Duplicate Page and Post EUVD-2026-32539

CVE-2026-49046 (HIGH)
SQL Injection (CWE-89)
2026-05-27 | audit@patchstack.com | GHSA-qf22-3mph-6276
CVSS 3.1: 8.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: May 27, 2026 - 20:09 (vuln.today)

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection.

This issue affects Duplicate Page and Post: from n/a through 2.9.5.

Analysis (AI)

Blind SQL injection in the WordPress plugin Duplicate Page and Post (by Arjun Thakur) through version 2.9.5 lets authenticated low-privilege users inject crafted SQL into a database query, enabling extraction of arbitrary database contents including WordPress user hashes and secrets. The CVSS:3.1 base score is 8.5 with a changed scope, reflecting impact beyond the plugin into the shared WordPress database. …

Remediation (AI)

Within 24 hours: Audit all WordPress installations to identify sites running the Duplicate Page and Post plugin (versions 2.9.5 and below); document the inventory. Within 7 days: Disable and uninstall the vulnerable plugin from all affected sites; identify and deploy an alternative page duplication solution. …
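
One way to run the inventory step above on a host with file-system access to its sites. This is an added example, not code from vuln.today, Patchstack or the plugin author. It assumes the standard `wp-content/plugins` layout and that the plugin's main file carries the header `Plugin Name: Duplicate Page and Post`; the sample directory names and the version `2.10` are constructed test data.

```python
import re, sys, tempfile
from pathlib import Path

PLUGIN_NAME = "Duplicate Page and Post"  # display name from the advisory (assumed header value)
LAST_AFFECTED = (2, 9, 5, 0)             # "from n/a through 2.9.5"
# Same shape of header line WordPress recognises in a plugin's main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_version(text):
    """'2.9.5' -> (2, 9, 5, 0); padded so 2.9.5 and 2.9.5.0 compare equal."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    return tuple(nums + [0] * (4 - len(nums)))

def read_headers(php_file):
    # Plugin headers sit at the top of the file; the first 8192 characters suffice.
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return {k.lower(): v for k, v in HEADER_RE.findall(head)}

def find_installs(wp_root):
    """Return (plugin_dir, version, affected) for every copy of the plugin."""
    hits = []
    for php in sorted(Path(wp_root).glob("wp-content/plugins/*/*.php")):
        h = read_headers(php)
        if h.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        ver = h.get("version", "")
        # No readable version: report as affected rather than skip it.
        affected = not ver or parse_version(ver) <= LAST_AFFECTED
        hits.append((php.parent.name, ver or "unknown", affected))
    return hits

def build_sample_site(root):
    """Constructed test data; the directory names are placeholders."""
    samples = {"dup-old": ("Duplicate Page and Post", "2.9.5"),
               "dup-new": ("Duplicate Page and Post", "2.10"),
               "other": ("Some Other Plugin", "1.0")}
    for d, (name, ver) in samples.items():
        p = Path(root, "wp-content", "plugins", d)
        p.mkdir(parents=True)
        (p / "main.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_site(tempfile.mkdtemp())
    for plugin_dir, ver, affected in find_installs(root):
        print(f"{root}: {plugin_dir} {ver} {'AFFECTED' if affected else 'not in affected range'}")
```

Pass a WordPress root directory as the first argument to scan a real site; with no argument the script runs against the constructed sample tree.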
