FastDup < 2.7.1 – Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter | CVE 2026-0604 | Plugin Vulnerabilities

Description

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.

Affects Plugins

Fixed in 2.7.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada)

Verified

No

WPVDB ID

bf0dbda8-f2ad-4620-a058-02d33e6da95a

Timeline

Publicly Published

2026-01-05 (about 2 months ago)

Added

2026-01-05 (about 2 months ago)

Last Updated

2026-01-06 (about 2 months ago)

Other

Published

Title

Published

2024-12-02

Title

ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read

Published

2025-04-18

Title

Download Manager < 3.3.13 - Author+ Arbitrary File Deletion

Published

2024-07-11

Title

HT Mega < 2.5.8 - Authenticated (Contributor+) JSON File Directory Traversal

Published

2014-08-01

Title

Filedownload 0.1 - (download.php) Remote File Disclosure

Published

2024-04-22

Title

Sendinblue for WooCommerce < 4.0.18 - Authenticated (Editor+) Arbitrary File Download and Deletion