CVE-2026-0604 is a path traversal vulnerability classified under CWE-22 in the FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress. The flaw exists in all versions up to and including 2.7 and is triggered via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. An authenticated attacker with Contributor-level or higher privileges can manipulate this parameter to traverse directories outside the intended scope, enabling them to read arbitrary files on the server. This can lead to unauthorized disclosure of sensitive information such as configuration files, credentials, or other private data stored on the web server. The vulnerability does not allow modification or deletion of files, nor does it require user interaction beyond authentication. The CVSS v3.1 score of 6.5 reflects a medium severity, with a network attack vector, low attack complexity, and privileges required. No patches or exploit code are currently publicly available, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The REST API endpoint exposure increases the attack surface, making it critical to control access and monitor usage.

The primary impact of CVE-2026-0604 is unauthorized disclosure of sensitive server files, which can compromise confidentiality. Attackers with Contributor-level access can leverage this vulnerability to gain insights into server configurations, credentials, or other sensitive data that could facilitate further attacks such as privilege escalation or lateral movement. While the vulnerability does not directly affect integrity or availability, the information gained could indirectly lead to more severe compromises. Organizations running WordPress sites with this plugin are at risk of data leakage, which can damage reputation, violate compliance requirements, and expose intellectual property. The risk is heightened in environments with multiple contributors or where contributor accounts are less tightly controlled. Since exploitation requires authentication, the threat is somewhat limited to insiders or compromised accounts, but the ease of exploitation and network accessibility make it a notable concern for web-facing systems.

To mitigate CVE-2026-0604, organizations should first verify if they are using the FastDup plugin and identify the version in use. Immediate steps include restricting access to the vulnerable REST API endpoint by implementing role-based access controls or IP whitelisting to limit who can invoke it. Administrators should enforce the principle of least privilege by reviewing and minimizing Contributor-level accounts and ensuring strong authentication mechanisms are in place. Monitoring and logging REST API usage can help detect suspicious activity indicative of exploitation attempts. Until an official patch is released, consider disabling or removing the plugin if it is not essential. If the plugin is critical, isolate the WordPress instance or run it in a hardened environment with limited file system permissions to reduce the impact of potential exploitation. Stay updated with vendor advisories and apply patches promptly once available. Additionally, conduct regular security audits and vulnerability scans to identify similar issues proactively.