Description
The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing data extraction by authenticated users
Action: Immediate Patch
AI Analysis

Impact

The Duplicate Page and Post WordPress plugin suffers from a time‑based SQL injection flaw in the meta_key parameter in all releases up to and including 2.9.5. Insufficient or missing escaping of user‑supplied data, combined with a lack of query preparation, permits an attacker with Contributor or greater privileges to inject additional SQL statements into an existing query. Exploitation can result in the read‑out of sensitive database content, representing a confidentiality breach. The weakness is classified as a classic SQL injection (CWE‑89).
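The pattern behind CWE‑89 in a WordPress plugin, shown here as an added illustration rather than the Duplicate Page and Post plugin's own code: a hypothetical helper that reads post meta rows for a caller‑supplied meta key, first with the value interpolated straight into the SQL string (the class of defect the description attributes to the plugin), then hardened with `$wpdb->prepare()`. The function names, the `$post_id`/`$meta_key` parameters, and the use of `$_POST` as the source of the value are assumptions for the example; `$wpdb->prepare()`, `$wpdb->get_results()`, `$wpdb->postmeta` and `absint()` are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress,
// where the global $wpdb database object and absint() are available.

// Vulnerable pattern: $meta_key arrives from the request and is concatenated
// into the query without escaping or preparation, so a value containing a
// quote can change the structure of the statement instead of being data.
function dpp_example_get_meta_unsafe( $post_id, $meta_key ) {
    global $wpdb;
    $sql = "SELECT meta_id, meta_value FROM {$wpdb->postmeta} "
         . "WHERE post_id = {$post_id} AND meta_key = '{$meta_key}'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: $wpdb->prepare() takes a format string with %d / %s
// placeholders and escapes and quotes each argument according to its type,
// so the caller-supplied meta key can only ever be compared as a string.
function dpp_example_get_meta_safe( $post_id, $meta_key ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT meta_id, meta_value FROM {$wpdb->postmeta} "
        . "WHERE post_id = %d AND meta_key = %s",
        absint( $post_id ),   // %d: coerced to a non-negative integer
        (string) $meta_key    // %s: escaped and wrapped in quotes by prepare()
    );
    return $wpdb->get_results( $sql );
}

// Typical call site in a request handler (hypothetical): the raw request
// value is passed through, and prepare() is what keeps it inert.
function dpp_example_handle_request() {
    $post_id  = isset( $_POST['post_id'] )  ? $_POST['post_id']  : 0;
    $meta_key = isset( $_POST['meta_key'] ) ? $_POST['meta_key'] : '';
    return dpp_example_get_meta_safe( $post_id, $meta_key );
}
```

When auditing a plugin for this class of bug, the check is mechanical: every `$wpdb->query()` / `$wpdb->get_results()` / `$wpdb->get_var()` call whose SQL string contains a variable that can be traced back to the request must either go through `$wpdb->prepare()` with a placeholder, or be cast to an integer before use. Escaping alone (`esc_sql()`) is a weaker substitute because it only helps when the value is also placed inside quotes in the query.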

Affected Systems

The issue affects the WordPress plugin named Duplicate Page and Post, developed by arjunthakur. All versions whose release number is 2.9.5 or earlier are vulnerable; any instance running one of those versions is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, but the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently very low. The vulnerability is confined to authenticated users with Contributor level or higher, and the plugin must be active for exploitation. It is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Duplicate Page and Post plugin to the latest version that does not contain this vulnerability. The fix is available in releases newer than 2.9.5.
  • If an upgrade cannot be performed immediately, disable the Duplicate Page and Post plugin on the affected WordPress sites until a patch can be applied.
  • Review and limit the use of Contributor roles on the site to reduce the attack surface; consider removing or limiting Contributor permissions for content that triggers the vulnerable code.


Tracking


Advisories
Source   ID                 Title
EUVD     EUVD-2025-27568    The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Fri, 12 Sep 2025 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Duplicate Page And Post Project
                                       Duplicate Page And Post Project duplicate Page And Post
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Duplicate Page And Post Project
                                       Duplicate Page And Post Project duplicate Page And Post
                                       Wordpress
                                       Wordpress wordpress

Wed, 10 Sep 2025 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Sep 2025 06:45:00 +0000

Type          Values Removed   Values Added
Description                    The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title                          Duplicate Page and Post <= 2.9.5 - Authenticated (Contributor+) SQL Injection via meta_key Parameter
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:34.848Z

Reserved: 2025-06-16T21:27:28.826Z

Link: CVE-2025-6189

Vulnrichment

Updated: 2025-09-10T16:11:00.639Z

NVD

Status : Deferred

Published: 2025-09-10T07:15:44.973

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z
