact": "The FastDup \u2013 Fastest WordPress Migration & Duplicator plugin has a missing capability check on several REST API endpoints. Because the endpoints do not verify that the requesting user has the required privileges, any authenticated user with Contributor-level access or higher can trigger a full\u2011site backup archive to be created and subsequently download it. The backup archive contains the entire WordPress installation, including database dumps and configuration files. The vulnerability does not grant code execution or privilege escalation; it simply allows an attacker to exfiltrate confidential site data.", "risk_and_exploitability": "The assigned CVSS score of 8.8 classifies this as a high\u2011severity flaw. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only authenticated access, which an attacker with Contributor\u2011level permissions can obtain. Because the flaw results in data disclosure rather than system compromise, the threat domain is limited to confidentiality loss."}}}}, "created": "2026-02-13T21:35:33.944436+00:00", "updated": "2026-04-16T01:00:19.950514+00:00", "vendors": ["ninjateam", "ninjateam$PRODUCT$fastdup_\u2013_fastest_wordpress_migration_&_duplicator", "wordpress", "wordpress$PRODUCT$wordpress"]}