
Post Duplicator CVE-2026-39474

EUVD-2026-36937 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-gq8x-f6pq-64xj
CVSS 3.1 base score 8.8 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH

Network-reachable WordPress endpoint (AV:N), low complexity once a Contributor account is obtained (AC:L, PR:L), no user interaction, and deserialization-to-RCE yields full CIA impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 22:29 (vuln.today)

Description (CVE.org)

Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.

Analysis (AI)

PHP Object Injection in the Post Duplicator WordPress plugin versions <= 3.0.10 allows authenticated users with Contributor-level privileges to trigger insecure deserialization, potentially leading to remote code execution, data tampering, or full site compromise. The flaw is rated CVSS 8.8 (High) and was disclosed by Patchstack. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: obtain a Contributor account
  • Delivery: send a crafted serialized payload to the plugin
  • Exploit: trigger unserialize() on attacker input
  • Install: instantiate POP gadget chain objects
  • C2: execute arbitrary code via magic methods
  • Execute: establish webshell persistence
  • Impact: full site compromise

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated WordPress account with at least Contributor-level privileges on a site running Post Duplicator version 3.0.10 or earlier, plus a usable POP gadget chain in WordPress core or another installed plugin or theme to escalate the deserialization primitive into meaningful impact (RCE, file write, or SQLi); without such a chain, the primitive alone instantiates objects but yields no immediate impact. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 8.8 score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects network-reachable exploitation with low complexity, low privileges (a Contributor account), no user interaction, and full impact on confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker registers a Contributor account (only possible where the site's default role for new users has been raised above the WordPress default of Subscriber) or compromises an existing one on a target site running Post Duplicator <= 3.0.10, then submits a request to the plugin's duplication endpoint containing a crafted serialized PHP payload that triggers a POP gadget chain in WordPress core or another installed plugin or theme. The deserialization instantiates attacker-controlled objects whose magic methods (for example __wakeup or __destruct) execute arbitrary code, write a webshell, or exfiltrate database contents, resulting in full site compromise. …
Remediation: No vendor-released patch was identified at the time of analysis from the data provided. Consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/post-duplicator/vulnerability/wordpress-post-duplicator-plugin-3-0-10-php-object-injection-vulnerability) for the latest fixed version, and upgrade to any release newer than 3.0.10 once available. … Detailed patch versions, workarounds, and compensating controls in full report.
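The mechanism in the exploit scenario above, and the two code-level fixes a maintainer has for it, as an added example that is not the plugin's code and not from the page or Patchstack. The Post Duplicator source is not shown here, so the class `HypotheticalLogWriter`, the `duplicate_settings_*` functions and the payload are stand-ins; the gadget writes to a temp file rather than the webroot. Requires PHP 7.3 or later (for `allowed_classes` and `JSON_THROW_ON_ERROR`); run it with `php poi-demo.php`.

```php
<?php
// Added example, not the plugin's code: the deserialization primitive behind
// a PHP Object Injection, a hypothetical POP gadget, and two hardened forms.

// Hypothetical gadget: a class that some loaded code (core, plugin, theme)
// might legitimately define. Its __destruct runs when the object is freed,
// so the vulnerable code never has to call anything on it.
class HypotheticalLogWriter {
    public $path;
    public $content;
    public function __destruct() {
        if ($this->path !== null) {
            // A real gadget would write into the webroot; this writes to a temp file.
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: attacker-controlled text reaches unserialize() with no
// class restriction, so any loaded class is instantiable with chosen properties.
function duplicate_settings_vulnerable(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened A: keep the format but refuse every class. Objects in the input
// become __PHP_Incomplete_Class and no magic method ever runs.
function duplicate_settings_no_classes(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened B: do not accept PHP's serialization format from users at all.
function duplicate_settings_json(string $untrusted): array {
    $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings must be a JSON object');
    }
    return $data;
}

// Constructed payload: what an attacker submits instead of the expected
// settings array. Nothing in it names a function; it only names a class and
// sets two properties. Lengths are computed so the string is well-formed.
$target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$marker  = "<?php /* attacker-controlled content */\n";
$cls     = 'HypotheticalLogWriter';
$payload = sprintf(
    'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($cls), $cls, strlen($target), $target, strlen($marker), $marker
);

// 1. Vulnerable handler: the gadget is instantiated and fires on release.
$obj = duplicate_settings_vulnerable($payload);
printf("vulnerable: got %s\n", get_class($obj));   // HypotheticalLogWriter
unset($obj);                                        // refcount hits zero -> __destruct
printf("vulnerable: file written? %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

// 2. allowed_classes => false: same payload, no live object, no file.
$obj = duplicate_settings_no_classes($payload);
printf("no_classes: got %s\n", get_class($obj));   // __PHP_Incomplete_Class
unset($obj);
printf("no_classes: file written? %s\n", file_exists($target) ? 'yes' : 'no');

// 3. JSON: the serialized payload is simply not valid JSON.
try {
    duplicate_settings_json($payload);
} catch (JsonException $e) {
    printf("json: rejected (%s)\n", $e->getMessage());
}
```

`allowed_classes => false` is the minimal fix when the plugin only ever expects scalars and arrays from the input; it leaves the attacker's property values in the incomplete object but never executes them. The JSON variant is the stronger change because it removes PHP's object format from the trust boundary entirely, which is why the assessment above stresses that impact depends on a gadget chain being loadable: with no class instantiated there is nothing for a chain to start from.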

Recommended Action (AI)

Within 24 hours: audit Contributor-level user accounts and revoke unnecessary access; document all installations of the Post Duplicator plugin. …
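A compensating control for the window before a fixed release is installed, as an added example that is not from the page, Patchstack or the plugin: a must-use plugin (hypothetical file `wp-content/mu-plugins/poi-guard.php`) that rejects request input carrying PHP serialized-object tokens from non-administrator users. The constant, function and hook choices are assumptions; run `php poi-guard.php` outside WordPress to exercise the detector on the constructed samples.

```php
<?php
// Added example, not the plugin's code: hypothetical mu-plugin that blocks
// request parameters containing serialized PHP object tokens (O:N:" / C:N:").

// Object tokens appear at the start of a value or after ; { : inside a
// larger serialized structure (e.g. an object nested in an array).
const POI_OBJECT_TOKEN = '/(?:^|[;{:])[OC]:\d+:"/';

// True if $value (or any nested value) looks like a serialized PHP object.
// Checks the raw value plus URL- and base64-decoded forms, since payloads
// are commonly wrapped to slip past naive filters.
function poi_contains_object_token($value): bool {
    if (is_array($value)) {
        foreach ($value as $v) {
            if (poi_contains_object_token($v)) {
                return true;
            }
        }
        return false;
    }
    if (!is_string($value)) {
        return false;
    }
    $candidates = [$value, rawurldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $c) {
        if (preg_match(POI_OBJECT_TOKEN, $c)) {
            return true;
        }
    }
    return false;
}

if (function_exists('add_action')) {
    // Inside WordPress: run early on every request. Administrators are left
    // alone so legitimate import/migration tooling keeps working.
    add_action('init', function () {
        if (current_user_can('manage_options')) {
            return;
        }
        foreach ([$_GET, $_POST, $_COOKIE] as $input) {
            if (poi_contains_object_token($input)) {
                error_log('poi-guard: serialized object in request from user ' . get_current_user_id());
                wp_die('Request rejected.', 'Forbidden', ['response' => 403]);
            }
        }
    }, 0);
} else {
    // Stand-alone self-check on constructed samples: benign values, a plain
    // serialized array (no object), and three encodings of an object payload.
    $samples = [
        'plain title'                                  => false,
        'a:1:{s:3:"key";s:5:"value";}'                 => false,
        'O:8:"stdClass":0:{}'                          => true,
        rawurlencode('O:8:"stdClass":0:{}')            => true,
        base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}') => true,
    ];
    foreach ($samples as $in => $expected) {
        $got = poi_contains_object_token($in);
        printf("%s %s\n", $got === $expected ? 'ok  ' : 'FAIL', $in);
    }
}
```

Deploy it in log-only mode first (keep the `error_log` call, drop the `wp_die`) to confirm that legitimate Contributor workflows never submit serialized objects, then enforce. It does not remove the `unserialize()` call, so it is a stopgap alongside the account audit above, not a replacement for updating the plugin.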
