Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
WordPress Page and Post Clone Plugin Exposes Sensitive Data
CVE-2026-2893
Summary
The Page and Post Clone plugin for WordPress allows attackers to extract sensitive information from your database if they have Contributor-level access. This can happen when a malicious user creates a new post with a specially crafted meta key, which is then executed when the post is cloned. To protect your site, update the plugin to a version higher than 6.3.
Original title
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to in...
Original description
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned.
nvd CVSS3.1
6.5
Vulnerability type
CWE-89
SQL Injection
- https://plugins.trac.wordpress.org/browser/page-or-post-clone/tags/6.3/page-or-p...
- https://plugins.trac.wordpress.org/browser/page-or-post-clone/trunk/page-or-post...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/85674d8a-96b3-4fae-8bf...
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026