Description
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Post Duplicator WordPress plugin versions older than 3.0.15 and permits attackers with Contributor or higher level privileges to supply serialized data via customMetaData during post duplication. This data is stored without the double‑serialization safeguards of the WordPress meta API, enabling the creation of PHP object injection payloads that can lead to arbitrary code execution within the context of the web application. The impact is confined to sites that host the affected plugin and provide Contributor or higher access to users, potentially compromising both Confidentiality and Integrity of the system.

Affected Systems

Any WordPress installation that has the Post Duplicator plugin installed at a version prior to 3.0.15 is vulnerable. The plugin is listed under the vendor designation "Unknown:Post Duplicator" and does not specify more granular product variants; the version cutoff is explicitly 3.0.15.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, and the EPSS score of < 1% suggests a low likelihood of exploitation, but the nature of PHP Object Injection still implies that, if exploited, it would allow code execution on the affected WordPress site. The vulnerability requires at least Contributor‑level authentication, meaning attackers would need to obtain or compromise legitimate user credentials or exploit another vulnerability that grants such access. While the attack vector is not remote in the pure sense—an attacker must first authenticate with sufficient privileges—the privilege escalation and local code execution characteristics mean that a compromise of the site can have widespread ramifications. As the CVE is not listed in the CISA KEV catalog, there is currently no known exploitation cluster pending, yet the theoretical risk warrants immediate remediation.

Generated by OpenCVE AI on June 24, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Post Duplicator plugin to version 3.0.15 or later, which removes the insecure customMetaData handling.
  • Restrict Contributor users from performing post duplication until the plugin is patched, or remove untrusted customMetaData fields from existing posts.
  • Perform a selective scan of the WordPress database for serialized PHP objects that may have been injected via malicious metadata and clean or delete such entries.

Generated by OpenCVE AI on June 24, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Duplicator Project
Duplicator Project duplicator
Wordpress
Wordpress wordpress
Vendors & Products Duplicator Project
Duplicator Project duplicator
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-502

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
Title Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData
References

Subscriptions

Duplicator Project Duplicator
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-24T13:12:59.561Z

Reserved: 2026-06-03T13:45:00.388Z

Link: CVE-2026-10749

cve-icon Vulnrichment

Updated: 2026-06-24T13:12:41.898Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-502

    Deserialization of Untrusted Data