Impact
Yoast Duplicate Post through version 4.6 contains a cross-site request forgery vulnerability in its duplicate_post_dismiss_notice handler. The handler performs neither a nonce check nor a capability check, so an attacker can trigger it by luring any logged-in user into visiting a crafted URL: the victim's browser attaches the WordPress session cookies automatically and the request is processed as that user. When invoked, the handler sets the duplicate_post_show_notice site option, which suppresses the plugin's administrative notices network-wide. Because those notices can carry update and configuration warnings, the attacker can hide that information from site administrators. The effect is a denial of service against the plugin's alerting rather than a direct compromise of data, but it can mask conditions an administrator would otherwise act on.
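The following is an illustrative WordPress AJAX handler pair written for this page; it is not the Yoast Duplicate Post plugin's own code and does not claim to reproduce the vendor's fix. Only the handler name duplicate_post_dismiss_notice and the option name duplicate_post_show_notice come from the advisory. Everything else is assumed: that the handler is registered through the wp_ajax_{action} hook and reached via admin-ajax.php, the nonce action string, the manage_options capability, and the example_ function names.

```php
<?php
/**
 * Added example for this page, not the plugin's code.
 *
 * Assumptions not stated by the advisory:
 *  - the handler hangs off WordPress's wp_ajax_{action} hook, so it is
 *    reached at admin-ajax.php?action=duplicate_post_dismiss_notice and
 *    only fires for logged-in users;
 *  - the nonce action 'duplicate_post_dismiss_notice' and the capability
 *    'manage_options' are choices made for this example.
 */

// --- The vulnerable shape the advisory describes -------------------------
// Not hooked here on purpose. Any logged-in browser session that issues the
// request flips the option; a cross-site page can make the browser do that
// without the user intending it, because nothing ties the request to a page
// this site rendered and nothing checks who the user is.
function example_dismiss_notice_vulnerable() {
    update_site_option( 'duplicate_post_show_notice', 0 );
    wp_die();
}

// --- Hardened handler ------------------------------------------------------
function example_dismiss_notice_hardened() {
    // 1. Anti-CSRF: check_ajax_referer() validates the nonce carried in
    //    $_REQUEST['_ajax_nonce'] against the action string and, on failure,
    //    terminates the request with HTTP 403. A page on another origin
    //    cannot read the nonce, so it cannot forge a passing request.
    check_ajax_referer( 'duplicate_post_dismiss_notice', '_ajax_nonce' );

    // 2. Authorization: only users allowed to administer the site may
    //    silence its administrative notices.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. State changes should not be reachable by GET, which closes the
    //    <img src=...> and plain-link delivery paths even if a nonce leaks.
    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( array( 'message' => 'POST required' ), 405 );
    }

    update_site_option( 'duplicate_post_show_notice', 0 );
    wp_send_json_success();
}
add_action( 'wp_ajax_duplicate_post_dismiss_notice', 'example_dismiss_notice_hardened' );

// --- Rendering the notice with a nonce-bearing dismiss form ----------------
// The form is the only legitimate source of the nonce; wp_nonce_field()
// emits the hidden _ajax_nonce input that check_ajax_referer() expects.
function example_render_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-info"><p>Example notice text.</p>';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="duplicate_post_dismiss_notice">';
    wp_nonce_field( 'duplicate_post_dismiss_notice', '_ajax_nonce' );
    submit_button( 'Dismiss', 'secondary', 'submit', false );
    echo '</form></div>';
}
add_action( 'admin_notices', 'example_render_notice' );
```

A quick check when auditing a plugin for this class of bug: for every wp_ajax_ or admin_post_ callback that writes an option or post, confirm it calls check_ajax_referer()/check_admin_referer() (or wp_verify_nonce()) and current_user_can() before the write. A nonce alone is not authorization, and a capability check alone does not stop CSRF; both are needed.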
Affected Systems
This issue affects any WordPress installation running the Yoast Duplicate Post plugin at version 4.6 or earlier, regardless of where the plugin was obtained; the affected releases include those distributed through the WordPress plugin repository. Administrators who rely on the plugin's notices for maintenance or update information remain exposed until they move to a release later than 4.6.
Risk and Exploitability
The CVSS score for this flaw is 5.1, indicating moderate severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, so there is no public indication of widespread exploitation. Exploitation nonetheless needs nothing beyond a standard browser: the attacker requires no account of their own and only has to get an authenticated user to load a page or link that issues a GET or POST request to the duplicate_post_dismiss_notice endpoint. Because the handler verifies no nonce, the session cookies the victim's browser attaches automatically are enough for the request to be processed. A single forged request suffices, so the effort to exploit is low, and the impact, the silencing of administrative alerts, warrants prompt mitigation by updating the plugin.
OpenCVE Enrichment