PT-2026-23415 · WordPress · Wordpress Page/Post Clone
Arthur Grimault · Published 2026-03-05 · Updated 2026-03-05 · CVE-2026-2893
| CVSS v3.1 | 6.5 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WordPress Page and Post Clone plugin versions prior to 6.3
Description
The Page and Post Clone plugin for WordPress is susceptible to SQL Injection via the meta key parameter within the content clone() function. This is a result of inadequate escaping of user-provided meta key values and insufficient preparation of the existing SQL query. Authenticated attackers with Contributor-level access or higher can append additional SQL queries to existing queries, potentially extracting sensitive information from the database. The injection is second-order, meaning the malicious payload is stored as a post meta key and executed during post cloning.
Recommendations
Update WordPress Page and Post Clone plugin to a version newer than 6.3.
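The second-order pattern from the description, modelled in Python with an in-memory SQLite database. This is an added example, not the plugin's PHP code; the schema, function names and the stored key are constructed for illustration. The vulnerable clone concatenates the stored key into new SQL text, while the hardened clone copies rows inside one parameterized statement.

```python
import sqlite3

# Constructed stored key: a quote ends the literal, the rest becomes SQL when re-used.
HOSTILE_KEY = "k', (SELECT value FROM secrets) UNION ALL SELECT 0, 'x"

def make_db():
    """Constructed stand-in schema: a post-meta table and an unrelated secret table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE postmeta (post_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE secrets (value TEXT);
        INSERT INTO secrets VALUES ('CONSTRUCTED-SECRET');
    """)
    return db

def add_meta(db, post_id, key, value):
    # First order: the write is parameterized, so the key is stored verbatim.
    db.execute("INSERT INTO postmeta VALUES (?, ?, ?)", (post_id, key, value))

def clone_meta_vulnerable(db, src, dst):
    # Second order: the stored key is read back and concatenated into a new query.
    rows = db.execute(
        "SELECT meta_key, meta_value FROM postmeta WHERE post_id = ?", (src,)
    ).fetchall()
    parts = []
    for key, value in rows:
        value = value.replace("'", "''")  # value is escaped, key is not
        parts.append(f"SELECT {int(dst)}, '{key}', '{value}'")
    db.execute("INSERT INTO postmeta " + " UNION ALL ".join(parts))

def clone_meta_safe(db, src, dst):
    # Hardened: rows are copied inside one statement; only ids are bound parameters.
    db.execute(
        "INSERT INTO postmeta (post_id, meta_key, meta_value) "
        "SELECT ?, meta_key, meta_value FROM postmeta WHERE post_id = ?",
        (dst, src),
    )

def demo(clone):
    """Store the constructed key on post 1, clone to post 2, return post 2's meta."""
    db = make_db()
    add_meta(db, 1, HOSTILE_KEY, "v")
    clone(db, 1, 2)
    return db.execute("SELECT meta_key, meta_value FROM postmeta WHERE post_id = 2").fetchall()

if __name__ == "__main__":
    print("vulnerable:", demo(clone_meta_vulnerable))
    print("hardened:  ", demo(clone_meta_safe))
```

In the vulnerable run the cloned post's meta value holds the content of the unrelated table; in the hardened run the key is copied byte for byte as data.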
Fix
SQL injection
Affected Products
Wordpress Page/Post Clone