Impact
This vulnerability arises from a missing authorization check in the WordPress Post Duplicator plugin, allowing users to duplicate posts and other content without proper privilege verification. The flaw can lead to unauthorized content manipulation or duplication, compromising data integrity and exposing sensitive information through duplicated posts. Because the weakness is a classic Broken Access Control (CWE-862) instance, the primary impact is that an attacker can perform operations normally restricted to privileged users.
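For reference, the following is an added illustration of what the absent check looks like when present; it is not the Post Duplicator plugin's own code, and the action name, nonce action and field names are assumed. Omitting the two capability checks in step 2 is the CWE-862 pattern this advisory describes.

```php
<?php
// Hypothetical "duplicate post" admin-post handler with the authorization
// checks that a missing-authorization (CWE-862) flaw implies are absent.
// Added example; action/field names are assumptions, not the plugin's.

add_action( 'admin_post_example_duplicate_post', 'example_duplicate_post_handler' );

function example_duplicate_post_handler() {
    // 1. Bind the request to the logged-in session (CSRF protection).
    check_admin_referer( 'example_duplicate_post' );

    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    $source  = $post_id ? get_post( $post_id ) : null;
    if ( ! $source instanceof WP_Post ) {
        wp_die( 'Source post not found.', '', array( 'response' => 404 ) );
    }

    // 2. Authorization: the caller must be allowed to edit the source
    //    (otherwise private drafts could leak through the copy) ...
    if ( ! current_user_can( 'edit_post', $source->ID ) ) {
        wp_die( 'You are not allowed to duplicate this post.', '', array( 'response' => 403 ) );
    }
    //    ... and to create content of that post type. Without these two
    //    checks any authenticated user reaching this URL could copy content.
    $type_obj = get_post_type_object( $source->post_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->create_posts ) ) {
        wp_die( 'You are not allowed to create this content type.', '', array( 'response' => 403 ) );
    }

    // 3. Create the copy as a draft owned by the caller; never auto-publish.
    $new_id = wp_insert_post( array(
        'post_type'    => $source->post_type,
        'post_title'   => $source->post_title . ' (Copy)',
        'post_content' => $source->post_content,
        'post_excerpt' => $source->post_excerpt,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ) );
    }

    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
```

When reviewing a plugin for this class of flaw, look for every `admin_post_*`, `wp_ajax_*` or REST callback that reaches `wp_insert_post()` without a `current_user_can()` call on the path.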
Affected Systems
The affected product is the MetaphorCreations Post Duplicator plugin for WordPress. All versions from the first release up to and including 2.35 are vulnerable. Users running these versions should be aware that plugin functionality is exposed to users who may not have the intended permissions.
Risk and Exploitability
The CVSS score of 4.3 indicates a medium severity issue under current metrics, and the EPSS score of less than 1% reflects a low current exploit probability. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet a known exploitation target. Based on the description, the likely attack vector is web-based through the plugin's administrative interfaces, and exploitation probably requires a logged-in user with some level of access; because no specific privilege requirement is stated, any authenticated user could potentially trigger the duplication functionality, whether inadvertently or maliciously. This is an inference, however, since the official description does not give further details.