CNNVD-202602-1046 Information

Feb 06, 2026 cve

CNNVD ID

CNNVD-202602-1046

CVE-2026-1499

  • CNNVD Published: 2026-02-06

Description (Chinese)

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin WP Duplicate 1.1.8及之前版本存在安全漏洞,该漏洞源于process_add_site AJAX操作缺少能力检查,且文件上传功能存在路径遍历,可能导致经过身份验证的攻击者设置内部选项,进而使未经验证的攻击者绕过身份验证检查并通过handle_upload_single_big_file函数向服务器写入任意文件,最终导致远程代码执行。

Description (English)

WordPress and WordPressplugin are products of WordPress. WordPress is a blog platform developed in the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL-based servers. WordPress plugin is an application plugin. WordPresin WP Duplicate 1.1.8 and previous versions contain a security loophole stemming from the lack of capacity to check the program add site AJAX operation and the fact that the file upload function has a routing history, which may lead to an identified attacker setting internal options, thus enabling the uncertified assailant to bypass the identity check and write to the server any file through the Handle upload single big file function, leading to remote code execution.

Hazard Level

Low

Vulnerability Type

其他

Affected Vendor

WordPress

Published

2026-02-06

Last Modified

2026-02-24

References

https://cwe.mitre.org/data/definitions/862.html https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve

Share on: