Impact
The WP Quick Post Duplicator plugin is missing an authorization check, which allows an attacker to invoke privileged functions without proper authentication. The flaw is rooted in incorrectly configured security levels and is identified as an authorization bypass (CWE-862). By exploiting it, an attacker could create, modify or delete posts, or perform any other action that the plugin's privileged functions permit, potentially compromising the integrity of the WordPress site.
Affected Systems
The issue affects the WP Quick Post Duplicator plugin developed by Arul Prasad J, specifically all releases from the first version through version 2.1. WordPress sites that have any of these versions installed and enabled are vulnerable until the plugin is removed, disabled or updated to a non-affected release.
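A defender's check for the affected range above, as an added example that is not part of the advisory or of the plugin's code: it scans a `wp-content/plugins` directory for the plugin by its header name and flags any version up to 2.1. The folder names and the 2.2 version used in the demo are constructed sample values.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "WP Quick Post Duplicator"  # name as given in the advisory
LAST_AFFECTED = (2, 1)                    # advisory: all releases through 2.1
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def read_header(php_file):
    """Return the 'plugin name' and 'version' header fields of a plugin file."""
    head = php_file.read_text(errors="replace")[:8192]  # header sits at the top
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value)
    return fields

def is_affected(version):
    """True when the version is at or below 2.1 (2.1.0 counts, 2.1.1 does not)."""
    v = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)

def find_affected(plugins_dir):
    """List (relative path, version) for affected installs under plugins_dir."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        version = header.get("version", "")
        if not version or is_affected(version):  # unknown version: flag it
            hits.append((php.relative_to(plugins_dir).as_posix(),
                         version or "unknown"))
    return hits

def demo():
    """Run the scan over a constructed sample tree (all names are made up)."""
    samples = [("dup-old", PLUGIN_NAME, "2.1"), ("dup-new", PLUGIN_NAME, "2.2"),
               ("other", "Some Other Plugin", "1.0")]
    with tempfile.TemporaryDirectory() as root:
        for folder, name, ver in samples:
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return find_affected(root)

if __name__ == "__main__":
    print(demo())
```

Point `find_affected` at a site's real plugins directory to use it; a hit means the plugin should be removed, disabled or updated as described above.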
Risk and Exploitability
The flaw carries a CVSS score of 4.3, indicating moderate impact, and an EPSS score of less than 1%, meaning the likelihood of exploitation at this time is low. The vulnerability is not listed in CISA's KEV catalog. The description implies that any user who can reach the plugin's endpoints (potentially unauthenticated visitors or users with minimal WordPress permissions) could exploit the flaw. No special prerequisites beyond regular connectivity to the website are required; the attack is inferred to involve sending crafted HTTP requests to the plugin. The risk thus rests primarily on the existence of this endpoint and the lack of access controls rather than on high-privilege conditions.