CVE-2026-53738 - Copy & Delete Posts AJAX privilege escalation
Copy & Delete Posts through 1.5.4 lets any WordPress role that the plugin
enables invoke the cdp_action_handling AJAX handler without per-operation
capability enforcement. A low-privilege user can drive destructive or
administrative plugin functions through the f parameter, including deletion
workflows and plugin-setting changes that should remain administrator-only.
The WordPress plugin directory still lists 1.5.4 as the published version, so
many repositories will need a containment-first response: remove or disable the
plugin, or carry a tightly scoped temporary patch, until an upstream fixed
release is available.
When to use it
- A WordPress repository installs or vendors Copy & Delete Posts
1.5.4or older. - Non-admin roles can access plugin functionality or authenticated users can
reach
cdp_action_handlingAJAX operations. - A fixed upstream release is not available and the safe path is removal, deactivation, or a reviewed temporary capability patch.
- You need a bounded PR or triage note that protects destructive AJAX actions and records operator content-review steps.
Inputs
- WordPress plugin inventory, Composer/Bedrock files, WP-CLI scripts, Dockerfiles, plugin zips, Helm/Terraform/Ansible, deployment runbooks, and response-layer controls.
- Plugin role settings,
admin-ajax.phpexposure,cdp_action_handlingoperation map, post deletion/duplication logs, and plugin-setting audit data. - Available WordPress/PHP tests, plugin inventory commands, deployment render, security scans, and inert-content authorization tests.
Affected versions
- Vulnerable: Copy & Delete Posts
<=1.5.4 - Current plugin-directory version:
1.5.4 - Patched upstream release: none published yet on WordPress.org at the time of writing
- Preferred remediation: disable/remove the plugin or deploy an audited temporary capability check until the maintainer ships a fixed release
Source-freshness note: GitHub Advisory Database currently publishes this as an
unreviewed advisory with no package metadata and unknown affected/patched
version fields. The WordPress.org plugin page still shows version 1.5.4, so
repositories should not wait for Dependabot metadata before inventorying plugin
bundles, deployment manifests, and runbooks directly.
Indicator-of-exposure
- The repository owns a WordPress site, plugin bundle, Bedrock/Composer
project, deployment manifest, image, or runbook that installs
copy-delete-posts. - A deployable target resolves Copy & Delete Posts
1.5.4or older. - Non-admin roles are granted plugin access under the plugin’s role settings.
- The site exposes
admin-ajax.phpto authenticated low-privilege users.
Quick checks:
wp plugin list --fields=name,version,status | grep -E '^copy-delete-posts[[:space:]]'
wp plugin status copy-delete-posts
rg -n "copy-delete-posts|Duplicate Post|cdp_action_handling|admin-ajax.php|wp_ajax_" .
find . -path "*/wp-content/plugins/copy-delete-posts/*" -maxdepth 8 -type f | head
Windows:
wp plugin list --fields=name,version,status | Select-String '^copy-delete-posts\s'
wp plugin status copy-delete-posts
rg -n "copy-delete-posts|Duplicate Post|cdp_action_handling|admin-ajax.php|wp_ajax_" .
Get-ChildItem -Path . -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.FullName -match "wp-content[\\/]+plugins[\\/]+copy-delete-posts[\\/]" } | Select-Object -First 20
Do not verify exposure by invoking destructive AJAX operations against real posts, pages, plugin settings, or production sessions.
Remediation strategy
- Prefer removing or disabling Copy & Delete Posts if the workflow is not business-critical.
- If the plugin must remain, restrict plugin access back to administrators only
and add a temporary patch that enforces per-action capability checks inside
cdp_action_handlingbefore any delete, copy, cleanup, or settings action. - Monitor for an upstream fixed release and upgrade immediately when it is published.
- Review audit trails, post trash/deletion logs, and plugin-setting changes for unexpected low-privilege activity while the site was exposed.
- If the repository owns edge or authz controls, add temporary containment that blocks low-privilege access to the plugin’s AJAX actions until code changes are deployed.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-53738 / GHSA-cx2j-wv5h-5j6v, where Copy & Delete
Posts through 1.5.4 lets plugin-enabled non-admin roles invoke privileged
operations through the `cdp_action_handling` AJAX handler. Produce exactly one
output:
- A reviewer-ready PR/change request that removes, disables, upgrades, or
temporarily patches the vulnerable plugin and documents required operator
cleanup, or
- TRIAGE.md if this repository does not own the WordPress plugin deployment or
cannot make a safe patch.
## Rules
- Scope only CVE-2026-53738 / GHSA-cx2j-wv5h-5j6v and directly related
WordPress capability checks, plugin-role configuration, and AJAX containment.
- Treat WordPress sessions, nonces, customer content, draft posts, deleted
posts, and administrator URLs as sensitive.
- Do not broaden scope into unrelated plugin refactors or role redesigns.
- Do not silently restore or delete production content.
- Do not auto-merge.
## Steps
1. Inventory WordPress ownership in this repository:
- `wp-content/plugins/copy-delete-posts`;
- Composer or Bedrock references such as
`wpackagist-plugin/copy-delete-posts`;
- WP-CLI install scripts, Dockerfiles, plugin zips, Helm charts, Terraform,
Ansible, deployment runbooks, and response-layer controls for
`admin-ajax.php`.
2. If the repository does not deploy or package a WordPress site with Copy &
Delete Posts, stop with `TRIAGE.md` explaining what was checked and who owns
runtime remediation.
3. Determine the resolved plugin version for every deployable target. A target
is vulnerable if it resolves to `<=1.5.4`.
4. Determine whether non-admin roles are granted plugin access and which plugin
operations are reachable through `cdp_action_handling`.
5. If the plugin is optional, prefer removal or deactivation over carrying a
vulnerable duplicate/delete helper.
6. If the plugin must remain before an upstream fix exists:
- restrict plugin access to administrators only;
- add explicit per-action capability checks inside the vulnerable AJAX
handler before delete, cleanup, copy, or settings functions run;
- fail closed on unknown `f` values;
- preserve existing nonces and CSRF protections.
7. When a safe upstream release exists and is controlled by this repo, upgrade
to it and refresh plugin artifacts, checksums, image metadata, SBOMs, and
deployment render output.
8. Add a PR body section named `CVE-2026-53738 operator actions` that requires:
- confirmation that production no longer grants low-privilege plugin access;
- review of unexpected post deletion, duplication, or plugin-setting changes
while the site was exposed;
- review of WordPress users and roles that had plugin access;
- confirmation that production now runs a fixed release, a reviewed
temporary patch, or the plugin is disabled/removed.
9. Add or update verification that a low-privilege authenticated user cannot
invoke destructive or settings-changing `cdp_action_handling` operations.
Use inert test content only and do not delete real production posts.
10. Run the relevant validation: Composer/WP-CLI dependency checks, WordPress
plugin inventory, PHP tests, deployment rendering, and security scans
available in this repository.
11. Use PR title:
`fix(sec): remediate CVE-2026-53738 in Copy & Delete Posts`.
## Stop conditions
- No WordPress site or Copy & Delete Posts deployment is controlled by this
repository.
- The plugin version is managed only in production outside the repo.
- The only apparent fix would require unsafe direct database edits or broad
content restoration the repo does not control.
- No reviewed temporary patch is acceptable and no upstream fixed release is
available; in that case disable or remove the plugin and document why.
- Validation fails for unrelated pre-existing reasons; document the failure
instead of broadening scope.
Verification - what the reviewer looks for
- No deployable target still exposes low-privilege
cdp_action_handlingaccess. - The real plugin delivery path is updated or the plugin is disabled/removed.
- Temporary patches enforce per-action capability checks and fail closed on unexpected action names.
- Operator notes cover post-deletion review, role review, and plugin-setting review.
- Verification uses inert test content and does not destroy production posts.
Output contract
- Reviewer-ready PR removing, disabling, upgrading, or temporarily patching Copy & Delete Posts with server-side per-action capability checks.
- Evidence that low-privilege users cannot invoke destructive or settings
changing
cdp_action_handlingoperations. - Operator notes for role review, post deletion/duplication review, plugin-setting review, and fixed-release follow-up.
TRIAGE.mdwhen plugin versioning, production-only configuration, or content recovery is outside repository control.
Watch for
- Repositories that vendor plugins under
wp-content/pluginswhile also installing them via Composer or WP-CLI. - Fixes that gate the menu UI but leave the AJAX handler callable.
- Leaving low-privilege roles enabled in plugin settings after patching code.
- Containment that blocks one function name but not other
fvalues in the same handler.
Related recipes
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-cx2j-wv5h-5j6v
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-53738
- WordPress plugin directory: https://wordpress.org/plugins/copy-delete-posts/