Is WordPress affected by CVE-2026-1499?

A critical vulnerability in the WP Duplicate WordPress plugin allows attackers to upload arbitrary files and bypass authentication, potentially leading to complete website compromise. Any organization using this plugin is at immediate risk of data theft, malware injection, and service disruption.

CVE-2026-1499

HIGH

2026-02-06 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 06, 2026 - 09:15 nvd

HIGH 8.8

Description

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.

Analysis

WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.

Remediation

Within 24 hours: Audit all WordPress installations for WP Duplicate plugin presence and immediately disable/deactivate the plugin. Within 7 days: If the plugin is business-critical, engage the vendor for timeline confirmation and implement compensating controls (WAF rules, IP restrictions, access logging). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.7

CVSS: +44

POC: 0

CVE-2026-1499 vulnerability details – vuln.today

Back

CVE-2026-1499

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-1499

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code