Security Alert Summary
The Yoast Duplicate Post plugin for WordPress contains missing capability checks in specific handlers, allowing authenticated users with Contributor-level access and above to duplicate posts they would not normally access. Authors and higher can also use the republish feature to overwrite published posts. Site owners should review access and take recommended actions based on the information below.
CVE Details
- CVE ID: CVE-2026-1217
- Affected component: Yoast Duplicate Post plugin for WordPress
- Affected versions: All versions up to, and including, 4.5
- Published: March 18, 2026 at 10:16:23 AM (UTC)
- Last modified: March 18, 2026 at 2:52:44 PM (UTC)
- CVSS v3.1: Base Score 5.4, Medium — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Authentication / Privileges / User Interaction: Privileges required: LOW (authenticated users). User interaction: NONE.
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- CWE: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is caused by missing capability checks on two functions in the plugin: clone_bulk_action_handler() and republish_request(). Because these handlers do not properly verify that the acting user has permission to perform the requested action, an authenticated user with Contributor-level access or higher can trigger duplication of posts, including private, draft, and trashed posts they should not be able to duplicate.
Additionally, users with Author-level access and above can leverage the Rewrite & Republish functionality to overwrite published posts with their own content via the republish_request() path. The issue stems from missing authorization checks rather than a flaw in WordPress core permissions.
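The following is an added illustration of the CWE-862 pattern described above and of the standard WordPress fix; it is not the plugin's own code and the function names are hypothetical. It assumes WordPress core APIs only (get_post, current_user_can, check_admin_referer, wp_insert_post, wp_update_post), and shows a bulk clone handler that trusts the request beside one that verifies the nonce and the acting user's per-post capability, plus the same check applied to a republish path.

```php
<?php
// Hypothetical helper: creates a draft copy of a post for the current user.
function example_copy_post( WP_Post $post ) {
    return wp_insert_post( array(
        'post_title'   => $post->post_title,
        'post_content' => $post->post_content,
        'post_type'    => $post->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ), true ); // true: return WP_Error instead of 0 on failure
}

// BEFORE (the vulnerable shape): no authorization check at all. Any logged-in
// user who can reach the handler gets a copy of every listed post, including
// other users' private, draft, or trashed posts they cannot normally read.
function example_clone_bulk_unchecked( array $post_ids ) {
    $copies = array();
    foreach ( $post_ids as $post_id ) {
        $post = get_post( (int) $post_id );
        if ( $post ) {
            $copies[] = example_copy_post( $post );
        }
    }
    return $copies;
}

// AFTER: require a valid nonce for the action and check the 'edit_post' meta
// capability for each post. WordPress maps edit_post to edit_others_posts,
// edit_private_posts and edit_published_posts as appropriate, so a Contributor
// cannot clone another author's private draft.
function example_clone_bulk_checked( array $post_ids ) {
    check_admin_referer( 'example_clone_bulk' ); // dies on a missing/invalid nonce
    $copies = array();
    foreach ( $post_ids as $post_id ) {
        $post_id = absint( $post_id );
        $post    = get_post( $post_id );
        if ( ! $post || ! current_user_can( 'edit_post', $post_id ) ) {
            continue; // skip: do not reveal whether the post exists
        }
        $copies[] = example_copy_post( $post );
    }
    return $copies;
}

// Same check on a republish/overwrite path: the user must be allowed to edit
// both the working copy and the published original, and the original must
// actually be published, before any content is written over it.
function example_republish_checked( int $copy_id, int $original_id ) {
    check_admin_referer( 'example_republish_' . $copy_id );
    if ( 'publish' !== get_post_status( $original_id )
        || ! current_user_can( 'edit_post', $original_id )
        || ! current_user_can( 'edit_post', $copy_id ) ) {
        wp_die( esc_html__( 'You are not allowed to republish this post.' ), 403 );
    }
    $copy = get_post( $copy_id );
    return wp_update_post( array(
        'ID'           => $original_id,
        'post_title'   => $copy->post_title,
        'post_content' => $copy->post_content,
    ), true );
}
```

Auditing a plugin for this class of bug means finding every handler reachable by an authenticated user (admin-post, admin-ajax, bulk actions, REST callbacks) and confirming each one performs a capability check against the specific object it acts on, not just a nonce check.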
How This Could Impact Your Website
Consider a site where the owner assigns Contributor accounts to regular content contributors and grants Author accounts to external contractors. A contributor could duplicate private or draft posts they do not normally have access to, potentially exposing unpublished content or internal notes. An author-level user could overwrite a published post using the republish flow, altering live content without the site owner’s intent.
Practical consequences include exposure of internal post metadata or email addresses referenced in duplicated drafts, and an increased risk of targeted phishing or social engineering if sensitive content is duplicated and accessed by unauthorized users. The impacts align with the CVSS ratings: limited confidentiality and integrity effects rather than complete site takeover.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (if no fixed version is listed yet, monitor the plugin's official channels).
- Review and reduce unnecessary user roles, especially contributors and authors.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and post changes for unusual behavior, including unexpected duplications or republished content.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/handlers/bulk-handler.php#L115
- https://plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/post-republisher.php#L128
- https://www.wordfence.com/threat-intel/vulnerabilities/id/05f175e6-08a9-4199-948c-5bd8b3caaa39?source=cve