WordPress Plugin Vulnerabilities

Delete Duplicate Posts < 4.9 - Missing Authorization via AJAX Actions

Description

The Delete Duplicate Posts plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on some of its AJAX actions in all versions up to 4.9 (exclusive). This makes it possible for authenticated attackers, with subscriber access or higher, to delete duplicate posts, access plugin logs, and opt in to Freemius data gathering.

Affects Plugins

Plugin icon
delete-duplicate-posts
Fixed in 4.9

References

CVE
CVE-2023-47754
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f603a25f-7d56-4cf4-89aa-de87ee49522a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Huynh Tien Si
Verified
No
WPVDB ID
ef73af70-f709-4cea-821c-a1ef245a9ca7

Timeline

Publicly Published
2023-11-13 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-11-12
Title
Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Export
Published
2023-09-05
Title
WP Directory Kit < 1.2.7 - Missing Authorization
Published
2025-03-27
Title
Quiz Cat < 3.0.9 - Missing Authorization
Published
2026-03-20
Title
YITH WooCommerce Wishlist < 4.13.0 - Unauthenticated Arbitrary Wishlist Renaming via IDOR
Published
2024-08-23
Title
ImageRecycle pdf & image compression < 3.1.15 - Missing Authorization in Several AJAX Actions