Post Duplicator, CVE-2026-10749

CVE, Research URL: CVE-2026-10749
Home page URL: Security reports for Post Duplicator
Application: Post Duplicator
Published on: Jun 24, 2026
Research Description: The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
Affected versions: max 3.0.15.
Status: vulnerable