Impact
The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). An attacker can exploit blind SQL injection in the Duplicate Page and Post plugin to read, modify, or delete database contents. The weakness is classified as CWE-89, a classic input validation flaw that directly compromises the integrity and confidentiality of the site's data. Leaving the plugin at a vulnerable version could allow an attacker to extract sensitive information or corrupt the database without direct user interaction.
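To make the CWE-89 pattern concrete, the following is an added, hypothetical illustration written for this advisory; it is not the Duplicate Page and Post plugin's actual code, and the function names, the `post` request parameter and the nonce action name are assumptions. It shows the shape of a vulnerable WordPress request handler beside the hardened form a plugin author should ship, using only standard WordPress APIs (`$wpdb->prepare`, `absint`, `current_user_can`, `check_admin_referer`).

```php
<?php
// Added example (hypothetical): CWE-89 in a WordPress "duplicate post" handler.
// NOT the vulnerable plugin's code; names and parameters are assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// The request parameter is interpolated directly into the SQL text. Whatever
// the caller puts in ?post= becomes part of the query, which is exactly the
// condition that makes blind SQL injection possible.
function example_duplicate_post_vulnerable() {
    global $wpdb;

    $post_id = $_GET['post']; // untrusted and unvalidated

    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->posts} WHERE ID = $post_id" // string built from user input
    );
}

// --- Hardened pattern -------------------------------------------------------
// Authorize the caller, validate the input type, and bind the value with
// $wpdb->prepare() so it can never alter the structure of the query.
function example_duplicate_post_hardened() {
    global $wpdb;

    // 1. Capability check: only users who may edit posts reach the query at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the link or form must carry a nonce for this action
    //    (the action name 'example_duplicate_post' is an assumption).
    check_admin_referer( 'example_duplicate_post' );

    // 3. Type enforcement: a post ID is a positive integer and nothing else.
    //    absint() turns any injected string into 0, which is then rejected.
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    if ( 0 === $post_id ) {
        wp_die( 'Invalid post ID.', 400 );
    }

    // 4. Per-object authorization: the caller must be allowed to edit *this* post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You may not duplicate this post.', 403 );
    }

    // 5. Parameterized query: %d binds an integer; the value never touches the
    //    SQL text, so the statement structure is fixed regardless of input.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->posts} WHERE ID = %d AND post_status != %s",
            $post_id,
            'trash' // %s placeholders are quoted and escaped by prepare()
        )
    );

    if ( null === $row ) {
        wp_die( 'Post not found.', 404 );
    }

    return $row;
}
```

In practice a duplicate-post feature rarely needs raw SQL at all: `get_post( $post_id )` and `wp_insert_post()` already go through prepared statements and capability-aware APIs, so the safest fix for this class of flaw is usually to replace the hand-built query with the core API rather than to escape it. The explicit `prepare()` form above is shown because it is the minimum change that closes CWE-89 when a direct query genuinely is required.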
Affected Systems
Falcon Solutions Duplicate Page and Post, version 1.0 and earlier. Any WordPress site that has installed this plugin without applying the latest update is impacted. No specific operating system or WordPress version is required beyond the presence of the plugin.
Risk and Exploitability
The CVSS score of 8.5 classifies this flaw as High severity. EPSS is reported as < 1%, suggesting the probability of exploitation is low to date, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is inferred to be web-based; the plugin's front-end or admin functions are typically exposed to all users of a WordPress installation. An attacker could craft a URL or form submission that triggers the blind injection, potentially achieving full database compromise if the WordPress installation grants the plugin sufficient database privileges. The risk remains significant because the impact directly affects core WordPress data, even though the likelihood of active exploitation is currently low. It is prudent to assume that the vulnerability may be leveraged by sophisticated threat actors targeting WordPress sites that run the affected plugin.
OpenCVE Enrichment