Copy Delete Posts
Monthly
Broken authorization in the Copy & Delete Posts WordPress plugin through 1.5.4 lets any authenticated user assigned a plugin-enabled (non-admin) role invoke every operation exposed by the cdp_action_handling AJAX endpoint, enabling post deletion and plugin-setting tampering. The flaw stems from a missing per-function capability check that the dispatcher should enforce based on the f parameter. No public exploit identified at time of analysis and the CVE is not on CISA KEV.
Broken authorization in the Copy & Delete Posts WordPress plugin through 1.5.4 lets any authenticated user assigned a plugin-enabled (non-admin) role invoke every operation exposed by the cdp_action_handling AJAX endpoint, enabling post deletion and plugin-setting tampering. The flaw stems from a missing per-function capability check that the dispatcher should enforce based on the f parameter. No public exploit identified at time of analysis and the CVE is not on CISA KEV.