CVE-2026-1217: CWE-862 Missing Authorization in yoast Yoast Duplicate Post
The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content.
AI Analysis
Technical Summary
The Yoast Duplicate Post plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) identified as CVE-2026-1217. This vulnerability exists in all versions up to and including 4.5 due to the absence of proper capability checks in two key functions: clone_bulk_action_handler() and republish_request(). Because clone_bulk_action_handler() does not verify that the caller may edit each target post, authenticated users with Contributor-level permissions or higher can duplicate posts indiscriminately, including private, draft, or trashed posts they normally could not access. Because republish_request() does not verify that the caller may edit and publish the target post, users with Author-level access or above can overwrite any published post's content through the Rewrite & Republish feature, effectively allowing unauthorized content modification. The vulnerability is remotely exploitable without user interaction and requires only a low-privilege authenticated account, so a compromised or malicious Contributor or Author account is sufficient. The CVSS 3.1 base score is 5.4 (medium), reflecting the moderate impact on confidentiality and integrity but no impact on availability. Although no public exploits have been reported, the flaw could be leveraged to manipulate website content, deface posts, or gain the effect of higher privileges by altering published material, undermining trust and content integrity on affected WordPress sites.
Potential Impact
This vulnerability can significantly impact organizations relying on WordPress sites using the Yoast Duplicate Post plugin. Unauthorized duplication of private, draft, or trashed posts can lead to leakage of sensitive or unpublished content. More critically, the ability for Authors or higher to overwrite published posts can result in content defacement, misinformation, or insertion of malicious content, damaging brand reputation and user trust. Attackers could manipulate website content to conduct phishing, spread disinformation, or embed malicious links. The flaw also facilitates privilege escalation scenarios where attackers with limited access can perform actions reserved for higher privilege levels. For organizations with strict content governance or regulatory compliance requirements, this vulnerability poses risks to data integrity and confidentiality. Although availability is not directly affected, the reputational damage and potential regulatory consequences can be severe.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Yoast Duplicate Post plugin to a patched version once released by the vendor. In the absence of an official patch, administrators should restrict Contributor-level and Author-level permissions to trusted users only, minimizing the risk of exploitation. Implementing strict role-based access controls and regularly auditing user permissions can reduce exposure. Additionally, monitoring logs for unusual duplication or republishing activities can help detect exploitation attempts early. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the clone_bulk_action_handler() and republish_request() endpoints can provide temporary protection. Site owners should also consider disabling the Rewrite & Republish feature if not essential. Regular backups and content integrity verification can aid in recovery if exploitation occurs. Finally, educating content managers and administrators about this vulnerability and safe plugin management practices is recommended.
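The root cause described above is a handler that acts on a post ID without asking WordPress whether the current user may edit (and, for republishing, publish) that specific post. The following is an added illustration of the per-post authorization pattern such handlers should follow; it is not Yoast Duplicate Post's code, and the function and hook names prefixed `example_` are hypothetical stand-ins for the plugin's clone_bulk_action_handler() and republish_request().

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical names are
// prefixed example_; only the WordPress core APIs used are real.

// Bulk "clone" handler registered on the posts list table. It authorizes each
// target post individually instead of trusting the caller's role alone.
function example_clone_bulk_action_handler( $redirect_to, $doaction, $post_ids ) {
    if ( 'example_clone' !== $doaction ) {
        return $redirect_to;
    }

    // CSRF guard: the posts list table submits the 'bulk-posts' nonce.
    // Re-checking it here keeps the handler safe if it is ever reached
    // through a path other than edit.php.
    check_admin_referer( 'bulk-posts' );

    $cloned = 0;
    foreach ( (array) $post_ids as $post_id ) {
        $post_id = (int) $post_id;
        $source  = get_post( $post_id );
        if ( ! $source ) {
            continue;
        }

        // Per-object capability check. 'edit_post' is a meta capability that
        // map_meta_cap() resolves to edit_others_posts, edit_private_posts,
        // edit_published_posts, etc., based on the post's author and status.
        // A Contributor therefore fails it for another user's private,
        // draft or trashed post, which is exactly the gap CWE-862 describes.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            continue; // skip without confirming whether the post exists
        }

        $new_id = wp_insert_post(
            array(
                'post_title'   => $source->post_title,
                'post_content' => $source->post_content,
                'post_type'    => $source->post_type,
                'post_status'  => 'draft',
                'post_author'  => get_current_user_id(),
            ),
            true
        );

        if ( ! is_wp_error( $new_id ) ) {
            $cloned++;
        }
    }

    return add_query_arg( 'example_cloned', $cloned, $redirect_to );
}
add_filter( 'handle_bulk_actions-edit-post', 'example_clone_bulk_action_handler', 10, 3 );

// Republish path: overwriting a live post must require both the right to edit
// the original and the right to publish it, not merely the right to edit a
// draft copy the caller owns.
function example_republish_request( $copy_id, $original_id ) {
    $original_id = (int) $original_id;

    if ( ! current_user_can( 'edit_post', $original_id )
        || ! current_user_can( 'publish_post', $original_id ) ) {
        wp_die( 'You are not allowed to republish this post.', 403 );
    }

    // Authorized: merge the content of $copy_id into $original_id here.
}
```

The two checks that matter are the object-level `current_user_can( 'edit_post', $id )` and, on the republish path, the additional `publish_post` check; a role-level test such as `current_user_can( 'edit_posts' )` would not distinguish the caller's own drafts from someone else's private or published posts. When auditing a plugin for this class of bug, look for handlers that read a post ID from the request and never pass that ID to `current_user_can()`.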
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-19T22:11:13.075Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ba73bc771bdb174968081d
Added to database: 3/18/2026, 9:43:24 AM
Last enriched: 3/18/2026, 9:57:54 AM
Last updated: 3/19/2026, 5:13:47 AM