CVE-2026-53738 - Copy & Delete Posts AJAX privilege escalation

Copy & Delete Posts through 1.5.4 lets any WordPress role that the plugin enables invoke the cdp_action_handling AJAX handler without per-operation capability enforcement. A low-privilege user can drive destructive or administrative plugin functions through the f parameter, including deletion workflows and plugin-setting changes that should remain administrator-only.

The WordPress plugin directory still lists 1.5.4 as the published version, so many repositories will need a containment-first response: remove or disable the plugin, or carry a tightly scoped temporary patch, until an upstream fixed release is available.

When to use it

  • A WordPress repository installs or vendors Copy & Delete Posts 1.5.4 or older.
  • Non-admin roles can access plugin functionality or authenticated users can reach cdp_action_handling AJAX operations.
  • A fixed upstream release is not available and the safe path is removal, deactivation, or a reviewed temporary capability patch.
  • You need a bounded PR or triage note that protects destructive AJAX actions and records operator content-review steps.

Inputs

  • WordPress plugin inventory, Composer/Bedrock files, WP-CLI scripts, Dockerfiles, plugin zips, Helm/Terraform/Ansible, deployment runbooks, and response-layer controls.
  • Plugin role settings, admin-ajax.php exposure, cdp_action_handling operation map, post deletion/duplication logs, and plugin-setting audit data.
  • Available WordPress/PHP tests, plugin inventory commands, deployment render, security scans, and inert-content authorization tests.

Affected versions

  • Vulnerable: Copy & Delete Posts <=1.5.4
  • Current plugin-directory version: 1.5.4
  • Patched upstream release: none published yet on WordPress.org at the time of writing
  • Preferred remediation: disable/remove the plugin or deploy an audited temporary capability check until the maintainer ships a fixed release

Source-freshness note: GitHub Advisory Database currently publishes this as an unreviewed advisory with no package metadata and unknown affected/patched version fields. The WordPress.org plugin page still shows version 1.5.4, so repositories should not wait for Dependabot metadata before inventorying plugin bundles, deployment manifests, and runbooks directly.

Indicator-of-exposure

  • The repository owns a WordPress site, plugin bundle, Bedrock/Composer project, deployment manifest, image, or runbook that installs copy-delete-posts.
  • A deployable target resolves Copy & Delete Posts 1.5.4 or older.
  • Non-admin roles are granted plugin access under the plugin’s role settings.
  • The site exposes admin-ajax.php to authenticated low-privilege users.

Quick checks:

wp plugin list --fields=name,version,status | grep -E '^copy-delete-posts[[:space:]]'
wp plugin status copy-delete-posts
rg -n "copy-delete-posts|Duplicate Post|cdp_action_handling|admin-ajax.php|wp_ajax_" .
find . -path "*/wp-content/plugins/copy-delete-posts/*" -maxdepth 8 -type f | head

Windows:

wp plugin list --fields=name,version,status | Select-String '^copy-delete-posts\s'
wp plugin status copy-delete-posts
rg -n "copy-delete-posts|Duplicate Post|cdp_action_handling|admin-ajax.php|wp_ajax_" .
Get-ChildItem -Path . -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.FullName -match "wp-content[\\/]+plugins[\\/]+copy-delete-posts[\\/]" } | Select-Object -First 20

Do not verify exposure by invoking destructive AJAX operations against real posts, pages, plugin settings, or production sessions.

Remediation strategy

  • Prefer removing or disabling Copy & Delete Posts if the workflow is not business-critical.
  • If the plugin must remain, restrict plugin access back to administrators only and add a temporary patch that enforces per-action capability checks inside cdp_action_handling before any delete, copy, cleanup, or settings action.
  • Monitor for an upstream fixed release and upgrade immediately when it is published.
  • Review audit trails, post trash/deletion logs, and plugin-setting changes for unexpected low-privilege activity while the site was exposed.
  • If the repository owns edge or authz controls, add temporary containment that blocks low-privilege access to the plugin’s AJAX actions until code changes are deployed.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-53738 / GHSA-cx2j-wv5h-5j6v, where Copy & Delete
Posts through 1.5.4 lets plugin-enabled non-admin roles invoke privileged
operations through the `cdp_action_handling` AJAX handler. Produce exactly one
output:

- A reviewer-ready PR/change request that removes, disables, upgrades, or
  temporarily patches the vulnerable plugin and documents required operator
  cleanup, or
- TRIAGE.md if this repository does not own the WordPress plugin deployment or
  cannot make a safe patch.

