{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2893", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-20T18:48:50.173Z", "datePublished": "2026-03-05T07:30:55.134Z", "dateUpdated": "2026-04-08T17:04:36.416Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:36.416Z"}, "affected": [{"vendor": "carlosfazenda", "product": "Fast Page & Post Duplicator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned."}], "title": "Page and Post Clone <= 6.3 - Authenticated (Contributor+) SQL Injection via 'meta_key' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85674d8a-96b3-4fae-8bff-900ca78073a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/page-or-post-clone/tags/6.3/page-or-post-clone.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/page-or-post-clone/trunk/page-or-post-clone.php#L95"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3474651%40page-or-post-clone%2Ftrunk&old=3202933%40page-or-post-clone%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Arthur GRIMAULT"}], "timeline": [{"time": "2026-03-04T19:00:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:01:15.371730Z", "id": "CVE-2026-2893", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:02:06.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2893", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T15:01:15.371730Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:02:02.322Z"}}], "cna": {"title": "Page and Post Clone <= 6.3 - Authenticated (Contributor+) SQL Injection via 'meta_key' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Arthur GRIMAULT"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "carlosfazenda", "product": "Fast Page & Post Duplicator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-04T19:00:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85674d8a-96b3-4fae-8bff-900ca78073a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/page-or-post-clone/tags/6.3/page-or-post-clone.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/page-or-post-clone/trunk/page-or-post-clone.php#L95"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3474651%40page-or-post-clone%2Ftrunk&old=3202933%40page-or-post-clone%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:36.416Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2893", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:36.416Z", "dateReserved": "2026-02-20T18:48:50.173Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-05T07:30:55.134Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned."}, {"lang": "es", "value": "El plugin Page and Post Clone para WordPress es vulnerable a inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro 'meta_key' en la funci\u00f3n content_clone() en todas las versiones hasta la 6.3, inclusive. Esto se debe a un escape insuficiente del valor 'meta_key' proporcionado por el usuario y a una preparaci\u00f3n insuficiente en la consulta SQL existente. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, a\u00f1adir consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n sensible de la base de datos. La inyecci\u00f3n es de segundo orden: la carga \u00fatil maliciosa se almacena como una clave meta de publicaci\u00f3n y se ejecuta cuando se clona la publicaci\u00f3n."}], "id": "CVE-2026-2893", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-05T08:15:59.963", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/page-or-post-clone/tags/6.3/page-or-post-clone.php#L95"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/page-or-post-clone/trunk/page-or-post-clone.php#L95"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3474651%40page-or-post-clone%2Ftrunk&old=3202933%40page-or-post-clone%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85674d8a-96b3-4fae-8bff-900ca78073a4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Page and Post Clone", "source": "cna", "vendor": "carlosfazenda"}, "product": "page_and_post_clone", "vendor": "carlosfazenda"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:53:08.099175+00:00", "value": {"mitigation_remediation": ["Upgrade the Page and Post Clone plugin to version 6.4 or later, where the meta_key parameter is properly sanitized and the second\u2011order injection is fixed.", "If an immediate upgrade is not feasible, disable the clone feature for all users at the Contributor level or lower, and restrict cloning to administrators only.", "Remove the plugin from the WordPress installation if it is not required for site functionality, thereby eliminating the injection vector."], "summary": {"action": "Immediate patch", "impact": "Data exfiltration via SQL injection"}, "threat_synthesis": {"affected_systems": "The Fast Page & Post Duplicator plugin for WordPress is affected in all releases up to and including version 6.3. Sites that run any of these versions and have role users with Contributor or higher privileges are vulnerable to exploitation.", "description_and_impact": "The vulnerability is an unescaped SQL injection that allows attackers with Contributor-level or higher access to a WordPress site to inject payloads into the 'meta_key' parameter used when cloning a post. The payload is stored as a post meta key and later executed during the cloning process, enabling the attacker to append arbitrary SQL statements to existing database queries. This second\u2011order injection can read, modify, or delete sensitive database information. The weakness corresponds to CWE\u201189, reflecting improper input sanitization for database queries.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. Attack requires an authenticated user with Contributor privileges or above; the attack vector is inferred from the description as it relies on the ability to perform a post clone operation and supply a crafted meta_key parameter. An attacker could use this to read confidential data or manipulate the database, with potential downstream effects on site integrity and confidentiality."}}}}, "created": "2026-03-06T15:08:00.383242+00:00", "updated": "2026-04-15T18:00:15.483505+00:00", "vendors": ["carlosfazenda", "carlosfazenda$PRODUCT$page_and_post_clone", "wordpress", "wordpress$PRODUCT$wordpress"]}