CVE-2021-25075: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2021-25075) affects the WordPress plugin 'Duplicate Page or Post' versions below 1.5.1. The vulnerability was publicly disclosed on January 24, 2022, and received a CVSS score of 8.0 (high). This security flaw impacts the plugin's authorization mechanism and CSRF protection in the wpdevartduplicatepostparametrssaveindb AJAX action (WPScan).

The vulnerability stems from a combination of missing authorization controls and a flawed CSRF check in the wpdevartduplicatepostparametrssaveindb AJAX action. Additionally, the lack of proper escaping in the plugin's code compounds the issue. The vulnerability allows any authenticated user, including those with subscriber-level access, to modify the plugin's settings. The technical classification identifies this as a CWE-862 issue, falling under the OWASP Top 10 category A5: Broken Access Control (WPScan).

When exploited, this vulnerability can lead to Stored Cross-Site Scripting (XSS) attacks. The impact is particularly severe as it allows authenticated users to modify plugin settings and potentially execute malicious JavaScript code that would be triggered when an administrator accesses the plugin's settings page (WPScan).

The vulnerability has been patched in version 1.5.1 of the Duplicate Page or Post plugin. The fix was implemented across multiple versions: v1.4.7 added proper authorization, v1.4.8 added escaping, and v1.5.1 fixed the flawed CSRF check. Users are strongly advised to update to version 1.5.1 or later to protect against this vulnerability (WPScan).