Arthur Grimault

#41376 of 53,633
6.5 Total CVSS
Vulnerabilities · 1
PT-2026-23415
6.5
2026-03-05
WordPress · Wordpress Page/Post Clone · CVE-2026-2893
**Name of the Vulnerable Software and Affected Versions**

WordPress Page and Post Clone plugin versions prior to 6.3

**Description**

The Page and Post Clone plugin for WordPress is susceptible to SQL Injection via the `meta_key` parameter within the `content_clone()` function. This is a result of inadequate escaping of user-provided `meta_key` values and insufficient preparation of the existing SQL query. Authenticated attackers with Contributor-level access or higher can append additional SQL queries to existing queries, potentially extracting sensitive information from the database. The injection is second-order, meaning the malicious payload is stored as a post meta key and executed during post cloning.

**Recommendations**

Update WordPress Page and Post Clone plugin to a version newer than 6.3.