Arbitrary Protected Post Meta Insertion Vulnerability in Post Duplicator Plugin for WordPress
CVE-2026-2301
What is CVE-2026-2301?
The Post Duplicator plugin for WordPress has a vulnerability that allows users with Contributor-level access or higher to insert arbitrary protected post meta into duplicated posts. The issue arises because the duplicate_post() function writes to the wp_postmeta table directly with $wpdb->insert(), bypassing WordPress's add_post_meta() function, which should enforce checks via is_protected_meta(). As a result, authenticated attackers can set sensitive meta keys such as _wp_page_template and _wp_attached_file through the customMetaData parameter of the plugin's REST API endpoint, posing a significant risk to site security.
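
The missing check described above, sketched as an added example. This is not Post Duplicator's code or its patch. The function name example_copy_custom_meta and the key => value shape assumed for customMetaData are hypothetical, and the snippet assumes it runs inside a loaded WordPress request with the current user set.

```php
<?php
/**
 * Hypothetical helper (not Post Duplicator code): copy caller-supplied
 * meta onto a duplicated post without writing protected keys.
 *
 * @param int   $new_post_id ID of the duplicated post.
 * @param array $custom_meta Assumed shape: [ meta_key => meta_value, ... ].
 * @return string[] Meta keys that were rejected, for logging or an error response.
 */
function example_copy_custom_meta( $new_post_id, array $custom_meta ) {
    $rejected = array();

    foreach ( $custom_meta as $key => $value ) {
        $key = (string) $key;

        // Refuse protected keys outright. WordPress treats keys with a
        // leading underscore (e.g. _wp_page_template, _wp_attached_file)
        // as protected unless the is_protected_meta filter says otherwise.
        if ( is_protected_meta( $key, 'post' ) ) {
            $rejected[] = $key;
            continue;
        }

        // Per-key capability check: core maps add_post_meta to the
        // user's right to edit this post and to any auth callback
        // registered for the key.
        if ( ! current_user_can( 'add_post_meta', $new_post_id, $key ) ) {
            $rejected[] = $key;
            continue;
        }

        // Write through the meta API instead of $wpdb->insert(), so
        // sanitization and serialization are handled by core.
        // add_post_meta() expects slashed input, hence wp_slash().
        add_post_meta( $new_post_id, $key, wp_slash( $value ) );
    }

    return $rejected;
}
```

A non-empty return value on a request from a Contributor-level account is worth logging, since it means the caller tried to set keys that the custom fields interface would not let them edit.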

Affected Version(s)
Post Duplicator * <= 3.0.8
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved