WP Duplicate – WordPress Migration Plugin Security & Risk Analysis

wordpress.org/plugins/local-sync

Easily migrate or clone your WordPress Site from one host to another.

200 active installs v1.1.10 PHP + WP 3.0.1+ Updated Feb 6, 2026
Tags: clone, copy-site, migrate, wp-duplicate, wpduplicate
Score: 96 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Feb 5, 2026
Safety Verdict

Is WP Duplicate – WordPress Migration Plugin Safe to Use in 2026?

Generally Safe

Score 96/100

WP Duplicate – WordPress Migration Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Feb 5, 2026 · Updated 3mo ago
Risk Assessment

The 'local-sync' plugin version 1.1.10 exhibits a concerning security posture, primarily due to a significantly large and unprotected attack surface. With 28 AJAX handlers identified, all of which lack authentication checks, this presents a major entry point for malicious actors to interact with the plugin's functionality without proper authorization. The static analysis also flags the presence of dangerous functions like 'unserialize' and 'exec', which, when combined with the lack of input validation indicated by taint analysis showing flows with unsanitized paths, could lead to severe vulnerabilities such as remote code execution. While the plugin does employ prepared statements for a majority of its SQL queries and shows some effort in output escaping, these positive aspects are overshadowed by the fundamental security flaws in its entry points and handling of potentially dangerous functions. The vulnerability history, including a past critical vulnerability and a pattern of missing authorization issues, further reinforces the perception of a plugin that has historically struggled with robust security. Despite the absence of currently unpatched vulnerabilities and a recent security patch in 2026, the plugin's design remains inherently risky, suggesting that new vulnerabilities could easily be introduced.

Key Concerns

  • Large attack surface without auth checks
  • Presence of dangerous functions
  • Flows with unsanitized paths (taint analysis)
  • Missing nonce checks on AJAX
  • Low percentage of proper output escaping
  • Past critical vulnerability (unpatched)
  • History of missing authorization vulnerabilities
Vulnerabilities
2 published

WP Duplicate – WordPress Migration Plugin Security Vulnerabilities

CVEs by Year

2025: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2026-1499 · high · 8.8 · Missing Authorization

WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action

Feb 5, 2026 Patched in 1.1.9 (50d)
CVE-2025-24652 · medium · 4.3 · Missing Authorization

WP Duplicate – WordPress Migration Plugin <= 1.1.6 - Missing Authorization

Jan 24, 2025 Patched in 1.1.7 (5d)
Version History

WP Duplicate – WordPress Migration Plugin Release Timeline

Code Analysis
Analyzed Mar 16, 2026

WP Duplicate – WordPress Migration Plugin Code Analysis

Dangerous Functions: 12
Raw SQL Queries: 30 (114 prepared)
Unescaped Output: 31 (43 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 259
External Requests: 7
Bundled Libraries: 0

Dangerous Functions Found

Function | Code | Location
create_function | $walk_function = @create_function('&$str', '$str = "`$str`";'); | admin\class-local-sync-replace-db-links.php:263
unserialize | $unserialized_data = @unserialize($data); | admin\class-local-sync-replace-db-links.php:457
unserialize | if (is_string($data) && ($unserialized = @unserialize($data)) !== false) { | admin\class-local-sync-replace-db-links.php:511
unserialize | $test = @unserialize($data); | admin\class-local-sync-replace-db-links.php:587
unserialize | if ( is_string( $data ) && ( $unserialized = @unserialize( $data ) ) !== false ) { | admin\class-local-sync-restore-op.php:926
unserialize | $tables = @unserialize($raw_result); | admin\class-local-sync-restore-op.php:1150
exec | $log = @exec($command, $output, $return); | admin\class-local-sync-shell-dump.php:301
popen | $handle = popen($exec, "r"); | admin\class-local-sync-zip-facade.php:158
proc_open | $handle = proc_open($exec, $descriptorspec, $pipes, $backup_dir); | admin\class-local-sync-zip-facade.php:191
proc_open | $process = proc_open($exec, $descriptorspec, $pipes, $rdirname); | admin\class-local-sync-zip-facade.php:574
unserialize | $settings = unserialize($raw_settings); | includes\class-local-sync-options.php:556
unserialize | $fieldParams = unserialize($fieldParams); | local-sync-bridge\iwp-pclzip.php:684

SQL Query Safety

79% prepared · 144 total queries

Output Escaping

58% escaped · 74 total outputs
Data Flows · Security
14 unsanitized

Data Flow Analysis

15 flows · 14 with unsanitized paths
modified_files_modal_ok (admin\class-local-sync-admin.php:471)
[Data flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform; paths marked Unsanitized or Sanitized]
Attack Surface
28 unprotected

