Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin-ajax endpoint, no user interaction, requires a low-privilege authenticated role (PR:L), and yields high integrity/availability impact via post deletion and settings overwrite with no confidentiality disclosure.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.
AnalysisAI
Broken authorization in the Copy & Delete Posts WordPress plugin through 1.5.4 lets any authenticated user assigned a plugin-enabled (non-admin) role invoke every operation exposed by the cdp_action_handling AJAX endpoint, enabling post deletion and plugin-setting tampering. The flaw stems from a missing per-function capability check that the dispatcher should enforce based on the f parameter. No public exploit identified at time of analysis and the CVE is not on CISA KEV.
Technical ContextAI
Copy & Delete Posts is a WordPress plugin (vendor inisev, CPE inisev:copy_&_delete_posts) that adds bulk post-management actions and exposes a server-side dispatcher named cdp_action_handling via the WordPress admin-ajax interface. The dispatcher reads an f parameter to select which internal handler to run (delete posts, overwrite plugin settings, etc.), but enforces only a coarse 'is the caller a plugin-enabled role' gate at the entry point instead of re-checking the WordPress capability appropriate to each sub-action. This is a textbook CWE-863 (Incorrect Authorization) pattern: the trust decision is made once at the wrapper, so the more sensitive branches inherit the weakest required privilege.
RemediationAI
No vendor-released patch identified at time of analysis - neither the WordPress.org plugin page nor the VulnCheck advisory in the supplied references names a fixed version beyond 1.5.4, so administrators should monitor https://wordpress.org/plugins/copy-delete-posts/ for an update past 1.5.4 and the VulnCheck advisory at https://www.vulncheck.com/advisories/copy-delete-posts-through-privilege-escalation-via-cdp-action-handling-handler for confirmation. Until a fixed release is published, the highest-leverage compensating control is to restrict the plugin's enabled-role list to administrators only via the plugin's own settings, which removes the abusable PR:L path at the cost of losing delegated copy/delete workflows for editors. As a network-layer mitigation, block or require admin authentication on POST requests to /wp-admin/admin-ajax.php where action=cdp_action_handling using a WAF rule, accepting that this will break the plugin's UI for any non-admin role; a stricter fallback is to deactivate the plugin entirely, which fully removes the vulnerability but disables all bulk copy/delete functionality.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36139
GHSA-cx2j-wv5h-5j6v