Description

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

Status: PUBLISHED | Reserved 2026-06-03 | Published 2026-06-24 | Updated 2026-06-24 | Assigner: WPScan

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status: unaffected

Any version before 3.0.15: affected

Credits

Md. Minaruzzaman Shovon (finder)

WPScan (coordinator)

References

wpscan.com/...rability/224c36b5-e604-4eb3-aad8-47283b95e994/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-10749)

nvd.nist.gov (CVE-2026-10749)