## Rules

- Scope only CVE-2026-53738 / GHSA-cx2j-wv5h-5j6v and directly related
  WordPress capability checks, plugin-role configuration, and AJAX containment.
- Treat WordPress sessions, nonces, customer content, draft posts, deleted
  posts, and administrator URLs as sensitive.
- Do not broaden scope into unrelated plugin refactors or role redesigns.
- Do not silently restore or delete production content.
- Do not auto-merge.

## Steps

1. Inventory WordPress ownership in this repository:
   - `wp-content/plugins/copy-delete-posts`;
   - Composer or Bedrock references such as
     `wpackagist-plugin/copy-delete-posts`;
   - WP-CLI install scripts, Dockerfiles, plugin zips, Helm charts, Terraform,
     Ansible, deployment runbooks, and response-layer controls for
     `admin-ajax.php`.
2. If the repository does not deploy or package a WordPress site with Copy &
   Delete Posts, stop with `TRIAGE.md` explaining what was checked and who owns
   runtime remediation.
3. Determine the resolved plugin version for every deployable target. A target
   is vulnerable if it resolves to `<=1.5.4`.
4. Determine whether non-admin roles are granted plugin access and which plugin
   operations are reachable through `cdp_action_handling`.
5. If the plugin is optional, prefer removal or deactivation over carrying a
   vulnerable duplicate/delete helper.
6. If the plugin must remain before an upstream fix exists:
   - restrict plugin access to administrators only;
   - add explicit per-action capability checks inside the vulnerable AJAX
     handler before delete, cleanup, copy, or settings functions run;
   - fail closed on unknown `f` values;
   - preserve existing nonces and CSRF protections.
7. When a safe upstream release exists and is controlled by this repo, upgrade
   to it and refresh plugin artifacts, checksums, image metadata, SBOMs, and
   deployment render output.
8. Add a PR body section named `CVE-2026-53738 operator actions` that requires:
   - confirmation that production no longer grants low-privilege plugin access;
   - review of unexpected post deletion, duplication, or plugin-setting changes
     while the site was exposed;
   - review of WordPress users and roles that had plugin access;
   - confirmation that production now runs a fixed release, a reviewed
     temporary patch, or the plugin is disabled/removed.
9. Add or update verification that a low-privilege authenticated user cannot
   invoke destructive or settings-changing `cdp_action_handling` operations.
   Use inert test content only and do not delete real production posts.
10. Run the relevant validation: Composer/WP-CLI dependency checks, WordPress
    plugin inventory, PHP tests, deployment rendering, and security scans
    available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-53738 in Copy & Delete Posts`.

## Stop conditions

- No WordPress site or Copy & Delete Posts deployment is controlled by this
  repository.
- The plugin version is managed only in production outside the repo.
- The only apparent fix would require unsafe direct database edits or broad
  content restoration the repo does not control.
- No reviewed temporary patch is acceptable and no upstream fixed release is
  available; in that case disable or remove the plugin and document why.
- Validation fails for unrelated pre-existing reasons; document the failure
  instead of broadening scope.

Verification - what the reviewer looks for

  • No deployable target still exposes low-privilege cdp_action_handling access.
  • The real plugin delivery path is updated or the plugin is disabled/removed.
  • Temporary patches enforce per-action capability checks and fail closed on unexpected action names.
  • Operator notes cover post-deletion review, role review, and plugin-setting review.
  • Verification uses inert test content and does not destroy production posts.

Output contract

  • Reviewer-ready PR removing, disabling, upgrading, or temporarily patching Copy & Delete Posts with server-side per-action capability checks.
  • Evidence that low-privilege users cannot invoke destructive or settings changing cdp_action_handling operations.
  • Operator notes for role review, post deletion/duplication review, plugin-setting review, and fixed-release follow-up.
  • TRIAGE.md when plugin versioning, production-only configuration, or content recovery is outside repository control.

Watch for

  • Repositories that vendor plugins under wp-content/plugins while also installing them via Composer or WP-CLI.
  • Fixes that gate the menu UI but leave the AJAX handler callable.
  • Leaving low-privilege roles enabled in plugin settings after patching code.
  • Containment that blocks one function name but not other f values in the same handler.

References