VYPR
High severity 8.5 · NVD Advisory · Published May 27, 2026

CVE-2026-49046

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection.

This issue affects Duplicate Page and Post: from n/a through 2.9.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in Duplicate Page and Post plugin ≤2.9.5 allows attackers to extract database contents without authentication.

Vulnerability

The Duplicate Page and Post plugin for WordPress, in versions up to and including 2.9.5, fails to properly neutralize special elements used in an SQL command. This flaw leads to a Blind SQL Injection vulnerability, as noted by the vendor advisory [1]. The weakness resides in the plugin's handling of user-supplied input when processing duplication actions, allowing an attacker to inject malicious SQL payloads.

Exploitation

An attacker needs no authenticated session; the vulnerability is exploitable remotely over HTTP. The attacker sends crafted requests to the vulnerable WordPress instance, injecting SQL commands via input parameters that are not sanitized. The blind nature means the attacker may not see direct query results but can infer them through timing or boolean responses from the application, enabling enumeration of database tables and values step by step [1].

Impact

Successful exploitation allows a malicious actor to directly interact with the WordPress database, potentially leading to information disclosure of sensitive data such as user credentials, post content, and configuration details. The attacker can extract any data stored in the database without needing elevated privileges, compromising the confidentiality of the website [1].

Mitigation

Update the Duplicate Page and Post plugin to a version higher than 2.9.5 as soon as possible. The vendor has released a patch; security advisories recommend immediate action [1]. If updating is not feasible, contact your hosting provider or web developer for assistance in applying a workaround or temporarily disabling the plugin until it can be updated.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
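To act on the mitigation above, the following added example (not code from the advisory or from the plugin) scans a WordPress plugins directory and reports installs of the plugin at or below 2.9.5. It assumes the plugin's `Plugin Name` header matches the product name used in this advisory; the sample tree and the version `3.0.0` are constructed for the demo and do not denote a real fixed release.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Duplicate Page and Post"  # product name as written in the advisory (assumed header value)
LAST_AFFECTED = (2, 9, 5)                # advisory: affected "through 2.9.5"
# WordPress-style header lines inside the plugin file's leading comment block.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def version_tuple(text):
    """'2.9.5.0' -> (2, 9, 5). Unparseable input -> (), which sorts as affected."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    nums = [int(n) for n in m.group().split(".")] if m else []
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def plugin_headers(php_file):
    """Read header fields from the first 8 KiB of a plugin file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def find_affected(plugins_dir):
    """Return (relative path, version) for each install at or below LAST_AFFECTED."""
    root, hits = Path(plugins_dir), []
    for php in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        headers = plugin_headers(php)
        if headers.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        version = headers.get("version", "")
        if version_tuple(version) <= LAST_AFFECTED:
            hits.append((php.relative_to(root).as_posix(), version or "unknown"))
    return hits

def demo():
    """Constructed sample tree: one affected install, one on a made-up later version."""
    with tempfile.TemporaryDirectory() as tmp:
        for folder, version in (("site-a-copy", "2.9.5"), ("site-b-copy", "3.0.0")):
            d = Path(tmp, folder)
            d.mkdir()
            d.joinpath("main.php").write_text(
                f"<?php\n/*\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")
        return find_affected(tmp)

if __name__ == "__main__":
    for path, version in demo():
        print(f"AFFECTED: {path} (version {version})")
```

On a real host, call `find_affected()` with the site's `wp-content/plugins` path; an install whose version header is missing or unparseable is reported as `unknown` rather than skipped.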
