WordPress Plugin Vulnerability Report: Duplicate Post Page Menu & Custom Post Type – Missing Authorization to Post Duplication – CVE-2023-4792
Plugin Name: Duplicate Post Page Menu & Custom Post Type
Key Information:
- Software Type: Plugin
- Software Slug: duplicate-post-page-menu-custom-post-type
- Software Status: Removed
- Software Author: inqsys
- Software Downloads: 300,152
- Active Installs: 30,000
- Last Updated: September 7, 2023
- Patched Versions: 2.4.0
- Affected Versions: <=2.3.1
Vulnerability Details:
- Name: Duplicate Post Page Menu & Custom Post Type <= 2.3.1 - Missing Authorization to Post Duplication
- Type: Missing Authorization
- CVE: CVE-2023-4792
- CVSS Score: 4.3 (Medium)
- Publicly Published: September 6, 2023
- Researcher: Marco Wotschka
- Description: The plugin is vulnerable to unauthorized page and post duplication due to a missing capability check on the
duplicate_ppmc_post_as_draft
function in versions up to and including 2.3.1.
Summary:
The Duplicate Post Page Menu & Custom Post Type plugin for WordPress has a vulnerability in versions up to and including 2.3.1 that allows unauthorized page and post duplication. This vulnerability has been patched in version 2.4.0.
Detailed Overview:
This vulnerability was discovered by researcher Marco Wotschka and was publicly announced on September 6, 2023. The core of the vulnerability lies in a missing capability check within the duplicate_ppmc_post_as_draft
function, making it possible for attackers with subscriber-level access or higher to duplicate posts and pages. The risk level is moderate, with a CVSS score of 4.3, which indicates that while the vulnerability might not have catastrophic implications, it can still be exploited to potentially damage or compromise a WordPress site.
Advice for Users:
Immediate Action:
Users are encouraged to immediately update to version 2.4.0 to fix the vulnerability.
Check for Signs of Vulnerability:
Users should check their logs for any unusual duplication of posts or pages that they did not authorize, as this could be a sign that their site has been compromised.
Alternate Plugins:
While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
Stay Updated:
Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
Conclusion:
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.4.0 or later to secure their WordPress installations.
References:
- Wordfence Threat Intel - Duplicate Post Page Menu & Custom Post Type <= 2.3.1 - Missing Authorization to Post Duplication
- Wordfence - Duplicate Post Page Menu & Custom Post Type
Detailed Report
Staying on top of WordPress plugin updates is critical for maintaining a secure website, yet it's easy to let things slip when you're a small business owner juggling multiple priorities. Unfortunately, a neglected update can leave you exposed, as shown by a recently disclosed vulnerability in a widely used plugin. In this post, I'll walk through everything you need to know to secure your site.
The popular Duplicate Post Page Menu & Custom Post Type plugin, with over 300,000 downloads and 30,000 active installs, allows easy duplication of pages and posts in WordPress. On September 6th, researcher Marco Wotschka revealed a vulnerability stemming from a missing capability check in versions 2.3.1 and below.
This vulnerability enables unauthorized users to duplicate posts and pages, posing a threat of content manipulation even though the overall risk level is moderate (CVSS score of 4.3 out of 10). The developer has patched the issue in version 2.4.0, so updating is crucial.
Specifically, you should update to version 2.4.0 or above as soon as possible. It's also wise to check your logs for any unauthorized duplication that may have occurred. If compromised, consider switching to an alternate plugin for that functionality.
This is not the first vulnerability found in this plugin. Another issue allowed unauthorized duplication due to a missing capability check (CVE-2023-36526). It was patched in version 2.4.0 as well.
The key takeaway - keeping your plugins updated is essential, but not always top of mind when running a business. This vulnerability highlights the need to periodically check that your plugins are up-to-date and replace vulnerable ones. Your website's security is worth the minimal time investment.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.