The Yoast Duplicate Post plugin for WordPress contains missing capability checks in the clone_bulk_action_handler() and republish_request() functions in all versions up to and including 4.5. The flaw, identified as CWE-862 (Missing Authorization), allows authenticated users with Contributor-level access or higher to duplicate any post—private, draft, or trashed—without restriction. Users with Author-level permissions can additionally use the Rewrite & Republish feature to overwrite any published post with their own content. This grants the attacker the ability to alter site content, potentially compromising the integrity and confidentiality of posts hosted on the site.

Any WordPress installation that has the Yoast Duplicate Post plugin installed at version 4.5 or earlier is affected. The plugin is developed by Yoast and is distributed through the WordPress plugin repository. Sites running newer versions of the plugin are not affected.

The vulnerability has a CVSS score of 5.4, placing it in the moderate risk range. No EPSS score is available, so the real‑world likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires authentication; an attacker must log into the site and possess at least Contributor-level access to duplicate a post, and at least Author-level access to overwrite a post. Once authenticated, the missing authorization check allows the attacker to perform the actions without further approval.