FastDup – Fastest WordPress Migration & Duplicator < 2.7.2 – Contributor+ Backup Creation and Download | CVE 2026-1104 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.

Affects Plugins

Fixed in 2.7.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/29c0fb4d-c38c-4c78-9e15-797f3c3a4b30

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Waris Damkham

Verified

No

WPVDB ID

6a2808a7-2732-414d-8e04-6fa19a3e5aa3

Timeline

Publicly Published

2026-02-11 (about 3 months ago)

Added

2026-02-12 (about 3 months ago)

Last Updated

2026-02-12 (about 3 months ago)

Other

Published

Title

Published

2025-12-02

Title

WPS Bidouille < 1.33.2 - Missing Authorization

Published

2026-02-05

Title

LC Wizard < 2.1.2 - Missing Authorization to Unauthenticated Settings Update

Published

2026-02-02

Title

Booktics < 1.0.17 - Missing Authorization

Published

2024-01-05

Title

Booster Plus for WooCommerce < 7.1.2 - Missing Authorization to Arbitrary Page/Post Deletion

Published

2026-03-02

Title

BigHearts < 3.1.15 - Missing Authorization