The vulnerability identified as CVE-2026-0604 affects the FastDup – Fastest WordPress Migration & Duplicator plugin, a tool widely used for migrating and duplicating WordPress sites. The flaw is a path traversal vulnerability (CWE-22) found in the 'dir_path' parameter of the REST API endpoint 'njt-fastdup/v1/template/directory-tree'. This parameter is improperly sanitized, allowing authenticated users with Contributor-level permissions or higher to manipulate the path input to access directories outside the intended restricted scope. Consequently, attackers can read arbitrary directories on the server hosting the WordPress site, potentially exposing sensitive files such as configuration files, credentials, or other private data. The vulnerability affects all plugin versions up to and including 2.7. The CVSS 3.1 base score is 6.5, reflecting a medium severity with a high confidentiality impact but no impact on integrity or availability. The attack vector is network-based, requiring low attack complexity and privileges (Contributor or above), with no user interaction needed. Although no exploits have been reported in the wild, the vulnerability poses a significant risk due to the potential exposure of sensitive information. The lack of a patch at the time of reporting increases the urgency for mitigation. The vulnerability's exploitation could facilitate further attacks, such as credential theft or lateral movement within the hosting environment.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive data stored on web servers running WordPress with the FastDup plugin. Confidentiality breaches may include exposure of database credentials, API keys, or proprietary content, which can result in data leaks, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Since the vulnerability requires Contributor-level access, insider threats or compromised contributor accounts are primary risk vectors. The absence of integrity or availability impact limits direct service disruption but increases the risk of subsequent attacks leveraging stolen information. Organizations with public-facing WordPress sites, especially those in sectors like finance, healthcare, and government, face heightened risks. The medium severity score reflects a moderate but significant threat, emphasizing the need for timely mitigation to prevent data exfiltration and potential escalation.

1. Immediately audit and restrict Contributor-level access to trusted users only, minimizing the number of accounts with such privileges. 2. Monitor REST API usage logs for unusual or unauthorized access patterns targeting the 'njt-fastdup/v1/template/directory-tree' endpoint. 3. Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts targeting the vulnerable parameter. 4. Disable or remove the FastDup plugin if it is not essential to operations until a security patch is released. 5. Upon availability, promptly apply the vendor's security update addressing this vulnerability. 6. Employ file system permissions and isolation techniques to limit the WordPress process's ability to read sensitive directories outside its scope. 7. Educate contributors about the risks of privilege misuse and enforce strong authentication mechanisms, including multi-factor authentication (MFA). 8. Regularly back up WordPress sites and configurations to enable recovery in case of compromise.