CVE-2026-1499

WP Duplicate · WP Duplicate Plugin

The WP Duplicate plugin for WordPress allows an authenticated subscriber-level user to set up a chain of vulnerabilities that an unauthenticated attacker can then complete, resulting in remote code execution via arbitrary file upload.

Executive summary

A critical vulnerability chain in the WP Duplicate plugin allows low-privileged authenticated users to bypass the plugin's security checks, which in turn enables unauthenticated attackers to upload malicious files and execute code on the server remotely.

Vulnerability

This is a multi-stage flaw involving missing authorization on the process_add_site() AJAX action and path traversal. A subscriber-level attacker can set an internal key, which an unauthenticated attacker can subsequently use to bypass checks in the handle_upload_single_big_file() function, resulting in arbitrary file upload and remote code execution (RCE).

Business impact

The impact is severe, as it allows low-privileged users to facilitate a full server compromise by unauthenticated external actors. This can lead to website defacement, data exfiltration, or the use of the server as a pivot point for further internal network attacks. The CVSS score of 9.8 is justified by the ease of moving from low-level access to full RCE.

Remediation

Immediate Action: Deactivate and remove the WP Duplicate plugin immediately, and only reinstall it once a version higher than 1.1.8 is available and has been verified to contain the fix.

Proactive Monitoring: Review WordPress AJAX activity (requests to admin-ajax.php) in the web server and application logs, and check the /wp-content/uploads/ directory for PHP files or unexpected directory structures that the upload handler should never have produced.

Compensating Controls: Implement a WAF to block unauthorized AJAX calls and restrict file upload types at the web server level.
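The two monitoring checks above can be automated. The script below is an added example, not code from the advisory or from the WP Duplicate plugin: it parses access-log lines for admin-ajax.php calls to the actions tied to this chain and walks the uploads directory for files a web server could execute as PHP. The AJAX action names (process_add_site, handle_upload_single_big_file) are taken from the function names in the Vulnerability section and are assumed to match the registered hook names; the log lines and the uploads tree are constructed sample data.

```python
"""
Added example (not the advisory's or the plugin's code): defender-side checks
for the "Proactive Monitoring" step. Action names, paths and log lines are
constructed assumptions, not values taken from the plugin.
"""
from __future__ import annotations

import os
import re
import tempfile
from urllib.parse import parse_qs, urlparse

# Extensions that common Apache/mod_php and PHP-FPM configurations execute.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Assumed AJAX action names (hypothetical: derived from the function names in the
# advisory; the plugin's real wp_ajax hook names are not stated on the page).
WATCHED_ACTIONS = {"process_add_site", "handle_upload_single_big_file"}

# Constructed Apache combined-format lines standing in for a real access log.
# Note: only actions passed in the query string are visible here; an action sent
# in the POST body needs application- or WAF-level logging to be seen.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=process_add_site HTTP/1.1" 200 45 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2026:10:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=handle_upload_single_big_file HTTP/1.1" 200 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_ajax_calls(log_text: str) -> list[dict]:
    """Return admin-ajax.php requests whose query-string action is on the watch list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlparse(m["target"])
        if not url.path.endswith("/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [None])[0]
        if action in WATCHED_ACTIONS:
            hits.append({"ip": m["ip"], "ts": m["ts"], "action": action,
                         "status": int(m["status"])})
    return hits


def find_executable_uploads(uploads_dir: str) -> list[str]:
    """List files under uploads_dir that a PHP handler could execute.

    Any extension segment is checked, so "avatar.php.jpg" is flagged too: Apache
    setups that map the handler with AddHandler treat every ".php" segment as
    executable regardless of the final extension.
    """
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            segments = name.lower().split(".")[1:]
            if any("." + seg in EXECUTABLE_EXTS for seg in segments):
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_uploads() -> str:
    """Create a constructed uploads tree in a temp directory so the example runs offline."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    layout = {
        "2026/01/photo.jpg": b"\xff\xd8\xff",          # benign image
        "2026/01/logo.png": b"\x89PNG",                # benign image
        "2026/01/shell.php": b"<?php echo 1; ?>",      # should never exist here
        "wpduplicate/tmp/x.phtml": b"<?php ?>",        # unexpected plugin-created dir
        "2026/01/avatar.php.jpg": b"\xff\xd8",         # double-extension trick
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for hit in suspicious_ajax_calls(SAMPLE_LOG):
        print("AJAX  ", hit)
    for path in find_executable_uploads(build_sample_uploads()):
        print("UPLOAD", path)
```

On a live site, point find_executable_uploads at the real /wp-content/uploads/ path and feed suspicious_ajax_calls the web server's access log; any hit from the watched actions by an IP that never authenticated, or any PHP file under uploads, is a strong indicator that this chain has been exercised.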

Exploitation status

Public Exploit Available: No

Analyst recommendation

The complexity of this vulnerability chain does not diminish its risk; rather, it highlights a fundamental failure in the plugin's authorization logic. Organizations running WordPress should immediately update or remove this plugin. Given the potential for unauthenticated RCE, this is a critical priority for any web-facing WordPress installation.