{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24387", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.125Z", "datePublished": "2026-01-22T16:52:47.509Z", "dateUpdated": "2026-04-28T16:14:48.457Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-quick-post-duplicator", "product": "WP Quick Post Duplicator", "vendor": "Arul Prasad J", "versions": [{"changes": [{"at": "2.2", "status": "unaffected"}], "lessThanOrEqual": "2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:00.681Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Quick Post Duplicator: from n/a through <= 2.1.</p>"}], "value": "Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through <= 2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.457Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Quick Post Duplicator plugin <= 2.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T19:58:20.272752Z", "id": "CVE-2026-24387", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:07:05.327Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24387", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.125Z", "datePublished": "2026-01-22T16:52:47.509Z", "dateUpdated": "2026-04-28T14:07:05.327Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-quick-post-duplicator", "product": "WP Quick Post Duplicator", "vendor": "Arul Prasad J", "versions": [{"changes": [{"at": "2.2", "status": "unaffected"}], "lessThanOrEqual": "2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:00.681Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Quick Post Duplicator: from n/a through <= 2.1.</p>"}], "value": "Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through <= 2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.052Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Quick Post Duplicator plugin <= 2.1 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24387", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T19:58:20.272752Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T19:55:33.952Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through <= 2.1."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a WP Quick Post Duplicator: desde n/a hasta &lt;= 2.1."}], "id": "CVE-2026-24387", "lastModified": "2026-04-28T15:16:09.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:41.747", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:38:33.406507+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Quick Post Duplicator plug\u2011in to the latest version that omits the vulnerable code", "If an upgrade is not possible, remove or deactivate the plug\u2011in to eliminate the exposed endpoints", "Restrict access to any remaining plug\u2011in files by adjusting server permissions or implementing IP\u2010based restrictions to reduce the attack surface"], "summary": {"action": "Update Plugin", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The issue affects the WP Quick Post Duplicator plug\u2011in developed by Arul Prasad J, specifically all releases from the first version through version 2.1. WordPress sites that have installed any of these versions and have the plug\u2011in enabled are vulnerable until the code is removed, disabled or updated to a non\u2011affected release.", "description_and_impact": "The WP Quick Post Duplicator plugin implements a missing authorization check that allows an attacker to invoke privileged functions without proper authentication. This flaw is rooted in incorrectly configured security levels and is identified as an authorization bypass (CWE\u2011862). By exploiting the vulnerability, an attacker could create, modify or delete posts, or otherwise perform any action that the plugin\u2019s privileged functions permit, potentially compromising the integrity of the WordPress site.", "risk_and_exploitability": "The fault carries a CVSS score of 4.3, indicating moderate impact, and an EPSS score of less than 1%, meaning the likelihood of exploitation at this time is low. The vulnerability is not listed in CISA\u2019s KEV catalog. The description implies that any user who can reach the plug\u2011in\u2019s endpoints\u2014potentially unauthenticated visitors or users with minimal WordPress permissions\u2014could exploit the flaw. No special prerequisites beyond regular web\u2011site connectivity are required; the attack is inferred to involve sending crafted HTTP requests to the plug\u2011in. The risk thus rests primarily on the existence of this endpoint and the lack of access controls rather than on high\u2011privilege conditions."}}}}, "created": "2026-01-23T16:27:34.291146+00:00", "updated": "2026-04-16T07:45:06.019657+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}