Atec Duplicate Page and Post WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Post Duplication

Vulnerability

A vulnerability exists in the Atec Duplicate Page & Post plugin for WordPress, specifically in versions through 1.2.20. The issue arises from a lack of proper authorization validation in the 'duplicate_post()' function, allowing authenticated attackers with Contributor-level access or higher to duplicate any post. This includes private and password-protected posts, resulting in unauthorized data exposure.

Impact

Exploitation of this vulnerability allows for unauthorized duplication of posts, including those that are private or password-protected, leading to unintended data exposure.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the 'Atec Duplicate Page & Post' plugin to duplicate posts. The vulnerability can be exploited by selecting the 'duplicate' action for any post, including private and password-protected ones, without the necessary authorization checks.

Remediation

Users are advised to update the Atec Duplicate Page & Post plugin to version 1.2.21 or a newer patched version.

Added: Nov 25, 2025, 8:28 AM
Updated: Nov 25, 2025, 8:28 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.3
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.