CVE-2026-10749

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
Configurations

No configuration.

History

24 Jun 2026, 14:17

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.2

24 Jun 2026, 07:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-24 07:16

Updated : 2026-06-25 19:07


NVD link : CVE-2026-10749

Mitre link : CVE-2026-10749

CVE.ORG link : CVE-2026-10749


JSON object : View

Products Affected

No product.

CWE

No CWE.