CVE-2026-1499

critical

Description

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail=

https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389

https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843

https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422

https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389

https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843

https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422

Details

Source: Mitre, NVD

Published: 2026-02-06

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.01232