Description
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders.
Published: 2026-01-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data duplication and sensitive information exposure
Action: Apply Patch
AI Analysis

Impact

The WP Duplicate Page plugin, versions up to and including 1.8, contains missing capability checks in its bulk duplication handlers. An attacker with any authenticated WordPress role of Contributor or higher can invoke these handlers to duplicate posts, pages, or WooCommerce HPOS orders. The result is the creation of duplicate content or orders without authorization, potentially exposing sensitive data and enabling duplicate order fulfillment.

Affected Systems

Any WordPress site that has installed the ninjateam WP Duplicate Page plugin version 1.8 or earlier is affected. The vulnerability applies to all instances of the plugin regardless of the ‘Allowed User Roles’ setting, because the check is omitted from the underlying functions. Any site owner using the plugin in these versions should verify the current plugin version and consider immediate update or removal.

Risk and Exploitability

The CVSS score of 5.4 places this issue in the moderate severity range. The EPSS score of less than 1% indicates a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is straightforward: an authenticated user can simply press the duplicate button, bypassing role limits. The missing capability check removes the intended authorization boundary, so exploitation does not require additional privileges, misconfiguration, or network access. The risk remains primarily to data integrity and confidentiality, especially for WooCommerce orders that could be duplicated for illicit fulfillment.

Generated by OpenCVE AI on April 21, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Duplicate Page to the latest version (at least 1.9) where capability checks are enforced
  • If an update is not immediately possible, delete the plugin or disable it for all sites to prevent accidental duplication
  • Configure a role‑based restriction that removes Contributor or higher roles from accessing the duplication functionality by disabling the relevant plugin settings or using a security plugin to block the duplicate endpoint

Generated by OpenCVE AI on April 21, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Ninjateam
Ninjateam wp Duplicate Page
Wordpress
Wordpress wordpress
Vendors & Products Ninjateam
Ninjateam wp Duplicate Page
Wordpress
Wordpress wordpress

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 11:30:00 +0000

Type Values Removed Values Added
Description The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders.
Title WP Duplicate Page <= 1.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Ninjateam Wp Duplicate Page
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:38.069Z

Reserved: 2025-12-04T00:59:24.837Z

Link: CVE-2025-14001

cve-icon Vulnrichment

Updated: 2026-01-13T17:18:33.007Z

cve-icon NVD

Status : Deferred

Published: 2026-01-13T12:15:48.630

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses