Description
The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.
Published: 2026-02-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via arbitrary file upload by authenticated users
Action: Immediate patch
AI Analysis

Impact

The WP Duplicate plugin contains a missing authorization check on the process_add_site AJAX action, coupled with path traversal in the file upload routine. An authenticated user with subscriber privileges can set an internal option, prod_key_random_id, which an unauthenticated attacker can later use to bypass permission checks and write arbitrary files through handle_upload_single_big_file(). This flaw can be leveraged to upload malicious code, resulting in remote code execution on the host system.

Affected Systems

The vulnerability affects the WordPress plugin WP Duplicate, developed by revmakx, in all releases up to and including 1.1.8. No specific internal plugin revisions were listed, so any installation of the affected versions is considered exposed.

Risk and Exploitability

The CVSS base score is 8.8, classifying it as high severity. The EPSS value is less than 1%, suggesting a low probability of exploitation at the time of this analysis, and the flaw is not listed in the CISA KEV catalog. The attack requires an authenticated subscriber account, but once the internal option is set, an unauthenticated attacker can complete the file upload, making the attack path relatively straightforward for an insider or compromised user. Officials have not provided an official workaround, and no exploit code has been reported yet.

Generated by OpenCVE AI on April 15, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Duplicate to version 1.1.9 or later that includes proper capability checks on the process_add_site AJAX action, addressing the CWE‑862 flaw.
  • If upgrading is not possible, remove or block the process_add_site AJAX endpoint in the plugin code, ensuring that only users with sufficient capabilities can invoke it, thereby mitigating the missing authorization issue.
  • Enforce strict server‑side validation of uploaded file names and paths, and configure the WordPress file upload mechanism to limit uploads to safe directories, preventing the arbitrary file write that exploits the CWE‑862 vulnerability.

Generated by OpenCVE AI on April 15, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 06 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.
Title WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T15:12:22.866Z

Reserved: 2026-01-27T17:54:40.763Z

Link: CVE-2026-1499

cve-icon Vulnrichment

Updated: 2026-02-06T17:10:52.422Z

cve-icon NVD

Status : Deferred

Published: 2026-02-06T09:15:48.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses