What the vulnerability does
01 Description
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders.
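The missing check described above, shown in its corrected form as an added example. This is not the plugin's code: the option name `example_dup_allowed_roles`, the action `example_duplicate` and both function names are hypothetical. It covers the posts list only; an HPOS orders handler needs the same two checks against the order objects.

```php
<?php
// Added illustration, not the WP Duplicate Page source. The option name,
// action name and function names below are hypothetical.

/** True when the current user holds at least one role on the configured allow-list. */
function example_dup_role_allowed(): bool {
    $allowed = (array) get_option( 'example_dup_allowed_roles', array( 'administrator' ) );
    $user    = wp_get_current_user();
    return $user->exists() && (bool) array_intersect( $allowed, (array) $user->roles );
}

/** Bulk-action handler that enforces the allow-list and per-object capabilities. */
function example_dup_bulk_handle( $redirect_url, $action, $post_ids ) {
    if ( 'example_duplicate' !== $action ) {
        return $redirect_url;
    }
    // Check 1: enforce the role allow-list where the action executes,
    // not only where the row link or bulk menu entry is rendered.
    if ( ! example_dup_role_allowed() ) {
        wp_die( esc_html__( 'You are not allowed to duplicate content.', 'example' ), '', array( 'response' => 403 ) );
    }
    $done = 0;
    foreach ( array_map( 'absint', (array) $post_ids ) as $post_id ) {
        $post = get_post( $post_id );
        // Check 2: per-object capability, so a Contributor cannot copy a post
        // they are not permitted to edit.
        if ( ! $post || ! current_user_can( 'edit_post', $post_id ) ) {
            continue;
        }
        // wp_insert_post() expects slashed input.
        $new_id = wp_insert_post( wp_slash( array(
            'post_type'    => $post->post_type,
            'post_title'   => $post->post_title,
            'post_content' => $post->post_content,
            'post_status'  => 'draft',
            'post_author'  => get_current_user_id(),
        ) ), true );
        if ( ! is_wp_error( $new_id ) ) {
            $done++;
        }
    }
    return add_query_arg( 'example_duplicated', $done, $redirect_url );
}
add_filter( 'handle_bulk_actions-edit-post', 'example_dup_bulk_handle', 10, 3 );
```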
Explanation of Vulnerability in Simple Terms
02 Summary
WP Duplicate Page versions 1.8 and earlier lack proper authorization checks, allowing authenticated users with low privileges to read and modify content they should not access. An attacker with a basic WordPress account can view or alter other users' duplicated pages without restriction. Update to a version newer than 1.8 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read and modify other users' duplicated pages without authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter sensitive page content, risking data exposure and site integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., Contributor or Subscriber).
Key dates
06 Disclosure timeline
January 13, 2026: CVE published
April 8, 2026: Record updated