Metaphor Creations Post Duplicator
cpe:2.3:a:metaphorcreations:post_duplicator:*:*:*:*:wordpress:*:*
- <= 3.0.8
A vulnerability exists in the Post Duplicator plugin for WordPress, affecting all versions through 3.0.8. The 'duplicate_post()' function in 'includes/api.php' writes directly to the 'wp_postmeta' table with '$wpdb->insert()'. This bypasses WordPress's standard 'add_post_meta()' function, which is designed to prevent lower-privileged users from modifying protected meta keys (those starting with '_'). As a result, authenticated attackers with Contributor-level access or higher can inject arbitrary protected post meta keys, such as '_wp_page_template' and '_wp_attached_file', into duplicated posts. The injection is performed via the 'customMetaData' JSON array parameter of the '/wp-json/post-duplicator/v1/duplicate-post' REST API endpoint.
Exploitation of this vulnerability allows for unauthorized insertion of protected post meta, which could lead to manipulation of post data or functionality that relies on this meta information.
To reproduce this vulnerability, an authenticated user with Contributor-level access can send a POST request to the '/wp-json/post-duplicator/v1/duplicate-post' endpoint. The request must include the 'customMetaData' parameter with the desired protected meta keys. This will result in the specified meta keys being injected into a duplicated post, bypassing the usual restrictions on modifying protected meta.
Users are advised to update the Post Duplicator plugin to version 3.0.9 or later, where this vulnerability has been patched.
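The following added example (not the plugin's code and not the 3.0.9 patch) shows the hardened pattern the description implies: route each requested key through a capability check and the meta API instead of a raw '$wpdb->insert()'. The function name and the 'key'/'value' shape of each 'customMetaData' entry are assumptions made for illustration.

```php
<?php
/**
 * Added example, not taken from Post Duplicator.
 * Assumption: each customMetaData entry is an array with 'key' and 'value'.
 */

// Pattern described in the advisory: a raw insert applies no key checks at all.
// $wpdb->insert( $wpdb->postmeta, array(
//     'post_id' => $id, 'meta_key' => $key, 'meta_value' => $value,
// ) );

/**
 * Copy caller-supplied meta onto a duplicated post, refusing any key the
 * current user is not allowed to write. Returns the list of refused keys
 * so the caller can log or report them.
 */
function example_copy_custom_meta( int $new_post_id, array $custom_meta ): array {
	$refused = array();

	foreach ( $custom_meta as $entry ) {
		// Ignore malformed entries rather than guessing at their meaning.
		if ( ! is_array( $entry ) || ! isset( $entry['key'] ) || ! is_string( $entry['key'] ) ) {
			continue;
		}

		$key   = $entry['key'];
		$value = $entry['value'] ?? '';

		// 'edit_post_meta' is a meta capability: WordPress first requires that
		// the user can edit the post, then denies protected keys (leading '_')
		// unless an auth callback registered for the key grants access.
		if ( ! current_user_can( 'edit_post_meta', $new_post_id, $key ) ) {
			$refused[] = $key;
			continue;
		}

		// The meta API unslashes its input, so slash first; it also handles
		// serialization of array values.
		add_post_meta( $new_post_id, wp_slash( $key ), wp_slash( $value ) );
	}

	return $refused;
}
```

A non-empty return value is worth logging: a Contributor-level account requesting keys such as '_wp_page_template' on a duplicate is the behaviour this advisory describes.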