FastDup – Fastest WordPress Migration & Duplicator Security & Risk Analysis

The "fastdup" v2.7.2 plugin presents a mixed security posture. On the positive side, the static analysis indicates a relatively small attack surface with no identified AJAX handlers, REST API routes, or shortcodes that lack authentication or permission checks. The plugin also demonstrates good practices in its SQL query handling, with 83% utilizing prepared statements, and most output being properly escaped.

However, significant concerns arise from the presence of the `unserialize` function, a known source of critical vulnerabilities if not handled with extreme care. The vulnerability history of this plugin is also a major red flag, with four past CVEs, including one critical and one high severity. The common vulnerability types (Missing Authorization, Path Traversal, Information Exposure, and Log File Insertion) suggest recurring and potentially severe security flaws in the past. The fact that the last vulnerability was in 2026 suggests a history of ongoing security issues that may not have been fully addressed in prior versions or that new issues are being discovered with some regularity. The absence of nonce checks and a limited number of capability checks further elevate the risk profile, as these are fundamental security mechanisms often exploited in WordPress plugins.

In conclusion, while "fastdup" v2.7.2 shows some adherence to secure coding practices in specific areas like SQL and output escaping, the presence of dangerous functions, a history of critical vulnerabilities, and a lack of robust authentication/authorization checks on potential entry points represent significant security weaknesses. Users should proceed with extreme caution.