CVE-2023-31214

The WP Quick Post Duplicator plugin for WordPress suffers from a missing authorization vulnerability (CVE-2023-31214). The plugin fails to properly verify user capabilities or nonce tokens before allowing post duplication actions, meaning any user—including unauthenticated visitors—can trigger these functions. This is a classic broken access control issue [1].

Exploitation requires no special network position or authentication; an attacker can simply send crafted requests to the plugin's endpoints. The vulnerability is particularly dangerous because it can be automated and used in mass-exploit campaigns targeting thousands of sites simultaneously [1].

Successful exploitation allows an attacker to duplicate arbitrary posts, potentially creating spam, phishing content, or overwhelming the site with unwanted entries. While the impact is limited to post duplication (not full site takeover), it can still disrupt site operations and be leveraged for further attacks [1].

The vulnerability affects all versions up to and including 2.0. The plugin developer has released version 2.1 which addresses the issue by adding proper authorization checks. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins [1].