WordPress Plugin Vulnerabilities

Duplicate Post Page Menu & Custom Post Type < 2.4.0 - Subscriber+ Post Duplication

Description

The plugin is vulnerable to unauthorized page and post duplication due to a missing capability check on the duplicate_ppmc_post_as_draft function in versions up to, and including, 2.3.1. This makes it possible for authenticated attackers with subscriber access or higher to duplicate posts and pages.

Affects Plugins

Plugin icon
duplicate-post-page-menu-custom-post-type
Fixed in 2.4.0

References

CVE
CVE-2023-4792

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
ad52fc51-4ee2-4a74-b3f2-e6cc89822ccb

Timeline

Publicly Published
2023-09-06 (about 2 years ago)
Added
2023-09-07 (about 2 years ago)
Last Updated
2023-09-07 (about 2 years ago)

Other

Published
Title
Published
2025-12-18
Title
Adminify < 4.0.7 - Missing Authorization
Published
2023-08-09
Title
User Activity Log < 1.6.6 - Subscriber+ Log Export
Published
2025-03-27
Title
Cool Author Box < 3.0.0 - Missing Authorization
Published
2022-11-28
Title
WP Shamsi < 4.1.1 - Unauthenticated Arbitrary Plugin Deactivation
Published
2024-06-20
Title
WishList Member X < 3.26.7 - Missing Authorization to Stored Cross-Site Scripting