Skip to main content

Post Duplicator EUVDEUVD-2026-38694

| CVE-2026-10749 HIGH
2026-06-24 WPScan GHSA-57q8-6wvw-p94h
7.2
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Description requires only Contributor (low-privilege) access so PR:L not PR:H; network-reachable, low-complexity object injection yielding high C/I/A via gadget chains.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 14:23 vuln.today
CVSS changed
Jun 24, 2026 - 14:22 NVD
7.2 (HIGH)
Patch available
Jun 24, 2026 - 08:16 EUVD
CVE Published
Jun 24, 2026 - 06:00 cve.org
HIGH 7.2
CVE Published
Jun 24, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

AnalysisAI

PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Contributor or higher
Delivery
Craft post meta with serialized PHP object
Exploit
Trigger Post Duplicator clone
Execution
Payload stored without serialization escaping
Persist
Value unserialized by WordPress/plugin
Impact
Gadget chain executes attacker actions

Vulnerability AssessmentAI

Exploitation Requires an authenticated account with Contributor-level access or above on the target WordPress site, and the Post Duplicator plugin (version < 3.0.15) installed and used to duplicate a post carrying attacker-supplied custom meta-data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be read together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised a Contributor account crafts a post whose custom meta-data contains a serialized PHP object payload, then uses the Post Duplicator clone function so the payload is stored verbatim, bypassing WordPress's serialization escaping. When the duplicated meta is later unserialized by WordPress or another plugin, the malicious object is instantiated and, combined with an available gadget chain, drives unintended actions such as file writes or code execution. …
Remediation Vendor-released patch: 3.0.15 - upgrade the Post Duplicator plugin to version 3.0.15 or later, which restores safe (double-serialized) handling of duplicated meta-data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Identify all WordPress instances using Post Duplicator plugin and audit accounts with Contributor-level access or higher. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2025-47916 CRITICAL POC
10.0 May 16

Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2025-24367 HIGH POC
8.7 Jan 27

Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through th

CVE-2025-3102 HIGH POC
8.1 Apr 10

The SureTriggers WordPress plugin through version 1.0.78 contains an authentication bypass due to a missing empty value

CVE-2025-1661 CRITICAL POC
9.8 Mar 11

The HUSKY Products Filter Professional for WooCommerce plugin through version 1.3.6.5 contains a critical Local File Inc

CVE-2025-2563 HIGH POC
8.1 Apr 14

The User Registration & Membership WordPress plugin before version 4.1.2 fails to prevent users from setting their accou

CVE-2025-13486 CRITICAL POC
9.8 Dec 03

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 thr

CVE-2023-6933 HIGH POC
8.8 Feb 05

PHP Object Injection in the Better Search Replace WordPress plugin (versions up to and including 1.4.4) allows remote un

Share

EUVD-2026-38694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy