CVE-2026-1499
Published: 06 February 2026
Description
The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.
Mitigating Controls (NIST 800-53 r5)
Enforces required authorization checks on the `process_add_site()` AJAX action to prevent subscriber-level attackers from setting the `prod_key_random_id` option.
Applies least privilege to restrict subscriber-level users from accessing administrative AJAX handlers that manipulate sensitive plugin options.
Validates file paths in `handle_upload_single_big_file()` to block path traversal and arbitrary file writes by unauthenticated attackers.
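The three controls above, sketched as an added example for a hypothetical WordPress plugin (this is not WP Duplicate's source and not a vendor patch). The `example_` function names, the `example_sync_key` option, the `example-sync` directory and the extension allow-list are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin code, not taken from WP Duplicate.
// Register only the authenticated hook; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_add_site', 'example_add_site' );

function example_add_site() {
    // CSRF protection: dies unless the nonce issued to the admin page matches.
    check_ajax_referer( 'example_add_site', 'nonce' );
    // Authorization: wp_ajax_* fires for every logged-in user, subscribers included.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Generate the shared key server-side instead of accepting it from the request.
    update_option( 'example_sync_key', wp_generate_password( 64, false ), false );
    wp_send_json_success();
}

// Returns a safe absolute destination path, or null when the upload must be rejected.
function example_resolve_upload_target( $supplied_key, $supplied_name ) {
    $stored = (string) get_option( 'example_sync_key', '' );
    // Reject when no key is configured; otherwise compare in constant time.
    if ( '' === $stored || ! hash_equals( $stored, (string) $supplied_key ) ) {
        return null;
    }
    // Drop every directory component, then apply WordPress filename sanitization.
    $leaf = basename( str_replace( '\\', '/', (string) $supplied_name ) );
    $name = sanitize_file_name( $leaf );
    // Allow-list of data extensions (assumed); executable types never pass.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( '' === $name || ! in_array( $ext, array( 'zip', 'sql' ), true ) ) {
        return null;
    }
    $uploads = wp_upload_dir();
    $base    = trailingslashit( $uploads['basedir'] ) . 'example-sync';
    if ( ! wp_mkdir_p( $base ) ) {
        return null;
    }
    // Resolve symlinks and confirm the target directory is still under uploads.
    $real_base = wp_normalize_path( (string) realpath( $base ) );
    $real_root = wp_normalize_path( (string) realpath( $uploads['basedir'] ) );
    if ( '' === $real_root
        || 0 !== strpos( trailingslashit( $real_base ), trailingslashit( $real_root ) ) ) {
        return null;
    }
    return trailingslashit( $real_base ) . $name;
}
```

An upload handler built on this would call `example_resolve_upload_target()` before touching the filesystem and write only to the returned path, so a traversal sequence in the supplied name can never select the destination directory.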
Security Summary
CVE-2026-1499, published on 2026-02-06, is a Missing Authorization vulnerability (CWE-862) in the WP Duplicate plugin for WordPress, affecting all versions up to and including 1.1.8. The issue stems from a missing capability check on the `process_add_site()` AJAX action, combined with path traversal in the file upload functionality. This allows authenticated attackers at the subscriber level to manipulate internal plugin options, enabling subsequent unauthenticated file uploads. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with subscriber-level permissions can exploit the missing authorization in the `process_add_site()` AJAX handler to set the internal `prod_key_random_id` option. This option then permits an unauthenticated attacker to bypass authentication checks and invoke the `handle_upload_single_big_file()` function, allowing arbitrary file writes to the server via path traversal, which ultimately leads to remote code execution.
The provided references link to the plugin's source code in the WordPress plugin trac repository, specifically highlighting vulnerable code locations such as line 422 in `admin/class-local-sync-admin.php`, line 843 in `admin/class-local-sync-files-op.php`, and line 389 in `includes/class-local-sync-handle-server-requests.php` across tags/1.1.8 and trunk versions. No patch or mitigation details are specified in the available information.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization and path traversal in arbitrary file upload allow unauthenticated RCE on a public-facing WordPress plugin.