Security Alert Summary
The WP Duplicate plugin for WordPress contains a missing authorization vulnerability that can lead to arbitrary file upload and possible remote code execution. According to the CVE entry, a missing capability check on an AJAX action combined with path traversal in the file upload flow allows an authenticated low-privileged user to set an internal option that can be abused by unauthenticated attackers to write files to the server.
CVE Details
- CVE ID:
CVE-2026-1499 - Affected plugin / component: WP Duplicate plugin for WordPress
- Affected versions: all versions up to and including 1.1.8
- Published: February 6, 2026 at 9:15:48 AM
- Last modified: February 6, 2026 at 3:14:47 PM
- CVSS v3.1: Base Score 9.8 — Severity: CRITICAL — Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - Authentication / Privileges / User Interaction: Privileges Required: NONE; User Interaction: NONE (as reported in CVSS data)
- Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
- CWE / weakness: CWE-862 (Missing Authorization)
Technical Details
The vulnerability exists because a capability check is missing on the process_add_site() AJAX action. Combined with path traversal in the plugin’s file upload functionality, this allows an authenticated (subscriber-level) attacker to set an internal option named prod_key_random_id. Once that option can be controlled, an unauthenticated attacker may bypass authentication checks and write arbitrary files to the server via the handle_upload_single_big_file() function. The chain of issues—missing authorization on an AJAX action, a modifiable internal option, and unsafe file upload handling with path traversal—enables arbitrary file write and can lead to remote code execution as described in the CVE description.
How This Could Impact Your Website
In a realistic scenario, a site owner manages a WordPress site with multiple accounts: administrators, editors, internal staff with contributor or subscriber roles, and external contractors who have low-level access for content. If a subscriber-level account (or another low-privileged account) is compromised or intentionally abused, that account could be used to set the prod_key_random_id option. An unauthenticated attacker could then leverage the unsafe upload path to place files on the server.
Potential practical consequences include exposure of sensitive data stored on the server or the ability for an attacker to upload executable files that could be used to run arbitrary code. This could increase the risk of targeted phishing or social engineering against users whose information is exposed. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE notes affected versions up to and including 1.1.8.)
- Review and reduce unnecessary user roles and capabilities, especially for contributor and subscriber accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior such as unexpected file uploads or changes to options like
prod_key_random_id.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://cwe.mitre.org/data/definitions/862.html
- https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422
- https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843
- https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389
- https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422
- https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843
- https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve