Attack Vectors
CVE-2026-2301 is a Medium-severity vulnerability (CVSS 4.3) affecting the Post Duplicator WordPress plugin (slug: post-duplicator) in versions 3.0.8 and below.
The issue can be abused by an authenticated user with Contributor-level access or higher. By supplying crafted input through the plugin’s duplication functionality—specifically via the customMetaData parameter—an attacker can insert protected post meta (meta keys that start with _) that they normally should not be able to set.
Security Weakness
The weakness is a missing authorization/control gap around protected meta handling. In the plugin’s duplicate_post() function (in includes/api.php), the code inserts rows into the wp_postmeta table using a direct database insert ($wpdb->insert()), rather than using WordPress’s standard add_post_meta() workflow.
This matters because WordPress’s standard meta APIs apply checks such as is_protected_meta() to help prevent lower-privileged users from setting protected meta keys. Bypassing that normal pathway enables Contributor+ users to insert protected meta that WordPress would typically restrict.
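The contrast below is an added illustration of the pattern described, not the plugin's code: a direct-insert meta copy next to a version that routes through the core meta API and mirrors the protected-meta and capability check that wp-admin's own meta handling performs. It assumes a WordPress runtime (`$wpdb`, `add_post_meta()`, `is_protected_meta()`, `current_user_can()` and `maybe_serialize()` are core functions); the two function names are hypothetical.

```php
<?php
// Illustrative sketch only; function names are assumed, not taken from the plugin.
// Requires WordPress core to be loaded ($wpdb and the meta/capability functions).

// Vulnerable pattern: copying caller-supplied meta straight into wp_postmeta with a
// direct insert bypasses the core meta API, so no protected-key or capability check
// ever runs and a key beginning with "_" is written like any other.
function copy_meta_unsafe( int $new_post_id, array $custom_meta ) : void {
    global $wpdb;
    foreach ( $custom_meta as $key => $value ) {
        $wpdb->insert(
            $wpdb->postmeta,
            array(
                'post_id'    => $new_post_id,
                'meta_key'   => (string) $key,
                'meta_value' => maybe_serialize( $value ),
            ),
            array( '%d', '%s', '%s' )
        );
    }
}

// Hardened pattern: refuse protected keys the current user is not entitled to add
// (the same test wp-admin applies before writing meta), then use add_post_meta()
// so core sanitisation and the usual meta filters apply. Returns the skipped keys
// so the caller can log them instead of failing silently.
function copy_meta_safe( int $new_post_id, array $custom_meta ) : array {
    $skipped = array();
    foreach ( $custom_meta as $key => $value ) {
        $key = (string) $key;
        if ( is_protected_meta( $key, 'post' )
             && ! current_user_can( 'add_post_meta', $new_post_id, $key ) ) {
            $skipped[] = $key;
            continue;
        }
        add_post_meta( $new_post_id, $key, $value );
    }
    return $skipped;
}
```

For detection, a sudden appearance of underscore-prefixed meta keys on posts authored by Contributor accounts is the signal this pattern leaves in wp_postmeta.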
Technical or Business Impacts
While the CVSS rating indicates limited integrity impact, this class of issue can create real business risk because protected post meta is frequently used to control behavior across themes and plugins (for example: internal flags, workflow states, or configuration values associated with content).
For marketing and business teams, the practical impacts may include content integrity and governance concerns: unauthorized changes to behind-the-scenes metadata can lead to unexpected page behavior, inconsistent publishing workflows, and time-consuming investigation when content “looks fine” in the editor but behaves differently on the site.
Remediation: Update Post Duplicator to version 3.0.9 or newer (patched). As a defense-in-depth measure, also review who has Contributor access (and above), and ensure accounts are least-privileged for their role.
Similar Attacks
Plugin vulnerabilities that allow attackers to change site behavior—whether through metadata manipulation, unauthorized actions, or other control-plane weaknesses—have been leveraged in broader WordPress compromises. Examples (for context on how plugin flaws can translate into operational risk) include:
Wordfence: 0-day vulnerability in WP File Manager (2020)
Wordfence: RevSlider vulnerability and large-scale WordPress compromise (SoakSoak)