Description

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.

PUBLISHED Reserved 2026-02-11 | Published 2026-02-11 | Updated 2026-02-13 | Assigner VulnCheck




MEDIUM: 4.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

MEDIUM: 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

0.3 (semver)
affected

Credits

Unk9vvN finder

References

www.exploit-db.com/exploits/47424 (ExploitDB-47424) exploit

duplicate-post.lopo.it/ (Duplicate Post Plugin Vendor Homepage) product

wordpress.org/plugins/duplicate-post/ (WordPress Duplicate Post Plugin Repository) product

www.vulncheck.com/...te-post-persistent-cross-site-scripting (VulnCheck Advisory: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting) third-party-advisory

www.wordfence.com/...cated-admin-stored-cross-site-scripting third-party-advisory

cve.org (CVE-2019-25314)

nvd.nist.gov (CVE-2019-25314)
