CVE-2024-5997

low-risk

Published 2024-07-18

The Duplica – Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_user and duplicate_post functions in all versions up to, and including, 0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create duplicates of users and posts/pages.

Do I need to act?

-

0.10% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

4

CVSS 4.3/10 Medium

NETWORK / LOW complexity

References (6)

https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L32

https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L98

https://www.wordfence.com/threat-intel/vulnerabilities/id/605fac87-e1e8-4354-a9d...

https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L32

https://plugins.trac.wordpress.org/browser/duplica/tags/0.6/src/AJAX.php#L98

https://www.wordfence.com/threat-intel/vulnerabilities/id/605fac87-e1e8-4354-a9d...

23

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal