Description
The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint.
Published: 2026-02-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Protected Meta Data Insertion
Action: Patch
AI Analysis

Impact

The Post Duplicator plugin for WordPress contains a flaw that permits authenticated users with Contributor permissions or higher to insert arbitrary protected post meta keys. The flaw arises because the duplicate_post() function writes directly to the wp_postmeta table with a raw SQL insert, bypassing WordPress’s add_post_meta() routine which normally protects keys that begin with an underscore. Attackers can therefore supply a customMetaData JSON array via the /wp-json/post-duplicator/v1/duplicate-post REST endpoint and create entries such as _wp_page_template, _wp_attached_file, and other sensitive meta fields on duplicated posts. This grants the malicious actor the ability to modify core post metadata that is normally restricted to administrators. The weakness is classified as CWE‑862: Missing Authorization.

Affected Systems

WordPress installations that run Post Duplicator up to and including version 3.0.8, a plugin supplied by metaphorcreations. Any site using these versions is susceptible, regardless of the WordPress core version, as the vector is the plugin’s REST API endpoint.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity vulnerability with limited impact if exploited. The EPSS score of <1% suggests a low probability of real‑world exploitation at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires prior authentication—contributor or higher—and the use of the duplicate-post REST endpoint. No known remote code execution or privilege elevation beyond the capabilities to alter protected post meta can be achieved directly from the public internet. However, once protected meta keys like _wp_page_template are modified, there is potential for further indirect exploitation if additional content or plugins rely on these values. Consequently, administrators should treat the issue as a moderate risk that could enable unauthorized metadata manipulation.

Generated by OpenCVE AI on April 15, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Post Duplicator to the latest version (≥3.0.9) where the duplicate_post() function has been fixed to use add_post_meta() and enforce proper authorization for protected keys.
  • If an upgrade cannot be performed immediately, restrict the duplicate-post REST endpoint so that only administrators can access it—for example, by adding capability checks (like current_user_can('edit_posts')) or by disabling the endpoint via a custom snippet or security plugin.
  • Audit existing duplicated posts for unexpected protected meta entries (e.g., keys starting with '_') and delete or correct any that appear suspicious or were not intentionally added by an administrator.

Generated by OpenCVE AI on April 15, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Metaphorcreations
Metaphorcreations post Duplicator
Wordpress
Wordpress wordpress
Vendors & Products Metaphorcreations
Metaphorcreations post Duplicator
Wordpress
Wordpress wordpress

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
Description The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint.
Title Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Metaphorcreations Post Duplicator
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:57.120Z

Reserved: 2026-02-10T18:17:31.628Z

Link: CVE-2026-2301

cve-icon Vulnrichment

Updated: 2026-02-25T21:00:32.648Z

cve-icon NVD

Status : Deferred

Published: 2026-02-25T10:16:18.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2301

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses