CVE-2026-1104
Unauthorized Backup Creation in FastDup WordPress Plugin REST API
Publication date: 2026-02-12
Last updated on: 2026-02-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastdup | fastdup | to 2.7.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The FastDup β Fastest WordPress Migration & Duplicator plugin for WordPress has a vulnerability due to a missing capability check on its REST API endpoints in all versions up to and including 2.7.1.
This flaw allows authenticated attackers with Contributor-level access or higher to create and download full-site backup archives. These backups include the entire WordPress installation, such as database exports and configuration files.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows attackers with relatively low privileges (Contributor-level access) to obtain full backups of the WordPress site.
Such backups contain sensitive data including the entire database and configuration files, which can lead to data exposure, site compromise, and potential further exploitation.
The CVSS score of 8.8 (High) reflects the high confidentiality, integrity, and availability impact of this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized backup creation and download via REST API endpoints in the FastDup WordPress plugin. Detection can focus on monitoring REST API calls to the plugin's package-related endpoints, especially those that initiate package builds or downloads."}, {'type': 'paragraph', 'content': 'Since the vulnerable endpoints require at least Contributor-level authentication, detection can include reviewing access logs for unusual POST requests to endpoints such as `/wp-json/njt-fastdup/v1/packages` or `/wp-json/njt-fastdup/v1/packages/download`.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': "Using web server logs (e.g., Apache or Nginx) to grep for REST API calls related to FastDup, for example: `grep '/wp-json/njt-fastdup/v1/packages' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': 'Checking WordPress user activity logs (if available) for Contributor or higher users making POST requests to these endpoints.'}, {'type': 'list_item', 'content': 'Using network monitoring tools to detect unusual outbound traffic corresponding to large backup archive downloads.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the FastDup plugin to version 2.7.2 or later, where the missing capability check on REST API endpoints has been fixed.
Until the update can be applied, restrict access to the REST API endpoints related to FastDup by limiting Contributor-level and above user permissions or by implementing firewall rules to block unauthorized REST API calls.
Additionally, monitor user accounts with Contributor or higher privileges for suspicious activity and consider temporarily reducing user privileges if possible.