Impact
Contributor PHP Object Injection in the Post Duplicator plugin up to version 3.0.10 allows an attacker to supply crafted serialized data that is unserialized by the plugin. This flaw can result in arbitrary code execution or other destructive actions when the code runs, directly compromising the affected WordPress site.
Affected Systems
WordPress sites that have installed the Metaphor Creations Post Duplicator plugin version 3.0.10 or earlier.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.8, classifying it as high severity. The EPSS score is reported as less than 1%, indicating a low probability of widespread exploitation at present. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to inject malicious serialized data through the plugin’s input interfaces, which may require administrative access to the site’s plugin configuration or, in some cases, the ability to submit data from an external source if the plugin does not restrict deserialization inputs. Given the severity and the low current exploitation likelihood, immediate patching is strongly advised.
OpenCVE Enrichment