WP Duplicate Page Missing Authorization Vulnerability in WordPress Plugin

Vulnerability

A vulnerability exists in the WP Duplicate Page plugin for WordPress, in all versions through 1.8, allowing unauthorized data modification. The issue arises from inadequate capability checks in the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions. This flaw enables authenticated attackers with Contributor-level access and above to duplicate any posts, pages, or WooCommerce HPOS orders, regardless of their role's exclusion from the plugin's 'Allowed User Roles' setting. Such exploitation could reveal sensitive information and result in the unauthorized fulfillment of WooCommerce orders.

Impact

Exploitation of this vulnerability could lead to unauthorized duplication of posts, pages, and WooCommerce HPOS orders, potentially exposing sensitive information and allowing for duplicate fulfillment of WooCommerce orders.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can initiate a bulk action to duplicate posts or pages. The vulnerability can also be reproduced by duplicating WooCommerce HPOS orders, taking advantage of the same missing authorization checks.

Remediation

Users are advised to update the WP Duplicate Page plugin to version 1.8.1 or a newer patched version.
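
The kind of server-side check the advisory describes as missing, sketched as an added example in PHP (this is not the plugin's code or its 1.8.1 patch): a bulk-action handler that enforces an allowed-roles setting and a per-post capability before copying anything. The option name `example_dup_allowed_roles`, the action name `example_duplicate` and the `example_dup_*` functions are assumptions made for illustration. A handler for WooCommerce HPOS orders needs the same two gates.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from WP Duplicate Page.
// 'example_dup_allowed_roles', 'example_duplicate' and example_dup_* are assumed names.

/** True only if the current user's role is in the plugin's allowed-roles setting. */
function example_dup_role_allowed(): bool {
    $allowed = (array) get_option( 'example_dup_allowed_roles', array( 'administrator' ) );
    $user    = wp_get_current_user();
    return $user->exists() && (bool) array_intersect( $allowed, (array) $user->roles );
}

/** Bulk "duplicate" handler that re-checks authorization before doing any work. */
function example_dup_bulk_handle( $redirect_to, $action, $post_ids ) {
    if ( 'example_duplicate' !== $action ) {
        return $redirect_to;
    }
    // Role gate: enforce the allowed-roles setting inside the handler itself.
    if ( ! example_dup_role_allowed() ) {
        wp_die( 'You are not allowed to duplicate content.', '', array( 'response' => 403 ) );
    }
    $done = 0;
    foreach ( array_map( 'absint', (array) $post_ids ) as $post_id ) {
        // Object-level gate: skip anything this user could not edit anyway.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            continue;
        }
        $source = get_post( $post_id );
        if ( ! $source ) {
            continue;
        }
        // wp_insert_post() expects slashed input; copies always start as drafts.
        $copy = wp_insert_post( wp_slash( array(
            'post_type'    => $source->post_type,
            'post_title'   => $source->post_title,
            'post_content' => $source->post_content,
            'post_status'  => 'draft',
            'post_author'  => get_current_user_id(),
        ) ), true );
        if ( ! is_wp_error( $copy ) ) {
            $done++;
        }
    }
    return add_query_arg( 'example_duplicated', $done, $redirect_to );
}
add_filter( 'handle_bulk_actions-edit-post', 'example_dup_bulk_handle', 10, 3 );
add_filter( 'handle_bulk_actions-edit-page', 'example_dup_bulk_handle', 10, 3 );
```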

Added: Jan 13, 2026, 12:27 PM
Updated: Jan 13, 2026, 2:42 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.