CVE-2025-13404: ATEC Duplicate Page & Post Plugin Vulnerable to Unauthorized Post Duplication

Overview

CVE-2025-13404 is a medium severity vulnerability affecting the ATEC Duplicate Page & Post plugin for WordPress. Because the plugin does not validate authorization before duplicating a post, authenticated attackers with Contributor-level access or higher can duplicate arbitrary posts, including private and password-protected ones. This can lead to sensitive data exposure.

Technical Details

The vulnerability resides in the duplicate_post() function within the plugin. Versions up to and including 1.2.20 lack adequate authorization checks before allowing post duplication. Specifically, the plugin fails to verify whether the user has the necessary permissions to duplicate the target post. An authenticated user with Contributor access can trigger the function and copy any post, regardless of its privacy settings.

The vulnerable code is located in the atec-wpdpp-hooks.php file. The missing authorization check allows malicious users to bypass intended access controls. An attacker can craft a request to the vulnerable endpoint to duplicate any post, including those marked as private or password-protected.
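The following is an added illustration, not the plugin's own code: a minimal WordPress "duplicate post" admin action written first in the unsafe shape the advisory describes (the post is read and copied with no check against the requesting user), then in a hardened form that binds the request to a nonce and checks the user's capabilities on the source post and on the target post type with WordPress's `current_user_can()`. All function names, the `example_duplicate_post` action name and the nonce action string are hypothetical; the WordPress API calls (`check_admin_referer`, `current_user_can`, `get_post_type_object`, `wp_insert_post`, `wp_nonce_url`) are real.

```php
<?php
// Added example (hypothetical handler names; not the plugin's code).

// --- Unsafe pattern: the target post is never checked against the user ---
function example_duplicate_post_unsafe() {
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    $post    = get_post( $post_id );
    if ( ! $post ) {
        wp_die( 'Post not found.' );
    }
    // Any logged-in user who can reach this action copies any post,
    // including private and password-protected ones, into their own draft.
    $new_id = wp_insert_post( array(
        'post_title'   => $post->post_title,
        'post_content' => $post->post_content,
        'post_status'  => 'draft',
        'post_type'    => $post->post_type,
    ) );
    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_id ) );
    exit;
}

// --- Hardened pattern ---
function example_duplicate_post_safe() {
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;

    // 1. The request must carry a nonce bound to this post (CSRF guard).
    check_admin_referer( 'example_duplicate_' . $post_id );

    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_die( 'Post not found.' );
    }

    // 2. The user must be allowed to edit the *source* post. For another
    //    author's post WordPress maps this to edit_others_posts (and
    //    edit_private_posts for private posts), which Contributors lack.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_die( 'You are not allowed to duplicate this post.', 403 );
    }

    // 3. The user must also be allowed to create posts of this type.
    $type_obj = get_post_type_object( $post->post_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->create_posts ) ) {
        wp_die( 'You are not allowed to create this post type.', 403 );
    }

    $new_id = wp_insert_post( array(
        'post_title'   => $post->post_title,
        'post_content' => $post->post_content,
        'post_status'  => 'draft',
        'post_type'    => $post->post_type,
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ) );
    }

    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_id ) );
    exit;
}
add_action( 'admin_action_example_duplicate_post', 'example_duplicate_post_safe' );

// The "Duplicate" link shown to users carries the matching nonce.
function example_duplicate_link( $post_id ) {
    $url = admin_url( 'admin.php?action=example_duplicate_post&post=' . absint( $post_id ) );
    return wp_nonce_url( $url, 'example_duplicate_' . $post_id );
}
```

The key difference is that the safe version asks WordPress whether the current user may edit the specific source post rather than only whether they are logged in. Checking `edit_post` on the source (not merely `edit_posts` in general) is what stops a Contributor from copying a private or password-protected post owned by someone else; the nonce check is a separate defence against forged requests and does not replace the capability check.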

Affected Versions:

All versions up to and including 1.2.20

CVSS Analysis

  • CVSS Score: 5.3
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

This CVSS score indicates a medium severity vulnerability. The vulnerability is network accessible (AV:N), has a low attack complexity (AC:L), requires low privileges (PR:L), and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity (I:N) or availability (A:N).

Possible Impact

The exploitation of this vulnerability can lead to the following consequences:

  • Data Exposure: Unauthorized duplication of private or password-protected posts reveals sensitive information to unauthorized users.
  • Content Mismanagement: Uncontrolled duplication of content can lead to confusion and mismanagement of website content.
  • Reputational Damage: Exposure of confidential information can harm the reputation of the website and its owners.

Mitigation or Patch Steps

The recommended mitigation is to update the ATEC Duplicate Page & Post plugin to version 1.2.21 or later. This version includes the necessary authorization checks to prevent unauthorized post duplication.

Steps to Update:

  1. Log in to your WordPress administration dashboard.
  2. Navigate to the “Plugins” section.
  3. Locate the “ATEC Duplicate Page & Post” plugin.
  4. Click the “Update Now” button to update to the latest version.
  5. Verify that the updated version is 1.2.21 or later.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
