Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable CSRF requiring authenticated victim interaction (UI:R, PR:N); scope unchanged; only low integrity impact from modifying one site option; no confidentiality or availability effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide.
AnalysisAI
Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The duplicate_post_dismiss_notice handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the duplicate_post_show_notice site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Technical ContextAI
The affected component is the WordPress plugin Yoast Duplicate Post (CPE: cpe:2.3:a:yoast:yoast_duplicate_post:*:*:*:*:*:*:*:*), a widely deployed content-duplication utility. The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), specifically the failure to implement WordPress's standard nonce-based CSRF protection on the duplicate_post_dismiss_notice AJAX/action handler. WordPress plugins are expected to call check_admin_referer() or wp_verify_nonce() and enforce role-based capability checks before modifying site options via functions like update_site_option(). The absence of both controls means that a forged HTTP request - originating from any attacker-controlled page - will be processed as legitimate when submitted by an authenticated WordPress session. The targeted site option duplicate_post_show_notice is a persistent boolean stored in the WordPress options table, and its modification takes effect network-wide, suggesting potential multisite scope.
RemediationAI
The primary remediation is to update Yoast Duplicate Post to a version beyond 4.6 that incorporates nonce verification and capability checks in the duplicate_post_dismiss_notice handler; however, no specific patched release version was confirmed in the available input data - administrators should consult the official plugin page at https://wordpress.org/plugins/duplicate-post/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/yoast-duplicate-post-through-cross-site-request-forgery-via-duplicate-post-dismiss-notice for the latest release. If an update is not immediately available, a compensating control is to deactivate the plugin entirely, though this disables all duplicate-post functionality. Alternatively, network-level WAF rules that reject unauthenticated or cross-origin POST requests to WordPress admin-ajax.php targeting the duplicate_post_dismiss_notice action can reduce exposure, but may interfere with legitimate plugin use. WordPress administrators can also monitor the duplicate_post_show_notice option in the options table for unauthorized changes as a detective control.
More in Yoast Duplicate Post
View allSame weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36140
GHSA-8jhr-hxr5-g2rc