Description
The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.
Published: 2025-11-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The WP Duplicate Page plugin contains a missing authorization flaw in its saveSettings function that allows any authenticated user with a Contributor role or higher to modify the plugin’s settings, specifically the role capabilities. By changing these settings, an attacker can grant themselves or other users permission to duplicate and read password‑protected posts that should be confidential. The vulnerability therefore enables a confidentiality breach by exposing sensitive content to users who should not have access to it.
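The pattern behind a CWE-862 finding like this one, shown here as an added illustration that is not the WP Duplicate Page plugin's own code: a WordPress AJAX settings handler that writes role settings without checking the caller's capability, beside a hardened version and a post-level check on the duplicate action itself. Every function, option, nonce and action name (the example_dp_* identifiers) is hypothetical; only the WordPress API calls (add_action, check_ajax_referer, current_user_can, update_option, wp_roles, wp_send_json_success/error) are real.

```php
<?php
/**
 * Illustrative example only, NOT the WP Duplicate Page plugin's code.
 * Shows the missing-authorization pattern the advisory describes next to a
 * hardened handler. All example_dp_* names are hypothetical.
 */

// --- Vulnerable pattern (hypothetical) -------------------------------------
// Every logged-in user, Contributors included, can reach wp_ajax_* actions.
// This handler trusts the request and writes the role list straight to the
// option that decides who may duplicate posts.
add_action( 'wp_ajax_example_dp_save_settings', 'example_dp_save_settings_vulnerable' );

function example_dp_save_settings_vulnerable() {
    // No nonce check and no current_user_can(): a Contributor can POST here
    // and add their own role to the allowed list.
    $roles = isset( $_POST['roles'] ) ? (array) $_POST['roles'] : array();
    update_option( 'example_dp_allowed_roles', $roles );
    wp_send_json_success();
}

// --- Hardened pattern (hypothetical) ---------------------------------------
add_action( 'wp_ajax_example_dp_save_settings_fixed', 'example_dp_save_settings_fixed' );

function example_dp_save_settings_fixed() {
    // 1. CSRF protection: the nonce must have been issued for this action
    //    (wp_create_nonce( 'example_dp_settings' ) on the settings page).
    check_ajax_referer( 'example_dp_settings', 'nonce' );

    // 2. Authorization: only users allowed to manage site options may change
    //    which roles can duplicate posts. This is the check whose absence
    //    the advisory describes; a nonce alone does not authorize.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate input against the roles that actually exist so a crafted
    //    request cannot store arbitrary values.
    $known_roles = array_keys( wp_roles()->roles );
    $submitted   = isset( $_POST['roles'] ) ? (array) wp_unslash( $_POST['roles'] ) : array();
    $roles       = array_values( array_intersect( array_map( 'sanitize_key', $submitted ), $known_roles ) );

    update_option( 'example_dp_allowed_roles', $roles );
    wp_send_json_success( array( 'roles' => $roles ) );
}

// --- Consumer side (hypothetical) ------------------------------------------
// Even with the settings handler fixed, the duplicate action should re-check
// that the caller may edit the source post. Contributors hold edit_posts but
// not edit_others_posts, so the per-post 'edit_post' meta capability denies
// them a copy of another author's password-protected post regardless of what
// the role option says.
function example_dp_can_duplicate( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false;
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return false;
    }
    $allowed = (array) get_option( 'example_dp_allowed_roles', array( 'administrator' ) );
    $user    = wp_get_current_user();
    return (bool) array_intersect( $allowed, (array) $user->roles );
}
```

The two checks do different jobs: check_ajax_referer() proves the request came from a page WordPress rendered for that user, which any Contributor can obtain, while current_user_can() decides whether that user is allowed to change the setting at all. A handler that has the first but not the second is still a CWE-862 finding.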

Affected Systems

The vulnerability affects the WP Duplicate Page plugin by Ninjateam in version 1.7 and all earlier versions. Only installations running these versions are affected; the advisory's upper bound implies that releases after 1.7 contain the fix, but this page records no vendor advisory confirming it.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects medium severity: reachable over the network with low attack complexity and no user interaction, requiring low privileges, and affecting confidentiality only. The EPSS score of less than 1% indicates a very low predicted probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated account with at least Contributor privileges, so anonymous visitors cannot trigger it, but anyone who can log in at that level can do so without further effort. Sites that hand out Contributor accounts broadly (open registration, guest authors) are the most exposed.

Generated by OpenCVE AI on April 21, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Duplicate Page plugin to the first release after 1.7 whose changelog records the authorization fix; since this page lists no vendor advisory, confirm the fix is present before relying on it.
  • If an upgrade is not possible, disable or uninstall the plugin to remove the unauthenticated-capability path entirely.
  • Review and tighten WordPress user roles and capabilities so that Contributors cannot modify plugin settings or duplicate protected posts, and inspect the plugin's stored role settings for roles that should not be there, since an attacker may already have altered them.

Advisories

No advisories yet.

History

Tue, 18 Nov 2025 22:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 14:30:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Ninjateam; Ninjateam wp Duplicate Page; Wordpress; Wordpress wordpress
Type: Vendors & Products | Values Removed: (none) | Values Added: Ninjateam; Ninjateam wp Duplicate Page; Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 09:45:00 +0000

Type: Description | Values Removed: (none) | Values Added: The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.
Type: Title | Values Removed: (none) | Values Added: WP Duplicate Page <= 1.7 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-862
Type: References | Values Removed: (none) | Values Added: (none listed)
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:44.550Z

Reserved: 2025-10-29T17:11:16.657Z

Link: CVE-2025-12481

Vulnrichment

Updated: 2025-11-18T21:01:35.065Z

NVD

Status : Deferred

Published: 2025-11-18T10:15:47.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12481

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses