Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description requires only Contributor (low-privilege) access so PR:L not PR:H; network-reachable, low-complexity object injection yielding high C/I/A via gadget chains.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
Articles & Coverage 2
AnalysisAI
PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated account with Contributor-level access or above on the target WordPress site, and the Post Duplicator plugin (version < 3.0.15) installed and used to duplicate a post carrying attacker-supplied custom meta-data. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be read together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or compromised a Contributor account crafts a post whose custom meta-data contains a serialized PHP object payload, then uses the Post Duplicator clone function so the payload is stored verbatim, bypassing WordPress's serialization escaping. When the duplicated meta is later unserialized by WordPress or another plugin, the malicious object is instantiated and, combined with an available gadget chain, drives unintended actions such as file writes or code execution. … |
| Remediation | Vendor-released patch: 3.0.15 - upgrade the Post Duplicator plugin to version 3.0.15 or later, which restores safe (double-serialized) handling of duplicated meta-data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
WITHIN 24 HOURS: Identify all WordPress instances using Post Duplicator plugin and audit accounts with Contributor-level access or higher. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through th
The SureTriggers WordPress plugin through version 1.0.78 contains an authentication bypass due to a missing empty value
The HUSKY Products Filter Professional for WooCommerce plugin through version 1.3.6.5 contains a critical Local File Inc
The User Registration & Membership WordPress plugin before version 4.1.2 fails to prevent users from setting their accou
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 thr
PHP Object Injection in the Better Search Replace WordPress plugin (versions up to and including 1.4.4) allows remote un
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38694
GHSA-57q8-6wvw-p94h