Description
Missing Authorization vulnerability in Galaxy Weblinks WP Clone any post type wp-clone-any-post-type allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Clone any post type: from n/a through <= 3.6.
Published: 2025-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Galaxy Weblinks WP Clone any post type plugin does not perform proper authorization checks when executing its clone feature, allowing an attacker to duplicate any post type. The vulnerability is classified as CWE-862, indicating a failure to enforce correct permissions. Based on the description, it is inferred that an attacker must be authenticated with a role that has access to the plugin’s interface, but does not need elevated administrator privileges to exploit the flaw.

Affected Systems

All installations of the WP Clone any post type plugin at versions 3.6 or earlier are affected, regardless of the specific patch level or WordPress configuration. Sites that have not applied the official fix are at risk of having their content unintentionally duplicated or exposed.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the moderate range. The EPSS score of less than 1% suggests that exploitation activity is currently low and no public exploit code has been observed. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by accessing the plugin’s clone functionality as a user with sufficient privileges to reach the interface; based on the description, it is inferred that any authenticated user who can call the cloning endpoint may succeed.

Generated by OpenCVE AI on May 2, 2026 at 02:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Clone any post type plugin to the newest version available (beyond 3.6).
  • In the plugin settings, restrict access to the clone feature to administrative or editor roles only.
  • If an update cannot be applied immediately, disable the clone functionality or remove the plugin from the site to eliminate the vulnerability.

Generated by OpenCVE AI on May 2, 2026 at 02:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9155 Missing Authorization vulnerability in Galaxy Weblinks WP Clone any post type allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Clone any post type: from n/a through 3.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Galaxy Weblinks WP Clone any post type allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Clone any post type: from n/a through 3.4. Missing Authorization vulnerability in Galaxy Weblinks WP Clone any post type wp-clone-any-post-type allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Clone any post type: from n/a through <= 3.6.
Title WordPress WP Clone any post type Plugin <= 3.4 - Broken Access Control vulnerability WordPress WP Clone any post type Plugin <= 3.6 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Galaxy Weblinks WP Clone any post type allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Clone any post type: from n/a through 3.4.
Title WordPress WP Clone any post type Plugin <= 3.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.859Z

Reserved: 2025-04-01T13:21:14.641Z

Link: CVE-2025-31872

cve-icon Vulnrichment

Updated: 2025-04-01T15:47:51.526Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:29.580

Modified: 2026-04-23T15:28:27.620

Link: CVE-2025-31872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses