CVE-2026-1499

Summary

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the process_add_site() AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal prod_key_random_id option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the handle_upload_single_big_file() function, ultimately leading to remote code execution.

Affected Software

VendorProductVersion RangeStatus
revmakxWP Duplicate – WordPress Migration Plugin0 <= 1.1.8affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References