CVE-2026-10749 PUBLISHED

Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData

Assigner: WPScan
Reserved: 03.06.2026 Published: 24.06.2026 Updated: 24.06.2026

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

Product Status

Vendor	Unknown
Product	Post Duplicator
Versions	Default: unaffected affected from 0 to 3.0.15 (excl.)

Credits

Md. Minaruzzaman Shovon finder
WPScan coordinator

References

https://wpscan.com/vulnerability/224c36b5-e604-4eb3-aad8-47283b95e994/

Problem Types

CWE-502 Deserialization of Untrusted Data CWE