CVE-2026-0604

FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter

mediumImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
2.7.1
Patched in
1d
Time to patch

Description

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.7
PublishedJanuary 5, 2026
Last updatedJanuary 6, 2026
Affected pluginfastdup

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the methodology for validating and exploiting **CVE-2026-0604**, a Path Traversal vulnerability in the FastDup WordPress plugin. ## 1. Vulnerability Summary The FastDup plugin (<= 2.7) exposes a REST API endpoint `njt-fastdup/v1/template/directory-tree` which fails to pr…

Show full research plan

This research plan outlines the methodology for validating and exploiting CVE-2026-0604, a Path Traversal vulnerability in the FastDup WordPress plugin.

1. Vulnerability Summary

The FastDup plugin (<= 2.7) exposes a REST API endpoint njt-fastdup/v1/template/directory-tree which fails to properly sanitize or validate the dir_path parameter. Because this endpoint is intended to allow users to navigate the filesystem for backup/migration purposes, an authenticated attacker with Contributor-level permissions or higher can provide path traversal sequences (e.g., ../) to escape the intended directory and list the contents of arbitrary directories on the server.

2. Attack Vector Analysis

  • REST Endpoint: wp-json/njt-fastdup/v1/template/directory-tree
  • HTTP Method: GET (inferred for a directory tree listing) or POST.
  • Vulnerable Parameter: dir_path
  • Required Permissions: Authenticated user with Contributor role or higher (capability: edit_posts).
  • Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
  • Impact: Information Disclosure (Directory listing of sensitive server paths like /etc/, /var/www/, etc.).

3. Code Flow (Inferred)

  1. Registration: The plugin registers the REST route in a class (likely related to Templates or File Management) hooked to rest_api_init.
    • Likely Hook: add_action( 'rest_api_init', ... )
    • Likely Route: register_rest_route( 'njt-fastdup/v1', '/template/directory-tree', ... )
  2. Authorization: The permission_callback for this route likely checks for a baseline capability like edit_posts or manage_options. In this case, it is confirmed to be accessible by Contributors (edit_posts).
  3. Processing: The callback function retrieves the dir_path parameter:
    • $dir_path = $request->get_param( 'dir_path' );
  4. Sink: The $dir_path is passed directly into a directory scanning function such as scandir(), glob(), or a custom wrapper without using realpath() or validate_file() to ensure the path remains within the WordPress root.

4. Nonce Acquisition Strategy

REST API requests for authenticated users in WordPress require a _wpnonce (specifically the wp_rest action nonce) to be sent via the X-WP-Nonce header.

  1. Authentication: Log in as a user with the Contributor role.
  2. Access Admin: Navigate to the WordPress dashboard (/wp-admin/).
  3. Extract Nonce: WordPress enqueues the wp-api script which provides the wpApiSettings object.
  4. Agent Action:
    • browser_navigate("/wp-admin/index.php")
    • nonce = browser_eval("window.wpApiSettings?.nonce")
    • This nonce is valid for the wp_rest action and is required for the REST request.

5. Exploitation Strategy

The goal is to list the contents of the server's root directory (/) or the parent directory of the WordPress installation.

  1. Identify Target Path:
    • Payload 1 (Absolute): /
    • Payload 2 (Relative): ../../../../
  2. Construct Request:
    • URL: http://[target-ip]/wp-json/njt-fastdup/v1/template/directory-tree
    • Method: GET (or POST if GET fails)
    • Parameters: dir_path=../../../../
    • Headers:
      • X-WP-Nonce: [Extracted Nonce]
      • Cookie: [Contributor Session Cookies]
  3. Execute via Agent:
    http_request({
        url: "http://localhost:8080/wp-json/njt-fastdup/v1/template/directory-tree?dir_path=../../../../",
        method: "GET",
        headers: {
            "X-WP-Nonce": nonce,
            "Content-Type": "application/json"
        }
    });
    

6. Test Data Setup

  1. Install Plugin: Ensure FastDup version 2.7 is installed and active.
  2. Create Attacker User:
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Create Test Files: Ensure there are files in the parent directory of the WordPress installation or check for standard Linux files like /etc/passwd directory structure (though this is a directory listing vulnerability, not a file read, so we target /etc/).

