Impact
The vulnerability resides in the Post Duplicator WordPress plugin versions older than 3.0.15 and permits attackers with Contributor or higher level privileges to supply serialized data via customMetaData during post duplication. This data is stored without the double‑serialization safeguards of the WordPress meta API, enabling the creation of PHP object injection payloads that can lead to arbitrary code execution within the context of the web application. The impact is confined to sites that host the affected plugin and provide Contributor or higher access to users, potentially compromising both Confidentiality and Integrity of the system.
Affected Systems
Any WordPress installation that has the Post Duplicator plugin installed at a version prior to 3.0.15 is vulnerable. The plugin is listed under the vendor designation "Unknown:Post Duplicator" and does not specify more granular product variants; the version cutoff is explicitly 3.0.15.
Risk and Exploitability
The CVSS score of 7.2 indicates a high severity, and the EPSS score of < 1% suggests a low likelihood of exploitation, but the nature of PHP Object Injection still implies that, if exploited, it would allow code execution on the affected WordPress site. The vulnerability requires at least Contributor‑level authentication, meaning attackers would need to obtain or compromise legitimate user credentials or exploit another vulnerability that grants such access. While the attack vector is not remote in the pure sense—an attacker must first authenticate with sufficient privileges—the privilege escalation and local code execution characteristics mean that a compromise of the site can have widespread ramifications. As the CVE is not listed in the CISA KEV catalog, there is currently no known exploitation cluster pending, yet the theoretical risk warrants immediate remediation.
OpenCVE Enrichment