{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2301", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T18:17:31.628Z", "datePublished": "2026-02-25T09:26:51.333Z", "dateUpdated": "2026-04-08T17:29:57.120Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:57.120Z"}, "affected": [{"vendor": "metaphorcreations", "product": "Post Duplicator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint."}], "title": "Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c86f72-934c-4f3b-ab2a-65df1490ca8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/api.php#L923"}, {"url": "https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/api.php#L843"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3463768%40post-duplicator%2Ftrunk&old=3459096%40post-duplicator%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "timeline": [{"time": "2026-02-11T16:25:17.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-24T21:12:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:00:26.768409Z", "id": "CVE-2026-2301", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:00:43.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2301", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:00:26.768409Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:00:32.648Z"}}], "cna": {"title": "Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Hung"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "metaphorcreations", "product": "Post Duplicator", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-11T16:25:17.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-24T21:12:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c86f72-934c-4f3b-ab2a-65df1490ca8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/api.php#L923"}, {"url": "https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/api.php#L843"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3463768%40post-duplicator%2Ftrunk&old=3459096%40post-duplicator%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-25T09:26:51.333Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2301", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:00:43.772Z", "dateReserved": "2026-02-10T18:17:31.628Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-25T09:26:51.333Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint."}, {"lang": "es", "value": "El plugin Post Duplicator para WordPress es vulnerable a la inserci\u00f3n no autorizada de metadatos de publicaci\u00f3n protegidos arbitrarios en todas las versiones hasta la 3.0.8, inclusive. Esto se debe a que la funci\u00f3n `duplicate_post()` en `includes/api.php` utiliza `$wpdb-&gt;insert()` directamente en la tabla `wp_postmeta` en lugar de la funci\u00f3n est\u00e1ndar de WordPress `add_post_meta()`, la cual llamar\u00eda a `is_protected_meta()` para evitar que usuarios con privilegios inferiores establezcan claves de metadatos protegidas (aquellas que comienzan con `_`). Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten claves de metadatos de publicaci\u00f3n protegidas arbitrarias como `_wp_page_template`, `_wp_attached_file` y otras claves de metadatos sensibles en publicaciones duplicadas a trav\u00e9s del par\u00e1metro de array JSON `customMetaData` en el endpoint de la API REST `/wp-json/post-duplicator/v1/duplicate-post`."}], "id": "CVE-2026-2301", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-25T10:16:18.307", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/api.php#L843"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/api.php#L923"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3463768%40post-duplicator%2Ftrunk&old=3459096%40post-duplicator%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c86f72-934c-4f3b-ab2a-65df1490ca8a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Post Duplicator", "source": "cna", "vendor": "metaphorcreations"}, "product": "post_duplicator", "vendor": "metaphorcreations"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T16:54:42.781220+00:00", "value": {"mitigation_remediation": ["Upgrade Post Duplicator to the latest version (\u22653.0.9) where the duplicate_post() function has been fixed to use add_post_meta() and enforce proper authorization for protected keys.", "If an upgrade cannot be performed immediately, restrict the duplicate-post REST endpoint so that only administrators can access it\u2014for example, by adding capability checks (like current_user_can('edit_posts')) or by disabling the endpoint via a custom snippet or security plugin.", "Audit existing duplicated posts for unexpected protected meta entries (e.g., keys starting with '_') and delete or correct any that appear suspicious or were not intentionally added by an administrator."], "summary": {"action": "Patch", "impact": "Unauthorized Protected Meta Data Insertion"}, "threat_synthesis": {"affected_systems": "WordPress installations that run Post Duplicator up to and including version 3.0.8, a plugin supplied by metaphorcreations. Any site using these versions is susceptible, regardless of the WordPress core version, as the vector is the plugin\u2019s REST API endpoint.", "description_and_impact": "The Post Duplicator plugin for WordPress contains a flaw that permits authenticated users with Contributor permissions or higher to insert arbitrary protected post meta keys. The flaw arises because the duplicate_post() function writes directly to the wp_postmeta table with a raw SQL insert, bypassing WordPress\u2019s add_post_meta() routine which normally protects keys that begin with an underscore. Attackers can therefore supply a customMetaData JSON array via the /wp-json/post-duplicator/v1/duplicate-post REST endpoint and create entries such as _wp_page_template, _wp_attached_file, and other sensitive meta fields on duplicated posts. This grants the malicious actor the ability to modify core post metadata that is normally restricted to administrators. The weakness is classified as CWE\u2011862: Missing Authorization.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity vulnerability with limited impact if exploited. The EPSS score of <1% suggests a low probability of real\u2011world exploitation at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires prior authentication\u2014contributor or higher\u2014and the use of the duplicate-post REST endpoint. No known remote code execution or privilege elevation beyond the capabilities to alter protected post meta can be achieved directly from the public internet. However, once protected meta keys like _wp_page_template are modified, there is potential for further indirect exploitation if additional content or plugins rely on these values. Consequently, administrators should treat the issue as a moderate risk that could enable unauthorized metadata manipulation."}}}}, "created": "2026-02-26T13:18:15.093808+00:00", "updated": "2026-04-15T17:00:07.084875+00:00", "vendors": ["metaphorcreations", "metaphorcreations$PRODUCT$post_duplicator", "wordpress", "wordpress$PRODUCT$wordpress"]}