CVE-2026-10749 - Vulnerability Details - OpenCVE

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Duplicator Project	Duplicator
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://wpscan.com/vulnerability/224c36b5-e604-4eb3-aad8-47283b95e994/

History

Wed, 24 Jun 2026 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Duplicator Project Duplicator Project duplicator Wordpress Wordpress wordpress
Vendors & Products		Duplicator Project Duplicator Project duplicator Wordpress Wordpress wordpress

Wed, 24 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 24 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284 CWE-502

Wed, 24 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
Title		Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData
References		https://wpscan.com/vulnerability/224c36b5-e604-4eb3-aad8-47283b95e994/

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-06-24T06:00:02.199Z

Updated: 2026-06-24T13:12:59.561Z

Reserved: 2026-06-03T13:45:00.388Z

Link: CVE-2026-10749

Vulnrichment

Updated: 2026-06-24T13:12:41.898Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10749", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-06-03T13:45:00.388Z", "datePublished": "2026-06-24T06:00:02.199Z", "dateUpdated": "2026-06-24T13:12:59.561Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-06-24T06:00:02.199Z"}, "title": "Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData", "problemTypes": [{"descriptions": [{"description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Post Duplicator", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "3.0.15"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object."}], "references": [{"url": "https://wpscan.com/vulnerability/224c36b5-e604-4eb3-aad8-47283b95e994/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Md. Minaruzzaman Shovon", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T13:12:53.775296Z", "id": "CVE-2026-10749", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T13:12:59.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-10749", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-24T13:12:53.775296Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T13:12:41.898Z"}}], "cna": {"title": "Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Md. Minaruzzaman Shovon"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Post Duplicator", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/224c36b5-e604-4eb3-aad8-47283b95e994/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-06-24T06:00:02.199Z"}}}, "cveMetadata": {"cveId": "CVE-2026-10749", "state": "PUBLISHED", "dateUpdated": "2026-06-24T13:12:59.561Z", "dateReserved": "2026-06-03T13:45:00.388Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-06-24T06:00:02.199Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}