WP-Safety

Multisite Post Duplicator Security & Risk Analysis

wordpress.org/plugins/multisite-post-duplicator

Duplicate/Copy/Clone any individual page, post or custom post type from one site on your multisite network to another.

400 active installs v1.7.6 PHP + WP 3.7+ Updated Apr 9, 2018
copyduplicatemulti-sitemultisitepost
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEDec 9, 2016
Plugin page Download
Safety Verdict

Is Multisite Post Duplicator Safe to Use in 2026?

Use With Caution

Score 63/100

Multisite Post Duplicator has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Dec 9, 2016Updated 7yr ago
Risk Assessment

The multisite-post-duplicator v1.7.6 plugin presents a significant security risk, primarily due to a substantial attack surface lacking authentication and a known, unpatched high-severity vulnerability. The static analysis reveals 6 AJAX handlers, all of which are unprotected, creating numerous entry points for potential malicious activity. While the plugin demonstrates some good practices, such as the high percentage of SQL queries using prepared statements, these are overshadowed by critical security oversights. The presence of the `unserialize` function, especially in conjunction with unsanitized data flows identified in the taint analysis, is a major concern that could lead to remote code execution or other severe impacts. The vulnerability history, including a known high-severity CVE from 2016 that remains unpatched, strongly indicates a pattern of security neglect and a high likelihood of exploitation.

Key Concerns

  • Unprotected AJAX handlers
  • Unsanitized paths in taint analysis
  • Use of unserialize function
  • Bundled outdated library (Select2 v3.5.2)
  • Low percentage of properly escaped output
  • 0 Nonce checks on entry points
  • 1 Unpatched high severity CVE
Vulnerabilities
1

Multisite Post Duplicator Security Vulnerabilities

CVEs by Year

1 CVE in 2016 · unpatched
2016
Patched Has unpatched

Severity Breakdown

High
1

1 total CVE

CVE-2016-10944high · 8.8Cross-Site Request Forgery (CSRF)

Multisite Post Duplicator <= 1.7.6 - Cross-Site Request Forgery

Dec 9, 2016Unpatched
Code Analysis
Analyzed Mar 16, 2026

Multisite Post Duplicator Code Analysis

Dangerous Functions
1
Raw SQL Queries
1
48 prepared
Unescaped Output
89
17 escaped
Nonce Checks
0
Capability Checks
5
File Operations
3
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

unserializeupdate_post_meta( $post_id, $key, unserialize($value));inc\mpd-functions.php:1782

Bundled Libraries

Select23.5.2

SQL Query Safety

98% prepared49 total queries

Output Escaping

16% escaped106 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows2 with unsanitized paths
mpd_admin_menu_markup (inc\admin-ui.php:35)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

