CVE-2026-1499

216.73.217.22

· Published 06/02/2026 09:15 · Modified 06/02/2026 15:14

Labels: CVE-2026-1499 2026-02-06 CVE-2026-1499 CWE-862 [email protected]

Essential information

Published: 06/02/2026 09:15
Modified: 06/02/2026 15:14
Author: —
Creator: —
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
wordpress / wp duplicate plugin	`cpe:2.3:a:wordpress:wp_duplicate_plugin:<=1.1.8:::::wordpress::`