Post Duplicator < 2.37 – Authenticated (Contributor+) Protected Post Disclosure | CVE 2024-12472 | Plugin Vulnerabilities

Description

The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to by duplicating the post.

Affects Plugins

post-duplicator

Fixed in 2.37

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3071b2dc-9673-4e30-bd04-7404eb6a1ed9

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

ef8b069b-fa64-46c7-8b9c-ae3c51cd775c

Timeline

Publicly Published

2025-01-10 (about 1 year ago)

Added

2025-01-10 (about 1 year ago)

Last Updated

2025-01-23 (about 1 year ago)

Other

Published

Title

Published

2026-05-13

Title

MW WP Form < 5.1.3 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter

Published

2025-01-09

Title

One to one user Chat by WPGuppy < 1.1.1 - Authorization Bypass

Published

2024-12-02

Title

Client Invoicing by Sprout Invoices < 20.8.1 - Insecure Direct Object Reference

Published

2025-04-07

Title

Streamit < 4.0.3 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover

Published

2026-03-05

Title

Subscription for WooCommerce – WordPress Recurring Payments Plugin < 1.8.11 - Authenticated (Customer+) Insecure Direct Object Reference