Impact
The WP Bulk Post Duplicator plugin for WordPress, in versions up to and including 1.2, performs no Cross-Site Request Forgery (CSRF) check in its duplicate-post function: the handler does not verify that the request originated from the plugin's own admin interface (which WordPress does with a nonce), so it cannot distinguish a request the administrator intended from one that a third-party page caused the browser to send. An attacker can therefore induce a logged-in administrator's browser to submit a crafted request to the site, triggering the duplicate action and creating copies of existing posts that the administrator never asked for. The direct effect is unauthorized modification of site content; the duplicate posts also clutter the site, add load, and can undermine content integrity if the copies are later edited or published in place of the originals.
Affected Systems
This vulnerability affects WordPress sites running the Rajesh Kumar WP Bulk Post Duplicator plugin at version 1.2 or earlier. Any site that uses this plugin for bulk post duplication is exposed regardless of other security measures, because the missing check sits in the plugin's own request handler: perimeter controls see no difference between a legitimate duplicate request and a forged one, since both arrive from the administrator's own browser with the administrator's own session.
Risk and Exploitability
The vulnerability carries a CVSS score of 4.3, a medium severity. The EPSS score of less than 1% indicates a low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires a victim who is logged in to the target site as an administrator (or another user permitted to duplicate posts) and who can be lured into loading attacker-controlled content while that session is active; the forged request is an HTTP request to the plugin's duplicate endpoint, typically delivered through a link sent by social engineering or an image or auto-submitting form embedded in a page the victim visits. The attacker needs no credentials of their own: the request succeeds because the browser attaches the victim's WordPress session cookies automatically.
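The two handlers below illustrate the pattern described in the Impact and Risk sections and its fix. They are an added example, not code from the WP Bulk Post Duplicator plugin; the hook names, the `example_duplicate_posts` nonce action, the `post_ids` request parameter and the `example_` helper functions are all hypothetical. The vulnerable handler acts on any request that reaches it, which is exactly what a cross-origin form or image tag submitted by a logged-in administrator's browser provides; the hardened handler requires a nonce that only the plugin's own admin page can mint, and additionally checks the user's capability for each post.

```php
<?php
/*
 * Added illustration of the CSRF weakness and its fix. Not code from
 * WP Bulk Post Duplicator; all names below are hypothetical.
 *
 * Vulnerable pattern: an admin-post.php handler that trusts any request
 * carrying post IDs. A page on another origin can submit this request
 * from an administrator's browser, and WordPress will attach the session
 * cookies, so the duplicates are created without the admin's intent.
 */
add_action( 'admin_post_example_duplicate_posts', 'example_duplicate_posts_vulnerable' );

function example_duplicate_posts_vulnerable() {
    $ids = isset( $_REQUEST['post_ids'] ) ? (array) $_REQUEST['post_ids'] : array();
    foreach ( $ids as $id ) {
        example_duplicate_post( (int) $id );   // no nonce check, no capability check
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

/*
 * Hardened pattern: the form embeds a nonce bound to this action, the
 * handler verifies it (WordPress terminates the request on failure), and
 * the user must be allowed to edit each post before it is copied.
 */
add_action( 'admin_post_example_duplicate_posts_safe', 'example_duplicate_posts_hardened' );

function example_duplicate_posts_hardened() {
    // Dies with a 403-style "link has expired" page if the nonce is missing,
    // stale, or was minted for a different user or action.
    check_admin_referer( 'example_duplicate_posts', 'example_nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( __( 'You are not allowed to duplicate posts.' ), 403 );
    }

    $ids = isset( $_POST['post_ids'] ) ? array_map( 'absint', (array) $_POST['post_ids'] ) : array();
    foreach ( $ids as $id ) {
        if ( current_user_can( 'edit_post', $id ) ) {   // per-post capability check
            example_duplicate_post( $id );
        }
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// Copies a post as a new draft. Shared by both handlers; the weakness is in
// who may reach it, not in the copy itself.
function example_duplicate_post( $id ) {
    $post = get_post( $id );
    if ( ! $post ) {
        return 0;
    }
    return wp_insert_post( array(
        'post_title'   => $post->post_title,
        'post_content' => $post->post_content,
        'post_type'    => $post->post_type,
        'post_status'  => 'draft',
    ) );
}

// Form for the hardened handler. wp_nonce_field() emits the hidden nonce
// (and referer) inputs that check_admin_referer() validates above; a page on
// another origin cannot obtain a valid nonce for the victim's session.
function example_render_duplicate_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_duplicate_posts_safe">
        <?php wp_nonce_field( 'example_duplicate_posts', 'example_nonce' ); ?>
        <input type="number" name="post_ids[]" value="1">
        <button type="submit">Duplicate</button>
    </form>
    <?php
}
```

The nonce alone closes the CSRF hole described in this advisory; the `current_user_can()` calls are there because a nonce proves the request came from the plugin's own page, not that the requesting user should be allowed to perform the action, and the two checks fail independently.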