CVE-2026-1499: CWE-862 Missing Authorization in revmakx WP Duplicate – WordPress Migration Plugin
The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.
AI Analysis
Technical Summary
The WP Duplicate – WordPress Migration Plugin suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2026-1499. The root cause is the absence of a capability check on the `process_add_site()` AJAX action, which is accessible to authenticated users with subscriber-level privileges. This flaw allows such low-privileged users to set the internal `prod_key_random_id` option. Subsequently, an unauthenticated attacker can exploit this manipulated state to bypass authentication checks and invoke the `handle_upload_single_big_file()` function. This function contains a path traversal vulnerability in its file upload mechanism, enabling the attacker to write arbitrary files to the server. The consequence is remote code execution, allowing full compromise of the WordPress host. The vulnerability affects all versions up to and including 1.1.8 of the plugin. The CVSS 3.1 score of 9.8 reflects its critical nature, with network attack vector, no required privileges for the final exploit step, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability’s characteristics make it a prime target for attackers once weaponized.
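The two root causes named above (no capability check on the AJAX action, and path traversal in the upload path) are shown here in hardened form. This is an added sketch, not the plugin's code or its patch: the hook name `wpdup_add_site`, the nonce action, the `key` field, the `wpdup-uploads` directory and the `.zip` allowlist are hypothetical; only the option name `prod_key_random_id` comes from the advisory.

```php
<?php
// Added example: hypothetical handlers, not WP Duplicate's source code.
// Only wp_ajax_ (logged-in users) is hooked; there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_wpdup_add_site', 'wpdup_process_add_site' );

function wpdup_process_add_site() {
    // CSRF check, then the capability check the advisory says was missing:
    // being logged in (e.g. as a subscriber) is not authorization.
    check_ajax_referer( 'wpdup_add_site', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 'key' is an assumed request field carrying the pairing secret.
    $key = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    if ( strlen( $key ) < 32 ) {
        wp_send_json_error( 'bad key', 400 );
    }
    update_option( 'prod_key_random_id', $key, false );
    wp_send_json_success();
}

// Key comparison for the unauthenticated upload endpoint.
function wpdup_key_is_valid( $supplied ) {
    $stored = (string) get_option( 'prod_key_random_id', '' );
    // An unset option must never match: reject instead of comparing to ''.
    return is_string( $supplied ) && '' !== $stored && hash_equals( $stored, $supplied );
}

// Map a client-supplied file name to a path inside the staging directory,
// or return null if the name is unusable.
function wpdup_safe_upload_path( $client_name ) {
    $base = realpath( wp_upload_dir()['basedir'] . '/wpdup-uploads' );
    if ( false === $base ) {
        return null; // staging directory does not exist
    }
    // Drop every directory component, then normalise what is left.
    $name = sanitize_file_name( basename( wp_unslash( $client_name ) ) );
    // Assumed allowlist: migration archives only, nothing the server executes.
    if ( '' === $name || ! preg_match( '/\.zip$/i', $name ) ) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}
```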
Potential Impact
This vulnerability poses a severe risk to organizations running WordPress sites with the WP Duplicate plugin installed. Successful exploitation leads to remote code execution, which can result in full server compromise, data theft, defacement, malware deployment, or pivoting to internal networks. The ability for low-privileged authenticated users to enable unauthenticated attackers to upload arbitrary files significantly lowers the attack barrier. This can disrupt business operations, damage reputation, and cause regulatory compliance issues due to data breaches. Given WordPress’s widespread use globally, many websites, including corporate, governmental, and e-commerce platforms, could be affected. The lack of authentication requirement for the final exploit step increases the likelihood of automated attacks and wormable scenarios. Organizations may face downtime, data loss, and costly incident response efforts if exploited.
Mitigation Recommendations
Immediate mitigation involves updating the WP Duplicate plugin to a version where this vulnerability is patched once available. Until a patch is released, organizations should restrict access to the WordPress admin area, especially limiting subscriber-level accounts from accessing AJAX endpoints related to the plugin. Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests targeting `process_add_site()` and file upload functions. Disable or remove the plugin if not essential. Monitor server logs for unusual file upload activity or changes to the `prod_key_random_id` option. Employ file integrity monitoring to detect unauthorized file writes. Harden WordPress installations by enforcing least privilege principles, disabling unnecessary user roles, and restricting plugin installation to trusted administrators. Regularly back up sites and test restoration procedures to mitigate damage from potential exploitation.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-27T17:54:40.763Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6985aa16f9fa50a62fee1475
Added to database: 2/6/2026, 8:45:10 AM
Last enriched: 2/26/2026, 7:12:04 PM
Last updated: 3/24/2026, 12:03:16 AM