{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1499", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-27T17:54:40.763Z", "datePublished": "2026-02-06T08:25:25.712Z", "dateUpdated": "2026-04-14T15:12:22.866Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:16.704Z"}, "affected": [{"vendor": "revmakx", "product": "WP Duplicate \u2013 WordPress Migration Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution."}], "title": "WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-01-30T11:21:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-05T19:59:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:12:17.995769Z", "id": "CVE-2026-1499", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:12:22.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1499", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:12:17.995769Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:10:52.422Z"}}], "cna": {"title": "WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "revmakx", "product": "WP Duplicate \u2013 WordPress Migration Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-30T11:21:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-05T19:59:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843"}, {"url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:16.704Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1499", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:12:22.866Z", "dateReserved": "2026-01-27T17:54:40.763Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-06T08:25:25.712Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution."}, {"lang": "es", "value": "El plugin WP Duplicate para WordPress es vulnerable a una Autorizaci\u00f3n Faltante que lleva a una Carga Arbitraria de Archivos en todas las versiones hasta la 1.1.8 inclusive. Esto se debe a una verificaci\u00f3n de capacidad faltante en la acci\u00f3n AJAX 'process_add_site()' combinada con un salto de ruta en la funcionalidad de carga de archivos. Esto hace posible que atacantes autenticados (a nivel de suscriptor) establezcan la opci\u00f3n interna 'prod_key_random_id', que luego puede ser utilizada por un atacante no autenticado para eludir las verificaciones de autenticaci\u00f3n y escribir archivos arbitrarios en el servidor a trav\u00e9s de la funci\u00f3n 'handle_upload_single_big_file()', lo que finalmente lleva a la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-1499", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-02-06T09:15:48.987", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T15:50:29.349573+00:00", "value": {"mitigation_remediation": ["Upgrade WP Duplicate to version 1.1.9 or later that includes proper capability checks on the process_add_site AJAX action, addressing the CWE\u2011862 flaw.", "If upgrading is not possible, remove or block the process_add_site AJAX endpoint in the plugin code, ensuring that only users with sufficient capabilities can invoke it, thereby mitigating the missing authorization issue.", "Enforce strict server\u2011side validation of uploaded file names and paths, and configure the WordPress file upload mechanism to limit uploads to safe directories, preventing the arbitrary file write that exploits the CWE\u2011862 vulnerability."], "summary": {"action": "Immediate patch", "impact": "Remote code execution via arbitrary file upload by authenticated users"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin WP Duplicate, developed by revmakx, in all releases up to and including 1.1.8. No specific internal plugin revisions were listed, so any installation of the affected versions is considered exposed.", "description_and_impact": "The WP Duplicate plugin contains a missing authorization check on the process_add_site AJAX action, coupled with path traversal in the file upload routine. An authenticated user with subscriber privileges can set an internal option, prod_key_random_id, which an unauthenticated attacker can later use to bypass permission checks and write arbitrary files through handle_upload_single_big_file(). This flaw can be leveraged to upload malicious code, resulting in remote code execution on the host system.", "risk_and_exploitability": "The CVSS base score is 8.8, classifying it as high severity. The EPSS value is less than 1%, suggesting a low probability of exploitation at the time of this analysis, and the flaw is not listed in the CISA KEV catalog. The attack requires an authenticated subscriber account, but once the internal option is set, an unauthenticated attacker can complete the file upload, making the attack path relatively straightforward for an insider or compromised user. Officials have not provided an official workaround, and no exploit code has been reported yet."}}}}, "created": "2026-02-09T10:52:51.034283+00:00", "updated": "2026-04-15T17:45:10.849014+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}