Description
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned.
Published: 2026-03-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data exfiltration via SQL injection
Action: Immediate patch
AI Analysis

Impact

The vulnerability is a SQL injection (CWE-89, improper neutralization of special elements used in an SQL command) reachable by any authenticated user with Contributor-level or higher access. The attacker stores a crafted value as a post meta key; that write itself is unremarkable, and the injection only fires later, when content_clone() reads the stored key back and builds a SQL query from it without escaping or preparation. Because the stored key is spliced into an existing query, the attacker can append additional SQL and pull other data out of the database. The CVSS vector rates confidentiality impact high and integrity and availability impact none, so the documented effect is disclosure of database contents rather than their modification or deletion.
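To make the two-stage nature of the bug concrete, the following is an added model of the path described above, written against sqlite3; it is not the Page and Post Clone plugin's code. Table and column names follow the WordPress schema (wp_postmeta, wp_users), but the clone routine, the fixture rows, the post IDs and the payload are constructed for the example. The first stage is a parameterised write that stores the payload as data; the second stage is a clone routine that reads the stored key back and interpolates it into a per-key lookup, beside the same routine with the key bound as a parameter.

```python
"""Model of a second-order SQL injection through a stored post meta key.

Added illustration, NOT the Page and Post Clone plugin's code. Schema names
mirror WordPress; the clone logic, fixture data and payload are constructed.
"""
import sqlite3

# Constructed payload: closes the key literal, UNIONs in a row from wp_users,
# and comments out the remainder of the original query.
PAYLOAD = "x' UNION SELECT user_login, user_pass FROM wp_users -- "


def setup_db():
    """Constructed fixture: one user with a secret hash, an empty postmeta table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashValue');
        CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        """
    )
    return conn


def store_meta(conn, post_id, meta_key, meta_value):
    """Stage 1 (what a Contributor does when saving a post): the key is written
    with a parameterised INSERT, so nothing fires here; the payload persists
    as plain data."""
    conn.execute(
        "INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES (?, ?, ?)",
        (post_id, meta_key, meta_value),
    )


def _copy_rows(conn, dst_id, rows):
    """Write the looked-up rows onto the destination post and return them."""
    for key, value in rows:
        conn.execute(
            "INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES (?, ?, ?)",
            (dst_id, key, value),
        )
    return list(rows)


def clone_post_vulnerable(conn, src_id, dst_id):
    """Stage 2, vulnerable shape: each stored key is read back and spliced into
    the per-key lookup as a string. Whatever the injected UNION returns is
    copied into the cloned post's meta, where the attacker can read it."""
    copied = []
    for (meta_key,) in conn.execute(
        "SELECT meta_key FROM wp_postmeta WHERE post_id = ?", (src_id,)
    ).fetchall():
        sql = (
            "SELECT meta_key, meta_value FROM wp_postmeta "
            f"WHERE post_id = {src_id} AND meta_key = '{meta_key}'"  # no escaping
        )
        copied += _copy_rows(conn, dst_id, conn.execute(sql).fetchall())
    return copied


def clone_post_safe(conn, src_id, dst_id):
    """Same clone logic with the stored key bound as a parameter, so the driver
    treats it as an opaque string; the WordPress equivalent is $wpdb->prepare()."""
    copied = []
    for (meta_key,) in conn.execute(
        "SELECT meta_key FROM wp_postmeta WHERE post_id = ?", (src_id,)
    ).fetchall():
        rows = conn.execute(
            "SELECT meta_key, meta_value FROM wp_postmeta "
            "WHERE post_id = ? AND meta_key = ?",
            (src_id, meta_key),
        ).fetchall()
        copied += _copy_rows(conn, dst_id, rows)
    return copied


def run_demo():
    """Stage the payload on post 10, then clone it to post 11 both ways."""
    vuln = setup_db()
    store_meta(vuln, 10, PAYLOAD, "harmless value")
    leaked = clone_post_vulnerable(vuln, 10, 11)

    safe = setup_db()
    store_meta(safe, 10, PAYLOAD, "harmless value")
    copied = clone_post_safe(safe, 10, 11)
    return leaked, copied


if __name__ == "__main__":
    leaked, copied = run_demo()
    print("vulnerable clone copied:", leaked)  # the admin login and hash
    print("safe clone copied:     ", copied)  # the payload string, as data
```

The vulnerable clone ends up with the admin login and password hash stored as meta on the cloned post, which is exactly the "extract sensitive information" outcome the advisory describes, reached without any SQL error surfacing to the attacker. The safe variant copies the payload string itself, unchanged and inert.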

Affected Systems

The Page and Post Clone plugin for WordPress (vendor: Carlosfazenda) is affected in all releases up to and including version 6.3. Any site running one of these versions that grants the Contributor role or higher to users it does not fully trust is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates medium severity, and the EPSS score below 1% suggests a low probability of exploitation at this time; the SSVC assessment recorded on 2026-03-05 likewise lists Exploitation: none and Automatable: no. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated account with Contributor privileges or above; the attack path is inferred from the description, since it relies on the ability to save a crafted meta key on a post and then trigger (or wait for) a clone of that post. The documented outcome is disclosure of database contents, with downstream effects on site confidentiality.

Generated by OpenCVE AI on April 15, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Page and Post Clone plugin to version 6.4 or later, where the meta_key value is properly prepared before it reaches the query; confirm the fix against the plugin changelog, since the CVE record itself carries no vendor reference.
  • If an immediate upgrade is not feasible, restrict the clone action to administrators. Note that this only limits who can trigger the second stage: a payload stored in a post's meta by a Contributor still executes if an administrator later clones that post, so treat posts from lower-privileged authors with care until the plugin is updated.
  • Remove the plugin from the WordPress installation if it is not required for site functionality, thereby eliminating the injection vector. Also review existing post meta for keys containing SQL syntax, since a stored payload persists independently of the plugin version.
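Two checks that follow from the actions above, added here as example code rather than anything the plugin or OpenCVE ships: a version check that reads the Version: line of a plugin header and compares it with the affected range (<= 6.3), and a hunt over wp_postmeta-style rows for meta keys that contain SQL syntax, which is where a second-order payload would sit until a clone runs. The plugin header text and the postmeta rows are constructed for the example.

```python
"""Added checks for the Page and Post Clone advisory; not the plugin's own code.

is_affected() parses a WordPress plugin header's 'Version:' line and reports
whether it falls in the affected range. suspicious_meta_keys() flags meta-key
names that look like SQL rather than a WordPress meta name. Inputs are
constructed.
"""
import re

AFFECTED_MAX = (6, 3)  # "all versions up to, and including, 6.3"

# Constructed plugin header in the standard WordPress format.
PLUGIN_HEADER = """<?php
/*
Plugin Name: Page and Post Clone
Version: 6.3
*/
"""

# Constructed wp_postmeta rows: (meta_id, post_id, meta_key).
SAMPLE_ROWS = [
    (1, 10, "_thumbnail_id"),
    (2, 10, "custom_subtitle"),
    (3, 12, "x' UNION SELECT user_login, user_pass FROM wp_users -- "),
    (4, 14, "title\" OR \"1\"=\"1"),
]

# Quote and escape characters, statement and comment delimiters, and keywords
# that have no business in a meta-key name.
SUSPICIOUS = re.compile(r"""['"\\;]|--|/\*|\b(?:UNION|SELECT|SLEEP|BENCHMARK)\b""", re.I)


def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if no header line."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(v, n=3):
    """Right-pad a version tuple with zeros so 6.3 and 6.3.0 compare equal."""
    return tuple(v) + (0,) * (n - len(v))


def is_affected(header_text):
    """True when the header's version is <= 6.3. A 6.3.x point release compares
    as newer than 6.3, so confirm such builds against the changelog by hand."""
    v = parse_version(header_text)
    return v is not None and _pad(v) <= _pad(AFFECTED_MAX)


def suspicious_meta_keys(rows):
    """Return the rows whose meta_key matches SUSPICIOUS; review them manually."""
    return [r for r in rows if SUSPICIOUS.search(r[2])]


if __name__ == "__main__":
    print("affected:", is_affected(PLUGIN_HEADER))
    for meta_id, post_id, key in suspicious_meta_keys(SAMPLE_ROWS):
        print(f"post {post_id} meta_id {meta_id}: {key!r}")
```

On a live site the rows would come from `SELECT meta_id, post_id, meta_key FROM wp_postmeta` (with the installation's actual table prefix); the pattern is deliberately broad, so expect to triage a few false positives from plugins that use unusual key names, and clear any flagged key only after confirming where it came from.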

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Carlosfazenda; Carlosfazenda page And Post Clone; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Carlosfazenda; Carlosfazenda page And Post Clone; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: SSVC 2.0.3 with Exploitation = none, Automatable = no, Technical Impact = partial


Thu, 05 Mar 2026 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned.

Type: Title
Values Removed: (none)
Values Added: Page and Post Clone <= 6.3 - Authenticated (Contributor+) SQL Injection via 'meta_key' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:36.416Z

Reserved: 2026-02-20T18:48:50.173Z

Link: CVE-2026-2893

Vulnrichment

Updated: 2026-03-05T15:02:02.322Z

NVD

Status : Deferred

Published: 2026-03-05T08:15:59.963

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-2893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses