Description
The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint.
INFO
Published Date :
2026-02-25T09:26:51.333Z
Last Modified :
2026-04-08T17:29:57.120Z
Source :
Wordfence
AFFECTED PRODUCTS
The following products are affected by CVE-2026-2301 vulnerability.
| Vendors | Products |
|---|---|
| Metaphorcreations |
|
| Wordpress |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-2301.
