CVE-2026-10749
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
The Post Duplicator WordPress plugin before version 3.0.15 does not safely handle custom meta-data during post duplication, allowing attacker-supplied serialized values to be stored without the WordPress meta API's double-serialization protection.
Risk Assessment
Users with Contributor-level access and above can inject PHP Objects, posing a risk of executing malicious code on the server.
Recommendation
It is recommended to update the Post Duplicator plugin to version 3.0.15 or later to mitigate this vulnerability.
Original NVD description (English source)
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

