CVE-2026-53738
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
In version 1.5.4, non-admin users with enabled plugins can invoke operations in the cdp_action_handling AJAX handler. Attackers can delete posts or overwrite plugin settings, bypassing capability checks.
Risk Assessment
The organization may be exposed to unauthorized deletion of posts and modification of plugin settings, potentially leading to data loss and system integrity breaches.
Recommendation
It is recommended to restrict AJAX function access for non-admin roles and conduct a permissions audit of plugins.
Original NVD description (English source)
Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.

