CVE-2026-53739
Status: Deferred - Pending Action

Yoast Duplicate Post CSRF Bypass Disables Admin Notices

Vulnerability report for CVE-2026-53739, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description

Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

One associated CPE:

Vendor: yoast
Product: duplicate_post
Version / Range: through 4.6 (inclusive)

Exploitability

CWE

CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

AI Quick Actions

Executive Summary

CVE-2026-53739 is a cross-site request forgery (CSRF) vulnerability in the Yoast Duplicate Post plugin through version 4.6. The vulnerability exists in the duplicate_post_dismiss_notice handler, which does not verify any nonce or user capability. This flaw allows attackers to trick any authenticated user into sending a request that changes the duplicate_post_show_notice site option, effectively suppressing admin notices across the entire network.

Impact Analysis

This vulnerability allows an attacker to change a site option without proper authorization: specifically, to suppress admin notices network-wide by setting the duplicate_post_show_notice option. Administrators may then miss critical notifications or alerts, reducing the visibility of important site events or warnings.

Compliance Impact

The provided context and resources do not include information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves a Cross-Site Request Forgery (CSRF) in the duplicate_post_dismiss_notice handler of the Yoast Duplicate Post plugin through version 4.6. Detection would involve monitoring for unauthorized or suspicious requests that set the duplicate_post_show_notice site option, which suppresses admin notices network-wide.

Since the vulnerability exploits the absence of nonce or capability verification, detection can focus on identifying unexpected POST requests to the duplicate_post_dismiss_notice handler endpoint from authenticated users.

Specific commands are not provided in the available resources, but general approaches include:

  • Review web server logs for POST requests to endpoints related to duplicate_post_dismiss_notice.
  • Use network monitoring tools to detect unusual POST requests from authenticated users.
  • Check the WordPress database or site options for unexpected changes to the duplicate_post_show_notice option.

Mitigation Strategies

Immediate mitigation steps include updating the Yoast Duplicate Post plugin to a version later than 4.6 where this vulnerability is fixed.

If an update is not immediately possible, consider restricting access to the plugin's functionality to trusted users only and monitoring for suspicious activity related to the duplicate_post_dismiss_notice handler.

Additionally, implementing web application firewall (WAF) rules to block unauthorized POST requests to the affected handler can help reduce risk.
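The root cause named above (a handler that verifies no nonce or capability, CWE-352) is easiest to see as code. The following is an added illustration written for this page; it is not the plugin's code or its actual fix. It assumes a generic WordPress admin-ajax handler registered under a hypothetical action name `example_dismiss_notice`, and uses the `duplicate_post_show_notice` site option named in the advisory only as the value being written. It shows the weak shape first, then the same handler hardened with WordPress's own nonce and capability checks.

```php
<?php
// Added illustration (not the plugin's code): a WordPress admin-ajax handler
// that dismisses a notice by writing a site option, first in the weak shape
// CWE-352 describes (no nonce, no capability check), then hardened.
//
// Assumptions (not stated on the page): the handler is reached through
// admin-ajax.php under the hypothetical action name 'example_dismiss_notice',
// and the value written is the 'duplicate_post_show_notice' site option
// named in the advisory.

// --- Weak form: any request that carries the victim's logged-in cookie,
//     including one submitted by a form on an attacker-controlled page,
//     flips the option. Nothing proves the user intended the action.
function example_dismiss_notice_weak() {
    update_site_option( 'duplicate_post_show_notice', false );
    wp_send_json_success();
}

// --- Hardened form: prove intent (nonce) and authority (capability)
//     before touching state.
function example_dismiss_notice_hardened() {
    // 1. Nonce: ties the request to a token the site issued to this user for
    //    this specific action, so a cross-origin form cannot forge it.
    //    check_ajax_referer() terminates the request when the '_ajax_nonce'
    //    (or '_wpnonce') field is missing or invalid.
    check_ajax_referer( 'example_dismiss_notice' );

    // 2. Capability: a site-wide (network) option should only be changed by
    //    users allowed to manage network options. On a single-site install
    //    update_site_option() falls back to update_option(), so pick the
    //    capability that matches the scope of what is being written.
    if ( ! current_user_can( 'manage_network_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Only now perform the state change.
    update_site_option( 'duplicate_post_show_notice', false );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_hardened' );

// The dismiss control must carry the matching nonce so the legitimate
// request passes check_ajax_referer(). One way to emit it alongside the
// notice on the admin page:
function example_render_dismiss_button() {
    $nonce = wp_create_nonce( 'example_dismiss_notice' );
    printf(
        '<button class="notice-dismiss" data-action="example_dismiss_notice" data-nonce="%s"></button>',
        esc_attr( $nonce )
    );
}
```

The two checks address different failures: the nonce blocks a forged request made on behalf of a legitimately logged-in user (the CSRF case the advisory describes), while the capability check limits who may perform the action at all, so that a low-privileged account cannot trigger a network-wide change even when it sends the request deliberately.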
