CVE-2026-0604
Path Traversal in FastDup WordPress Plugin Allows Data Exposure

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.
Meta Information
Published: 2026-01-06
Last Modified: 2026-01-06
Generated: 2026-05-06
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: njt
Product: fastdup
Version / Range: up to and including 2.7
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-0604 is a Path Traversal vulnerability in the FastDup WordPress plugin (up to version 2.7) that affects the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. Authenticated users with Contributor-level access or higher can exploit this flaw to read arbitrary directories on the server by manipulating the directory path parameter, potentially exposing sensitive information stored on the server. [2]


How can this vulnerability impact me?

This vulnerability allows an attacker with Contributor-level or higher access to read contents of arbitrary directories on the server hosting the WordPress site. This can lead to exposure of sensitive information such as configuration files, user data, or other confidential files, which may compromise the security and privacy of the website and its users. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability, you can monitor REST API requests to the endpoint '/njt-fastdup/v1/template/directory-tree' that include the 'dir_path' parameter. Since the vulnerability involves path traversal via this parameter, look for requests where 'dir_path' contains suspicious patterns or attempts to access directories outside the intended scope. You can use tools like curl to test the endpoint if you have authenticated access with Contributor-level permissions or higher. Example command to test (replace URL and authentication accordingly): curl -X GET 'https://yourwordpresssite.com/wp-json/njt-fastdup/v1/template/directory-tree?dir_path=../../' -H 'Authorization: Bearer <token>' -v. Additionally, review your web server logs or use intrusion detection systems to flag unusual directory access patterns via this REST API endpoint. [2]
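The log review suggested above, as an added example that is not part of this record or of the FastDup plugin: a small Python triage script that scans constructed Apache/nginx combined-format access-log lines for requests to the 'njt-fastdup/v1/template/directory-tree' route (either under /wp-json/ or via WordPress's rest_route query parameter) and flags a 'dir_path' value that, after undoing layered percent-encoding, contains a '..' segment, an absolute path, or a null byte.

```python
"""Flag access-log requests to the FastDup directory-tree REST route whose
dir_path parameter shows path-traversal patterns (defender-side triage)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "njt-fastdup/v1/template/directory-tree"
# Combined log format: only the quoted request line is needed here.
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def dir_path_is_suspicious(dir_path):
    """True when dir_path could escape a fixed base directory."""
    p = fully_decode(dir_path).replace("\\", "/")
    if "\x00" in p or p.startswith("/"):      # null byte or absolute path
        return True
    return any(seg == ".." for seg in p.split("/"))

def check_log_line(line):
    """Return the decoded offending dir_path for a suspicious request, else None."""
    m = REQ_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query, keep_blank_values=True)
    # The route may sit in the path (/wp-json/...) or in WordPress's rest_route parameter.
    route_hit = ROUTE in fully_decode(parts.path) or any(
        ROUTE in fully_decode(r) for r in qs.get("rest_route", []))
    if not route_hit:
        return None
    for candidate in qs.get("dir_path", []):
        if dir_path_is_suspicious(candidate):
            return fully_decode(candidate)
    return None

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jan/2026:10:01:02 +0000] "GET /wp-json/njt-fastdup/v1/template/directory-tree?dir_path=wp-content/uploads HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Jan/2026:10:01:07 +0000] "GET /wp-json/njt-fastdup/v1/template/directory-tree?dir_path=..%2F..%2F..%2F HTTP/1.1" 200 2048',
    '10.0.0.9 - - [06/Jan/2026:10:01:09 +0000] "GET /?rest_route=%2Fnjt-fastdup%2Fv1%2Ftemplate%2Fdirectory-tree&dir_path=%252e%252e%252f%252e%252e%252fetc HTTP/1.1" 200 1024',
    '10.0.0.7 - - [06/Jan/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000',
]

def suspicious_hits(lines):
    """(index, decoded dir_path) for every line that trips the check."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := check_log_line(line))]

if __name__ == "__main__":
    for idx, path in suspicious_hits(SAMPLE_LOG):
        print(f"line {idx}: traversal attempt, dir_path={path!r}")
```

A 200 response to a flagged request on a site still running 2.7 or earlier is the case worth escalating; pair the hit with the authenticated WordPress user from the application logs, since the route requires Contributor-level access.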


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include: 1) Restrict access to the FastDup plugin's REST API endpoints to only trusted users with appropriate permissions (Contributor-level or higher). 2) Update the FastDup plugin to a version later than 2.7 that addresses this vulnerability, if available. 3) If an update is not yet available, consider disabling the FastDup plugin or restricting access to the vulnerable REST API endpoint '/njt-fastdup/v1/template/directory-tree' via web server rules or firewall to prevent exploitation. 4) Monitor logs for suspicious activity targeting this endpoint. 5) Review and tighten user roles and capabilities to minimize the number of users who can access this API. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers with Contributor-level access and above to read arbitrary directories on the server, potentially exposing sensitive information. This unauthorized access to sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, exploitation of this vulnerability may result in violations of these standards due to unauthorized data disclosure. [2]

