WordPress Plugin Vulnerabilities

Duplicate Post <= 3.2.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The Duplicate Post plugin was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). However, the POST request had a CSRF nonce that was verified, and no user's without the unfiltered_html capability, such as Author or Subscriber, were able to access the affected Duplicate Post settings page. Therefore, this vulnerability would be very difficult to exploit in the real world. The risk of this issue is very low.

Affects Plugins

Plugin icon
duplicate-post
Fixed in 3.2.4

References

URL
https://packetstormsecurity.com/files/#154622/
URL
https://wordpress.org/support/topic/cross-site-scripting-xss-vulnerability-2/
URL
https://plugins.trac.wordpress.org/changeset/2208827/duplicate-post

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Unk9vvN
Verified
No
WPVDB ID
e73b1e92-153a-4f81-ade9-a55ffe603245

Timeline

Publicly Published
2019-09-26 (about 6 years ago)
Added
2019-12-19 (about 6 years ago)
Last Updated
2019-12-20 (about 6 years ago)

Other

Published
Title
Published
2025-10-10
Title
WoodMart < 8.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-09
Title
Survey Maker < 5.1.8.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-01-07
Title
WP Cookie <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-01-16
Title
Display custom fields in the frontend – Post and User Profile Fields < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via vg_display_data
Published
2025-04-01
Title
Access Areas < 1.5.20 - Reflected Cross-Site Scripting