CVE-2026-1104 - Vulnerability Analysis

Overview

FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress <= 2.7.1 contains an authorization bypass caused by missing capability checks on REST API endpoints, letting authenticated attackers with Contributor-level access create and download full-site backups.

Severity & Score

Impact

Authenticated attackers with Contributor access can create and download full-site backups, exposing sensitive data including database and configuration files.

Mitigation

Update to a version later than 2.7.1 or the latest available version.

References

• https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/PackageApi.php#L371
• https://plugins.trac.wordpress.org/changeset/3449530/
• https://www.wordfence.com/threat-intel/vulnerabilities/id/29c0fb4d-c38c-4c78-9e15-797f3c3a4b30?source=cve

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 12, 2026

🟠 CVE-2026-1104 - High (8.8) The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This make... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1104/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner