Vulnerabilities and security researches forduplicate-post duplicate-post

Jun 07, 2024

CVE, Research URL: CVE-2014-10378
Home page URL: Security reports for Yoast Duplicate Post
Application: Yoast Duplicate Post
Date: Aug 22, 2019
Research Description: The duplicate-post plugin before 2.6 for WordPress has XSS.
Affected versions: max 3.0.
Status: vulnerable

CVE, Research URL: CVE-2014-10379
Home page URL: Security reports for Yoast Duplicate Post
Application: Yoast Duplicate Post
Date: Aug 22, 2019
Research Description: The duplicate-post plugin before 2.6 for WordPress has SQL injection.
Affected versions: max 2.6.
Status: vulnerable

Jul 25, 2024

PSC, Research URL: PSC-2024-64516
Home page URL: Security reports for Yoast Duplicate Post
Application: Yoast Duplicate Post
Date: Aug 05, 2025
Research Description: “Yoast Duplicate Post” plugin, has successfully obtained the Plugin Security Certification (PSC) from CleanTalk, demonstrating its commitment to providing a secure and reliable tool for duplicating posts and pages within WordPress environments.
Affected versions: Min 4.6, max 4.6.
Status: SAFE & CERTIFIED

Feb 27, 2026

CVE, Research URL: CVE-2019-25314
Home page URL: Security reports for Yoast Duplicate Post
Application: Yoast Duplicate Post
Date: Feb 11, 2026
Research Description: Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.
Affected versions: max 3.2.3.
Status: vulnerable

Apr 13, 2026

CVE, Research URL: CVE-2026-1217
Home page URL: Security reports for Yoast Duplicate Post
Application: Yoast Duplicate Post
Date: Mar 18, 2026
Research Description: The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content.
Affected versions: max 4.6.
Status: vulnerable

Jun 11, 2026

CVE, Research URL: CVE-2026-53739
Home page URL: Security reports for Yoast Duplicate Post
Application: Yoast Duplicate Post
Date: Jun 11, 2026
Research Description: Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide.
Affected versions: max 4.6.
Status: vulnerable

CVE, Research URL: CVE-2026-53740
Home page URL: Security reports for Yoast Duplicate Post
Application: Yoast Duplicate Post
Date: Jun 11, 2026
Research Description: Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.
Affected versions: max 4.6.
Status: vulnerable