PT-2026-21893 · WordPress · Post Duplicator

Hung Nguyen · Published 2026-02-25 · Updated 2026-02-25 · CVE-2026-2301

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Post Duplicator plugin for WordPress versions up to and including 3.0.8

Description

The Post Duplicator plugin for WordPress is susceptible to unauthorized modification of protected post meta data. This occurs because the duplicate_post() function uses $wpdb->insert() to write directly into the wp_postmeta table, bypassing the standard add_post_meta() function and its associated is_protected_meta() check. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary protected meta keys, such as _wp_page_template and _wp_attached_file, on duplicated posts. The issue is exploitable through the customMetaData JSON array parameter in the /wp-json/post-duplicator/v1/duplicate-post API endpoint.

Recommendations

Update the Post Duplicator plugin to a version later than 3.0.8.
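
The pattern described above beside a checked form, as an added example that is not the plugin's own code or its actual patch. It assumes a loaded WordPress environment; the function names and the 'key'/'value' shape of each customMetaData entry are hypothetical.

```php
<?php
// Added illustration; runs inside a loaded WordPress. Function names and the
// 'key'/'value' entry shape are assumptions, not the plugin's actual code.

// Pattern described in the advisory: rows go straight into wp_postmeta, so no
// capability or protected-key check is ever applied to $entry['key'].
function example_copy_meta_unchecked( int $new_post_id, array $custom_meta ): void {
    global $wpdb;
    foreach ( $custom_meta as $entry ) {
        $wpdb->insert(
            $wpdb->postmeta,
            array(
                'post_id'    => $new_post_id,
                'meta_key'   => $entry['key'],
                'meta_value' => maybe_serialize( $entry['value'] ),
            ),
            array( '%d', '%s', '%s' )
        );
    }
}

// Checked form: validate the entry shape, reject protected keys, check the
// per-key meta capability, then write through the meta API.
// Returns the list of rejected keys so the caller can log or report them.
function example_copy_meta_checked( int $new_post_id, array $custom_meta ): array {
    $rejected = array();
    foreach ( $custom_meta as $entry ) {
        if ( ! is_array( $entry ) || ! isset( $entry['key'] )
            || ! is_string( $entry['key'] ) || '' === $entry['key'] ) {
            continue; // malformed entry, nothing to copy
        }
        $key = $entry['key'];
        if ( is_protected_meta( $key, 'post' )
            || ! current_user_can( 'add_post_meta', $new_post_id, $key ) ) {
            $rejected[] = $key;
            continue;
        }
        // add_post_meta() unslashes its input, so slash first.
        add_post_meta( $new_post_id, wp_slash( $key ), wp_slash( $entry['value'] ?? '' ) );
    }
    return $rejected;
}
```

With the checked form, keys such as _wp_page_template and _wp_attached_file end up in the returned rejected list instead of in the duplicated post's meta.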

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-2301

Affected Products

Post Duplicator