CVE-2026-2301

4.3 MEDIUM

📋 TL;DR

The Post Duplicator WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject arbitrary protected post meta keys (starting with '_') when duplicating posts. This vulnerability exists because the plugin bypasses WordPress's standard meta protection mechanisms. All WordPress sites using Post Duplicator versions up to 3.0.8 are affected.
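
The check the advisory says the plugin bypassed, as an added illustration (Python, not the plugin's PHP and not WordPress core). It models the semantics of WordPress's is_protected_meta(): a meta key is reduced to printable ASCII plus Unicode letters, and it is protected when that reduced key begins with '_'. The stripping step is the edge case worth knowing: a key such as "\u200b_wp_page_template" (zero-width space, then underscore) passes a naive startswith('_') test but is still protected. The element shape of the customMetaData array, the 'is_protected_meta' filter hook and per-key capability checks are assumptions or are left out; the function and sample names are mine.

```python
"""Added example (not the plugin's or WordPress core's code): the filter a
duplication routine should apply to caller-supplied meta before writing it.

Modelled on the semantics of WordPress's is_protected_meta(): the key is
reduced to printable ASCII plus Unicode letters, and it is protected when
that reduced key starts with '_'. The filter hook and per-key capability
checks are not modelled (assumption: not needed for the default behaviour).
"""
from typing import Dict, Iterable, List, Tuple


def sanitized_key(meta_key: str) -> str:
    """Keep printable ASCII (0x20-0x7E) and Unicode letters, drop the rest."""
    return "".join(c for c in meta_key if 0x20 <= ord(c) <= 0x7E or c.isalpha())


def is_protected_meta(meta_key: str) -> bool:
    """A meta key is protected when its sanitized form begins with '_'."""
    key = sanitized_key(meta_key)
    return len(key) > 0 and key[0] == "_"


def filter_custom_meta(
    custom_meta: Iterable[Tuple[str, str]],
) -> Tuple[Dict[str, str], List[str]]:
    """Split caller-supplied (key, value) pairs into accepted meta and rejected keys.

    Protected keys are never copied from an untrusted request body; a duplication
    routine that needs the post's own protected meta should read it from the
    source post rather than trust the REST payload.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for key, value in custom_meta:
        if is_protected_meta(key):
            rejected.append(key)
        else:
            accepted[key] = value
    return accepted, rejected


# Constructed sample request, mirroring the shape of a customMetaData array as
# (key, value) pairs. The real request's field names are not shown on this page
# and are an assumption.
CONSTRUCTED_CUSTOM_META = [
    ("subtitle", "Quarterly update"),
    ("_wp_page_template", "page-full-width.php"),        # protected: controls layout
    ("\u200b_wp_attached_file", "2026/01/report.pdf"),   # hidden leading underscore
    ("reading_time", "4"),
]


if __name__ == "__main__":
    ok, dropped = filter_custom_meta(CONSTRUCTED_CUSTOM_META)
    print("accepted:", ok)
    print("rejected:", dropped)
```

Running the block accepts only `subtitle` and `reading_time`; both protected keys are rejected, including the one whose underscore is hidden behind a zero-width space.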

💻 Affected Systems

Products:
  • Post Duplicator WordPress Plugin
Versions: All versions up to and including 3.0.8
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Post Duplicator plugin enabled and at least one user with Contributor role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify critical post metadata like _wp_page_template to change page layouts, inject malicious content, or manipulate _wp_attached_file to compromise media handling, potentially leading to site defacement or privilege escalation.

🟠 Likely Case

Attackers with contributor access could manipulate post templates, visibility settings, or other protected metadata to disrupt site functionality or gain unauthorized control over duplicated content.

🟢 If Mitigated

With proper user access controls and monitoring, impact is limited to content manipulation within the attacker's existing post creation capabilities.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and involves sending crafted JSON to the REST API endpoint. The vulnerability is well-documented and easy to understand.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.9

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3463768%40post-duplicator%2Ftrunk&old=3459096%40post-duplicator%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find Post Duplicator and click 'Update Now'.
  4. Verify the version is 3.0.9 or higher.

🔧 Temporary Workarounds

Disable Post Duplicator Plugin (platform: all)

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate post-duplicator

Restrict REST API Access (platform: linux)

Limit access to the vulnerable endpoint using WordPress security plugins or .htaccess rules:

# Add to .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/post-duplicator/v1/duplicate-post
RewriteRule .* - [F,L]
</IfModule>

🧯 If You Can't Patch

  • Restrict user roles: Limit Contributor and higher roles to trusted users only
  • Monitor logs: Enable detailed logging of REST API requests and review for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → Installed Plugins for the Post Duplicator version. If the version is 3.0.8 or lower, the site is vulnerable.

Check Version:

wp plugin get post-duplicator --field=version

Verify Fix Applied:

After updating, verify Post Duplicator version shows 3.0.9 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-json/post-duplicator/v1/duplicate-post with customMetaData parameter
  • Multiple post duplication attempts from single user in short timeframe
  • Posts with unexpected protected meta keys (starting with '_')

Network Indicators:

  • HTTP POST requests to vulnerable endpoint with JSON payload containing customMetaData array
  • Unusual traffic patterns to WordPress REST API from authenticated users

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-json/post-duplicator/v1/duplicate-post" AND http_method="POST")
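
The three log indicators above, turned into detection logic as an added example (not part of the advisory). The log format is an assumption: one JSON object per line carrying ts, user, http_method, uri_path and the decoded request body, as a WordPress request-logging plugin or a reverse proxy might emit. The element shape of customMetaData ({"key", "value"} objects), the sample user names and the thresholds are constructed for the example.

```python
"""Added example (not from the advisory): detection over constructed request logs.

Assumed log format: one JSON object per line with ts, user, http_method,
uri_path and the decoded request body. Flags POSTs to the duplicate-post
route that carry a customMetaData array, protected keys inside that array,
and bursts of duplication requests from one user.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ENDPOINT = "/wp-json/post-duplicator/v1/duplicate-post"
BURST_COUNT = 3                      # this many duplication requests ...
BURST_WINDOW = timedelta(minutes=5)  # ... from one user within this window

# Constructed sample log. The customMetaData element shape and the absence of
# other request fields are assumptions, not taken from the plugin.
CONSTRUCTED_LOG = """\
{"ts":"2026-01-10T09:00:01Z","user":"editor1","http_method":"GET","uri_path":"/wp-json/wp/v2/posts","body":{}}
{"ts":"2026-01-10T09:00:05Z","user":"contrib7","http_method":"POST","uri_path":"/wp-json/post-duplicator/v1/duplicate-post","body":{"customMetaData":[{"key":"subtitle","value":"copy"}]}}
{"ts":"2026-01-10T09:00:09Z","user":"contrib7","http_method":"POST","uri_path":"/wp-json/post-duplicator/v1/duplicate-post","body":{"customMetaData":[{"key":"_wp_page_template","value":"page-full-width.php"}]}}
{"ts":"2026-01-10T09:01:30Z","user":"contrib7","http_method":"POST","uri_path":"/wp-json/post-duplicator/v1/duplicate-post","body":{"customMetaData":[]}}
{"ts":"2026-01-10T14:00:00Z","user":"editor1","http_method":"POST","uri_path":"/wp-json/post-duplicator/v1/duplicate-post","body":{}}
"""

Alert = Tuple[str, str, str, str]  # (indicator, user, ts, detail)


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_duplicate_post_call(event: dict) -> bool:
    """Same condition as the SIEM query above: POST to the duplicate-post route."""
    return event.get("http_method") == "POST" and event.get("uri_path") == ENDPOINT


def custom_meta(event: dict) -> list:
    body = event.get("body") or {}
    meta = body.get("customMetaData")
    return meta if isinstance(meta, list) else []


def protected_keys(meta: list) -> List[str]:
    """Keys beginning with '_' are WordPress protected meta."""
    keys = [str(m.get("key", "")) for m in meta if isinstance(m, dict)]
    return [k for k in keys if k.startswith("_")]


def analyze(events: List[dict]) -> List[Alert]:
    alerts: List[Alert] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)  # per-user request times
    for ev in events:                                       # assumed chronological
        if not is_duplicate_post_call(ev):
            continue
        user, ts_text = ev.get("user", "?"), ev["ts"]
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")

        meta = custom_meta(ev)
        if meta:
            alerts.append(("custom_meta_supplied", user, ts_text, f"{len(meta)} key(s)"))
        bad = protected_keys(meta)
        if bad:
            alerts.append(("protected_meta_key", user, ts_text, ",".join(bad)))

        # Sliding window of this user's duplication requests; fire once at threshold.
        window = [t for t in recent[user] if ts - t <= BURST_WINDOW] + [ts]
        recent[user] = window
        if len(window) == BURST_COUNT:
            alerts.append(("duplication_burst", user, ts_text, f"{len(window)} in {BURST_WINDOW}"))
    return alerts


def run() -> List[Alert]:
    return analyze(parse_log(CONSTRUCTED_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed log this yields four alerts, all for contrib7: two customMetaData submissions, one protected key (_wp_page_template), and one burst when the third duplication request lands inside the five-minute window. Like the SIEM query above, the route match is on uri_path only; WordPress also serves REST routes through the rest_route query parameter on the site root, so a production rule should match that request form as well.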
