WordPress Post Duplicator Plugin Allows Attackers to Steal Sensitive Data
CVE-2026-2301
Summary
The Post Duplicator plugin for WordPress is vulnerable to a security issue that could allow an attacker with Contributor-level access to steal sensitive information from duplicated posts. This means that an attacker could potentially access confidential data, such as file paths and page templates, from posts that they shouldn't have access to. To fix this issue, you should update the Post Duplicator plugin to version 3.0.9 or later.
Original title
The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` fun...
Original description
The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint.
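One way a duplication handler can gate caller-supplied meta before writing it is sketched below. This is an added example, not the plugin's code and not the 3.0.9 patch. The function name `example_apply_custom_meta()` and the `key`/`value` shape of each `customMetaData` entry are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper (not from Post Duplicator): copy caller-supplied meta
 * onto a duplicated post while enforcing WordPress's protected-meta rules.
 *
 * ASSUMPTION: each $custom_meta entry looks like
 * array( 'key' => '...', 'value' => ... ); the real request shape may differ.
 *
 * @param int   $new_post_id ID of the freshly created duplicate.
 * @param array $custom_meta Decoded customMetaData array from the request.
 * @return string[] Meta keys that were rejected, for logging or the response.
 */
function example_apply_custom_meta( $new_post_id, array $custom_meta ) {
	$rejected = array();

	foreach ( $custom_meta as $entry ) {
		if ( ! is_array( $entry ) || ! isset( $entry['key'] ) || ! is_string( $entry['key'] ) ) {
			continue; // Malformed entry: nothing to write.
		}

		$key   = $entry['key'];
		$value = isset( $entry['value'] ) ? $entry['value'] : '';

		// The add_post_meta meta capability goes through map_meta_cap(), which
		// first requires edit rights on the post and then denies any key for
		// which is_protected_meta() is true (for example a leading "_"),
		// unless an auth callback registered for that key allows it.
		if ( ! current_user_can( 'add_post_meta', $new_post_id, $key ) ) {
			$rejected[] = $key;
			continue;
		}

		// Write through the metadata API (sanitization, hooks, cache) instead
		// of a raw $wpdb->insert() into wp_postmeta. add_post_meta() expects
		// slashed input and unslashes it internally.
		add_post_meta( $new_post_id, wp_slash( $key ), wp_slash( $value ) );
	}

	return $rejected;
}
```

With a check like this, a Contributor-supplied `_wp_page_template` or `_wp_attached_file` entry ends up in the rejected list instead of in `wp_postmeta`.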
NVD CVSS 3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/a...
- https://plugins.trac.wordpress.org/browser/post-duplicator/tags/3.0.6/includes/a...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c86f72-934c-4f3b-ab2...
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026