[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fW6N_DWQU1t6eRCkT_aEZwTxHp3VG94cy2SvjYZf_AGM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-52703","fastdup-fastest-wordpress-migration-duplicator-unauthenticated-path-traversal","FastDup – Fastest WordPress Migration & Duplicator \u003C= 2.7.2 - Unauthenticated Path Traversal","The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7.2. This makes it possible for unauthenticated attackers to perform actions on files outside of the originally intended directory.","fastdup",null,"\u003C=2.7.2","2.7.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-06-12 00:00:00","2026-06-18 13:21:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F483dad33-bde9-4008-b79c-6a66d3514652?source=api-prod",7,[22,23,24,25,26,27,28,29],"assets\u002Fadmin\u002Fbuild\u002Fjs\u002Fapp.js","define.php","fastdup.php","inc\u002Findex.php","inc\u002Finstaller.tmpl","includes\u002FAdmin.php","includes\u002FAdmin\u002FDatabase\u002FDatabase.php","includes\u002FAdmin\u002FHelper\u002FDirectoryHelper.php","researched",false,3,"This research plan outlines the process for investigating and exploiting an unauthenticated path traversal vulnerability in the **FastDup** plugin (CVE-2026-52703).\n\n### 1. Vulnerability Summary\nThe FastDup plugin for WordPress (\u003C= 2.7.2) contains an unauthenticated path traversal vulnerability. The vulnerability likely resides in a REST API endpoint or AJAX handler designed for file management (such as deleting logs, temporary files, or old migration packages). Because the plugin does not properly validate or sanitize the file path parameter, an unauthenticated attacker can traverse the directory structure and perform actions (specifically file deletion, given the $I:L\u002FA:N$ CVSS vector) on files outside the intended directory.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `POST \u002Fwp-json\u002Fnjt-fastdup\u002Fv1\u002Fsystem\u002Fdelete-log` (inferred based on plugin architecture and `NJT_FASTDUP_PATH_LOG` definition).\n*   **Alternative Endpoint:** `POST \u002Fwp-json\u002Fnjt-fastdup\u002Fv1\u002Fpackages\u002Fdelete` (inferred).\n*   **Vulnerable Parameter:** `log` or `file` or `name`.\n*   **Authentication:** Unauthenticated (REST route registered with `'permission_callback' => '__return_true'`).\n*   **Preconditions:** The plugin must be active. No specific settings or migration packages are required to exist for the traversal itself to work against arbitrary files.\n\n### 3. Code Flow\n1.  **Entry Point:** The REST API route is initialized in `NJT\\FastDup\\Endpoint`.\n2.  **Handler:** The route calls a callback function (e.g., `delete_log_callback`).\n3.  **Input Acquisition:** The handler retrieves the `log` parameter from the request without sanitization.\n4.  **Path Construction:** The handler joins the `NJT_FASTDUP_PATH_LOG` constant (defined in `define.php` as `NJT_FASTDUP_PLUGIN_PATH . 'logs'`) with the user-provided input.\n5.  **Sink:** The constructed path is passed directly to a file system operation, likely `unlink()`.\n6.  **Traversal:** By providing `..\u002F..\u002F..\u002Fuploads\u002Ftest.log`, the attacker escapes the `logs` directory to target the `wp-content\u002Fuploads\u002F` directory.\n\n### 4. Nonce Acquisition Strategy\nBased on the \"Unauthenticated\" classification, the endpoint likely does not enforce a nonce check. However, if a nonce is required for the REST API (e.g., the `wp_rest` action), follow these steps:\n\n1.  **Identify Localization:** Check the `NJT\\FastDup\\Admin` class or search for `wp_localize_script` calls in the plugin folder.\n2.  **JS Variable:** The plugin likely localizes data under a key such as `njt_fastdup_params` or `fastdup_data`.\n3.  **Extraction:**\n    *   Create a dummy page to trigger script loading: `wp post create --post_type=page --post_status=publish --post_content='[njt_fastdup_shortcode]'` (inferred shortcode name).\n    *   Navigate to the page and use `browser_eval(\"window.njt_fastdup_params?.nonce\")`.\n4.  **Bypass Check:** If the endpoint uses `check_ajax_referer` with `die=false` or if `wp_verify_nonce` is called but the return value is not checked, the nonce requirement can be ignored.\n\n### 5. Exploitation Strategy\nWe will attempt to delete a non-critical file (`test.log`) in the `wp-content\u002Fuploads` directory to demonstrate the vulnerability without impacting site availability ($A:N$).\n\n1.  **Target URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fnjt-fastdup\u002Fv1\u002Fsystem\u002Fdelete-log` (inferred).\n2.  **Method:** `POST`.\n3.  **Payload:**\n    ```json\n    {\n      \"log\": \"..\u002F..\u002F..\u002Fuploads\u002Ftest.log\"\n    }\n    ```\n4.  **Traversal Logic:**\n    *   `NJT_FASTDUP_PATH_LOG` $\\approx$ `\u002Fwp-content\u002Fplugins\u002Ffastdup\u002Flogs\u002F`\n    *   `..` $\\rightarrow$ `\u002Fwp-content\u002Fplugins\u002Ffastdup\u002F`\n    *   `..` $\\rightarrow$ `\u002Fwp-content\u002Fplugins\u002F`\n    *","gemini-3-flash-preview","2026-06-26 00:50:30","2026-06-26 00:52:18",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.7.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffastdup\u002Ftags\u002F2.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffastdup.2.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffastdup\u002Ftags\u002F2.7.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffastdup.2.7.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffastdup\u002Ftags"]