CVE-2026-52703

FastDup – Fastest WordPress Migration & Duplicator <= 2.7.2 - Unauthenticated Path Traversal

mediumImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.7.3
Patched in
7d
Time to patch

Description

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7.2. This makes it possible for unauthenticated attackers to perform actions on files outside of the originally intended directory.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.7.2
PublishedJune 12, 2026
Last updatedJune 18, 2026
Affected pluginfastdup

What Changed in the Fix

Changes introduced in v2.7.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the process for investigating and exploiting an unauthenticated path traversal vulnerability in the **FastDup** plugin (CVE-2026-52703). ### 1. Vulnerability Summary The FastDup plugin for WordPress (<= 2.7.2) contains an unauthenticated path traversal vulnerability. The…

Show full research plan

This research plan outlines the process for investigating and exploiting an unauthenticated path traversal vulnerability in the FastDup plugin (CVE-2026-52703).

1. Vulnerability Summary

The FastDup plugin for WordPress (<= 2.7.2) contains an unauthenticated path traversal vulnerability. The vulnerability likely resides in a REST API endpoint or AJAX handler designed for file management (such as deleting logs, temporary files, or old migration packages). Because the plugin does not properly validate or sanitize the file path parameter, an unauthenticated attacker can traverse the directory structure and perform actions (specifically file deletion, given the $I:L/A:N$ CVSS vector) on files outside the intended directory.

2. Attack Vector Analysis

  • Endpoint: POST /wp-json/njt-fastdup/v1/system/delete-log (inferred based on plugin architecture and NJT_FASTDUP_PATH_LOG definition).
  • Alternative Endpoint: POST /wp-json/njt-fastdup/v1/packages/delete (inferred).
  • Vulnerable Parameter: log or file or name.
  • Authentication: Unauthenticated (REST route registered with 'permission_callback' => '__return_true').
  • Preconditions: The plugin must be active. No specific settings or migration packages are required to exist for the traversal itself to work against arbitrary files.

3. Code Flow

  1. Entry Point: The REST API route is initialized in NJT\FastDup\Endpoint.
  2. Handler: The route calls a callback function (e.g., delete_log_callback).
  3. Input Acquisition: The handler retrieves the log parameter from the request without sanitization.
  4. Path Construction: The handler joins the NJT_FASTDUP_PATH_LOG constant (defined in define.php as NJT_FASTDUP_PLUGIN_PATH . 'logs') with the user-provided input.
  5. Sink: The constructed path is passed directly to a file system operation, likely unlink().
  6. Traversal: By providing ../../../uploads/test.log, the attacker escapes the logs directory to target the wp-content/uploads/ directory.

4. Nonce Acquisition Strategy

Based on the "Unauthenticated" classification, the endpoint likely does not enforce a nonce check. However, if a nonce is required for the REST API (e.g., the wp_rest action), follow these steps:

  1. Identify Localization: Check the NJT\FastDup\Admin class or search for wp_localize_script calls in the plugin folder.
  2. JS Variable: The plugin likely localizes data under a key such as njt_fastdup_params or fastdup_data.
  3. Extraction:
    • Create a dummy page to trigger script loading: wp post create --post_type=page --post_status=publish --post_content='[njt_fastdup_shortcode]' (inferred shortcode name).
    • Navigate to the page and use browser_eval("window.njt_fastdup_params?.nonce").
  4. Bypass Check: If the endpoint uses check_ajax_referer with die=false or if wp_verify_nonce is called but the return value is not checked, the nonce requirement can be ignored.

5. Exploitation Strategy

We will attempt to delete a non-critical file (test.log) in the wp-content/uploads directory to demonstrate the vulnerability without impacting site availability ($A:N$).

  1. Target URL: http://localhost:8080/wp-json/njt-fastdup/v1/system/delete-log (inferred).
  2. Method: POST.
  3. Payload:
    {
      "log": "../../../uploads/test.log"
    }
    
  4. Traversal Logic:
    • NJT_FASTDUP_PATH_LOG $\approx$ /wp-content/plugins/fastdup/logs/
    • .. $\rightarrow$ /wp-content/plugins/fastdup/
    • .. $\rightarrow$ /wp-content/plugins/

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.