Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData

An attacker with Contributor-level access or above triggers the post duplication feature of the plugin. The plugin copies custom meta-data from the source post but fails to re-serialize the values through the WordPress meta API, meaning attacker-controlled serialized strings stored in the meta table are passed directly to PHP's `unserialize()` when the duplicated post is processed. If a suitable POP (Property Oriented Programming) chain exists in another installed plugin or theme, this can lead to remote code execution, arbitrary file operations, or sensitive data disclosure.

The Post Duplicator plugin before version 3.0.15 does not safely handle custom meta-data during post duplication. The plugin stores attacker-supplied serialized values without the WordPress meta API's double-serialization protection, which would normally prevent deserialization of untrusted data.

The fix in version 3.0.15 ensures that custom meta-data is properly handled through the WordPress meta API, which applies double-serialization protection. This prevents attacker-supplied serialized strings from being passed directly to PHP's `unserialize()`, thereby blocking PHP Object Injection. The advisory does not show the exact code diff, but the remediation is to use the WordPress meta API functions that safely serialize and deserialize meta values.