While looking into the details of a reflected cross-site scripting (XSS) vulnerability in the plugin Duplicate Page we noticed that there was no protection against cross-site request forgery (CSRF) when using the plugin’s functionality, duplicating a post or page.
As of version 2.3 the URLs for the duplication looks like this:
/wp-admin/admin.php?action=dt_duplicate_post_as_draft&post=1
If there was protection against CSRF there
Source: Security Feed