WP Duplicate – WordPress Migration Plugin Attack Surface

Entry Points: 28
Unprotected: 28

AJAX Handlers 28

Type | Hook | Location
auth | wp_ajax_set_as_local_site_losy | includes\class-local-sync.php:192
auth | wp_ajax_set_as_prod_site_losy | includes\class-local-sync.php:193
auth | wp_ajax_start_file_list_preparation | includes\class-local-sync.php:194
auth | wp_ajax_start_db_dump | includes\class-local-sync.php:195
auth | wp_ajax_sync_from_live_site | includes\class-local-sync.php:196
auth | wp_ajax_push_to_live_site | includes\class-local-sync.php:197
auth | wp_ajax_start_zip_download | includes\class-local-sync.php:198
auth | wp_ajax_start_zip_creation | includes\class-local-sync.php:199
auth | wp_ajax_zip_extract_dev | includes\class-local-sync.php:200
auth | wp_ajax_test_button | includes\class-local-sync.php:201
auth | wp_ajax_test_button | includes\class-local-sync.php:202
auth | wp_ajax_local_sync_get_root_files | includes\class-local-sync.php:203
auth | wp_ajax_local_sync_get_tables | includes\class-local-sync.php:204
auth | wp_ajax_local_sync_get_init_root_files | includes\class-local-sync.php:205
auth | wp_ajax_local_sync_get_files_by_key | includes\class-local-sync.php:206
auth | wp_ajax_exclude_file_list_local_sync | includes\class-local-sync.php:207
auth | wp_ajax_include_file_list_local_sync | includes\class-local-sync.php:208
auth | wp_ajax_exclude_table_list_local_sync | includes\class-local-sync.php:209
auth | wp_ajax_include_table_list_local_sync | includes\class-local-sync.php:210
auth | wp_ajax_include_table_structure_only_local_sync | includes\class-local-sync.php:211
auth | wp_ajax_save_settings_local_sync | includes\class-local-sync.php:212
auth | wp_ajax_process_get_steps_for_steps_parent_echo | includes\class-local-sync.php:213
auth | wp_ajax_process_service_login | includes\class-local-sync.php:214
auth | wp_ajax_process_service_logout | includes\class-local-sync.php:215
auth | wp_ajax_process_add_site | includes\class-local-sync.php:216
auth | wp_ajax_process_remove_site | includes\class-local-sync.php:217
auth | wp_ajax_modified_files_modal_ok | includes\class-local-sync.php:218
auth | wp_ajax_modify_all_files_modal_cancel | includes\class-local-sync.php:219
WordPress Hooks 13
Type | Hook | Location
action | plugins_loaded | includes\class-local-sync.php:161
action | admin_enqueue_scripts | includes\class-local-sync.php:183
action | admin_enqueue_scripts | includes\class-local-sync.php:184
action | network_admin_menu | includes\class-local-sync.php:187
action | admin_menu | includes\class-local-sync.php:189
action | setup_theme | includes\class-local-sync.php:221
action | the_content | includes\class-local-sync.php:222
action | wp_get_attachment_url | includes\class-local-sync.php:223
action | admin_print_footer_scripts | includes\class-local-sync.php:224
filter | wp_calculate_image_srcset | includes\class-local-sync.php:225
filter | wp_insert_attachment_data | includes\class-local-sync.php:226
action | wp_enqueue_scripts | includes\class-local-sync.php:240
action | wp_enqueue_scripts | includes\class-local-sync.php:241
Maintenance & Trust

WP Duplicate – WordPress Migration Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 6, 2026
PHP min version
Downloads: 10K

Community Trust

Rating: 66/100
Number of ratings: 7
Active installs: 200
Developer Profile

WP Duplicate – WordPress Migration Plugin Developer Profile

revmakx

8 plugins · 224K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 707 days
Detection Fingerprints

How We Detect WP Duplicate – WordPress Migration Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/local-sync/admin/css/local-sync-admin.css
/wp-content/plugins/local-sync/admin/js/local-sync-admin.js
/wp-content/plugins/local-sync/public/css/local-sync-public.css
/wp-content/plugins/local-sync/public/js/local-sync-public.js
Script Paths
/wp-content/plugins/local-sync/admin/js/local-sync-admin.js
/wp-content/plugins/local-sync/public/js/local-sync-public.js
Version Parameters
local-sync/admin/css/local-sync-admin.css?ver=
local-sync/admin/js/local-sync-admin.js?ver=
local-sync/public/css/local-sync-public.css?ver=
local-sync/public/js/local-sync-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
local-sync-admin-wrap
ls-notice-box
HTML Comments
<!-- Local Sync Admin Footer -->
<!-- Local Sync Main Content Area -->
Data Attributes
data-ls-action
data-ls-target
JS Globals
LOCAL_SYNC_SITE_TYPE
LOCAL_SYNC_PROD_URL
LOCAL_SYNC_LOCAL_URL
LOCAL_SYNC_PROD_UPLOADS_URL
LOCAL_SYNC_LOCAL_UPLOADS_URL
LOCAL_SYNC_LOAD_IMAGES_FROM_LIVE
+1 more
REST Endpoints
/wp-json/local-sync/v1/settings
/wp-json/local-sync/v1/migrate
Shortcode Output
[local_sync_form]
[local_sync_status]
FAQ

Frequently Asked Questions about WP Duplicate – WordPress Migration Plugin