CVE Catalog

CVE-2026-10749

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile - higher than 22% of all known CVEs

Summary

The Post Duplicator WordPress plugin before version 3.0.15 does not safely handle custom meta-data during post duplication, allowing attacker-supplied serialized values to be stored without the WordPress meta API's double-serialization protection.

Risk Assessment

Users with Contributor-level access and above can inject PHP Objects, posing a risk of executing malicious code on the server.

Recommendation

It is recommended to update the Post Duplicator plugin to version 3.0.15 or later to mitigate this vulnerability.

Original NVD description (English source)

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS