https://www.pluginvulnerabilities.com/2017/10/20/cross-site-request-forgery-csrf-vulnerability-in-duplicate-page/

While looking into the details of a reflected cross-site scripting (XSS) vulnerability in the plugin Duplicate Page we noticed that there was no protection against cross-site request forgery (CSRF) when using the plugin’s functionality, duplicating a post or page.

As of version 2.3 the URLs for the duplication looks like this:

/wp-admin/admin.php?action=dt_duplicate_post_as_draft&post=1

If there was protection against CSRF there

Share This