CVE-2026-39474

Vulnerability

The Post Duplicator plugin for WordPress versions up to and including 3.0.10 is vulnerable to PHP Object Injection. The flaw occurs when the plugin unserializes user-supplied input without proper sanitization, enabling an attacker to inject arbitrary PHP objects. This vulnerability is present in all versions <= 3.0.10 [1].

Exploitation

An attacker must have contributor-level access to the WordPress site. The attacker crafts a malicious serialized object and submits it through the plugin's functionality. If a suitable POP (Property Oriented Programming) chain exists in the WordPress core or any installed plugins or themes, the attacker can trigger arbitrary code execution. No additional user interaction is required beyond the attacker's own actions [1].

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other impacts depending on available POP chains. The attacker gains the ability to execute arbitrary PHP code, potentially resulting in full site compromise [1].

Mitigation

The vulnerability is fixed in version 3.0.11. Users should update immediately. If updating is not possible, apply a virtual patch or Web Application Firewall rule to block malicious serialized payloads. Patchstack has issued a mitigation rule for its users. No other workarounds are documented [1].