CVE-2026-1104 HIGH

CVE-2026-1104: FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download

Vendor: Ninjateam
Product: FastDup – Fastest WordPress Migration & Duplicator
Weakness: CWE-862 · Missing authorization
Published: February 12, 2026
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.
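The class of flaw described above, as an added example (not FastDup's code and not taken from this advisory): a REST route whose permission check only confirms that the caller is logged in, beside one that requires an administrator capability. The `example-migrator/v1` namespace, the routes and the function names are hypothetical; only the WordPress core calls are real.

```php
<?php
// Added illustration for a plugin file. All example_migrator_* names and
// the routes are hypothetical placeholders, not FastDup's real identifiers.

// Placeholder handler standing in for "build a full-site archive".
function example_migrator_create_backup( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'status' => 'queued' ) );
}

// Authorization check: only roles holding manage_options (Administrator on
// a single site) may pass. Contributors hold edit_posts but not this one.
function example_migrator_can_manage_backups( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to manage backups.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

add_action( 'rest_api_init', function () {
    // Weak form: authentication without authorization. Every logged-in
    // account passes, so the capability check is effectively missing (CWE-862).
    register_rest_route( 'example-migrator/v1', '/backups-weak', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_migrator_create_backup',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Corrected form: the capability check runs before the handler. The same
    // callback belongs on every sensitive route, including any download route.
    register_rest_route( 'example-migrator/v1', '/backups', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_migrator_create_backup',
        'permission_callback' => 'example_migrator_can_manage_backups',
    ) );
} );
```

Since WordPress 5.5, `register_rest_route()` raises a `_doing_it_wrong` notice when `permission_callback` is omitted entirely, but it cannot tell whether a callback that is present actually checks a capability.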

Explanation of Vulnerability in Simple Terms

02 Summary

The FastDup WordPress migration plugin versions 2.7.1 and earlier lack proper authorization checks on sensitive operations. An authenticated user with low privileges can perform actions intended only for administrators, including reading site data, modifying configurations, and potentially disrupting site availability. Update to a version newer than 2.7.1 immediately.

What an attacker can do

03 Attacker Capabilities

Read sensitive site data, modify configurations, and disrupt site availability without admin privileges.

Potential impact on your site

04 Site Impact

Any logged-in user can access and modify critical migration and site settings, risking data exposure and site integrity.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account (subscriber, contributor, or similar).

Key dates

06 Disclosure timeline

February 12, 2026: CVE published
April 8, 2026: Record updated