Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection.
This issue affects Duplicate Page and Post: from n/a through 2.9.5.
AnalysisAI
Blind SQL injection in the WordPress plugin Duplicate Page and Post (by Arjun Thakur) through version 2.9.5 lets authenticated low-privilege users inject crafted SQL into a database query, enabling extraction of arbitrary database contents including WordPress user hashes and secrets. The CVSS:3.1 base score is 8.5 with a changed scope, reflecting impact beyond the plugin into the shared WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through the Patchstack research program.
Technical ContextAI
The flaw is a CWE-89 Improper Neutralization of Special Elements used in an SQL Command. Duplicate Page and Post is a WordPress plugin that clones existing posts/pages; the vulnerability arises where user-controllable input (such as a post/page identifier passed to the duplication routine) is concatenated into a SQL statement without parameterized queries or proper escaping via WordPress's $wpdb->prepare(). Because it is blind, results are not returned directly in the response and an attacker infers data through boolean/time-based inference. The shared scope is the underlying MySQL/MariaDB database that backs the entire WordPress installation, which is why the CVSS scope is marked Changed (S:C) - exploiting one plugin's query exposes data across the whole site database. No exact CPE string was provided in the source data; affected-product identity comes from the EUVD and Patchstack advisory entries.
RemediationAI
No vendor-released patch version is identified in the available data, so verify the fixed release directly on the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/duplicate-wp-page-post/vulnerability/wordpress-duplicate-page-and-post-plugin-2-9-5-sql-injection-vulnerability?_s_id=cve) and upgrade to any release later than 2.9.5 once published; do not assume a version number that is not confirmed by the vendor. As compensating controls until a confirmed fix is available, restrict who holds authenticated accounts by disabling open user self-registration (Settings → General → "Anyone can register") to remove the low-privilege foothold the attack needs - trade-off: this blocks legitimate self-service signups; deploy a WAF rule (e.g., Patchstack/Wordfence virtual patch) targeting the plugin's duplication endpoint to filter SQL metacharacters - trade-off: virtual patches can be bypassed and may cause false positives on legitimate input; and if the plugin is not actively used, deactivate and remove it entirely to eliminate the attack surface - trade-off: loss of post/page duplication functionality. Also ensure least-privilege role assignment so untrusted users do not retain accounts capable of reaching plugin actions.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32539
GHSA-qf22-3mph-6276