CVE-2025-12481
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp_duplicate_page | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WP Duplicate Page plugin for WordPress (up to version 1.7) due to missing authorization checks in the 'saveSettings' function. Authenticated users with Contributor-level access or higher can modify plugin settings that control role capabilities without proper permission verification. This allows them to exploit misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.
How can this vulnerability impact me?
An attacker with Contributor-level access or above can change plugin settings to escalate their capabilities, enabling them to duplicate and access password-protected posts that may contain sensitive information. This can lead to unauthorized disclosure of confidential data within a WordPress site.