Multisite Post Duplicator Attack Surface

Entry Points6
Unprotected6

AJAX Handlers 6

authwp_ajax_mdp_get_postsinc\admin-ui.php:218
authwp_ajax_mdp_get_sitesinc\admin-ui.php:256
authwp_ajax_mdp_site_usersinc\admin-ui.php:302
authwp_ajax_mpd_dismiss_subdomain_noticeinc\mpd-functions.php:1008
authwp_ajax_mpd_create_link_post_listinc\persist.php:184
authwp_ajax_mpd_create_link_submitinc\persist.php:238
WordPress Hooks 75
filtermdp_default_optionsaddons\bulkaction-mpd-addon.php:23
filtermdp_activation_optionsaddons\bulkaction-mpd-addon.php:37
actionadmin_footer-edit.phpaddons\bulkaction-mpd-addon.php:86
actionadmin_footer-upload.phpaddons\bulkaction-mpd-addon.php:87
actionload-edit.phpaddons\bulkaction-mpd-addon.php:170
actionadmin_noticesaddons\bulkaction-mpd-addon.php:244
actionmdp_end_plugin_setting_pageaddons\bulkaction-mpd-addon.php:257
actionmpd_batch_afteraddons\bulkaction-mpd-addon.php:286
actionmpd_during_core_in_sourceaddons\posts-2-posts-addon.php:64
actionmpd_persist_during_core_in_sourceaddons\posts-2-posts-addon.php:65
actionmpd_end_of_core_before_returnaddons\posts-2-posts-addon.php:74
actionmpd_persist_end_of_core_before_returnaddons\posts-2-posts-addon.php:75
actionp2p_created_connectionaddons\posts-2-posts-addon.php:111
actionp2p_delete_connectionsaddons\posts-2-posts-addon.php:116
actionmdp_end_plugin_setting_pageaddons\restrictSites-mpd-addon.php:28
actionadmin_headaddons\restrictSites-mpd-addon.php:258
filtermpd_is_activeaddons\restrictSites-mpd-addon.php:316
actioninitaddons\restrictSites-mpd-addon.php:318
actionswitch_blogaddons\restrictSites-mpd-addon.php:320
actionmdp_end_plugin_setting_pageaddons\roleAccess-mpd-addon.php:22
actionmpd_during_core_in_sourceinc\acf-functions.php:144
actionmpd_persist_during_core_in_sourceinc\acf-functions.php:145
actionmpd_end_of_core_before_returninc\acf-functions.php:196
actionmpd_persist_end_of_core_before_returninc\acf-functions.php:197
actionmpd_end_of_core_before_returninc\acf-functions.php:297
actionmpd_persist_end_of_core_before_returninc\acf-functions.php:298
actionmpd_single_batch_beforeinc\acf-functions.php:560
actionmpd_single_metabox_beforeinc\acf-functions.php:561
filtermpd_show_metabox_post_statusinc\acf-functions.php:753
filtermpd_show_metabox_prefixinc\acf-functions.php:778
filtermpd_persist_post_argsinc\acf-functions.php:801
actionmpd_after_persistinc\acf-functions.php:818
actionadmin_menuinc\admin-ui.php:27
actionadmin_headinc\considerations.php:71
actionwp_headinc\considerations.php:72
actionadmin_headinc\considerations.php:96
actionwp_headinc\considerations.php:97
actionadmin_enqueue_scriptsinc\load-scripts.php:133
actionload-upload.phpinc\media.php:110
actionedit_attachmentinc\media.php:139
filtermpd_show_metabox_prefixinc\media.php:154
filtermpd_show_metabox_post_statusinc\media.php:155
filtermpd_show_metabox_persistinc\media.php:156
actionadmin_headinc\media.php:161
actionadmin_noticesinc\mpd-functions.php:952
actionadmin_headinc\mpd-functions.php:989
filtermpd_filter_post_metainc\mpd-functions.php:1269
filtermpd_filter_persist_post_metainc\mpd-functions.php:1270
filtermpd_source_datainc\mpd-functions.php:1321
filtermpd_setup_destination_datainc\mpd-functions.php:1349
filtermpd_setup_persist_destination_datainc\mpd-functions.php:1373
actionmpd_after_metabox_contentinc\mpd-functions.php:1396
actionmpd_after_metabox_contentinc\mpd-functions.php:1572
actionshutdowninc\mpd-functions.php:1590
actionmpd_single_metabox_afterinc\mpd-functions.php:1610
filtermpd_do_single_metabox_duplicationinc\mpd-functions.php:1626
filtermpd_enter_the_loopinc\mpd-functions.php:1655
actionmpd_media_image_addedinc\mpd-functions.php:1702
actionmpd_meta_boxinc\persist.php:37
actionmpd_meta_box_globalinc\persist.php:71
actionmdp_end_plugin_setting_pageinc\persist.php:371
filtermdp_activation_optionsinc\persist.php:440
filtermdp_default_optionsinc\persist.php:458
actionmpd_loginc\persist.php:523
actionsave_postinc\persist.php:1000
actionmpd_after_metabox_contentinc\persist.php:1319
actionadd_meta_boxesinc\postform_ui.php:16
actionadmin_noticesinc\postform_ui.php:55
actionmpd_before_metabox_contentinc\postform_ui.php:123
actionmpd_before_metabox_contentinc\postform_ui.php:146
filtersave_postinc\postform_ui.php:293
actionadmin_menuinc\settings-ui.php:11
actionadmin_initinc\settings-ui.php:13
actionupdate_option_mdp_settingsinc\settings-ui.php:474
actionplugins_loadedmpd.php:52
Maintenance & Trust

Multisite Post Duplicator Maintenance & Trust

Maintenance Signals

WordPress version tested4.8.28
Last updatedApr 9, 2018
PHP min version
Downloads97K

Community Trust

Rating94/100
Number of ratings37
Active installs400
Alternatives

Multisite Post Duplicator Alternatives

Multisite Network Repost

Multisite Network Repost

multisite-network-repost

A
85

Repost your stories to selected sites in the multisite network, preserving attachments, custom fields, categories, tags etc.

0 No CVEs
Yoast Duplicate Post

Yoast Duplicate Post

duplicate-post

A
92

The go-to tool for cloning posts and pages, including the powerful Rewrite & Republish feature.

4.0M 3 CVEs
Duplicate Post

Duplicate Post

copy-delete-posts

A
99

Duplicate post

300K 2 CVEs
WP Duplicate Page

WP Duplicate Page

wp-duplicate-page

A
96

Clone WordPress page, post, custom post types

60K 3 CVEs
Clone Posts

Clone Posts

clone-posts

A
100

Easily clone (duplicate) Posts, Pages and Custom Post Types, including their custom fields (post_meta)

10K No CVEs
Developer Profile

Multisite Post Duplicator Developer Profile

MagicStick

2 plugins · 410 total installs

81
trust score
Avg Security Score
82/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Multisite Post Duplicator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/multisite-post-duplicator/css/select2.min.css/wp-content/plugins/multisite-post-duplicator/js/select2.min.js/wp-content/plugins/multisite-post-duplicator/js/admin-scripts.js/wp-content/plugins/multisite-post-duplicator/css/mpd.css/wp-content/plugins/multisite-post-duplicator/js/admin-settings.js/wp-content/plugins/multisite-post-duplicator/css/ti-ta-toggle.css/wp-content/plugins/multisite-post-duplicator/js/admin.js
Script Paths
/wp-content/plugins/multisite-post-duplicator/js/select2.min.js/wp-content/plugins/multisite-post-duplicator/js/admin-scripts.js/wp-content/plugins/multisite-post-duplicator/js/admin-settings.js/wp-content/plugins/multisite-post-duplicator/js/admin.js

HTML / DOM Fingerprints

JS Globals
mpd_admin_scripts_vars
FAQ

Frequently Asked Questions about Multisite Post Duplicator