CVE-2026-1499

Description

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.

PUBLISHED Reserved 2026-01-27 | Published 2026-02-06 | Updated 2026-02-06 | Assigner Wordfence

Problem types

CWE-862 Missing Authorization

Product status

Timeline

Credits

Athiwat Tiprasaharn finder

References

www.wordfence.com/...-023b-45e1-99a5-7313c489ef45?source=cve

cwe.mitre.org/data/definitions/862.html

plugins.trac.wordpress.org/...min/class-local-sync-admin.php

plugins.trac.wordpress.org/...min/class-local-sync-admin.php

plugins.trac.wordpress.org/...ync-handle-server-requests.php

plugins.trac.wordpress.org/...ync-handle-server-requests.php

plugins.trac.wordpress.org/.../class-local-sync-files-op.php

plugins.trac.wordpress.org/.../class-local-sync-files-op.php

plugins.trac.wordpress.org/...cal-sync&sfp_email=&sfph_mail=

cve.org (CVE-2026-1499)

nvd.nist.gov (CVE-2026-1499)

Download JSON