Cyber Resilience

CVE-2026-1499

High

Published: 06 February 2026

Published
06 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0094 56.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1499 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The WP Duplicate plugin for WordPress is vulnerable to missing authorization that enables arbitrary file upload in all versions through 1.1.8. The flaw stems from the absence of a capability check on the process_add_site AJAX action together with path traversal in the upload code, allowing an authenticated user to set the prod_key_random_id option and subsequently abuse the handle_upload_single_big_file function for unauthenticated file writes that result in remote code execution. The issue carries a CVSS 3.1 score of 8.8 and is tracked under CWE-862.

An authenticated subscriber-level attacker can first invoke the unprotected AJAX handler to configure the internal prod_key_random_id value. An unauthenticated attacker can then leverage that value to bypass authentication checks and write arbitrary files to the server, achieving remote code execution on the affected WordPress site.

The supplied references point to the vulnerable code paths in class-local-sync-admin.php, class-local-sync-files-op.php, and class-local-sync-handle-server-requests.php but contain no mitigation guidance or patch information.

EPSS for the vulnerability rose from a low baseline to a peak of 0.0147 on 2026-02-12 before receding to the current value of 0.0046, indicating that exploitation interest emerged after public disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path…

more

traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization and path traversal in arbitrary file upload allows unauthenticated RCE on public-facing WordPress plugin.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69311Shared CWE-862
CVE-2026-3266Shared CWE-862
CVE-2026-45438Shared CWE-862
CVE-2025-23477Shared CWE-862
CVE-2025-68834Shared CWE-862
CVE-2026-22663Shared CWE-862
CVE-2024-12544Shared CWE-862
CVE-2024-50967Shared CWE-862
CVE-2025-68059Shared CWE-862
CVE-2025-14070Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces required authorization checks on the process_add_site() AJAX action to prevent subscriber-level attackers from setting the prod_key_random_id option.

prevent

Applies least privilege to restrict subscriber-level users from accessing administrative AJAX handlers that manipulate sensitive plugin options.

prevent

Validates file paths in handle_upload_single_big_file() to block path traversal and arbitrary file writes by unauthenticated attackers.

References