{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1217", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-19T22:11:13.075Z", "datePublished": "2026-03-18T09:28:28.758Z", "dateUpdated": "2026-04-08T16:33:31.708Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:31.708Z"}, "affected": [{"vendor": "yoast", "product": "Yoast Duplicate Post", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content."}], "title": "Yoast Duplicate Post <= 4.5 - Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05f175e6-08a9-4199-948c-5bd8b3caaa39?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/handlers/bulk-handler.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/post-republisher.php#L128"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2026-01-07T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-17T20:54:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:23:06.267298Z", "id": "CVE-2026-1217", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:23:18.924Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1217", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T14:23:06.267298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:23:15.499Z"}}], "cna": {"title": "Yoast Duplicate Post <= 4.5 - Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "yoast", "product": "Yoast Duplicate Post", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-07T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-17T20:54:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05f175e6-08a9-4199-948c-5bd8b3caaa39?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/handlers/bulk-handler.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/post-republisher.php#L128"}], "descriptions": [{"lang": "en", "value": "The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-18T09:28:28.758Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1217", "state": "PUBLISHED", "dateUpdated": "2026-03-18T14:23:18.924Z", "dateReserved": "2026-01-19T22:11:13.075Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-18T09:28:28.758Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content."}, {"lang": "es", "value": "El plugin Yoast Duplicate Post para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en las funciones clone_bulk_action_handler() y republish_request() en todas las versiones hasta la 4.5, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, dupliquen cualquier entrada en el sitio, incluyendo entradas privadas, borradores y entradas en la papelera a las que no deber\u00edan tener acceso. Adem\u00e1s, los atacantes con acceso de nivel Autor y superior pueden usar la funci\u00f3n 'Reescribir y Republicar' para sobrescribir cualquier entrada publicada con su propio contenido."}], "id": "CVE-2026-1217", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-18T10:16:23.960", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/handlers/bulk-handler.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/post-republisher.php#L128"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05f175e6-08a9-4199-948c-5bd8b3caaa39?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Yoast Duplicate Post", "source": "cna", "vendor": "yoast"}, "product": "yoast_duplicate_post", "vendor": "yoast"}], "analysis": {"en": {"generated_at": "2026-03-18T10:51:06.238417+00:00", "value": {"mitigation_remediation": ["Upgrade Yoast Duplicate Post to the latest version that addresses this issue (any version newer than 4.5).", "If an upgrade cannot be performed immediately, disable or uninstall the Yoast Duplicate Post plugin to eliminate the attack surface."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Post Duplication & Overwrite"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that has the Yoast Duplicate Post plugin installed at version 4.5 or earlier is affected. The plugin is developed by Yoast and is distributed through the WordPress plugin repository. Sites running newer versions of the plugin are not affected.", "description_and_impact": "The Yoast Duplicate Post plugin for WordPress contains missing capability checks in the clone_bulk_action_handler() and republish_request() functions in all versions up to and including 4.5. The flaw, identified as CWE-862 (Missing Authorization), allows authenticated users with Contributor-level access or higher to duplicate any post\u2014private, draft, or trashed\u2014without restriction. Users with Author-level permissions can additionally use the Rewrite & Republish feature to overwrite any published post with their own content. This grants the attacker the ability to alter site content, potentially compromising the integrity and confidentiality of posts hosted on the site.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.4, placing it in the moderate risk range. No EPSS score is available, so the real\u2011world likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires authentication; an attacker must log into the site and possess at least Contributor-level access to duplicate a post, and at least Author-level access to overwrite a post. Once authenticated, the missing authorization check allows the attacker to perform the actions without further approval."}}}}, "created": "2026-03-18T12:12:49.615013+00:00", "updated": "2026-03-24T10:59:03.862019+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yoast", "yoast$PRODUCT$yoast_duplicate_post"]}