SQL Injection Vulnerability in Duplicate Page and Post Plugin by Arjun Thakur
CVE-2026-49046

8.5 HIGH

Key Information:

Vendor: WordPress
CVE Published: 27 May 2026

What is CVE-2026-49046?

The Duplicate Page and Post plugin for WordPress, developed by Arjun Thakur, is vulnerable to SQL injection. The flaw stems from improper handling of SQL commands and can result in unauthorized data manipulation or access. All versions through 2.9.5 are affected, so users should update the plugin to mitigate the risk of exploitation. Website administrators are advised to review their security posture and apply necessary patches immediately.

Affected Version(s)

Duplicate Page and Post <= 2.9.5

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

timomangcut | Patchstack Bug Bounty Program