7. Expected Results

  • Vulnerable Response: A 200 OK status with a JSON body containing an array or object listing files and folders from the requested traversal path.
    • Example: [{"name":"etc","path":"/etc","type":"dir"},{"name":"var","path":"/var","type":"dir"}]
  • Blocked Response: A 403 Forbidden or 400 Bad Request if the plugin attempts to sanitize the path, or a 200 OK with an empty list/error message if the path is successfully restricted.

8. Verification Steps

  1. Verify Content: Compare the JSON output from the REST API with the actual filesystem content on the server.
    • Run ls -la / inside the environment.
    • Confirm that the names of the directories in the JSON response match the names in the root of the filesystem.
  2. Permission Check: Attempt the same request as a Subscriber to confirm if the vulnerability is strictly tied to the Contributor+ permission level as reported.

9. Alternative Approaches

  • Encoded Traversal: If basic ../ is blocked, try URL encoded variations: %2e%2e%2f or double encoding %252e%252e%252f.
  • Parameter Method: If the route is registered for POST, send the dir_path in a JSON-encoded body:
    { "dir_path": "/etc/" }
    
  • Null Byte: (If PHP version < 5.3.4, though unlikely in modern WP) attempt ../../../../etc/%00.
  • Deep Traversal: If the plugin prepends a base path, increase the number of ../ sequences to ensure the root is reached (e.g., ../../../../../../../../../../).
Research Findings
Static analysis — not yet PoC-verified

Summary

The FastDup plugin for WordPress is vulnerable to Path Traversal in versions up to 2.7. Authenticated attackers with Contributor-level permissions or higher can list the contents of arbitrary directories on the server by manipulating the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint.

Vulnerable Code

// Inferred from plugin REST route logic
// njt-fastdup/includes/rest-api/class-fastdup-rest.php

public function get_directory_tree( $request ) {
    $dir_path = $request->get_param( 'dir_path' );
    
    // Vulnerability: The $dir_path is used directly in directory scanning 
    // without validation via validate_file() or restriction to a base path.
    $results = $this->list_files_in_path( $dir_path );
    
    return new WP_REST_Response( $results, 200 );
}

Security Fix

--- a/includes/rest-api/class-fastdup-rest.php
+++ b/includes/rest-api/class-fastdup-rest.php
@@ -10,6 +10,11 @@
 	public function get_directory_tree( $request ) {
 		$dir_path = $request->get_param( 'dir_path' );
 
+		// Validate path to prevent traversal
+		if ( empty( $dir_path ) || validate_file( $dir_path ) !== 0 ) {
+			return new WP_Error( 'rest_invalid_param', __( 'Invalid directory path.', 'fastdup' ), array( 'status' => 400 ) );
+		}
+
 		$results = $this->list_files_in_path( $dir_path );
 		return new WP_REST_Response( $results, 200 );
 	}

Exploit Outline

The exploit targets the REST API endpoint used for template directory browsing. 1. Authentication: Log in to the WordPress site with Contributor-level credentials or higher. 2. Nonce Acquisition: Access any admin page (e.g., /wp-admin/index.php) and extract the 'wp_rest' nonce from the 'window.wpApiSettings.nonce' JavaScript object. 3. Endpoint Target: Issue a GET request to the REST endpoint: /wp-json/njt-fastdup/v1/template/directory-tree. 4. Payload Construction: Include the 'dir_path' parameter containing a directory traversal sequence. For example: '?dir_path=../../../../etc/' to attempt to list the contents of the system's /etc directory. 5. Authorization Header: Include the extracted nonce in the 'X-WP-Nonce' HTTP header. 6. Response: If successful, the server returns a JSON object containing a recursive listing of files and folders located at the traversed path.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.