{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13404", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T14:03:17.383Z", "datePublished": "2025-11-25T07:28:23.547Z", "dateUpdated": "2026-04-08T17:13:42.190Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:42.190Z"}, "affected": [{"vendor": "docjojo", "product": "atec Duplicate Page & Post", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.20", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure."}], "title": "atec Duplicate Page & Post <= 1.2.20 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a793b24f-979e-4209-93f7-cff8d3867a7d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.20/includes/atec-wpdpp-hooks.php#L27"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.21/includes/atec-wpdpp-hooks.php#L27"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-11-24T19:06:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:54:12.272749Z", "id": "CVE-2025-13404", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:54:29.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13404", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:54:12.272749Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:54:15.946Z"}}], "cna": {"title": "atec Duplicate Page & Post <= 1.2.20 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "docjojo", "product": "atec Duplicate Page & Post", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.20"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:06:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a793b24f-979e-4209-93f7-cff8d3867a7d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.20/includes/atec-wpdpp-hooks.php#L27"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.21/includes/atec-wpdpp-hooks.php#L27"}], "descriptions": [{"lang": "en", "value": "The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:42.190Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13404", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:42.190Z", "dateReserved": "2025-11-19T14:03:17.383Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:23.547Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure."}], "id": "CVE-2025-13404", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:51.187", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.20/includes/atec-wpdpp-hooks.php#L27"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.21/includes/atec-wpdpp-hooks.php#L27"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a793b24f-979e-4209-93f7-cff8d3867a7d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:24:49.775200+00:00", "value": {"mitigation_remediation": ["Update the atec Duplicate Page & Post plugin to the current release (\u22651.2.21) where the authorization check has been restored.", "If an immediate upgrade is not possible, remove or disable the duplicate_page_post functionality for all Contributor and higher roles, for example by setting \u201cedit_posts\u201d capability to false for those roles or by customizing the plugin to enforce a stricter role check.", "Audit all Contributor and Editor level users to ensure only trusted individuals have those roles, and restrict private or password protected post creation to Administrators."], "summary": {"action": "Upgrade", "impact": "Data Exposure through Unauthorized Post Duplication"}, "threat_synthesis": {"affected_systems": "All installations of the atec Duplicate Page & Post plugin for WordPress that are running version 1.2.20 or earlier are impacted. Users should verify their current plugin version and, if within this range, understand that any Contributor\u2011level account can trigger the duplication process.", "description_and_impact": "The atec Duplicate Page & Post WordPress plugin contains a missing authorization check in its duplicate_post() function for all releases up to version 1.2.20. This flaw permits authenticated users with Contributor or higher privileges to duplicate any existing post, including those marked private or password protected. The resulting duplicate posts are accessible to the same audiences as the originals, leading to unintended disclosure of protected content. The weakness corresponds to improper access control (CWE-862).", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, reflecting moderate severity, and an EPSS score of less than 1%, indicating a low exploitation likelihood at present. The description specifies that only authenticated users with the Contributor role or higher are needed to trigger the flaw; thus, the attack vector is presumptively internal, relying on legitimate role assignment. It is inferred that the duplication operation is exposed through a public endpoint, yet lacks role checks for versions up to 1.2.20. Because the fault is not listed in CISA KEV, moderate severity and low exploitation probability still recommend vigilance for sites handling sensitive content."}}}}, "created": "2025-11-27T09:45:57.672402+00:00", "updated": "2026-04-22T00:30:04.051785+00:00", "vendors": ["atec", "atec$PRODUCT$duplicate_page_post", "wordpress", "wordpress$PRODUCT$wordpress"]}