CVE-2024-5997
📋 TL;DR
The Duplica WordPress plugin has a missing capability check vulnerability that allows authenticated attackers with Subscriber-level access or higher to duplicate users and posts/pages without authorization. This affects all versions up to and including 0.6. Attackers can create unauthorized copies of content and user accounts.
💻 Affected Systems
- Duplica – Duplicate Posts, Pages, Custom Posts or Users WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers create multiple administrator-level user duplicates to gain full control of the WordPress site, then deface content, install backdoors, or exfiltrate sensitive data.
Likely Case
Attackers create duplicate posts/pages with malicious content or spam, duplicate legitimate users to cause confusion, and potentially escalate privileges through user duplication.
If Mitigated
With proper access controls and monitoring, impact is limited to minor content duplication that can be cleaned up without significant damage.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via AJAX endpoints. The vulnerability details are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/duplica/tags/0.7
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Duplica plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin, then install version 0.7+ from WordPress repository.
🔧 Temporary Workarounds
Disable Duplica Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate duplica
Restrict User Registration
allTemporarily disable new user registration to prevent attacker account creation
Update WordPress Settings → General → Membership to uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict user role management and review all Subscriber+ accounts
- Add web application firewall rules to block requests to /wp-admin/admin-ajax.php with duplicate_user or duplicate_post actions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Duplica version. If version is 0.6 or earlier, you are vulnerable.Check Version:
wp plugin list --name=duplica --field=versionVerify Fix Applied:
Verify Duplica plugin version is 0.7 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=duplicate_user or action=duplicate_post from same user
- Unusual increase in post/page or user creation events
Network Indicators:
- HTTP POST requests to WordPress AJAX endpoint with duplicate parameters
- Unusual traffic patterns to admin-ajax.php
SIEM Query:
source="wordpress.log" AND ("action=duplicate_user" OR "action=duplicate_post")🔗 References
- https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L32
- https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L98
- https://www.wordfence.com/threat-intel/vulnerabilities/id/605fac87-e1e8-4354-a9d3-4440e54bc161?source=cve
- https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L32
- https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L98
- https://www.wordfence.com/threat-intel/vulnerabilities/id/605fac87-e1e8-4354-a9d3-4440e54bc161?source=cve
