PatchSiren cyber security CVE debrief
CVE-2026-53738 Inisev CVE debrief
CVE-2026-53738 is a HIGH severity vulnerability in the Copy & Delete Posts plugin for WordPress. The plugin's cdp_action_handling AJAX handler allows any plugin-enabled non-admin role to invoke every operation, including deleting posts and overwriting plugin settings. This is possible due to a lack of per-function capability checks. The vulnerability has a CVSS score of 7.2 and was published on [2026-06-10](https://www.cve.org/CVERecord?id=CVE-2026-53738).
- Vendor: Inisev
- Product: Copy & Delete Posts
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of the Copy & Delete Posts plugin for WordPress should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists in the cdp_action_handling AJAX handler of the Copy & Delete Posts plugin. The handler selects the operation to run from the f request parameter but applies no per-function capability checks, so any plugin-enabled non-admin role can invoke every operation in the handler, including deleting posts and overwriting plugin settings.
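The check this class of handler needs, as an added example that is not the plugin's code: each operation selected by f is allow-listed and tied to its own WordPress capability before it runs. The hook, nonce, option and operation names (demo_*) and the ids and value fields are hypothetical; only the f parameter comes from the advisory.

```php
<?php
/**
 * Added example, not the plugin's code. Hook, nonce, option and operation
 * names (demo_*) are hypothetical; only the "f" parameter is from the advisory.
 */

// Each operation declares the capability it requires and the code it runs.
function demo_operations() {
    return array(
        'delete_posts'  => array(
            'cap' => 'delete_posts',
            'run' => function ( array $req ) {
                $deleted = array();
                foreach ( array_map( 'absint', (array) ( $req['ids'] ?? array() ) ) as $id ) {
                    // Object-level check: caller must be allowed to delete this post.
                    if ( $id && current_user_can( 'delete_post', $id ) && wp_delete_post( $id ) ) {
                        $deleted[] = $id;
                    }
                }
                return $deleted;
            },
        ),
        'save_settings' => array(
            'cap' => 'manage_options', // settings writes stay admin-only
            'run' => function ( array $req ) {
                $value = sanitize_text_field( $req['value'] ?? '' );
                return update_option( 'demo_plugin_settings', $value );
            },
        ),
    );
}

function demo_action_handling() {
    check_ajax_referer( 'demo_action', 'nonce' ); // CSRF check; dies on failure

    $req = wp_unslash( $_POST );
    $f   = isset( $req['f'] ) ? sanitize_key( $req['f'] ) : '';
    $ops = demo_operations();

    // Allow-list the operation first, then enforce the capability tied to it.
    if ( ! isset( $ops[ $f ] ) ) {
        wp_send_json_error( array( 'error' => 'unknown operation' ), 400 );
    }
    if ( ! current_user_can( $ops[ $f ]['cap'] ) ) {
        wp_send_json_error( array( 'error' => 'forbidden' ), 403 );
    }
    wp_send_json_success( $ops[ $f ]['run']( $req ) );
}
add_action( 'wp_ajax_demo_action_handling', 'demo_action_handling' );
```

A role that passes only a coarse "plugin-enabled" gate fails the manage_options check here, so it cannot reach the settings write through the same endpoint.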
Defensive priority
HIGH
Recommended defensive actions
- Update to a patched version of the Copy & Delete Posts plugin.
- Restrict access to the plugin's functionality to only admin roles.
- Monitor for suspicious activity related to the plugin.
Evidence notes
The vulnerability was reported in the [VulnCheck advisory](https://www.vulncheck.com/advisories/copy-delete-posts-through-privilege-escalation-via-cdp-action-handling-handler).
Official resources
CVE-2026-53738 was published on [2026-06-10](https://www.cve.org/CVERecord?id=CVE-2026-53738).