Medium severity4.3NVD Advisory· Published Feb 25, 2026· Updated Apr 15, 2026

CVE-2026-2301

Description

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the duplicate_post() function in includes/api.php using $wpdb->insert() directly to the wp_postmeta table instead of WordPress's standard add_post_meta() function, which would call is_protected_meta() to prevent lower-privileged users from setting protected meta keys (those starting with _). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as _wp_page_template, _wp_attached_file, and other sensitive meta keys on duplicated posts via the customMetaData JSON array parameter in the /wp-json/post-duplicator/v1/duplicate-post REST API endpoint.

Affected products

WordPress/Duplicate Postllm-fuzzy
Range: <=3.0.8
Package: https://wordpress.org/plugins/duplicate-post

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000