Skip to main content

Duplicate Page and Post CVE-2026-49046

| EUVDEUVD-2026-32539 HIGH
SQL Injection (CWE-89)
2026-05-27 audit@patchstack.com GHSA-qf22-3mph-6276
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:09 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection.

This issue affects Duplicate Page and Post: from n/a through 2.9.5.

AnalysisAI

Blind SQL injection in the WordPress plugin Duplicate Page and Post (by Arjun Thakur) through version 2.9.5 lets authenticated low-privilege users inject crafted SQL into a database query, enabling extraction of arbitrary database contents including WordPress user hashes and secrets. The CVSS:3.1 base score is 8.5 with a changed scope, reflecting impact beyond the plugin into the shared WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through the Patchstack research program.

Technical ContextAI

The flaw is a CWE-89 Improper Neutralization of Special Elements used in an SQL Command. Duplicate Page and Post is a WordPress plugin that clones existing posts/pages; the vulnerability arises where user-controllable input (such as a post/page identifier passed to the duplication routine) is concatenated into a SQL statement without parameterized queries or proper escaping via WordPress's $wpdb->prepare(). Because it is blind, results are not returned directly in the response and an attacker infers data through boolean/time-based inference. The shared scope is the underlying MySQL/MariaDB database that backs the entire WordPress installation, which is why the CVSS scope is marked Changed (S:C) - exploiting one plugin's query exposes data across the whole site database. No exact CPE string was provided in the source data; affected-product identity comes from the EUVD and Patchstack advisory entries.

RemediationAI

No vendor-released patch version is identified in the available data, so verify the fixed release directly on the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/duplicate-wp-page-post/vulnerability/wordpress-duplicate-page-and-post-plugin-2-9-5-sql-injection-vulnerability?_s_id=cve) and upgrade to any release later than 2.9.5 once published; do not assume a version number that is not confirmed by the vendor. As compensating controls until a confirmed fix is available, restrict who holds authenticated accounts by disabling open user self-registration (Settings → General → "Anyone can register") to remove the low-privilege foothold the attack needs - trade-off: this blocks legitimate self-service signups; deploy a WAF rule (e.g., Patchstack/Wordfence virtual patch) targeting the plugin's duplication endpoint to filter SQL metacharacters - trade-off: virtual patches can be bypassed and may cause false positives on legitimate input; and if the plugin is not actively used, deactivate and remove it entirely to eliminate the attack surface - trade-off: loss of post/page duplication functionality. Also ensure least-privilege role assignment so untrusted users do not retain accounts capable of reaching plugin actions.

Share

CVE-2026-49046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy