meta4creations Post Duplicator Plugin notices.php mtphr_post_duplicator_notice cross site scripting
Description
Post Duplicator plugin <=2.18 for WordPress has a stored XSS vulnerability in the post-duplicated parameter via mtphr_post_duplicator_notice().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Post Duplicator plugin for WordPress up to and including version 2.18 contains a cross-site scripting (XSS) vulnerability. The issue resides in the function mtphr_post_duplicator_notice within the file includes/notices.php. The plugin does not properly sanitize the post-duplicated argument, allowing an attacker to inject arbitrary JavaScript or HTML. The vulnerability is classified as problematic and is triggered when the function renders the notice after duplicating a post. Affected versions are all releases prior to 2.19.
Exploitation
An attacker can exploit this vulnerability remotely without needing an account of their own. The attack requires the victim (typically a site administrator) to follow a crafted link, or otherwise be induced to perform an action that passes malicious input as the post-duplicated parameter. No network position beyond ordinary web access is needed: the attacker sends a malicious URL to a logged-in administrator.
Impact
Successful exploitation leads to stored cross-site scripting (XSS). The injected script executes in the context of the victim's browser session on the WordPress admin dashboard. This could allow an attacker to perform administrative actions, steal session cookies, or deface the site. The impact is limited to the admin interface and requires an authenticated administrator to trigger the payload.
Mitigation
The vulnerability is fixed in version 2.19. The patch is available as commit ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594 [1]. Users should upgrade to version 2.19 or later immediately [2]. No workarounds are documented; if upgrading is not possible, consider restricting access to the plugin's functionality or removing the vulnerable notices file.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.18
- meta4creations / Post Duplicator Plugin: Range 2.18
Patches
Commit 2c6a53ccf2695: Added Duplicate button to published post edit pages
5 files changed · +24 −4
assets/js/pd-admin.js+2 −0 modified@@ -12,6 +12,8 @@ jQuery( document ).ready( function() { jQuery( '.m4c-duplicate-post' ).live( 'click', function( e ) { e.preventDefault(); + var $spinner = jQuery(this).next('.spinner'); + $spinner.css('visibility', 'visible'); // Create the data to pass var data = {
includes/functions.php+15 −1 modified@@ -30,4 +30,18 @@ function get_mtphr_post_duplicator_settings() { // Return the settings return wp_parse_args( $settings, $defaults ); -} \ No newline at end of file +} + + +function mtphr_post_duplicator_submitbox( $post ) { + if( $post->post_status == 'publish' ) { + $post_type = get_post_type_object( $post->post_type ); + $nonce = wp_create_nonce( 'm4c_ajax_file_nonce' ); + ?> + <div class="misc-pub-section misc-pub-duplicator" id="duplicator"> + <a class="m4c-duplicate-post button button-small" rel="<?php echo $nonce; ?>" href="#" data-postid="<?php echo $post->ID; ?>"><?php printf( __( 'Duplicate %s', 'post-duplicator' ), $post_type->labels->singular_name ); ?></a><span class="spinner" style="float:none;margin-top:2px;margin-left:4px;"></span> + </div> + <?php + } +} +add_action( 'post_submitbox_misc_actions', 'mtphr_post_duplicator_submitbox' ); \ No newline at end of file
includes/scripts.php+1 −0 modified@@ -28,6 +28,7 @@ function mtphr_post_duplicator_metaboxer_scripts( $hook ) { function m4c_duplicate_post_scripts( $hook_suffix ) { if( $hook_suffix == 'edit.php' || + $hook_suffix == 'post.php' || $hook_suffix == 'customer-area_page_wpca-list,content,cuar_private_page' || $hook_suffix == 'customer-area_page_wpca-list,content,cuar_private_file' ) {
m4c-postduplicator.php+2 −2 modified@@ -2,7 +2,7 @@ /* Plugin Name: Post Duplicator Description: Creates functionality to duplicate any and all post types, including taxonomies & custom fields -Version: 2.18 +Version: 2.19 Author: Metaphor Creations Author URI: http://www.metaphorcreations.com Text Domain: post-duplicator @@ -30,7 +30,7 @@ /**Define Widget Constants */ -define ( 'MTPHR_POST_DUPLICATOR_VERSION', '2.18' ); +define ( 'MTPHR_POST_DUPLICATOR_VERSION', '2.19' ); define ( 'MTPHR_POST_DUPLICATOR_DIR', plugin_dir_path(__FILE__) ); define ( 'MTPHR_POST_DUPLICATOR_URL', plugins_url().'/post-duplicator' );
readme.txt+4 −1 modified@@ -41,6 +41,9 @@ Check out the 'Installation' tab. == Changelog == += 2.19 = +* Added Duplicate button to published post edit pages + = 2.18 = * Modified javascript for allow duplication of duplicated page before page reload @@ -115,4 +118,4 @@ Must upgrade in order for the plugin to work. The file paths where initially wro == Upgrade Notice == -Modified javascript for allow duplication of duplicated page before page reload \ No newline at end of file +Added Duplicate button to published post edit pages \ No newline at end of file
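Review bot: in assets/js/pd-admin.js the new spinner lines sit inside a `jQuery( '.m4c-duplicate-post' ).live( 'click', ... )` handler; `.live()` was removed in jQuery 1.9 and only keeps working while the jQuery Migrate shim is loaded. Use delegated binding, `jQuery( document ).on( 'click', '.m4c-duplicate-post', function( e ) { ... } )`, which also covers buttons injected after page load.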
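Review bot: in includes/functions.php, `rel="<?php echo $nonce; ?>"` and `data-postid="<?php echo $post->ID; ?>"` print values into attributes unescaped, and `printf( __( 'Duplicate %s', 'post-duplicator' ), $post_type->labels->singular_name )` prints a label that third-party post type registrations control. Use `esc_attr( $nonce )`, `(int) $post->ID` and `esc_html( $post_type->labels->singular_name )`, and since the `m4c_ajax_file_nonce` nonce is minted here, make sure the AJAX handler that receives it verifies the nonce and `current_user_can( 'edit_post', $post_id )` rather than relying on the button only being rendered on the edit screen.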
Commit ca67c05e490c: XSS vulnerability fix
10 files changed · +347 −95
includes/notices.php+1 −1 modified@@ -6,7 +6,7 @@ function mtphr_post_duplicator_notice() { - $duplicated_id = isset($_GET['post-duplicated']) ? $_GET['post-duplicated'] : ''; + $duplicated_id = isset($_GET['post-duplicated']) ? htmlspecialchars($_GET['post-duplicated'], ENT_QUOTES, 'UTF-8') : ''; if( $duplicated_id != '' ) { $settings = get_mtphr_post_duplicator_settings();
includes/settings.php+2 −2 modified@@ -9,8 +9,8 @@ function mtphr_post_duplicator_settings_page() { add_management_page( - 'Post Duplicator', // The value used to populate the browser's title bar when the menu page is active - 'Post Duplicator', // The label of this submenu item displayed in the menu + __('Post Duplicator', 'post-duplicator'), // The value used to populate the browser's title bar when the menu page is active + __('Post Duplicator', 'post-duplicator'), // The label of this submenu item displayed in the menu 'administrator', // What roles are able to access this submenu item 'mtphr_post_duplicator_settings_menu', // The ID used to represent this submenu item 'mtphr_post_duplicator_settings_display' // The callback function used to render the options for this submenu item
languages/post-duplicator-de_DE.mo+0 −0 modifiedlanguages/post-duplicator-de_DE.po+89 −40 modified@@ -1,113 +1,162 @@ msgid "" msgstr "" -"Project-Id-Version: Post Duplicator v2.8\n" +"Project-Id-Version: Post Duplicator v2.16\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2015-09-17 10:33+0100\n" -"PO-Revision-Date: 2015-09-18 01:48:47+0000\n" +"PO-Revision-Date: 2016-03-11 12:49-0600\n" "Last-Translator: \n" "Language-Team: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Poedit 1.7.4\n" -"X-Poedit-Language: \n" -"X-Poedit-Country: \n" +"X-Generator: Poedit 1.8.7\n" "X-Poedit-SourceCharset: utf-8\n" -"X-Poedit-KeywordsList: __;_e;__ngettext:1,2;_n:1,2;__ngettext_noop:1,2;_n_noop:1,2;_c,_nc:4c,1,2;_x:1,2c;_ex:1,2c;_nx:4c,1,2;_nx_noop:4c,1,2;\n" +"X-Poedit-KeywordsList: __;_e;__ngettext:1,2;_n:1,2;__ngettext_noop:1,2;_n_noop:1,2;_c,_nc:4c,1,2;_x:1,2c;_ex:1,2c;_nx:4c,1,2;_nx_noop:4c,1,2\n" "X-Poedit-Basepath: ..\n" -"X-Poedit-Bookmarks: \n" +"X-Textdomain-Support: yes\n" +"Language: de_DE\n" "X-Poedit-SearchPath-0: .\n" -"X-Textdomain-Support: yes" -#: includes/edit.php:17 +# @ post-duplicator +#: includes/edit.php:16 #, php-format -#@ post-duplicator msgid "Duplicate %s" msgstr "Kopiere %s" +# @ post-duplicator #: includes/settings.php:32 -#@ post-duplicator msgid "Post Status" msgstr "Status" -#: includes/settings.php:35 -#@ post-duplicator +# @ post-duplicator +#: includes/helpers.php:10 includes/settings.php:35 msgid "Same as original" msgstr "Wie Original" +# @ post-duplicator #: includes/settings.php:36 -#@ post-duplicator msgid "Draft" msgstr "Entwurf" +# @ post-duplicator #: includes/settings.php:37 -#@ post-duplicator msgid "Published" msgstr "Veröffentlicht" +# @ post-duplicator #: includes/settings.php:38 -#@ post-duplicator msgid "Pending" msgstr "Ausstehend" -#: includes/settings.php:44 -#@ post-duplicator +# @ post-duplicator +#: 
includes/settings.php:51 msgid "Post Date" msgstr "Datum" -#: includes/settings.php:47 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:54 msgid "Duplicate Timestamp" msgstr "Kopiere Zeitstempel" -#: includes/settings.php:48 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:55 msgid "Current Time" msgstr "Aktuelle Zeit" -#: includes/settings.php:55 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:78 msgid "Offset Date" msgstr "Datums-Abweichung" -#: includes/settings.php:61 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:84 msgid " days" msgstr "Tage" -#: includes/settings.php:68 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:91 msgid " hours" msgstr "Stunden" -#: includes/settings.php:75 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:98 msgid " minutes" msgstr "Minuten" -#: includes/settings.php:82 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:105 msgid " seconds" msgstr "Sekunden" -#: includes/settings.php:89 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:112 msgid "newer" msgstr "früher" -#: includes/settings.php:90 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:113 msgid "older" msgstr "später" -#: includes/settings.php:136 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:159 msgid "Post Duplicator Settings" msgstr "Post Duplicator Einstellungen" -#: includes/settings.php:160 -#@ post-duplicator +# @ post-duplicator +#: includes/settings.php:183 msgid "Customize the settings for duplicated posts." msgstr "Konfiguriere die Einstellungen für kopierte \"Posts\"." 
+# @ post-duplicator +#: includes/edit.php:22 +#, php-format +msgid "Duplicate %1$s to %2$s" +msgstr "Doppelte %1$s auf %2$s" + +# @ post-duplicator +#: includes/functions.php:18 includes/settings.php:66 +msgid "Copy" +msgstr "Kopieren" + +# @ post-duplicator +#: includes/notices.php:20 +msgid "here" +msgstr "hier" + +# @ post-duplicator +#: includes/notices.php:21 +#, php-format +msgid "Successfully Duplicated! You can edit your new %1$s %2$s." +msgstr "Erfolgreich dupliziert! Sie können Ihre neue %1$s %2$s bearbeiten." + +# @ post-duplicator +#: includes/settings.php:12 includes/settings.php:13 +msgid "Post Duplicator" +msgstr "Post-Duplizierer" + +# @ post-duplicator +#: includes/settings.php:44 +msgid "Post Type" +msgstr "Beitragstyp" + +# @ post-duplicator +#: includes/settings.php:62 +msgid "Duplicate Title" +msgstr "Doppelte Titel" + +# @ post-duplicator +#: includes/settings.php:63 +msgid "String that should be appended to the duplicate post's title" +msgstr "Zeichenfolge, die an den doppelten Post-Titel angefügt werden soll" + +# @ post-duplicator +#: includes/settings.php:70 +msgid "Duplicate Slug" +msgstr "Doppelte Schnecke" + +# @ post-duplicator +#: includes/settings.php:71 +msgid "String that should be appended to the duplicate post's slug" +msgstr "Zeichenfolge, die an den doppelten Post Flug angefügt werden soll"
languages/post-duplicator-fr_FR.mo+0 −0 addedlanguages/post-duplicator-fr_FR.po+161 −0 added@@ -0,0 +1,161 @@ +msgid "" +msgstr "" +"Project-Id-Version: Post Duplicator v2.16\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: \n" +"PO-Revision-Date: 2016-03-11 12:47-0600\n" +"Last-Translator: \n" +"Language-Team: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=n>1;\n" +"X-Generator: Poedit 1.8.7\n" +"X-Poedit-SourceCharset: utf-8\n" +"X-Poedit-KeywordsList: __;_e;__ngettext:1,2;_n:1,2;__ngettext_noop:1,2;_n_noop:1,2;_c,_nc:4c,1,2;_x:1,2c;_ex:1,2c;_nx:4c,1,2;_nx_noop:4c,1,2\n" +"X-Textdomain-Support: yes\n" +"Language: fr_FR\n" +"X-Poedit-SearchPath-0: .\n" + +# @ post-duplicator +#: includes/settings.php:71 +msgid "String that should be appended to the duplicate post's slug" +msgstr "Chaîne qui doit être ajoutée au plug du double post" + +# @ post-duplicator +#: includes/settings.php:70 +msgid "Duplicate Slug" +msgstr "Plug en double" + +# @ post-duplicator +#: includes/edit.php:22 +#, php-format +msgid "Duplicate %1$s to %2$s" +msgstr "Dupliquer %1$s %2$s" + +# @ post-duplicator +#: includes/notices.php:20 +msgid "here" +msgstr "ici" + +# @ post-duplicator +#: includes/notices.php:21 +#, php-format +msgid "Successfully Duplicated! You can edit your new %1$s %2$s." +msgstr "Reproduit avec succès ! Vous pouvez modifier votre nouveau %1$s %2$s." 
+ +# @ post-duplicator +#: includes/settings.php:44 +msgid "Post Type" +msgstr "Type de contenu" + +# @ post-duplicator +#: includes/edit.php:16 +#, php-format +msgid "Duplicate %s" +msgstr "Dupliquer %s" + +# @ post-duplicator +#: includes/settings.php:32 +msgid "Post Status" +msgstr "Statut" + +# @ post-duplicator +#: includes/helpers.php:10 includes/settings.php:35 +msgid "Same as original" +msgstr "Identique à l’original" + +# @ post-duplicator +#: includes/settings.php:36 +msgid "Draft" +msgstr "Brouillon" + +# @ post-duplicator +#: includes/settings.php:37 +msgid "Published" +msgstr "Publié" + +# @ post-duplicator +#: includes/settings.php:38 +msgid "Pending" +msgstr "En attente" + +# @ post-duplicator +#: includes/settings.php:51 +msgid "Post Date" +msgstr "Date de l’article" + +# @ post-duplicator +#: includes/settings.php:54 +msgid "Duplicate Timestamp" +msgstr "Plug en double" + +# @ post-duplicator +#: includes/settings.php:55 +msgid "Current Time" +msgstr "Heure actuelle" + +# @ post-duplicator +#: includes/settings.php:78 +msgid "Offset Date" +msgstr "Décalage de date" + +# @ post-duplicator +#: includes/settings.php:84 +msgid " days" +msgstr "jours" + +# @ post-duplicator +#: includes/settings.php:91 +msgid " hours" +msgstr "heures" + +# @ post-duplicator +#: includes/settings.php:98 +msgid " minutes" +msgstr "minutes" + +# @ post-duplicator +#: includes/settings.php:105 +msgid " seconds" +msgstr "secondes" + +# @ post-duplicator +#: includes/settings.php:112 +msgid "newer" +msgstr "plus récent" + +# @ post-duplicator +#: includes/settings.php:113 +msgid "older" +msgstr "précédents" + +# @ post-duplicator +#: includes/settings.php:159 +msgid "Post Duplicator Settings" +msgstr "Paramètres" + +# @ post-duplicator +#: includes/settings.php:183 +msgid "Customize the settings for duplicated posts." +msgstr "Personnaliser les paramètres des messages dupliqués." 
+ +# @ post-duplicator +#: includes/functions.php:18 includes/settings.php:66 +msgid "Copy" +msgstr "Exemplaire" + +# @ post-duplicator +#: includes/settings.php:62 +msgid "Duplicate Title" +msgstr "Titre en double" + +# @ post-duplicator +#: includes/settings.php:63 +msgid "String that should be appended to the duplicate post's title" +msgstr "Chaîne qui doit être ajoutée au titre de la double post" + +# @ post-duplicator +#: includes/settings.php:12 includes/settings.php:13 +msgid "Post Duplicator" +msgstr "Duplicateur de post"
languages/post-duplicator-fr.mo+0 −0 modifiedlanguages/post-duplicator-fr.po+87 −49 modified@@ -1,123 +1,161 @@ -# Translation of Development (trunk) in French (France) -# This file is distributed under the same license as the Development (trunk) package. msgid "" msgstr "" -"PO-Revision-Date: 2015-12-07 07:08:49+0000\n" +"Project-Id-Version: Post Duplicator v2.16\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: \n" +"PO-Revision-Date: 2016-03-11 12:47-0600\n" +"Last-Translator: \n" +"Language-Team: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=2; plural=n > 1;\n" -"X-Generator: GlotPress/1.0-alpha-1100\n" -"Project-Id-Version: Development (trunk)\n" - -#: includes/settings.php:63 +"Plural-Forms: nplurals=2; plural=n>1;\n" +"X-Generator: Poedit 1.8.7\n" +"X-Poedit-SourceCharset: utf-8\n" +"X-Poedit-KeywordsList: __;_e;__ngettext:1,2;_n:1,2;__ngettext_noop:1,2;_n_noop:1,2;_c,_nc:4c,1,2;_x:1,2c;_ex:1,2c;_nx:4c,1,2;_nx_noop:4c,1,2\n" +"X-Textdomain-Support: yes\n" +"Language: fr\n" +"X-Poedit-SearchPath-0: .\n" + +# @ post-duplicator +#: includes/settings.php:71 msgid "String that should be appended to the duplicate post's slug" -msgstr "" +msgstr "Chaîne qui doit être ajoutée au plug du double post" -#: includes/settings.php:62 +# @ post-duplicator +#: includes/settings.php:70 msgid "Duplicate Slug" -msgstr "" +msgstr "Plug en double" +# @ post-duplicator #: includes/edit.php:22 +#, php-format msgid "Duplicate %1$s to %2$s" -msgstr "" +msgstr "Dupliquer %1$s %2$s" +# @ post-duplicator #: includes/notices.php:20 msgid "here" msgstr "ici" +# @ post-duplicator #: includes/notices.php:21 +#, php-format msgid "Successfully Duplicated! You can edit your new %1$s %2$s." -msgstr "" +msgstr "Reproduit avec succès ! Vous pouvez modifier votre nouveau %1$s %2$s." 
+# @ post-duplicator #: includes/settings.php:44 msgid "Post Type" msgstr "Type de contenu" +# @ post-duplicator #: includes/edit.php:16 +#, php-format msgid "Duplicate %s" -msgstr "" +msgstr "Dupliquer %s" +# @ post-duplicator #: includes/settings.php:32 msgid "Post Status" -msgstr "" +msgstr "Statut" +# @ post-duplicator #: includes/helpers.php:10 includes/settings.php:35 msgid "Same as original" -msgstr "" +msgstr "Identique à l’original" +# @ post-duplicator #: includes/settings.php:36 msgid "Draft" msgstr "Brouillon" +# @ post-duplicator #: includes/settings.php:37 msgid "Published" msgstr "Publié" +# @ post-duplicator #: includes/settings.php:38 msgid "Pending" msgstr "En attente" +# @ post-duplicator #: includes/settings.php:51 msgid "Post Date" -msgstr "" +msgstr "Date de l’article" +# @ post-duplicator #: includes/settings.php:54 msgid "Duplicate Timestamp" -msgstr "" +msgstr "Plug en double" +# @ post-duplicator #: includes/settings.php:55 msgid "Current Time" -msgstr "" +msgstr "Heure actuelle" -#: includes/settings.php:70 +# @ post-duplicator +#: includes/settings.php:78 msgid "Offset Date" -msgstr "" +msgstr "Décalage de date" -#: includes/settings.php:76 +# @ post-duplicator +#: includes/settings.php:84 msgid " days" -msgstr "" +msgstr "jours" -#: includes/settings.php:83 +# @ post-duplicator +#: includes/settings.php:91 msgid " hours" -msgstr "" +msgstr "heures" -#: includes/settings.php:90 +# @ post-duplicator +#: includes/settings.php:98 msgid " minutes" -msgstr "" +msgstr "minutes" -#: includes/settings.php:97 +# @ post-duplicator +#: includes/settings.php:105 msgid " seconds" -msgstr "" +msgstr "secondes" -#: includes/settings.php:104 +# @ post-duplicator +#: includes/settings.php:112 msgid "newer" -msgstr "" +msgstr "plus récent" -#: includes/settings.php:105 +# @ post-duplicator +#: includes/settings.php:113 msgid "older" -msgstr "" +msgstr "précédents" -#: includes/settings.php:151 +# @ post-duplicator +#: includes/settings.php:159 msgid "Post 
Duplicator Settings" -msgstr "" +msgstr "Paramètres" -#: includes/settings.php:175 +# @ post-duplicator +#: includes/settings.php:183 msgid "Customize the settings for duplicated posts." -msgstr "" +msgstr "Personnaliser les paramètres des messages dupliqués." -#. Plugin Name of the plugin/theme -msgid "Post Duplicator" -msgstr "" +# @ post-duplicator +#: includes/functions.php:18 includes/settings.php:66 +msgid "Copy" +msgstr "Exemplaire" -#. Description of the plugin/theme -msgid "Creates functionality to duplicate any and all post types, including taxonomies & custom fields" -msgstr "" +# @ post-duplicator +#: includes/settings.php:62 +msgid "Duplicate Title" +msgstr "Titre en double" -#. Author of the plugin/theme -msgid "Metaphor Creations" -msgstr "" +# @ post-duplicator +#: includes/settings.php:63 +msgid "String that should be appended to the duplicate post's title" +msgstr "Chaîne qui doit être ajoutée au titre de la double post" -#. Author URI of the plugin/theme -msgid "http://www.metaphorcreations.com" -msgstr "" \ No newline at end of file +# @ post-duplicator +#: includes/settings.php:12 includes/settings.php:13 +msgid "Post Duplicator" +msgstr "Duplicateur de post"
m4c-postduplicator.php+2 −2 modified@@ -2,7 +2,7 @@ /* Plugin Name: Post Duplicator Description: Creates functionality to duplicate any and all post types, including taxonomies & custom fields -Version: 2.16 +Version: 2.17 Author: Metaphor Creations Author URI: http://www.metaphorcreations.com Text Domain: post-duplicator @@ -30,7 +30,7 @@ /**Define Widget Constants */ -define ( 'MTPHR_POST_DUPLICATOR_VERSION', '2.16' ); +define ( 'MTPHR_POST_DUPLICATOR_VERSION', '2.17' ); define ( 'MTPHR_POST_DUPLICATOR_DIR', plugin_dir_path(__FILE__) ); define ( 'MTPHR_POST_DUPLICATOR_URL', plugins_url().'/post-duplicator' );
readme.txt+5 −1 modified@@ -41,6 +41,10 @@ Check out the 'Installation' tab. == Changelog == += 2.17 = +* XSS vulnerability fix +* Language file updates + = 2.16 = * Modified how post meta is saved to database * Modified duplicate slug implementation @@ -108,4 +112,4 @@ Must upgrade in order for the plugin to work. The file paths where initially wro == Upgrade Notice == -Multiple updates \ No newline at end of file +XSS vulnerability fix \ No newline at end of file
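Review bot: in includes/notices.php the fix escapes `$_GET['post-duplicated']` at read time with htmlspecialchars(), which keeps markup out of the notice but still lets an arbitrary string travel through `$duplicated_id` into any later use inside the function. The value is a post ID, so validate it as one, `$duplicated_id = isset( $_GET['post-duplicated'] ) ? absint( $_GET['post-duplicated'] ) : 0;`, treat 0 as "no notice", and escape at the point of output with esc_html() / esc_attr() / esc_url() according to context, which is the WordPress convention and also covers a non-HTML sink.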
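Review bot: in includes/settings.php the unchanged context line `'administrator', // What roles are able to access this submenu item` passes a role name where add_management_page() expects a capability; this is discouraged in the WordPress developer handbook and should be `'manage_options'` (with the comment corrected to say capability). Wrapping the two title strings in __() is fine, but the trailing comments now run very long and could be shortened.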
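Review bot: in languages/post-duplicator-de_DE.po the new entries `msgstr "Doppelte Schnecke"` for "Duplicate Slug" and `msgstr "Zeichenfolge, die an den doppelten Post Flug angefügt werden soll"` translate the technical term slug literally (snail, flight); German WordPress core uses "Titelform" for slug, or the English word can be kept as a loanword.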
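Review bot: in languages/post-duplicator-fr_FR.po the entry `msgid "Duplicate Timestamp"` carries `msgstr "Plug en double"`, a copy of the Duplicate Slug translation, and "slug" is rendered as "plug" in both slug strings; keep the term slug and give "Duplicate Timestamp" its own translation. The same strings are added unchanged to languages/post-duplicator-fr.po, so both files need the fix.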
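Review bot: m4c-postduplicator.php and readme.txt bump the version to 2.17 and file the fix under `= 2.17 =` / `* XSS vulnerability fix` in the changelog, while the advisory text on this page gives `<=2.18` as affected and 2.19 as the fixed version, and the 2.19 commit above only adds the Duplicate button; the two should be reconciled so users know which release actually carries the escaping change.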
Vulnerability mechanics
Root cause
"Missing output sanitization of the `post-duplicated` GET parameter in `mtphr_post_duplicator_notice` allows reflected cross-site scripting."
Attack vector
An attacker can craft a URL containing a malicious payload in the `post-duplicated` query parameter. When a WordPress administrator or user who can trigger the duplication notice visits this URL, the unsanitized value is echoed directly into the page, causing reflected cross-site scripting (XSS). The attack is remote and requires no authentication beyond the victim visiting the crafted link.
Affected code
The vulnerability is in the function `mtphr_post_duplicator_notice` in the file `includes/notices.php`. The function reads the `post-duplicated` parameter from the `$_GET` superglobal and outputs it without sanitization.
What the fix does
The patch in `includes/notices.php` wraps the `$_GET['post-duplicated']` value with `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` before output. This escapes HTML special characters, preventing any injected script tags or event handlers from being interpreted by the browser. The commit message explicitly states "XSS vulnerability fix" [patch_id=2247380].
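As an added example (not the plugin's code), the three functions below reproduce the notice construction in plain PHP: the pre-fix echo, the htmlspecialchars() form from commit ca67c05, and a stricter integer-validating variant that I am assuming as the intended contract; the surrounding markup is a simplified stand-in and no WordPress runtime is needed.

```php
<?php
// Added example, not code from the Post Duplicator plugin: a stand-alone
// reproduction of how the notice is built before and after commit ca67c05,
// plus a stricter variant. Runs with plain PHP; no WordPress needed.

// Pre-fix shape of mtphr_post_duplicator_notice(): the raw query value lands
// in the HTML unchanged (the markup around it is a simplified stand-in).
function notice_unescaped(array $get): string
{
    $duplicated_id = isset($get['post-duplicated']) ? $get['post-duplicated'] : '';
    if ($duplicated_id === '') {
        return '';
    }
    return '<div class="updated"><p>Successfully Duplicated! ID ' . $duplicated_id . '</p></div>';
}

// Post-fix shape: htmlspecialchars() with ENT_QUOTES turns < > & " ' into
// entities, so the browser renders the value as text rather than markup.
function notice_escaped(array $get): string
{
    $duplicated_id = isset($get['post-duplicated'])
        ? htmlspecialchars($get['post-duplicated'], ENT_QUOTES, 'UTF-8')
        : '';
    if ($duplicated_id === '') {
        return '';
    }
    return '<div class="updated"><p>Successfully Duplicated! ID ' . $duplicated_id . '</p></div>';
}

// Stricter variant (my assumption about intent, not the plugin's code): the
// parameter is a post ID, so validate it as a positive integer before it is
// used anywhere, and still escape at output. Non-numeric input yields no notice.
function notice_strict(array $get): string
{
    $raw = isset($get['post-duplicated']) ? (string) $get['post-duplicated'] : '';
    if (!ctype_digit($raw) || (int) $raw <= 0) {
        return '';
    }
    $duplicated_id = (int) $raw;
    return '<div class="updated"><p>Successfully Duplicated! ID '
        . htmlspecialchars((string) $duplicated_id, ENT_QUOTES, 'UTF-8') . '</p></div>';
}

// Constructed inputs standing in for $_GET.
$normal = ['post-duplicated' => '42'];
$tagged = ['post-duplicated' => '42"><b>x</b>'];   // markup where an ID belongs

$checks = [
    // Unescaped: the tag survives verbatim, which is the CVE.
    strpos(notice_unescaped($tagged), '<b>x</b>') !== false,
    // Escaped: only entities reach the page.
    strpos(notice_escaped($tagged), '<b>') === false
        && strpos(notice_escaped($tagged), '&lt;b&gt;x&lt;/b&gt;') !== false
        && strpos(notice_escaped($tagged), '&quot;&gt;') !== false,
    // Strict: a well-formed ID still works, anything else is dropped.
    notice_strict($normal) === notice_escaped($normal),
    notice_strict($tagged) === '',
];

foreach ($checks as $i => $ok) {
    echo 'check ', $i + 1, ': ', $ok ? 'pass' : 'FAIL', PHP_EOL;
}
exit(in_array(false, $checks, true) ? 1 : 0);
```

Run with `php notice_example.php`; a non-zero exit status means one of the four checks did not hold.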
Preconditions
- input: The victim must visit a crafted URL containing the malicious post-duplicated parameter.
- network: The attacker does not need any authenticated session or special network position.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/meta4creations/post-duplicator/commit/ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594 (mitre; patch)
- [2] github.com/meta4creations/post-duplicator/releases/tag/2.19 (mitre; patch)
- [3] vuldb.com (mitre; signature; permissions-required)
- [4] vuldb.com (mitre; vdb-entry; technical-description)