CVE-2026-24387 – This CVE describes a missing authorization vuln... (How to Fix)

Q: What is the severity of CVE-2026-24387?

CVE-2026-24387 has a CVSS score of 4.3 (MEDIUM). This CVE describes a missing authorization vulnerability in the WP Quick Post Duplicator WordPress plugin that allows attackers to exploit incorrectly configured access controls. Attackers could duplicate posts without proper permissions, affecting WordPress sites running vulnerable versions of this plugin. The vulnerability impacts all users of the plugin from unknown versions through version 2.1.

📋 TL;DR

This CVE describes a missing authorization vulnerability in the WP Quick Post Duplicator WordPress plugin that allows attackers to exploit incorrectly configured access controls. Attackers could duplicate posts without proper permissions, affecting WordPress sites running vulnerable versions of this plugin. The vulnerability impacts all users of the plugin from unknown versions through version 2.1.

💻 Affected Systems

Products:

WP Quick Post Duplicator WordPress Plugin

Versions: n/a through <= 2.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations with the vulnerable plugin enabled. No specific OS requirements.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users could duplicate sensitive posts, modify content, or disrupt site operations by creating excessive duplicate content.

🟠

Likely Case

Low-privileged users or attackers could duplicate posts they shouldn't have access to, potentially exposing draft content or manipulating published material.

🟢

If Mitigated

With proper user role management and access controls, impact would be limited to authorized users only performing intended actions.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some level of access to WordPress, but authorization checks are missing for the duplication functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >2.1

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Quick Post Duplicator. 4. Click 'Update Now' if available, or delete and install latest version from WordPress repository.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched version is available

wp plugin deactivate wp-quick-post-duplicator

Restrict User Roles

all

Limit WordPress user roles to minimize potential impact

🧯 If You Can't Patch

Implement strict user role management and review all user permissions
Monitor for unusual post duplication activity and implement web application firewall rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Quick Post Duplicator version 2.1 or lower

Check Version:

wp plugin list --name=wp-quick-post-duplicator --field=version

Verify Fix Applied:

Verify plugin version is >2.1 in WordPress admin or using: wp plugin list --name=wp-quick-post-duplicator --field=version

📡 Detection & Monitoring

Log Indicators:

Unusual post duplication activity from non-admin users
Multiple rapid post creation events

Network Indicators:

HTTP POST requests to wp-quick-post-duplicator endpoints from unauthorized users

SIEM Query:

source="wordpress" AND (plugin="wp-quick-post-duplicator" AND action="duplicate_post") AND user_role!="administrator"

📊 Metadata

CVE ID: CVE-2026-24387

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-862

EPSS Score: 0.01% exploit probability (0.8th percentile)

Published: January 22, 2026

Last Updated: January 26, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24387, you might also want to check these: