CVE-2026-1499
Published: 06 February 2026
Summary
CVE-2026-1499 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The WP Duplicate plugin for WordPress is vulnerable to missing authorization that enables arbitrary file upload in all versions through 1.1.8. The flaw stems from the absence of a capability check on the process_add_site AJAX action together with path traversal in the upload code, allowing an authenticated user to set the prod_key_random_id option and subsequently abuse the handle_upload_single_big_file function for unauthenticated file writes that result in remote code execution. The issue carries a CVSS 3.1 score of 8.8 and is tracked under CWE-862.
An authenticated subscriber-level attacker can first invoke the unprotected AJAX handler to configure the internal prod_key_random_id value. An unauthenticated attacker can then leverage that value to bypass authentication checks and write arbitrary files to the server, achieving remote code execution on the affected WordPress site.
The supplied references point to the vulnerable code paths in class-local-sync-admin.php, class-local-sync-files-op.php, and class-local-sync-handle-server-requests.php but contain no mitigation guidance or patch information.
EPSS for the vulnerability rose from a low baseline to a peak of 0.0147 on 2026-02-12 before receding to the current value of 0.0046, indicating that exploitation interest emerged after public disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5649
Vulnerability details
The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path…
more
traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization and path traversal in arbitrary file upload allows unauthenticated RCE on public-facing WordPress plugin.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces required authorization checks on the process_add_site() AJAX action to prevent subscriber-level attackers from setting the prod_key_random_id option.
Applies least privilege to restrict subscriber-level users from accessing administrative AJAX handlers that manipulate sensitive plugin options.
Validates file paths in handle_upload_single_big_file() to block path traversal and arbitrary file writes by unauthenticated attackers.