High severity 8.8 · NVD Advisory · Published Feb 6, 2026 · Updated Apr 15, 2026
CVE-2026-1499
Description
The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the process_add_site() AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal prod_key_random_id option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the handle_upload_single_big_file() function, ultimately leading to remote code execution.
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php (nvd)
- plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php (nvd)
- plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php (nvd)
- plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php (nvd)
- plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php (nvd)
- plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45 (nvd)