CVE-2026-10749

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 24, 2026

Vendor unknown

Description

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

References

https://wpscan.com/vulnerability/224c36b5-e604-4eb3-aad8-47283b95e994/