CVE-2026-1217

Name of the Vulnerable Software and Affected Versions Yoast Duplicate Post plugin for WordPress versions prior to 4.6

Description The Yoast Duplicate Post plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to a missing capability check in the clone bulk action handler() and republish request() functions. Authenticated attackers with Contributor-level access or higher can duplicate any post, including those marked as private, draft, or trashed, even if they should not have access. Attackers with Author-level access or higher can use the Rewrite & Republish feature to overwrite any published post with their own content.

Recommendations Update to version 4.6 or later. As a temporary workaround, restrict user roles to the minimum necessary permissions.