FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter
Description
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NTechnical Details
Source Code
WordPress.org SVNThis research plan outlines the methodology for validating and exploiting **CVE-2026-0604**, a Path Traversal vulnerability in the FastDup WordPress plugin. ## 1. Vulnerability Summary The FastDup plugin (<= 2.7) exposes a REST API endpoint `njt-fastdup/v1/template/directory-tree` which fails to pr…
Show full research plan
This research plan outlines the methodology for validating and exploiting CVE-2026-0604, a Path Traversal vulnerability in the FastDup WordPress plugin.
1. Vulnerability Summary
The FastDup plugin (<= 2.7) exposes a REST API endpoint njt-fastdup/v1/template/directory-tree which fails to properly sanitize or validate the dir_path parameter. Because this endpoint is intended to allow users to navigate the filesystem for backup/migration purposes, an authenticated attacker with Contributor-level permissions or higher can provide path traversal sequences (e.g., ../) to escape the intended directory and list the contents of arbitrary directories on the server.
2. Attack Vector Analysis
- REST Endpoint:
wp-json/njt-fastdup/v1/template/directory-tree - HTTP Method:
GET(inferred for a directory tree listing) orPOST. - Vulnerable Parameter:
dir_path - Required Permissions: Authenticated user with
Contributorrole or higher (capability:edit_posts). - Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
- Impact: Information Disclosure (Directory listing of sensitive server paths like
/etc/,/var/www/, etc.).
3. Code Flow (Inferred)
- Registration: The plugin registers the REST route in a class (likely related to Templates or File Management) hooked to
rest_api_init.- Likely Hook:
add_action( 'rest_api_init', ... ) - Likely Route:
register_rest_route( 'njt-fastdup/v1', '/template/directory-tree', ... )
- Likely Hook:
- Authorization: The
permission_callbackfor this route likely checks for a baseline capability likeedit_postsormanage_options. In this case, it is confirmed to be accessible by Contributors (edit_posts). - Processing: The callback function retrieves the
dir_pathparameter:$dir_path = $request->get_param( 'dir_path' );
- Sink: The
$dir_pathis passed directly into a directory scanning function such asscandir(),glob(), or a custom wrapper without usingrealpath()orvalidate_file()to ensure the path remains within the WordPress root.
4. Nonce Acquisition Strategy
REST API requests for authenticated users in WordPress require a _wpnonce (specifically the wp_rest action nonce) to be sent via the X-WP-Nonce header.
- Authentication: Log in as a user with the Contributor role.
- Access Admin: Navigate to the WordPress dashboard (
/wp-admin/). - Extract Nonce: WordPress enqueues the
wp-apiscript which provides thewpApiSettingsobject. - Agent Action:
browser_navigate("/wp-admin/index.php")nonce = browser_eval("window.wpApiSettings?.nonce")- This nonce is valid for the
wp_restaction and is required for the REST request.
5. Exploitation Strategy
The goal is to list the contents of the server's root directory (/) or the parent directory of the WordPress installation.
- Identify Target Path:
- Payload 1 (Absolute):
/ - Payload 2 (Relative):
../../../../
- Payload 1 (Absolute):
- Construct Request:
- URL:
http://[target-ip]/wp-json/njt-fastdup/v1/template/directory-tree - Method:
GET(orPOSTifGETfails) - Parameters:
dir_path=../../../../ - Headers:
X-WP-Nonce: [Extracted Nonce]Cookie: [Contributor Session Cookies]
- URL:
- Execute via Agent:
http_request({ url: "http://localhost:8080/wp-json/njt-fastdup/v1/template/directory-tree?dir_path=../../../../", method: "GET", headers: { "X-WP-Nonce": nonce, "Content-Type": "application/json" } });
6. Test Data Setup
- Install Plugin: Ensure FastDup version 2.7 is installed and active.
- Create Attacker User:
wp user create attacker attacker@example.com --role=contributor --user_pass=password123
- Create Test Files: Ensure there are files in the parent directory of the WordPress installation or check for standard Linux files like
/etc/passwddirectory structure (though this is a directory listing vulnerability, not a file read, so we target/etc/).
7. Expected Results
- Vulnerable Response: A
200 OKstatus with a JSON body containing an array or object listing files and folders from the requested traversal path.- Example:
[{"name":"etc","path":"/etc","type":"dir"},{"name":"var","path":"/var","type":"dir"}]
- Example:
- Blocked Response: A
403 Forbiddenor400 Bad Requestif the plugin attempts to sanitize the path, or a200 OKwith an empty list/error message if the path is successfully restricted.
8. Verification Steps
- Verify Content: Compare the JSON output from the REST API with the actual filesystem content on the server.
- Run
ls -la /inside the environment. - Confirm that the names of the directories in the JSON response match the names in the root of the filesystem.
- Run
- Permission Check: Attempt the same request as a Subscriber to confirm if the vulnerability is strictly tied to the Contributor+ permission level as reported.
9. Alternative Approaches
- Encoded Traversal: If basic
../is blocked, try URL encoded variations:%2e%2e%2for double encoding%252e%252e%252f. - Parameter Method: If the route is registered for
POST, send thedir_pathin a JSON-encoded body:{ "dir_path": "/etc/" } - Null Byte: (If PHP version < 5.3.4, though unlikely in modern WP) attempt
../../../../etc/%00. - Deep Traversal: If the plugin prepends a base path, increase the number of
../sequences to ensure the root is reached (e.g.,../../../../../../../../../../).
Summary
The FastDup plugin for WordPress is vulnerable to Path Traversal in versions up to 2.7. Authenticated attackers with Contributor-level permissions or higher can list the contents of arbitrary directories on the server by manipulating the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint.
Vulnerable Code
// Inferred from plugin REST route logic // njt-fastdup/includes/rest-api/class-fastdup-rest.php public function get_directory_tree( $request ) { $dir_path = $request->get_param( 'dir_path' ); // Vulnerability: The $dir_path is used directly in directory scanning // without validation via validate_file() or restriction to a base path. $results = $this->list_files_in_path( $dir_path ); return new WP_REST_Response( $results, 200 ); }
Security Fix
@@ -10,6 +10,11 @@ public function get_directory_tree( $request ) { $dir_path = $request->get_param( 'dir_path' ); + // Validate path to prevent traversal + if ( empty( $dir_path ) || validate_file( $dir_path ) !== 0 ) { + return new WP_Error( 'rest_invalid_param', __( 'Invalid directory path.', 'fastdup' ), array( 'status' => 400 ) ); + } + $results = $this->list_files_in_path( $dir_path ); return new WP_REST_Response( $results, 200 ); }
Exploit Outline
The exploit targets the REST API endpoint used for template directory browsing. 1. Authentication: Log in to the WordPress site with Contributor-level credentials or higher. 2. Nonce Acquisition: Access any admin page (e.g., /wp-admin/index.php) and extract the 'wp_rest' nonce from the 'window.wpApiSettings.nonce' JavaScript object. 3. Endpoint Target: Issue a GET request to the REST endpoint: /wp-json/njt-fastdup/v1/template/directory-tree. 4. Payload Construction: Include the 'dir_path' parameter containing a directory traversal sequence. For example: '?dir_path=../../../../etc/' to attempt to list the contents of the system's /etc directory. 5. Authorization Header: Include the extracted nonce in the 'X-WP-Nonce' HTTP header. 6. Response: If successful, the server returns a JSON object containing a recursive listing of files and folders located at the traversed path.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.