Impact
The atec Duplicate Page & Post WordPress plugin contains a missing authorization check in its duplicate_post() function for all releases up to version 1.2.20. This flaw permits authenticated users with Contributor or higher privileges to duplicate any existing post, including those marked private or password protected. The resulting duplicate posts are accessible to the same audiences as the originals, leading to unintended disclosure of protected content. The weakness corresponds to improper access control (CWE-862).
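As an added illustration that is not the plugin's own code, the following hypothetical WordPress handler shows the nonce and capability checks a post-duplication action should perform before copying anything; the hook name, nonce action and function names are assumed, and the copy is always created as a draft owned by the caller.

```php
<?php
// Hypothetical duplicate handler (not the atec plugin's code) showing the
// authorization checks whose absence the advisory describes.
add_action( 'admin_post_example_duplicate_post', 'example_duplicate_post' );

function example_duplicate_post() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;

    // CSRF protection: the nonce is bound to the specific post being copied.
    check_admin_referer( 'example_duplicate_' . $post_id );

    $source = get_post( $post_id );
    if ( ! $source instanceof WP_Post ) {
        wp_die( 'Post not found', '', array( 'response' => 404 ) );
    }

    // Authorization on the SOURCE post: 'read_post' blocks copying of private
    // or password-protected content the caller cannot read; 'edit_post' stops
    // a Contributor from copying posts that belong to other authors.
    if ( ! current_user_can( 'read_post', $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to duplicate this post', '', array( 'response' => 403 ) );
    }

    // The caller must also be allowed to create posts of this type at all.
    $type_obj = get_post_type_object( $source->post_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->create_posts ) ) {
        wp_die( 'You are not allowed to create this post type', '', array( 'response' => 403 ) );
    }

    // Never inherit the original's status: the copy starts as a draft owned by the caller,
    // so it is not exposed to the original's audience until someone with rights publishes it.
    $new_id = wp_insert_post( array(
        'post_title'    => $source->post_title . ' (copy)',
        'post_content'  => $source->post_content,
        'post_excerpt'  => $source->post_excerpt,
        'post_type'     => $source->post_type,
        'post_status'   => 'draft',
        'post_author'   => get_current_user_id(),
        'post_password' => $source->post_password,
    ), true );

    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ) );
    }

    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
```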
Affected Systems
All installations of the atec Duplicate Page & Post plugin for WordPress running version 1.2.20 or earlier are affected. Site owners should check the installed plugin version; if it falls within this range, any Contributor-level account can trigger the duplication process.
Risk and Exploitability
The vulnerability has a CVSS score of 5.3, reflecting moderate severity, and an EPSS score of less than 1%, indicating a low likelihood of exploitation at present. The description specifies that an authenticated user with the Contributor role or higher is required, so the attack relies on holding a legitimate account on the site rather than on unauthenticated access. The duplication operation is understood to be reachable by such users but to lack a role check in versions up to 1.2.20. Although the flaw is not listed in CISA KEV, its moderate severity and the low privilege level needed still warrant vigilance for sites that host private or password-protected content.
OpenCVE Enrichment