CVE-2026-53738
Status: Deferred - Pending Action

Copy & Delete Posts Plugin AJAX Handler Post Deletion and Settings Overwrite

Vulnerability report for CVE-2026-53738, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description

Copy & Delete Posts through 1.5.4 lets any user holding a plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Because the handler dispatches on the f parameter without a per-function capability check, attackers with such a role can delete posts or overwrite plugin settings.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Associated CPE (1):
Vendor: copy_and_delete_posts
Product: copy_and_delete_posts
Version / Range: up to 1.5.4 (inclusive)


Exploitability

CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.


Compliance Impact

The vulnerability in the Copy & Delete Posts plugin allows authenticated users holding plugin-enabled non-admin roles to delete posts or overwrite plugin settings by bypassing per-function capability checks. This unauthorized access and potential data manipulation could lead to non-compliance with standards and regulations that require strict access controls and data integrity, such as GDPR and HIPAA.

Although the plugin itself is described as GDPR-compliant, the presence of this privilege escalation vulnerability undermines the enforcement of access controls, which are critical for maintaining compliance with data protection regulations.

Executive Summary

This vulnerability exists in the Copy & Delete Posts plugin version 1.5.4 and earlier. It allows any user with a plugin-enabled non-admin role to invoke all operations in the cdp_action_handling AJAX handler. Specifically, attackers with such roles can delete posts or overwrite plugin settings by supplying the corresponding value in the 'f' parameter, effectively bypassing the intended per-function capability checks.

Impact Analysis

The vulnerability can lead to unauthorized deletion of posts and modification of plugin settings by users who should not have such privileges. This can result in data loss, disruption of website content, and potential compromise of site functionality due to altered plugin configurations.

Mitigation Strategies

To mitigate the CVE-2026-53738 vulnerability, you should immediately update the Copy & Delete Posts WordPress plugin to a version later than 1.5.4 where this issue is fixed.

Additionally, until the update is applied, remove plugin access from non-admin roles so that they cannot reach the cdp_action_handling AJAX handler at all.

Review and adjust user role permissions to ensure that only trusted users have plugin capabilities that could be exploited.
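The per-function capability checks the mitigation refers to are easiest to see in code. The following is an added example of a hardened WordPress AJAX dispatcher, not the Copy & Delete Posts plugin's own code: the action name example_action_handling, the operation names, the nonce action and the option name are assumed placeholders. The point it shows is that a single role check at the top of a handler grants every branch to every holder of that role, whereas binding each operation to its own capability (and, for post deletion, to the specific post) confines each user to what they are actually allowed to do.

```php
<?php
// Added example (not the plugin's code): a WordPress AJAX handler that
// dispatches on the request parameter 'f' and enforces a capability check
// per operation rather than one coarse check for the whole handler.
// 'example_action_handling', 'example_action' (nonce action) and
// 'example_plugin_enabled' (option name) are illustrative placeholders.

add_action( 'wp_ajax_example_action_handling', 'example_action_handling' );

function example_action_handling() {
    // CSRF protection: the client must send a nonce created with
    // wp_create_nonce( 'example_action' ) in the 'nonce' field.
    // check_ajax_referer() terminates the request on a bad nonce.
    check_ajax_referer( 'example_action', 'nonce' );

    // Allow-list of operations and the capability each one requires.
    // Unknown values of 'f' are rejected before any branch runs.
    $operations = array(
        'delete_post'     => 'delete_post',     // meta capability, checked per post
        'update_settings' => 'manage_options',  // administrators only by default
    );

    $f = isset( $_POST['f'] ) ? sanitize_key( wp_unslash( $_POST['f'] ) ) : '';
    if ( ! isset( $operations[ $f ] ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }

    switch ( $f ) {
        case 'delete_post':
            $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
            // 'delete_post' is resolved against this specific post, so an
            // Author can delete their own draft but not another user's post.
            if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            $deleted = wp_delete_post( $post_id, true );
            wp_send_json_success( array( 'deleted' => (bool) $deleted ) );
            break;

        case 'update_settings':
            // Settings changes are tied to a site-level capability, so a
            // role that merely has plugin access cannot overwrite them.
            if ( ! current_user_can( $operations[ $f ] ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
            update_option( 'example_plugin_enabled', $enabled );
            wp_send_json_success( array( 'enabled' => $enabled ) );
            break;
    }
}
```

When reviewing a plugin for this class of bug, look for an AJAX or REST callback whose only guard is a nonce check or a role comparison at the top, followed by a switch on a request parameter: each case in that switch needs its own current_user_can() call with the narrowest capability that fits the operation.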

