What the vulnerability does
01 Description
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.
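As an added example, not code from FastDup or from this advisory, here is what this class of bug looks like in WordPress terms: a REST route registered with no effective `permission_callback` beside the hardened form that gates it on a capability, plus a small helper an administrator can run to list ungated routes for review. The `example-migrator/v1` namespace, the routes and all function names are hypothetical.

```php
<?php
// Added illustrative example, not FastDup's code: a migration-style REST route
// without an effective capability check, the hardened form, and an audit helper.
// The namespace, routes and function names are hypothetical.

add_action( 'rest_api_init', function () {
    // Weak: '__return_true' (or no permission_callback at all) admits any request
    // that passes cookie/nonce auth, which every logged-in account already does.
    register_rest_route( 'example-migrator/v1', '/backup', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_backup',
        'permission_callback' => '__return_true',
    ) );
    // Hardened: gate the operation on the capability it really requires.
    register_rest_route( 'example-migrator/v1', '/backup-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_backup',
        'permission_callback' => 'example_can_manage_backups',
    ) );
} );

function example_can_manage_backups( WP_REST_Request $request ) {
    // A full-site archive holds the database and wp-config.php, so require an
    // administrator-level capability rather than just "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to create backups.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function example_create_backup( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'status' => 'queued' ) ); // stand-in job
}

// Audit helper: list routes whose permission_callback is missing or '__return_true'.
// Core registers a few intentionally public routes, so review each hit.
function example_list_ungated_rest_routes() {
    $ungated = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $check = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $check || '__return_true' === $check ) {
                $ungated[] = $route;
            }
        }
    }
    return array_values( array_unique( $ungated ) );
}
```

The audit helper is meant to be run from a site administrator's context (for instance via WP-CLI's `wp eval`); routes that appear in its output should be checked against the capability the underlying operation actually needs.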
Explanation of Vulnerability in Simple Terms
02 Summary
The FastDup WordPress migration plugin versions 2.7.1 and earlier lack proper authorization checks on sensitive operations. An authenticated user with low privileges can perform actions intended only for administrators, including reading site data, modifying configurations, and potentially disrupting site availability. Update to a version newer than 2.7.1 immediately.
What an attacker can do
03 Attacker Capabilities
Read sensitive site data, modify configurations, and disrupt site availability without admin privileges.
Potential impact on your site
04 Site Impact
Any logged-in user can access and modify critical migration and site settings, risking data exposure and site integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (subscriber, contributor, or similar).
Key dates
06 Disclosure timeline
February 12, 2026: CVE published
April 8, 2026: Record updated