Impact
The Copy Move Posts plugin for WordPress has a missing authorization flaw (CWE-862) that allows users to copy and move posts without proper privilege checks. Because the plugin does not enforce role-based restrictions on these actions, the likely attacker is any authenticated user on the site. Based on the description, an attacker could duplicate or relocate content, which may enable the insertion of spam, sensitive material, or other malicious content. This represents a moderate security risk with potential for content integrity violations.
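The CWE-862 pattern described above, shown as an added illustration next to its hardened form. This is not the plugin's own code: the handler names, the `example_copy_post` action and the nonce name are hypothetical, and only standard WordPress core functions are used.

```php
<?php
/** Plugin Name: Example copy handler (constructed illustration, hypothetical names) */

// BEFORE: admin_post_* handlers run for every logged-in user, and nothing
// here checks what that user may do with the post. Left unregistered.
function example_copy_post_unchecked() {
    $source = get_post( absint( $_GET['post'] ?? 0 ) );
    if ( $source ) {
        wp_insert_post( array(
            'post_title'   => wp_slash( $source->post_title ),
            'post_content' => wp_slash( $source->post_content ),
            'post_type'    => $source->post_type,
            'post_status'  => 'draft',
        ) );
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// AFTER: nonce check plus per-object and per-type capability checks.
function example_copy_post_checked() {
    $post_id = absint( $_GET['post'] ?? 0 );
    // Binds the request to a link rendered for this user and this post.
    check_admin_referer( 'example_copy_post_' . $post_id );

    $source = get_post( $post_id );
    $type   = $source ? get_post_type_object( $source->post_type ) : null;
    // The user must be allowed to edit the source (its content is read,
    // drafts and private posts included) and to create posts of that type.
    if ( ! $type
        || ! current_user_can( 'edit_post', $post_id )
        || ! current_user_can( $type->cap->create_posts ) ) {
        wp_die( 'You are not allowed to copy this post.', '', array( 'response' => 403 ) );
    }

    wp_insert_post( array(
        'post_title'   => wp_slash( $source->post_title ),
        'post_content' => wp_slash( $source->post_content ),
        'post_type'    => $source->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ) );
    wp_safe_redirect( admin_url( 'edit.php?post_type=' . $source->post_type ) );
    exit;
}
add_action( 'admin_post_example_copy_post', 'example_copy_post_checked' );
```

The link that triggers the hardened handler has to be built with `wp_nonce_url()` using the same per-post action string, otherwise `check_admin_referer()` rejects the request.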
Affected Systems
The vulnerability applies to the WordPress plugin "Copy Move Posts" developed by ujjavaljani. Versions from the initial release through and including version 1.6 are affected. WordPress sites that have installed this plugin and have not applied the update to a later release are within scope.
Risk and Exploitability
The CVSS v3.1 score of 5.3 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog, further implying that there are currently no documented public exploits. However, attackers who can authenticate to the site could exploit the broken access control to duplicate or move posts, potentially impacting content integrity and reputation. The risk remains elevated for organizations that rely heavily on post management through this plugin and do not enforce strict role assignments.