WordPress FastDup <= 2.1.9 Sensitive Information Exposure - Directory Listing
CVE-2023-6592
Verified
Description
FastDup WordPress plugin < 2.2 contains a directory listing vulnerability caused by a lack of access restrictions on sensitive directories, which lets attackers view export files. Exploitation requires no authentication.
Severity
Medium
CVSS Score
5.3
Exploit Probability
4%
Published Date
April 9, 2026
Template Author
pussycat0x
CVE-2023-6592.yaml
id: CVE-2023-6592
info:
  name: WordPress FastDup <= 2.1.9 Sensitive Information Exposure - Directory Listing
  author: pussycat0x
  severity: medium
  description: |
    FastDup WordPress plugin < 2.2 contains a directory listing vulnerability caused by lack of access restrictions in sensitive directories, letting attackers view export files, exploit requires no authentication.
  impact: |
    Attackers can access sensitive export files, potentially leading to information disclosure.
  remediation: |
    Update to version 2.2 or later.
  reference:
    - https://wpscan.com/vulnerability/a39bb807-b143-4863-88ff-1783e407d7d4/
    - https://wordpress.org/plugins/fastdup/
    - https://plugins.trac.wordpress.org/changeset/3012664
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fastdup/fastdup-219-sensitive-information-exposure-via-directory-listing
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-6592
    cwe-id: CWE-548
    epss-score: 0.04397
    epss-percentile: 0.89112
  metadata:
    verified: true
    max-request: 3
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-content/njt-fastdup"
    google-query: inurl:"/wp-content/njt-fastdup/packages/" intitle:"Index of"
  tags: cve,cve2023,wordpress,wp-plugin,fastdup,log,wp
http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/fastdup/logs/"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Index of"
          - "Parent Directory"
        condition: or
      - type: word
        part: header
        words:
          - "text/html"
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        group: 1
        name: listed-files
        regex:
          - 'href="([^"]+\.(zip|sql|log|txt|json|gz|tar))"'
# digest: 4b0a00483046022100c2518bb2cc796640e9048b2827bc7a6670913c7c7481311e1d138bcb73ed0c8c022100c54ef97bbbfdd6e58d465a58933b43792614dfff3871aa6d423eb4d4d6f7985d:922c64590222798bb761d5b6d8e72950
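The matcher and extractor logic of the template, applied offline to captured responses. This is an added example, not part of the template or of the plugin; the function name `evaluate`, the way headers are joined into text, and the sample responses are assumptions constructed for illustration.

```python
import re

# Matcher and extractor values copied from the template above.
BODY_WORDS = ("Index of", "Parent Directory")
HEADER_WORD = "text/html"
LISTED_FILES = re.compile(r'href="([^"]+\.(zip|sql|log|txt|json|gz|tar))"')


def evaluate(status, headers, body):
    """Return (matched, listed_files) for one captured HTTP response.

    All three matchers must hold (matchers-condition: and); the body
    matcher needs only one of its words (condition: or). In this example
    files are extracted only from responses that matched.
    """
    # Assumption: headers are compared as one "Name: value" text block.
    header_text = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    matched = (
        status == 200
        and HEADER_WORD in header_text
        and any(word in body for word in BODY_WORDS)
    )
    files = [m.group(1) for m in LISTED_FILES.finditer(body)] if matched else []
    return matched, files


# Constructed sample responses (not taken from any real site).
HTML = {"Content-Type": "text/html; charset=UTF-8"}
AUTOINDEX_BODY = (
    "<html><head><title>Index of /wp-content/plugins/fastdup/logs</title></head>"
    "<body><h1>Index of /wp-content/plugins/fastdup/logs</h1><ul>"
    '<li><a href="/wp-content/plugins/fastdup/">Parent Directory</a></li>'
    '<li><a href="export-sample.log">export-sample.log</a></li>'
    '<li><a href="package-sample.tar.gz">package-sample.tar.gz</a></li>'
    "</ul></body></html>"
)
FORBIDDEN_BODY = "<html><body><h1>403 Forbidden</h1></body></html>"
# An ordinary page that only mentions the phrase: matches, but lists no files.
ORDINARY_BODY = "<html><body><p>Index of topics covered this week</p></body></html>"

if __name__ == "__main__":
    for status, body in ((200, AUTOINDEX_BODY), (403, FORBIDDEN_BODY), (200, ORDINARY_BODY)):
        print(status, evaluate(status, HTML, body))
```

A match with an empty `listed-files` result, as with the ordinary page above, should be checked by hand before it is recorded as a finding, because the word matchers alone also fire on any HTML page containing "Index of".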
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID:
CVE-2023-6592
CWE ID:
CWE-548
References
https://wpscan.com/vulnerability/a39bb807-b143-4863-88ff-1783e407d7d4/
https://wordpress.org/plugins/fastdup/
https://plugins.trac.wordpress.org/changeset/3012664
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fastdup/fastdup-219-sensitive-information-exposure-via-directory-listing
Remediation Steps
Update to version 2.2 or later.