PT-2026-6691 · WordPress · Wordpress+1

Athiwat Tiprasaharn · Published 2026-02-06 · Updated 2026-02-22 · CVE-2026-1499

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WP Duplicate versions up to and including 1.1.8

Description

The WP Duplicate plugin for WordPress is susceptible to a missing authorization issue, leading to arbitrary file upload. This occurs because of a missing capability check on the process_add_site() AJAX action, combined with a path traversal issue in the file upload functionality. An authenticated attacker with subscriber-level privileges can set the internal prod_key_random_id option. Subsequently, an unauthenticated attacker can utilize this to bypass authentication checks and write arbitrary files to the server using the handle_upload_single_big_file() function, potentially resulting in remote code execution. The process_add_site() AJAX action is involved in the initial stage of the attack.

Recommendations

Update WP Duplicate to version 1.1.9.
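
For plugin developers auditing their own AJAX handlers for the two flaws described above, the following added example (not WP Duplicate's code and not its 1.1.9 patch) shows a capability-gated handler and an upload path confined to one directory. The action names, option name, nonce action, target directory and extension allowlist are all hypothetical.

```php
<?php
// Added illustration: hypothetical handler, action and option names; not WP Duplicate's code.
// Register for logged-in users only; no wp_ajax_nopriv_ hook for state-changing actions.
add_action( 'wp_ajax_example_add_site', 'example_add_site' );
add_action( 'wp_ajax_example_upload_chunk', 'example_upload_chunk' );

function example_require_admin() {
    // The nonce check stops CSRF; the capability check is what stops a subscriber.
    check_ajax_referer( 'example_migration', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}

function example_add_site() {
    example_require_admin();
    // The internal key is generated server-side, and only after the capability check.
    update_option( 'example_site_key', wp_generate_password( 64, false ), false );
    wp_send_json_success();
}

function example_upload_chunk() {
    example_require_admin();
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Reduce the client-supplied name to a single safe path component.
    $name = sanitize_file_name( basename( wp_unslash( $_FILES['file']['name'] ) ) );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    // Assumed allowlist: only the archive types this hypothetical feature needs.
    if ( '' === $name || ! in_array( $ext, array( 'zip', 'sql' ), true ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }
    $uploads = wp_upload_dir();
    $base    = trailingslashit( $uploads['basedir'] ) . 'example-migration';
    wp_mkdir_p( $base );
    $base = realpath( $base );
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: the resolved parent must still be the intended directory.
    if ( false === $base || realpath( dirname( $dest ) ) !== $base ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    if ( ! move_uploaded_file( $_FILES['file']['tmp_name'], $dest ) ) {
        wp_send_json_error( 'write failed', 500 );
    }
    wp_send_json_success();
}
```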

Fix

RCE

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-1499

Affected Products

WP Duplicate
WordPress