Yoast Duplicate Post
Monthly
Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.
Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The `duplicate_post_dismiss_notice` handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the `duplicate_post_show_notice` site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.
Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The `duplicate_post_dismiss_notice` handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the `duplicate_post_show_notice` site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.