CVE-2024-12472: CWE-639 Authorization Bypass Through User-Controlled Key in metaphorcreations Post Duplicator
CVE-2024-12472 is a medium severity vulnerability in the WordPress Post Duplicator plugin by metaphorcreations, affecting all versions up to 2.36. It allows authenticated users with Contributor-level access or higher to bypass authorization controls and duplicate posts they should not access, including password-protected, private, or draft posts. This results in unauthorized information exposure without impacting integrity or availability. Exploitation requires no user interaction beyond authentication and can be performed remotely. There are no known exploits in the wild yet, and no patches have been released at the time of this report. Organizations using this plugin should restrict Contributor-level access and monitor for suspicious duplication activity. The vulnerability primarily affects WordPress sites using this plugin, which are widespread globally, with higher risk in countries with large WordPress user bases. The CVSS score is 5.3, reflecting a moderate impact on confidentiality with low attack complexity.
AI Analysis
Technical Summary
CVE-2024-12472 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Post Duplicator plugin for WordPress, developed by metaphorcreations. The vulnerability exists in the mtphr_duplicate_post() function, which insufficiently restricts which posts can be duplicated. Authenticated users with Contributor-level permissions or higher can exploit this flaw to duplicate posts they normally cannot access, including password-protected, private, or draft posts. This duplication process exposes the content of these restricted posts, leading to unauthorized information disclosure. The vulnerability affects all versions of the plugin up to and including version 2.36. The attack vector is network-based and requires authentication but no user interaction beyond that. The CVSS 3.1 base score is 5.3, indicating a medium severity level, with the main impact on confidentiality (C:L), no impact on integrity (I:N), and no impact on availability (A:N). No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability highlights a failure in access control mechanisms within the plugin, allowing privilege escalation in terms of data access. This can be leveraged by malicious insiders or compromised accounts with Contributor or higher roles to extract sensitive content from WordPress sites.
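The CWE-639 shape described above, as an added example written for this page and not taken from the Post Duplicator plugin: a weak handler that only checks a role-level capability and then trusts a request-supplied post ID, beside a hardened handler that resolves the capability against the specific post. All example_* function, action and nonce names are assumptions for this illustration; the WordPress APIs used (current_user_can, get_post, wp_insert_post, check_admin_referer) are real.

```php
<?php
// Added example, not the Post Duplicator plugin's own code. It shows the CWE-639
// shape in generic form (the request supplies the post ID that decides what is
// copied) and the object-level capability check that closes it. Function and
// nonce names (example_*) are assumptions for this illustration.

// Weak form: a role-level check only, after which the user-controlled ID is trusted.
function example_duplicate_post_weak() {
    if ( ! current_user_can( 'edit_posts' ) ) {        // any Contributor passes this
        wp_die( 'Not allowed', 403 );
    }
    $source = get_post( absint( $_GET['post_id'] ?? 0 ) );
    if ( ! $source ) {
        wp_die( 'No such post', 404 );
    }
    return example_copy_post( $source );               // copies private/draft posts too
}

// Hardened form: authorization is decided against the specific post object.
function example_duplicate_post_safe() {
    check_admin_referer( 'example_duplicate_post' );   // reject forged requests (CSRF)
    $post_id = absint( $_GET['post_id'] ?? 0 );
    $source  = get_post( $post_id );
    if ( ! $source ) {
        wp_die( 'No such post', 404 );
    }
    // 'read_post' and 'edit_post' are meta capabilities that WordPress resolves per
    // post: for another author's draft or a private post they require
    // edit_others_posts / read_private_posts, which a Contributor does not hold.
    if ( ! current_user_can( 'read_post', $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        error_log( sprintf( 'duplicate denied: user %d post %d', get_current_user_id(), $post_id ) );
        wp_die( 'You are not allowed to duplicate this post', 403 );
    }
    return example_copy_post( $source );
}

// The copy is always created as a draft owned by the caller, so duplication can
// never raise a post's visibility.
function example_copy_post( WP_Post $source ) {
    return wp_insert_post( array(
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content,
        'post_excerpt' => $source->post_excerpt,
        'post_type'    => $source->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ), true );
}

add_action( 'admin_post_example_duplicate_post', 'example_duplicate_post_safe' );
```

The denied-attempt log line in the hardened handler is the minimum audit trail a site owner would want when reviewing Contributor activity.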
Potential Impact
The primary impact of CVE-2024-12472 is unauthorized disclosure of sensitive content from WordPress sites using the Post Duplicator plugin. Attackers with Contributor-level access can access and duplicate posts that are meant to be restricted, such as drafts, private posts, or password-protected content. This can lead to leakage of confidential business information, unpublished content, or sensitive user data. Although the vulnerability does not affect data integrity or site availability, the exposure of confidential information can have reputational, legal, and operational consequences for organizations. Since WordPress powers a significant portion of websites globally, and the Post Duplicator plugin is used by many, the scope of affected systems is potentially large. Exploitation is low in complexity, requiring only authenticated access at Contributor level or above, a role that is common in many WordPress installations. This increases the risk especially in environments with weak user management or compromised contributor accounts. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk until patched.
Mitigation Recommendations
To mitigate CVE-2024-12472, organizations should immediately review and restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the number of users with such access. Implement strict user account management and monitoring to detect unusual duplication activity or access patterns. Disable or remove the Post Duplicator plugin if it is not essential, to reduce the attack surface. If the plugin is required, monitor the vendor’s announcements closely for patches or updates addressing this vulnerability and apply them promptly once available. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious duplication requests that invoke the plugin's mtphr_duplicate_post() handler. Additionally, consider implementing content access logging to audit attempts to duplicate or access restricted posts. Educate site administrators about the risks of excessive permissions and encourage regular reviews of user roles and capabilities. Finally, consider isolating sensitive content in separate environments or with additional access controls beyond WordPress roles to reduce exposure risk.
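The access logging recommended above can be added without modifying the plugin. The following must-use plugin is an added example, not part of the advisory or of Post Duplicator; it assumes that a duplication request carries the source post ID in a post_id parameter and an action name containing "duplicate" (both assumptions; adjust the keys to the plugin in use), and it flags requests where the caller could not edit the post being copied.

```php
<?php
/*
 * Plugin Name: Example Duplication Audit Log
 * Added example (not part of the advisory or of the Post Duplicator plugin).
 * Drop into wp-content/mu-plugins/ to record who asked to duplicate which post.
 * Assumes the request names the source post in `post_id` and uses an action
 * containing "duplicate"; both parameter names are assumptions.
 */
add_action( 'init', 'example_audit_duplication_request', 1 );

function example_audit_duplication_request() {
    // Only consider requests whose action parameter mentions duplication.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( '' === $action || false === strpos( $action, 'duplicate' ) ) {
        return;
    }
    $post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;
    $user    = wp_get_current_user();          // ID 0 / empty login if unauthenticated
    $source  = $post_id ? get_post( $post_id ) : null;

    $entry = array(
        'ts'        => gmdate( 'c' ),
        'user'      => $user->user_login,
        'roles'     => implode( ',', (array) $user->roles ),
        'action'    => $action,
        'post_id'   => $post_id,
        'status'    => $source ? $source->post_status : 'unknown',   // draft/private/publish
        'protected' => ( $source && '' !== $source->post_password ) ? 'yes' : 'no',
        'owner'     => $source ? (int) $source->post_author : 0,
        'ip'        => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    );
    // The pattern this advisory describes: a user asking for a copy of a post
    // they are not allowed to edit (another author's draft, a private post, ...).
    $entry['suspicious'] = ( $source && ! current_user_can( 'edit_post', $post_id ) ) ? 'yes' : 'no';

    // One JSON line per request; forward the PHP error log to the SIEM and alert
    // on suspicious=yes, or on any Contributor hitting a non-published post.
    error_log( 'post-duplication-audit ' . wp_json_encode( $entry ) );
}
```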
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-10T22:47:37.270Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e3eb7ef31ef0b59b89e
Added to database: 2/25/2026, 9:48:46 PM
Last enriched: 2/26/2026, 4:27:28 AM
Last updated: 2/26/2026, 7:39:11 AM