Skip to main content

Copy & Delete Posts CVE-2026-53738

| EUVDEUVD-2026-36139 HIGH
Incorrect Authorization (CWE-863)
2026-06-10 VulnCheck GHSA-cx2j-wv5h-5j6v
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable admin-ajax endpoint, no user interaction, requires a low-privilege authenticated role (PR:L), and yields high integrity/availability impact via post deletion and settings overwrite with no confidentiality disclosure.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 21:19 vuln.today

DescriptionCVE.org

Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.

AnalysisAI

Broken authorization in the Copy & Delete Posts WordPress plugin through 1.5.4 lets any authenticated user assigned a plugin-enabled (non-admin) role invoke every operation exposed by the cdp_action_handling AJAX endpoint, enabling post deletion and plugin-setting tampering. The flaw stems from a missing per-function capability check that the dispatcher should enforce based on the f parameter. No public exploit identified at time of analysis and the CVE is not on CISA KEV.

Technical ContextAI

Copy & Delete Posts is a WordPress plugin (vendor inisev, CPE inisev:copy_&_delete_posts) that adds bulk post-management actions and exposes a server-side dispatcher named cdp_action_handling via the WordPress admin-ajax interface. The dispatcher reads an f parameter to select which internal handler to run (delete posts, overwrite plugin settings, etc.), but enforces only a coarse 'is the caller a plugin-enabled role' gate at the entry point instead of re-checking the WordPress capability appropriate to each sub-action. This is a textbook CWE-863 (Incorrect Authorization) pattern: the trust decision is made once at the wrapper, so the more sensitive branches inherit the weakest required privilege.

RemediationAI

No vendor-released patch identified at time of analysis - neither the WordPress.org plugin page nor the VulnCheck advisory in the supplied references names a fixed version beyond 1.5.4, so administrators should monitor https://wordpress.org/plugins/copy-delete-posts/ for an update past 1.5.4 and the VulnCheck advisory at https://www.vulncheck.com/advisories/copy-delete-posts-through-privilege-escalation-via-cdp-action-handling-handler for confirmation. Until a fixed release is published, the highest-leverage compensating control is to restrict the plugin's enabled-role list to administrators only via the plugin's own settings, which removes the abusable PR:L path at the cost of losing delegated copy/delete workflows for editors. As a network-layer mitigation, block or require admin authentication on POST requests to /wp-admin/admin-ajax.php where action=cdp_action_handling using a WAF rule, accepting that this will break the plugin's UI for any non-admin role; a stricter fallback is to deactivate the plugin entirely, which fully removes the vulnerability but disables all bulk copy/delete functionality.

Share

CVE-2026-53738 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy