CVE-2023-6592: 
WordPress vulnerability analysis and mitigation

The FastDup WordPress plugin before version 2.2 contains a directory listing vulnerability (CVE-2023-6592) that was discovered in January 2024. This security flaw affects the plugin's handling of sensitive directories containing export files, specifically exposing backup and export data through directory listing functionality (WPScan, CleanTalk Research).

The vulnerability exists in multiple sensitive directories including 'wordpress/wp-content/plugins/fastdup/logs', 'wordpress/wp-content/njt-fastdup/tmp', and 'wordpress/wp-content/njt-fastdup/packages/'. When exploited, it allows unauthorized access to backup files and sensitive information. The vulnerability has been assigned a CVSS 3.1 base score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, though WPScan rates it at CVSS 7.5 (HIGH) (NVD, WPScan).

The vulnerability exposes sensitive information about the WordPress site, including configuration details, directories, files, and database contents including user passwords. This exposure could lead to unauthorized access to critical information and potential system compromise through password hash extraction and subsequent brute force attacks (CleanTalk Research).

The vulnerability has been patched in FastDup version 2.2. Users are strongly advised to update to this version or later to protect against potential exploitation. The fix prevents directory listing in sensitive directories containing export files (WPScan).