Duplica < 0.7 – Authenticated (Subscriber+) Missing Authorization to Users/Posts Duplicates Creation | CVE 2024-5997 | Plugin Vulnerabilities

Description

The Duplica – Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_user and duplicate_post functions in all versions up to, and including, 0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create duplicates of users and posts/pages.

Affects Plugins

Fixed in 0.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/605fac87-e1e8-4354-a9d3-4440e54bc161

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

fa165af6-3732-4a95-adf2-2bebccb8114e

Timeline

Publicly Published

2024-07-18 (about 1 year ago)

Added

2024-07-18 (about 1 year ago)

Last Updated

2024-07-18 (about 1 year ago)

Other

Published

Title

Published

2025-01-15

Title

Ksher < 1.1.3 - Missing Authorization

Published

2026-02-19

Title

SmartFix < 1.2.4 - Missing Authorization

Published

2025-10-05

Title

SEO Meta Description Updater <= 1.2.0 - Missing Authorization

Published

2025-12-21

Title

Virusdie < 1.1.7 - Missing Authorization

Published

2024-12-06

Title

SMS for Lead Capture Forms <= 1.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion