Authenticated Information Disclosure Vulnerability in Page and Post Clone
The log message for version 1.1 of the plugin Page and Post Clone was “cookie exploit resolution”. In looking at the changes made in that version, to see if that was a vulnerability that we should add to our data, we found that what was being fixed there was a cross-site request forgery (CSRF) vulnerability. As far as we can think of, that seems of little consequence. In looking into that, though, we realized that the plugin did have a slightly more serious issue that we had previously also noticed in other plugins that provide the same functionality (one of the negatives of having so many WordPress plugins is that you can have the same vulnerabilities come up again and again as new plugins are introduced).
As of version 1.1, the plugin doesn’t check whether the user cloning a page or post has the ability to edit that post, which could, for example, lead to contributor-level or author-level users gaining access to the contents of password-protected posts.
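One way a clone handler can enforce the check described above, as an added example that is not the plugin's code: the action name `example_clone_post`, the nonce name and the function name are hypothetical, and the WordPress functions called are core APIs.

```php
<?php
// Added example: a hypothetical clone handler, not code from Page and Post Clone.
// The action name, nonce name and function name are assumptions.
add_action( 'admin_action_example_clone_post', 'example_clone_post' );

function example_clone_post() {
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;

    // CSRF protection: the request must carry a nonce bound to this post ID.
    check_admin_referer( 'example_clone_post_' . $post_id );

    $source = get_post( $post_id );
    if ( ! $source ) {
        wp_die( 'Post not found.', '', array( 'response' => 404 ) );
    }

    // Per-post capability check. Without it, any user who can reach the
    // handler gets a draft copy they own, and can read its content in the
    // editor even if the source was password-protected or someone else's.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to clone this post.', '', array( 'response' => 403 ) );
    }

    $new_id = wp_insert_post(
        wp_slash(
            array(
                'post_title'    => $source->post_title,
                'post_content'  => $source->post_content,
                'post_excerpt'  => $source->post_excerpt,
                'post_type'     => $source->post_type,
                'post_status'   => 'draft',
                'post_author'   => get_current_user_id(),
                'post_password' => $source->post_password,
            )
        ),
        true // Return a WP_Error on failure instead of 0.
    );

    if ( is_wp_error( $new_id ) ) {
        wp_die( $new_id->get_error_message() );
    }

    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
```

Passing the post ID to `current_user_can( 'edit_post', ... )` makes WordPress evaluate the capability against that specific post, so a contributor or author is refused for posts they could not already edit.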