What the vulnerability does
01 Description
The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure.
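The kind of per-object authorization check the description says is missing, shown as an added example. This is not the atec plugin's code, which does not appear on this page; the action name, nonce name and function name are hypothetical, and only WordPress core functions are called.

```php
<?php
// Illustrative handler only; NOT the atec plugin's duplicate_post().
// Hypothetical names: action 'example_duplicate_post', nonce 'example_duplicate_<id>'.

add_action( 'admin_action_example_duplicate_post', 'example_duplicate_post_handler' );

function example_duplicate_post_handler() {
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;

    // 1. CSRF protection: the nonce is bound to this specific post ID.
    check_admin_referer( 'example_duplicate_' . $post_id );

    $source = $post_id ? get_post( $post_id ) : null;
    if ( ! $source ) {
        wp_die( 'Post not found.', '', array( 'response' => 404 ) );
    }

    // 2. Authorization on the SOURCE post. The 'edit_post' meta capability is
    //    resolved per object, so a Contributor fails it for other users'
    //    posts, including private and password-protected ones.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to duplicate this post.', '', array( 'response' => 403 ) );
    }

    // 3. Authorization to create content of this post type at all.
    $type = get_post_type_object( $source->post_type );
    if ( ! $type || ! current_user_can( $type->cap->edit_posts ) ) {
        wp_die( 'You are not allowed to create this type of content.', '', array( 'response' => 403 ) );
    }

    // The copy is always a draft owned by the requesting user.
    $new_id = wp_insert_post(
        wp_slash(
            array(
                'post_title'   => $source->post_title . ' (copy)',
                'post_content' => $source->post_content,
                'post_excerpt' => $source->post_excerpt,
                'post_type'    => $source->post_type,
                'post_status'  => 'draft',
                'post_author'  => get_current_user_id(),
            )
        ),
        true
    );
    if ( is_wp_error( $new_id ) ) {
        wp_die( $new_id );
    }
    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
```

Checking a role-wide capability such as `edit_posts` alone would not be enough here, because Contributors hold it; the decision has to be made against the specific post being copied.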
Explanation of Vulnerability in Simple Terms
02 Summary
The atec Duplicate Page & Post plugin for WordPress does not properly check user permissions before allowing access to its duplication functionality. An unauthenticated attacker can read sensitive page and post data by duplicating content without authorization. This affects versions 1.2.20 and earlier. Update to a version newer than 1.2.20.
What an attacker can do
03 Attacker Capabilities
Read sensitive page and post content without logging in.
Potential impact on your site
04 Site Impact
Unauthorized users can view and duplicate your pages and posts, exposing private or draft content.
Conditions required to exploit
05 Prerequisites
Network access to the WordPress site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 25, 2025: CVE published
April 8, 2026: Record updated