FastDup – Fastest WordPress Migration & Duplicator <= 2.7.2 - Unauthenticated Path Traversal
Description
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7.2. This makes it possible for unauthenticated attackers to perform actions on files outside of the originally intended directory.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.7.3
Source Code
WordPress.org SVNThis research plan outlines the process for investigating and exploiting an unauthenticated path traversal vulnerability in the **FastDup** plugin (CVE-2026-52703). ### 1. Vulnerability Summary The FastDup plugin for WordPress (<= 2.7.2) contains an unauthenticated path traversal vulnerability. The…
Show full research plan
This research plan outlines the process for investigating and exploiting an unauthenticated path traversal vulnerability in the FastDup plugin (CVE-2026-52703).
1. Vulnerability Summary
The FastDup plugin for WordPress (<= 2.7.2) contains an unauthenticated path traversal vulnerability. The vulnerability likely resides in a REST API endpoint or AJAX handler designed for file management (such as deleting logs, temporary files, or old migration packages). Because the plugin does not properly validate or sanitize the file path parameter, an unauthenticated attacker can traverse the directory structure and perform actions (specifically file deletion, given the $I:L/A:N$ CVSS vector) on files outside the intended directory.
2. Attack Vector Analysis
- Endpoint:
POST /wp-json/njt-fastdup/v1/system/delete-log(inferred based on plugin architecture andNJT_FASTDUP_PATH_LOGdefinition). - Alternative Endpoint:
POST /wp-json/njt-fastdup/v1/packages/delete(inferred). - Vulnerable Parameter:
logorfileorname. - Authentication: Unauthenticated (REST route registered with
'permission_callback' => '__return_true'). - Preconditions: The plugin must be active. No specific settings or migration packages are required to exist for the traversal itself to work against arbitrary files.
3. Code Flow
- Entry Point: The REST API route is initialized in
NJT\FastDup\Endpoint. - Handler: The route calls a callback function (e.g.,
delete_log_callback). - Input Acquisition: The handler retrieves the
logparameter from the request without sanitization. - Path Construction: The handler joins the
NJT_FASTDUP_PATH_LOGconstant (defined indefine.phpasNJT_FASTDUP_PLUGIN_PATH . 'logs') with the user-provided input. - Sink: The constructed path is passed directly to a file system operation, likely
unlink(). - Traversal: By providing
../../../uploads/test.log, the attacker escapes thelogsdirectory to target thewp-content/uploads/directory.
4. Nonce Acquisition Strategy
Based on the "Unauthenticated" classification, the endpoint likely does not enforce a nonce check. However, if a nonce is required for the REST API (e.g., the wp_rest action), follow these steps:
- Identify Localization: Check the
NJT\FastDup\Adminclass or search forwp_localize_scriptcalls in the plugin folder. - JS Variable: The plugin likely localizes data under a key such as
njt_fastdup_paramsorfastdup_data. - Extraction:
- Create a dummy page to trigger script loading:
wp post create --post_type=page --post_status=publish --post_content='[njt_fastdup_shortcode]'(inferred shortcode name). - Navigate to the page and use
browser_eval("window.njt_fastdup_params?.nonce").
- Create a dummy page to trigger script loading:
- Bypass Check: If the endpoint uses
check_ajax_refererwithdie=falseor ifwp_verify_nonceis called but the return value is not checked, the nonce requirement can be ignored.
5. Exploitation Strategy
We will attempt to delete a non-critical file (test.log) in the wp-content/uploads directory to demonstrate the vulnerability without impacting site availability ($A:N$).
- Target URL:
http://localhost:8080/wp-json/njt-fastdup/v1/system/delete-log(inferred). - Method:
POST. - Payload:
{ "log": "../../../uploads/test.log" } - Traversal Logic:
NJT_FASTDUP_PATH_LOG$\approx$/wp-content/plugins/fastdup/logs/..$\rightarrow$/wp-content/plugins/fastdup/..$\rightarrow$/wp-content/plugins/
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.