cleantalk
Vulnerabilities and Security Researches

Yoast Duplicate Post, CVE-2026-1217

CVE, Research URL

CVE-2026-1217

Home page URL

Security reports for Yoast Duplicate Post

Application

Yoast Duplicate Post

Published on
Mar 18, 2026
Research Description
The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content.
Affected versions
max 4.6.
Status
vulnerable
Previous vulnerability researches
Duplicate Page and Post (CVE-2025-31466) , Apr 02, 2025
Duplicate Page and Post (CVE-2025-31471) , Apr 02, 2025
Remove Duplicate Posts (1f5faa66dc6d492718ce5db9c3895b5840416340) , Jun 07, 2024
Remove Duplicate Posts (CVE-2023-29237) , Jun 10, 2024
Delete Duplicate Posts (CVE-2023-47754) , Jun 07, 2024
New vulnerability
Store Locator WordPress (CVE-2026-9060) , Jun 11, 2026
Woody code snippets – Insert Header Footer Code, AdSense Ads (CVE-2017-20251) , Jun 11, 2026
Custom Blocks Constructor – Lazy Blocks (CVE-2026-8981) , Jun 11, 2026
jQuery Hover Footnotes (CVE-2026-10738) , Jun 11, 2026
jQuery Hover Footnotes (CVE-2026-10553) , Jun 11, 2026