cleantalk
Vulnerabilities and Security Researches

Post Duplicator, CVE-2026-2301

CVE, Research URL

CVE-2026-2301

Home page URL

Security reports for Post Duplicator

Application

Post Duplicator

Published on
Feb 25, 2026
Research Description
The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint.
Affected versions
max 3.0.9.
Status
vulnerable
Previous vulnerability researches
GNA Search Shortcode (CVE-2025-46540) , Apr 26, 2025
New vulnerability
WP Accessibility (CVE-2026-2362) , Apr 15, 2026
Community Events (CVE-2026-2429) , Apr 15, 2026
3D FlipBook – PDF Flipbook WordPress (CVE-2026-1314) , Apr 15, 2026
Responsive Contact Form Builder & Lead Generation Plugin (CVE-2026-1454) , Apr 15, 2026
wpForo Forum (CVE-2026-1581) , Apr 15, 2026