WP Duplicate Page < 1.8 – Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure | CVE 2025-12481 | Plugin Vulnerabilities

Description

The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.

Affects Plugins

wp-duplicate-page

Fixed in 1.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/61105f6a-1bd7-415d-9481-a1c2c310f778

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada)

Verified

No

WPVDB ID

a2de184b-5b2f-4556-afb2-0053c3d84eb6

Timeline

Publicly Published

2025-11-17 (about 5 months ago)

Added

2025-11-17 (about 5 months ago)

Last Updated

2025-11-18 (about 5 months ago)

Other

Published

Title

Published

2022-11-01

Title

WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Deletion

Published

2025-03-17

Title

Logo Slider < 3.7.4 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-12-11

Title

CoSchool LMS <= 1.4.3 - Missing Authorization to Privilege Escalation

Published

2025-06-19

Title

Cookie-Script.com < 1.2.2 - Missing Authorization

Published

2022-01-24

Title

Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS