What the vulnerability does
01Description
The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.
Explanation of Vulnerability in Simple Terms
02Summary
WP Duplicate Page versions 1.7 and earlier lack proper authorization checks, allowing authenticated users with low privileges to read sensitive data they should not access. An attacker with a standard WordPress account can view confidential information without additional interaction. Update to a version newer than 1.7 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the site that their account level should not permit.
Potential impact on your site
04Site Impact
Any registered user can access confidential information, risking data exposure and privacy violations.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor).
Key dates
06Disclosure timeline
November 18, 2025
CVE published
April 8, 2026
Record updated
