Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content.
AnalysisAI
The Yoast Duplicate Post WordPress plugin through version 4.5 contains a missing capability check vulnerability in the clone_bulk_action_handler() and republish_request() functions, allowing authenticated attackers with Contributor-level access to duplicate restricted posts (private, draft, trashed) and Author-level attackers to overwrite published posts via the Rewrite & Republish feature. The vulnerability carries a CVSS score of 5.4 (medium severity) with ENISA EUVD tracking (EUVD-2026-12800), and Wordfence has documented specific vulnerable code paths in the plugin's bulk handler and post republisher modules.
Technical ContextAI
The vulnerability exists in WordPress plugin code (cpe:2.3:a:yoast:yoast_duplicate_post:*:*:*:*:*:*:*:*) and falls under CWE-862 (Missing Authorization / Capability Check). The affected functions—clone_bulk_action_handler() in bulk-handler.php (line 115) and republish_request() in post-republisher.php (line 128)—fail to verify user capabilities before allowing post duplication and republishing actions. WordPress uses capability-based access control (via functions like current_user_can()), and the absence of such checks allows privilege escalation where lower-privileged authenticated users bypass content ownership and publication status restrictions. This is a PHP/WordPress-specific authorization flaw.
RemediationAI
Upgrade the Yoast Duplicate Post plugin to version 4.6 or later, which contains the capability check fixes. Access the plugin update mechanism via WordPress Dashboard (Plugins > Installed Plugins) or download the patched version from https://plugins.wordpress.org/duplicate-post/. Until patching is possible, implement immediate mitigations: (1) restrict user registrations to trusted administrators only via WordPress Settings > General or remove open registration; (2) audit user roles and demote any unnecessary Contributor or Author accounts; (3) enable WordPress post revision history and backup the database to detect unauthorized post modifications; (4) use WordPress security plugins (Wordfence, Sucuri) to monitor bulk actions and post republish events. For multi-author sites requiring Contributor access, consider disabling the Duplicate Post and Rewrite & Republish features via code until the patch is applied.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12800
GHSA-g9w4-m5fx-x3wv