Impact
This vulnerability is a missing authorization flaw in the Menu Duplicator WordPress plugin that allows any authenticated user to copy or duplicate menu items. The lack of proper access controls increases the risk of unauthorized modification of site navigation, which could be leveraged to mislead visitors or tamper with site structure. The weakness is categorized as CWE‑862 (Missing Authorization): the plugin does not verify that the requesting user is authorized to perform the action.
Affected Systems
The issue affects the WordPress plugin named Menu Duplicator developed by swayam.tejwani, for all releases up to and including version 1.0. No specific sub‑versions are listed, but any installation that has not been updated beyond 1.0 is vulnerable.
Risk and Exploitability
With a CVSS score of 4.3, the vulnerability is considered moderate; the EPSS score of less than 1% indicates a slim chance of active exploitation in the wild. It is not listed in the CISA KEV catalog, implying that no known extensive public exploits have been observed. The most likely attack vector is a user who is logged into the WordPress site without administrative privileges but can still trigger the menu-copy functionality. Successful exploitation does not grant code execution but can alter site navigation, signaling a need for prompt remediation.
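The missing check described under Impact, shown as an added example that is not the plugin's own code: a menu-copy handler without authorization beside a hardened form of the same handler. The `admin_post_` hook, the `example_*` function, action and nonce names, and the `menu_id` field are assumptions, since the page does not say how the plugin registers its handler.

```php
<?php
// Added example. All example_* names are hypothetical, not the plugin's identifiers.

// Vulnerable pattern (CWE-862). WordPress fires admin_post_{action} for every
// logged-in user, so this handler would run for a subscriber too (left unregistered):
// add_action( 'admin_post_example_duplicate_menu', 'example_duplicate_menu_unchecked' );
function example_duplicate_menu_unchecked() {
	example_copy_menu( absint( $_POST['menu_id'] ?? 0 ) ); // no capability check
	wp_safe_redirect( admin_url( 'nav-menus.php' ) );
	exit;
}

// Hardened form: authorize first, then verify the nonce, then act.
add_action( 'admin_post_example_duplicate_menu', 'example_duplicate_menu_checked' );
function example_duplicate_menu_checked() {
	// Same capability core requires for the Appearance > Menus screen.
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		wp_die( 'You are not allowed to duplicate menus.', 'Forbidden', array( 'response' => 403 ) );
	}
	check_admin_referer( 'example_duplicate_menu', 'example_nonce' );
	example_copy_menu( absint( $_POST['menu_id'] ?? 0 ) );
	wp_safe_redirect( admin_url( 'nav-menus.php' ) );
	exit;
}

// Copies a menu and its items, keeping parent/child nesting. Returns the new menu ID or 0.
function example_copy_menu( $menu_id ) {
	$source = wp_get_nav_menu_object( $menu_id );
	$new_id = $source ? wp_create_nav_menu( $source->name . ' (copy)' ) : 0;
	if ( ! $new_id || is_wp_error( $new_id ) ) {
		return 0;
	}
	$id_map = array(); // old item ID => new item ID
	foreach ( wp_get_nav_menu_items( $source->term_id ) ?: array() as $item ) {
		$copied = wp_update_nav_menu_item( $new_id, 0, array(
			'menu-item-title'     => $item->title,
			'menu-item-url'       => $item->url,
			'menu-item-type'      => $item->type,
			'menu-item-object'    => $item->object,
			'menu-item-object-id' => $item->object_id,
			'menu-item-parent-id' => $id_map[ $item->menu_item_parent ] ?? 0,
			'menu-item-status'    => 'publish',
		) );
		if ( ! is_wp_error( $copied ) ) {
			$id_map[ $item->ID ] = $copied;
		}
	}
	return $new_id;
}
```

The form that submits to this handler would need to emit the matching nonce with `wp_nonce_field( 'example_duplicate_menu', 'example_nonce' )`.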