CVE-2026-1217
Description
The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing capability checks in Yoast Duplicate Post allow authenticated attackers to duplicate or overwrite any post, including private and trashed content.
Root Cause
The Yoast Duplicate Post plugin for WordPress fails to perform proper capability checks in the clone_bulk_action_handler() and republish_request() functions. This vulnerability affects all versions up to and including 4.5 [1][2]. The missing authorization allows users with lower-level roles to perform actions that should be restricted to higher-privileged users.
Exploitation
An authenticated attacker with at least Contributor-level access can exploit the missing check in clone_bulk_action_handler() to duplicate any post on the site, including private, draft, and trashed posts that they would normally not be able to access. Additionally, attackers with Author-level access or higher can use the Rewrite & Republish feature via republish_request() to overwrite any published post with their own content [2]. No additional privileges or special conditions are required beyond the specified role levels.
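The missing check described above, shown as an added illustrative example in PHP; this is not the plugin's own code (the plugin's source is linked under References but is not reproduced on this page). It contrasts a bulk-action handler that treats "logged in and in wp-admin" as sufficient with one that asks WordPress, per post, whether the current user may edit that post, and applies the same per-post check on the republish path before the original post is overwritten. The function names, the `_dp_original` meta key and the helper bodies are assumptions made for the example; `current_user_can()`, the `edit_post` and `publish_post` meta capabilities, `wp_insert_post()`, `wp_update_post()` and the `handle_bulk_actions-edit-post` filter are standard WordPress APIs.

```php
<?php
// Illustrative example added to this page; not the Yoast Duplicate Post code.
// Function names, the '_dp_original' meta key and helper bodies are assumptions.

// VULNERABLE PATTERN: the handler runs for any logged-in user who can reach the
// posts list (Contributors can) and acts on every post ID the request names.
// Nothing here asks whether the current user may touch a given post, so private,
// draft or trashed posts belonging to other users are cloned just the same.
function vuln_bulk_clone_handler( $redirect_to, $doaction, $post_ids ) {
    if ( 'duplicate_post_clone' !== $doaction ) {
        return $redirect_to;
    }
    foreach ( (array) $post_ids as $post_id ) {
        $post = get_post( $post_id );
        if ( $post ) {
            clone_post_example( $post ); // no current_user_can() check
        }
    }
    return $redirect_to;
}

// HARDENED PATTERN: check the capability against each specific post.
// 'edit_post' is a meta capability; WordPress maps it to edit_others_posts,
// edit_private_posts or edit_published_posts depending on the post's author and
// status. A Contributor holds only edit_posts, so the check fails for anything
// they do not own, and for anyone else's private or trashed content.
function safe_bulk_clone_handler( $redirect_to, $doaction, $post_ids ) {
    if ( 'duplicate_post_clone' !== $doaction ) {
        return $redirect_to;
    }
    foreach ( (array) $post_ids as $post_id ) {
        $post = get_post( $post_id );
        if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
            continue; // skip posts this user may not act on
        }
        clone_post_example( $post );
    }
    return $redirect_to;
}

// Republish path: the user must be allowed to edit AND publish the ORIGINAL post
// that is about to be overwritten, not merely their own rewritten copy. An Author
// passes edit_post on their own copy but fails it on someone else's published post.
function safe_republish_request( $rewritten_post_id ) {
    $original_id = (int) get_post_meta( $rewritten_post_id, '_dp_original', true ); // assumed key
    if ( ! $original_id
        || ! current_user_can( 'edit_post', $rewritten_post_id )
        || ! current_user_can( 'edit_post', $original_id )
        || ! current_user_can( 'publish_post', $original_id ) ) {
        wp_die( 'You are not allowed to republish this post.', '', array( 'response' => 403 ) );
    }
    return republish_example( $rewritten_post_id, $original_id );
}

// Minimal helpers so the handlers above are complete.
function clone_post_example( $post ) {
    return wp_insert_post( array(
        'post_title'   => $post->post_title,
        'post_content' => $post->post_content,
        'post_status'  => 'draft',
        'post_type'    => $post->post_type,
        'post_author'  => get_current_user_id(),
    ), true );
}

function republish_example( $rewritten_id, $original_id ) {
    $rewritten = get_post( $rewritten_id );
    return wp_update_post( array(
        'ID'           => $original_id,
        'post_title'   => $rewritten->post_title,
        'post_content' => $rewritten->post_content,
    ), true );
}

add_filter( 'handle_bulk_actions-edit-post', 'safe_bulk_clone_handler', 10, 3 );
```

The point to take from the contrast is that a nonce or a login check is not an authorization check: the capability must be evaluated against the object the request names, and on the republish path against the post that will actually be modified. Whether the vendor's 4.6 fix takes exactly this shape is not shown on this page; the example demonstrates the standard WordPress way to close this class of bug.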
Impact
Successful exploitation enables unauthorized duplication of sensitive content (e.g., private or draft posts) and, for Author-level attackers, the ability to replace published posts with arbitrary content. This can lead to data exposure, defacement, or injection of malicious content into publicly visible pages [1][2].
Mitigation
The vendor has released version 4.6 of the plugin, which addresses the missing capability checks [1]. Users are strongly advised to update to the latest version immediately. No workarounds are documented; updating is the only reliable mitigation.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yoast/duplicate-post (Packagist) | < 4.6 | 4.6 |
Affected products
- Range: <=4.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g9w4-m5fx-x3wv (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-1217 (source: GHSA; type: advisory)
- plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/handlers/bulk-handler.php (source: NVD; type: web)
- plugins.trac.wordpress.org/browser/duplicate-post/tags/4.5/src/post-republisher.php (source: NVD; type: web)
- www.wordfence.com/threat-intel/vulnerabilities/id/05f175e6-08a9-4199-948c-5bd8b3caaa39 (source: NVD; type: web)
News mentions
No linked articles in our index yet.