Multisite Post Duplicator – dxw advisories

Potentially unsafe

Last revised: December 9, 2016

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do

This recommendation applies to version 0.9.5.1 of this plugin, but the most recent version is 1.7.6. These findings may no longer be correct.

Findings

HTML and JS output is mostly unescaped.
unserialize() is used on content taken from the database.
Does not use nonces and is vulnerable to CSRF

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

With the lack of escaping it’s fairly likely that a reflected XSS vulnerability exists. Also vulnerable to CSRF with can lead to stored XSS.

Failure criteria

Lack of proper output escaping