WordPress Plugin Vulnerabilities

Page Duplicator <= 0.1.1 - Missing Authorization to Unauthenticated Post/Page Duplication

Description

The Page Duplicator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_dat_page() function in all versions up to, and including, 0.1.1. This makes it possible for unauthenticated attackers to duplicate arbitrary posts and pages.

Affects Plugins

Plugin icon
wp-page-duplicator
No known fix

References

CVE
CVE-2024-1368
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bcc10e91-4810-4a0d-919c-de3e87137f76

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
c19aa576-413e-4e36-a2ba-b7d3efa6e73e

Timeline

Publicly Published
2024-02-27 (about 2 years ago)
Added
2024-02-27 (about 2 years ago)
Last Updated
2024-02-27 (about 2 years ago)

Other

Published
Title
Published
2025-09-03
Title
Frisbii Pay < 1.8.3 - Missing Authorization
Published
2025-07-28
Title
Brizy < 2.6.21 - Missing Authorization to Unauthenticated Limited File Upload
Published
2025-10-23
Title
LLM Hubspot Blog Import <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Hubspot Import
Published
2024-06-10
Title
Custom Field Template < 2.6.2 - Authenticated(Contributor+) Information Exposure
Published
2025-10-30
Title
The Events Calendar < 6.15.10 - Subscriber+ Draft Event Title/QR Code Exposure