CVE-2026-52703

WordPress · FastDup

An unauthenticated path traversal vulnerability exists in the FastDup plugin for WordPress, allowing attackers to access sensitive files.

Executive summary

A critical path traversal vulnerability in the FastDup WordPress plugin allows unauthenticated attackers to read sensitive files from the underlying server filesystem.

Vulnerability

The plugin fails to validate a user-supplied file path before using it in a filesystem operation. An unauthenticated attacker can place traversal sequences (such as ../) in the affected parameter to escape the intended directory and read files elsewhere on the server, including system and site configuration files.
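The following is an added illustration of the bug class, not FastDup's code: the advisory does not name the affected parameter or code path, so the handler, the base directory layout and the "requested" argument are assumptions. It places the vulnerable pattern (user input joined onto a base directory with no containment check) beside a hardened version that resolves the final path and requires it to remain inside the base directory, and exercises both against a throwaway directory tree built at run time.

```python
import os
import tempfile
from pathlib import Path

# Illustrative only: NOT the plugin's code. The handler names, the "requested"
# parameter and the directory layout in demo() are assumptions for this example.

def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Vulnerable pattern: the caller's input is joined onto base_dir with no
    containment check, so '../' sequences walk out of the intended directory."""
    # os.path.join() also discards base_dir entirely if 'requested' is absolute.
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()

def safe_read(base_dir: str, requested: str) -> bytes:
    """Hardened pattern: resolve the final path (symlinks included) and require
    that the resolved base directory is one of its parents."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    # Containment via the parent chain, not a string prefix test: a prefix
    # test wrongly accepts '/srv/app-secrets' as being under '/srv/app'.
    if base not in target.parents:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()

def demo() -> dict:
    """Builds <tmp>/exports/report.txt (the intended file) and <tmp>/wp-config.php
    (sensitive, one level up; constructed contents), then records what each
    handler returns for a legitimate name, a traversal and an absolute path."""
    root = Path(tempfile.mkdtemp())
    exports = root / "exports"
    exports.mkdir()
    (exports / "report.txt").write_text("quarterly report")
    (root / "wp-config.php").write_text("define('DB_PASSWORD', 'constructed-secret');")

    results = {}
    results["vuln_legit"] = vulnerable_read(str(exports), "report.txt")
    # The vulnerable handler happily reads one directory up.
    results["vuln_traversal"] = vulnerable_read(str(exports), "../wp-config.php")
    results["safe_legit"] = safe_read(str(exports), "report.txt")
    for key, name in (("safe_traversal", "../wp-config.php"),
                      ("safe_absolute", "/etc/passwd")):
        try:
            safe_read(str(exports), name)
            results[key] = "READ"
        except PermissionError:
            results[key] = "BLOCKED"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```

The resolve-then-check order matters: checking the raw string for ".." misses encoded variants and symlink escapes, whereas resolving first and then testing containment judges the path the operating system will actually open.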

Business impact

A CVSS score of 9.6 places this vulnerability in the Critical range. Successful exploitation discloses the contents of configuration files; on a WordPress site that includes wp-config.php, which holds the database credentials and the authentication keys and salts, so the disclosure is a direct precursor to database access, session forgery, further system exploitation or data theft.

Remediation

Immediate Action: Update the FastDup plugin to a release that addresses this path traversal vulnerability (confirm the fixed version in the plugin changelog). If the update cannot be applied promptly, deactivate the plugin, since the flaw is reachable without authentication.

Proactive Monitoring: Review web server access logs for directory traversal sequences (../ and ..\, including their URL-encoded and double-encoded forms such as %2e%2e%2f and %252e%252e%252f) in requests to the WordPress installation, particularly paths under wp-content/plugins/. Treat a matching request that returned a 2xx status with a non-empty body as a probable successful read, not merely an attempt.
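The detection logic described above, as an added example that is not part of the advisory: it parses combined-format access log lines, percent-decodes the request target repeatedly so single- and double-encoded sequences are caught, flags any decoded target containing ".." followed by a path separator, and grades each hit by response status. The log lines are constructed for this example; the endpoint export.php and the file= parameter are hypothetical and are not the plugin's real interface.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; the fastdup endpoint and the
# "file" parameter are hypothetical, not the plugin's actual interface.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:10:01:02 +0000] "GET /wp-content/plugins/fastdup/export.php?file=backup.zip HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2026:10:01:09 +0000] "GET /wp-content/plugins/fastdup/export.php?file=../../../../wp-config.php HTTP/1.1" 200 3180 "-" "curl/8.0"
198.51.100.7 - - [10/May/2026:10:02:31 +0000] "GET /wp-content/plugins/fastdup/export.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3180 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2026:10:02:40 +0000] "GET /wp-content/plugins/fastdup/export.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2026:10:03:00 +0000] "GET /wp-content/themes/twentytwentyfour/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2026:10:03:05 +0000] "GET /wp-content/uploads/2026/05/image..jpg HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The traversal primitive is '..' immediately followed by a separator; a bare
# '..' inside a filename (image..jpg) is not flagged.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded %252e%252e%252f is seen as ../ the way an application that
    decodes twice would see it."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_traversal(target: str) -> bool:
    """True when the decoded request target (path plus query) contains ../ or ..\\."""
    return TRAVERSAL_RE.search(fully_decode(target)) is not None

def scan_log(text: str) -> list:
    """Return one record per traversal request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not is_traversal(target):
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "raw": target,
            "decoded": fully_decode(target),
            "status": status,
            # A 2xx with a non-empty body is the case to escalate: the server
            # most likely returned file contents rather than an error page.
            "verdict": "probable success" if 200 <= status < 300 and size > 0 else "attempt",
        })
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']:14} {hit['status']} {hit['verdict']:16} {hit['decoded']}")
```

Matching on the decoded target rather than the raw log line is the design point: a signature that only looks for the literal string "../" misses the encoded requests that automated scanners send by default.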

Compensating Controls: Run the web server process under a least-privilege account and restrict filesystem permissions so that it can read only the files the site needs; a traversal read can only return files that account is able to open. Where a web application firewall or the web server's own rules sit in front of WordPress, block requests whose decoded path or query contains traversal sequences. Note that disabling directory listing is good hygiene but does not by itself prevent a traversal read of a known filename such as wp-config.php.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Path traversal vulnerabilities often lead to significant information disclosure. Update the plugin immediately, then review access logs for traversal requests against the site. A file read leaves no trace in the file itself, so do not rely on modification times: if the logs show a traversal request that was answered with a 2xx status, assume the contents of wp-config.php are compromised and rotate the database credentials and the authentication keys and salts it contains, and look for follow-on activity such as unexpected database access or newly created administrator accounts.