Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection.

This issue affects Duplicate Page and Post: from n/a through 2.9.5.
Published: 2026-05-27
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL Injection flaw caused by improper neutralization of special elements in an SQL command. An attacker can exploit this weakness to perform Blind SQL Injection, allowing the execution of arbitrary SQL queries against the WordPress database. This could lead to unauthorized data disclosure, credential theft, or modification of the database contents, all of which compromise data confidentiality and integrity.

Affected Systems

The flaw exists in the WordPress plugin Duplicate Page and Post developed by Arjun Thakur. All releases from the initial version up to and including 2.9.5 are affected. Any WordPress site that runs one of these versions of the plugin is vulnerable.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity of risk. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker supplying crafted input through the plugin’s duplication interface or related URL parameters, which the plugin then incorporates into an SQL statement without proper encoding.

Generated by OpenCVE AI on May 27, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the Duplicate Page and Post plugin to remove the attack surface.
  • Monitor database logs for abnormal queries or attempts to access privileged database tables as an indicator of exploitation attempts.
  • Configure a web application firewall to block or rate‑limit suspicious SQL injection patterns on the plugin’s endpoints.
  • Once the vendor releases a patched version, upgrade the plugin to the new release and remove any custom modifications that may reintroduce the flaw.

Generated by OpenCVE AI on May 27, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Arjun Thakur
Arjun Thakur duplicate Page And Post
Wordpress
Wordpress wordpress
Vendors & Products Arjun Thakur
Arjun Thakur duplicate Page And Post
Wordpress
Wordpress wordpress

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through 2.9.5.
Title WordPress Duplicate Page and Post plugin <= 2.9.5 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Arjun Thakur Duplicate Page And Post
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-28T15:25:29.625Z

Reserved: 2026-05-27T08:41:55.487Z

Link: CVE-2026-49046

cve-icon Vulnrichment

Updated: 2026-05-28T15:25:14.955Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T15:16:33.087

Modified: 2026-06-17T10:55:27.660

Link: CVE-2026-49046

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:50:38Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')