Skip to main content

Yoast Duplicate Post CVE-2026-53739

| EUVDEUVD-2026-36140 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-10 VulnCheck GHSA-8jhr-hxr5-g2rc
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable CSRF requiring authenticated victim interaction (UI:R, PR:N); scope unchanged; only low integrity impact from modifying one site option; no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 21:24 vuln.today

DescriptionCVE.org

Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide.

AnalysisAI

Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The duplicate_post_dismiss_notice handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the duplicate_post_show_notice site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

Technical ContextAI

The affected component is the WordPress plugin Yoast Duplicate Post (CPE: cpe:2.3:a:yoast:yoast_duplicate_post:*:*:*:*:*:*:*:*), a widely deployed content-duplication utility. The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), specifically the failure to implement WordPress's standard nonce-based CSRF protection on the duplicate_post_dismiss_notice AJAX/action handler. WordPress plugins are expected to call check_admin_referer() or wp_verify_nonce() and enforce role-based capability checks before modifying site options via functions like update_site_option(). The absence of both controls means that a forged HTTP request - originating from any attacker-controlled page - will be processed as legitimate when submitted by an authenticated WordPress session. The targeted site option duplicate_post_show_notice is a persistent boolean stored in the WordPress options table, and its modification takes effect network-wide, suggesting potential multisite scope.

RemediationAI

The primary remediation is to update Yoast Duplicate Post to a version beyond 4.6 that incorporates nonce verification and capability checks in the duplicate_post_dismiss_notice handler; however, no specific patched release version was confirmed in the available input data - administrators should consult the official plugin page at https://wordpress.org/plugins/duplicate-post/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/yoast-duplicate-post-through-cross-site-request-forgery-via-duplicate-post-dismiss-notice for the latest release. If an update is not immediately available, a compensating control is to deactivate the plugin entirely, though this disables all duplicate-post functionality. Alternatively, network-level WAF rules that reject unauthenticated or cross-origin POST requests to WordPress admin-ajax.php targeting the duplicate_post_dismiss_notice action can reduce exposure, but may interfere with legitimate plugin use. WordPress administrators can also monitor the duplicate_post_show_notice option in the options table for unauthorized changes as a detective control.

Share

CVE-2026-53739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy