Vulnerabilities and security researches forlocal-sync local-sync

Jan 26, 2025

CVE, Research URL: CVE-2025-24652
Home page URL: Security reports for WP Duplicate – WordPress Migration Plugin
Application: WP Duplicate – WordPress Migration Plugin
Date: Jan 24, 2025
Research Description: Missing Authorization vulnerability in Revmakx WP Duplicate – WordPress Migration Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Duplicate – WordPress Migration Plugin: from n/a through 1.1.6.
Affected versions: max 1.1.7.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-1499
Home page URL: Security reports for WP Duplicate – WordPress Migration Plugin
Application: WP Duplicate – WordPress Migration Plugin
Date: Feb 06, 2026
Research Description: The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.
Affected versions: max 1.1.9.
Status: vulnerable