Executive Summary

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress has a vulnerability due to a missing capability check on its REST API endpoints in all versions up to and including 2.7.1.

This flaw allows authenticated attackers with Contributor-level access or higher to create and download full-site backup archives. These backups include the entire WordPress installation, such as database exports and configuration files.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with relatively low privileges (Contributor-level access) to obtain full backups of the WordPress site.

Such backups contain sensitive data including the entire database and configuration files, which can lead to data exposure, site compromise, and potential further exploitation.

The CVSS score of 8.8 (High) reflects the high confidentiality, integrity, and availability impact of this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized backup creation and download via REST API endpoints in the FastDup WordPress plugin. Detection can focus on monitoring REST API calls to the plugin's package-related endpoints, especially those that initiate package builds or downloads."}, {'type': 'paragraph', 'content': 'Since the vulnerable endpoints require at least Contributor-level authentication, detection can include reviewing access logs for unusual POST requests to endpoints such as `/wp-json/njt-fastdup/v1/packages` or `/wp-json/njt-fastdup/v1/packages/download`.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': "Using web server logs (e.g., Apache or Nginx) to grep for REST API calls related to FastDup, for example: `grep '/wp-json/njt-fastdup/v1/packages' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': 'Checking WordPress user activity logs (if available) for Contributor or higher users making POST requests to these endpoints.'}, {'type': 'list_item', 'content': 'Using network monitoring tools to detect unusual outbound traffic corresponding to large backup archive downloads.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the FastDup plugin to version 2.7.2 or later, where the missing capability check on REST API endpoints has been fixed.

Until the update can be applied, restrict access to the REST API endpoints related to FastDup by limiting Contributor-level and above user permissions or by implementing firewall rules to block unauthorized REST API calls.

Additionally, monitor user accounts with Contributor or higher privileges for suspicious activity and consider temporarily reducing user privileges if possible.

Useful 0 Not Useful 0