HIGH | CVE-2026-53738 | CNA: VulnCheck

CVE-2026-53738: Copy & Delete Posts through 1.5.4 Privilege Escalation via cdp_action_handling Handler

Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.

Metrics

CVSS v4.0: 7.2
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

A privilege escalation vulnerability affects the Copy and Delete Posts WordPress plugin (versions up to and including 1.5.4). Any authenticated user with a plugin-enabled role can reach the cdp_action_handling AJAX handler over the network and invoke all of its operations without passing per-function capability checks. Successful exploitation lets an attacker delete arbitrary posts or overwrite plugin settings, causing data loss and tampering. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
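As an added illustration (not the plugin's code and not HarborGuard's), the pattern the synopsis describes, a single coarse gate in front of an `f`-dispatched handler, beside a dispatcher that checks a capability per operation. The operation names `delete` and `settings`, the option name `cdp_settings` and the nonce action `cdp_ajax` are hypothetical.

```php
<?php
// Illustrative pattern only (not the Copy & Delete Posts plugin's code).
// Operation names, the option name and the nonce action are hypothetical.
// WEAK: one coarse gate, then every operation is reachable through `f`.
function weak_cdp_action_handling() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $f       = isset( $_POST['f'] ) ? sanitize_key( $_POST['f'] ) : '';
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    switch ( $f ) { // any enabled role reaches every case below
        case 'delete':
            wp_delete_post( $post_id, true );
            break;
        case 'settings':
            update_option( 'cdp_settings', wp_unslash( $_POST['settings'] ?? array() ) );
            break;
    }
    wp_send_json_success();
}

// HARDENED: nonce check, an explicit allowlist of operations, and a
// capability check tied to the object or setting each operation touches.
function hardened_cdp_action_handling() {
    check_ajax_referer( 'cdp_ajax', 'nonce' );
    $f       = isset( $_POST['f'] ) ? sanitize_key( $_POST['f'] ) : '';
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    switch ( $f ) {
        case 'delete':
            // delete_post is a meta capability resolved per post (own draft vs. someone else's page).
            if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            wp_delete_post( $post_id, true );
            break;
        case 'settings':
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            $raw = array_filter( (array) wp_unslash( $_POST['settings'] ?? array() ), 'is_string' );
            update_option( 'cdp_settings', array_map( 'sanitize_text_field', $raw ) );
            break;
        default:
            wp_send_json_error( 'unknown operation', 400 ); // unexpected `f` values rejected
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_cdp_action_handling', 'hardened_cdp_action_handling' );
```

The `default` branch is also what a WAF allowlist on `f` approximates from outside the application; the in-code check is the one that holds when the request reaches the handler by another path.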

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53738 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle this plugin. Any image containing Copy and Delete Posts at version 1.5.4 or earlier is flagged automatically.

Triage: Available

Triage is available using the CVSS v4.0 score of 7.2 (HIGH), weighted against each environment's configured compliance policy to prioritize the finding appropriately. Routing to the correct team inbox within each customer organization is handled according to that organization's defined escalation rules.

Patch: Pending upstream

Because no upstream fix version has been published for this CVE, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated release is issued. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AJAX handler is exposed over the network, so the attacker must be able to reach the WordPress site via HTTP/HTTPS.

  • Authentication: Required

    Any low-privilege account that holds a plugin-enabled role is sufficient; no admin credentials are needed.

  • Victim interaction: Not required

    The attacker sends crafted requests directly to the AJAX endpoint; no victim action or social engineering is needed.

  • Attack complexity: Low

    Exploitation is reliable and condition-free: no race conditions, memory layout dependencies, or environmental prerequisites are involved.

Blast Radius

  • An attacker deletes arbitrary published posts, causing permanent content loss across the site.
  • An attacker overwrites plugin settings via the f parameter, altering site behavior or disabling content-management controls.
  • The combination of content deletion and settings tampering can disrupt site availability and editorial workflows without requiring admin access.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-53738 is active, and any image containing Copy and Delete Posts at 1.5.4 or earlier is surfaced as a HIGH-severity finding. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available immediately when a fix is released. For customers with auto-remediation enabled, that moment triggers a full rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict unauthenticated and low-privilege access to WordPress AJAX endpoints, role audits that remove the plugin-enabled designation from accounts that do not need it, and web application firewall rules that block unexpected values in the f parameter.

Affected packages

  • Inisev / Copy & Delete Posts: ≤ 1.5.4

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N